58189cbd4e6dc0c7d8e66b6a6f75652fc9f4afc7ce0eba7d67d8c3feb0d5381f

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
08/04/2023, 13:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

calc.exe
Size

27KB
MD5

5da8c98136d98dfec4716edd79c7145f
SHA1

ed13af4a0a754b8daee4929134d2ff15ebe053cd
SHA256

58189cbd4e6dc0c7d8e66b6a6f75652fc9f4afc7ce0eba7d67d8c3feb0d5381f
SHA512

6e2b067760ec178cdcc4df04c541ce6940fc2a0cdd36f57f4d6332e38119dbc5e24eb67c11d2c8c8ffeed43533c2dd8b642d2c7c997c392928091b5ccce7582a
SSDEEP

384:Otj8FKzuRxmeWCJxhd2WS/YWyiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiLiiiB:QXif4CbPQ7

Score

8^/10

bootkit persistence

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	inst.exe

Executes dropped EXE 2 IoCs

pid	Process
5056	inst.exe
3604	AgreementViewer.exe

Loads dropped DLL 3 IoCs

pid	Process
5056	inst.exe
5056	inst.exe
3604	AgreementViewer.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	inst.exe
File opened for modification	\??\PHYSICALDRIVE0	inst.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\360\360Safe\{D9FC444D-CC39-44df-88B4-D5CCA2A58318}.tf	inst.exe
File created	C:\Program Files (x86)\360\360Safe\{2644B381-9EB6-4b31-8989-F713D96216D5}.tf	inst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings	firefox.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\inst.exe:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5056	inst.exe
5056	inst.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3372	firefox.exe
Token: SeDebugPrivilege	3372	firefox.exe
Token: SeDebugPrivilege	5056	inst.exe
Token: SeDebugPrivilege	5056	inst.exe
Token: SeDebugPrivilege	5056	inst.exe
Token: SeManageVolumePrivilege	5056	inst.exe
Token: SeDebugPrivilege	5056	inst.exe
Token: SeDebugPrivilege	5056	inst.exe
Token: SeDebugPrivilege	5056	inst.exe
Token: SeDebugPrivilege	5056	inst.exe
Token: SeDebugPrivilege	5056	inst.exe
Token: SeDebugPrivilege	5056	inst.exe
Token: SeDebugPrivilege	5056	inst.exe
Token: SeDebugPrivilege	5056	inst.exe
Token: SeDebugPrivilege	5056	inst.exe
Token: SeDebugPrivilege	5056	inst.exe
Token: SeDebugPrivilege	5056	inst.exe
Token: SeDebugPrivilege	5056	inst.exe
Token: SeDebugPrivilege	5056	inst.exe
Token: SeDebugPrivilege	5056	inst.exe
Token: SeDebugPrivilege	5056	inst.exe
Token: SeDebugPrivilege	5056	inst.exe
Token: SeDebugPrivilege	5056	inst.exe
Token: SeDebugPrivilege	5056	inst.exe
Token: SeDebugPrivilege	5056	inst.exe
Token: SeDebugPrivilege	5056	inst.exe
Token: SeDebugPrivilege	5056	inst.exe
Token: SeDebugPrivilege	5056	inst.exe
Token: SeDebugPrivilege	5056	inst.exe
Token: SeDebugPrivilege	5056	inst.exe
Token: SeDebugPrivilege	5056	inst.exe
Token: SeDebugPrivilege	5056	inst.exe
Token: SeDebugPrivilege	5056	inst.exe
Token: SeDebugPrivilege	5056	inst.exe
Token: SeDebugPrivilege	5056	inst.exe
Token: SeDebugPrivilege	5056	inst.exe
Token: SeDebugPrivilege	5056	inst.exe
Token: SeDebugPrivilege	5056	inst.exe
Token: SeDebugPrivilege	5056	inst.exe
Token: SeDebugPrivilege	5056	inst.exe
Token: SeDebugPrivilege	5056	inst.exe
Token: SeDebugPrivilege	5056	inst.exe
Token: SeDebugPrivilege	5056	inst.exe
Token: SeDebugPrivilege	5056	inst.exe
Token: SeDebugPrivilege	5056	inst.exe
Token: SeDebugPrivilege	5056	inst.exe
Token: SeDebugPrivilege	5056	inst.exe
Token: SeDebugPrivilege	5056	inst.exe
Token: SeDebugPrivilege	5056	inst.exe
Token: SeDebugPrivilege	5056	inst.exe
Token: SeDebugPrivilege	5056	inst.exe
Token: SeDebugPrivilege	5056	inst.exe
Token: SeDebugPrivilege	5056	inst.exe
Token: SeDebugPrivilege	5056	inst.exe
Token: SeDebugPrivilege	5056	inst.exe
Token: SeDebugPrivilege	5056	inst.exe
Token: SeDebugPrivilege	5056	inst.exe
Token: SeDebugPrivilege	5056	inst.exe
Token: SeDebugPrivilege	5056	inst.exe
Token: SeDebugPrivilege	5056	inst.exe
Token: SeDebugPrivilege	5056	inst.exe
Token: SeDebugPrivilege	5056	inst.exe
Token: SeDebugPrivilege	5056	inst.exe
Token: SeDebugPrivilege	5056	inst.exe

