a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843

Analysis

max time kernel
151s
max time network
187s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 19:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843.exe
Size

1.0MB
MD5

7d0b633e5fc4845d3fc4f207de1a8631
SHA1

deb4f30f155e804b2e6331721fa1685d860650c3
SHA256

a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843
SHA512

f1b19e3f4e6041f3f513a209d6db26497d4b6f60102a68d962b7908cdd56c902b05b5a9b59a52fff474409daea07ef374cb35e7f0bc9234aa3e08605429805b0
SSDEEP

24576:S6JUlITT9jwynP2UJriv3FjTKip034eHBFWvnhbfHKfsPyzTBfSQnsLGgPIPp:VqIT1wyP2TK6E4SWVf2sPct6QZgPIPp

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 5 IoCs

Processes:

tytghn.exetytghn.exetytghn.exetytghn.exetytghn.exe

pid process

3256 tytghn.exe
752 tytghn.exe
4288 tytghn.exe
3752 tytghn.exe
864 tytghn.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

tytghn.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation tytghn.exe

pid	process
3256	tytghn.exe
752	tytghn.exe
4288	tytghn.exe
3752	tytghn.exe
864	tytghn.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tytghn.exe

Loads dropped DLL 12 IoCs

Processes:

a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843.exe

pid	process
608	a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843.exe
608	a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843.exe
608	a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843.exe
608	a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843.exe
608	a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843.exe
608	a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843.exe
608	a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843.exe
608	a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843.exe
608	a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843.exe
608	a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843.exe
608	a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843.exe
608	a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 5 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{829b0a44-adff-4618-be4f-1b9311096c6c}	a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{829b0a44-adff-4618-be4f-1b9311096c6c}\ = "script helper for ie"	a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{829b0a44-adff-4618-be4f-1b9311096c6c}\NoExplorer = "1"	a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{963B125B-8B21-49A2-A3A8-E37092276531}	a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{963B125B-8B21-49A2-A3A8-E37092276531}\ = "Update Timer"	a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843.exe

Drops file in Program Files directory 9 IoCs

Processes:

a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843.exe

description	ioc	process
File created	C:\Program Files (x86)\getithd\tdataprotocol.dll	a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843.exe
File created	C:\Program Files (x86)\getithd\logo.ico	a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843.exe
File created	C:\Program Files (x86)\getithd\uninstall.exe	a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843.exe
File created	C:\Program Files (x86)\getithd\terms.lnk.url	a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843.exe
File created	C:\Program Files (x86)\getithd\jsloader.dll	a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843.exe
File created	C:\Program Files (x86)\getithd\updatebhoWin32.dll	a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843.exe
File created	C:\Program Files (x86)\getithd\updater.ini	a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843.exe
File created	C:\Program Files (x86)\getithd\toolbar.dll	a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843.exe
File created	C:\Program Files (x86)\getithd\widgetserv.exe	a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843.exe

Drops file in Windows directory 11 IoCs

Processes:

tytghn.exetytghn.exe

description	ioc	process
File created	C:\Windows\Tasks\getithd Runner.job	tytghn.exe
File opened for modification	C:\Windows\Tasks\getithd Runner.job	tytghn.exe
File opened for modification	C:\Windows\Tasks\getithd FireFox Watcher.job	tytghn.exe
File opened for modification	C:\Windows\Tasks\getithd Chrome Watcher.job	tytghn.exe
File created	C:\Windows\Tasks\getithd Stats Report.job	tytghn.exe
File opened for modification	C:\Windows\Tasks\getithd Stats Report.job	tytghn.exe
File opened for modification	C:\Windows\Tasks\getithd Stats Report.job	tytghn.exe
File created	C:\Windows\Tasks\getithd Update Checker.job	tytghn.exe
File created	C:\Windows\Tasks\getithd FireFox Watcher.job	tytghn.exe
File created	C:\Windows\Tasks\getithd Chrome Watcher.job	tytghn.exe
File opened for modification	C:\Windows\Tasks\getithd Update Checker.job	tytghn.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1508 752 WerFault.exe tytghn.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

4000 taskkill.exe

pid	pid_target	process	target process
1508	752	WerFault.exe	tytghn.exe

pid	process
4000	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

tytghn.exea4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843.exetytghn.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Approved Extensions	tytghn.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	tytghn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{829B0A44-ADFF-4618-BE4F-1B9311096C6C}	tytghn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\	tytghn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Toolbar	a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	tytghn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\	tytghn.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Approved Extensions	tytghn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{829B0A44-ADFF-4618-BE4F-1B9311096C6C}	tytghn.exe

Modifies registry class 64 IoCs

Processes:

