Resubmissions
03-10-2024 15:47  241003-s77adswhlg  8
03-10-2024 15:39  241003-s31l2ssgrr  8
03-10-2024 15:35  241003-s1stessgjn  8
03-10-2024 15:25  241003-strmsasdlp  8

Analysis
max time kernel: 519s
max time network: 522s
platform: windows11-21h2_x64
resource: win11-20240802-en
resource tags: arch:x64 arch:x86 image:win11-20240802-en locale:en-us os:windows11-21h2-x64 system
submitted: 03-10-2024 15:25
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://github.com/JackDoesMalwares/Gocullinator
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
https://github.com/JackDoesMalwares/Gocullinator
Resource
win11-20240802-en
Errors
General
-
Target
https://github.com/JackDoesMalwares/Gocullinator
Malware Config
Signatures
-
Disables RegEdit via registry modification 1 IoCs
Processes:
Holzer.exe: Set value (int) \REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
Disables Task Manager via registry modification
-
Downloads MZ/PE file
-
Possible privilege escalation attempt 2 IoCs
Processes:
icacls.exe (PID 9060), takeown.exe (PID 5260)
Executes dropped EXE 1 IoCs
Processes:
Holzer.exe (PID 1800)
Modifies file permissions 1 TTPs 2 IoCs
Processes:
takeown.exe (PID 5260), icacls.exe (PID 9060)
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
Processes:
flow 62: raw.githubusercontent.com; flow 58: raw.githubusercontent.com; flow 61: raw.githubusercontent.com
Power Settings 1 TTPs 1 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
Holzer.exe: File opened for modification \??\PhysicalDrive0
Enumerates processes with tasklist 1 TTPs 1 IoCs
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
sc.exe (PID 11004)
Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
Processes:
firefox.exe: File created C:\Users\Admin\Downloads\Holzer.exe:Zone.Identifier
Access Token Manipulation: Create Process with Token 1 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
-
Program crash 4 IoCs
Processes:
WerFault.exe (PID 5324, target PID 6100, procid_target 168); WerFault.exe (PID 11148, target PID 10872, procid_target 418); WerFault.exe (PID 11140, target PID 10880, procid_target 419); WerFault.exe (PID 852, target PID 8648, procid_target 611)
System Location Discovery: System Language Discovery 1 TTPs 16 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by: ARP.EXE, bitsadmin.exe, bthudtask.exe, certreq.exe, CameraSettingsUIHost.exe, CertEnrollCtrl.exe, Holzer.exe, at.exe, attrib.exe, backgroundTaskHost.exe, BackgroundTransferHost.exe, certutil.exe, AtBroker.exe, auditpol.exe, cacls.exe, calc.exe
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs
Adversaries may check for Internet connectivity on compromised systems.
Processes:
PATHPING.EXE (PID 6316), PING.EXE (PID 8592), RpcPing.exe (PID 11028), TRACERT.EXE (PID 10452)
Checks SCSI registry key(s) 3 TTPs 36 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
firefox.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz
firefox.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz
firefox.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
firefox.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
firefox.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature
firefox.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision
firefox.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier
firefox.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Delays execution with timeout.exe 1 IoCs
Processes:
timeout.exe (PID 9920)
Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.
Processes:
ipconfig.exe (PID 8520), NETSTAT.EXE (PID 6492)
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.
