xmrig | f0876a44581eccbf9cc514de00fcb2336735f29d2e637e0027d9bbbc625b059f

Analysis

max time kernel
2699s
max time network
2684s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
16/06/2024, 12:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Miner100%.exe
Size

5.0MB
MD5

571dd056a02c1a863a0607fedf0185ba
SHA1

0f0d54e4987a0912ba4a9b539b166b5a844172dc
SHA256

f0876a44581eccbf9cc514de00fcb2336735f29d2e637e0027d9bbbc625b059f
SHA512

4b503d3ad690e2d682d3d1dc47aa3faf4127c597e72fefbfc203e7cb6bda4d29b91312d31231b4282573e06cc4193c513cd03c9c85e2e363aa04e57128d4e000
SSDEEP

98304:O4S3icr2ru4b5JXx/AnqLqpNfbb3+0L4mHro1pQ0a69g+TVc25BZ3vevM76u/7d2:bS3icr2ru4zx/AnqWT5lo1O0nTVHP3vb

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 11 IoCs

miner

resource	yara_rule
behavioral2/memory/1032-6-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/1032-7-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/1032-9-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/1032-12-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/1032-11-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/1032-10-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/1032-13-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/1032-14-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/1032-16-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/1032-17-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/1032-18-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1032-2-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/1032-1-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/1032-5-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/1032-3-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/1032-6-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/1032-7-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/1032-4-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/1032-9-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/1032-12-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/1032-11-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/1032-10-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/1032-13-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/1032-14-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/1032-16-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/1032-17-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/1032-18-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3144 set thread context of 1032	3144	Miner100%.exe	91