a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\updatebho.DLL	a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B091438C-AF24-48A7-9F0B-238EB10233E3}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{963B125B-8B21-49A2-A3A8-E37092276531}\VersionIndependentProgID	a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\chrome\CLSID = "{5ACE96C0-C70A-4A4D-AF14-2E7B869345E1}"	a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\prox	a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{830B56CB-FD22-44AA-9887-7898F4F4158D}\1.0\0\win32	a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\wit4ie.DLL	a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B091438C-AF24-48A7-9F0B-238EB10233E3}\ProxyStubClsid32	a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B091438C-AF24-48A7-9F0B-238EB10233E3}	a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\updatebho.TimerBHO\ = "gihd timer"	a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{963B125B-8B21-49A2-A3A8-E37092276531}\VersionIndependentProgID\ = "updatebho.TimerBHO"	a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ACE96C0-C70A-4A4D-AF14-2E7B869345E1}\InprocServer32\ThreadingModel = "Apartment"	a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wit4ie.WitBHO.2\ = "gihd Class"	a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wit4ie.WitBHO	a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{829b0a44-adff-4618-be4f-1b9311096c6c}\ = "gihd Class"	a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\updatebho.TimerBHO.1\CLSID\ = "{963B125B-8B21-49A2-A3A8-E37092276531}"	a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{963B125B-8B21-49A2-A3A8-E37092276531}	a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{963B125B-8B21-49A2-A3A8-E37092276531}\TypeLib\ = "{955B782E-CDC8-4CEE-B6F6-AD7D541A8D8A}"	a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{700CAB9C-FBBA-434C-98F2-C1E46AA76FA9}\1.0\0\win32\ = "C:\\Program Files (x86)\\getithd\\jsloader.dll"	a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B091438C-AF24-48A7-9F0B-238EB10233E3}\TypeLib	a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{963B125B-8B21-49A2-A3A8-E37092276531}\ProgID	a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{955B782E-CDC8-4CEE-B6F6-AD7D541A8D8A}\1.0\ = "updatebho 1.0 Type Library"	a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9F0C17EB-EF2C-4278-9136-2D547656BC03}\TypeLib	a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{829b0a44-adff-4618-be4f-1b9311096c6c}	a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{700CAB9C-FBBA-434C-98F2-C1E46AA76FA9}\1.0\0\win32	a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\updatebho.TimerBHO\CurVer\ = "updatebho.TimerBHO.1"	a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{955B782E-CDC8-4CEE-B6F6-AD7D541A8D8A}\1.0\0\win32	a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{830B56CB-FD22-44AA-9887-7898F4F4158D}\1.0\0\win32\ = "C:\\Program Files (x86)\\getithd\\tdataprotocol.dll"	a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9F0C17EB-EF2C-4278-9136-2D547656BC03}	a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{955B782E-CDC8-4CEE-B6F6-AD7D541A8D8A}\1.0\0	a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ACE96C0-C70A-4A4D-AF14-2E7B869345E1}\InprocServer32\ = "C:\\Program Files (x86)\\getithd\\tdataprotocol.dll"	a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\base64	a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{830B56CB-FD22-44AA-9887-7898F4F4158D}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\getithd"	a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{829b0a44-adff-4618-be4f-1b9311096c6c}\VersionIndependentProgID\ = "wit4ie.WitBHO"	a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tdataprotocol.CTData\CLSID\ = "{5ACE96C0-C70A-4A4D-AF14-2E7B869345E1}"	a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{829b0a44-adff-4618-be4f-1b9311096c6c}\InprocServer32\ThreadingModel = "Apartment"	a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\updatebho.TimerBHO\CurVer	a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{955B782E-CDC8-4CEE-B6F6-AD7D541A8D8A}\1.0\FLAGS\ = "0"	a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\updatebho.TimerBHO.1\CLSID	a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{963B125B-8B21-49A2-A3A8-E37092276531}\ProgID\ = "updatebho.TimerBHO.1"	a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{963B125B-8B21-49A2-A3A8-E37092276531}\InprocServer32\ = "C:\\Program Files (x86)\\getithd\\updatebhoWin32.dll"	a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tdataprotocol.CTData\ = "CTData Class"	a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{829b0a44-adff-4618-be4f-1b9311096c6c}\Programmable	a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{700CAB9C-FBBA-434C-98F2-C1E46AA76FA9}	a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B091438C-AF24-48A7-9F0B-238EB10233E3}\TypeLib	a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{830B56CB-FD22-44AA-9887-7898F4F4158D}	a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\wit4ie.DLL\AppID = "{20EDC024-43C5-423E-B7F5-FD93523E0D9F}"	a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{20EDC024-43C5-423E-B7F5-FD93523E0D9F}	a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{700CAB9C-FBBA-434C-98F2-C1E46AA76FA9}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\getithd"	a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\updatebho.TimerBHO\CLSID\ = "{963B125B-8B21-49A2-A3A8-E37092276531}"	a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tdataprotocol.CTData.1	a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tdataprotocol.CTData	a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{829b0a44-adff-4618-be4f-1b9311096c6c}\InprocServer32	a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{829b0a44-adff-4618-be4f-1b9311096c6c}\TypeLib	a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{963B125B-8B21-49A2-A3A8-E37092276531}\InprocServer32	a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9F0C17EB-EF2C-4278-9136-2D547656BC03}\TypeLib\ = "{955B782E-CDC8-4CEE-B6F6-AD7D541A8D8A}"	a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9F0C17EB-EF2C-4278-9136-2D547656BC03}\TypeLib\ = "{955B782E-CDC8-4CEE-B6F6-AD7D541A8D8A}"	a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wit4ie.WitBHO.2	a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B091438C-AF24-48A7-9F0B-238EB10233E3}\TypeLib\ = "{700CAB9C-FBBA-434C-98F2-C1E46AA76FA9}"	a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B091438C-AF24-48A7-9F0B-238EB10233E3}\ProxyStubClsid32	a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B091438C-AF24-48A7-9F0B-238EB10233E3}\TypeLib\Version = "1.0"	a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{700CAB9C-FBBA-434C-98F2-C1E46AA76FA9}\1.0\HELPDIR	a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{963B125B-8B21-49A2-A3A8-E37092276531}\ = "gihd timer"	a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{955B782E-CDC8-4CEE-B6F6-AD7D541A8D8A}\1.0\HELPDIR	a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843.exetytghn.exetytghn.exetytghn.exetytghn.exetytghn.exe

pid	process
608	a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843.exe
608	a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843.exe
608	a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843.exe
608	a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843.exe
608	a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843.exe
608	a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843.exe
608	a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843.exe
608	a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843.exe
608	a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843.exe
608	a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843.exe
608	a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843.exe
608	a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843.exe
3256	tytghn.exe
3256	tytghn.exe
752	tytghn.exe
752	tytghn.exe
752	tytghn.exe
752	tytghn.exe
4288	tytghn.exe
4288	tytghn.exe
4288	tytghn.exe
4288	tytghn.exe
3752	tytghn.exe
3752	tytghn.exe
4288	tytghn.exe
4288	tytghn.exe
864	tytghn.exe
864	tytghn.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

taskkill.exe

description pid process

Token: SeDebugPrivilege 4000 taskkill.exe

description	pid	process
Token: SeDebugPrivilege	4000	taskkill.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843.exetytghn.exe

description	pid	process	target process
PID 608 wrote to memory of 3256	608	a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843.exe	tytghn.exe
PID 608 wrote to memory of 3256	608	a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843.exe	tytghn.exe
PID 608 wrote to memory of 3256	608	a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843.exe	tytghn.exe
PID 3256 wrote to memory of 4000	3256	tytghn.exe	taskkill.exe
PID 3256 wrote to memory of 4000	3256	tytghn.exe	taskkill.exe
PID 3256 wrote to memory of 4000	3256	tytghn.exe	taskkill.exe

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

Processes:

tytghn.exetytghn.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext	tytghn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\DisableAddonLoadTimePerformanceNotifications = "1"	tytghn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext	tytghn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\DisableAddonLoadTimePerformanceNotifications = "1"	tytghn.exe