Suspicious use of FindShellTrayWindow 10 IoCs

pid	Process
3372	firefox.exe
3372	firefox.exe
3372	firefox.exe
3372	firefox.exe
5056	inst.exe
5056	inst.exe
5056	inst.exe
5056	inst.exe
5056	inst.exe
5056	inst.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
3372	firefox.exe
3372	firefox.exe
3372	firefox.exe
5056	inst.exe
5056	inst.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
1052	OpenWith.exe
3372	firefox.exe
3372	firefox.exe
3372	firefox.exe
3372	firefox.exe
3372	firefox.exe
3372	firefox.exe
3372	firefox.exe
3372	firefox.exe
3372	firefox.exe
3372	firefox.exe
5056	inst.exe
5056	inst.exe
3604	AgreementViewer.exe
3604	AgreementViewer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4712 wrote to memory of 3372	4712	firefox.exe	92
PID 4712 wrote to memory of 3372	4712	firefox.exe	92
PID 4712 wrote to memory of 3372	4712	firefox.exe	92
PID 4712 wrote to memory of 3372	4712	firefox.exe	92
PID 4712 wrote to memory of 3372	4712	firefox.exe	92
PID 4712 wrote to memory of 3372	4712	firefox.exe	92
PID 4712 wrote to memory of 3372	4712	firefox.exe	92
PID 4712 wrote to memory of 3372	4712	firefox.exe	92
PID 4712 wrote to memory of 3372	4712	firefox.exe	92
PID 4712 wrote to memory of 3372	4712	firefox.exe	92
PID 4712 wrote to memory of 3372	4712	firefox.exe	92
PID 3372 wrote to memory of 3760	3372	firefox.exe	94
PID 3372 wrote to memory of 3760	3372	firefox.exe	94
PID 3372 wrote to memory of 4964	3372	firefox.exe	95
PID 3372 wrote to memory of 4964	3372	firefox.exe	95
PID 3372 wrote to memory of 4964	3372	firefox.exe	95
PID 3372 wrote to memory of 4964	3372	firefox.exe	95
PID 3372 wrote to memory of 4964	3372	firefox.exe	95
PID 3372 wrote to memory of 4964	3372	firefox.exe	95
PID 3372 wrote to memory of 4964	3372	firefox.exe	95
PID 3372 wrote to memory of 4964	3372	firefox.exe	95
PID 3372 wrote to memory of 4964	3372	firefox.exe	95
PID 3372 wrote to memory of 4964	3372	firefox.exe	95
PID 3372 wrote to memory of 4964	3372	firefox.exe	95
PID 3372 wrote to memory of 4964	3372	firefox.exe	95
PID 3372 wrote to memory of 4964	3372	firefox.exe	95
PID 3372 wrote to memory of 4964	3372	firefox.exe	95
PID 3372 wrote to memory of 4964	3372	firefox.exe	95
PID 3372 wrote to memory of 4964	3372	firefox.exe	95
PID 3372 wrote to memory of 4964	3372	firefox.exe	95
PID 3372 wrote to memory of 4964	3372	firefox.exe	95
PID 3372 wrote to memory of 4964	3372	firefox.exe	95
PID 3372 wrote to memory of 4964	3372	firefox.exe	95
PID 3372 wrote to memory of 4964	3372	firefox.exe	95
PID 3372 wrote to memory of 4964	3372	firefox.exe	95
PID 3372 wrote to memory of 4964	3372	firefox.exe	95
PID 3372 wrote to memory of 4964	3372	firefox.exe	95
PID 3372 wrote to memory of 4964	3372	firefox.exe	95
PID 3372 wrote to memory of 4964	3372	firefox.exe	95
PID 3372 wrote to memory of 4964	3372	firefox.exe	95
PID 3372 wrote to memory of 4964	3372	firefox.exe	95
PID 3372 wrote to memory of 4964	3372	firefox.exe	95
PID 3372 wrote to memory of 4964	3372	firefox.exe	95
PID 3372 wrote to memory of 4964	3372	firefox.exe	95
PID 3372 wrote to memory of 4964	3372	firefox.exe	95
PID 3372 wrote to memory of 4964	3372	firefox.exe	95
PID 3372 wrote to memory of 4964	3372	firefox.exe	95
PID 3372 wrote to memory of 4964	3372	firefox.exe	95
PID 3372 wrote to memory of 4964	3372	firefox.exe	95
PID 3372 wrote to memory of 4964	3372	firefox.exe	95
PID 3372 wrote to memory of 4964	3372	firefox.exe	95
PID 3372 wrote to memory of 4964	3372	firefox.exe	95
PID 3372 wrote to memory of 4964	3372	firefox.exe	95
PID 3372 wrote to memory of 4964	3372	firefox.exe	95
PID 3372 wrote to memory of 4964	3372	firefox.exe	95
PID 3372 wrote to memory of 4964	3372	firefox.exe	95
PID 3372 wrote to memory of 4964	3372	firefox.exe	95
PID 3372 wrote to memory of 4964	3372	firefox.exe	95
PID 3372 wrote to memory of 4964	3372	firefox.exe	95
PID 3372 wrote to memory of 4964	3372	firefox.exe	95
PID 3372 wrote to memory of 4964	3372	firefox.exe	95
PID 3372 wrote to memory of 4180	3372	firefox.exe	96
PID 3372 wrote to memory of 4180	3372	firefox.exe	96
PID 3372 wrote to memory of 4180	3372	firefox.exe	96