-
Kills process with taskkill 1 IoCs
Processes:
taskkill.exe (PID 9072)
Modifies registry class 25 IoCs
Processes:
NTFS ADS 1 IoCs
Processes:
firefox.exe: File created C:\Users\Admin\Downloads\Holzer.exe:Zone.Identifier
Runs net.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Runs regedit.exe 2 IoCs
Processes:
regedit.exe (PID 10816), regedit.exe (PID 10852)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
Holzer.exe (PID 1800)
Suspicious use of AdjustPrivilegeToken 30 IoCs
Processes:
firefox.exe (PID 3760): Token SeDebugPrivilege, 6 times
AUDIODG.EXE (PID 4852): Token 33; Token SeIncBasePriorityPrivilege
Holzer.exe (PID 1800): Token SeSystemtimePrivilege, 4 times
svchost.exe (PID 3712): Token SeShutdownPrivilege, 2 times; Token SeCreatePagefilePrivilege
auditpol.exe (PID 5072): Token SeSecurityPrivilege
certreq.exe (PID 4656): Token SeDebugPrivilege, 14 times
Suspicious use of FindShellTrayWindow 21 IoCs
Processes:
firefox.exe (PID 3760), 21 times
Suspicious use of SetWindowsHookEx 6 IoCs
Processes:
firefox.exe (PID 3760), 4 times; OpenWith.exe (PID 3800); certreq.exe (PID 4656)
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
firefox.exe (PID 3484) wrote to memory of PID 3760 (procid_target 78): 11 times
firefox.exe (PID 3760) wrote to memory of PID 4116 (procid_target 79): 45 times
firefox.exe (PID 3760) wrote to memory of PID 1548 (procid_target 80): 8 times
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Views/modifies file attributes 1 TTPs 1 IoCs
Processes

[1] C:\Program Files\Mozilla Firefox\firefox.exe | "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://github.com/JackDoesMalwares/Gocullinator" | PID 3484
    - Suspicious use of WriteProcessMemory
  [2] C:\Program Files\Mozilla Firefox\firefox.exe | "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://github.com/JackDoesMalwares/Gocullinator | PID 3760
      - Subvert Trust Controls: Mark-of-the-Web Bypass
      - Checks processor information in registry
      - Modifies registry class
      - NTFS ADS
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
    [3] C:\Program Files\Mozilla Firefox\firefox.exe | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1992 -parentBuildID 20240401114208 -prefsHandle 1920 -prefMapHandle 1912 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e4f901b4-8da8-4b67-a8c3-e817742b9d9c} 3760 "\\.\pipe\gecko-crash-server-pipe.3760" gpu | PID 4116
    [3] C:\Program Files\Mozilla Firefox\firefox.exe | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2408 -parentBuildID 20240401114208 -prefsHandle 2384 -prefMapHandle 2380 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {89f308c0-582c-424b-93b9-9f919efb790c} 3760 "\\.\pipe\gecko-crash-server-pipe.3760" socket | PID 1548
    [3] C:\Program Files\Mozilla Firefox\firefox.exe | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3360 -childID 1 -isForBrowser -prefsHandle 3316 -prefMapHandle 3228 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a8e08d65-83c9-48f0-a3ac-29a81ac67129} 3760 "\\.\pipe\gecko-crash-server-pipe.3760" tab | PID 5016
