Analysis

max time kernel: 140s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20250217-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250217-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/03/2025, 13:02
Static task: static1
Behavioral task: behavioral1
Sample: ff1ebb565ca943b117ab688e10e9f10b.exe
Resource: win7-20240903-en
General

Target: ff1ebb565ca943b117ab688e10e9f10b.exe
Size: 3.0MB
MD5: ff1ebb565ca943b117ab688e10e9f10b
SHA1: d35fdcd2b00a60afec28bd9579c3461ba1225671
SHA256: 26d09f46d3cc20583ea59a17a3ea6eb482b1e7171bf7a98f17032b2606f7bbdd
SHA512: 28b455133d0295f7336762e9c4a26f408a7c28505ecec9ad0a15069354bc41f72523e2b3c1a2a9dce1620d0d43964512259a376816e96f6d7d807b7db5e69ebe
SSDEEP: 49152:OBaAgnAX+BKQGguHFCqmbG4Bb41BeFvSry6vqB32FSM:SaAgAX+QQGgacvMf3qz
Malware Config

Extracted: lumma
Extracted: amadey
5.21
092155
http://176.113.115.6
install_dir: bb556cff4a
install_file: rapes.exe
strings_key: a131b127e996a898cd19ffb2d92e481b
url_paths: /Ni9kiput/index.php
Extracted: stealc
trump
http://45.93.20.28
url_path: /85a1cacf11314eb8.php
Signatures

Amadey family

Detects Healer, an antivirus disabler dropper (3 IoCs)
  resource | yara_rule
  behavioral2/memory/3224-550-0x0000000000680000-0x0000000000AFA000-memory.dmp | healer
  behavioral2/memory/3224-554-0x0000000000680000-0x0000000000AFA000-memory.dmp | healer
  behavioral2/memory/3224-620-0x0000000000680000-0x0000000000AFA000-memory.dmp | healer

Gcleaner family

Healer family

Lumma family

  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1" | 31259822d9.exe

Modifies Windows Defender Real-time Protection settings (3 TTPs, 6 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | 31259822d9.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | 31259822d9.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | 31259822d9.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | 31259822d9.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | 31259822d9.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | 31259822d9.exe

  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | 31259822d9.exe

Modifies Windows Defender notification settings (3 TTPs, 2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender Security Center\Notifications | 31259822d9.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1" | 31259822d9.exe

Stealc family

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 13 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | MDC1RC7TJ4XT3Q2BSR71RA5DFH.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | ff1ebb565ca943b117ab688e10e9f10b.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | FGCN7W8Z7ZAI4IVTYM08.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | rapes.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | ebd93290fe.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 508bd398a4.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | rapes.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | e9f66cd69b.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 08b23c373e.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 930eb7ce98.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | rapes.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 3883249678.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 31259822d9.exe

Downloads MZ/PE file (12 IoCs)
  flow | pid | Process
  95 | 2676 | BitLockerToGo.exe
  30 | 4892 | ff1ebb565ca943b117ab688e10e9f10b.exe
  181 | 4664 | 3883249678.exe
  39 | 536 | rapes.exe
  39 | 536 | rapes.exe
  39 | 536 | rapes.exe
  39 | 536 | rapes.exe
  39 | 536 | rapes.exe
  39 | 536 | rapes.exe
  39 | 536 | rapes.exe
  39 | 536 | rapes.exe
  76 | 736 | BitLockerToGo.exe

Checks BIOS information in registry (2 TTPs, 26 IoCs)
BIOS information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 930eb7ce98.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | ebd93290fe.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | ebd93290fe.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 31259822d9.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 508bd398a4.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | MDC1RC7TJ4XT3Q2BSR71RA5DFH.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | ff1ebb565ca943b117ab688e10e9f10b.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | rapes.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 3883249678.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | rapes.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | rapes.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | FGCN7W8Z7ZAI4IVTYM08.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | rapes.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | e9f66cd69b.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 08b23c373e.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 08b23c373e.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 930eb7ce98.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 31259822d9.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 508bd398a4.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | ff1ebb565ca943b117ab688e10e9f10b.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | FGCN7W8Z7ZAI4IVTYM08.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | rapes.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 3883249678.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | MDC1RC7TJ4XT3Q2BSR71RA5DFH.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | rapes.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | e9f66cd69b.exe

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation | FGCN7W8Z7ZAI4IVTYM08.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation | rapes.exe