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\calc.exe
"C:\Users\Admin\AppData\Local\Temp\calc.exe"
1⤵
- Modifies registry class
PID:748

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1052

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4712
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3372
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3372.0.2046061906\2145098073" -parentBuildID 20221007134813 -prefsHandle 1860 -prefMapHandle 1852 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {aa3aa29b-a818-45ae-9b55-9a369be6e26d} 3372 "\\.\pipe\gecko-crash-server-pipe.3372" 1940 1fb2e716258 gpu
    3⤵
    PID:3760
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3372.1.1731537382\2032619736" -parentBuildID 20221007134813 -prefsHandle 2304 -prefMapHandle 2300 -prefsLen 20926 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {72573e8d-79ac-48cf-8540-990ea75e2157} 3372 "\\.\pipe\gecko-crash-server-pipe.3372" 2316 1fb20771f58 socket
    3⤵
    - Checks processor information in registry
    PID:4964
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3372.2.1489238774\1221598201" -childID 1 -isForBrowser -prefsHandle 3280 -prefMapHandle 3316 -prefsLen 21074 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f4ff0800-f709-4fb6-b13b-623551779579} 3372 "\\.\pipe\gecko-crash-server-pipe.3372" 3448 1fb31403858 tab
    3⤵
    PID:4180
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3372.3.1672665936\205985610" -childID 2 -isForBrowser -prefsHandle 3676 -prefMapHandle 3672 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2142107c-fd09-4072-8df2-b6d9011421e9} 3372 "\\.\pipe\gecko-crash-server-pipe.3372" 2808 1fb2feb4158 tab
    3⤵
    PID:2692
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3372.4.819973258\511352008" -childID 3 -isForBrowser -prefsHandle 4008 -prefMapHandle 4004 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {406faa1d-9fcb-4e98-8c6e-08ebf125dde7} 3372 "\\.\pipe\gecko-crash-server-pipe.3372" 4020 1fb20762558 tab
    3⤵
    PID:3388
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3372.5.759042412\775148732" -childID 4 -isForBrowser -prefsHandle 4820 -prefMapHandle 4184 -prefsLen 26657 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {08435f8f-0a0e-425c-a788-e9a048f5a20d} 3372 "\\.\pipe\gecko-crash-server-pipe.3372" 4856 1fb2fe88758 tab
    3⤵
    PID:4124
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3372.7.556565842\1122624553" -childID 6 -isForBrowser -prefsHandle 5292 -prefMapHandle 5316 -prefsLen 26657 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bfc98893-00f7-407d-8052-94c3aeef21d7} 3372 "\\.\pipe\gecko-crash-server-pipe.3372" 5384 1fb33df3a58 tab
    3⤵
    PID:4576
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3372.6.1250580007\1080841974" -childID 5 -isForBrowser -prefsHandle 5096 -prefMapHandle 5100 -prefsLen 26657 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a3cca8fc-2742-4545-b517-e6b3a7dff62b} 3372 "\\.\pipe\gecko-crash-server-pipe.3372" 5080 1fb33b42b58 tab
    3⤵
    PID:4388
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3372.8.1005344191\260809439" -childID 7 -isForBrowser -prefsHandle 5956 -prefMapHandle 10104 -prefsLen 26738 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {33fcbd9d-99ef-47da-b1ea-fea132bff8e5} 3372 "\\.\pipe\gecko-crash-server-pipe.3372" 10096 1fb34623258 tab
    3⤵
    PID:5672
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3372.9.649980090\475970615" -childID 8 -isForBrowser -prefsHandle 3724 -prefMapHandle 9828 -prefsLen 27195 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e1d87303-ec2d-45cf-901c-3e452b122f7a} 3372 "\\.\pipe\gecko-crash-server-pipe.3372" 4844 1fb32e82d58 tab
    3⤵
    PID:3468
- - C:\Users\Admin\Downloads\inst.exe
    "C:\Users\Admin\Downloads\inst.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Writes to the Master Boot Record (MBR)
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:5056
  - - C:\Users\Admin\AppData\Local\Temp\{6006F924-C7A5-48bf-884A-F70E06A52FAE}.tmp\AgreementViewer.exe
      "C:\Users\Admin\AppData\Local\Temp\{6006F924-C7A5-48bf-884A-F70E06A52FAE}.tmp\AgreementViewer.exe" /Content="C:\Users\Admin\AppData\Local\Temp\{6006F924-C7A5-48bf-884A-F70E06A52FAE}.tmp\licence.rtf" /Title="360安全卫士安装许可使用协议"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:3604