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3144	Miner100%.exe
3144	Miner100%.exe
3144	Miner100%.exe
3144	Miner100%.exe
3144	Miner100%.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1032	explorer.exe
Token: SeShutdownPrivilege	3272	powercfg.exe
Token: SeCreatePagefilePrivilege	3272	powercfg.exe
Token: SeShutdownPrivilege	4924	powercfg.exe
Token: SeCreatePagefilePrivilege	4924	powercfg.exe
Token: SeShutdownPrivilege	2928	powercfg.exe
Token: SeCreatePagefilePrivilege	2928	powercfg.exe
Token: SeShutdownPrivilege	536	powercfg.exe
Token: SeCreatePagefilePrivilege	536	powercfg.exe
Token: SeLockMemoryPrivilege	1032	explorer.exe
Token: SeDebugPrivilege	4504	firefox.exe
Token: SeDebugPrivilege	4504	firefox.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
4504	firefox.exe
4504	firefox.exe
4504	firefox.exe
4504	firefox.exe
4504	firefox.exe
4504	firefox.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
4504	firefox.exe
4504	firefox.exe
4504	firefox.exe
4504	firefox.exe
4504	firefox.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
3760	MiniSearchHost.exe
4504	firefox.exe
4504	firefox.exe
4504	firefox.exe
4504	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3144 wrote to memory of 1032	3144	Miner100%.exe	91
PID 3144 wrote to memory of 1032	3144	Miner100%.exe	91
PID 3144 wrote to memory of 1032	3144	Miner100%.exe	91
PID 3144 wrote to memory of 1032	3144	Miner100%.exe	91
PID 3144 wrote to memory of 1032	3144	Miner100%.exe	91
PID 224 wrote to memory of 4504	224	firefox.exe	118
PID 224 wrote to memory of 4504	224	firefox.exe	118
PID 224 wrote to memory of 4504	224	firefox.exe	118
PID 224 wrote to memory of 4504	224	firefox.exe	118
PID 224 wrote to memory of 4504	224	firefox.exe	118
PID 224 wrote to memory of 4504	224	firefox.exe	118
PID 224 wrote to memory of 4504	224	firefox.exe	118
PID 224 wrote to memory of 4504	224	firefox.exe	118
PID 224 wrote to memory of 4504	224	firefox.exe	118
PID 224 wrote to memory of 4504	224	firefox.exe	118
PID 224 wrote to memory of 4504	224	firefox.exe	118
PID 4504 wrote to memory of 2412	4504	firefox.exe	119
PID 4504 wrote to memory of 2412	4504	firefox.exe	119
PID 4504 wrote to memory of 2412	4504	firefox.exe	119
PID 4504 wrote to memory of 2412	4504	firefox.exe	119
PID 4504 wrote to memory of 2412	4504	firefox.exe	119
PID 4504 wrote to memory of 2412	4504	firefox.exe	119
PID 4504 wrote to memory of 2412	4504	firefox.exe	119
PID 4504 wrote to memory of 2412	4504	firefox.exe	119
PID 4504 wrote to memory of 2412	4504	firefox.exe	119
PID 4504 wrote to memory of 2412	4504	firefox.exe	119
PID 4504 wrote to memory of 2412	4504	firefox.exe	119
PID 4504 wrote to memory of 2412	4504	firefox.exe	119
PID 4504 wrote to memory of 2412	4504	firefox.exe	119
PID 4504 wrote to memory of 2412	4504	firefox.exe	119
PID 4504 wrote to memory of 2412	4504	firefox.exe	119
PID 4504 wrote to memory of 2412	4504	firefox.exe	119
PID 4504 wrote to memory of 2412	4504	firefox.exe	119
PID 4504 wrote to memory of 2412	4504	firefox.exe	119
PID 4504 wrote to memory of 2412	4504	firefox.exe	119
PID 4504 wrote to memory of 2412	4504	firefox.exe	119
PID 4504 wrote to memory of 2412	4504	firefox.exe	119
PID 4504 wrote to memory of 2412	4504	firefox.exe	119
PID 4504 wrote to memory of 2412	4504	firefox.exe	119
PID 4504 wrote to memory of 2412	4504	firefox.exe	119
PID 4504 wrote to memory of 2412	4504	firefox.exe	119
PID 4504 wrote to memory of 2412	4504	firefox.exe	119
PID 4504 wrote to memory of 2412	4504	firefox.exe	119
PID 4504 wrote to memory of 2412	4504	firefox.exe	119
PID 4504 wrote to memory of 2412	4504	firefox.exe	119
PID 4504 wrote to memory of 2412	4504	firefox.exe	119
PID 4504 wrote to memory of 2412	4504	firefox.exe	119
PID 4504 wrote to memory of 2412	4504	firefox.exe	119
PID 4504 wrote to memory of 2412	4504	firefox.exe	119
PID 4504 wrote to memory of 2412	4504	firefox.exe	119
PID 4504 wrote to memory of 2412	4504	firefox.exe	119
PID 4504 wrote to memory of 2412	4504	firefox.exe	119
PID 4504 wrote to memory of 2412	4504	firefox.exe	119
PID 4504 wrote to memory of 2412	4504	firefox.exe	119
PID 4504 wrote to memory of 2412	4504	firefox.exe	119
PID 4504 wrote to memory of 2412	4504	firefox.exe	119
PID 4504 wrote to memory of 2412	4504	firefox.exe	119
PID 4504 wrote to memory of 2412	4504	firefox.exe	119
PID 4504 wrote to memory of 2412	4504	firefox.exe	119
PID 4504 wrote to memory of 3480	4504	firefox.exe	120
PID 4504 wrote to memory of 3480	4504	firefox.exe	120
PID 4504 wrote to memory of 3480	4504	firefox.exe	120
PID 4504 wrote to memory of 3480	4504	firefox.exe	120
PID 4504 wrote to memory of 3480	4504	firefox.exe	120

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Miner100%.exe
"C:\Users\Admin\AppData\Local\Temp\Miner100%.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3144
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3272
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2928
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:536
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4924
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1032