Executes dropped EXE (16 IoCs)
  pid | Process
  4732 | FGCN7W8Z7ZAI4IVTYM08.exe
  536 | rapes.exe
  216 | e9f66cd69b.exe
  5112 | 08b23c373e.exe
  1336 | 0769261554.exe
  2588 | 0769261554.exe
  1044 | 0769261554.exe
  1500 | 930eb7ce98.exe
  4908 | rapes.exe
  4664 | 3883249678.exe
  3688 | ebd93290fe.exe
  1304 | ec7e32af3a.exe
  3224 | 31259822d9.exe
  1968 | 508bd398a4.exe
  5396 | MDC1RC7TJ4XT3Q2BSR71RA5DFH.exe
  5056 | rapes.exe

Identifies Wine through registry keys (2 TTPs, 13 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Software\Wine | rapes.exe
  Key opened | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Software\Wine | FGCN7W8Z7ZAI4IVTYM08.exe
  Key opened | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Software\Wine | e9f66cd69b.exe
  Key opened | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Software\Wine | 08b23c373e.exe
  Key opened | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Software\Wine | ebd93290fe.exe
  Key opened | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Software\Wine | 31259822d9.exe
  Key opened | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Software\Wine | MDC1RC7TJ4XT3Q2BSR71RA5DFH.exe
  Key opened | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Software\Wine | ff1ebb565ca943b117ab688e10e9f10b.exe
  Key opened | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Software\Wine | rapes.exe
  Key opened | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Software\Wine | 930eb7ce98.exe
  Key opened | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Software\Wine | rapes.exe
  Key opened | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Software\Wine | 3883249678.exe
  Key opened | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Software\Wine | 508bd398a4.exe

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk where infostealers will often target it.

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification (2 TTPs, 2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | 31259822d9.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | 31259822d9.exe

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Adds Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3883249678.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10153960101\\3883249678.exe" | rapes.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ebd93290fe.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10153970101\\ebd93290fe.exe" | rapes.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ec7e32af3a.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10153980101\\ec7e32af3a.exe" | rapes.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\31259822d9.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10153990101\\31259822d9.exe" | rapes.exe

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

AutoIT Executable (1 IoCs)
AutoIT scripts compiled to PE executables.
  resource | yara_rule
  behavioral2/files/0x0009000000023d72-188.dat | autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger (13 IoCs)
  pid | Process
  4892 | ff1ebb565ca943b117ab688e10e9f10b.exe
  4732 | FGCN7W8Z7ZAI4IVTYM08.exe
  536 | rapes.exe
  216 | e9f66cd69b.exe
  5112 | 08b23c373e.exe
  1500 | 930eb7ce98.exe
  4908 | rapes.exe
  4664 | 3883249678.exe
  3688 | ebd93290fe.exe
  3224 | 31259822d9.exe
  1968 | 508bd398a4.exe
  5396 | MDC1RC7TJ4XT3Q2BSR71RA5DFH.exe
  5056 | rapes.exe

Suspicious use of SetThreadContext (3 IoCs)
  description | pid | Process | procid_target
  PID 1336 set thread context of 1044 | 1336 | 0769261554.exe | 101
  PID 216 set thread context of 736 | 216 | e9f66cd69b.exe | 104
  PID 1500 set thread context of 2676 | 1500 | 930eb7ce98.exe | 117

Drops file in Windows directory (1 IoCs)
  description | ioc | Process
  File created | C:\Windows\Tasks\rapes.job | FGCN7W8Z7ZAI4IVTYM08.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoCs)
  pid | pid_target | Process | procid_target
  3360 | 1336 | WerFault.exe | 99

System Location Discovery: System Language Discovery (1 TTPs, 23 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ff1ebb565ca943b117ab688e10e9f10b.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | BitLockerToGo.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 3883249678.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MDC1RC7TJ4XT3Q2BSR71RA5DFH.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 0769261554.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage | ec7e32af3a.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 508bd398a4.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e9f66cd69b.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ebd93290fe.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language | ec7e32af3a.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 31259822d9.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | FGCN7W8Z7ZAI4IVTYM08.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rapes.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 08b23c373e.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 0769261554.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 930eb7ce98.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | BitLockerToGo.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ec7e32af3a.exe

Checks processor information in registry (2 TTPs, 8 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe

Kills process with taskkill (5 IoCs)
  pid | Process
  4384 | taskkill.exe
  2916 | taskkill.exe
  2612 | taskkill.exe
  3544 | taskkill.exe
  1548 | taskkill.exe

Modifies registry class (1 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings | firefox.exe

Suspicious behavior: EnumeratesProcesses (49 IoCs)

Suspicious use of AdjustPrivilegeToken (8 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 3544 | taskkill.exe
  Token: SeDebugPrivilege | 1548 | taskkill.exe
  Token: SeDebugPrivilege | 4384 | taskkill.exe
  Token: SeDebugPrivilege | 2916 | taskkill.exe
  Token: SeDebugPrivilege | 2612 | taskkill.exe
  Token: SeDebugPrivilege | 4040 | firefox.exe
  Token: SeDebugPrivilege | 4040 | firefox.exe
  Token: SeDebugPrivilege | 3224 | 31259822d9.exe

Suspicious use of FindShellTrayWindow (33 IoCs)

Suspicious use of SendNotifyMessage (31 IoCs)

Suspicious use of SetWindowsHookEx (1 IoCs)
  pid | Process
  4040 | firefox.exe

Suspicious use of WriteProcessMemory (64 IoCs)

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

[depth 1, PID 4892] C:\Users\Admin\AppData\Local\Temp\ff1ebb565ca943b117ab688e10e9f10b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ff1ebb565ca943b117ab688e10e9f10b.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Downloads MZ/PE file
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  [depth 2, PID 4732] C:\Users\Admin\AppData\Local\Temp\FGCN7W8Z7ZAI4IVTYM08.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\FGCN7W8Z7ZAI4IVTYM08.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    [depth 3, PID 536] C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Downloads MZ/PE file
      - Checks BIOS information in registry
      - Checks computer location settings
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Adds Run key to start application
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      [depth 4, PID 216] C:\Users\Admin\AppData\Local\Temp\10153920101\e9f66cd69b.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\10153920101\e9f66cd69b.exe"
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        [depth 5, PID 736] C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
          Command line: "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
          - Downloads MZ/PE file
          - System Location Discovery: System Language Discovery
      [depth 4, PID 5112] C:\Users\Admin\AppData\Local\Temp\10153930101\08b23c373e.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\10153930101\08b23c373e.exe"
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
      [depth 4, PID 1336] C:\Users\Admin\AppData\Local\Temp\10153940101\0769261554.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\10153940101\0769261554.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        [depth 5, PID 2588] C:\Users\Admin\AppData\Local\Temp\10153940101\0769261554.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\10153940101\0769261554.exe"
          - Executes dropped EXE
        [depth 5, PID 1044] C:\Users\Admin\AppData\Local\Temp\10153940101\0769261554.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\10153940101\0769261554.exe"
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
        [depth 5, PID 3360] C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1336 -s 808
          - Program crash
      [depth 4, PID 1500] C:\Users\Admin\AppData\Local\Temp\10153950101\930eb7ce98.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\10153950101\930eb7ce98.exe"
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        [depth 5, PID 2676] C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
          Command line: "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
          - Downloads MZ/PE file
          - System Location Discovery: System Language Discovery
      [depth 4, PID 4664] C:\Users\Admin\AppData\Local\Temp\10153960101\3883249678.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\10153960101\3883249678.exe"
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Downloads MZ/PE file
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        [depth 5, PID 5396] C:\Users\Admin\AppData\Local\Temp\MDC1RC7TJ4XT3Q2BSR71RA5DFH.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\MDC1RC7TJ4XT3Q2BSR71RA5DFH.exe"
          - Identifies VirtualBox via ACPI registry values (likely anti-VM)
          - Checks BIOS information in registry
          - Executes dropped EXE
          - Identifies Wine through registry keys
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
      [depth 4, PID 3688] C:\Users\Admin\AppData\Local\Temp\10153970101\ebd93290fe.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\10153970101\ebd93290fe.exe"
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
      [depth 4, PID 1304] C:\Users\Admin\AppData\Local\Temp\10153980101\ec7e32af3a.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\10153980101\ec7e32af3a.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory
        [depth 5, PID 3544] C:\Windows\SysWOW64\taskkill.exe
          Command line: taskkill /F /IM firefox.exe /T
          - System Location Discovery: System Language Discovery
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