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bozzcyfh.default-release\activity-stream.discovery_stream.json.tmp

Filesize
144KB

MD5
a56df9a66824b7b8eda113e3a0f1d573

SHA1
739c8d6fed6f2aade340e8e4d01986a59af389be

SHA256
51ce66d821ce3040e09afcc841d3dd5f8bb76595ab333f8870e9028aa9a006e2

SHA512
c84a55b38b19043438704fb6dbdd1d5869551b517b834024f583c04c740042b5e473bf1e6431801a3f6eb7aae02c28ee411207d630b21ba2f9b437953da62592

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bozzcyfh.default-release\thumbnails\42964ed5bfafac82b1fef664a638de18.png

Filesize
62KB

MD5
5ad04fc61c379686c2ebefb3db0010dc

SHA1
6849c9d17f90c7dd0424262b7e5ab395cd606434

SHA256
318a4d063156333ed21cc4abdd413e9bef841c70497bbd5bdfe81645d3a06394

SHA512
b322a21cba03dc3f0f431b3d9f374da4a5dd102bc63b797a94ba9a11d819cc505a142d48bbd3a5ab8d9a9b702745f1af713a9ccc87fee31911ca98a7975b4bd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
3KB

MD5
f71959939c3c8170a0144681b57d68fb

SHA1
e370d808440c867c5645443e915156c3058e6343

SHA256
60db3d136254e118d72ccc66b5184fa308b70a68fa428bc09b9efcad83d148df

SHA512
5201b4e3e724f03974103e73355a349a4eff53ddb51c664cda855642342e99f1542beee135bc3c50e5b95364522329141a35b97a0d216234b4d2ff6d30c668e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\[email protected]\computer_rescue_icon.png

Filesize
838B

MD5
3090d2de85382dff85b62ba401ad154a

SHA1
ef99c36242f2b16b8f5c124bf045d435cec0858e

SHA256
e4b839057fcf4fa07d8e84e1a83f1096cf36c89a2f19f692d4ffbfd0706c62b4

SHA512
05d16c277259fdcfada9aa2bfdb88de1356e7b1384ea24686821af3bf3c127d4ed2c1f26aeb4b87d23747fa4ea6e46f95756c980bf7501221384495219149665

Download Submit
C:\Users\Admin\AppData\Local\Temp\[email protected]\custom_wnd.ini