    [3] C:\Program Files\Mozilla Firefox\firefox.exe | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3896 -childID 2 -isForBrowser -prefsHandle 3884 -prefMapHandle 3872 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f18617fd-ec78-4a79-8e0b-ad1b04aed10e} 3760 "\\.\pipe\gecko-crash-server-pipe.3760" tab | PID 400
    [3] C:\Program Files\Mozilla Firefox\firefox.exe | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4756 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4720 -prefMapHandle 4704 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {84b89f38-1935-469b-9091-c4a700261a74} 3760 "\\.\pipe\gecko-crash-server-pipe.3760" utility | PID 2716
        - Checks processor information in registry
    [3] C:\Program Files\Mozilla Firefox\firefox.exe | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4780 -childID 3 -isForBrowser -prefsHandle 5324 -prefMapHandle 5356 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ab03baea-a622-423d-9fcf-b0812ed55fa6} 3760 "\\.\pipe\gecko-crash-server-pipe.3760" tab | PID 3820
    [3] C:\Program Files\Mozilla Firefox\firefox.exe | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5680 -childID 4 -isForBrowser -prefsHandle 5468 -prefMapHandle 5480 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f96803fc-7380-4b51-905f-eeb1d312d610} 3760 "\\.\pipe\gecko-crash-server-pipe.3760" tab | PID 2044
    [3] C:\Program Files\Mozilla Firefox\firefox.exe | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5844 -childID 5 -isForBrowser -prefsHandle 5852 -prefMapHandle 5856 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4cbd94b5-0374-4b8e-9b3e-6177ac9e3789} 3760 "\\.\pipe\gecko-crash-server-pipe.3760" tab | PID 4704
    [3] C:\Users\Admin\Downloads\Holzer.exe | "C:\Users\Admin\Downloads\Holzer.exe" | PID 1800
        - Disables RegEdit via registry modification
        - Executes dropped EXE
        - Writes to the Master Boot Record (MBR)
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\agentactivationruntimestarter.exe | "C:\Windows\System32\agentactivationruntimestarter.exe" | PID 2080
      [4] C:\Windows\SysWOW64\appidtel.exe | "C:\Windows\System32\appidtel.exe" | PID 1028
      [4] C:\Windows\SysWOW64\ARP.EXE | "C:\Windows\System32\ARP.EXE" | PID 4668
          - System Location Discovery: System Language Discovery
      [4] C:\Windows\SysWOW64\at.exe | "C:\Windows\System32\at.exe" | PID 5100
          - System Location Discovery: System Language Discovery
      [4] C:\Windows\SysWOW64\AtBroker.exe | "C:\Windows\System32\AtBroker.exe" | PID 3800
          - System Location Discovery: System Language Discovery
      [4] C:\Windows\SysWOW64\attrib.exe | "C:\Windows\System32\attrib.exe" | PID 3052
          - System Location Discovery: System Language Discovery
          - Views/modifies file attributes
      [4] C:\Windows\SysWOW64\auditpol.exe | "C:\Windows\System32\auditpol.exe" | PID 5072
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\autochk.exe | "C:\Windows\System32\autochk.exe" | PID 5104
      [4] C:\Windows\SysWOW64\backgroundTaskHost.exe | "C:\Windows\System32\backgroundTaskHost.exe" | PID 1408
          - System Location Discovery: System Language Discovery
      [4] C:\Windows\SysWOW64\BackgroundTransferHost.exe | "C:\Windows\System32\BackgroundTransferHost.exe" | PID 5052