C:\Users\Admin\AppData\Local\Temp\a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843.exe
"C:\Users\Admin\AppData\Local\Temp\a4218672e9c4f68dbe634e9d155c942696e0d413647b5b78506c34a2358e5843.exe"
1⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:608

C:\ProgramData\getithd\tytghn.exe
"C:\ProgramData\getithd\tytghn.exe" /closebr=1 /InstallOn=7 /active=24 /update=24 /interval=2880 /pubId=gihd /affId=gihd1 /uId={203307AC-EF94-4A69-9E1C-766291B0EEC6} /version=1.0.0.5 /Override=false /Firstime=1 /IEhome=0 /IEsearch=0 /FFhome=0 /FFsearch=0 /CHhome=0 /CHsearch=0 /FFaddon=1 /CHaddon=1 /AutoSP=0 /regAppName=getithd /txx=1 -regAppName=getithd -txx=2
2⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3256

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /F /IM IExplore.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4000

C:\ProgramData\getithd\tytghn.exe
C:\ProgramData\getithd\tytghn.exe /task=0 /closebr=1 /InstallOn=7 /active=24 /update=24 /interval=2880 /pubId=gihd /affId=gihd1 /uId={203307AC-EF94-4A69-9E1C-766291B0EEC6} /version=1.0.0.5 /Override=false /IEhome=0 /IEsearch=0 /FFhome=0 /FFsearch=0 /CHhome=0 /CHsearch=0 /FFaddon=1 /CHaddon=1 /AutoSP=0 /regAppName=getithd /txx=1 -regAppName=getithd -txx=2
1⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- System policy modification
PID:752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 752 -s 676
2⤵
- Program crash
PID:1508

C:\ProgramData\getithd\tytghn.exe
C:\ProgramData\getithd\tytghn.exe /task=1 /closebr=1 /InstallOn=7 /active=24 /update=24 /interval=2880 /pubId=gihd /affId=gihd1 /uId={203307AC-EF94-4A69-9E1C-766291B0EEC6} /version=1.0.0.5 /Override=false /IEhome=0 /IEsearch=0 /FFhome=0 /FFsearch=0 /CHhome=0 /CHsearch=0 /FFaddon=1 /CHaddon=1 /AutoSP=0 /regAppName=getithd /txx=1 -regAppName=getithd -txx=2
1⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- System policy modification
PID:4288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 752 -ip 752
1⤵
PID:376

C:\ProgramData\getithd\tytghn.exe
C:\ProgramData\getithd\tytghn.exe /task=2 /closebr=1 /InstallOn=7 /active=24 /update=24 /interval=2880 /pubId=gihd /affId=gihd1 /uId={203307AC-EF94-4A69-9E1C-766291B0EEC6} /version=1.0.0.5 /Override=false /IEhome=0 /IEsearch=0 /FFhome=0 /FFsearch=0 /CHhome=0 /CHsearch=0 /FFaddon=1 /CHaddon=1 /AutoSP=0 /regAppName=getithd /txx=1 -regAppName=getithd -txx=2
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:3752

C:\ProgramData\getithd\tytghn.exe
C:\ProgramData\getithd\tytghn.exe /task=4 /closebr=1 /InstallOn=7 /active=24 /update=24 /interval=2880 /pubId=gihd /affId=gihd1 /uId={203307AC-EF94-4A69-9E1C-766291B0EEC6} /version=1.0.0.5 /Override=false /IEhome=0 /IEsearch=0 /FFhome=0 /FFsearch=0 /CHhome=0 /CHsearch=0 /FFaddon=1 /CHaddon=1 /AutoSP=0 /regAppName=getithd /txx=1 -regAppName=getithd -txx=2
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:864

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\getithd\jsloader.dll
Filesize
215KB

MD5
1be981671495d24f296ada8495e413cf

SHA1
bc5f34a6c0957a46ca98fad7431e67cf4af75f12

SHA256
41b5887c8dd279b2766ebc16e9d8400f04b2287bc3b58f75589c012a9ff73548

SHA512
7583c39fb615bd981d8020c64c5e7519e5385fb5f8943a8cc5127540cfb5ab17db7dd6d72c50bfd8753548aaf5b7f6674a40a772be4d32e8b733d0af50abccc4

Download Submit
C:\Program Files (x86)\getithd\tdataprotocol.dll
Filesize
149KB

MD5
ffdc730ec5f8b90e4dda0c7685650c9d

SHA1
0f052108bcef14beffb6f325981b22fc40c7d047

SHA256
2373e11595d02e279ed64925233f802e03f8e68f3d85649e360b0db17e1e191e

SHA512
172914e1c1e69da1eb1844fc2a7c10de153e7ad1c97ad5bd9821ca82a0ab37838085cdc2ae9d3301a1d900662f4b9fc0c2737ff97e02566320d08630e4ac327c

Download Submit
C:\Program Files (x86)\getithd\toolbar.dll
Filesize
119KB

MD5
05a209746c054559ea4ff207b75b2b0c

SHA1
48a28fee0c29b989b1bff2dc189a99cab7b69390

SHA256
c3a07ce8e673a0289b6eb7b9e7d06e9b11a81a8070c39a66b3555cea0af74fe0

SHA512
76b1373d83e81b9ecbc5ac4904f64798a5885719eb247dabec669679f871f464782152f172ab742a3e4ebcacb1f9b90d3a552c13e71a56a3b07bcfdc4613f875

Download Submit
C:\Program Files (x86)\getithd\toolbar.dll
Filesize
119KB

MD5
05a209746c054559ea4ff207b75b2b0c

SHA1
48a28fee0c29b989b1bff2dc189a99cab7b69390

SHA256
c3a07ce8e673a0289b6eb7b9e7d06e9b11a81a8070c39a66b3555cea0af74fe0

SHA512
76b1373d83e81b9ecbc5ac4904f64798a5885719eb247dabec669679f871f464782152f172ab742a3e4ebcacb1f9b90d3a552c13e71a56a3b07bcfdc4613f875

Download Submit
C:\Program Files (x86)\getithd\updatebhoWin32.dll
Filesize
120KB

MD5
8e9a3bec45ac9fb74bd575750d2b329e

SHA1
62aabb4dad9456afbab6ac3ec599e7d880341e37

SHA256
0575883970a99aad422405655d84b690456f82b747cd9c58070743b145e4f931

SHA512
c867445c08f3743d873adbb156c0d171715af8570a86834d0d199dce76f282d80069b0087b491b55d8b19795c193021cfc890da46b7f5becdb9220f5a5fa03b3

