4d900d4167d5087233fa638acba93bb2e5b64ed81c1b384f4f04bf68aa7be90e

Analysis

max time kernel
555s
max time network
565s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
03/07/2024, 12:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

raidtool.exe
Size

11.0MB
MD5

e647ee067a72c800a7ed0fe671ed35e9
SHA1

8a2567c0a296f3c5b82ece58acaaeb7605c6323e
SHA256

4d900d4167d5087233fa638acba93bb2e5b64ed81c1b384f4f04bf68aa7be90e
SHA512

5091641fee56702b8592a47a9b92c83ab6bf2a486bf2312fb79122167f5ebe81de433382f333b12647bc9d653e6eafad905b53fdb6f30474282ac0791e72f43f
SSDEEP

196608:bnQ/X1G89EqlA1HeT39Iigw8v+vvKub75bcjWgbkzfAcUToG1kMbikjbzWl+OUdf:iG8du1+TtIiFpvvB5IjWqkzabfpHda

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 64 IoCs

pid	Process
4856	raidtool.exe
4856	raidtool.exe
4856	raidtool.exe
4856	raidtool.exe
4856	raidtool.exe
4856	raidtool.exe
4856	raidtool.exe
4856	raidtool.exe
4856	raidtool.exe
4856	raidtool.exe
4856	raidtool.exe
4856	raidtool.exe
4856	raidtool.exe
4856	raidtool.exe
4856	raidtool.exe
4856	raidtool.exe
4856	raidtool.exe
4856	raidtool.exe
4856	raidtool.exe
4856	raidtool.exe
4856	raidtool.exe
4856	raidtool.exe
4856	raidtool.exe
4856	raidtool.exe
4856	raidtool.exe
4856	raidtool.exe
4856	raidtool.exe
4856	raidtool.exe
4840	raidtool.exe
4840	raidtool.exe
4840	raidtool.exe
4840	raidtool.exe
4840	raidtool.exe
4840	raidtool.exe
4840	raidtool.exe
4840	raidtool.exe
4840	raidtool.exe
4840	raidtool.exe
4840	raidtool.exe
4840	raidtool.exe
4840	raidtool.exe
4840	raidtool.exe
4840	raidtool.exe
4840	raidtool.exe
4840	raidtool.exe
4840	raidtool.exe
4840	raidtool.exe
4840	raidtool.exe
4840	raidtool.exe
4840	raidtool.exe
4840	raidtool.exe
4840	raidtool.exe
4840	raidtool.exe
4840	raidtool.exe
4840	raidtool.exe
4840	raidtool.exe
3852	raidtool.exe
3852	raidtool.exe
3852	raidtool.exe
3852	raidtool.exe
3852	raidtool.exe
3852	raidtool.exe
3852	raidtool.exe
3852	raidtool.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
15	discord.com

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 16 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 43 IoCs

pid	Process
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
668	Process not Found

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	1836	taskmgr.exe
Token: SeSystemProfilePrivilege	1836	taskmgr.exe
Token: SeCreateGlobalPrivilege	1836	taskmgr.exe
Token: 33	1836	taskmgr.exe
Token: SeIncBasePriorityPrivilege	1836	taskmgr.exe
Token: SeDebugPrivilege	2852	firefox.exe
Token: SeDebugPrivilege	2852	firefox.exe
Token: SeDebugPrivilege	1456	firefox.exe
Token: SeDebugPrivilege	1456	firefox.exe
Token: SeDebugPrivilege	1456	firefox.exe
Token: SeDebugPrivilege	1456	firefox.exe
Token: SeDebugPrivilege	1456	firefox.exe
Token: SeDebugPrivilege	1456	firefox.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2852	firefox.exe
1456	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2852 wrote to memory of 4856	2852	raidtool.exe	81
PID 2852 wrote to memory of 4856	2852	raidtool.exe	81
PID 4856 wrote to memory of 3548	4856	raidtool.exe	83
PID 4856 wrote to memory of 3548	4856	raidtool.exe	83
PID 4856 wrote to memory of 3584	4856	raidtool.exe	84
PID 4856 wrote to memory of 3584	4856	raidtool.exe	84
PID 4856 wrote to memory of 3604	4856	raidtool.exe	85
PID 4856 wrote to memory of 3604	4856	raidtool.exe	85
PID 4856 wrote to memory of 4968	4856	raidtool.exe	86
PID 4856 wrote to memory of 4968	4856	raidtool.exe	86
PID 4856 wrote to memory of 3972	4856	raidtool.exe	87
PID 4856 wrote to memory of 3972	4856	raidtool.exe	87
PID 4856 wrote to memory of 1560	4856	raidtool.exe	88
PID 4856 wrote to memory of 1560	4856	raidtool.exe	88
PID 4856 wrote to memory of 1012	4856	raidtool.exe	89
PID 4856 wrote to memory of 1012	4856	raidtool.exe	89
PID 4856 wrote to memory of 5096	4856	raidtool.exe	90
PID 4856 wrote to memory of 5096	4856	raidtool.exe	90
PID 4856 wrote to memory of 5084	4856	raidtool.exe	91
PID 4856 wrote to memory of 5084	4856	raidtool.exe	91
PID 4856 wrote to memory of 5052	4856	raidtool.exe	92
PID 4856 wrote to memory of 5052	4856	raidtool.exe	92
PID 4856 wrote to memory of 3084	4856	raidtool.exe	93
PID 4856 wrote to memory of 3084	4856	raidtool.exe	93
PID 2992 wrote to memory of 4840	2992	raidtool.exe	116
PID 2992 wrote to memory of 4840	2992	raidtool.exe	116
PID 4840 wrote to memory of 1300	4840	raidtool.exe	117
PID 4840 wrote to memory of 1300	4840	raidtool.exe	117
PID 4840 wrote to memory of 1776	4840	raidtool.exe	118
PID 4840 wrote to memory of 1776	4840	raidtool.exe	118
PID 4840 wrote to memory of 1736	4840	raidtool.exe	119
PID 4840 wrote to memory of 1736	4840	raidtool.exe	119
PID 4840 wrote to memory of 2376	4840	raidtool.exe	120
PID 4840 wrote to memory of 2376	4840	raidtool.exe	120
PID 4840 wrote to memory of 1264	4840	raidtool.exe	121
PID 4840 wrote to memory of 1264	4840	raidtool.exe	121
PID 4840 wrote to memory of 1756	4840	raidtool.exe	122
PID 4840 wrote to memory of 1756	4840	raidtool.exe	122
PID 4840 wrote to memory of 4560	4840	raidtool.exe	123
PID 4840 wrote to memory of 4560	4840	raidtool.exe	123
PID 4840 wrote to memory of 4192	4840	raidtool.exe	124
PID 4840 wrote to memory of 4192	4840	raidtool.exe	124
PID 4840 wrote to memory of 4632	4840	raidtool.exe	125
PID 4840 wrote to memory of 4632	4840	raidtool.exe	125
PID 4840 wrote to memory of 2300	4840	raidtool.exe	126
PID 4840 wrote to memory of 2300	4840	raidtool.exe	126
PID 4840 wrote to memory of 1236	4840	raidtool.exe	127
PID 4840 wrote to memory of 1236	4840	raidtool.exe	127
PID 4840 wrote to memory of 2364	4840	raidtool.exe	128
PID 4840 wrote to memory of 2364	4840	raidtool.exe	128
PID 4840 wrote to memory of 2152	4840	raidtool.exe	129
PID 4840 wrote to memory of 2152	4840	raidtool.exe	129
PID 4840 wrote to memory of 2412	4840	raidtool.exe	130
PID 4840 wrote to memory of 2412	4840	raidtool.exe	130
PID 4840 wrote to memory of 1940	4840	raidtool.exe	131
PID 4840 wrote to memory of 1940	4840	raidtool.exe	131
PID 4840 wrote to memory of 1484	4840	raidtool.exe	132
PID 4840 wrote to memory of 1484	4840	raidtool.exe	132
PID 4840 wrote to memory of 3836	4840	raidtool.exe	133
PID 4840 wrote to memory of 3836	4840	raidtool.exe	133
PID 4840 wrote to memory of 1164	4840	raidtool.exe	134
PID 4840 wrote to memory of 1164	4840	raidtool.exe	134
PID 4840 wrote to memory of 5112	4840	raidtool.exe	135
PID 4840 wrote to memory of 5112	4840	raidtool.exe	135