          - System Location Discovery: System Language Discovery
      [4] C:\Windows\SysWOW64\bitsadmin.exe | "C:\Windows\System32\bitsadmin.exe" | PID 4524
          - System Location Discovery: System Language Discovery
      [4] C:\Windows\SysWOW64\bthudtask.exe | "C:\Windows\System32\bthudtask.exe" | PID 1524
          - System Location Discovery: System Language Discovery
      [4] C:\Windows\SysWOW64\ByteCodeGenerator.exe | "C:\Windows\System32\ByteCodeGenerator.exe" | PID 4320
      [4] C:\Windows\SysWOW64\cacls.exe | "C:\Windows\System32\cacls.exe" | PID 3408
          - System Location Discovery: System Language Discovery
      [4] C:\Windows\SysWOW64\calc.exe | "C:\Windows\System32\calc.exe" | PID 1296
          - System Location Discovery: System Language Discovery
          - Modifies registry class
      [4] C:\Windows\SysWOW64\CameraSettingsUIHost.exe | "C:\Windows\System32\CameraSettingsUIHost.exe" | PID 816
          - System Location Discovery: System Language Discovery
      [4] C:\Windows\SysWOW64\CertEnrollCtrl.exe | "C:\Windows\System32\CertEnrollCtrl.exe" | PID 1292
          - System Location Discovery: System Language Discovery
      [4] C:\Windows\SysWOW64\certreq.exe | "C:\Windows\System32\certreq.exe" | PID 4656
          - System Location Discovery: System Language Discovery
          - Modifies registry class
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx
      [4] C:\Windows\SysWOW64\certutil.exe | "C:\Windows\System32\certutil.exe" | PID 1588
          - System Location Discovery: System Language Discovery
      [4] C:\Windows\SysWOW64\charmap.exe | "C:\Windows\System32\charmap.exe" | PID 3704
      [4] C:\Windows\SysWOW64\CheckNetIsolation.exe | "C:\Windows\System32\CheckNetIsolation.exe" | PID 4496
      [4] C:\Windows\SysWOW64\chkdsk.exe | "C:\Windows\System32\chkdsk.exe" | PID 2432
      [4] C:\Windows\SysWOW64\chkntfs.exe | "C:\Windows\System32\chkntfs.exe" | PID 4284
      [4] C:\Windows\SysWOW64\choice.exe | "C:\Windows\System32\choice.exe" | PID 4320
      [4] C:\Windows\SysWOW64\cipher.exe | "C:\Windows\System32\cipher.exe" | PID 4884
      [4] C:\Windows\SysWOW64\cleanmgr.exe | "C:\Windows\System32\cleanmgr.exe" | PID 2860
      [4] C:\Windows\SysWOW64\cliconfg.exe | "C:\Windows\System32\cliconfg.exe" | PID 5144
      [4] C:\Windows\SysWOW64\clip.exe | "C:\Windows\System32\clip.exe" | PID 5160
      [4] C:\Windows\SysWOW64\CloudNotifications.exe | "C:\Windows\System32\CloudNotifications.exe" | PID 5200
      [4] C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" | PID 5240
      [4] C:\Windows\SysWOW64\cmdkey.exe | "C:\Windows\System32\cmdkey.exe" | PID 5300
      [4] C:\Windows\SysWOW64\cmdl32.exe | "C:\Windows\System32\cmdl32.exe" | PID 5348
      [4] C:\Windows\SysWOW64\cmmon32.exe | "C:\Windows\System32\cmmon32.exe" | PID 5368
      [4] C:\Windows\SysWOW64\cmstp.exe | "C:\Windows\System32\cmstp.exe" | PID 5380
      [4] C:\Windows\SysWOW64\colorcpl.exe | "C:\Windows\System32\colorcpl.exe" | PID 5400
      [4] C:\Windows\SysWOW64\comp.exe | "C:\Windows\System32\comp.exe" | PID 5436
      [4] C:\Windows\SysWOW64\compact.exe | "C:\Windows\System32\compact.exe" | PID 5480