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3760

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1848

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:4940

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:4516

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
PID:3780

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
PID:4712

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:224
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4504
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4504.0.959619410\1279176515" -parentBuildID 20230214051806 -prefsHandle 1756 -prefMapHandle 1740 -prefsLen 22074 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ec13ed64-9e36-47a7-9f7f-f42e0663db25} 4504 "\\.\pipe\gecko-crash-server-pipe.4504" 1864 24baa20e058 gpu
    3⤵
    PID:2412
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4504.1.2032682535\1633807974" -parentBuildID 20230214051806 -prefsHandle 2388 -prefMapHandle 2376 -prefsLen 22110 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {140be005-08c4-4023-8bee-b59c231f23db} 4504 "\\.\pipe\gecko-crash-server-pipe.4504" 2416 24b9d586558 socket
    3⤵
    - Checks processor information in registry
    PID:3480
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4504.2.2016278327\1586419373" -childID 1 -isForBrowser -prefsHandle 2924 -prefMapHandle 2920 -prefsLen 22187 -prefMapSize 235121 -jsInitHandle 980 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b8bf4b30-0c17-4c5f-8e97-0d8e3462af76} 4504 "\\.\pipe\gecko-crash-server-pipe.4504" 2936 24baccf8a58 tab
    3⤵
    PID:4516
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4504.3.896041043\189739742" -childID 2 -isForBrowser -prefsHandle 3460 -prefMapHandle 3552 -prefsLen 27653 -prefMapSize 235121 -jsInitHandle 980 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {072d2c99-06a8-4ee8-8616-6503d8e67277} 4504 "\\.\pipe\gecko-crash-server-pipe.4504" 3448 24bae954658 tab
    3⤵
    PID:1252
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4504.4.519372054\732242740" -childID 3 -isForBrowser -prefsHandle 2816 -prefMapHandle 2812 -prefsLen 27813 -prefMapSize 235121 -jsInitHandle 980 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2d460248-2fa9-4671-9d4e-daacae313052} 4504 "\\.\pipe\gecko-crash-server-pipe.4504" 5344 24b9d571958 tab
    3⤵
    PID:684
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4504.5.1683825451\388593670" -childID 4 -isForBrowser -prefsHandle 5240 -prefMapHandle 5180 -prefsLen 27813 -prefMapSize 235121 -jsInitHandle 980 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {021b90f2-36bd-4eb0-969c-f0f5fae652b7} 4504 "\\.\pipe\gecko-crash-server-pipe.4504" 5144 24bacc14a58 tab
    3⤵
    PID:908
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4504.6.375086609\865729384" -childID 5 -isForBrowser -prefsHandle 5408 -prefMapHandle 5412 -prefsLen 27813 -prefMapSize 235121 -jsInitHandle 980 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {280cbefc-3520-40ab-98ad-ad41c576af14} 4504 "\\.\pipe\gecko-crash-server-pipe.4504" 5400 24bb11b3b58 tab
    3⤵
    PID:4476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2024-6-16.1215.3780.1.odl

Filesize
706B

MD5
6b61b7253c6f6630b77daf902809fbe8

SHA1
8d17b436da6a9085c9636dea1f0f5016aa7cfec8

SHA256
d0d60f9c14ff9ba1454afb10f20d72d6f2dad16b45a092419bfe85d08c4ace30

SHA512
15c5ead838c061afb62c1e02078534abb2f1884fcf5ef671e4d5b60b974bee0ba687866622fe1c1389714ff665ef7f65906e6dcaf2b0dbdcbda5ac63f6953255

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7l3zro2y.default-release\activity-stream.discovery_stream.json.tmp

Filesize
25KB

MD5
c460cec061ded8f6b4b9e2dc8b5f468b

SHA1
52bd22a2a49c4718b4080de94de43bde11d9e5f4

SHA256
16a997c4d37bb8ec8c099898b7ca422f269a30baacd987a59de2852d0e2c7cfc

SHA512
2e936637750d388405b46f80325a37a13adff80fd61c15a419a2005d62681bfd59e98d81803d1f89a693266fa90115ed7c62e5ec74a64efee25a02c9ebf3b6a1

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7l3zro2y.default-release\activity-stream.discovery_stream.json.tmp