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\raidtool.exe
"C:\Users\Admin\AppData\Local\Temp\raidtool.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2852
- C:\Users\Admin\AppData\Local\Temp\raidtool.exe
  "C:\Users\Admin\AppData\Local\Temp\raidtool.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4856
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c
    3⤵
    PID:3548
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:3584
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c
    3⤵
    PID:3604
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c
    3⤵
    PID:4968
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c
    3⤵
    PID:3972
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c
    3⤵
    PID:1560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c
    3⤵
    PID:1012
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c
    3⤵
    PID:5096
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c
    3⤵
    PID:5084
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c
    3⤵
    PID:5052
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c
    3⤵
    PID:3084

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1836

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1820

C:\Users\Admin\Desktop\raidtool.exe
"C:\Users\Admin\Desktop\raidtool.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2992
- C:\Users\Admin\Desktop\raidtool.exe
  "C:\Users\Admin\Desktop\raidtool.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4840
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c
    3⤵
    PID:1300
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:1776
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c
    3⤵
    PID:1736
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c
    3⤵
    PID:2376
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c
    3⤵
    PID:1264
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c
    3⤵
    PID:1756
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c
    3⤵
    PID:4560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c
    3⤵
    PID:4192
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c
    3⤵
    PID:4632
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c
    3⤵
    PID:2300
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c
    3⤵
    PID:1236
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:2364
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c
    3⤵
    PID:2152
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c
    3⤵
    PID:2412
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c
    3⤵
    PID:1940
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c
    3⤵
    PID:1484
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c
    3⤵
    PID:3836
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c
    3⤵
    PID:1164
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c
    3⤵
    PID:5112
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c
    3⤵
    PID:2392
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c
    3⤵
    PID:2408
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:3124
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c
    3⤵
    PID:2360
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c
    3⤵
    PID:3676
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c
    3⤵
    PID:1012
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c
    3⤵
    PID:3104
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c
    3⤵
    PID:2168
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c
    3⤵
    PID:4308
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c
    3⤵
    PID:4276
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c
    3⤵
    PID:2700
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c
    3⤵
    PID:1984