      [4] C:\Windows\SysWOW64\ComputerDefaults.exe | "C:\Windows\System32\ComputerDefaults.exe" | PID 5528
      [4] C:\Windows\SysWOW64\control.exe | "C:\Windows\System32\control.exe" | PID 5584
      [4] C:\Windows\SysWOW64\convert.exe | "C:\Windows\System32\convert.exe" | PID 5740
      [4] C:\Windows\SysWOW64\CredentialUIBroker.exe | "C:\Windows\System32\CredentialUIBroker.exe" | PID 5852
      [4] C:\Windows\SysWOW64\credwiz.exe | "C:\Windows\System32\credwiz.exe" | PID 5880
      [4] C:\Windows\SysWOW64\cscript.exe | "C:\Windows\System32\cscript.exe" | PID 5920
      [4] C:\Windows\SysWOW64\ctfmon.exe | "C:\Windows\System32\ctfmon.exe" | PID 6100
        [5] C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 6100 -s 752 | PID 5324
            - Program crash
      [4] C:\Windows\SysWOW64\cttune.exe | "C:\Windows\System32\cttune.exe" | PID 1032
      [4] C:\Windows\SysWOW64\cttunesvr.exe | "C:\Windows\System32\cttunesvr.exe" | PID 5360
      [4] C:\Windows\SysWOW64\curl.exe | "C:\Windows\System32\curl.exe" | PID 5584
      [4] C:\Windows\SysWOW64\dccw.exe | "C:\Windows\System32\dccw.exe" | PID 6032
      [4] C:\Windows\SysWOW64\dcomcnfg.exe | "C:\Windows\System32\dcomcnfg.exe" | PID 6216
        [5] C:\Windows\system32\mmc.exe | C:\Windows\system32\mmc.exe C:\Windows\system32\comexp.msc | PID 6240
      [4] C:\Windows\SysWOW64\ddodiag.exe | "C:\Windows\System32\ddodiag.exe" | PID 6316
      [4] C:\Windows\SysWOW64\DevicePairingWizard.exe | "C:\Windows\System32\DevicePairingWizard.exe" | PID 6408
      [4] C:\Windows\SysWOW64\dfrgui.exe | "C:\Windows\System32\dfrgui.exe" | PID 6568
      [4] C:\Windows\SysWOW64\dialer.exe | "C:\Windows\System32\dialer.exe" | PID 6744
      [4] C:\Windows\SysWOW64\diskpart.exe | "C:\Windows\System32\diskpart.exe" | PID 6936
      [4] C:\Windows\SysWOW64\diskperf.exe | "C:\Windows\System32\diskperf.exe" | PID 7040
      [4] C:\Windows\SysWOW64\diskusage.exe | "C:\Windows\System32\diskusage.exe" | PID 6440
      [4] C:\Windows\SysWOW64\Dism.exe | "C:\Windows\System32\Dism.exe" | PID 6388
      [4] C:\Windows\SysWOW64\dllhost.exe | "C:\Windows\System32\dllhost.exe" | PID 7048
      [4] C:\Windows\SysWOW64\dllhst3g.exe | "C:\Windows\System32\dllhst3g.exe" | PID 5224
      [4] C:\Windows\SysWOW64\doskey.exe | "C:\Windows\System32\doskey.exe" | PID 5212
      [4] C:\Windows\SysWOW64\dpapimig.exe | "C:\Windows\System32\dpapimig.exe" | PID 6568
-
-
C:\Windows\SysWOW64\DpiScaling.exe"C:\Windows\System32\DpiScaling.exe"4⤵PID:6324
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe" ms-settings:display5⤵PID:6480
-
-
-
C:\Windows\SysWOW64\driverquery.exe"C:\Windows\System32\driverquery.exe"4⤵PID:7360
-
-
C:\Windows\SysWOW64\dtdump.exe"C:\Windows\System32\dtdump.exe"4⤵PID:7448
-
-
C:\Windows\SysWOW64\dvdplay.exe"C:\Windows\System32\dvdplay.exe"4⤵PID:7580
-
C:\Program Files (x86)\Windows Media Player\wmplayer.exe/device:dvd5⤵PID:7596
-
C:\Windows\SysWOW64\unregmp2.exe"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon6⤵PID:7640
-
C:\Windows\system32\unregmp2.exe"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT7⤵PID:7704
-
-
-
-
-