Filesize
26KB

MD5
b9bf1fcde862b5d52f9b2975a8ad9224

SHA1
b7ce9989a910c6c77bcffbe8b75eea1750301844

SHA256
b02d3ae959f2f7a5fbe2d98ce67d4d5cef1d0a34d4c7dfcb24384d02879daf78

SHA512
970208db2988a7cd8d973ba93495abc0013dd07554a44dcd223a86958f51ae56833667b24a6d05d376b1d4716dad52c6d2f0c165c842dd94368adffeb1e47273

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7l3zro2y.default-release\prefs-1.js

Filesize
6KB

MD5
2bb559f72c47321c7cc09c873da93f9b

SHA1
fc6db53c7273b34fa94ce9436f7f8c497ac617cb

SHA256
c7efe055b57b41d7d8122525dbd010a04f7f100384d3d9d168e43959d729e829

SHA512
a8d8ea35825781973560293c67d3c8623606927ae9772f11fbb4e97ff3cfd36cefb6ed6e046a7f1209448946faff8ee53158fdcbb1c87f9494c984c661ca7fc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7l3zro2y.default-release\prefs.js

Filesize
6KB

MD5
aba4c4008df2176b71acf84b54b8d54a

SHA1
5b04532f88d4f534f1957bd163b02c33f97f0bd0

SHA256
1c5bfb962217b78813a7bfc139773c6cfd9afac75a2f3a51a49db1a71ff4d1ab

SHA512
4e9c85407e0edb3be9221dd1e26526854c57506e7f2626be9abdeae43132f523197d054558f5773a668c95a4b6cf1486236864ad7ef52b50c17416937d24cd9e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7l3zro2y.default-release\sessionCheckpoints.json.tmp

Filesize
259B

MD5
c8dc58eff0c029d381a67f5dca34a913

SHA1
3576807e793473bcbd3cf7d664b83948e3ec8f2d

SHA256
4c22e8a42797f14510228f9f4de8eea45c526228a869837bd43c0540092e5f17

SHA512
b8f7c4150326f617b63d6bc72953160804a3749f6dec0492779f6c72b3b09c8d1bd58f47d499205c9a0e716f55fe5f1503d7676a4c85d31d1c1e456898af77b4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7l3zro2y.default-release\sessionstore.jsonlz4

Filesize
908B

MD5
570f28a396a8e0e7567ad1b1f33902fc

SHA1
f2bf2a1cc17ddd1c7398913e460714583ce0f8e8

SHA256
94e6e72189050e1ed4423ff97bc1b8cb54cb1fcf7130888823e5f20383a4119a

SHA512
69791b6321d56cb48e499c2b42ac2892cc4560e9bcef6d9de11f3b1a17dc7291a9363cf7cf2cbc83ae21da1ecd38ca0f53dbca8cabd7824fc914ca1261b41858

Download Submit
C:\Users\Admin\Desktop\ApproveLimit.wmv

Filesize
859KB

MD5
705298e262bb014e081f9e1198518f3c

SHA1
dfec98937d94c53d3c527a0b939f5b7c1607ff42

SHA256
5fed55d6890108a34f6dcf784943c19bd6e8261f145edd28fb6ddc808e1ebde1

SHA512
775943e9d01225ccf0b15190c4c26f41a54450808f783df01b3ea4371cdc0b8cf1fbaf47b128eee09d2373756d6c501b0734d111ca76ee93a205f1e6f6edfe7d

Download Submit
C:\Users\Admin\Desktop\CloseStart.wmv

Filesize
527KB

MD5
db8b541e72155673c1b9b3e3aba7b47b

SHA1
ea02565d7f06187d089c05919cc489155fda65d5

SHA256
d35c2968ce321feb145dd7726ca953ff7c60e46a5e6703347f83352d33ab665e

SHA512
e2efe83fb387650752cbab6cefbdb0493c7f28abf828f3755bdb20512a06bcaf61eb5de5c508f5a6b444814a1988e253e41f95512adbeaae90f2f6764924f3f5