Download Submit
C:\ProgramData\getithd\df-ch.crx
Filesize
121KB

MD5
c6855ae904b10ebfc778d0c2d0eed936

SHA1
be03a07fd7fe87cc47e1e644e592720498b3ba3f

SHA256
3b16b722439f0dc73951f6a01bc7fddfef67f2c8fbfec6cdcfee52687788dbdd

SHA512
4bda6901befe72ef21a8bd62ecc5853c5e5dac3144a5b25f46e2d2690e7d02e1de4d4a68851017773520dde1f92bb15843b11387feec12fc804048d78441d6df

Download Submit
C:\ProgramData\getithd\df-le.xpi
Filesize
92KB

MD5
bab769e6a803408d4b3ba3a4e4fff98a

SHA1
ecff8bd4a2f9bdc442c24af0c568e3c1d477d984

SHA256
9832fa7dfd8227e23f762d5f4cce17cce1d292c2f131d29c1f99604f86bc5062

SHA512
08ac98da9a3a8ddee5b67e4ee26b015be91e5e61c6d0614c702a358bc94866368cdbee3a91656e7fc2551389fc8e1eb4d5de3d813d1c49ba455d0b9debfe3a4c

Download Submit
C:\ProgramData\getithd\tytghn.exe
Filesize
619KB

MD5
611619f98af4df3bbb077f474963c9da

SHA1
522144139ef78abce5cd25f34dae82f0a369f572

SHA256
20f035d90ef228b5a6a998cec13d7bddf00ef20c60a58167fe4230297cc25b54

SHA512
05a01f68ae299e22b08c9c3979064ae54483fda7104ebb6409f8e9939f9f76fca9f40a707d52e356575d9ac2c99f4bcd092e93aaf4391d96d12f15b1d70125cc

Download Submit
C:\ProgramData\getithd\tytghn.exe
Filesize
619KB

MD5
611619f98af4df3bbb077f474963c9da

SHA1
522144139ef78abce5cd25f34dae82f0a369f572

SHA256
20f035d90ef228b5a6a998cec13d7bddf00ef20c60a58167fe4230297cc25b54

SHA512
05a01f68ae299e22b08c9c3979064ae54483fda7104ebb6409f8e9939f9f76fca9f40a707d52e356575d9ac2c99f4bcd092e93aaf4391d96d12f15b1d70125cc

Download Submit
C:\ProgramData\getithd\tytghn.exe
Filesize
619KB

MD5
611619f98af4df3bbb077f474963c9da

SHA1
522144139ef78abce5cd25f34dae82f0a369f572

SHA256
20f035d90ef228b5a6a998cec13d7bddf00ef20c60a58167fe4230297cc25b54

SHA512
05a01f68ae299e22b08c9c3979064ae54483fda7104ebb6409f8e9939f9f76fca9f40a707d52e356575d9ac2c99f4bcd092e93aaf4391d96d12f15b1d70125cc

Download Submit
C:\ProgramData\getithd\tytghn.exe
Filesize
619KB

MD5
611619f98af4df3bbb077f474963c9da

SHA1
522144139ef78abce5cd25f34dae82f0a369f572

SHA256
20f035d90ef228b5a6a998cec13d7bddf00ef20c60a58167fe4230297cc25b54

SHA512
05a01f68ae299e22b08c9c3979064ae54483fda7104ebb6409f8e9939f9f76fca9f40a707d52e356575d9ac2c99f4bcd092e93aaf4391d96d12f15b1d70125cc

Download Submit
C:\ProgramData\getithd\tytghn.exe
Filesize
619KB

MD5
611619f98af4df3bbb077f474963c9da

SHA1
522144139ef78abce5cd25f34dae82f0a369f572

SHA256
20f035d90ef228b5a6a998cec13d7bddf00ef20c60a58167fe4230297cc25b54

SHA512
05a01f68ae299e22b08c9c3979064ae54483fda7104ebb6409f8e9939f9f76fca9f40a707d52e356575d9ac2c99f4bcd092e93aaf4391d96d12f15b1d70125cc

Download Submit
C:\ProgramData\getithd\tytghn.exe
Filesize
619KB

MD5
611619f98af4df3bbb077f474963c9da

SHA1
522144139ef78abce5cd25f34dae82f0a369f572

SHA256
20f035d90ef228b5a6a998cec13d7bddf00ef20c60a58167fe4230297cc25b54

SHA512
05a01f68ae299e22b08c9c3979064ae54483fda7104ebb6409f8e9939f9f76fca9f40a707d52e356575d9ac2c99f4bcd092e93aaf4391d96d12f15b1d70125cc

Download Submit
C:\ProgramData\getithd\valuese.xml
Filesize
1KB

MD5
416f55847d6bcfb044ec4aaf2a966c3d

SHA1
ebd9aac4b45873424bb980bf58f352ccaceb35f1

SHA256
cb8a2336bcca84fd8959e46deedeb69a2a2eaf6b101b5d5158757b3793de2b46

SHA512
db7949399d6497e44f373b665c757cc1c98a9f9814025f5fc1603686da8ce2c6f565ab5159b39a5644596dee8de9bd749a7d54c01ecec607509ac9e0e53b78c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy1CEF.tmp\KillProcDLL.dll
Filesize
32KB

MD5
83142eac84475f4ca889c73f10d9c179

SHA1
dbe43c0de8ef881466bd74861b2e5b17598b5ce8

SHA256
ae2f1658656e554f37e6eac896475a3862841a18ffc6fad2754e2d3525770729

SHA512
1c66eab21f0c9e0b99ecc3844516a6978f52e0c7f489405a427532ecbe78947c37dac5b4c8b722cc8bc1edfb74ba4824519d56099e587e754e5c668701e83bd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy1CEF.tmp\KillProcDLL.dll
Filesize
32KB

MD5
83142eac84475f4ca889c73f10d9c179

SHA1
dbe43c0de8ef881466bd74861b2e5b17598b5ce8

SHA256
ae2f1658656e554f37e6eac896475a3862841a18ffc6fad2754e2d3525770729

SHA512
1c66eab21f0c9e0b99ecc3844516a6978f52e0c7f489405a427532ecbe78947c37dac5b4c8b722cc8bc1edfb74ba4824519d56099e587e754e5c668701e83bd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy1CEF.tmp\KillProcDLL.dll
Filesize
32KB