C:\Windows\SysWOW64\DWWIN.EXE"C:\Windows\System32\DWWIN.EXE"4⤵PID:7696
-
-
C:\Windows\SysWOW64\dxdiag.exe"C:\Windows\System32\dxdiag.exe"4⤵PID:7888
-
-
C:\Windows\SysWOW64\EaseOfAccessDialog.exe"C:\Windows\System32\EaseOfAccessDialog.exe"4⤵PID:8016
-
-
C:\Windows\SysWOW64\edpnotify.exe"C:\Windows\System32\edpnotify.exe"4⤵PID:8032
-
-
C:\Windows\SysWOW64\efsui.exe"C:\Windows\System32\efsui.exe"4⤵PID:8060
-
-
C:\Windows\SysWOW64\EhStorAuthn.exe"C:\Windows\System32\EhStorAuthn.exe"4⤵PID:8076
-
-
C:\Windows\SysWOW64\esentutl.exe"C:\Windows\System32\esentutl.exe"4⤵PID:8092
-
-
C:\Windows\SysWOW64\eudcedit.exe"C:\Windows\System32\eudcedit.exe"4⤵PID:6728
-
-
C:\Windows\SysWOW64\eventcreate.exe"C:\Windows\System32\eventcreate.exe"4⤵PID:7172
-
-
C:\Windows\SysWOW64\eventvwr.exe"C:\Windows\System32\eventvwr.exe"4⤵PID:7236
-
C:\Windows\SysWOW64\mmc.exe"C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc"5⤵PID:7396
-
C:\Windows\system32\mmc.exe"C:\Windows\system32\eventvwr.msc" "C:\Windows\system32\eventvwr.msc"6⤵PID:7484
-
-
-
-
C:\Windows\SysWOW64\expand.exe"C:\Windows\System32\expand.exe"4⤵PID:7572
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\System32\explorer.exe"4⤵PID:7668
-
-
C:\Windows\SysWOW64\extrac32.exe"C:\Windows\System32\extrac32.exe"4⤵PID:7920
-
-
C:\Windows\SysWOW64\fc.exe"C:\Windows\System32\fc.exe"4⤵PID:7940
-
-
C:\Windows\SysWOW64\find.exe"C:\Windows\System32\find.exe"4⤵PID:7752
-
-
C:\Windows\SysWOW64\findstr.exe"C:\Windows\System32\findstr.exe"4⤵PID:7840
-
-
C:\Windows\SysWOW64\finger.exe"C:\Windows\System32\finger.exe"4⤵PID:2432
-
-
C:\Windows\SysWOW64\fixmapi.exe"C:\Windows\System32\fixmapi.exe"4⤵PID:8000
-
-
C:\Windows\SysWOW64\fltMC.exe"C:\Windows\System32\fltMC.exe"4⤵PID:7720
-
-
C:\Windows\SysWOW64\Fondue.exe"C:\Windows\System32\Fondue.exe"4⤵PID:8016
-
-
C:\Windows\SysWOW64\fontview.exe"C:\Windows\System32\fontview.exe"4⤵PID:7416
-
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe"4⤵PID:5740
-
C:\Windows\SysWOW64\cmd.exe/c echo "ApproveDeny.doc"5⤵PID:7672
-
-
-
C:\Windows\SysWOW64\fsquirt.exe"C:\Windows\System32\fsquirt.exe"4⤵PID:8176
-
-
C:\Windows\SysWOW64\fsutil.exe"C:\Windows\System32\fsutil.exe"4⤵PID:8144
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument ftp://ftp.exe/4⤵PID:5788
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffb77d33cb8,0x7ffb77d33cc8,0x7ffb77d33cd85⤵PID:7320
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2008,16969664999867716704,7030683202352837557,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2032 /prefetch:25⤵PID:7824
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2008,16969664999867716704,7030683202352837557,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 /prefetch:35⤵PID:7772
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2008,16969664999867716704,7030683202352837557,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2876 /prefetch:85⤵PID:2432
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,16969664999867716704,7030683202352837557,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:15⤵PID:7968
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,16969664999867716704,7030683202352837557,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:15⤵PID:7704