Download Submit
C:\Users\Admin\Desktop\CloseSync.wdp

Filesize
755KB

MD5
f8d84929e5e3eefc486c927c123cf647

SHA1
70b4c62cdafbadd9a293007e05d4fb77cbe5f385

SHA256
b734bab07af0cffc395fec24f43f5a1492ed41b03f2cc4848302df309b71f4f5

SHA512
580c4d1ee7322e7247f2ec59db0c82d73124be14a83a722457b4357fdfff0814ceee043746f168dc2185e572936ad9066a84f4fbdaa24aff85621d126af9e4fd

Download Submit
C:\Users\Admin\Desktop\CompressRename.rm

Filesize
424KB

MD5
f8f9a5fc4d075cd4024665fb60090051

SHA1
e6fc2c5f3dbc45b326e6ca5d6c9473808e59e70f

SHA256
ad6c9d3631fe2baa3221f78b3b2a5778036c824465cad4890657ab9a7fdb913a

SHA512
4f87931f0647f6b916c39fb5539ef1a82acf64591c82cded02c153022c5df06f68e272e29b70778079bb03bac1ea0a642fbd80f6f44d56c0e056af29977ac14c

Download Submit
C:\Users\Admin\Desktop\ConfirmExit.mpeg2

Filesize
796KB

MD5
ea75a72bbcb77a0697c4c8fb954006d9

SHA1
ad5f25b3a4ec2fabc9ced65ea7bd57d5435298fc

SHA256
19fbd16633538d065f75d809dae97df41b0391e936df695e25918bd6d4c72b1a

SHA512
1164e93500b512fd22fd65ee1a4092b8e1b853d84aae1bf4de644c65ff076041a81c55a6cf77f5147bf58c0657d2ddc0fc23d4f25f8fdf5322091f4f7381c482

Download Submit
C:\Users\Admin\Desktop\ConnectMeasure.dwfx

Filesize
1.2MB

MD5
8d6dd97218b455063e1b728a0f8d6e82

SHA1
add4c68065c36f3e6dd7b87bad48fb31cab5fe62

SHA256
cf9da00428b7e9eaea6f36aa3f30cdd6128123ea532a6be4f88db529fc5c1cd5

SHA512
84e89c9f66f28bec419ad41b2edca45733ec3f2973a0a3409397c4ee615c53f546d89713055eedcf12fc66db112a4e536a1f588e06888da6451e5a6117e37625

Download Submit
C:\Users\Admin\Desktop\ConvertToConvert.asx

Filesize
486KB

MD5
e6d7554d0012b8c3ba911e6c302474a6

SHA1
5acdeeeeb88adf635fd2106718040d635dc9deec

SHA256
6ba7a3f1180ce7bbf199ca8dbf54630a03f507b74f32dbf1a0ed0572628096df

SHA512
a05ad881c721d0cf7018bafcc4ad688044eeda04851707cb3f4b002645ab10332ad0c8a5c5fe65bd7bc9d9f0344973e4a51eb1aeb395823685c8032543381701

Download Submit
C:\Users\Admin\Desktop\EditAssert.txt

Filesize
610KB

MD5
2b337e796b9aa3e49db7991fa07ae233

SHA1
df6bc2f33feb9fcef06244764143776fd1045a47

SHA256
8e60c0cc1cfd627d46a6783a56caa55c25afb7ccceef9bed6de6fc826a24fca7

SHA512
ad9eea4ac1b2ee4d238a30468ca5df7eb1f45f54179492080bc6a27c7c9008cf5442c46af481f60b62adde00a162c98f5814ce3e8686349ce185bd70b2731d0f

Download Submit
C:\Users\Admin\Desktop\EditFormat.mhtml

Filesize
548KB

MD5
738c3743576c186669364e303f440543

SHA1
ff307653e5bfab6a4f7685823a465c014d4f31eb

SHA256
c093a973817c014a2217ed264c806e4ba520971968afd02689951b79972d623d

SHA512
cbcd1c4f34b0b31162eec1af2f5beb5ec89565b370d9615384847ceb382a4bea8ebcb5d5525cc4674c44775875e46c5e0ed701f8e7242059c877ae1140eb8eba