Filesize
2KB

MD5
9b112c4f740a4e1454b5c799f858727d

SHA1
40349402d12d0de24332a99baf007054f6d46b1d

SHA256
045219484debeafdcedb04e6fd0c914cb4db13a712b2abdad75b33696f28f7ac

SHA512
5d2c68cd2fe2444100a1a3031d33b1f6c186384af40c943d711e5b39a29bf9592e59e45d5b35fab59415db86b5abd926ee58aadd857a3868672ff3e648a63907

Download Submit
C:\Users\Admin\AppData\Local\Temp\[email protected]\setup.ini

Filesize
1KB

MD5
24aca15844173f67fe643c70e735a166

SHA1
f3a312ffebe2d843bafd9268a746ed9e4d1ef393

SHA256
8e36aecfe39db1df517d9a406bcbc248bf408fbe82c4f3ba871ebb1736eed764

SHA512
2e002d134540dd823970ccbfcb5f0598ba514081a2d95ab1268885d16a8f13aeedd700a34e213bb4ec7b3f7543ac3d00a0a8ed8ce1fbd41fe8812acd5946421b

Download Submit
C:\Users\Admin\AppData\Local\Temp\[email protected]\soft_manager_icon.png

Filesize
646B

MD5
8f7051f0e9b7b4ce87f82dc64fc57972

SHA1
77b7122ee16b8d7141323e5b66b7a2f390265bcd

SHA256
4c2639778afba2c0d782996ea8a80152ed25ac2a954f3d525960583bddd12090

SHA512
6ebf53ed208c4d6840678074f23fec27735939a948f277f8bf6d2cd6888a13ec6086147d417daf5eab7c3887e2ca4dc64a23579e93238f186faec2d46f8a2501

Download Submit
C:\Users\Admin\AppData\Local\Temp\{5F4AB221-81EC-4b58-BE1F-3E5719D65971}.tmp\360P2SP.dll

Filesize
688KB

MD5
d875875eb3282b692ab10e946ea22361

SHA1
34bcef8a8cb0e1db44671892ac3cbd74d3c541a8

SHA256
0eca2e140f973b2011c633d4d92e512a1f77e1da610cfe0f4538c0b451270016

SHA512
972466310d3c145141320584b5f3e431c6888bda2ba1036f85e68e534ed6fb97ba04cbd46d8d9c401dc5857100dc1bff1bad82b50514f3e5c582522f22fd2b5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\{5F4AB221-81EC-4b58-BE1F-3E5719D65971}.tmp\360P2SP.dll

Filesize
688KB

MD5
d875875eb3282b692ab10e946ea22361

SHA1
34bcef8a8cb0e1db44671892ac3cbd74d3c541a8

SHA256
0eca2e140f973b2011c633d4d92e512a1f77e1da610cfe0f4538c0b451270016

SHA512
972466310d3c145141320584b5f3e431c6888bda2ba1036f85e68e534ed6fb97ba04cbd46d8d9c401dc5857100dc1bff1bad82b50514f3e5c582522f22fd2b5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\{6006F924-C7A5-48bf-884A-F70E06A52FAE}.tmp\AgreementViewer.exe

Filesize
1.6MB

MD5
60dedcef4aeef8e6fb1c7c4681a18549

SHA1
6682568533f01fbafb964674b8ae30c586881f59

SHA256
9807254166c93ef975cf68d8cfcaeb3929cf9d15e56ea738b1e8b91b5df78c26

SHA512
a91d310a541794a0ae7810e6214a464a64647611fa0c97bc78380ce54ed165ce3bd1a242b47ac2991af635f36392acf6328d6a335fd0932085ca15b1b1e3663f

Download Submit
C:\Users\Admin\AppData\Local\Temp\{6006F924-C7A5-48bf-884A-F70E06A52FAE}.tmp\AgreementViewer.exe

Filesize
1.6MB

MD5
60dedcef4aeef8e6fb1c7c4681a18549

SHA1
6682568533f01fbafb964674b8ae30c586881f59

SHA256
9807254166c93ef975cf68d8cfcaeb3929cf9d15e56ea738b1e8b91b5df78c26

SHA512
a91d310a541794a0ae7810e6214a464a64647611fa0c97bc78380ce54ed165ce3bd1a242b47ac2991af635f36392acf6328d6a335fd0932085ca15b1b1e3663f

Download Submit
C:\Users\Admin\AppData\Local\Temp\{6006F924-C7A5-48bf-884A-F70E06A52FAE}.tmp\AgreementViewer.exe