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2008,16969664999867716704,7030683202352837557,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3968 /prefetch:85⤵PID:8304
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2008,16969664999867716704,7030683202352837557,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1732 /prefetch:25⤵PID:3128
-
-
-
C:\Windows\SysWOW64\GameBarPresenceWriter.exe"C:\Windows\System32\GameBarPresenceWriter.exe"4⤵PID:7936
-
-
C:\Windows\SysWOW64\GamePanel.exe"C:\Windows\System32\GamePanel.exe"4⤵PID:8392
-
-
C:\Windows\SysWOW64\getmac.exe"C:\Windows\System32\getmac.exe"4⤵PID:8532
-
-
C:\Windows\SysWOW64\gpresult.exe"C:\Windows\System32\gpresult.exe"4⤵PID:8628
-
-
C:\Windows\SysWOW64\gpscript.exe"C:\Windows\System32\gpscript.exe"4⤵PID:8684
-
-
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\System32\gpupdate.exe"4⤵PID:8724
-
-
C:\Windows\SysWOW64\grpconv.exe"C:\Windows\System32\grpconv.exe"4⤵PID:8812
-
-
C:\Windows\SysWOW64\hdwwiz.exe"C:\Windows\System32\hdwwiz.exe"4⤵PID:8920
-
-
C:\Windows\SysWOW64\help.exe"C:\Windows\System32\help.exe"4⤵PID:8948
-
-
C:\Windows\SysWOW64\hh.exe"C:\Windows\System32\hh.exe"4⤵PID:8988
-
-
C:\Windows\SysWOW64\HOSTNAME.EXE"C:\Windows\System32\HOSTNAME.EXE"4⤵PID:9004
-
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe"4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:9060
-
-
C:\Windows\SysWOW64\icsunattend.exe"C:\Windows\System32\icsunattend.exe"4⤵PID:9104
-
-
C:\Windows\SysWOW64\ieUnatt.exe"C:\Windows\System32\ieUnatt.exe"4⤵PID:9148
-
-
C:\Windows\SysWOW64\iexpress.exe"C:\Windows\System32\iexpress.exe"4⤵PID:9208
-
-
C:\Windows\SysWOW64\InfDefaultInstall.exe"C:\Windows\System32\InfDefaultInstall.exe"4⤵PID:612
-
-
C:\Windows\SysWOW64\InputSwitchToastHandler.exe"C:\Windows\System32\InputSwitchToastHandler.exe"4⤵PID:7408
-
-
C:\Windows\SysWOW64\instnm.exe"C:\Windows\System32\instnm.exe"4⤵PID:8396
-
-
C:\Windows\SysWOW64\ipconfig.exe"C:\Windows\System32\ipconfig.exe"4⤵
- Gathers network information
PID:8520
-
-
C:\Windows\SysWOW64\iscsicli.exe"C:\Windows\System32\iscsicli.exe"4⤵PID:8544
-
-
C:\Windows\SysWOW64\iscsicpl.exe"C:\Windows\System32\iscsicpl.exe"4⤵PID:7392
-
C:\Windows\system32\RunDll32.exeC:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL iscsicpl.dll,,05⤵PID:7388
-
-
-
C:\Windows\SysWOW64\isoburn.exe"C:\Windows\System32\isoburn.exe"4⤵PID:8668
-
-
C:\Windows\SysWOW64\ktmutil.exe"C:\Windows\System32\ktmutil.exe"4⤵PID:8716
-
-
C:\Windows\SysWOW64\label.exe"C:\Windows\System32\label.exe"4⤵PID:8632
-
-
C:\Windows\SysWOW64\LaunchTM.exe"C:\Windows\System32\LaunchTM.exe"4⤵PID:8600
-
C:\Windows\SysWOW64\Taskmgr.exe"C:\Windows\System32\Taskmgr.exe"5⤵PID:8960
-
-
-
C:\Windows\SysWOW64\LaunchWinApp.exe"C:\Windows\System32\LaunchWinApp.exe"4⤵PID:8988
-
-
C:\Windows\SysWOW64\lodctr.exe"C:\Windows\System32\lodctr.exe"4⤵PID:8948
-
-
C:\Windows\SysWOW64\logagent.exe"C:\Windows\System32\logagent.exe"4⤵PID:9004
-
-
C:\Windows\SysWOW64\logman.exe"C:\Windows\System32\logman.exe"4⤵PID:9060
-
-
C:\Windows\SysWOW64\Magnify.exe"C:\Windows\System32\Magnify.exe"4⤵PID:9160
-
-
C:\Windows\SysWOW64\makecab.exe"C:\Windows\System32\makecab.exe"4⤵PID:8908