        [depth 5, PID 1548] C:\Windows\SysWOW64\taskkill.exe
          Command line: taskkill /F /IM chrome.exe /T
          - System Location Discovery: System Language Discovery
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
        [depth 5, PID 4384] C:\Windows\SysWOW64\taskkill.exe
          Command line: taskkill /F /IM msedge.exe /T
          - System Location Discovery: System Language Discovery
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
        [depth 5, PID 2916] C:\Windows\SysWOW64\taskkill.exe
          Command line: taskkill /F /IM opera.exe /T
          - System Location Discovery: System Language Discovery
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
        [depth 5, PID 2612] C:\Windows\SysWOW64\taskkill.exe
          Command line: taskkill /F /IM brave.exe /T
          - System Location Discovery: System Language Discovery
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
        [depth 5, PID 4708] C:\Program Files\Mozilla Firefox\firefox.exe
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
          [depth 6, PID 4040] C:\Program Files\Mozilla Firefox\firefox.exe
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
            - Checks processor information in registry
            - Modifies registry class
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage
            - Suspicious use of SetWindowsHookEx
            [depth 7, PID 2268] C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2020 -parentBuildID 20240401114208 -prefsHandle 1948 -prefMapHandle 1940 -prefsLen 27454 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3f581a90-ed47-4ba8-9eb0-68d50d3f8643} 4040 "\\.\pipe\gecko-crash-server-pipe.4040" gpu
            [depth 7, PID 1844] C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2468 -parentBuildID 20240401114208 -prefsHandle 2460 -prefMapHandle 2448 -prefsLen 28374 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {52dbe2d4-5a70-4a78-9763-c72380ee182d} 4040 "\\.\pipe\gecko-crash-server-pipe.4040" socket
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3128 -childID 1 -isForBrowser -prefsHandle 3000 -prefMapHandle 2996 -prefsLen 22746 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ee8db5a4-6287-4f55-ab2a-f194aa04cc8a} 4040 "\\.\pipe\gecko-crash-server-pipe.4040" tab7⤵PID:1504
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2972 -childID 2 -isForBrowser -prefsHandle 3432 -prefMapHandle 2716 -prefsLen 32864 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f1c3f586-3aa6-44ae-8bd3-c8ab0405b9e4} 4040 "\\.\pipe\gecko-crash-server-pipe.4040" tab7⤵PID:3276
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4464 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4556 -prefMapHandle 4548 -prefsLen 32864 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9cfb0bdd-343d-483d-8910-49cca58b981b} 4040 "\\.\pipe\gecko-crash-server-pipe.4040" utility7⤵
- Checks processor information in registry
PID:2060
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5560 -childID 3 -isForBrowser -prefsHandle 5500 -prefMapHandle 4532 -prefsLen 27226 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {95336b3c-1782-465e-913c-bcab69b5e037} 4040 "\\.\pipe\gecko-crash-server-pipe.4040" tab7⤵PID:5480
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5684 -childID 4 -isForBrowser -prefsHandle 5692 -prefMapHandle 5696 -prefsLen 27226 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0d785aba-9c93-47a9-9fee-4177ddb2e4b1} 4040 "\\.\pipe\gecko-crash-server-pipe.4040" tab7⤵PID:5508
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5972 -childID 5 -isForBrowser -prefsHandle 5892 -prefMapHandle 5900 -prefsLen 27226 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {236efc4f-6e6f-470b-bd3a-37dec32477e4} 4040 "\\.\pipe\gecko-crash-server-pipe.4040" tab7⤵PID:5520
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10153990101\31259822d9.exe"C:\Users\Admin\AppData\Local\Temp\10153990101\31259822d9.exe"4⤵
- Modifies Windows Defender DisableAntiSpyware settings
- Modifies Windows Defender Real-time Protection settings
- Modifies Windows Defender TamperProtection settings
- Modifies Windows Defender notification settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3224
-
-
C:\Users\Admin\AppData\Local\Temp\10154000101\508bd398a4.exe"C:\Users\Admin\AppData\Local\Temp\10154000101\508bd398a4.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1968
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1336 -ip 13361⤵PID:4556
-
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exeC:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4908
-
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exeC:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5056
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (4): Windows Service (4)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (4): Windows Service (4)
Defense Evasion
- Impair Defenses (5): Disable or Modify Tools (5)
- Modify Registry (6)
- Virtualization/Sandbox Evasion (2)
Credential Access
- Credentials from Password Stores (1): Credentials from Web Browsers (1)
- Unsecured Credentials (3): Credentials In Files (3)
Downloads