Filesize
1.6MB

MD5
60dedcef4aeef8e6fb1c7c4681a18549

SHA1
6682568533f01fbafb964674b8ae30c586881f59

SHA256
9807254166c93ef975cf68d8cfcaeb3929cf9d15e56ea738b1e8b91b5df78c26

SHA512
a91d310a541794a0ae7810e6214a464a64647611fa0c97bc78380ce54ed165ce3bd1a242b47ac2991af635f36392acf6328d6a335fd0932085ca15b1b1e3663f

Download Submit
C:\Users\Admin\AppData\Local\Temp\{6006F924-C7A5-48bf-884A-F70E06A52FAE}.tmp\licence.rtf

Filesize
28KB

MD5
4eb86412dfb3e9112e7497f8c6ea70b3

SHA1
0dc6f6150000c5cc401826b49d703b27892aa6c6

SHA256
815006456287fc480538e34f632f2728e9bfa5dcec4ed10ae19ff2798ed30c07

SHA512
6bc9c58202edc98d9b11e96371736bd0a1b2ba03c2980d5c696b5fa60130d9ec9a465f1456fbbecb06113ce8573c00af9cb3474f185d907b7b7e71dd8d88adb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\{6006F924-C7A5-48bf-884A-F70E06A52FAE}.tmp\sites.dll

Filesize
1.4MB

MD5
b6573421fa6713e7060af7298af28804

SHA1
59a58d8dec778c6937cf261f16a5ef3aad9de315

SHA256
23d2b040f587a2823b2aa35a1de221fa485c78f2ba230a38913ba149a0458b5d

SHA512
431f1ecb1c269bddcc4466f0c60149cab0ea7684a58e0394fb5c80180a7eefa0476f0894c9371fb889e5f20e3487e03b534624e270dba1ce2cb70acbfa248336

Download Submit
C:\Users\Admin\AppData\Local\Temp\{6006F924-C7A5-48bf-884A-F70E06A52FAE}.tmp\sites.dll

Filesize
1.4MB

MD5
b6573421fa6713e7060af7298af28804

SHA1
59a58d8dec778c6937cf261f16a5ef3aad9de315

SHA256
23d2b040f587a2823b2aa35a1de221fa485c78f2ba230a38913ba149a0458b5d

SHA512
431f1ecb1c269bddcc4466f0c60149cab0ea7684a58e0394fb5c80180a7eefa0476f0894c9371fb889e5f20e3487e03b534624e270dba1ce2cb70acbfa248336

Download Submit
C:\Users\Admin\AppData\Local\Temp\{A44B7723-4283-41b8-B9C0-6B1983C61382}.tmp\sites.dll

Filesize
1.4MB

MD5
a2ff2c72e739e0cf4c73b623444ca39d

SHA1
ff886e63c894a20f30c136a8264cfa33d41b8331

SHA256
c1eb83993c85e01ee6ae84eb6e05744ff8c3ccc02c41d09c22286e3012ef46fc

SHA512
844dab35a1625d5bf1bd814a36fb80d5670d3dfee5cf65ad8be53784b486dcc08898b7577a323c7c7e1e83655f861ea86c5453cfa4c3d55353d329ef3af6320b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{A44B7723-4283-41b8-B9C0-6B1983C61382}.tmp\sites.dll

Filesize
1.4MB

MD5
a2ff2c72e739e0cf4c73b623444ca39d

SHA1
ff886e63c894a20f30c136a8264cfa33d41b8331

SHA256
c1eb83993c85e01ee6ae84eb6e05744ff8c3ccc02c41d09c22286e3012ef46fc

SHA512
844dab35a1625d5bf1bd814a36fb80d5670d3dfee5cf65ad8be53784b486dcc08898b7577a323c7c7e1e83655f861ea86c5453cfa4c3d55353d329ef3af6320b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{A44B7723-4283-41b8-B9C0-6B1983C61382}.tmp\themes\NewInstallAir\NewInstallAir.ui

Filesize
1.1MB

MD5
44c8df596b52856eb1d3fe2e37cbde4d

SHA1
4aadbeef9dc6cd4ccac758ebdb852915c09545df

SHA256
ecdda2fb9eb27f1b56349e2abfe90ce2f8741b982a3dd6d248e7d93e6b75de2c

SHA512
ea94ed1662efd2f6d91b4d05059dfadd8f290eedbb45433e33f3b4e3729822a40e0c63d319f2041f3f1738650219200d594ced9e36b558aff0a494fab53a0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\{A44B7723-4283-41b8-B9C0-6B1983C61382}.tmp\themes\theme_NewInstallAir.xml