Download Submit
C:\Users\Admin\Desktop\InvokeAdd.M2V

Filesize
403KB

MD5
5d3659fefaba781337707afaf7392872

SHA1
3169e9016c5877b384e301e81773b88b04ce9f8c

SHA256
5ffb8cdd85a3c30bc616d548ef9ea7b1db941e49bc0baa461b0a9f929a33c370

SHA512
41691ba7be710c8a0f1ecdb9feaaf5b52e2981d217901cfbfb0f98cc03078fcb2a5d62da4a8bb55f93051d39b2e9ef1c9b034086dddd9b4f0ba0ecd62ef658e4

Download Submit
C:\Users\Admin\Desktop\InvokeExpand.avi

Filesize
672KB

MD5
f15a659c5b5cb74279e81629bedadaef

SHA1
8c56c5bef15655576728dae50a11dda1551feb55

SHA256
bf7742a2be3febc90317e03de1db8fd2ec113f46ccec15b9917f1131a411c8a9

SHA512
180b92edfb84cce7b52ece4992082bfe2b090e900029e651cd0e4534e5472154088849d6a9caab9f812c4e51e0331f473983c3ab45f91736c01b0338a0dfb313

Download Submit
C:\Users\Admin\Desktop\JoinDebug.ram

Filesize
320KB

MD5
d8108be1b1f6d6f729c4af75925e866d

SHA1
007220384f724728c883cccf6ae16b18bf22f1a4

SHA256
a323cd8f82c30a12de98afa262a023ef603fd2355dc7c143deb06ca442bc0cc2

SHA512
abe9c0c0235c6d38e314fbe4164d241108326d341530276583410479bb8639f176ebcdebce74e27214610614bb37f81819a89d8bb9bc5df3757d78727120086b

Download Submit
C:\Users\Admin\Desktop\JoinExit.wvx

Filesize
589KB

MD5
7d718dbdb4165dacf51b6055602f683a

SHA1
39f14f33feadd48b598460795231da690ac6516d

SHA256
27489c26c29fce4505c2d8b77a7a1425d5d247c3c376c96f7ea6ae68eaedfe27

SHA512
120e269c9f4b0c37738bd6fca9fdd89be97790822f93050e49039efdc74b56eac60af7bb2e0665bc0d79849756cf2fbae815e787b1087cb251f3eb751f14c4f0

Download Submit
C:\Users\Admin\Desktop\MergeRemove.xht

Filesize
382KB

MD5
2996446525cb7b38a76d28803c18aaf8

SHA1
7f2a7f1de177e68c40d73579817fb6884bf92329

SHA256
adbb59a8fee79a3588074207f32c201a517de7c984f54b13eedbbdacd2baa426

SHA512
af82ccb183c1786365601f2b29b2af745cc33f97e5b4dde42ab7df1b53f179bda7cf0ec9a974137b9cb80d4f6546b564dd6a50a7730fd118727232d8dd3fcb16

Download Submit
C:\Users\Admin\Desktop\MergeRestart.jtx

Filesize
569KB

MD5
da6e6a94cc0377a5f23ba62bcdb90055

SHA1
9926bc5f4c79f241914fb83e2f4ec42327fa875e

SHA256
92e4063bb81e48adacd93f0326e4c5cd02cfd8b52eac501c4a4065376660ea68

SHA512
992f41a4b18b3610cc8c2bdd41caba7919397f397621c2bbab0367973ef566c21220c9cbb06188b8d792ff1b9f18a17017eb3dda90b46237628b8e0d4ea91e78

Download Submit
C:\Users\Admin\Desktop\OpenConnect.m1v

Filesize
445KB

MD5
b23c9a47fc5baf390784aa618c1ed8fe

SHA1
bd79ed6fc92edf97d7972cb0252c60a225898d60

SHA256
75e0063f75b97b8cb02790d929cf3bd2536438ffd32256134b90cf7796cc8f94

SHA512
31efbcdb1d5265875a21b639854a41e9a7f4912dddbb6c58e525fe25ab327ef53570a18acd68203ab197c55fc3a9cc7275c9036be1c786d0d195441d07b76d36