MD5
83142eac84475f4ca889c73f10d9c179

SHA1
dbe43c0de8ef881466bd74861b2e5b17598b5ce8

SHA256
ae2f1658656e554f37e6eac896475a3862841a18ffc6fad2754e2d3525770729

SHA512
1c66eab21f0c9e0b99ecc3844516a6978f52e0c7f489405a427532ecbe78947c37dac5b4c8b722cc8bc1edfb74ba4824519d56099e587e754e5c668701e83bd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy1CEF.tmp\KillProcDLL.dll
Filesize
32KB

MD5
83142eac84475f4ca889c73f10d9c179

SHA1
dbe43c0de8ef881466bd74861b2e5b17598b5ce8

SHA256
ae2f1658656e554f37e6eac896475a3862841a18ffc6fad2754e2d3525770729

SHA512
1c66eab21f0c9e0b99ecc3844516a6978f52e0c7f489405a427532ecbe78947c37dac5b4c8b722cc8bc1edfb74ba4824519d56099e587e754e5c668701e83bd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy1CEF.tmp\KillProcDLL.dll
Filesize
32KB

MD5
83142eac84475f4ca889c73f10d9c179

SHA1
dbe43c0de8ef881466bd74861b2e5b17598b5ce8

SHA256
ae2f1658656e554f37e6eac896475a3862841a18ffc6fad2754e2d3525770729

SHA512
1c66eab21f0c9e0b99ecc3844516a6978f52e0c7f489405a427532ecbe78947c37dac5b4c8b722cc8bc1edfb74ba4824519d56099e587e754e5c668701e83bd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy1CEF.tmp\KillProcDLL.dll
Filesize
32KB

MD5
83142eac84475f4ca889c73f10d9c179

SHA1
dbe43c0de8ef881466bd74861b2e5b17598b5ce8

SHA256
ae2f1658656e554f37e6eac896475a3862841a18ffc6fad2754e2d3525770729

SHA512
1c66eab21f0c9e0b99ecc3844516a6978f52e0c7f489405a427532ecbe78947c37dac5b4c8b722cc8bc1edfb74ba4824519d56099e587e754e5c668701e83bd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy1CEF.tmp\System.dll
Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0fx48ci0.default-release\extensions\[email protected]\chrome.manifest
Filesize
192B

MD5
9609eae13421d287ecc665d1117b4f75

SHA1
b99b842149a17b06eb8765b92c3fe5e6e7a85ee1

SHA256
669869784417e35e4012527c791d9bcb74dbef7a8ac290232aa11e05ee9b886a

SHA512
11cccf791417513024fc639c0c64dd2c3da578a3a2f627dd6b4b104c0442de0173697c3f2d0b0caa83688f8fe6e558d1b5b39f371c66107bfea5d4ff3b54daa6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0fx48ci0.default-release\extensions\[email protected]\chrome\content\bubble.js
Filesize
1KB

MD5
e3cf4b651109156221e2072f83be5aa2

SHA1
be06675125c178e3ff2fd78cf57f3d643bec5cc4

SHA256
73cde6a7691f5155a6ea9f8076dda8d00c3c62764331be13ec3ec6053d0c9f84

SHA512
976007787974080f6b30763f61b63c6212b4ca2a234e4f6d52a529c154a8325e7619160f108641e39ae7b405cfe203a092cf4fcdb72252cfa61e8a9afaf93dce

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0fx48ci0.default-release\extensions\[email protected]\chrome\content\bubble.xul
Filesize
490B

MD5
75743b09194736b8fc79a6dd65db177d

SHA1
dbf38a26e0597697d0c6aad15e2515c398753e16

SHA256
f8ad9265fd61883ed00c3907f0f14478c8947b1ebaf1e34196efb5153cf040d6

SHA512
d151f8e97a213a59d3c41206c1aa606f179030c4ce1a24c5fb8aca17b7b783b46a9e1dc682366a3ddabe450d38b7b40cc714e23e0fced4e2a35b02ed20e1d30f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0fx48ci0.default-release\extensions\[email protected]\chrome\content\fix2.js
Filesize
20B

MD5
b5ce3889cdd24c2b2e9d540ba1aab48d

SHA1
30d6c76f244e7617c835b3769bfb1fd125e401f1

SHA256
03e704ae5142e05e367aaf51af30485eed881d0c5c581bea3b1752095e444cd0

SHA512
f5a4fb298b53017e212eb92859eb76b138255778cb3a44822e6d5c02791b9911be68bfc1f25eb90414f8adb5160086cae0c247278b1c288d7b0e3f75f21c3023

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0fx48ci0.default-release\extensions\[email protected]\chrome\content\fix3.js
Filesize
20B

MD5
abdc04c0bb1bac8ee8962aa5e5fba9a8

SHA1
2689078d902bfa6d65483e26d122d0a30d2a6560

SHA256
3bb6e43e497c67e79fb3ac8520fbe07d6a43c9777c57be349a54caf9888ca482

SHA512
55fc2af28251c773c0def012f739e01a505867cdffb387d522f1c2fcabee4f2f8c33706c553b1ff5dc4a1dbee1bbf6926909dfb032ad813863ed2c773e0625cd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0fx48ci0.default-release\extensions\[email protected]\chrome\content\fix4.js
Filesize
20B

MD5
4b95306cdc01a9023a3ca1e8c7fcdd61

SHA1
f518c9d20ec181229d35089f685a9588a5b19e7d

SHA256
be576aea3b146bfc77237c2cd65911e05b987c0fc74c588b9ab07ba19ad1067d

SHA512
4733f3eb0f7002b49b6d448ed5f22ed6c13234df46d81014a7ffd008dc77c51e86cc49d7c49c63d7941a0f54cea8693244af0f339d0a5a864ef5a9e8bf47fca8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0fx48ci0.default-release\extensions\[email protected]\chrome\content\fix5.js
Filesize
20B

MD5
010d54d2fc0c7c7ae39324a6217030f2

SHA1
3d73cbe8cce886b2075b5cea17d136b344814992

SHA256
032f8af38f623f697712273292edb5268a0fa9eebd49f997450f97472794a751

SHA512
ae41156a78a60c472c27ebe5f45458836db8cf7850714f0ecf89414e12b21f0ec320ddc7d5a27db2aec5a6946dd7f436ff82f3d301998f8ae35eb8f979c6d59d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0fx48ci0.default-release\extensions\[email protected]\chrome\content\icon.png
Filesize
1KB