Filesize
27KB

MD5
8074e9740a0e3cfda172ad1983c72a05

SHA1
b6d006adaff1fd059268517b6bd5610ef15d3ba9

SHA256
e4ed337a562aac81005d451cfd4aef721cf067ecbc6d1057601aefc41ee83e26

SHA512
f6680cf19b512060b6ed1c0f88c8ee31a1be456a37204cb63073e0ac58a2b0f544dcc0dabf0829f28687c2842043d21d41b2f172cb15698316ebf0f2bc89c445

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\prefs-1.js

Filesize
6KB

MD5
ab9a78ce7b9a25b3f4da6c8a1bb1835f

SHA1
8942ff38743ba172c8ab4ef5076d6006a0d34669

SHA256
f118a9c5733dd39acd4c8237e316c4182cd0a070eac161b57b3db2c1380bb44e

SHA512
1c30e1db4ef3b54cdfe3f8c9081d12dbe023c90707abc304e69a2b50502081a9f63b6a4f8f4c2b9f33818111a03103c58a2ebb7a34086b9b278700174db8205b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\prefs-1.js

Filesize
6KB

MD5
205b1f7e240445c51e649aedf8af8cc8

SHA1
fa220a40b4c565e076577cdbfc46555314103a5d

SHA256
d6e40a5794edf3d20ae4bbaea36c33e8b072f7b3d206b01eafa37e3237a84b91

SHA512
42531fd7737ea6141ab9bc850eebad6edf8c3bd9c92b992635ea83feecd6f2a74717145c22a5d6b419a0373d6164cd6ddd19daeb46c7d69e0bd9221e45ff2ead

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\prefs-1.js

Filesize
6KB

MD5
c374fdabd012255c24f2cdecd1840c37

SHA1
5ad7ece50c47c6f86e1b23a7a21040e60efb64e5

SHA256
1542e9401fd522edb305f223419dd674f0cc2a884af867db31bbbb93e4c9b0dd

SHA512
5df60030c024b9a518417a037e28d78a20934775bf445b7c1839dc5795b1c585286e2bf688d8639e1b8fc57b6ac85012a571ccb26f39a66c8e03998965c677dc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\prefs-1.js

Filesize
7KB

MD5
52bee94eb6e55e474e2bfa8eb7429b20

SHA1
c75a8d33c5ee83f871fb76abf2dc4dadd2be8e69

SHA256
231c18029ea26c93b4bb201a99a0d32268a3fbce158be3d2e40e74f8d0f3197b

SHA512
6ef9e5644329ac84b07fba500a9a47b88725ef0e1b99b2e6f62e05f554baeb2f2ee41e9475dcb4caeabc1c36a72f80ebe2839e232771f49171047cef202ac2d1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\prefs-1.js

Filesize
7KB

MD5
77f3f326d56baa1254bba480dc2805aa

SHA1
5d1f97704772336a5faa49585d6feb561437efc3

SHA256
04bf47ea074617ee8797954090841b95e7f47777b5851637712394feaa97f5ff

SHA512
7dc18b7eacf9a27fe4b12dfcb48485c95ba582464da3340e9bd11e5ca09b783bc3938180a23489038b291cea07d0c7a559b0c96280e3f5cb3dc939beb79c4be1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\prefs-1.js

Filesize
7KB

MD5
7ddfc426f499b8593b75c557e0a0f7d0

SHA1
5f4111909aa555fc96349c3accdf1f2fecc5a94d

SHA256
986d053cd8278784f2b2583f1d72904b909a4daf535007682d95d939343947b0

SHA512
1e2ae03d8bc33ed30dcd06ecb973d25b17b8618a5813a4085effb72f11b81828ac13fd3ac953d5a67830fcf26e49670d75fe3380d37394ebed690fe41bf6bfb6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\prefs.js

Filesize
6KB

MD5
fcd5f37e5e4066f7cffe8eb106b6ce19

SHA1
b0a1c4d3d5c96271429fb09cb71055d177c13402

SHA256
38dbdb91f24f8e138803d71d0f7e4758fbb78e7f657208325fe30a501e225c67

SHA512
afdf7697bc784c3c85f30a8a1e4caa32459cf7f19c1ffacde04f62f089218ff1899ffe69fc465677d719546c8f91bea0d04807b13d58096f79aeba8eef0a0a15