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:652
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2852
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2852.0.1083940843\521937485" -parentBuildID 20230214051806 -prefsHandle 1772 -prefMapHandle 1756 -prefsLen 22244 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9f22e7d0-7c51-4bc9-abe8-7e2b3570a612} 2852 "\\.\pipe\gecko-crash-server-pipe.2852" 1852 1d2ffc0c158 gpu
    3⤵
    PID:3032
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2852.1.12733959\482703178" -parentBuildID 20230214051806 -prefsHandle 2392 -prefMapHandle 2388 -prefsLen 22280 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {10bf9175-1043-4239-822d-72eff11a3d38} 2852 "\\.\pipe\gecko-crash-server-pipe.2852" 2412 1d28a279b58 socket
    3⤵
    - Checks processor information in registry
    PID:1964
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2852.2.771755257\1799131253" -childID 1 -isForBrowser -prefsHandle 3004 -prefMapHandle 3000 -prefsLen 22318 -prefMapSize 235121 -jsInitHandle 1324 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e1ae5edc-e896-47b8-8eff-9360b62d41d6} 2852 "\\.\pipe\gecko-crash-server-pipe.2852" 3012 1d28c6e0858 tab
    3⤵
    PID:4676
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2852.3.563917742\2000782888" -childID 2 -isForBrowser -prefsHandle 3768 -prefMapHandle 3588 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1324 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ec79fa9e-02ec-4cae-940a-dd79c22d5fff} 2852 "\\.\pipe\gecko-crash-server-pipe.2852" 3784 1d28ef8e958 tab
    3⤵
    PID:2340
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2852.4.2015422023\1312543283" -childID 3 -isForBrowser -prefsHandle 5068 -prefMapHandle 5064 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1324 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0aeba31e-062d-4c04-baa4-20940dcd61e6} 2852 "\\.\pipe\gecko-crash-server-pipe.2852" 5072 1d29104c458 tab
    3⤵
    PID:4032
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2852.5.588259122\2043183673" -childID 4 -isForBrowser -prefsHandle 5224 -prefMapHandle 5228 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1324 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9a431b60-3ffe-4551-b4a1-3d5e9ed24eff} 2852 "\\.\pipe\gecko-crash-server-pipe.2852" 5212 1d29104d058 tab
    3⤵
    PID:1184
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2852.6.1792598240\1257605153" -childID 5 -isForBrowser -prefsHandle 5432 -prefMapHandle 5440 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1324 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {329d7534-f09d-4183-9990-1be846e7125a} 2852 "\\.\pipe\gecko-crash-server-pipe.2852" 5424 1d29104df58 tab
    3⤵
    PID:2964
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2852.7.1126441114\2040124348" -childID 6 -isForBrowser -prefsHandle 5864 -prefMapHandle 5860 -prefsLen 27771 -prefMapSize 235121 -jsInitHandle 1324 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8e15b37c-c208-497f-bd8f-d93050cc1769} 2852 "\\.\pipe\gecko-crash-server-pipe.2852" 5872 1d28d406558 tab
    3⤵
    PID:2700

C:\Users\Admin\Desktop\raidtool.exe
"C:\Users\Admin\Desktop\raidtool.exe"
1⤵
PID:1860
- C:\Users\Admin\Desktop\raidtool.exe
  "C:\Users\Admin\Desktop\raidtool.exe"
  2⤵
  - Loads dropped DLL
  PID:3852
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c
    3⤵
    PID:1624
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:3448
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c
    3⤵
    PID:2812
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c
    3⤵
    PID:3200
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c
    3⤵
    PID:1588
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c
    3⤵
    PID:3088
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c
    3⤵
    PID:3228
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c
    3⤵
    PID:4144
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c
    3⤵
    PID:4664
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c
    3⤵
    PID:3804
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c
    3⤵
    PID:3892

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:984
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1456
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1456.0.571996019\1890524756" -parentBuildID 20230214051806 -prefsHandle 1820 -prefMapHandle 1812 -prefsLen 22244 -prefMapSize 235168 -appDir "C:\Program Files\Mozilla Firefox\browser" - {81ba1001-8bb4-415b-87b5-caf4c0fbe33f} 1456 "\\.\pipe\gecko-crash-server-pipe.1456" 1900 1de2cef3458 gpu
    3⤵
    PID:2008
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1456.1.1251063102\1387302595" -parentBuildID 20230214051806 -prefsHandle 2440 -prefMapHandle 2428 -prefsLen 22280 -prefMapSize 235168 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {69b507dc-b9e5-416d-9c19-dd557f4b4a9b} 1456 "\\.\pipe\gecko-crash-server-pipe.1456" 2468 1de2108ab58 socket
    3⤵
    PID:1476
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1456.2.1359750013\1273869935" -childID 1 -isForBrowser -prefsHandle 2856 -prefMapHandle 3060 -prefsLen 22318 -prefMapSize 235168 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3b8c1443-775d-49a8-9c9b-fa25e137cae5} 1456 "\\.\pipe\gecko-crash-server-pipe.1456" 3048 1de306e7b58 tab
    3⤵
    PID:2844
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1456.3.1069292907\1710234627" -childID 2 -isForBrowser -prefsHandle 4200 -prefMapHandle 4196 -prefsLen 27692 -prefMapSize 235168 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {09a328fe-9d4b-4d19-806c-3103f366fd70} 1456 "\\.\pipe\gecko-crash-server-pipe.1456" 4212 1de332c0458 tab
    3⤵
    PID:3772
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1456.4.1348622204\2042089320" -childID 3 -isForBrowser -prefsHandle 5040 -prefMapHandle 5072 -prefsLen 27692 -prefMapSize 235168 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cf5e26f3-340d-41a3-8707-2a9e1c4f225a} 1456 "\\.\pipe\gecko-crash-server-pipe.1456" 5088 1de34d50858 tab
    3⤵
    PID:5116
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1456.5.1811992278\1580075829" -childID 4 -isForBrowser -prefsHandle 5236 -prefMapHandle 5244 -prefsLen 27692 -prefMapSize 235168 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {50906fe5-40da-41a2-b63a-b522cf41b431} 1456 "\\.\pipe\gecko-crash-server-pipe.1456" 5228 1de34d53258 tab
    3⤵
    PID:2348
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1456.6.812995072\656458486" -childID 5 -isForBrowser -prefsHandle 5404 -prefMapHandle 5316 -prefsLen 27692 -prefMapSize 235168 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2db46efe-ba47-4eb5-bbd5-955016e6fad1} 1456 "\\.\pipe\gecko-crash-server-pipe.1456" 5448 1de34d53858 tab
    3⤵
    PID:3028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\activity-stream.discovery_stream.json.tmp