Download Submit
C:\Users\Admin\Desktop\PingPop.cab

Filesize
714KB

MD5
608145249285e4768605d613ff1a5365

SHA1
7037b946298406abf7812edbc452c06b36b9cea3

SHA256
eb9ceb62fc0c78f7107141aabdcf4aa7311839e5be136a522831d05877f414cc

SHA512
9935ac15a8fcb28be098cd3ccfcab9280c5df6b74b1a5c59bac71861b30158b80c8a0c44dc6232a1674ae700553da0f4ef7aa956be67951daee983d557181339

Download Submit
C:\Users\Admin\Desktop\ReadSave.raw

Filesize
631KB

MD5
0c03794e102770e9832ef41c031f7048

SHA1
8ae6e5bbbe5ef6510252c4332358fde4dfff2585

SHA256
bd28f4858550ad3f3d806362b4a376df5fd01501e10dd643b3d592191d2491e1

SHA512
7210347f39298579ab0d84c318f590a2ae81667f49a5fd71579e768bd1e2d8d1d749e6374f499720ec34a0592d4d216b396ad877e3ca18ce2bfd54dea0dce423

Download Submit
C:\Users\Admin\Desktop\ReadSet.lnk

Filesize
776KB

MD5
9fa16ecb15860f1171f85ad6f462e4ca

SHA1
2b3774f362eb87f719cf40b0d9a76f142e6f5a87

SHA256
ec9297813878e11420aad83ebcfcc7a41ce5385935fd85ae0917fcec127c395d

SHA512
43466349776bf254b9f06fd9a00e7a5c66d9ef6277a020177d050045ea559df8dc5278f0b8660ec34a46a6637ee5125d3b6b95d788e580ebcb62e64d3cf74f28

Download Submit
C:\Users\Admin\Desktop\ReceiveRevoke.wmv

Filesize
652KB

MD5
3164cb4d379326a806c78b9afe034819

SHA1
8f229cd0424db882e3e5ecb012202f66790955d6

SHA256
73faf86d461cf1f68a653fd3f30cf86b924e0c34d7b8f1bd77e0671cc05f48de

SHA512
66701c82be058800ba7f67db73f949db7785aabca724f19eca8af927c105b7049286379d2fac6b9d7ae37bf3bb73c53ba4b691a333e24515f4d2bc5d678f807c

Download Submit
C:\Users\Admin\Desktop\RedoDeny.pot

Filesize
838KB

MD5
ddb04b5608e51e58c5411ea4de60ffa4

SHA1
90c5724c88dad39f02dcfbb6ed06650c4cc6178c

SHA256
6fdadf5781735c5c08ac9ab785f0aa6f0d56780848ef8db5d8f5eaaa98d28613

SHA512
02854589e632deae824ca3651ac744847b622b80e54275da08d46ebcfaecff079b39f1cc0ad93e1cf9f70299c7529cdccbbd37932bc7f5f28715e867e622957c

Download Submit
C:\Users\Admin\Desktop\RepairOpen.exe

Filesize
817KB

MD5
2f1531616a682dd67797c00f47ea4cdb

SHA1
a0ef994c6f60d3ba67c69a62e2ae4a845fa49230

SHA256
dc1187981e74882ca8b6cd2f821fa2ecbd06f0043b99000aacdd6acb2322c3f3

SHA512
829b0a9653f9b95cf226502dd34ef564bd1e3cc4bf01c8a49c8af071192784d32b63d7d5f571d0fea231cf66a013b918ceadf13852dce1fb772bb84e872db80a

Download Submit
C:\Users\Admin\Desktop\ResetPing.gif

Filesize
465KB

MD5
93a5e19edc9a1173dff2542f464979bf

SHA1
2298bab634482977acb411c01fde9ac30e75d586

SHA256
1a8646af97a6bf20c7dfc52e6af48951879733fa499118f5c84506bef55b1b58

SHA512
cd4c47d39efcc03363882d0bbcaf256dd6db5ee17e0dc94f6ce3931cc9efdee01784313d95ab44b2f22cf72451f2aeee33da428bcb6664c21344cc4d99731b81