MD5
fb86f48da4ba040244c23d29fc209682

SHA1
e9855eecf1f0ed4b1cba0dd2229e99b07ec63015

SHA256
c50db02ff244a0195d9f06bd9b965aca3ac3edf70322ae207e3b6516c579b647

SHA512
b5221187aa9490f7978038f7eccec3f9b2a33eec1c343a481491b5b81ddbf6fd6611bcccf80c9193b92d7083f67100d6f7f606da451f925b030b55b79fa8b999

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0fx48ci0.default-release\extensions\[email protected]\chrome\content\jquery4toolbar.js
Filesize
92KB

MD5
432e6ce300e0604b682c612aa0de1c82

SHA1
c559ab91e420bdca977c4c4c3f7f5e8564a78fb2

SHA256
6dc68cfa752a170706a347a81ccb8fd5fadf8ff5837823eb9fd5486a6882e65a

SHA512
9a463a5a884c562cfea0afc2f9a22eca258f06c6a8ea79cf4e9612079906c5c44edd50b490c067d1f8456cb1a596636a28ac51e66a10a479302bad752c3b8dc2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0fx48ci0.default-release\extensions\[email protected]\chrome\content\jquery4toolbar.js_126
Filesize
144KB

MD5
ad8fb3d98543bf59a927bd53997aff6b

SHA1
bbe7939ae2ab5a66b1cff5dc0cfc4faef848641f

SHA256
04eb0efe823287d8d81b4080ed94a15dc26e1be8c5682bc4c6285df61b906f40

SHA512
426cf2ba8e809c472c57fe339b2b67e3ef99626166c07b34805a9abf860bcc4c5e70f2ae746c77b926f4c1e852b98b290da66a036c199ff78c5d4e0b33c3549f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0fx48ci0.default-release\extensions\[email protected]\chrome\content\lock.js
Filesize
27B

MD5
02469e8f69f26729bf7373aaf83e7687

SHA1
cee5b53a1b7f93986b9d336ea43e640da532eba6

SHA256
86b85ba075a4af0c0ba4496484f0dd335e4abcb6782495dd0fb936bcf26b5c4f

SHA512
45b75dd965ac95768aaed7bf7ac6e5317bd5ebbfdfde4920930e8258529b25979c0f335f335053538ad0d3940203694f8cde2dc71b57e0ad60adad65f5d763ec

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0fx48ci0.default-release\extensions\[email protected]\chrome\content\style.xul
Filesize
812B

MD5
668dec8a49b6dc8575acc0e34ecd4284

SHA1
9fa09a256602a30dec25e2bb83e5ab8a1ec0bafe

SHA256
022636895ac1faa46a586e7e03e1c9d74b1ee78d48d622f95938800a02b71965

SHA512
94217e798b4258960949265d3ec7f4ba4dc4fb3c6a00fbe952975ba408bcd248e1b7e85f517ed67cee5d3d56cd110c2005d875f6b910e2e4f69bd58706a227ed

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0fx48ci0.default-release\extensions\[email protected]\chrome\content\witapi.js
Filesize
37KB

MD5
37aa7cecc679ae0a7344446a325e7ca3

SHA1
598c0007530bc0fe930b9f1c817ad181fb81efa0

SHA256
7f0460af789e0b4cb50ae83bd6c1b0f92a4869a8a7ec8506e74bc1f109ad3a1c

SHA512
b3e68d1128d45296a73d4fe70a68404df3a7ba284f5e2b7392adaff182d50f3a47f0cc3e61233df2bc4c2947945100655a02a2e78b8a31b91ec2e3768c948300

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0fx48ci0.default-release\extensions\[email protected]\chrome\content\witmain.js
Filesize
914B

MD5
7ce881eecb20d61c03bfbd631539d1bc

SHA1
88738856bc21584fc09ad708037503a9edac3414

SHA256
bd9cef410e14d21c0c0949b3707c42bd7e80fe1a064f2667bc68087700a5a044

SHA512
1446f60aa772f7372423f926e1ca09a29abeef87201f774822252d330cd38734aab4be70562add8bb0d7d6d768994ff312b2e1e08dffcbe43484eb3f246fc48b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0fx48ci0.default-release\extensions\[email protected]\chrome\content\wittoolbar.js
Filesize
2KB

MD5
cda5b2727e277b095e1c802930ab9a78

SHA1
16898837afad35f9ea3cdb203b3881a1f1cc14b0

SHA256
1f4f851573263382105e35dc1c32014357ea8a5d48a2d3f97e568393ac17307f

SHA512
353175636f3ae56ae97f0587c4f8b819e2ae290594982bbd2a514fe7f702570b506b9d774a7627de57f9c480f80d54a4c48f845330a7a1008fb03edb55f1bf3b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0fx48ci0.default-release\extensions\[email protected]\chrome\content\witutils.js
Filesize
23KB

MD5
e98815b4088c11d052fce961ea863308

SHA1
0aa226ffcbc73b435f0bf19a4f658a111f572e3d

SHA256
aa7546f7a02f77a48f737644272ae18d1ec4e7fc51756d406af88e530cb8b489

SHA512
ee86a07cda4fc7cca9947dacadbf3d5d8eb63b7f0529c20d506bb75bd99de60c2dd7b354149d8ad2ba70f40fa133aa79fc619a410786d51f45f14a7a65a1d6c9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0fx48ci0.default-release\extensions\[email protected]\components\handleProtocol.js
Filesize
20KB

MD5
abf901d67e5262e496caff4b9b052ed5

SHA1
a03dc0aee81720c096a9935ebfdafd9c07f48965

SHA256
70bf2aed2f96f0d4924edb4e594faf35308865a14fb6dcafc70acc3757fdc225

SHA512
0f73671ce4c6d862048c42ced136844558657fe6c06c45e616c0730f0b233c738131f2982a95a59ff893c9538624d704566c61926e375c09cccc59b91ab1f929

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0fx48ci0.default-release\extensions\[email protected]\install.rdf
Filesize
713B

MD5
40deb53e1cd9f4440e2a583a87d94383

SHA1
a0fb36c705438bbd592e613ca2082a7f74d49120

SHA256
efae0572564882bc6dd95e3aec99e126cc8592deb60c78d613fe9e4865163207

SHA512
71df3cf1bb6c9ca1605122b591e27ceb59dac21cc19b8109656120b0a4384745a520c032c68f1fe353f67b5ed985bebff3347bbc059ec32cd6bfd0467ba4a359