Filesize
27KB

MD5
0cffff6e312deaa9d3794f6eb1576bcc

SHA1
df81d8e28278e02a4906abe22165f15ff92aa2b1

SHA256
baa330739342960ad4f04c486985b4356c5c23c781e01e6eea99fcc380e73acc

SHA512
e137b475ad3c59a0ecf94a034a8cfcfd7f6e083627399354ad06e8969f899457b90d888f1dc50a4d1b8e3f74bfc243ed49f0f8bfc0a8ddf977767051b5df27c8

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\cache2\entries\099EB2BF8827A4F91EAB3E38B14650D0205226F2

Filesize
16KB

MD5
578a9c55edc76db0e0ffee4dc8da3ece

SHA1
a85c92b2f82975e9cd713a9db87529238ab280f2

SHA256
d889585aceea579c09de0b909f6cd94fce023d73fc07c189c16a2726ededf50f

SHA512
99cdf282f31c44e3d58ddf083c3f09887632f0f5744fafe38b2de914c1dc20275732ec3c35731740a029106f0ca17b32bd089602ccc0817cd2632460a02f396a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28522\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28522\_asyncio.pyd

Filesize
69KB

MD5
209cbcb4e1a16aa39466a6119322343c

SHA1
cdcce6b64ebf11fecff739cbc57e7a98d6620801

SHA256
f7069734d5174f54e89b88d717133bff6a41b01e57f79957ab3f02daa583f9e2

SHA512
5bbc4ede01729e628260cf39df5809624eae795fd7d51a1ed770ed54663955674593a97b78f66dbf6ae268186273840806ed06d6f7877444d32fdca031a9f0da

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28522\_bz2.pyd

Filesize
82KB

MD5
59d60a559c23202beb622021af29e8a9

SHA1
a405f23916833f1b882f37bdbba2dd799f93ea32

SHA256
706d4a0c26dd454538926cbb2ff6c64257c3d9bd48c956f7cabd6def36ffd13e

SHA512
2f60e79603cf456b2a14b8254cec75ce8be0a28d55a874d4fb23d92d63bbe781ed823ab0f4d13a23dc60c4df505cbf1dbe1a0a2049b02e4bdec8d374898002b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28522\_ctypes.pyd

Filesize
122KB

MD5
2a834c3738742d45c0a06d40221cc588

SHA1
606705a593631d6767467fb38f9300d7cd04ab3e

SHA256
f20dfa748b878751ea1c4fe77a230d65212720652b99c4e5577bce461bbd9089

SHA512
924235a506ce4d635fa7c2b34e5d8e77eff73f963e58e29c6ef89db157bf7bab587678bb2120d09da70594926d82d87dbaa5d247e861e331cf591d45ea19a117

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28522\_decimal.pyd

Filesize
246KB

MD5
f930b7550574446a015bc602d59b0948

SHA1
4ee6ff8019c6c540525bdd2790fc76385cdd6186

SHA256
3b9ad1d2bc9ec03d37da86135853dac73b3fe851b164fe52265564a81eb8c544

SHA512
10b864975945d6504433554f9ff11b47218caa00f809c6bce00f9e4089b862190a4219f659697a4ba5e5c21edbe1d8d325950921e09371acc4410469bd9189ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28522\_hashlib.pyd

Filesize
64KB

MD5
b0262bd89a59a3699bfa75c4dcc3ee06

SHA1
eb658849c646a26572dea7f6bfc042cb62fb49dc

SHA256
4adfbbd6366d9b55d902fc54d2b42e7c8c989a83016ed707bd7a302fc3fc7b67

SHA512
2e4b214de3b306e3a16124af434ff8f5ab832aa3eeb1aa0aa9b49b0ada0928dcbb05c57909292fbe3b01126f4cd3fe0dac9cc15eaea5f3844d6e267865b9f7b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28522\_lzma.pyd

Filesize
155KB

MD5
b71dbe0f137ffbda6c3a89d5bcbf1017

SHA1
a2e2bdc40fdb83cc625c5b5e8a336ca3f0c29c5f

SHA256
6216173194b29875e84963cd4dc4752f7ca9493f5b1fd7e4130ca0e411c8ac6a

SHA512
9a5c7b1e25d8e1b5738f01aedfd468c1837f1ac8dd4a5b1d24ce86dcae0db1c5b20f2ff4280960bc523aee70b71db54fd515047cdaf10d21a8bec3ebd6663358

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28522\_multiprocessing.pyd

Filesize
34KB

MD5
4ccbd87d76af221f24221530f5f035d1

SHA1
d02b989aaac7657e8b3a70a6ee7758a0b258851b

SHA256
c7bbcfe2511fd1b71b916a22ad6537d60948ffa7bde207fefabee84ef53cafb5

SHA512
34d808adac96a66ca434d209f2f151a9640b359b8419dc51ba24477e485685af10c4596a398a85269e8f03f0fc533645907d7d854733750a35bf6c691de37799

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28522\_overlapped.pyd

Filesize
54KB

MD5
61193e813a61a545e2d366439c1ee22a

SHA1
f404447b0d9bff49a7431c41653633c501986d60

SHA256
c21b50a7bf9dbe1a0768f5030cac378d58705a9fe1f08d953129332beb0fbefc

SHA512
747e4d5ea1bdf8c1e808579498834e1c24641d434546bffdfcf326e0de8d5814504623a3d3729168b0098824c2b8929afc339674b0d923388b9dac66f5d9d996

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28522\_queue.pyd

Filesize
31KB

MD5
f3eca4f0b2c6c17ace348e06042981a4

SHA1
eb694dda8ff2fe4ccae876dc0515a8efec40e20e

SHA256
fb57ee6adf6e7b11451b6920ddd2fb943dcd9561c9eae64fdda27c7ed0bc1b04

SHA512
604593460666045ca48f63d4b14fa250f9c4b9e5c7e228cc9202e7692c125aacb0018b89faa562a4197692a9bc3d2382f9e085b305272ee0a39264a2a0f53b75