Download Submit
C:\Users\Admin\Desktop\RestoreStep.xltx

Filesize
362KB

MD5
24be72369d8ba2cbef7e041e6757a388

SHA1
1465eaffb638ffb1e70edb90dc2133efeefa9a3e

SHA256
7586b925b15b072d88b9392a678411c8b32228e8b833b1631d7cb6ad1cf2e558

SHA512
55549cfaacdf86a1f11b21aa95dcd8fefb15dd44dbf632e277242d5ba6d0a204dce77532d4fdea8a6fbf71d2dda81b3fc4da9feecaae483085e40f907618c1ce

Download Submit
C:\Users\Admin\Desktop\SelectImport.docm

Filesize
507KB

MD5
9142e90116fe38d73dbb7a0bde4cf022

SHA1
ff6fc3e7594d7cbe5c9d394f6dc4d7352da2b633

SHA256
9fcc59bcc96765f90ab68260d34fd940427c1293445338c58b8fe2430db4d798

SHA512
4e43d8f0321a00be3436eb85e0b16ed3f57fd2f30d683a1420885bd61b1f5a11844bab1e15bee71a3da52b324248fcc081a55152fa76f44beefc2a599a89291e

Download Submit
C:\Users\Admin\Desktop\SelectOpen.htm

Filesize
300KB

MD5
f3e9f4742538214d925017f41313125a

SHA1
1d726cfac2738d54d697331ef4e09a7b734a9ffe

SHA256
a924c2ebf61ac1c361261d7f1a03aed8078940aa38a385b96d0864dc1015ccff

SHA512
86b28ddb004cf616862024daac9927771df664bc87b974c7ced53fcf81eed6c027ab771defe85b59511c0397d2adb7d8a5d0847a77b9ebd7eae319ee10bd1fdd

Download Submit
C:\Users\Admin\Desktop\UnlockResize.xls

Filesize
693KB

MD5
3ff220ef48029caa0b582a0af2825c9d

SHA1
4ae19241f897059dae7c63da8827e4e0693c5ce1

SHA256
d4fb2a53af126e71e697dac023d9ab458f214c737aefef62b086564569896df1

SHA512
3610c2964cc33b3231725adc9e73752317e416af47db1a7a71d91a390036d0cef94b2aa55491b3554df0490c76b71e2e059f335a756256e66b2e65086fe62dce

Download Submit
C:\Users\Admin\Desktop\WaitUnprotect.dotx

Filesize
341KB

MD5
500718c3222cc34792dbd8065e4b8045

SHA1
9f5f4f0e8f3937fe0ab0f68f438bc7883a617c53

SHA256
053350a165b55c04d29424bf966a7a5c33faf368e51df0aee6e48f4f13d4faa0

SHA512
018494be12f663384e1e252119e666287f8c84486fb9683bf1f1c92de63bd14a4c4de1ad00ea6f13a94926cb2376c72dc329386d76521b8ff1f421024ddc835c

Download Submit
C:\Users\Admin\Desktop\WatchPublish.vsdx

Filesize
734KB

MD5
31868d5ae45c89e3c1543b9b33e18971

SHA1
56fa2cb4add443ade6a639d3f096cbc40069c407

SHA256
19cf7c90075b7660e4109de09aea4149c829d957d0115655e2de32d3f719c845

SHA512
dd6612b05d13a67c247fb64a9a8c1dae5d9d7bb27bfbb8a16104f8e4cfb320f2a8d0f263da9118910447e062d0c0089102702c808d48d3e9a2e7339474084a3a

Download Submit
memory/1032-18-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1032-4-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1032-10-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1032-11-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1032-12-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1032-14-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1032-16-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1032-9-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1032-17-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1032-13-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1032-2-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1032-7-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1032-6-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1032-3-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1032-5-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1032-8-0x00000000013B0000-0x00000000013D0000-memory.dmp

Filesize
128KB

Download
memory/1032-1-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download