Analysis
max time kernel: 102s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20250314-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24/03/2025, 07:54
Static task: static1
General
Target: 442fc32065555d167806a2a766454b88.exe
Size: 1.8MB
MD5: 442fc32065555d167806a2a766454b88
SHA1: 10882938da5aed6fe9e2d7df16919aca6e849eff
SHA256: 61260d7384abdbdf1ca775670bc8c19a0fae83b36f5c45913f8309fe15ce2af9
SHA512: c19e959174d1e266302d782ffb43ffdd891387c4121fa5949f20b6e7d932326f76a972c0bb55cdb4cf51bb49987cd69426100e745f20def59d90fa73add80fe7
SSDEEP: 49152:TnkrXn/GImQqXv0k14QUpvyXW+rKKM2F0luHM4iON6I3sd1:TnkTn/Gqq/B17uvV+PMQMuse
Malware Config

Extracted: amadey
version: 5.21
botnet: 092155
C2: http://176.113.115.6
install_dir: bb556cff4a
install_file: rapes.exe
strings_key: a131b127e996a898cd19ffb2d92e481b
url_paths: /Ni9kiput/index.php

Extracted: stealc
botnet: trump
C2: http://45.93.20.28
url_path: /85a1cacf11314eb8.php
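The two configs above are the most reusable output of the run: host plus path gives the C2 check-in URL, and install_dir plus install_file gives the on-disk artifact (the report later confirms both C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe and C:\Windows\Tasks\rapes.job). The following is an added example, not part of the report or of either family's own code: it derives those indicators from the config fields and matches them against a constructed proxy log. The dict keys are this example's own names for the config fields, and PROXY_LOG is made up for the demonstration.

```python
"""Turn the extracted Amadey/Stealc configs into hunting indicators.

Added example, not part of the sandbox report or of either family's own code.
AMADEY and STEALC hold the values from the report's Malware Config section; the
dict keys, the drop-path rule and PROXY_LOG are this example's assumptions (the
drop path and the .job name are confirmed by rows later in the report).
"""
import re
from urllib.parse import urlsplit

AMADEY = {"version": "5.21", "botnet": "092155", "c2": ["http://176.113.115.6"],
          "install_dir": "bb556cff4a", "install_file": "rapes.exe",
          "url_paths": ["/Ni9kiput/index.php"]}
STEALC = {"botnet": "trump", "c2": ["http://45.93.20.28"],
          "url_path": "/85a1cacf11314eb8.php"}


def c2_urls(cfg):
    """Every C2 host joined with every request path (Amadey lists url_paths,
    Stealc a single url_path)."""
    paths = cfg.get("url_paths") or [cfg["url_path"]]
    return [host.rstrip("/") + path for host in cfg["c2"] for path in paths]


def amadey_host_iocs(cfg):
    """Amadey installs itself as %LOCALAPPDATA%\\Temp\\<install_dir>\\<install_file>
    and schedules it through a .job file named after the install file."""
    stem = cfg["install_file"].rsplit(".", 1)[0]
    return {
        "drop_path": "\\".join(["%LOCALAPPDATA%", "Temp", cfg["install_dir"], cfg["install_file"]]),
        "task_file": "C:\\Windows\\Tasks\\" + stem + ".job",
    }


def match_proxy_log(lines, urls_by_family):
    """Return (line_no, confidence, family, url) for each request to a C2.

    'exact' needs host and path to match the config; 'host' fires on any other
    request to a C2 host, which is how follow-on downloads from the same IP are
    caught without being mistaken for the check-in itself.
    """
    exact, hosts = {}, {}
    for family, urls in urls_by_family.items():
        for url in urls:
            parts = urlsplit(url)
            exact[(parts.hostname, parts.path)] = family
            hosts[parts.hostname] = family
    hits = []
    for no, line in enumerate(lines, 1):
        m = re.search(r'"(?:GET|POST|PUT)\s+(\S+)', line)
        if not m:
            continue
        url = m.group(1)
        parts = urlsplit(url)
        if (parts.hostname, parts.path) in exact:
            hits.append((no, "exact", exact[(parts.hostname, parts.path)], url))
        elif parts.hostname in hosts:
            hits.append((no, "host", hosts[parts.hostname], url))
    return hits


# Constructed proxy log (common log format); line 4 is unrelated traffic.
PROXY_LOG = [
    '10.0.0.5 - - [24/Mar/2025:07:55:01 +0000] "POST http://176.113.115.6/Ni9kiput/index.php HTTP/1.1" 200 312',
    '10.0.0.5 - - [24/Mar/2025:07:55:09 +0000] "GET http://176.113.115.6/files/payload.exe HTTP/1.1" 200 901120',
    '10.0.0.7 - - [24/Mar/2025:07:56:30 +0000] "POST http://45.93.20.28/85a1cacf11314eb8.php HTTP/1.1" 200 87',
    '10.0.0.9 - - [24/Mar/2025:07:57:02 +0000] "GET http://intranet.example/index.php HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    iocs = {"amadey": c2_urls(AMADEY), "stealc": c2_urls(STEALC)}
    print(iocs, amadey_host_iocs(AMADEY))
    for hit in match_proxy_log(PROXY_LOG, iocs):
        print(hit)
```

Matching on host and path rather than host alone matters for C2s on bare IPs: the same address can serve many unrelated paths, so the path is what ties a request to this specific campaign, while the host-only tier still surfaces the payload downloads that the config does not enumerate.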
Signatures

Amadey family

Detects Healer, an antivirus disabler dropper (3 IoCs)
resource | yara_rule
behavioral2/memory/7428-39646-0x0000000000BF0000-0x0000000001024000-memory.dmp | healer
behavioral2/memory/7428-39647-0x0000000000BF0000-0x0000000001024000-memory.dmp | healer
behavioral2/memory/7428-39684-0x0000000000BF0000-0x0000000001024000-memory.dmp | healer
PID 7428 is 2747997d1c.exe (see "Executes dropped EXE"), the same process that writes every Windows Defender registry row below.

Healer family

Disables Windows Defender anti-spyware via policy (1 IoC; signature title not preserved in this export)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1" | 2747997d1c.exe

Modifies Windows Defender Real-time Protection settings (3 TTPs, 6 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | 2747997d1c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | 2747997d1c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | 2747997d1c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | 2747997d1c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | 2747997d1c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | 2747997d1c.exe
Note the WOW6432Node prefix: 2747997d1c.exe is a 32-bit process and the sandbox recorded the writes in the redirected registry view. Whether the 64-bit Defender service honours values at that path should be verified on a test host before these rows are read as a successful bypass rather than an attempt.

Turns off Windows Defender tamper protection (1 IoC; signature title not preserved in this export)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | 2747997d1c.exe
When tamper protection is actually enabled it blocks exactly this kind of registry change; the row records the attempt, not its result.

Modifies Windows Defender notification settings (3 TTPs, 2 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender Security Center\Notifications | 2747997d1c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1" | 2747997d1c.exe

Stealc family
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 5 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 442fc32065555d167806a2a766454b88.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | rapes.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 6bb6814219.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | rapes.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 2747997d1c.exe

Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths or processes. In this run the command is Add-MpPreference -ExclusionPath 'C:' (see the process tree), which excludes the entire system drive from scanning.
pid | Process
4960 | powershell.exe

Downloads MZ/PE file (5 IoCs)
flow | pid | Process
31 | 3600 | rapes.exe
28 | 4752 | svchost.exe
54 | 3600 | rapes.exe
115 | 3600 | rapes.exe
26 | 3600 | rapes.exe
Drops file in Drivers directory (3 IoCs)
description | ioc | Process
File created | C:\Windows\System32\Drivers\750fb06b.sys | d1b2141c.exe
File created | C:\Windows\System32\Drivers\klupd_750fb06ba_arkmon.sys | d1b2141c.exe
File created | C:\Windows\System32\Drivers\klupd_750fb06ba_klbg.sys | d1b2141c.exe
The klupd_* driver names, the C:\KVRT2020_Data\Temp path in the ImagePath rows below and the -accepteula -silent -processlevel flags on d1b2141c.exe in the process tree are consistent with the Kaspersky Virus Removal Tool engine being dropped and run; the same process later opens \??\PhysicalDrive0 for modification and loads these drivers. Check the drivers' signatures before treating them as the sample's own kernel component.

Sets service image path in registry (2 TTPs, 6 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\750fb06b\ImagePath = "System32\\Drivers\\750fb06b.sys" | d1b2141c.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_750fb06ba_arkmon\ImagePath = "System32\\Drivers\\klupd_750fb06ba_arkmon.sys" | d1b2141c.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_750fb06ba_klbg\ImagePath = "System32\\Drivers\\klupd_750fb06ba_klbg.sys" | d1b2141c.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_750fb06ba_klark\ImagePath = "System32\\Drivers\\klupd_750fb06ba_klark.sys" | d1b2141c.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_750fb06ba_mark\ImagePath = "System32\\Drivers\\klupd_750fb06ba_mark.sys" | d1b2141c.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_750fb06ba_arkmon_7C924DD4\ImagePath = "\\??\\C:\\KVRT2020_Data\\Temp\\7C924DD4D20055C80007791130E2D03F\\klupd_750fb06ba_arkmon.sys" | d1b2141c.exe
Checks BIOS information in registry (2 TTPs, 10 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 442fc32065555d167806a2a766454b88.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 442fc32065555d167806a2a766454b88.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | rapes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 6bb6814219.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | rapes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 2747997d1c.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | rapes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 6bb6814219.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | rapes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 2747997d1c.exe

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation | 442fc32065555d167806a2a766454b88.exe
Key value queried | \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation | rapes.exe

Deletes itself (1 IoC)
pid | Process
2216 | tzutil.exe

Executes dropped EXE (11 IoCs)
pid | Process
3600 | rapes.exe
3000 | laf6w_001.exe
4036 | f2832e5128.exe
3112 | upnpcont.exe
2216 | tzutil.exe
6020 | 6bb6814219.exe
6936 | 9ccc466db6.exe
8328 | rapes.exe
7428 | 2747997d1c.exe
6248 | 788c3fde.exe
11416 | d1b2141c.exe
PIDs 8328 (a second rapes.exe instance) and 7428 (2747997d1c.exe) do not appear in the process tree as exported below.
Identifies Wine through registry keys (2 TTPs, 5 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Software\Wine | 442fc32065555d167806a2a766454b88.exe
Key opened | \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Software\Wine | rapes.exe
Key opened | \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Software\Wine | 6bb6814219.exe
Key opened | \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Software\Wine | rapes.exe
Key opened | \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Software\Wine | 2747997d1c.exe

Impair Defenses: Safe Mode Boot (1 TTP, 2 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\750fb06b.sys | d1b2141c.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\750fb06b.sys\ = "Driver" | d1b2141c.exe

Loads dropped DLL (25 IoCs)
pid | Process
11416 | d1b2141c.exe (25 rows)

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification (2 TTPs, 2 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | 2747997d1c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | 2747997d1c.exe
Adds Run key to start application (2 TTPs, 6 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{57F06FF0-B2D5-45F3-BFEE-970F76E38EFD} = "C:\\ProgramData\\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\\aitstatic.exe {7621FABD-8E1C-4682-ACCD-F95D288F67B3}" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{57F06FF0-B2D5-45F3-BFEE-970F76E38EFD} = "C:\\ProgramData\\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\\aitstatic.exe {7621FABD-8E1C-4682-ACCD-F95D288F67B3}" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6bb6814219.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10318620101\\6bb6814219.exe" | rapes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\9ccc466db6.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10318630101\\9ccc466db6.exe" | rapes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2747997d1c.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10318640101\\2747997d1c.exe" | rapes.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\086f6211-f6a5-4b3c-b169-0ea7bf55a0f3 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\{59c04b36-a14e-4eaa-95c8-cef71c4a16b2}\\086f6211-f6a5-4b3c-b169-0ea7bf55a0f3.cmd\"" | d1b2141c.exe
The svchost.exe here is PID 4752, started directly by the dropped laf6w_001.exe with no -k service-group argument (see the process tree), so it is not a legitimately started service host; the two aitstatic.exe Run entries it writes point at a GUID-named ProgramData directory.

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops desktop.ini file(s) (3 IoCs)
description | ioc | Process
File opened for modification | C:\Users\Admin\Documents\desktop.ini | firefox.exe
File opened for modification | C:\Users\Public\desktop.ini | firefox.exe
File opened for modification | C:\Users\Public\Documents\desktop.ini | firefox.exe
These rows come from the installed Firefox (C:\Program Files\Mozilla Firefox\firefox.exe) launched by 9ccc466db6.exe, not from a dropped binary.

Enumerates connected drives (3 TTPs, 1 IoC)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\F: | d1b2141c.exe

Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
Bootkits write to the MBR to gain persistence at a level below the operating system.
description | ioc | Process
File opened for modification | \??\PhysicalDrive0 | d1b2141c.exe

AutoIT Executable (1 IoC)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/files/0x000d00000001fad6-39222.dat | autoit_exe
Suspicious use of NtSetInformationThreadHideFromDebugger (5 IoCs)
pid | Process
1592 | 442fc32065555d167806a2a766454b88.exe
3600 | rapes.exe
6020 | 6bb6814219.exe
8328 | rapes.exe
7428 | 2747997d1c.exe

Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 4036 set thread context of 3396 | 4036 | f2832e5128.exe | 104
Together with the nine WriteProcessMemory rows from 4036 into 3396 and the argument-less MSBuild.exe launch in the process tree, this is the process-injection pattern in which the payload runs inside a signed Microsoft binary.

Checks for VirtualBox DLLs, possible anti-VM trick (1 TTP, 2 IoCs)
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
description | ioc | Process
File opened (read-only) | \??\VBoxMiniRdrDN | 788c3fde.exe
File opened (read-only) | \??\VBoxMiniRdrDN | d1b2141c.exe
Drops file in Windows directory (1 IoC)
description | ioc | Process
File created | C:\Windows\Tasks\rapes.job | 442fc32065555d167806a2a766454b88.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Event Triggered Execution: Netsh Helper DLL (1 TTP, 2 IoCs)
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. Only key opens are recorded here; no helper DLL value is written in these rows.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | d1b2141c.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | d1b2141c.exe

System Location Discovery: System Language Discovery (1 TTP, 16 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe (5 rows)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | laf6w_001.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage | 9ccc466db6.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language | 9ccc466db6.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 9ccc466db6.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 6bb6814219.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2747997d1c.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 442fc32065555d167806a2a766454b88.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rapes.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d1b2141c.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MSBuild.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 788c3fde.exe

Checks processor information in registry (2 TTPs, 18 IoCs)
Processor information is often read in order to detect sandboxing environments. All 18 rows here belong to the installed Firefox, so they reflect normal browser start-up rather than the sample's own evasion.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe (7 rows)
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe (7 rows)
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe

Kills process with taskkill (5 IoCs)
pid | Process
7308 | taskkill.exe
7424 | taskkill.exe
7004 | taskkill.exe
880 | taskkill.exe
2488 | taskkill.exe

Modifies registry class (1 IoC)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings | firefox.exe
Suspicious behavior: EnumeratesProcesses (27 IoCs, collapsed to one row per process)
pid | Process | rows
1592 | 442fc32065555d167806a2a766454b88.exe | 2
3600 | rapes.exe | 2
4960 | powershell.exe | 2
3396 | MSBuild.exe | 4
6020 | 6bb6814219.exe | 2
6936 | 9ccc466db6.exe | 4
8328 | rapes.exe | 2
7428 | 2747997d1c.exe | 5
11416 | d1b2141c.exe | 4

Suspicious behavior: LoadsDriver (4 IoCs)
pid | Process
11416 | d1b2141c.exe (4 rows)

Suspicious behavior: MapViewOfSection (3 IoCs)
pid | Process
3000 | laf6w_001.exe (3 rows)

Suspicious use of AdjustPrivilegeToken (46 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4960 | powershell.exe
Token: SeDebugPrivilege | 7004 | taskkill.exe
Token: SeDebugPrivilege | 880 | taskkill.exe
Token: SeDebugPrivilege | 2488 | taskkill.exe
Token: SeDebugPrivilege | 7308 | taskkill.exe
Token: SeDebugPrivilege | 7424 | taskkill.exe
Token: SeDebugPrivilege (2 rows) | 7612 | firefox.exe
Token: SeDebugPrivilege | 7428 | 2747997d1c.exe
The remaining 37 rows are all 11416 d1b2141c.exe, enabling (several of them repeatedly): SeDebugPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeLoadDriverPrivilege, SeShutdownPrivilege, SeSystemEnvironmentPrivilege, SeSecurityPrivilege, SeCreatePermanentPrivilege, SeIncreaseQuotaPrivilege, SeSystemProfilePrivilege, SeMachineAccountPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeTcbPrivilege, SeAuditPrivilege.

Suspicious use of FindShellTrayWindow (30 IoCs)
pid | Process
6936 | 9ccc466db6.exe (12 rows)
7612 | firefox.exe (18 rows)

Suspicious use of SendNotifyMessage (24 IoCs)
pid | Process
6936 | 9ccc466db6.exe (12 rows)
7612 | firefox.exe (12 rows)

Suspicious use of SetWindowsHookEx (1 IoC)
pid | Process
7612 | firefox.exe

Suspicious use of WriteProcessMemory (64 IoCs, collapsed to one row per parent/child pair)
pid | Process | wrote to memory of | procid_target | rows
1592 | 442fc32065555d167806a2a766454b88.exe | 3600 | 89 | 3
3600 | rapes.exe | 3000 | 95 | 3
3000 | laf6w_001.exe | 4580 | 96 | 2
3000 | laf6w_001.exe | 4752 | 98 | 2
4580 | cmd.exe | 4960 | 99 | 2
3600 | rapes.exe | 4036 | 102 | 2
4036 | f2832e5128.exe | 3396 | 104 | 9
4752 | svchost.exe | 3112 | 105 | 2
4752 | svchost.exe | 2216 | 106 | 2
3600 | rapes.exe | 6020 | 110 | 3
3600 | rapes.exe | 6936 | 116 | 3
6936 | 9ccc466db6.exe | 7004 | 117 | 3
6936 | 9ccc466db6.exe | 880 | 119 | 3
6936 | 9ccc466db6.exe | 2488 | 121 | 3
6936 | 9ccc466db6.exe | 7308 | 123 | 3
6936 | 9ccc466db6.exe | 7424 | 125 | 3
6936 | 9ccc466db6.exe | 7560 | 127 | 2
7560 | firefox.exe | 7612 | 128 | 11
7612 | firefox.exe | 772 | 129 | 3

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
Indentation follows the depth number the export attached to each entry (1 = the submitted sample).

C:\Users\Admin\AppData\Local\Temp\442fc32065555d167806a2a766454b88.exe  (depth 1, PID 1592)
  command line: "C:\Users\Admin\AppData\Local\Temp\442fc32065555d167806a2a766454b88.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe  (depth 2, PID 3600)
    command line: "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Downloads MZ/PE file
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\10318590101\laf6w_001.exe  (depth 3, PID 3000)
      command line: "C:\Users\Admin\AppData\Local\Temp\10318590101\laf6w_001.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory

      C:\Windows\SYSTEM32\cmd.exe  (depth 4, PID 4580)
        command line: cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:'
        - Suspicious use of WriteProcessMemory

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (depth 5, PID 4960)
          command line: powershell.exe Add-MpPreference -ExclusionPath 'C:'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

      C:\Windows\system32\svchost.exe  (depth 4, PID 4752)
        command line: "C:\Windows\system32\svchost.exe"
        - Downloads MZ/PE file
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory

        C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\upnpcont.exe  (depth 5, PID 3112)
          command line: "C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\upnpcont.exe" ""
          - Executes dropped EXE

        C:\Users\Admin\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe  (depth 5, PID 2216)
          command line: "C:\Users\Admin\AppData\Local\Temp\\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe" ""
          - Deletes itself
          - Executes dropped EXE

          C:\Users\Admin\AppData\Local\Temp\{ec70c38a-d3ea-47ea-aa46-10150c9d2d46}\788c3fde.exe  (depth 6, PID 6248)
            command line: "C:\Users\Admin\AppData\Local\Temp\{ec70c38a-d3ea-47ea-aa46-10150c9d2d46}\788c3fde.exe" -accepteula -adinsilent -silent -processlevel 2 -postboot
            - Executes dropped EXE
            - Checks for VirtualBox DLLs, possible anti-VM trick
            - System Location Discovery: System Language Discovery

            C:\Users\Admin\AppData\Local\Temp\{9c1a0fe4-10ec-470e-a247-7d4a472b6df8}\d1b2141c.exe  (depth 7, PID 11416)
              command line: C:/Users/Admin/AppData/Local/Temp/{9c1a0fe4-10ec-470e-a247-7d4a472b6df8}/\d1b2141c.exe -accepteula -adinsilent -silent -processlevel 2 -postboot
              - Drops file in Drivers directory
              - Sets service image path in registry
              - Executes dropped EXE
              - Impair Defenses: Safe Mode Boot
              - Loads dropped DLL
              - Adds Run key to start application
              - Enumerates connected drives
              - Writes to the Master Boot Record (MBR)
              - Checks for VirtualBox DLLs, possible anti-VM trick
              - Event Triggered Execution: Netsh Helper DLL
              - System Location Discovery: System Language Discovery
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious behavior: LoadsDriver
              - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Local\Temp\10318600101\f2832e5128.exe  (depth 3, PID 4036)
      command line: "C:\Users\Admin\AppData\Local\Temp\10318600101\f2832e5128.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

      C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  (depth 4, PID 3396)
        command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses

    C:\Users\Admin\AppData\Local\Temp\10318620101\6bb6814219.exe  (depth 3, PID 6020)
      command line: "C:\Users\Admin\AppData\Local\Temp\10318620101\6bb6814219.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses

    C:\Users\Admin\AppData\Local\Temp\10318630101\9ccc466db6.exe  (depth 3, PID 6936)
      command line: "C:\Users\Admin\AppData\Local\Temp\10318630101\9ccc466db6.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\taskkill.exe  (depth 4, PID 7004)
        command line: taskkill /F /IM firefox.exe /T
        - System Location Discovery: System Language Discovery
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\taskkill.exe  (depth 4, PID 880)
        command line: taskkill /F /IM chrome.exe /T
        - System Location Discovery: System Language Discovery
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\taskkill.exe  (depth 4, PID 2488)
        command line: taskkill /F /IM msedge.exe /T
        - System Location Discovery: System Language Discovery
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\taskkill.exe  (depth 4, PID 7308)
        command line: taskkill /F /IM opera.exe /T
        - System Location Discovery: System Language Discovery
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\taskkill.exe  (depth 4, PID 7424)
        command line: taskkill /F /IM brave.exe /T
        - System Location Discovery: System Language Discovery
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

      C:\Program Files\Mozilla Firefox\firefox.exe  (depth 4, PID 7560)
        command line: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
        - Suspicious use of WriteProcessMemory

        C:\Program Files\Mozilla Firefox\firefox.exe  (depth 5, PID 7612)
          command line: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
          - Drops desktop.ini file(s)
          - Checks processor information in registry
          - Modifies registry class
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          C:\Program Files\Mozilla Firefox\firefox.exe  (depth 6, PID 772)
            command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2012 -prefsLen 27099 -prefMapHandle 2016 -prefMapSize 270279 -ipcHandle 2084 -initialChannelId {9186c35d-5895-4458-af57-c322e05e2ba5} -parentPid 7612 -crashReporter "\\.\pipe\gecko-crash-server-pipe.7612" -appDir "C:\Program Files\Mozilla Firefox\browser" - 1 gpu

          C:\Program Files\Mozilla Firefox\firefox.exe  (depth 6, PID 8216)
            command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2500 -prefsLen 27135 -prefMapHandle 2504 -prefMapSize 270279 -ipcHandle 2512 -initialChannelId {000115b7-e9dc-4790-8ac4-bf2e3e279493} -parentPid 7612 -crashReporter "\\.\pipe\gecko-crash-server-pipe.7612" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 2 socket

          C:\Program Files\Mozilla Firefox\firefox.exe  (depth 6, PID 9104)
            command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3920 -prefsLen 25213 -prefMapHandle 3924 -prefMapSize 270279 -jsInitHandle 3928 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3936 -initialChannelId {1b31ded2-48a1-4e08-91e0-30f959d3fe0e} -parentPid 7612 -crashReporter "\\.\pipe\gecko-crash-server-pipe.7612" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 3 tab
            - Checks processor information in registry

          C:\Program Files\Mozilla Firefox\firefox.exe  (depth 6, PID 9188)
            command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 4084 -prefsLen 27325 -prefMapHandle 4088 -prefMapSize 270279 -ipcHandle 4072 -initialChannelId {30419433-60f9-4234-8ff7-608efd300b26} -parentPid 7612 -crashReporter "\\.\pipe\gecko-crash-server-pipe.7612" -appDir "C:\Program Files\Mozilla Firefox\browser" - 4 rdd

          C:\Program Files\Mozilla Firefox\firefox.exe  (depth 6, PID 9716)
            command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 4376 -prefsLen 34824 -prefMapHandle 4380 -prefMapSize 270279 -jsInitHandle 4384 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 4356 -initialChannelId {04f9adf3-8cf7-4de4-b2ff-44ae7d187c47} -parentPid 7612 -crashReporter "\\.\pipe\gecko-crash-server-pipe.7612" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 5 tab
            - Checks processor information in registry

          C:\Program Files\Mozilla Firefox\firefox.exe  (depth 6, PID not present in this export)
            command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -sandboxingKind 0 -prefsHandle 5164 -prefsLen 35012 -prefMapHandle 5168 -prefMapSize 270279 -ipcHandle 5144 -initialChannelId {e64c9507-0f60-46b8-ae0f-959360226c0d} -parentPid 7612 -crashReporter "\\.\pipe\gecko-crash-server-pipe.7612" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 6 utility
            - Checks processor information in registry
PID:3128
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5272 -prefsLen 32952 -prefMapHandle 5276 -prefMapSize 270279 -jsInitHandle 5280 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5236 -initialChannelId {dfa547c3-cacb-46fc-a930-7abf3f15387d} -parentPid 7612 -crashReporter "\\.\pipe\gecko-crash-server-pipe.7612" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 7 tab6⤵
- Checks processor information in registry
PID:6508
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5472 -prefsLen 32952 -prefMapHandle 5476 -prefMapSize 270279 -jsInitHandle 5480 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5276 -initialChannelId {ef8f867d-61ce-4ff5-889a-46c586f7f373} -parentPid 7612 -crashReporter "\\.\pipe\gecko-crash-server-pipe.7612" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 8 tab6⤵
- Checks processor information in registry
PID:6572
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5504 -prefsLen 32952 -prefMapHandle 5508 -prefMapSize 270279 -jsInitHandle 5512 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5488 -initialChannelId {22751fd7-d4ff-4ee9-a29e-465f41621750} -parentPid 7612 -crashReporter "\\.\pipe\gecko-crash-server-pipe.7612" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 9 tab6⤵
- Checks processor information in registry
PID:412
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10318640101\2747997d1c.exe"C:\Users\Admin\AppData\Local\Temp\10318640101\2747997d1c.exe"3⤵
- Modifies Windows Defender DisableAntiSpyware settings
- Modifies Windows Defender Real-time Protection settings
- Modifies Windows Defender TamperProtection settings
- Modifies Windows Defender notification settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:7428
-
-
-
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exeC:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:8328
-
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exeC:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe1⤵PID:2920
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (2)
- Create or Modify System Process (4)
  - Windows Service (4)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)
- Pre-OS Boot (1)
  - Bootkit (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (2)
- Create or Modify System Process (4)
  - Windows Service (4)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)
Defense Evasion
- Impair Defenses (6)
  - Disable or Modify Tools (5)
  - Safe Mode Boot (1)
- Modify Registry (7)
- Pre-OS Boot (1)
  - Bootkit (1)
- Virtualization/Sandbox Evasion (2)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Downloads