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28522\_socket.pyd

Filesize
81KB

MD5
9c6283cc17f9d86106b706ec4ea77356

SHA1
af4f2f52ce6122f340e5ea1f021f98b1ffd6d5b6

SHA256
5cc62aac52edf87916deb4ebbad9abb58a6a3565b32e7544f672aca305c38027

SHA512
11fd6f570dd78f8ff00be645e47472a96daffa3253e8bd29183bccde3f0746f7e436a106e9a68c57cc05b80a112365441d06cc719d51c906703b428a32c93124

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28522\_ssl.pyd

Filesize
173KB

MD5
ddb21bd1acde4264754c49842de7ebc9

SHA1
80252d0e35568e68ded68242d76f2a5d7e00001e

SHA256
72bb15cd8c14ba008a52d23cdcfc851a9a4bde13deee302a5667c8ad60f94a57

SHA512
464520ecd1587f5cede6219faac2c903ee41d0e920bf3c9c270a544b040169dcd17a4e27f6826f480d4021077ab39a6cbbd35ebb3d71672ebb412023bc9e182a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28522\_uuid.pyd

Filesize
24KB

MD5
7a00ff38d376abaaa1394a4080a6305b

SHA1
d43a9e3aa3114e7fc85c851c9791e839b3a0ee13

SHA256
720e9b68c41c8d9157865e4dd243fb1731f627f3af29c43250804a5995a82016

SHA512
ce39452df539eeeff390f260c062a0c902557fda25a7be9a58274675b82b30bddb7737b242e525f7d501db286f4873b901d94e1cd09aa8864f052594f4b34789

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28522\_wmi.pyd

Filesize
35KB

MD5
c1654ebebfeeda425eade8b77ca96de5

SHA1
a4a150f1c810077b6e762f689c657227cc4fd257

SHA256
aa1443a715fbf84a84f39bd89707271fc11a77b597d7324ce86fc5cfa56a63a9

SHA512
21705b991e75efd5e59b8431a3b19ae5fcc38a3e7f137a9d52acd24e7f67d61758e48abc1c9c0d4314fa02010a1886c15ead5bca8dca1b1d4ccbfc3c589d342e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28522\aiohttp\_helpers.cp312-win_amd64.pyd

Filesize
54KB

MD5
6769b44017870dab45a324b157928d22

SHA1
84f51bb078ddba1f1e36b6abb6f88160979990e7

SHA256
eefdd52e7737fd43c67577fd577f7a0654007dd4d5233314f3cff152d49aca61

SHA512
4bcd53449f4de96603ee0b7861158ac0d62b7fd1af1c3f8e45ae6ce77a349c87f163a5db1d28fde22c2992a5910bd0d1d389a158000be9e9cbf871b880d06d62

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28522\aiohttp\_http_parser.cp312-win_amd64.pyd

Filesize
249KB

MD5
67339c5db48e3a9ff19a41e4a65726ee

SHA1
5fa5361df31c6e42aa3ef4ffd0b2f2a94df300fa

SHA256
e68d72016fc9f47850302c7ee2488920cb9b0755b28d9fb807614a37028f23db

SHA512
debc1e83c17abbf276d073f28dd2c26cfb445769bc4c3966d5c5669efa5452b0b14cba1a4d84cdb8c7ed373e2b4b5028b673447c360079b7e4dcbff3b88cdd48

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28522\aiohttp\_http_writer.cp312-win_amd64.pyd

Filesize
49KB

MD5
e4a9b45460d2f1514c132c926ae3f80a

SHA1
c4cd93157406169914211053b0fd78c6fc334a0f

SHA256
4a58ba33286d64e994219b34d29582bb261c8a4d72e6ec0076c1b93ecf378752

SHA512
f029e7ffc0dbc914c47b9fe348761c3ed298b2463f8b3aa74d3f94910f33afd062061fa20cd7e0c784d03d7c0cefbeb5e50f5c962e8224218ccc3723251924de

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28522\aiohttp\_websocket.cp312-win_amd64.pyd

Filesize
36KB

MD5
fb5ff970246a5524337027e03fdcbe8d

SHA1
6c83c29f27c0ca7408ab0d046ddf037b8d8e001c

SHA256
a64cf62a7c7f2af733aa240de69f68eeef712c56adacad8df94e59cecfae8992

SHA512
f1cf45979bb0cb5ca1f2e76eebd82e05015f4d6b4e96b38d7d8498137d7feb61082f197924126fa7f34e5ec1c5ac2033779b59ce4fe55315b2588ed0b3a81125

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28522\base_library.zip

Filesize
1.3MB

MD5
630153ac2b37b16b8c5b0dbb69a3b9d6

SHA1
f901cd701fe081489b45d18157b4a15c83943d9d

SHA256
ec4e6b8e9f6f1f4b525af72d3a6827807c7a81978cb03db5767028ebea283be2

SHA512
7e3a434c8df80d32e66036d831cbd6661641c0898bd0838a07038b460261bf25b72a626def06d0faa692caf64412ca699b1fa7a848fe9d969756e097cba39e41

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28522\charset_normalizer\md.cp312-win_amd64.pyd

Filesize
10KB

MD5
d9e0217a89d9b9d1d778f7e197e0c191

SHA1
ec692661fcc0b89e0c3bde1773a6168d285b4f0d

SHA256
ecf12e2c0a00c0ed4e2343ea956d78eed55e5a36ba49773633b2dfe7b04335c0

SHA512
3b788ac88c1f2d682c1721c61d223a529697c7e43280686b914467b3b39e7d6debaff4c0e2f42e9dddb28b522f37cb5a3011e91c66d911609c63509f9228133d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28522\charset_normalizer\md__mypyc.cp312-win_amd64.pyd