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\sessionCheckpoints.json.tmp

Filesize
259B

MD5
c8dc58eff0c029d381a67f5dca34a913

SHA1
3576807e793473bcbd3cf7d664b83948e3ec8f2d

SHA256
4c22e8a42797f14510228f9f4de8eea45c526228a869837bd43c0540092e5f17

SHA512
b8f7c4150326f617b63d6bc72953160804a3749f6dec0492779f6c72b3b09c8d1bd58f47d499205c9a0e716f55fe5f1503d7676a4c85d31d1c1e456898af77b4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
cc9493d5dd1f0dd5bf16efe79830f035

SHA1
04e4dbfc4b9836ee4d8fb378d1951e8c58f35636

SHA256
fa16e10e0d6d8e7a2b4974e7f8c8d199cc6b4f15efa647fa0f571cb3b63798ba

SHA512
baa83fb754bd179cef868069d3c044fa629b64ae7536c2f651f969dba9bf8e4737dcbe91a74b210baa5dc4fefa9be4ad9b8b99035ee1a2310ffddd31a9616157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
2KB

MD5
7ab0c0572ed956aa349f249918050189

SHA1
66f71d0f2c7f17b8a54831f799eeb81a09c6a477

SHA256
a4d06c0042bc93bfabf59d4726a9c0f2d26732b5f9254aa3259c4aaccdc85c53

SHA512
1985439078af9db32d37525b9af8f9985984951f08e0bc6216a3e91a17db16402117455e5532b900298aebd376face1f1e1cd712c35b2e5742ccb5a7a5b9abb9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\sessionstore.jsonlz4

Filesize
2KB

MD5
01bec84c21c1b714741be383f4b26777

SHA1
89003fc2b24a25ec78ed517a8ca34c7be5336977

SHA256
f2d1b4c8f3e6789ed41535f734113b80f1b3188d6ea5522d6bce85ba12b13e36

SHA512
44e8364bcccc5d3dad5462d1e3c5ae3e68899e2cc0ff4b5ccafa1b2744a679883a0d6bb26d621affff5d65f0119554c2f508a90888d1c53a5345774f49cd673d

Download Submit
C:\Users\Admin\Downloads\inst.N8xkLgKe.exe.part

Filesize
63KB

MD5
472d323fca5c801cf8b3b1b97c0acd93

SHA1
cc5c7159a5e8349f9859a846de851741302c475d

SHA256
76542418940747a619040e859c38a8f6ecbca1ca8a9edd6e972194c503ae433f

SHA512
cdb7da85fd18863ab4921539c2608fc2fbe09537be249ec5349d0b20806e240a7b8f8e4ab5423d544ca448d53d4fddb84a1f978f451f17cc6285c8c72b829de3

Download Submit
C:\Users\Admin\Downloads\inst.exe

Filesize
3.9MB

MD5
b431b949c46ac41e2c4b06736900cf75

SHA1
1201f444c88466f753d6959eefe42969d77c9775

SHA256
d58d8de5d7cfd33c0f9aa6d1ef7f2ac6fe32769fe7f08efc95d5cdf82f1bf825

SHA512
3820071601e0dc463886fdf0ab20770b96836ff3f876ba58f0f757f0f5330f4eb3ff01333cf85f14a642d5d28407d76319e0d8c31024856190c341009d084cbc

Download Submit
C:\Users\Admin\Downloads\inst.exe

Filesize
3.9MB

MD5
b431b949c46ac41e2c4b06736900cf75

SHA1
1201f444c88466f753d6959eefe42969d77c9775

SHA256
d58d8de5d7cfd33c0f9aa6d1ef7f2ac6fe32769fe7f08efc95d5cdf82f1bf825

SHA512
3820071601e0dc463886fdf0ab20770b96836ff3f876ba58f0f757f0f5330f4eb3ff01333cf85f14a642d5d28407d76319e0d8c31024856190c341009d084cbc

Download Submit
memory/3604-1399-0x0000000002D40000-0x0000000002D41000-memory.dmp

Filesize
4KB

Download
memory/5056-1498-0x0000000004E40000-0x0000000004E41000-memory.dmp

Filesize
4KB

Download
memory/5056-1278-0x0000000004E40000-0x0000000004E41000-memory.dmp

Filesize
4KB

Download