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wvpppa2c.Admin\extensions\[email protected]\chrome.manifest
Filesize
192B

MD5
9609eae13421d287ecc665d1117b4f75

SHA1
b99b842149a17b06eb8765b92c3fe5e6e7a85ee1

SHA256
669869784417e35e4012527c791d9bcb74dbef7a8ac290232aa11e05ee9b886a

SHA512
11cccf791417513024fc639c0c64dd2c3da578a3a2f627dd6b4b104c0442de0173697c3f2d0b0caa83688f8fe6e558d1b5b39f371c66107bfea5d4ff3b54daa6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wvpppa2c.Admin\extensions\[email protected]\chrome\content\bubble.js
Filesize
1KB

MD5
e3cf4b651109156221e2072f83be5aa2

SHA1
be06675125c178e3ff2fd78cf57f3d643bec5cc4

SHA256
73cde6a7691f5155a6ea9f8076dda8d00c3c62764331be13ec3ec6053d0c9f84

SHA512
976007787974080f6b30763f61b63c6212b4ca2a234e4f6d52a529c154a8325e7619160f108641e39ae7b405cfe203a092cf4fcdb72252cfa61e8a9afaf93dce

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wvpppa2c.Admin\extensions\[email protected]\chrome\content\bubble.xul
Filesize
490B

MD5
75743b09194736b8fc79a6dd65db177d

SHA1
dbf38a26e0597697d0c6aad15e2515c398753e16

SHA256
f8ad9265fd61883ed00c3907f0f14478c8947b1ebaf1e34196efb5153cf040d6

SHA512
d151f8e97a213a59d3c41206c1aa606f179030c4ce1a24c5fb8aca17b7b783b46a9e1dc682366a3ddabe450d38b7b40cc714e23e0fced4e2a35b02ed20e1d30f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wvpppa2c.Admin\extensions\[email protected]\chrome\content\fix2.js
Filesize
20B

MD5
b5ce3889cdd24c2b2e9d540ba1aab48d

SHA1
30d6c76f244e7617c835b3769bfb1fd125e401f1

SHA256
03e704ae5142e05e367aaf51af30485eed881d0c5c581bea3b1752095e444cd0

SHA512
f5a4fb298b53017e212eb92859eb76b138255778cb3a44822e6d5c02791b9911be68bfc1f25eb90414f8adb5160086cae0c247278b1c288d7b0e3f75f21c3023

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wvpppa2c.Admin\extensions\[email protected]\chrome\content\fix3.js
Filesize
20B

MD5
abdc04c0bb1bac8ee8962aa5e5fba9a8

SHA1
2689078d902bfa6d65483e26d122d0a30d2a6560

SHA256
3bb6e43e497c67e79fb3ac8520fbe07d6a43c9777c57be349a54caf9888ca482

SHA512
55fc2af28251c773c0def012f739e01a505867cdffb387d522f1c2fcabee4f2f8c33706c553b1ff5dc4a1dbee1bbf6926909dfb032ad813863ed2c773e0625cd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wvpppa2c.Admin\extensions\[email protected]\chrome\content\fix4.js
Filesize
20B

MD5
4b95306cdc01a9023a3ca1e8c7fcdd61

SHA1
f518c9d20ec181229d35089f685a9588a5b19e7d

SHA256
be576aea3b146bfc77237c2cd65911e05b987c0fc74c588b9ab07ba19ad1067d

SHA512
4733f3eb0f7002b49b6d448ed5f22ed6c13234df46d81014a7ffd008dc77c51e86cc49d7c49c63d7941a0f54cea8693244af0f339d0a5a864ef5a9e8bf47fca8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wvpppa2c.Admin\extensions\[email protected]\chrome\content\fix5.js
Filesize
20B

MD5
010d54d2fc0c7c7ae39324a6217030f2

SHA1
3d73cbe8cce886b2075b5cea17d136b344814992

SHA256
032f8af38f623f697712273292edb5268a0fa9eebd49f997450f97472794a751

SHA512
ae41156a78a60c472c27ebe5f45458836db8cf7850714f0ecf89414e12b21f0ec320ddc7d5a27db2aec5a6946dd7f436ff82f3d301998f8ae35eb8f979c6d59d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wvpppa2c.Admin\extensions\[email protected]\chrome\content\icon.png
Filesize
1KB

MD5
fb86f48da4ba040244c23d29fc209682

SHA1
e9855eecf1f0ed4b1cba0dd2229e99b07ec63015

SHA256
c50db02ff244a0195d9f06bd9b965aca3ac3edf70322ae207e3b6516c579b647

SHA512
b5221187aa9490f7978038f7eccec3f9b2a33eec1c343a481491b5b81ddbf6fd6611bcccf80c9193b92d7083f67100d6f7f606da451f925b030b55b79fa8b999

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wvpppa2c.Admin\extensions\[email protected]\chrome\content\jquery4toolbar.js
Filesize
92KB

MD5
432e6ce300e0604b682c612aa0de1c82

SHA1
c559ab91e420bdca977c4c4c3f7f5e8564a78fb2

SHA256
6dc68cfa752a170706a347a81ccb8fd5fadf8ff5837823eb9fd5486a6882e65a

SHA512
9a463a5a884c562cfea0afc2f9a22eca258f06c6a8ea79cf4e9612079906c5c44edd50b490c067d1f8456cb1a596636a28ac51e66a10a479302bad752c3b8dc2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wvpppa2c.Admin\extensions\[email protected]\chrome\content\jquery4toolbar.js_126
Filesize
167KB

MD5
224c257265b43f4b4e5ebe21e7575dbe

SHA1
4a7990cfea863655aca06e4c7ee708a0641d4e35

SHA256
a63ca336dd561218555d730194dae3b778212d41bc3c164232f5cf627702f90a

SHA512
9559e1c7db6402b2803d953ddadf49195785a642cd9849d8caf3333ee829d6a9e3ee3037234b83a8a2d4fd35eaec346bf313f22874a33d6bf5690fe1ec52cdec

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wvpppa2c.Admin\extensions\[email protected]\chrome\content\lock.js
Filesize
27B