Filesize
120KB

MD5
bf9a9da1cf3c98346002648c3eae6dcf

SHA1
db16c09fdc1722631a7a9c465bfe173d94eb5d8b

SHA256
4107b1d6f11d842074a9f21323290bbe97e8eed4aa778fbc348ee09cc4fa4637

SHA512
7371407d12e632fc8fb031393838d36e6a1fe1e978ced36ff750d84e183cde6dd20f75074f4597742c9f8d6f87af12794c589d596a81b920c6c62ee2ba2e5654

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28522\frozenlist\_frozenlist.cp312-win_amd64.pyd

Filesize
84KB

MD5
d7193bea71087b94502c6b3a40120b04

SHA1
51aa3825a885a528356ba339f599c557e9973ec3

SHA256
886375bc6f0ff2bbd1e8280f8f1cb29c93f94b8e25b5076043cd796654c3a193

SHA512
c65cef39362a75814d40132f4f54f25f258c484dd011b12ae7051fa52865f025c960e4a3130c699b7eb1be375a3d2c3c3b733d6543338d7e40aad0488d305056

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28522\libcrypto-3.dll

Filesize
5.0MB

MD5
e547cf6d296a88f5b1c352c116df7c0c

SHA1
cafa14e0367f7c13ad140fd556f10f320a039783

SHA256
05fe080eab7fc535c51e10c1bd76a2f3e6217f9c91a25034774588881c3f99de

SHA512
9f42edf04c7af350a00fa4fdf92b8e2e6f47ab9d2d41491985b20cd0adde4f694253399f6a88f4bdd765c4f49792f25fb01e84ec03fd5d0be8bb61773d77d74d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28522\libffi-8.dll

Filesize
38KB

MD5
0f8e4992ca92baaf54cc0b43aaccce21

SHA1
c7300975df267b1d6adcbac0ac93fd7b1ab49bd2

SHA256
eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a

SHA512
6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28522\libssl-3.dll

Filesize
768KB

MD5
19a2aba25456181d5fb572d88ac0e73e

SHA1
656ca8cdfc9c3a6379536e2027e93408851483db

SHA256
2e9fbcd8f7fdc13a5179533239811456554f2b3aa2fb10e1b17be0df81c79006

SHA512
df17dc8a882363a6c5a1b78ba3cf448437d1118ccc4a6275cc7681551b13c1a4e0f94e30ffb94c3530b688b62bff1c03e57c2c185a7df2bf3e5737a06e114337

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28522\multidict\_multidict.cp312-win_amd64.pyd

Filesize
45KB

MD5
ab3685f651c7821bbf03baf1d436b617

SHA1
f6306217ecaf5fa1dc8c78260d02dd2716903316

SHA256
1ef9e6eaff88cdcc0a32346b7b266a0e1d19716ecac07f16a189a7057ce971f9

SHA512
08e4d615ce5f9c565d54a16b1f475b6ad746b5d8e7f17248d235b5acd474333036bb33671c887bb64794b56ec910af28efbb7bed8bdea2eddd4bcd81c1b1fb70

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28522\pyexpat.pyd

Filesize
194KB

MD5
f179c9bdd86a2a218a5bf9f0f1cf6cd9

SHA1
4544fb23d56cc76338e7f71f12f58c5fe89d0d76

SHA256
c42874e2cf034fb5034f0be35f7592b8a96e8903218da42e6650c504a85b37cc

SHA512
3464ece5c6a0e95ef6136897b70a96c69e552d28bfedd266f13eec840e36ec2286a1fb8973b212317de6fe3e93d7d7cc782eb6fc3d6a2a8f006b34f6443498de

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28522\python312.dll

Filesize
6.7MB

MD5
550288a078dffc3430c08da888e70810

SHA1
01b1d31f37fb3fd81d893cc5e4a258e976f5884f

SHA256
789a42ac160cef98f8925cb347473eeeb4e70f5513242e7faba5139ba06edf2d

SHA512
7244432fc3716f7ef27630d4e8fbc8180a2542aa97a01d44dca260ab43966dd8ac98b6023400b0478a4809aace1a128f1f4d6e544f2e591a5b436fd4c8a9d723

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28522\select.pyd

Filesize
29KB

MD5
8a273f518973801f3c63d92ad726ec03

SHA1
069fc26b9bd0f6ea3f9b3821ad7c812fd94b021f

SHA256
af358285a7450de6e2e5e7ff074f964d6a257fb41d9eb750146e03c7dda503ca

SHA512
7fedae0573ecb3946ede7d0b809a98acad3d4c95d6c531a40e51a31bdb035badc9f416d8aaa26463784ff2c5e7a0cc2c793d62b5fdb2b8e9fad357f93d3a65f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28522\unicodedata.pyd

Filesize
1.1MB

MD5
04f35d7eec1f6b72bab9daf330fd0d6b

SHA1
ecf0c25ba7adf7624109e2720f2b5930cd2dba65

SHA256
be942308d99cc954931fe6f48ed8cc7a57891ccbe99aae728121bcda1fd929ab

SHA512
3da405e4c1371f4b265e744229dcc149491a112a2b7ea8e518d5945f8c259cad15583f25592b35ec8a344e43007ae00da9673822635ee734d32664f65c9c8d9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28522\yarl\_quoting_c.cp312-win_amd64.pyd

Filesize
94KB

MD5
44eb05d3c409e626ad417ed117068160

SHA1
dc0c4446e0601a2d341a09cda68ce6d2e466c040

SHA256
f306e375e186c011585dea2bc875530fb7d734861db388764a2aa307b1b68df3

SHA512
51194721d5ed968d40394f784a4708e6282d7c28b45b387165ae44eb5798f58432e85f743f798dae2c79722c88f5e8bb61c31ea37110781aa2368c6b4a4a45a2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
5KB

