Analysis
max time kernel: 283s
max time network: 285s
platform: windows10-1703_x64
resource: win10-20240404-de
resource tags: arch:x64 arch:x86 image:win10-20240404-de locale:de-de os:windows10-1703-x64 system:windows
submitted: 16-06-2024 16:27
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://file.io/fEWto2hrZPok
Resource: win10-20240404-de
General
Target: https://file.io/fEWto2hrZPok
Malware Config
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
Processes: Themida64.exe, xrLClv_protected.exe, xrLClv_protected.exe, xrLClv_protected.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | Themida64.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | xrLClv_protected.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | xrLClv_protected.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | xrLClv_protected.exe
Checks BIOS information in registry 2 TTPs 9 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: Themida64.exe, xrLClv_protected.exe, xrLClv_protected.exe, xrLClv_protected.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Themida64.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | Themida64.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | xrLClv_protected.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | xrLClv_protected.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Themida64.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | xrLClv_protected.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | xrLClv_protected.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | xrLClv_protected.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | xrLClv_protected.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: Themida64.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Control Panel\International\Geo\Nation | Themida64.exe
Executes dropped EXE 6 IoCs
Processes: Themida64.exe, xrLClv_protected.exe, xrLClv.exe, xrLClv_protected.exe, xrLClv_protected.exe, xrLClv.exe
pid | process
364 | Themida64.exe
604 | xrLClv_protected.exe
5084 | xrLClv.exe
7220 | xrLClv_protected.exe
7036 | xrLClv_protected.exe
5540 | xrLClv.exe
Loads dropped DLL 4 IoCs
Processes: Themida64.exe
pid | process
364 | Themida64.exe
364 | Themida64.exe
364 | Themida64.exe
364 | Themida64.exe
Processes:
resource | yara_rule
C:\Users\Admin\Desktop\Themida_x32_x64_v3.0.4.0_Repacked\xrLClv_protected.exe | themida
behavioral1/memory/604-2437-0x00007FF7638E0000-0x00007FF76421B000-memory.dmp | themida
behavioral1/memory/604-2456-0x00007FF7638E0000-0x00007FF76421B000-memory.dmp | themida
behavioral1/memory/7220-2595-0x00007FF7638E0000-0x00007FF76421B000-memory.dmp | themida
behavioral1/memory/7036-3364-0x00007FF7638E0000-0x00007FF76421B000-memory.dmp | themida
Processes: Themida64.exe, xrLClv_protected.exe, xrLClv_protected.exe, xrLClv_protected.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Themida64.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | xrLClv_protected.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | xrLClv_protected.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | xrLClv_protected.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes: Themida64.exe
description | ioc | process
File opened for modification | \??\PhysicalDrive0 | Themida64.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
Processes: Themida64.exe, xrLClv_protected.exe, xrLClv_protected.exe, xrLClv_protected.exe
pid | process
364 | Themida64.exe
364 | Themida64.exe
604 | xrLClv_protected.exe
7220 | xrLClv_protected.exe
7036 | xrLClv_protected.exe
Drops file in Windows directory 8 IoCs
Processes: MicrosoftEdge.exe, MicrosoftEdgeCP.exe, MicrosoftEdgeCP.exe, svchost.exe, svchost.exe, MicrosoftEdgeCP.exe, Themida64.exe
description | ioc | process
File created | C:\Windows\rescache\_merged\3720402701\1568373884.pri | MicrosoftEdge.exe
File created | C:\Windows\rescache\_merged\3720402701\1568373884.pri | MicrosoftEdgeCP.exe
File created | C:\Windows\rescache\_merged\3720402701\1568373884.pri | MicrosoftEdgeCP.exe
File created | C:\Windows\INF\netsstpa.PNF | svchost.exe
File created | C:\Windows\INF\netrasa.PNF | svchost.exe
File created | C:\Windows\rescache\_merged\3720402701\1568373884.pri | MicrosoftEdgeCP.exe
File created | C:\Windows\rescache\_merged\3720402701\1568373884.pri | Themida64.exe
File opened for modification | C:\Windows\Debug\ESE.TXT | MicrosoftEdge.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes: svchost.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\ | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\ | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\ConfigFlags | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\ | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\ | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Mfg | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | svchost.exe
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: firefox.exe, firefox.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Enumerates system info in registry 2 TTPs 3 IoCs
Processes: chrome.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Processes: browser_broker.exe, MicrosoftEdgeCP.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\Main | browser_broker.exe
Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\Main | MicrosoftEdgeCP.exe
Modifies data under HKEY_USERS 4 IoCs
Processes: chrome.exe, svchost.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133630290865485392" | chrome.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache | svchost.exe
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
Modifies registry class 64 IoCs
Processes: MicrosoftEdge.exe, MicrosoftEdgeCP.exe, Themida64.exe, MicrosoftEdgeCP.exe, MicrosoftEdgeCP.exe, MicrosoftEdgeCP.exe, MicrosoftEdgeCP.exe, MicrosoftEdgeCP.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0" | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\CIStatus\CIPolicyState = "0" | MicrosoftEdgeCP.exe
Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance | Themida64.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "0" | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DXFeatureLevel = "0" | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0" | MicrosoftEdgeCP.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\Total\ = "3611" | MicrosoftEdgeCP.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "268435456" | MicrosoftEdge.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000 | MicrosoftEdgeCP.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance | Themida64.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0" | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\ACGStatus | MicrosoftEdgeCP.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\History\CachePrefix = "Visited:" | MicrosoftEdgeCP.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy\ClearBrowsingHistoryOnStart = "0" | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg | Themida64.exe
Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\bing.com | MicrosoftEdgeCP.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\bing.com\NumberOfSubdomains = "0" | MicrosoftEdgeCP.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0 = 9000310000000000d058d18310005448454d49447e312e305f520000740009000400efbed058af83d058d1832e0000003fac01000000080000000000000000000000000000001d41d6005400680065006d006900640061005f007800330032005f007800360034005f00760033002e0030002e0034002e0030005f00520065007000610063006b006500640000001c000000 | Themida64.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 7547db2d0ac0da01 | MicrosoftEdge.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\AdapterInfo = "vendorId=\"0x1414\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\"" | MicrosoftEdgeCP.exe
Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Explorer\Main | MicrosoftEdgeCP.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:" | MicrosoftEdgeCP.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\www.bing.com\ = "132" | MicrosoftEdgeCP.exe
Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "0" | MicrosoftEdge.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000 | MicrosoftEdgeCP.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\CIStatus\SignaturePolicy = 06000000 | MicrosoftEdgeCP.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\bing.com\ = "0" | MicrosoftEdgeCP.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\MRUListEx = ffffffff | Themida64.exe
Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\History\CacheLimit = "1" | MicrosoftEdgeCP.exe
Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\EdpDomStorage | MicrosoftEdgeCP.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff | Themida64.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | Themida64.exe
Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content | MicrosoftEdgeCP.exe
Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-Revision = "0" | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache | MicrosoftEdgeCP.exe
Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate | MicrosoftEdgeCP.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\Total\ = "1694" | MicrosoftEdgeCP.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | Themida64.exe
Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\CIStatus | MicrosoftEdgeCP.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\Total\ = "124" | MicrosoftEdgeCP.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\msn.com\Total = "122" | MicrosoftEdgeCP.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "1" | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus | MicrosoftEdgeCP.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Content\CachePrefix | MicrosoftEdgeCP.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\EdpDomStorage\www.bing.com\ = "0" | MicrosoftEdgeCP.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\Total\ = "3699" | MicrosoftEdgeCP.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "395205405" | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{3A1D64DF-C89D-4FAB-A734-FD7F2F68C6DB} = "0" | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\EdpDomStorage\bing.com\Total = "0" | MicrosoftEdgeCP.exe
Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\EdpDomStorage\www.msn.com | MicrosoftEdgeCP.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\LastClosedHeight = "648" | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\EdpDomStorage\Total | MicrosoftEdgeCP.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\bing.com\Total = "23" | MicrosoftEdgeCP.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\Total\ = "321" | MicrosoftEdgeCP.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\NodeSlot = "3" | Themida64.exe
Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3 | MicrosoftEdge.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000 | MicrosoftEdgeCP.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\www.bing.com\ = "0" | MicrosoftEdgeCP.exe
NTFS ADS 1 IoCs
Processes:
- File created: C:\Users\Admin\Downloads\Themida_x32_x64_v3.0.4.0_Repacked.rar:Zone.Identifier (process: firefox.exe)
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
- PID 364 Themida64.exe (2 events)
- PID 7032 chrome.exe (2 events)
Suspicious behavior: LoadsDriver 6 IoCs
Processes:
- PID 4 (5 events)
- PID 612 (1 event)
Suspicious behavior: MapViewOfSection 8 IoCs
Processes:
- PID 3796 MicrosoftEdgeCP.exe (8 events)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs
Processes:
- PID 7032 chrome.exe (5 events)
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
- Token: SeDebugPrivilege, PID 4740 MicrosoftEdgeCP.exe (4 events)
- Token: SeShutdownPrivilege, PID 2280 svchost.exe (1 event)
- Token: SeCreatePagefilePrivilege, PID 2280 svchost.exe (1 event)
- Token: SeLoadDriverPrivilege, PID 2280 svchost.exe (18 events)
- Token: SeDebugPrivilege, PID 4868 firefox.exe (6 events)
- Token: SeDebugPrivilege, PID 2324 MicrosoftEdge.exe (2 events)
- Token: SeRestorePrivilege, PID 7256 7zFM.exe (1 event)
- Token: privilege 35 (not resolved to a name in the report), PID 7256 7zFM.exe (1 event)
- Token: SeSecurityPrivilege, PID 7256 7zFM.exe (1 event)
- Token: SeShutdownPrivilege, PID 7032 chrome.exe (15 events)
- Token: SeCreatePagefilePrivilege, PID 7032 chrome.exe (14 events)
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
- PID 4868 firefox.exe (8 events)
- PID 7256 7zFM.exe (2 events)
- PID 364 Themida64.exe (54 events)
Suspicious use of SendNotifyMessage 35 IoCs
Processes:
- PID 4868 firefox.exe (7 events)
- PID 7032 chrome.exe (28 events)
Suspicious use of SetWindowsHookEx 21 IoCs
Processes:
- PID 2324 MicrosoftEdge.exe (1 event)
- PID 3796 MicrosoftEdgeCP.exe (2 events)
- PID 4740 MicrosoftEdgeCP.exe (1 event)
- PID 3284 MicrosoftEdgeCP.exe (2 events)
- PID 4868 firefox.exe (10 events)
- PID 364 Themida64.exe (5 events)
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
- PID 3796 MicrosoftEdgeCP.exe wrote to memory of PID 4400 MicrosoftEdgeCP.exe (3 events)
- PID 4952 firefox.exe wrote to memory of PID 4868 firefox.exe (11 events)
- PID 4868 firefox.exe wrote to memory of PID 4464 firefox.exe (2 events)
- PID 4868 firefox.exe wrote to memory of PID 5144 firefox.exe (48 events)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (child processes are indented under their parent; each entry gives the image path, the command line, the signatures it triggered and the PID)
-
C:\Windows\system32\LaunchWinApp.exe
  "C:\Windows\system32\LaunchWinApp.exe" "https://file.io/fEWto2hrZPok"
  PID:3292
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2324
-
C:\Windows\system32\browser_broker.exe
  C:\Windows\system32\browser_broker.exe -Embedding
  - Modifies Internet Explorer settings
  PID:4736
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  - Modifies registry class
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3796
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4740
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  - Drops file in Windows directory
  - Modifies registry class
  PID:4400
-
C:\Windows\System32\SystemSettingsBroker.exe
  C:\Windows\System32\SystemSettingsBroker.exe -Embedding
  PID:4752
-
\??\c:\windows\system32\svchost.exe
  c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s RmSvc
  PID:2344
-
\??\c:\windows\system32\svchost.exe
  c:\windows\system32\svchost.exe -k localservice -s SstpSvc
  PID:4732
-
C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:2944
-
\??\c:\windows\system32\svchost.exe
  c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2280
-
\??\c:\windows\system32\svchost.exe
  c:\windows\system32\svchost.exe -k netsvcs -s RasMan
  PID:2204
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:3284
-
C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  - Suspicious use of WriteProcessMemory
  PID:4952
    C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      - Checks processor information in registry
      - NTFS ADS
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID:4868
        C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4868.0.456095056\183796661" -parentBuildID 20221007134813 -prefsHandle 1688 -prefMapHandle 1680 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {69d37d3a-ed41-4246-a785-1dfdb68e5685} 4868 "\\.\pipe\gecko-crash-server-pipe.4868" 1764 1a2cf8ce258 gpu
          PID:4464
        C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4868.1.659335164\207256087" -parentBuildID 20221007134813 -prefsHandle 2108 -prefMapHandle 2104 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {da518727-b4b8-410d-a1c9-21a144a13755} 4868 "\\.\pipe\gecko-crash-server-pipe.4868" 2120 1a2c4872258 socket
          - Checks processor information in registry
          PID:5144
        C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4868.2.776133665\1686335531" -childID 1 -isForBrowser -prefsHandle 2656 -prefMapHandle 2788 -prefsLen 20866 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a264e0aa-3caf-48ad-9f2a-1f28a0584675} 4868 "\\.\pipe\gecko-crash-server-pipe.4868" 2684 1a2cf85ce58 tab
          PID:5552
        C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4868.3.369668541\705015257" -childID 2 -isForBrowser -prefsHandle 3408 -prefMapHandle 3400 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a6b1bc4f-08f9-4138-a9a3-3a036ab42077} 4868 "\\.\pipe\gecko-crash-server-pipe.4868" 3452 1a2c486ee58 tab
          PID:5664
        C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4868.4.1616530708\282712781" -childID 3 -isForBrowser -prefsHandle 4192 -prefMapHandle 4188 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2c045ed8-084e-48f3-a713-cb6ccc4bc81d} 4868 "\\.\pipe\gecko-crash-server-pipe.4868" 4200 1a2d58adb58 tab
          PID:6008
        C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4868.5.940163582\825776445" -childID 4 -isForBrowser -prefsHandle 4824 -prefMapHandle 4820 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c974dae5-36a8-4580-a0b2-93712759c045} 4868 "\\.\pipe\gecko-crash-server-pipe.4868" 4836 1a2d6044658 tab
          PID:5716
        C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4868.6.107650641\386046970" -childID 5 -isForBrowser -prefsHandle 4972 -prefMapHandle 4976 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {617706fb-4118-4978-aba9-8f6164db9bcd} 4868 "\\.\pipe\gecko-crash-server-pipe.4868" 4964 1a2d6637558 tab
          PID:5728
        C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4868.7.1879411051\1327639729" -childID 6 -isForBrowser -prefsHandle 5172 -prefMapHandle 5176 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c0f6d1a4-9762-4d7b-8038-122b7ef7a0fa} 4868 "\\.\pipe\gecko-crash-server-pipe.4868" 5164 1a2d663a558 tab
          PID:5736
        C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4868.8.844555288\120142238" -childID 7 -isForBrowser -prefsHandle 5032 -prefMapHandle 5388 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {aafb6dfb-2d28-4e82-a299-55e6fbce619c} 4868 "\\.\pipe\gecko-crash-server-pipe.4868" 5536 1a2d780a258 tab
          PID:1920
        C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4868.9.1729937139\400894989" -childID 8 -isForBrowser -prefsHandle 9680 -prefMapHandle 9684 -prefsLen 26424 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {dae362ee-1c48-424b-9497-b6b15ff81c35} 4868 "\\.\pipe\gecko-crash-server-pipe.4868" 9672 1a2d7fb6258 tab
          PID:6520
        C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4868.10.563993512\1089456400" -childID 9 -isForBrowser -prefsHandle 9040 -prefMapHandle 9052 -prefsLen 26464 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fb34e3ea-b4c8-4c40-910b-8090a6845a44} 4868 "\\.\pipe\gecko-crash-server-pipe.4868" 3488 1a2d6022558 tab
          PID:6220
        C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4868.11.836434496\1013520959" -parentBuildID 20221007134813 -prefsHandle 8908 -prefMapHandle 9040 -prefsLen 26464 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {acb694db-3613-45e7-b8a5-8bbcb587389d} 4868 "\\.\pipe\gecko-crash-server-pipe.4868" 8876 1a2d72f1958 rdd
          PID:5820
        C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4868.12.1945353421\1180524167" -parentBuildID 20221007134813 -sandboxingKind 1 -prefsHandle 9188 -prefMapHandle 8896 -prefsLen 26464 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1c0f5faf-5e2a-4262-b76b-761dfa1e56ab} 4868 "\\.\pipe\gecko-crash-server-pipe.4868" 8832 1a2d72f1658 utility
          PID:6424
        C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4868.13.376712276\1312352645" -childID 10 -isForBrowser -prefsHandle 8588 -prefMapHandle 8696 -prefsLen 26464 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {32c724ec-95e6-46a3-be36-629d5142889b} 4868 "\\.\pipe\gecko-crash-server-pipe.4868" 8576 1a2d458d158 tab
          PID:6636
        C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4868.14.1742034339\1038768812" -childID 11 -isForBrowser -prefsHandle 8352 -prefMapHandle 8348 -prefsLen 26464 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {56d70a58-b4ab-42dc-9e44-3c23642950d1} 4868 "\\.\pipe\gecko-crash-server-pipe.4868" 8364 1a2d780ab58 tab
          PID:5368
        C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4868.15.95905660\1372755915" -childID 12 -isForBrowser -prefsHandle 8384 -prefMapHandle 8280 -prefsLen 26464 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {65e8f366-9343-443b-9405-787d4d457842} 4868 "\\.\pipe\gecko-crash-server-pipe.4868" 8188 1a2d9daa958 tab
          PID:5380
        C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4868.16.164408489\1730769102" -childID 13 -isForBrowser -prefsHandle 8204 -prefMapHandle 7964 -prefsLen 26464 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f270856f-a82c-437b-9ca2-7f66e63a0e50} 4868 "\\.\pipe\gecko-crash-server-pipe.4868" 8216 1a2da26c658 tab
          PID:6760
        C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4868.17.2128971531\927668264" -childID 14 -isForBrowser -prefsHandle 8248 -prefMapHandle 8244 -prefsLen 26464 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c30d9ee2-f062-4aad-9d2e-87c55f102216} 4868 "\\.\pipe\gecko-crash-server-pipe.4868" 7948 1a2da26bd58 tab
          PID:6768
        C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4868.18.217909128\112151227" -childID 15 -isForBrowser -prefsHandle 7968 -prefMapHandle 7956 -prefsLen 26464 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3d0d31fa-1898-44d8-b238-2a2a18e06bef} 4868 "\\.\pipe\gecko-crash-server-pipe.4868" 7836 1a2da26cf58 tab
          PID:6776
        C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4868.19.1441239982\924365580" -childID 16 -isForBrowser -prefsHandle 7268 -prefMapHandle 7264 -prefsLen 26464 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {74944497-e346-41a2-b26c-28d22d44f170} 4868 "\\.\pipe\gecko-crash-server-pipe.4868" 7284 1a2daae2658 tab
          PID:7240
        C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4868.20.1288210307\846770643" -childID 17 -isForBrowser -prefsHandle 4560 -prefMapHandle 4596 -prefsLen 26464 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {42b4bef3-e085-47ad-a0b5-288eb4dd1ebb} 4868 "\\.\pipe\gecko-crash-server-pipe.4868" 7292 1a2d22b7558 tab
          PID:2088
        C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4868.21.2062598956\1020096291" -childID 18 -isForBrowser -prefsHandle 7396 -prefMapHandle 6900 -prefsLen 26464 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cc3e0663-855d-4a24-85a7-865764f5eada} 4868 "\\.\pipe\gecko-crash-server-pipe.4868" 6876 1a2da31bd58 tab
          PID:2872
        C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4868.22.1254577574\464377914" -childID 19 -isForBrowser -prefsHandle 6608 -prefMapHandle 6604 -prefsLen 26464 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d06e70f3-a030-4c0e-96c2-9b41b190b1ea} 4868 "\\.\pipe\gecko-crash-server-pipe.4868" 6624 1a2d4109158 tab
          PID:7268
        C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4868.23.1664219326\1721124832" -childID 20 -isForBrowser -prefsHandle 6620 -prefMapHandle 6616 -prefsLen 26464 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {24fe00a7-7962-4faa-a36f-edaac344ec73} 4868 "\\.\pipe\gecko-crash-server-pipe.4868" 7288 1a2d4109a58 tab
          PID:6856
        C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4868.24.1004782750\1232701846" -childID 21 -isForBrowser -prefsHandle 7564 -prefMapHandle 6732 -prefsLen 26464 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3a92ca7d-5c82-4466-913a-b0c3c7214fb6} 4868 "\\.\pipe\gecko-crash-server-pipe.4868" 7112 1a2d410a358 tab
          PID:7300
        C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4868.25.1183511128\410703583" -childID 22 -isForBrowser -prefsHandle 7964 -prefMapHandle 7420 -prefsLen 26785 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5f8a70d9-0173-412d-a269-ec17bb79850d} 4868 "\\.\pipe\gecko-crash-server-pipe.4868" 6620 1a2da536e58 tab
          PID:4908
        C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4868.26.66283982\1723047125" -childID 23 -isForBrowser -prefsHandle 8632 -prefMapHandle 9412 -prefsLen 26864 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f25f9e75-1469-4e03-bf53-3f746b5a8348} 4868 "\\.\pipe\gecko-crash-server-pipe.4868" 5844 1a2d6638158 tab
          PID:6440
        C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4868.27.1223018639\1133571087" -childID 24 -isForBrowser -prefsHandle 4880 -prefMapHandle 4896 -prefsLen 26864 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {001cb870-a272-4155-8a8e-7047f282d4e0} 4868 "\\.\pipe\gecko-crash-server-pipe.4868" 4872 1a2d41e6558 tab
          PID:8132
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  - Modifies registry class
  PID:7716
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  - Modifies registry class
  PID:7968
-
C:\Windows\System32\rundll32.exe
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID:7224
-
C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Themida_x32_x64_v3.0.4.0_Repacked.rar"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:7256
-
C:\Users\Admin\Desktop\Themida_x32_x64_v3.0.4.0_Repacked\Themida64.exe
  "C:\Users\Admin\Desktop\Themida_x32_x64_v3.0.4.0_Repacked\Themida64.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:364
-
C:\Users\Admin\Desktop\Themida_x32_x64_v3.0.4.0_Repacked\xrLClv_protected.exe
  "C:\Users\Admin\Desktop\Themida_x32_x64_v3.0.4.0_Repacked\xrLClv_protected.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:604
    C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      PID:7304
    C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      PID:7464
-
C:\Users\Admin\Desktop\Themida_x32_x64_v3.0.4.0_Repacked\xrLClv.exe
  "C:\Users\Admin\Desktop\Themida_x32_x64_v3.0.4.0_Repacked\xrLClv.exe"
  - Executes dropped EXE
  PID:5084
    C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      PID:3584
    C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      PID:4768
-
C:\Users\Admin\Desktop\Themida_x32_x64_v3.0.4.0_Repacked\xrLClv_protected.exe
  "C:\Users\Admin\Desktop\Themida_x32_x64_v3.0.4.0_Repacked\xrLClv_protected.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:7220 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:6504
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:7428
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:7032 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff9fe139758,0x7ff9fe139768,0x7ff9fe1397782⤵PID:5052
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1612 --field-trial-handle=1784,i,8837714469934870470,12333665424192067068,131072 /prefetch:22⤵PID:4548
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1980 --field-trial-handle=1784,i,8837714469934870470,12333665424192067068,131072 /prefetch:82⤵PID:3296
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2092 --field-trial-handle=1784,i,8837714469934870470,12333665424192067068,131072 /prefetch:82⤵PID:7628
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2860 --field-trial-handle=1784,i,8837714469934870470,12333665424192067068,131072 /prefetch:12⤵PID:7928
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2872 --field-trial-handle=1784,i,8837714469934870470,12333665424192067068,131072 /prefetch:12⤵PID:3752
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4460 --field-trial-handle=1784,i,8837714469934870470,12333665424192067068,131072 /prefetch:12⤵PID:4700
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4624 --field-trial-handle=1784,i,8837714469934870470,12333665424192067068,131072 /prefetch:82⤵PID:1424
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4760 --field-trial-handle=1784,i,8837714469934870470,12333665424192067068,131072 /prefetch:82⤵PID:2172
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4988 --field-trial-handle=1784,i,8837714469934870470,12333665424192067068,131072 /prefetch:82⤵PID:6468
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5056 --field-trial-handle=1784,i,8837714469934870470,12333665424192067068,131072 /prefetch:82⤵PID:2236
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4956 --field-trial-handle=1784,i,8837714469934870470,12333665424192067068,131072 /prefetch:82⤵PID:428
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --reenable-autoupdates --system-level2⤵PID:6560
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x64,0x68,0x6c,0x244,0x70,0x7ff64d2b7688,0x7ff64d2b7698,0x7ff64d2b76a83⤵PID:6580
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3840 --field-trial-handle=1784,i,8837714469934870470,12333665424192067068,131072 /prefetch:12⤵PID:6648
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3032 --field-trial-handle=1784,i,8837714469934870470,12333665424192067068,131072 /prefetch:12⤵PID:504
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2944 --field-trial-handle=1784,i,8837714469934870470,12333665424192067068,131072 /prefetch:82⤵PID:5940
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵PID:2436
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵PID:2832
-
C:\Users\Admin\Desktop\Themida_x32_x64_v3.0.4.0_Repacked\xrLClv_protected.exe"C:\Users\Admin\Desktop\Themida_x32_x64_v3.0.4.0_Repacked\xrLClv_protected.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:7036 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:4904
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:2280
-
C:\Users\Admin\Desktop\Themida_x32_x64_v3.0.4.0_Repacked\xrLClv.exe"C:\Users\Admin\Desktop\Themida_x32_x64_v3.0.4.0_Repacked\xrLClv.exe"1⤵
- Executes dropped EXE
PID:5540 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:4352
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:4080
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\59D76868C250B3240414CE3EFBB12518_FB36B182AA2C738AF31A8226070FD104
Filesize471B
MD5d62e0079963a18ae34636c8f958730b8
SHA12d51a1b09623819a88b53902d1414b7f5df55f78
SHA256de48a8cd20c104fed05cd435c0c4600539c83dd16e63817d9193c079154885b5
SHA5126bdc277d74d3623ccdc1be968c7e99ae72e8c7c12b1532336685f95cb484a8498c81bbba89abdd8d9eac3bc5bc1eac9ed861f52eae4ccc25c6588c6d5b4a534c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419
Filesize471B
MD52ad4008008fb00c77eb3e4e2a308665d
SHA1fa238f6902fb9e2481c08ab664c15b3759475686
SHA2560a6f99da9ae3ac0d2613d9fcf30b416ea7c35c744cfed124dfa803565dcf9ae6
SHA51293d7531dac94bf20d32f2d26850311c255541227fc3720a3fad8ab1a1b4069d6407c78157cd63e6c9d7593018477594c20098ad3eeb5ae61266ccd0538b7323e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\59D76868C250B3240414CE3EFBB12518_FB36B182AA2C738AF31A8226070FD104
Filesize400B
MD5e6e29e36d505ac8461c4efb899d23a61
SHA1e1a3ec6e28cf27b6142dee2fd31fa3e2b69cee76
SHA2563f5ec71824159ec36c17ef57d6ee486bf6e3a720875036b854f824744b4f12bf
SHA5129ae6171efc77e3f08cf39cc750106b3bd456ce4613d711838596a809b156d6f6f588d5894e67cf2fad6ce35a5ee593b3649dbb50f15f46644529071a1dccf7c6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419
Filesize412B
MD55bf7ef4ddcccfadcc7cc9d2f023ce223
SHA1be760f17ecc13626dbdc4b9393c957cf8d07fd7f
SHA25677fb1b6be29640bf9791a8f01b7898e3b1a934249beefafba6e5002daf3d9481
SHA5125129e9c3cb511e51294182f69b14b845627a57e74a8c7997fa9321e35ba3bd3f2a1d05f726e1ff91adb54e67b9bbb882db5bb564c8bea5ae82bf7c3d5c71d74f
-
Filesize
284KB
MD562f1f7d4bbae0bb4aef7733b2e625022
SHA1a13a4956977a1c31ed4788782fd4cb95664202b1
SHA2561b41122d1b82bef3a30463750162d0a216ddaf119a404c830f04adacc7374c55
SHA51273b2d5c19ec0b377cfd7e432abaee54be576c8a8725d9ef301832e63362b7197ec56a0da8bd84ef0b2a4c4ba06bcb0db262c424860e0c99c04a097211feb688d
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\8d760060-4217-4915-ad6e-f772f72e5e98.tmp
Filesize6KB
MD52a43da1e6aeb982e4137a2e43dedd9b4
SHA13b7c183d355b0ff23f23ad300ccef7cbabf241c4
SHA256f6d9f8e618cc8189b6a47ce70f4b3baca3d4453bacef9b9d73be2d6afea19cb2
SHA5128b48ec977f5344bb43f84955e40ab5114234ab6f202940297142a735bc762f9d41d8f2ba244d63c609fce5629b098afd0b340efd33aff43ba558cce97654883e
-
Filesize
40KB
MD56b7a12ca95dcc09deda6531b4d4a9e47
SHA16145c8c14d42b19e8471b9e2fa2ab9a6c36862ef
SHA256c39e57cea5a81f5e34f0222fb6d6d3e55bf788fc6a436483244171737fd98350
SHA5121bdd64d036bfd6875d9bcbf62aa4bcdb39c125831cd96f0da7fa5af9a244e471f79b5647acefa952f43d7add3df77479912c012f32ed7a1a943d5a8bd6ebc22f
-
Filesize
576B
MD5d3d90cb1b9aa2bedbde845cf8164f307
SHA11dfdd499824eed958bafb70e3a98a40b99e47d66
SHA2569d9944998d7459d8abe2671002203fa27135b037218bf55757b82b1fa405983b
SHA512a996be8e1aa348d588d9b126596b396d69bf054e46ceaa57d789ee885d142880d464568254aa50fc885bc46f27085421986881ac762f6f829e909e4783f4bb75
-
Filesize
600B
MD52d65d7492a85ceba6b930a398498eb7e
SHA1bd03b2f39f6e2cc40a1ffabaa5c9a2828156112a
SHA25683f125550a60167ee727f3dcf55adb7cf04133ac72962445d17f063230b75325
SHA512a8ecc7b263a84ee0377faf71c84998a04dbbd637d950e4d2baf682e3bc463cb651023c870076a3a75f1ad05706359e899a49dce76d0b9ad0a5b110295873d837
-
Filesize
264KB
MD5c50465364dffb91528f37a0070427e7e
SHA11def332aa1c09f2e6ba2c472a76cdb4f5b55189a
SHA256a57b21d37c100616b972e4c1fe4db7c5888ea99fd5bbbdeb520b2fb2af1d802f
SHA512c1e10599d9c0a4add8470ba2afaf8680e923a9a2d9e8c50046d7f868e5f642a53e4d23db9e38b1bddda66ed4a656ad9e40db58fa74163e4118ea51d9aadc3ad3
-
Filesize
2KB
MD5d15a7dda195d6e8d04d7550e78064560
SHA1a89b3cd4beb1f3c343238e281ddd45a63de6e2dc
SHA2565bec2c98183257aad0c05b904a77d672c67137a94dbc640dc87b69a89cdaf03d
SHA512c1ee464c35776dee877327e921eac5525f0e79ea9c13c3296dcc00352df217e363aa7fadf61b000205c43104dc89ecec90de213046b5bc17c2df263847f2ffc0
-
Filesize
538B
MD50e9ce36c887ee5df29cabcca206513c7
SHA11b37ebc197ee47f74d890db76b6944676ad21124
SHA25677c8c7f8f83242c9dbe2c10260d60262b57c00037a24fc89be8860ec38cc9d95
SHA512ff55ce87fe0de913304f27ce10b65083fda6f122037546e8c38de3aba963ce83459fa91785f30dbff0160cb5e1d6e1809ba5a68d60203ecd31143df5ef7cfa3b
-
Filesize
538B
MD58ce92495da4c97032be8051383a268e8
SHA1b6d62bc570689d8ac5f98ff3e3608b43c9b85b37
SHA2563e57005d371711de8160bb6a3c1af58afb401181c55ccbe0933eeedecac3033d
SHA512b6bb80046f95e0d4554f6a9afd30895d3515bfbff440af2ee55efaa2b7a1ecdb54ee155d690e99dece4e10dc42689dd36182bd3cb3cdd74cc2dde3610cb477f0
-
Filesize
6KB
MD5c2005b068065ce686f0b556fdb7dbbae
SHA18afeadad1f828f80fa5495b7957746ffb2040b41
SHA25680411e2261c76b3c5bb240d29a7e28fb6e3a3db0b225dbae2ba08997473a1640
SHA5124b39c8d4f2e410ab3579fac636d3de8deb65b694e0961ecdffd685e0eb5b2af8042576054182cf4cf1a41ea2402277ba2fb74ae2cf9c75b058ec40947d5ba101
-
Filesize
7KB
MD5b61e15f8721e6824fd90e04544352200
SHA1190616aec56dce3ba8e6df294003899f10c0015c
SHA256a1e3dd1fc7507b7798a1ba60e58e3105042cd3a447401b4bf28010491915cdbf
SHA512d4a82950dd0498e4fb2589372161406c1d1973f6b0c3ef1f0eef10cd3df8ce1e3cb993e981e8936534238a3df7a45955281f2e0e5e9eacbfcc89f7223fb7d90f
-
Filesize
6KB
MD5b3b5d1bbea1e6b9703fc26142e206225
SHA1d5b61b14bab3b07461c1b4eb28264030bd8a3596
SHA256a9247ec81f257151477f17334c91b0e3ffa06c3e8c35f0723ff5ab7c6b398867
SHA512db2d22cff851eafe9f897e761d46fdd4ccfbb45ca17858b90ea06325a6373fcc6a2322222a83f54c4c97fab7cccb06b43a571f770b33a1987673f73b987509c2
-
Filesize
12KB
MD5633c21611d5a92c8082144e5d6a188f9
SHA13ea0065bd621b53b0c19f36ca91aed9e3a5a35e6
SHA256ffe2028cc1485bfbb0da90c5b5dc4737d8122708d2fa7ee699b69283b7739096
SHA5124172fed9d5e262204648d8a4ccc836cacffd849426ae39103f304b3a80a6318ef8598dec42928dfc55de63aa0f411fc29dabc8124779ac91dc70aeb2f1a80ea9
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\55dd229f45b2580be81f90228cc8cb5a4c3003c3\0a7ade8a-a99d-423c-adfd-1db2e9a5b41d\index-dir\the-real-index
Filesize1KB
MD56bfba9e1dbfd232a2383c32158c91509
SHA102fd1e8449a48c4b6f33af7a811f44b1c328d858
SHA2562dea4ea2fb1ec9c085796834f6c169c2355e9d92c645afcfd5f75d512689720b
SHA512f06418f47cc4b188ae9b7a4c234aebc8d58070b71716b8558961e9e8c3490a7ac92bac1a99e192963ef95813888f0a0db698d3c006e192f6d7cb822749baaea3
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\55dd229f45b2580be81f90228cc8cb5a4c3003c3\0a7ade8a-a99d-423c-adfd-1db2e9a5b41d\index-dir\the-real-index~RFe5ad41a.TMP
Filesize48B
MD5079b9e5484ab747dfb28f29a1f03f207
SHA10a72d7a0d16cdf004ab14ddbc0f28f66e8978825
SHA256179b393c1a224d1d3b64e18b265acd353ea2a156c5e310c5932ddaccfd101469
SHA51261d605742adf30a9d7f7364d71431e3115a4d8ebf235bb2af93551ba61f7603b3b6f37b38caeec079da64a9b6f519a21c96083c8d9c705f1805a5532661425d3
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\55dd229f45b2580be81f90228cc8cb5a4c3003c3\index.txt
Filesize130B
MD562231870f64a006136692d0bb53ae20c
SHA120962e73150ea8948a18865f482d9a900725d447
SHA25627d541cfa18eea26e4d50aee0227c7bc698d647eaf04fb62ee4aafe53d044b88
SHA5125be1453e34ebd85a09b817bb620abf1c595e9a0413a9bd9f7cbc664eb9e33850194e92fce06df1233a137e6fb082f65a864b5016c55f5a36d3fec14301948ea7
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\55dd229f45b2580be81f90228cc8cb5a4c3003c3\index.txt~RFe5ad449.TMP
Filesize134B
MD50c2a03e4e888648a879efa0fba8a94fa
SHA11e3d5e1b36bafc70744813ed6bc13a8f38cdc05d
SHA256d362972f0a9494e9c8b2c10234e75018144e2e8071c6613eae508a3f14a07b85
SHA5125c3468a667bc220f3aa8336acade446920ae6ff48e64118bcc0b5e5c9ad26beb4beb769ed148041f1865533d381db68a86773dd589fd621f618cb352cf3432c7
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize96B
MD544160c7fb66ec16746b3079d2bda1092
SHA12d0fb2fc4787e1b462c06b10bb7869590e3a073a
SHA2561613878e1513fec25d3673643108b62e2c80fd41974592c68e811e9d8c23c79c
SHA512dfcb9e8a23ce99e07caee7adf941b677d39ae83669f0086f47b1507239631605e2e98399b2fefc9078f781325e964251d5d1c9d79d5184b1609a3649f7047a93
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5ac824.TMP
Filesize48B
MD5e8233457342edd09daf3209ba9e8db7b
SHA11c574e2c29d8118c97cb3261e8a6f204afd74b56
SHA256596ae63a48a2f6ad2b530b1e421a2aaad0bc747c7990a05abad14804914f490f
SHA512f87dc89310264b1e33a22b063de3f3a244ee079da4dc36b262b32c62163b291b8029ef8b573baa49c9c3ffcd991ab11da22464fd49ed4bf9fa3a131331664795
-
Filesize
284KB
MD5b790d38d41dab663954d7a5da72bd020
SHA11eeec4ba7fda4e77859a0194aafcc7dbb6976aa7
SHA25682fbf556d50ed5d39c583880e25b2c90b882bc5955f6615592bea174268a8a2c
SHA512931819de2bc93a7ab3459c0c27815185dad69796600c7ca9b302dc50071d02db2dfa7185b257c50234819b86151c39066fbb4fb7825ed68270b0f492943e4dfe
-
Filesize
284KB
MD506afed09f1cdf013a5bd712f288d24fa
SHA1f0bd6d047b8df6574bd5729e7dbbb635468616b0
SHA25654424f9057a40219ff37befcca143d239b7b611b3771c987fcbe8a24b1df1cef
SHA5122f2759091d176ced7337ec0f251732935ec0d0aa2dfc72cad9fdf078ff55bf87fc48db8b3d379619c8df055aa733c5740726c6b8a2c97574c3674f0100ea408e
-
Filesize
94KB
MD54114aef6dcd8831d5fb77ed5e810739f
SHA16cbfb811468bb3b3760ce3e209d2008b45a2c857
SHA25699b2bebcc6d7eaca2d53dcc0ae16d770ed406bf677ec340845a303cc4c13b9f5
SHA51249c182ff8be20033902bdf72059f1d0f1824720a996c4cf57fc84732f2557b0024d9da98a2a2af63ea75ebdeddc892c079dba64b195de804c81c8455b86b5f11
-
Filesize
93KB
MD5cce1df28a2104de2f24ab3d3d7378f20
SHA188a25a9868098aa127496e90e25a7650af77495d
SHA256528ea5d85614c4413a234fbdbb4cef47b344da8c9d65f7d5cb0bbb72f3fbe7a2
SHA5122e1cc0505564d190bff45bff81795b5fb8cd73e06461b11c365a42aa52d57d41c8b0831f99530b543de29d6e31ede5638fcf721a8aba09ae0396af390c3002ac
-
Filesize
2B
MD599914b932bd37a50b983c5e7c90ae93b
SHA1bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA25644136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA51227c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
-
Filesize
3B
MD50b0ec9f1cc28b3c19dc6c36dcd5af7cc
SHA12afe7d50c10921ac0f9f899939231a737e7dc2b2
SHA2569c193c604ad7de942961af97b39ff541f2e611fdf0b93a3044e16dfbd808f41b
SHA5122540f7fbc4d88c94deb5e0b92813bc9a1a637096dfc36b617f5e3cce355d7af7e4ce0469bc5be63483ef99b0ac9484258fa2bc798afa11fd313dd33aea566677
-
Filesize
64B
MD5ee8fa4e6025fbdbfb2af2ddafe5388b8
SHA1eebbbbf604b7a29a53ac6b084d255c4003c5e59b
SHA256065f0552d062d2238645858e4065523abfcbb1f89d247937869a2993c5c2bd09
SHA5126c597bc6133d3be5be44190ac86ae1725c28183a28d444c37cc57dfa070e33768197bce17a16433633bdab36f611ae9f86e2ba4acce79bbdd5e5458bbd2383d5
-
Filesize
74KB
MD5d4fc49dc14f63895d997fa4940f24378
SHA13efb1437a7c5e46034147cbbc8db017c69d02c31
SHA256853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1
SHA512cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a
-
Filesize
8KB
MD5214ddd9f51cffc35919d7a96f15576b1
SHA1e31ae119f327c8f55d963ff3dfa03a5e8394987c
SHA256de583f99f73df2a4909d49aefaf93f59a23f4043593c85c4a0403517ebec57cc
SHA512c919064206f8b36cc2a692e757177d36d601e212be0072aab66659137057e9e22853440dc5e8a48413870c957aa528e0638aeed2ec1ff828a73d02f70fbda454
-
Filesize
8KB
MD5225acfc8b708b2138c43bf010e82869f
SHA1d75b392e6b54d9b958d5415c8a9da55118b402ec
SHA256b171831d3ea70b3498d16a7ab018ecbb8b6d3f18f3a8d0482138c9749f542a9e
SHA5126107f4242c40d12973922fcd6015545ade7407b4fcfbcf06026abe444d33e61a188fceb46097c19892d024100e207a4cf739dedba87f8daf78f6927e94352d91
-
Filesize
8KB
MD5812066c7338373ead7eb8ee0e136c087
SHA19456a403dfb90c12549ae6a11f13dd7b7858730b
SHA256317a2505531d6a063b302a5dafb044e8d94d7c9c2c4c9b5b0227238be5bcaf5e
SHA512b36665b4f113b6df4bfb1ec122b93ccb0cb7a98d764a1ef4d77d3e3d395ccde81c7b99562e2b41d225d3c201ebcb52863eee9bccdc732b74ba58daab6837ffac
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\entries\7C3011E186E64FFFA59029CF876BCC19626D5F8B
Filesize212KB
MD55291055b0a39af5c3cccb8f61bc4b6bc
SHA1c21c365674d485e178cd823ca658c8b7a0c10940
SHA256456aca56385312abd80422536751d6c7962c0abf95c52d8f89137c02013216aa
SHA512765b947b5dafe27d2fa6f1aa475b51f78fd4ca3bddcda67718f39ecf111f62ca6803718fd32a0d2379f3531a894784c7a4f982f5cfc11760f1ff758e968beb45
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\entries\9B24426B14255724BB970821B06831453F3F2074
Filesize57KB
MD56934248104ee9bda5145f2e33688245d
SHA18f0803d50bc29b35b9225d92b18f2a5eb378eca3
SHA256a793adb1816cd9178d7796cc1d2948c1db8dec2f500d8ce482a9d49ee7f80245
SHA512d33c3f6e46e4c0027f2b3693a329ec529fc488444245fcf99b5abac49c12543f8c4c65be8867a55cc143fd8d4cb6257515e62a0535788b2bed8f923d1959b092
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\entries\C4B4B42BCB4DA663C4602824D78C87C313F5FD6E
Filesize260KB
MD5e87e91e7d89ececfa2872cc659dec2e9
SHA164386ce0b39ec853553266ad1ebfb4c58f5ed023
SHA256d7f9c81e2b1d3bfc29fecfe5a781dd283aa03878c692106054ae38b2fdf24d6e
SHA512ff989b57c3edaf419bb3a2e048fecc6befeed05196a0bc100eac2ed476d45f8e3d851172bb5d464fc3c5e8b93bfe45eac5033d9fde81a60785737476d5cd889a
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\entries\FA2083489969D30038DCF1A73D2A1DE76CE5D9FC
Filesize192KB
MD52b97054b2c04d4eae6e833a491f3ec76
SHA1e23b81f805ab0d8fa5e784532218b23fbedef7ea
SHA256da986ae6981818e5c54c81b98ce79618866641cce234e3a2f5188a84866e3426
SHA5123366f394c2f4b47c9c1f1e6d1401eafeb1fc90cb0a15f02fd33c0865734b6dc11da0cf9e34b566e83afd68725efe300619404a5c7754db6ce13343105b4cb1c7
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\SJQZ8MQQ\warmup[1].gif
Filesize43B
MD5325472601571f31e1bf00674c368d335
SHA12daeaa8b5f19f0bc209d976c02bd6acb51b00b0a
SHA256b1442e85b03bdcaf66dc58c7abb98745dd2687d86350be9a298a1d9382ac849b
SHA512717ea0ff7f3f624c268eccb244e24ec1305ab21557abb3d6f1a7e183ff68a2d28f13d1d2af926c9ef6d1fb16dd8cbe34cd98cacf79091dddc7874dcee21ecfdc
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\G6E0IZ4E\favicon[1].ico
Filesize1KB
MD5ed885416386e5d652b8a740a39d83190
SHA121566c30c29f5bb3f3c837ff85220fd0cc90952e
SHA2563f536bef77664cfc9422814bc241691947ea3a91fac3d62b0ccdaa086a8a5d6d
SHA5127eb82e6a0d72afadb92148d0747c590b0cc3d959bba326ebc686f4652d4dd7e4699ec8e8a4152dc763a9d3a1efe933fb461ea3637058ec03e073f6caf5ea5d97
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\TAJNILJV\favicon[1].ico
Filesize758B
MD584cc977d0eb148166481b01d8418e375
SHA100e2461bcd67d7ba511db230415000aefbd30d2d
SHA256bbf8da37d92138cc08ffeec8e3379c334988d5ae99f4415579999bfbbb57a66c
SHA512f47a507077f9173fb07ec200c2677ba5f783d645be100f12efe71f701a74272a98e853c4fab63740d685853935d545730992d0004c9d2fe8e1965445cab509c3
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\Temp\~DF776C5588C253F3EB.TMP
Filesize16KB
MD5aa9a01705530f3df98cf1f8568b60463
SHA137af8ae138489fa92489ba6ae8657a06fb24b170
SHA25682ada93f53daf610ac892b786f6eac5f3e6ff592e013075a74cc65d432de86e0
SHA512704cbddb7b0d4133fc47b56a474ee05e6983f9bed9c2d5eb21adeb41269cafa511bf2f5a057ed11b63fe265f67b15a5db82f0a81c878df7296103bac2685e791
-
C:\Users\Admin\AppData\Local\Temp\7zE85C7EFF8\Themida_x32_x64_v3.0.4.0_Repacked\ThemidaSDK\ExamplesSDK\Protection Macros\C\CBuilder\Unit1.ddp
Filesize51B
MD557f2b3b109407d3960a67d63f233edca
SHA1a8d2eb898525df24c20faad482700e787252f2cf
SHA2568b69bbbd2d66c190368104ae96efce2329d3543372dbd7b89ec393068519526c
SHA51268ce597ae8288e45e0d1b4aab2a0897a1cf20dbe74f0525b2bdf42f5aff3741ffa3b95f91c6b47f5d75c638e6f3c259a8d6d7d98327fa8ca18fd9bfcbd42ec65
-
C:\Users\Admin\AppData\Local\Temp\7zE85C7EFF8\Themida_x32_x64_v3.0.4.0_Repacked\ThemidaSDK\ExamplesSDK\Protection Macros\C\Visual C++(via ASM module)\StdAfx.cpp
Filesize297B
MD5655e31044e0445feffe7a5431654759d
SHA1d010fcc7e53f1bb161cd8a8860a6ee11fbc6d2fe
SHA256e3ba7a5bb80289f2df81dd97ec6deefe6ea7f4deaaeac4f6fa74d9227877b336
SHA5124ec69dfcdb050a706c2ed964a8067c7ef8e676f5fc1d5b8ba37fb6d9e63661ae4b7e1c29407df39d78094dbf3c3716641a290b29f5a0041379a50fcaef7d3d4d
-
C:\Users\Admin\AppData\Local\Temp\7zE85C7EFF8\Themida_x32_x64_v3.0.4.0_Repacked\ThemidaSDK\ExamplesSDK\Protection Macros\C\Visual C++(via ASM module)\StdAfx.h
Filesize936B
MD5d8f70756fa63b48d342c78b5696637c6
SHA1e9184c387407eed091a3d69b0cf390e30a88e824
SHA2566d05d8fd8c979597d06351a0757d3e9feb68b746f81cc9237235df68555e0c0b
SHA512162a54b745ae13d3c58622e2503d7f331e373db4b805dae5898023df5efb94cc130c2ea05fc1f8c71db9847fcbcd0ef2fee8c0cd7e478a55c56ee030207e2f86
-
C:\Users\Admin\AppData\Local\Temp\7zE85C7EFF8\Themida_x32_x64_v3.0.4.0_Repacked\ThemidaSDK\ExamplesSDK\Protection Macros\C\Visual C++(via ASM module)\small.ico
Filesize318B
MD5400a96dc12b5c76c8aa7d5f214333b07
SHA17ed821ed1f16b673e1374ca922fd4dd1311208c4
SHA25639b71ad96ff7062d1f97c48475b1933b83b3e2e43a0f2e9d46e007238f8c9a26
SHA5129136cbcb0f6a907aaf4795c3dbf1ea8d450111c2bc23e39d6acd4f50e55030e730222db2a0825ae46aad1f1fbe22cdf8e72d9d9e2cb7983ffb131124b3b6ed0e
-
C:\Users\Admin\AppData\Local\Temp\7zE85C7EFF8\Themida_x32_x64_v3.0.4.0_Repacked\ThemidaSDK\ExamplesSDK\Protection Macros\C\Visual C++(via ASM module)\vc_example.dsp
Filesize4KB
MD5743840db22036c0e8ba7715d00435daf
SHA1fa279c02b7650ec3954061cc5b2672aaaa3f90c2
SHA256567fdc866f0f5f6933933945a827094bea6aa2cdc3b1d1b0635b093b9d237e3e
SHA512c13d06eee652f47c953fa76d13662fec3c1ce0413bdf9d5760f1d2eda2f4c9a3314ceb98c63774bbd5f897687b048c94971fb09b2e4ffbf601c5e20bc3454cc3
-
C:\Users\Admin\AppData\Local\Temp\7zE85C7EFF8\Themida_x32_x64_v3.0.4.0_Repacked\ThemidaSDK\ExamplesSDK\Protection Macros\C\Visual C++(via ASM module)\vc_example.dsw
Filesize545B
MD5a675bc6625359e27740535f335484f96
SHA11cd7e7b530f52dc5415e7a79bda580ca97966da8
SHA25675e13695fbcc5c68c9ddc3cec62bb503c57379be5bf4688aba16d8c13ce948a5
SHA51292a76aac68df7c9b29943a33d1eeffa4b3b70fe739c2dd7d8d896a9356f16619aa2416a2acd200c961f9915afa4e67952ddce8e74dfaa303c5b776b20629d947
-
C:\Users\Admin\AppData\Local\Temp\7zE85C7EFF8\Themida_x32_x64_v3.0.4.0_Repacked\ThemidaSDK\ExamplesSDK\Protection Macros\C\Visual C++(via ASM module)\vc_example.h
Filesize338B
MD5059fd006cd016709382a8fd21a2067f1
SHA1f2b7f4f4240f4949af8fcf6fa8ed2af101649fb3
SHA256d1ca36fccfbc2850c88ea73ddcc3b1b55ce52ba54fa01658bea0fd8ca2a15df0
SHA51243a1410d24d65659e02a5fb3b9468aad9e339dfa6b1ba7f295a6dcb9f20454252e3350b025840461511e0bfcd0fe8e32550fad8505731d490cd68bfd4354053f
-
C:\Users\Admin\AppData\Local\Temp\7zE85C7EFF8\Themida_x32_x64_v3.0.4.0_Repacked\ThemidaSDK\ExamplesSDK\Protection Macros\C\Visual C++(via ASM module)\vc_example.ico
Filesize1KB
MD5ce88316e8b1c5dc5991d1b2682b4af93
SHA1756a3c177a7c9ebabe00d76208824dd139707435
SHA256f4036cf01997162ee1728dd141957b37b1ba7d1f7c786a9764429803d96c459b
SHA5120d425cff8265ed0fb4807872558c0d49a0e704a08b91c5e95e4caec323e0837b29ceb51ba238be789e7401192cee86c588062f0a6dc5d1565d331652248f713b
-
C:\Users\Admin\AppData\Local\Temp\7zE85C7EFF8\Themida_x32_x64_v3.0.4.0_Repacked\ThemidaSDK\ExamplesSDK\Protection Macros\C\Visual C++(via ASM module)\vc_example.res
Filesize1KB
MD519922f225c3014ca446e0325326c0068
SHA1025feba245179f2c147c097f02934cabc2cb4531
SHA25671a2e62811dbe3f22e5ada74408c0dc169a99e0da337d6e5bec510c94afcec88
SHA5121598e250522283ac11014107ca39cda835c84a104ede82f499b7f25114d433d74f679498d6e9ed30b51d643281940f386d9a9b48de2ca872b34efff8bd83f358
-
C:\Users\Admin\AppData\Local\Temp\7zE85C7EFF8\Themida_x32_x64_v3.0.4.0_Repacked\ThemidaSDK\ExamplesSDK\Protection Macros\C\Visual C++(via ASM module)\vc_example.sln
Filesize1KB
MD5c4bbcfe5b406731ab962766cce03047a
SHA1eed97d3b25f17c017c40f45b532ac8acf34cd6d2
SHA256126cfbe2503ebcc23b875b627d38f25f5ff65647bf0ea978c6dab52c5e2a2de0
SHA5125554729a57f8b1a3de5e9a2a3f1b4eb53bff5d8ea18537f04078367283396b7d39fe15e3f15126d34541c4064595d9e2b6f9a7c3cd297dfae1cbd22c0dacc92c
-
C:\Users\Admin\AppData\Local\Temp\7zE85C7EFF8\Themida_x32_x64_v3.0.4.0_Repacked\ThemidaSDK\ExamplesSDK\Protection Macros\Delphi\Via Functions\Project1_Icon.ico
Filesize766B
MD5b2bead7a8f94a1f60602c24134eb0918
SHA11ce25697fa205e4cdb5f8ac5d64ee23a9bb6e183
SHA256825a023b7c300661918e9ea03cf5d508f27a6a9eb6e3770e9845cc17304c5bae
SHA512aab4227012349a4ee09b111f1f0fae2cfc5af41b6208d3697b006195ae0a4669f5772f3269ffab2a756798002b66175f39dd532e5faa9599f9fcfdd3443e8e07
-
C:\Users\Admin\AppData\Local\Temp\7zE85C7EFF8\Themida_x32_x64_v3.0.4.0_Repacked\ThemidaSDK\Include\Delphi\CheckVirtualPC_Epilog.inc
Filesize84B
MD51b6927de492d864c686ee9339a07dc02
SHA18ad9f7b6423cdc5af012ccd6dedcd5d660a3b80a
SHA2563ab3b6919efe515076288307d0f0061e5d6d391bb9749d6427c97c49b728a919
SHA512336a600aa19e84cbc9d600b8e08a41f930bf571f8e5da4550e59212381001fc2bb0925107d34226eeffd557ab15b5b5aeb3b075b037b53b24ad3d362053b00d1
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\db\data.safe.bin
Filesize 2KB
MD5 ee60230362948a26d78145046a41ad8e
SHA1 0cc76f235b4d927517618d008432aed883d024ff
SHA256 2c37a816ea8145d0c08a2d1f409deec8f0b3e4f722a1d9b990640b0b4a718b59
SHA512 3fb56a2e6e13c7d094f58cba2bcdaa241883de92cd931ce5e78e7f808b098fb15ad809e6ca4b61a9c3d9d7ae3a360f68b2278fae3b8780333e705cc863eb9a43
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\83fd3adb-ab12-4ae8-9e95-d154971886e4
Filesize 746B
MD5 5aa3600b1c759ae9bacfe1bb5f163dab
SHA1 cceaf780318132a75d953d561dac281d3e5dce61
SHA256 28442b74451f7889f0d2b8e264a8d8ce2b59a16f1bcd7e32b83f81a3ec21eabc
SHA512 39f70ed4cc8fb6dd1f3519dd712adf7dd0d57f32e0e23a9d3bfd72cf977defa97f72b52c24db9bb84b131fcaa6feb15445e7258875b175bbbacae56f9fc90797
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\dbb71c8f-fa47-4e08-b4fb-771a32aa119f
Filesize 10KB
MD5 15c2f6a6d5beea5e8af1eb9e577fe0d9
SHA1 09056e5adecf2c99335b7a1e4760c909174126ff
SHA256 afabec44002cdf5d2ef7aaf012abe5f383c183ad9d0ad78d92cf6b3c0323448a
SHA512 178d8f6eca4a0a72d182e2d90090c5e3bb847ea4c3f6e68c267946fa79cca1f0eaebdb6fc3806d4de89cdcff294632cd0ea8d04ab68ff82a77001a57954ee084
-
Filesize 6KB
MD5 efd5f8a46ca5b689dda44838c2eb005e
SHA1 063bfc7357bd8aead4a053282a2caf883857fff7
SHA256 4c6d9cb6224ec89facf3c912e2297c0a322a069384454bee484b807fa270b9d8
SHA512 b3677b923a84d25a3db34cd199fd5b9c73fcfc506a03fd8dc5151b6d61ef794fbeaa7929a1fa337d6397e4464c65179d6599f9c266d935172a4bc2be37bfc3e3
-
Filesize 6KB
MD5 5958e213d4dcb5531c5bca3b9c6dea2d
SHA1 e21bbba2d941185a17d4108a6d86a7b6524154e6
SHA256 140a1fb67ba93ae7201e9cfa3bcc001214395ca547080c4a24fac681db6bd1cc
SHA512 90293643a37e573fbefac514296a12188bbe205508c88831c84d68a12dbd8f67da9d779f2b643984ce37a76407871252f2ca1ffc3355c4453f84dd30dd7c3905
-
Filesize 6KB
MD5 e7720ca1c5ba2e9c5f554c54e5554819
SHA1 db6f84747c7c938c919d75c8eda3d556216e61e8
SHA256 059ba88541207e63bb22a0b7d8a4b006c8ebb6712cabd234eabe1c9a3f8e9337
SHA512 6281c6888235a8fb3e9fe42cadb5d73c7538f15ffb7d4a74eb6c77dcaf2ff9c31677836e98362a620359aeb0e4ecc8840fe407c1136bca29c573fe4dfe012cb9
-
Filesize 6KB
MD5 32113d2c8f96bae02902b508d91380a9
SHA1 b9f2a4b5f3a18c315d0f33cf78f04f4fecba310f
SHA256 08924efd38a97718c6a4313a19909545b72248a03a89931ecc3f50ea781e6334
SHA512 f043fde8e82461a336130c7df25d67717286e464965d07b6b692a48e734d2e5bebea227d42674257c7d709b14eece462d964b484d8fb0d6e8af2843f99ea2af6
-
Filesize 6KB
MD5 b1edfa44cb033336e325004791b64645
SHA1 96956dea04368881ed40ba199277b214a36a000a
SHA256 c03e4ab028daec79b1debc593e14a55c25e506abd9161e4d801b6f6fe54f26a8
SHA512 e5ba60b1a899c5fe78fd4c28b1428c3361b3ae30a31674e5655f95ab1f95dd6494c14d6ae30df4f9daa24a645829987f944d4971a42e5264062c491360c47fc0
-
Filesize 6KB
MD5 d545f1d2dd9a76f5320d45e15ee5a29b
SHA1 f4c91cb999d64fb0a48a2d2c1c95250293227d26
SHA256 7e6324cfd3b5dae0f1d1f0bfc4a6729d2608f6bcee6de55959e679b90094a683
SHA512 9312211df126ff28f89606c5abeb97776d936ac98625e133897740227a4fefe86b97ec879ce7b1afa0249233fc3b3c3bce1d0b53d16d3d1b3ea5493e6d4a61eb
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
Filesize 3KB
MD5 e3d900dfc2b243756cd860fe701cc7ec
SHA1 a912c33ce59783b99121e92def02e9143767cdb9
SHA256 abfbc40024ce1872cccd45458e18f90fa0aa89cc88bf6790fe4c02864cbbc7aa
SHA512 d1a8c0ced3571ed103aa33c81db48a9add172872979ae3e86224a5768b73c8ceb4597a1a656693f123e2b38d8ee9db389c6a91b4e658a48c0aeecbddf0e0fb61
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
Filesize 3KB
MD5 883549e3e7f03029de63f9cbd7ec5e89
SHA1 d9f83f2cced6627172e056606af25f62940636ee
SHA256 f2e2c194c0ea8fdfad87c6f1aa6ae6da85891b1b4c1a982606ed30051ea627f9
SHA512 506786b196ef8c6dbc0bb7e2790d2885db5f6fb38bbe07edbb36e4ae690f1adf577c4e52a2db86e40c04ad8fdc7ef079af68968a4480414cf80baf4ccb3e8328
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
Filesize 2KB
MD5 abe25e948cb85b8206a1d45925c6212e
SHA1 98dd50956a9bcfea05b981cf324e094f080abd53
SHA256 75bdebec8b37134abe50c3ef6e0e58c9e57ee49467d633b48e997ac2661c1821
SHA512 6b7366b8c7fad5412fbeddaaed2976ce22734d3d8901149915e9eb37e785a0ab501f37ef0b391970c66f8a85b2e9ae68805442d5c93e9c32b05cc5901acff473
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
Filesize 6KB
MD5 d1fcd94928e6879211b76d1186fcd610
SHA1 9cd63a509a25f2fd394fec52723dac3298cdc9aa
SHA256 0b8f1f20bf30246da46fea0d5e307b2b8c7b833ea44f28e63a9a94e47d66889e
SHA512 49f2e8bca0f845b9af5062411b7fba84b25c2bba257164f1cb27d87b9a4b5480082c491147bfeddb8b882566e0035050250d67ee0fd3a1ee27811a76c6973b80
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
Filesize 3KB
MD5 a78b329ce66430424361eb8c6439031f
SHA1 ad7548e2d21b4b0cd9436624fb5b5f1bf1cc5914
SHA256 00afd32b502f13a53530397e7085e72cbba6e66dfe717339bfbe236add642de4
SHA512 3f9e751d0d0f59022c687099d36cf4afd0288e7849edb986f65951ecc4725291a1f3220dbf412ec4762eff44f551a3b8c4096bb35c0b32d4214c5f3278b3a0cf
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
Filesize 3KB
MD5 06661def7a639e3225abdd9921238733
SHA1 02073404c055cb5470a329590bd7c5efa357f868
SHA256 54b9a88b923c243bc703919330f0bad3fe798010dfc159d4d319c5730d08a5c8
SHA512 18180732017d25c1fa0fc2d8a32d01a676b8d73bff8138e7fdfc5134528133d274ae99aa06a77b32766fb4334c1c235d6e82b5709113c3ed4b38a27d02d0e33a
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
Filesize 3KB
MD5 9ed5b23790e067d727b32b3811035963
SHA1 9615867426afd41cbf3355f2fbce742d354b0b85
SHA256 0f9407e8dccecaa42c31f1cb5cb4ee6848dc434a045bffb101ab1f7287f04731
SHA512 ae7c9a1667acbc3d0db2e316352acf5ee95b07ae6aa5fc135ac0215b1f614daa4b70fd8c4b40eaade0ce9aba423405d6e61ba5a4584c40a062eb3c40ba62652e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
Filesize 4KB
MD5 3ffb3a231626727ea4a4507263abc86a
SHA1 491d00635c2cb7b43c51990655b5cb6197f865da
SHA256 37b0f76588460c31eae462db1fb7b9e40bc669368dc8f961ca32a81bda61a370
SHA512 ee44d129de47792997f984dba098448340156e6a4b475c84fbfcf9298db675f0221dd49281a98d3283a4652795da6f90d884ffd3502e4c3048771290d7885e51
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore.jsonlz4
Filesize 5KB
MD5 2276c207285f9165e74d277e0ef9dfd7
SHA1 0485dbbd2327ac8bb72681b83c11ed4d8db8bb9b
SHA256 68cdf18563afc6d5f1a7a25549901cd5184ab13fc256cab5dd6759c236931678
SHA512 dd2aeedfed9d08dbcbc81139d8deab68fa5ded05968b3a61b031450cc16453bc04027b2c9fd162614e22f7f8973d26d3dbb784285de86aa92a1c038353dacbfd
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\storage\default\https+++www.file.io\ls\usage
Filesize 12B
MD5 1da1106e19dd7fef59c779150c43841b
SHA1 20aab1b1cbcd8ca1171960c8e459c90e2fc0a004
SHA256 258ebcbb0b42c4514e30a41a3e9b6ea54b7cc53459f4c916f6cb15da65d48117
SHA512 bf7c064c8c4b15f5593e8c752760fb0d46e18517b0cb8cae8f08af77f136e295928b2efc1057cd80af50713473b1da6b7a738eb523c9d1620846d0b45a3d6f4b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\storage\default\https+++www.file.io\ls\usage
Filesize 12B
MD5 47003ba29b649e2f619b409192a0db1f
SHA1 325bde1ad1f82fff476e87041531be1a4b5d8dd9
SHA256 789d13342cdaa8775df1ba3c40b9f7c83a03159b9d68817b9c518d30381259b0
SHA512 f5f6ca4c4de69c0820845318b98dff26fc5f6f6738443ab836548acbea114a30531dfe4e1f05129409a93ba534e212c7768d38ce85e427236e5b493d6fae74da
-
Filesize 5KB
MD5 625a216bd1102dd18e348e94dbc5109f
SHA1 e8980a71bbd533ec6670237874267bbe036b9224
SHA256 2c85d7b888eae3d36a51ec96e3c0e44702b1e93334af23f371d4bb8b26023e1f
SHA512 582dea1c1105730985a85ec3ee9352c620e894f1980fc5e8cb21b86ce4d41da924caf605486eeaddb60da5c5018a11314118c9c386b2fd1fa66ab132eb16958f
-
Filesize 79B
MD5 47148e380097ea4bc6d310af5ae1ba15
SHA1 90f3c653885aa78998579f5029e3e93a585726e2
SHA256 baff9f7e11f9f28c5ef1d484fe4576f186c1560adb089ef8639c396b8a0bf42e
SHA512 5c762269d89abbddcc5e04818b32f8af82604c8bc373ba0e2eb92a8a5d846a05e32c723221c1911af5535dff3ae0aac9281196e530867bc603b78e400f568de2
-
Filesize 223B
MD5 10db5602e7038abfaeb0296061ae759f
SHA1 3cb95a54a5bc49f68c197c541a032cf6285b37c7
SHA256 3c72e303337890296046bdca62224644046d6e8a19becfaa783121ef9f2e5ea8
SHA512 9a57f8d01bd8c77adf39ea16ba16ca51481629a179028a9526b91d5617de44489860267a2e033746adeb65ec2660dcb3da7ccb13438ee27b2155e998de765e95
-
Filesize 26.5MB
MD5 1a82ca1cefa8f8149e4863d12bffc208
SHA1 0f3afb7c7a2a43a7d491d8470f93387f28726c57
SHA256 6241962efc369ae229a335c6a9780c649d9fa9cb822f86cea04cd9ac0f9a6ae8
SHA512 185a0e528fbe688c37f1e40e5491e8e1231179c8fc4c24ea443c7d77a90ce0956da7d4cf0104daa352ac2ffb871b0e37a9711492e6565f2b322b2389bf4f5748
-
Filesize 5KB
MD5 50a6388346da3ceac39bfa55e4c81b03
SHA1 fb7626e17a4a3433a5d9933d0683d4fc87f3a1fa
SHA256 3aba5c503b7bbc42fc8710bc889bb59d30c31f02327db44e1f48c09d985e2808
SHA512 e2c875fdef9b7395b9bfa8ca9c21ca39d40f5538889028181e09937c976ad1b48629ccc604544499de793b397298840a82d2c31ebc029c5099f1c548af2f072b
-
Filesize 5KB
MD5 7c48ecd56634cebc6d9d9647aad1f0ed
SHA1 7937d106aba23d694bd9142cd796412fc43cbd35
SHA256 ae1686f16c4e9f90e195056c3f2d8078189180399b445a70a657b2abed493a04
SHA512 4567df86e8eede7aeb7a46133b5a2035b35ca2a85b9696ef82389b14e97d6d580b8562d24cdc238e858f0103dea57a04b7ebbf995663e780c40a1f5260fe60be
-
Filesize 214KB
MD5 89cf33cbe62f8b7c15d0cb47d3ae4ffd
SHA1 81ca15044476606cf5ef13a1372c6f5e06ba2eb2
SHA256 9063dc5b7a3e57fc94b8b753e4aa869efcab683637776335f5723c4140a751e3
SHA512 b8e39e3d55482c707f54f491a11e7f9fbd9f5aca4439b9cdce164b595f0cccb176134d716bbc3f9e29acc856cf6351319769cf3dcc159eb0947912ddd451b8ce
-
Filesize 2KB
MD5 a6e5aab0dcdfea5f936403b3324789ba
SHA1 29a03a6c3975d5a41b08c0875be7c8773f0624a4
SHA256 6a50fea38830733aa18b284ec00a1d4a87ac8c185baa4ee39745190e8c40e149
SHA512 5cf15f4a03b13fe66071238669eb9b05d7f5a41d2e0307553d0e2bc4a05df4c62369f84db288065774b43e9895477c59310a32a6917e174fb5ca0bd58f5a98bb
-
Filesize 2KB
MD5 5fb70e4f810d72d77071819b61db071d
SHA1 a3791a36274e18608da1b6e27c07e5d80b6768b4
SHA256 f0191d6e1cacd7ba63d0af17de2da992f343ce6b54b1072f33218f5050010ccb
SHA512 c8217829adcea509a445f85c3e34d699a57ef222ec46f092b1dad8ca65b133d504865e65dafaac973c1c44aaf2114d0a67056fd9c940ca15910dac4ae6d3175f
-
Filesize 2KB
MD5 bb174884720a42883533fc12bb78c58f
SHA1 c3f05c1f8175fe7ab45f21d057578e9eb9546e86
SHA256 7ca0d9a1e4a971d8da434de12f4429ed404b432c57ce1afacaee5accb4353990
SHA512 4cf05892c1463fec4733959898111c646077e1be5e14255cda98e3bea590a21f432e19186d745f0c74daf760b4ccadab33166882501e5a3bb3d11c309e01428f
-
Filesize 2KB
MD5 4072229bd12668777ce76c2d2b582ba2
SHA1 1369687dff9bd7976c20a639a8031cfe510354c5
SHA256 4c5c3e67741b651ee7625768b0c4e8d9b35fc66a738f1db558be07fc48bdd06b
SHA512 dabee5f0f9f5ca70d51a3785a2207d5b0452ce46d33f05ee4b736ee4ec6892ea2bec28ebbe25e2626211325ffbe2a2cde0d6bdfe83d6c32be9af4cb0f9c5de53
-
Filesize 2KB
MD5 b629a5d05108c097038352ce45b4934d
SHA1 6efd78ba31f285632d43c5ab6b599b8724a58e7f
SHA256 cfe9977238ac61286bb959e58fd77382b01964d4bb28499626028d02f41ef59a
SHA512 789937b67c98bdbf8244813b9927eafd914a768419b141625e3555e4130d6d55babb2fd61512298bbe1db4b92353106f0f9b10a4647f5278c64b9587fcb214ed
-
Filesize 2KB
MD5 e4bae5af38063a3526759ba68498c18e
SHA1 932b96b2b7007e8d38416df69fbc7142ae796eda
SHA256 58b08a225b420776420de6df1b3a1ec671133f67d10a81bbdf4e3c4cfacc45b1
SHA512 35b6f40dcff7fbfe4c155fc450d19d895d0b82a4a3c85fae1c79a691b2fb98b7d768e51f3f743faae2c5ded4d5211dc91bd39166f460a6b00ce6305025e9f128
-
Filesize 3KB
MD5 cbeb2e84dfb1d2359365c43e673db1fb
SHA1 0ea5a4fcfcca112c2edced26c148dbd6bd7ea7f7
SHA256 5d09dc7512372117292822e841f3c5226d9fe20db014281e0abaac8a9072358f
SHA512 f69cf26211bf02da3ec42454bd48500c03c2064e8d22cf73b41617c573354fb1b92ac46b068aecda2657e6a1100b81460ce4e9c3786f1a10aa12748a90ede610
-
Filesize 3KB
MD5 0c8954a48d9b7b3e73f67f736f712b9c
SHA1 f3ec98e344a583d6f412a80cfea5ce8ad1a73877
SHA256 44824486e1819ff1e96f78a07b692ac14915b821acfeb2f41daad728e4f23593
SHA512 8c23cca14671cd325b240378edb772bf605d27316545245ec49a386432782f809e87a8a18db5faaa7dc496f03b9e49862db270e94e42c6c1dece7fcbd809d0d6
-
Filesize 3KB
MD5 22dcd5403760b82c318afd76ed7e9a97
SHA1 2d88f5da25deddfc20c907f4316e9e15c84dde3e
SHA256 84a89664e6a9751f4d811592df10b9097846df4c54c786c94dfcb8d73800b9cc
SHA512 7360e769e334a3480347458b5178c449147cbc4b06381bbc07ad85dfc37ece4836f929e912cfddb24f40de35a4f982966d8bd4362c037e3726679c93c545c523
-
Filesize 3KB
MD5 a3441b9017686b32e3be22e1c189ebaa
SHA1 ba29ccdfe3860e6f11bc53c2346008e570162b34
SHA256 81636409b1759ea512a397a7c393d0976e1dfd2b6dd6dc3f769342777252a973
SHA512 d426570470dbc8049ade16ee3ba77e3e4fd0a0abb5e4822a59a365196c5451cf1a4425f60deb7f2b4a74785c38c7cc4d55bb421ca92a63910cc6220095ce2951
-
Filesize 3KB
MD5 63d99cf4adac70db2ad866aa261caf9b
SHA1 a20bc75b310b3e04ca66a539fa4f2c2162c0f8a7
SHA256 b8e4e9b6bbd3bcebdb460d4e250fe4525d8d723c9e9c0de937b9cba58e55d0fc
SHA512 668fe064de94d77ce9afad583f2853ab6b2f532a007a8fa254ef1e6eb52c6638c34675a18d5a0c77e65a0f961ce8d3131b4f6975a5090f8327bcee3654b319e1
-
Filesize 3KB
MD5 6b129631ab40630fdeccb08ed01fe7d3
SHA1 0959c12085398697f341a4214a55f1f5d6c2b397
SHA256 fb9e0c18d7bddb6fc29045f5d3f34d24dd8e70fddfae7bd6d3037444ce5ae700
SHA512 05f730968a9289f8480eb31c9ab71211c23b259f19232de24eb5a7e229b7a887e602fb43c59e2bac24409bcdcb7fac71886f735c57b4e453e56d91d8e35c2110
-
Filesize 2KB
MD5 11327658b4bdc55181f668c1714297bf
SHA1 8f4c904b66ce3431071b18457253b6a9cb8854c1
SHA256 dee4ec599fd974992d13a116881bf724e03f735b4a4d6a3e6d95e39c26eadc2c
SHA512 5eaa8c902f2302a923fcfbd099aea3700e8041dac1fc925bbbc681903123e6dde77b9e94192b532b3b6d5601c803774b6dbfd12c8f734b5e94b8eb50c9f126e1
-
Filesize 2KB
MD5 9a39a8c4fa63eb3cd5792b5babcd79ed
SHA1 a3e0963728b5ef20df5448193bce4c7323803223
SHA256 c4b33d9e40a57d3059c9f92eac4bec2b5fd7d7c3b2a5c16fa090e69eed49ee81
SHA512 9693ab488a5584cc0f718517f43cd01d275b79829bc10ff2705d81e4d19aa6a0db76a53239fa560a30571bc78dd2788a419d7342812c3bbe1f868853908f1c74
-
Filesize 2KB
MD5 281fad30559432ef99ec9ad410a3ea79
SHA1 6d9324fc6a2a285a53f4e78a2d684b62a26a8dab
SHA256 6232379c0ce94efc1dcb9af56147b999b8c4f1cae352cdac4634823803f7390f
SHA512 742fc89321d4933ee0b7ea665b24d5c5d2d17e7f55dc7bacd7fbb449140a72ea43c81711249ae0b182ebc2b1ede553711bac70aeade93f6e0c01c7131fe637af
-
Filesize 2KB
MD5 b87ec0d5a64bfc6ad9a2544659aae8b5
SHA1 1c941c4a08312b1f6be58926814c808e73f150cb
SHA256 e7c68d401672835fc55cea7b97f6dd4b204b14bb8c5a4c824b5d856c1d06cfca
SHA512 1a47cf51c402239f9802b3f0603e54857b8139abbb5fc711c873d153e5542a8f257550af7f8321c35b267e2d54c818c70a7e93cb534117b877dbb2ff468fa0af
-
Filesize 2KB
MD5 2512fd9d393388019d59fa763ef83eae
SHA1 cb029fdab73e93765281c8fe58a7ca61fa24600f
SHA256 a83da4b13344ebd2b52f0bdd99666c3f7ee84b93116f2e27b68bf1a1d666e56a
SHA512 0ac707c5cd1ca17907b1731360659c304c7b96d8b69849c5d4823d0b2d2b42b31d3375f536878f574efa2ca4ac59fa0a0c06bb45268642e2b7f2e27aaa5eedea
-
Filesize 2KB
MD5 602c33513f508106dd52e71974a46ab4
SHA1 b3803b2c1f5bf2c25bff489457c44a6e7583f474
SHA256 d1424f4417e113c08287a1cbff400f4610c2791a4b4c3a1dd0fc9852e731fe7f
SHA512 048a72f60a3fe33e32610c076f21280baa8afce75c1713bc9b8c94e32719f57151c3a23c187f0deb535dd553bbfda321b71f9e01ed4c2f9857b7d9d2127e2445
-
Filesize 3KB
MD5 3dedf4fbb2e0a43c94993fead88efa89
SHA1 03192dac4da521419e47e3c5d05e85bc8f592c2e
SHA256 271e987b088a2b168d30df10a82665c38a55572e96010a13c5476892a8ffac73
SHA512 090f43b140125a68d8229feffd6a8c9163273c00f8bfdf400355db94351011de1c3b3f4001eb58be2e9ead7aeaa21c82fcd699aca3cccdf5ab4fcc8b9c949220
-
Filesize 3KB
MD5 74c57c9b71d9fd9ad9d11e5d0024b32e
SHA1 cac26a548d0da85c68bb3198c2a0ed33796a5259
SHA256 771dbb95e4d605b3847353efce337e91e3f2357dac27fa9a6c8f53cf3f845c08
SHA512 79b56275c39376cae07b13288ceeea1647ee65b0a6004fe3bf0fea80030ab5ee887c0bac4c7172cf397249fbbfeff3a80257759ed4f42b1c0c9c20c90c2c31da
-
Filesize 3KB
MD5 29b4aaec06fe1e4765b1a23b44915d6d
SHA1 14f14e5f1438df1325632b495b1f51afd4f61d12
SHA256 f50810ce6b183b285c11c8ba012610e543879922f8ec241339810f07f07c8b25
SHA512 ef1c76948e8762be7d54ff3fd3f85afe1bc32301e21130acde02e2c5d52c64882554ac180847d680c674e30c5ff192a0776eebd1bc8c963fce8be0129cfe9b5b
-
Filesize 3KB
MD5 2776d33d620808e65d5d15caae1ab8d4
SHA1 dc75e46ff696d92a7747c9048ddec17677866ee3
SHA256 86fdfdcaff10978afb93f1108fa85c0f9086e5c3bb3775d231f5c9910ec65937
SHA512 ee25b4a026bd4dd46e0940a6b8e55a94e1bee28d721b9af3bb6ebd7f920cfdc189c5d77519f0fcf59cac2ab1eae90c2c1624c5689ad227aba3f28be51e904220
-
Filesize 3KB
MD5 91439f040d2b0cf2d7d293300df7f331
SHA1 5c03fc2ed81a65804e5598d4c4db4768352580a6
SHA256 49660834559e5698bcfde12ae525ee282bcaa8aafb86504c3da35eaa97d5d9d6
SHA512 24a2c2dba220d5bca05b1726753c89f99551053344184fb025d59479a8e509de7c0ebff6696421be962f7464f66b23677265c2db53e7996a87d634db3b7112d1
-
Filesize 3KB
MD5 99dee73f938fd211e913ff9b733c33b3
SHA1 579523facfa2f4114c175f5fc2a94ae2cc4fedc0
SHA256 6161040a0423f1da576f25ee8e2784425efce686727efe1dd770c6d48e689bee
SHA512 1e69eebea59e772312ce1231b94327b9f4e6d7ac2bd9d5b1ca6e70c1286dba6789e56b82af596953547751f9bf4a61e99045448adc4d9e658ba65a9cfcc931e7
-
Filesize 3KB
MD5 4751dbc42566da935d6a950adc1afc50
SHA1 0590e83d685b08d7d37e3dd5a135fbd0a980312b
SHA256 251414d2033e176d2ff393f5ca7d96a8de9ad6084aa6ff8111a4eba7603e4a4a
SHA512 dd9852f90e894ede730582f5a8a4be5e3e78063a83ed020efb7634a6d78edb9eac33325a3523d71548f7d4de7ea6b651f676665fefd75fe3f373b9a9a467408d
-
Filesize 3KB
MD5 4b265b0965720f6617bc0a8816509787
SHA1 2260d29e62334ee75226b54e58e46452622d9f18
SHA256 73e068168464155f5587efbe55158a8a4cc27cdb82a16527652ebd075ebc10a4
SHA512 daa4d2809700cb7302909ef32c080b0b5287f0e82eadd3b0b02315e6725bf4179263a282e0a7e80fd3f5357427a9414a35d9f746e64e517a21f65928894cbddb
-
Filesize 3KB
MD5 38ffd8b794ade770f157c71f8750ef20
SHA1 cab20f5c076954b99b7c8d2c94f9e2ae7d417ac2
SHA256 bba5fad22229f63e6ed7ade24b907f55e97752f366df97e9176dc2b223e77b9a
SHA512 52d7d643da018fbe1b25d80f3515424e61f5ff37aa78eb843b35769c146a9559ac875d75772323414f9f65ce244aee9d4915b7b473e9f61a22b26c9ee3b1a248
-
Filesize 3KB
MD5 9415bf1d790b879f14e481b2bf4d3235
SHA1 dd3c4b45d82a90581109c376181c31fbc673a933
SHA256 8a545b8de4c09eda770be8046bc47e048f2981141a1f75fbb98b5f156bb638a3
SHA512 cdff05d99c8164a45c41b58dacb7edd0aa7d9de821eda4d1442df8cad7eefffaf898fcbbdbcfd508c5163133cda69fca4fabb3ba41d425485ea8f4a43c560ba0
-
Filesize 3KB
MD5 54bc29577ea9408deb0f01bd0343e0e7
SHA1 8e50b6fced59464f8962d13c8f5ba536981edc86
SHA256 a631c5af0f2c868b8d340239143ef5de8b958481d880444ebffe91863fb119f9
SHA512 a6d198628a4f8286f53a13f28185f3d22de277d7bcba1151e1e9b3d33aea9fffa4b9ea861336bf5352bc81601446cc4898b428075f677b3d861af07038168eef
-
Filesize 3KB
MD5 0e393f3a0d83d3fddabedd077128ec5f
SHA1 a1628d30d6e24ffdf012c3ac6d48c7eb7daab83c
SHA256 e20119e3a0739bae403d302b933562259efe1b8a1f51659650ec9d81bef6bc14
SHA512 7b202e54afdc9f1e4813abd2b15c6c5ebc979808766c758731b91518f9cf43a035c8c1ee9d9fb5733f4aadad7d57eb7c7b8bb6d61e6b93ef7e219cc5048fca2f
-
Filesize 2KB
MD5 4869f9d01618a693d54726c4f69f2c38
SHA1 467505c4d378991cbef72de1b9e85c204c33be9c
SHA256 449b9160344884f052ba5fb9b013106e98fbf223904fb1f4b86275b330bcfe83
SHA512 662630a03b6a7118ae298dbfe942f8883323b8553095fc5a9a9054f5667a98eb4f14dedb15bf0f0fdbd627d44561674f96fadd65cbcad43e417287cf3619692e
-
Filesize 2KB
MD5 70a4d7e8deef47b69980daa4f6730f4d
SHA1 d0cc1efc4e7216b55c77666d8baa581e1d545c19
SHA256 e91284e96e8faae4db9cd1df91334e50749ac04bdc1b7bec8e333b149a8e3dd9
SHA512 70f09fe7b4b70f1c0ee170fd3f212017954afda9b5fcd27be06352fa89e6567cd3623ada5a2553431d39e2b63713cc65c6856262f5f262b618a93b0500847fda
-
Filesize 2KB
MD5 3c23f346b210d6ecee2905e98f63d4e4
SHA1 6a5eb323d3ff179ff0fc4e4cea07c0037ac6d07c
SHA256 9e0d061111a3c239552fa8f25d419b005e2994665a39593890eb1ac0bfd17b2c
SHA512 1a0d4a7dac37bc210be10bd82525e7cee0f3513835484502bcaa8b9fe0c79a343e8bd1f1cb86639277b266d74eedaf8fd1ca7c68e4c7ac92d1dcafc763b7ccfa
-
Filesize 2KB
MD5 52a5dd937392391fdd874b944ae887de
SHA1 071b4be35957c5a9e7b4c351d65ca9609244c327
SHA256 6353b37d1aa06ef175ef2b2f5fbf41fc52ff056cdff59250fe653744de94b4d3
SHA512 e9dec32b47c63f75a0070141f4fca3846645e6c152a7f1ecd5c899064b0e5ae47708a352ab5e59c95ae081c2b1817b60115ed923c8c7536d37ae9cc142042c38
-
Filesize 2KB
MD5 92106dbd1a4285826243a7870f8763f2
SHA1 8600836593646a265ca0c023d12b13af902baa8d
SHA256 a7e89b85f101af348a4c8ddbcef33627357c837a330d83d260c98cd774143da0
SHA512 0d3015144680c5a0baef9006e6919ea2e4bdbf2d4f5cc163fbac1623c6b3bdff8c93378ab69cb99fd13c3313d8eb44e6e67fa0e316423ea3cee803ca31aaa1b4
-
Filesize 2KB
MD5 0e326afc9c59f553ce1b4d242c23d514
SHA1 63d8e07e750e9bc0f2359ebf17453c61e2e4124f
SHA256 abc09860be9415fdfe21835269ed2c9fdcf905bfe634774c05347660cd45b1a4
SHA512 15816e5fee25911619a1bcd64649ffa981860e0b762fc68c6685f8dfe11910a5187d6539aed89893b5a20a224ce43651976e9f6ddc010fad4334dd2cfc8b129a
-
Filesize 345KB
MD5 7f0cbf1fd78977f4057981c4dd21ea4b
SHA1 42324b5ecca6a69b77e43f57d1fd690b2f6bda5d
SHA256 7a9db3abe60bd686997bebfe7bf60bad0ac2f84d592f3dc63bfdcf01e3eca6b9
SHA512 44092fe9e8c9aa97616cb22ce747dafddff4f846e5bd793203249adff0d8e1cd4ada0968229888ecca73c4ef7cadd2f606985a2bbcd59b674de6ae223f7c2d75
-
Filesize 3.6MB
MD5 b3d423dd9c97ffe8063f30b7d836c422
SHA1 f40780735b0d8376bdc4709e194814ac69860c96
SHA256 b468a2397fc856094418611b69284c2a4f757058c49a2aad48e1ccc79f388e0c
SHA512 bd93d3d18942d13e36df64ffba419d79ed108e756a784c35af7e41f6a883d10b444484b52db25d65156a2981d4802dfcb4354ad6f61426f2f8ce8f07c5a15ab2
-
Filesize 22KB
MD5 80648b43d233468718d717d10187b68d
SHA1 a1736e8f0e408ce705722ce097d1adb24ebffc45
SHA256 8ab9a39457507e405ade5ef9d723e0f89bc46d8d8b33d354b00d95847f098380
SHA512 eec0ac7e7abcf87b3f0f4522b0dd95c658327afb866ceecff3c9ff0812a521201d729dd71d43f3ac46536f8435d4a49ac157b6282077c7c1940a6668f3b3aea9
-
Filesize 6KB
MD5 01e21456e8000bab92907eec3b3aeea9
SHA1 39b34fe438352f7b095e24c89968fca48b8ce11c
SHA256 35ad0403fdef3fce3ef5cd311c72fef2a95a317297a53c02735cda4bd6e0c74f
SHA512 9d5153450e8fe3f51f20472bae4a2ab2fed43fad61a89b04a70325559f6ffed935dd72212671cc6cfc0288458d359bc71567f0d9af8e5770d696adc5bdadd7ec
-
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize 8KB
MD5 e1db733e43aa8d065fb7e8669db76524
SHA1 3f9c62ee28959959271632fdc7f5387d539a1d23
SHA256 9e65d9e8ebb895f3b03c95ce64f044c70251fff444a4bcbee83f558b599a614d
SHA512 3f6106f32932e72d197865f7b796eba072c8ab20c22b4d205f27de9b9fc6c139be8450ae25541fbdac37a06bc3ec2d1fab3f9b3216201a9231b70fcde6fb8eb3
-
Filesize 868KB
MD5 6c8042af9e749f6406b7bd7dcf98d7eb
SHA1 b7395c27c72eb4b78d8459bb379c613d5f2bb365
SHA256 8338de9a14e5bea902708b00d25c16ec5549639167b96ae162dcdd22f65ec955
SHA512 098a8292a4e35fd21bd4f35c729581dd59e5640b46c2761790864a4f6195c78c7014f33201d2b63ab990cdcb66bc9bbc1b7d76fd46df745e8586e111b159c3ad
-
Filesize 135KB
MD5 6b2739f7a5238c8fb4442355dcfdbb0d
SHA1 eff490909fbea9a3f6593fbf401f797730cea8eb
SHA256 41db8ab344bde359137d6a7d5be5dbf79c4bf2b52d8263c4fad3eac525606ab9
SHA512 f061a61ce4dbc499afbb8f18c2f2af5fd56286399253aa3e2ab86073e22148c56a044167acae81856b48cb03c4cfd060c8e1b74eb958083d182041a7c3e1ea89
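The dropped-files listing above is the shape such a report takes once it has been extracted as text: each entry is a path (sometimes absent), a Filesize, and four digests, separated by a "-" line, with the label sometimes run into its value or split from it across two lines. Before any of these digests go into a blocklist they need three checks: that each digest has the right length for its algorithm, that the entry actually identifies a file, and that the digest is not the one every zero-byte file shares, which is what the Filesize-less entry near the end carries (its MD5, SHA1, SHA256 and SHA512 are exactly the digests of empty input) and which would match harmless empty files on every host. The following Python is an added example written for this page; it is not part of the sandbox report or of any sandbox vendor's tooling. The `EXCERPT` constant is copied verbatim from three entries of the listing above; `DroppedFile`, `parse_listing` and `hunt_hashes` are names chosen for this example.

```python
"""Parse a sandbox "dropped files" listing into usable indicator records.

Added example for this page, not part of the sandbox report. It tolerates
the extraction quirks visible in the listing: a label fused to its value
("MD519922f..."), a label and its value split across two lines, entries
with no recorded path, and an entry with no Filesize at all.
"""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass, field
from typing import Optional

HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# A known label, optionally followed on the same line by its value.
LABEL_RE = re.compile(r"^(Filesize|MD5|SHA1|SHA256|SHA512)\s*(\S*)$")
# Digests of zero bytes, computed here rather than hard-coded.
EMPTY_DIGESTS = {name: getattr(hashlib, name.lower())(b"").hexdigest() for name in HEX_LEN}

# Three entries copied from the listing on this page (fused labels, a split
# Filesize with no path, and the Filesize-less empty-file entry).
EXCERPT = r"""
C:\Users\Admin\AppData\Local\Temp\7zE85C7EFF8\Themida_x32_x64_v3.0.4.0_Repacked\ThemidaSDK\Include\Delphi\CheckVirtualPC_Epilog.inc
Filesize84B
MD51b6927de492d864c686ee9339a07dc02
SHA18ad9f7b6423cdc5af012ccd6dedcd5d660a3b80a
SHA2563ab3b6919efe515076288307d0f0061e5d6d391bb9749d6427c97c49b728a919
SHA512336a600aa19e84cbc9d600b8e08a41f930bf571f8e5da4550e59212381001fc2bb0925107d34226eeffd557ab15b5b5aeb3b075b037b53b24ad3d362053b00d1
-
Filesize
6KB
MD5efd5f8a46ca5b689dda44838c2eb005e
SHA1063bfc7357bd8aead4a053282a2caf883857fff7
SHA2564c6d9cb6224ec89facf3c912e2297c0a322a069384454bee484b807fa270b9d8
SHA512b3677b923a84d25a3db34cd199fd5b9c73fcfc506a03fd8dc5151b6d61ef794fbeaa7929a1fa337d6397e4464c65179d6599f9c266d935172a4bc2be37bfc3e3
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
"""


@dataclass
class DroppedFile:
    path: Optional[str] = None
    filesize: Optional[str] = None
    hashes: dict[str, str] = field(default_factory=dict)
    problems: list[str] = field(default_factory=list)


def _store(rec: DroppedFile, label: str, value: str) -> None:
    if label == "Filesize":
        rec.filesize = value
    else:
        rec.hashes[label] = value.lower()


def _check(rec: DroppedFile) -> DroppedFile:
    """Flag anything that makes the record unusable as an indicator."""
    for name, n in HEX_LEN.items():
        h = rec.hashes.get(name)
        if h is None:
            rec.problems.append(f"missing {name}")
        elif not re.fullmatch(rf"[0-9a-f]{{{n}}}", h):
            rec.problems.append(f"malformed {name}")
    if rec.path is None:
        rec.problems.append("no path recorded")
    if rec.filesize is None:
        rec.problems.append("no Filesize recorded")
    if any(rec.hashes.get(k) == v for k, v in EMPTY_DIGESTS.items()):
        rec.problems.append("empty file (digest of zero bytes)")
    return rec


def parse_listing(text: str) -> list[DroppedFile]:
    records: list[DroppedFile] = []
    cur = DroppedFile()
    pending: Optional[str] = None  # label seen alone on a line; value comes next
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "-":  # entry separator
            if cur.path or cur.hashes:
                records.append(_check(cur))
            cur, pending = DroppedFile(), None
            continue
        if pending is not None:
            _store(cur, pending, line)
            pending = None
            continue
        m = LABEL_RE.match(line)
        if m and m.group(2):
            _store(cur, m.group(1), m.group(2))
        elif m:
            pending = m.group(1)
        else:  # anything that is not a label line is the file path
            cur.path = line
    if cur.path or cur.hashes:
        records.append(_check(cur))
    return records


def hunt_hashes(records: list[DroppedFile], algo: str = "SHA256") -> set[str]:
    """Digests fit for a blocklist: well-formed and not the empty-file digest."""
    return {
        r.hashes[algo]
        for r in records
        if algo in r.hashes
        and not any(p.startswith(("malformed", "empty file")) for p in r.problems)
    }


if __name__ == "__main__":
    for rec in parse_listing(EXCERPT):
        print(rec.path or "<no path>", rec.filesize, rec.problems)
    print(sorted(hunt_hashes(parse_listing(EXCERPT))))
```

Entries without a path are kept, since a digest is still a usable indicator without one, but the missing path is recorded so an analyst can see which indicators lack file context. The empty-file entry is excluded from the hunt set because it would match every zero-byte file on every host.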