MD5
02469e8f69f26729bf7373aaf83e7687

SHA1
cee5b53a1b7f93986b9d336ea43e640da532eba6

SHA256
86b85ba075a4af0c0ba4496484f0dd335e4abcb6782495dd0fb936bcf26b5c4f

SHA512
45b75dd965ac95768aaed7bf7ac6e5317bd5ebbfdfde4920930e8258529b25979c0f335f335053538ad0d3940203694f8cde2dc71b57e0ad60adad65f5d763ec

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wvpppa2c.Admin\extensions\[email protected]\chrome\content\style.xul
Filesize
812B

MD5
668dec8a49b6dc8575acc0e34ecd4284

SHA1
9fa09a256602a30dec25e2bb83e5ab8a1ec0bafe

SHA256
022636895ac1faa46a586e7e03e1c9d74b1ee78d48d622f95938800a02b71965

SHA512
94217e798b4258960949265d3ec7f4ba4dc4fb3c6a00fbe952975ba408bcd248e1b7e85f517ed67cee5d3d56cd110c2005d875f6b910e2e4f69bd58706a227ed

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wvpppa2c.Admin\extensions\[email protected]\chrome\content\witapi.js
Filesize
37KB

MD5
37aa7cecc679ae0a7344446a325e7ca3

SHA1
598c0007530bc0fe930b9f1c817ad181fb81efa0

SHA256
7f0460af789e0b4cb50ae83bd6c1b0f92a4869a8a7ec8506e74bc1f109ad3a1c

SHA512
b3e68d1128d45296a73d4fe70a68404df3a7ba284f5e2b7392adaff182d50f3a47f0cc3e61233df2bc4c2947945100655a02a2e78b8a31b91ec2e3768c948300

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wvpppa2c.Admin\extensions\[email protected]\chrome\content\witmain.js
Filesize
914B

MD5
7ce881eecb20d61c03bfbd631539d1bc

SHA1
88738856bc21584fc09ad708037503a9edac3414

SHA256
bd9cef410e14d21c0c0949b3707c42bd7e80fe1a064f2667bc68087700a5a044

SHA512
1446f60aa772f7372423f926e1ca09a29abeef87201f774822252d330cd38734aab4be70562add8bb0d7d6d768994ff312b2e1e08dffcbe43484eb3f246fc48b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wvpppa2c.Admin\extensions\[email protected]\chrome\content\wittoolbar.js
Filesize
2KB

MD5
cda5b2727e277b095e1c802930ab9a78

SHA1
16898837afad35f9ea3cdb203b3881a1f1cc14b0

SHA256
1f4f851573263382105e35dc1c32014357ea8a5d48a2d3f97e568393ac17307f

SHA512
353175636f3ae56ae97f0587c4f8b819e2ae290594982bbd2a514fe7f702570b506b9d774a7627de57f9c480f80d54a4c48f845330a7a1008fb03edb55f1bf3b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wvpppa2c.Admin\extensions\[email protected]\chrome\content\witutils.js
Filesize
23KB

MD5
e98815b4088c11d052fce961ea863308

SHA1
0aa226ffcbc73b435f0bf19a4f658a111f572e3d

SHA256
aa7546f7a02f77a48f737644272ae18d1ec4e7fc51756d406af88e530cb8b489

SHA512
ee86a07cda4fc7cca9947dacadbf3d5d8eb63b7f0529c20d506bb75bd99de60c2dd7b354149d8ad2ba70f40fa133aa79fc619a410786d51f45f14a7a65a1d6c9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wvpppa2c.Admin\extensions\[email protected]\components\handleProtocol.js
Filesize
20KB

MD5
abf901d67e5262e496caff4b9b052ed5

SHA1
a03dc0aee81720c096a9935ebfdafd9c07f48965

SHA256
70bf2aed2f96f0d4924edb4e594faf35308865a14fb6dcafc70acc3757fdc225

SHA512
0f73671ce4c6d862048c42ced136844558657fe6c06c45e616c0730f0b233c738131f2982a95a59ff893c9538624d704566c61926e375c09cccc59b91ab1f929

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wvpppa2c.Admin\extensions\[email protected]\install.rdf
Filesize
713B

MD5
40deb53e1cd9f4440e2a583a87d94383

SHA1
a0fb36c705438bbd592e613ca2082a7f74d49120

SHA256
efae0572564882bc6dd95e3aec99e126cc8592deb60c78d613fe9e4865163207

SHA512
71df3cf1bb6c9ca1605122b591e27ceb59dac21cc19b8109656120b0a4384745a520c032c68f1fe353f67b5ed985bebff3347bbc059ec32cd6bfd0467ba4a359

Download Submit
C:\Windows\Tasks\getithd Chrome Watcher.job
Filesize
1002B

MD5
c63855e726623102fa8e78ae7d92f193

SHA1
c73e107e3de56d3e0d357973257bc941e5c324fc

SHA256
948960b6bb5d4f1db9645f8bc36b9ffdd355b5cfca8e1692600fea025a53fd4b

SHA512
78b066ec8871f74500564f7ebc2259cd915147786a8c79325491ba83e4476cbd981c2226cc72d809ceb71dd0fcdc252bd64ec862cf2972f4e79a8c1eba235954

Download Submit
C:\Windows\Tasks\getithd FireFox Watcher.job
Filesize
1002B

MD5
b4b80dfa3b9e06e1c71ab8ac0b9f992e

SHA1
76ed3affdb35a6440fefc6c98763c481c2ef3a93

SHA256
48699bd1a7e940e3b8a0e52441c691a2c6a44b63f2db956378ecb6678f3bde88

SHA512
69eadf439cb888271a381a25694e6374ed2843781b1f72604f20dea0e5cad819bf164aa9c0146e1a4848ec259852477c9ffa4b14eeb974e88383de35af580cae

Download Submit
C:\Windows\Tasks\getithd Stats Report.job
Filesize
1002B

MD5
3a90a0352b1dfd6e32e627f890834b90

SHA1
2b2144b87a0c07126b18368ae8e11044f3d64fe9

SHA256
0342302acad9fb031b551af77fe9f14c0ba76d82f13054354754acf760f447ff

SHA512
668547be0b3379444cabdbfd9f71b7f26d28cec03cade45c6d3d8e0d2933bfd8c2306303955aa0591d938f4676eadb9fe3ff030a626b92ddb0b55acb23253600

Download Submit
memory/608-141-0x00000000023A0000-0x00000000023C3000-memory.dmp

Filesize
140KB

Download
memory/3256-143-0x0000000000000000-mapping.dmp

Download
memory/4000-148-0x0000000000000000-mapping.dmp

Download