MD5
a4654ac585262ecb346a4848bd8a2173

SHA1
aa3aa3981158e9923824420b84f0fc03311b7fe0

SHA256
77c1ee119beb26889d3862229a07e2d95c5e58c8b1540c534cfac0ae7f41b2bf

SHA512
2d9a54fb8b68aa86b034031f7a566422fd49e0b8088f7bcbd4c7d66202fe74e626186793a893b24e13b7699561b94684927651aebd7b4d136c319147c3132904

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\addonStartup.json.lz4

Filesize
5KB

MD5
fa39fc7d30ea43ed8983a8b5c284b12f

SHA1
161505decd9fff4e61099143dc7bd07e2725e369

SHA256
360de125a64a74c34de615dd5ad056bff5d0e3a24446cacdd480a5f0eafc9d04

SHA512
75205f654ab5b16f077ed0377b8cb8b475ecd0165ef2fa448b1e3477fecd1e082f4e1c078df13bcc44390c914fcdd26662340fcf553d20706838c25267536108

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\bookmarkbackups\bookmarks-2024-07-03_11_sEInrcbjNuQU78LVjPjgjw==.jsonlz4

Filesize
997B

MD5
438e9000da555630c15edc578fc888c3

SHA1
bd773d897b3740a635cc9b5769c53ea2b4bc8fd1

SHA256
bf7e59f07dcb198444cb7c15c5ebceab10b0153cd4878019df4b8196edc36909

SHA512
632de477ff13d808ccf79c194de42c47114fa4fd2dc0b695efaabccf2d4deb575e23bf20b04e94b7437d9538b8dcbd8b63b3e57503ed5e2e3c9a7f1c54088ce9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\broadcast-listeners.json

Filesize
204B

MD5
72c95709e1a3b27919e13d28bbe8e8a2

SHA1
00892decbee63d627057730bfc0c6a4f13099ee4

SHA256
9cf589357fceea2f37cd1a925e5d33fd517a44d22a16c357f7fb5d4d187034aa

SHA512
613ca9dd2d12afe31fb2c4a8d9337eeecfb58dabaeaaba11404b9a736a4073dfd9b473ba27c1183d3cc91d5a9233a83dce5a135a81f755d978cea9e198209182

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\prefs-1.js

Filesize
7KB

MD5
a7769b5f405dd6dd11d9035e0fa24ad2

SHA1
3d9a83dd3d98f61bdad1cd201785a0513b89bf3b

SHA256
69cd7e79e184ea85013db6de3ce1ee408537daed035099ce626928d5c13d19ec

SHA512
3ab2c00acff226d8d41fcfa12a3bbeb70e3373ac89b6aada5851b529aece8629ef10d71823478fb44cd8e38a8907e68c195107f72abdfb5063bcde0ece322802

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\prefs-1.js

Filesize
7KB

MD5
212e66fb71e20c3ad2f5b1d312db7c9b

SHA1
5501fddb388ed43b998dcabc2e95deffcb4850d1

SHA256
9cf7a49161cb5e5aaf881bfcb731139f7f8844df3fde0ae767c4395442078662

SHA512
a3500d3639fde44a68f8b5bb25afefe589f6d2c36458c882d4b755853c183526912a3406091e4eff803efd0281a2af3b94cee0f9290ce3ffb8eb85e41fd04477

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\prefs-1.js

Filesize
8KB

MD5
a3abf37e695a43407c55ead675210b7c

SHA1
6ffec0b434056a866e64862c55ed70391e5ef06a

SHA256
7ef774a281c311d86916944d4d5a5e8c1b504216a820c12c417b54f8f748c532

SHA512
5941eaad35ded0d5e466b03f71fd078e253c27de36e2e817f12566c96e8564c35b4dcc35e7ff8b14da24ed1be8284a798798115fe66465907120045c4eed8551

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\prefs-1.js

Filesize
7KB

MD5
eff362968906d5f27723cc27900eb0ef

SHA1
afb25dc02942c5c9072cdbb42afc3fca7d8de944

SHA256
f35faf6824f62dfdd691f1ce9a733b63fccc42a1963b9dce392a95d213917d3a

SHA512
67a573f7b54bd904b13f817e77fc81e96e5854e64c7d893c99d28774504070aae01099fc70f1e743ed420e2fcbc7e1434f866a09a2a0e787fe8923f8599d6cb2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\sessionCheckpoints.json.tmp

Filesize
90B

MD5
c4ab2ee59ca41b6d6a6ea911f35bdc00

SHA1
5942cd6505fc8a9daba403b082067e1cdefdfbc4

SHA256
00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2

SHA512
71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\sessionCheckpoints.json.tmp

Filesize
53B

MD5
ea8b62857dfdbd3d0be7d7e4a954ec9a

SHA1
b43bc4b3ea206a02ef8f63d5bfad0c96bf2a3b2a

SHA256
792955295ae9c382986222c6731c5870bd0e921e7f7e34cc4615f5cd67f225da

SHA512
076ee83534f42563046d25086166f82e1a3ec61840c113aec67abe2d8195daa247d827d0c54e7e8f8a1bbf2d082a3763577587e84342ec160ff97905243e6d19

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
128ee2d37412feea1592c85943d9ca78

SHA1
925d9991a8a5d1827acdd0fbc7803b8ea498195c

SHA256
7a8d275333a0fcd311ad6c3d3b63484855d60170b8e05b4cd14ebc9bdaf1a785

SHA512
48470a70822db2f2ad4d77a8fe7c013c27dd4fce47269e7f98e59324a3f3e13ce92aca7425b20572f60591d159209e38d60587566bbb8935bdd080f1d1b628bb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
fefecdcc21af7a43547afcade0d92f85

SHA1
325ff5adb898129d38eab18f0e430a97647def64

SHA256
3e494c6b4e608aeb74ed1010eeab326be73a1d3587b1710794cd6155077caaa9

SHA512
caf59327040c1725bb6b4d09acf3f55168b335a98b479b87d34749ae0d326bb7a6fa7dc1bcf2a02aefacce5472bc72e155833ce60f71acadef9c177b7204e070

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\sessionstore.jsonlz4

Filesize
1KB

MD5
f47ab72cc7724289b96e2f48d19244d3

SHA1
db35e66b85c0a42349ae31099866ae7f30367007

SHA256
1e3b99db5757ad6d895cceeee6450fc8737151fde8b7f2cec40b43ab40cd6ea9

SHA512
dbedb341f18793d0b9c50b82fe694b5cdbfc9792ed0d622e2129ba7db81e4aeda7fdc35522b4ea3fa07a7d688449ae32754e346183d04e9f7e1d28512cd9b02b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\targeting.snapshot.json

Filesize
4KB

MD5
470e52924839c29410ef3461d4633199

SHA1
33bf1aea3fcea3adfb68b6bb2532f7c69e9e44c4

SHA256
44558b3edc6fd5f10d83257e238d033078ba382f603ae4aac46d16e26fb62bcd

SHA512
a622fb014113accdf328bdd4ba7661def4aded4a3775f4be0426a4c2c559742a3d94d3de240db990fb2677e6eac992f91e2055b51dd03ebc84b042f9cc68dfc6

Download Submit
C:\Users\Admin\Desktop\ApproveExit.htm

Filesize
435KB

MD5
6b6755337d6dcfee976af610cab4ef2f

SHA1
71a96f4d4611ea9afc979f23f367fc469eb69f50

SHA256
8bb160d16c9f10f73210fafc779e8e60c4c4b0abd18b0a7c82e4b285a6c5500f

SHA512
d319c0f0fa9e46be7580b5505a6ed2b6f0bbcff7f1db06a61d38eb411ab3e9cefdc6f2510acddc4b4c7c3c25597f9e9b66e179e8707ec852a76caab3d9a12e42

Download Submit
C:\Users\Admin\Desktop\AssertGrant.search-ms

Filesize
1.1MB

MD5
daa7af483819014dc09ec8e8bde722a9

SHA1
c2772d30891b0b0fe6c696fd25b39f8278138fdb

SHA256
7d063ee84f02e4a3b11f12cc6986c1dd61b43167d50a72bd5592dabc86d16cbb

SHA512
903fff01df2e8d4a2ce4a4c81b62288f64e3cc81a534b8f152b57d9ac8183a1a0cf869f50c6f0decf63755c86817b2925ffe1df5d1e9c50f289776e6f7adcff2

Download Submit
C:\Users\Admin\Desktop\BackupConvertFrom.DVR-MS

Filesize
609KB

MD5
751e3309e7e2696550408bffaaa983f9

SHA1
3342cb018b03cb7abe07fb2eea2567f4286077de

SHA256
96bb834c6777c6f98ea93755c26152bb92a1d0d3211d08ebd651ea858b57a81d

SHA512
eda0e8c26ae6e043fe49c5b7553f6b8c0948a6125351ed9cc039ccc3e55967ec756f6163cf5b552e5d95515aaa9795c96f377b8371123d7df8784d7617a0e11d

Download Submit
C:\Users\Admin\Desktop\CloseDeny.wma

Filesize
1.0MB

MD5
b81c212f5fa7e3b9f3553c97345a5941

SHA1
4aa31a64dab59bda9a9e6baf17a593cdf7681f85

SHA256
48b5c7adebb5d48a9f50da6034a2fd7a5c863d394b71470f79b680baed975759

SHA512
580061ae7d51a94f3f2ae416eb6158493080f658b7c9fb83a2935a64860f2b0bec36730cb5ba909b42774762470bff5f55aa892b72c142bd2592d9524db4652d

Download Submit
C:\Users\Admin\Desktop\CloseGrant.cab

Filesize
818KB

MD5
a905de61b6cfcc79261fbe6874beba06

SHA1
52ba0531d64e955e6a1540d2ec48d7051833b589

SHA256
cf1abe0d6e9255e19ba7384e362b00171ba68262839098071c13d92a99553088

SHA512
2c4383f79589e632d470d5128103a7fb83a9ea7ad7c2ae21fe11b84640978debfda626b2ff749c142554e6caebcfab37a604f9d28ed992293d760a4e625b3521

Download Submit
memory/1836-97-0x0000025167F00000-0x0000025167F01000-memory.dmp

Filesize
4KB

Download
memory/1836-102-0x0000025167F00000-0x0000025167F01000-memory.dmp

Filesize
4KB

Download
memory/1836-103-0x0000025167F00000-0x0000025167F01000-memory.dmp

Filesize
4KB

Download
memory/1836-104-0x0000025167F00000-0x0000025167F01000-memory.dmp

Filesize
4KB

Download
memory/1836-105-0x0000025167F00000-0x0000025167F01000-memory.dmp

Filesize
4KB

Download
memory/1836-106-0x0000025167F00000-0x0000025167F01000-memory.dmp

Filesize
4KB

Download
memory/1836-107-0x0000025167F00000-0x0000025167F01000-memory.dmp

Filesize
4KB

Download
memory/1836-108-0x0000025167F00000-0x0000025167F01000-memory.dmp

Filesize
4KB

Download
memory/1836-98-0x0000025167F00000-0x0000025167F01000-memory.dmp

Filesize
4KB

Download
memory/1836-96-0x0000025167F00000-0x0000025167F01000-memory.dmp

Filesize
4KB

Download
memory/2852-128-0x00007FF6BB1A0000-0x00007FF6BB1F7000-memory.dmp

Filesize
348KB

Download
memory/2852-114-0x00007FF6BB1A0000-0x00007FF6BB1F7000-memory.dmp

Filesize
348KB

Download
memory/4856-115-0x00007FF6BB1A0000-0x00007FF6BB1F7000-memory.dmp

Filesize
348KB

Download