-
-
C:\Windows\SysWOW64\mavinject.exe"C:\Windows\System32\mavinject.exe"4⤵PID:8452
-
-
C:\Windows\SysWOW64\mcbuilder.exe"C:\Windows\System32\mcbuilder.exe"4⤵PID:8980
-
-
C:\Windows\SysWOW64\mfpmp.exe"C:\Windows\System32\mfpmp.exe"4⤵PID:8484
-
-
C:\Windows\SysWOW64\mmc.exe"C:\Windows\System32\mmc.exe"4⤵PID:8484
-
C:\Windows\system32\mmc.exe"C:\Windows\system32\mmc.exe"5⤵PID:9236
-
-
-
C:\Windows\SysWOW64\mmgaserver.exe"C:\Windows\System32\mmgaserver.exe"4⤵PID:9324
-
-
C:\Windows\SysWOW64\mobsync.exe"C:\Windows\System32\mobsync.exe"4⤵PID:9420
-
-
C:\Windows\SysWOW64\mountvol.exe"C:\Windows\System32\mountvol.exe"4⤵PID:9544
-
-
C:\Windows\SysWOW64\MRINFO.EXE"C:\Windows\System32\MRINFO.EXE"4⤵PID:9612
-
-
C:\Windows\SysWOW64\msdt.exe"C:\Windows\System32\msdt.exe"4⤵PID:9668
-
-
C:\Windows\SysWOW64\msfeedssync.exe"C:\Windows\System32\msfeedssync.exe"4⤵PID:9732
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe"4⤵PID:9744
-
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\System32\msiexec.exe"4⤵PID:9808
-
-
C:\Windows\SysWOW64\msinfo32.exe"C:\Windows\System32\msinfo32.exe"4⤵PID:9824
-
-
C:\Windows\SysWOW64\msra.exe"C:\Windows\System32\msra.exe"4⤵PID:9868
-
C:\Windows\system32\msra.exe"C:\Windows\system32\msra.exe"5⤵PID:9944
-
-
-
C:\Windows\SysWOW64\mstsc.exe"C:\Windows\System32\mstsc.exe"4⤵PID:9972
-
C:\Windows\system32\mstsc.exe"C:\Windows\System32\mstsc.exe"5⤵PID:9988
-
-
-
C:\Windows\SysWOW64\mtstocom.exe"C:\Windows\System32\mtstocom.exe"4⤵PID:10044
-
-
C:\Windows\SysWOW64\MuiUnattend.exe"C:\Windows\System32\MuiUnattend.exe"4⤵PID:10104
-
-
C:\Windows\SysWOW64\ndadmin.exe"C:\Windows\System32\ndadmin.exe"4⤵PID:10168
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe"4⤵PID:10196
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net15⤵PID:9228
-
-
-
C:\Windows\SysWOW64\net1.exe"C:\Windows\System32\net1.exe"4⤵PID:9596
-
-
C:\Windows\SysWOW64\netbtugc.exe"C:\Windows\System32\netbtugc.exe"4⤵PID:8940
-
-
C:\Windows\SysWOW64\NetCfgNotifyObjectHost.exe"C:\Windows\System32\NetCfgNotifyObjectHost.exe"4⤵PID:9780
-
-
C:\Windows\SysWOW64\netiougc.exe"C:\Windows\System32\netiougc.exe"4⤵PID:9984
-
-
C:\Windows\SysWOW64\Netplwiz.exe"C:\Windows\System32\Netplwiz.exe"4⤵PID:10160
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\System32\netsh.exe"4⤵PID:5748
-
-
C:\Windows\SysWOW64\NETSTAT.EXE"C:\Windows\System32\NETSTAT.EXE"4⤵
- Gathers network information
PID:6492
-
-
C:\Windows\SysWOW64\newdev.exe"C:\Windows\System32\newdev.exe"4⤵PID:9504
-
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\System32\notepad.exe"4⤵PID:10144
-
-
C:\Windows\SysWOW64\nslookup.exe"C:\Windows\System32\nslookup.exe"4⤵PID:10128
-
-
C:\Windows\SysWOW64\ntprint.exe"C:\Windows\System32\ntprint.exe"4⤵PID:9680
-
-
C:\Windows\SysWOW64\odbcad32.exe"C:\Windows\System32\odbcad32.exe"4⤵PID:6420
-
-
C:\Windows\SysWOW64\odbcconf.exe"C:\Windows\System32\odbcconf.exe"4⤵PID:9548
-
-
C:\Windows\SysWOW64\OneDriveSetup.exe"C:\Windows\System32\OneDriveSetup.exe"4⤵PID:10072
-
C:\Windows\SysWOW64\OneDriveSetup.exe"C:\Windows\SysWOW64\OneDriveSetup.exe" C:\Windows\SysWOW64\OneDriveSetup.exe /permachine /childprocess /silent /renameReplaceOneDriveExe /renameReplaceODSUExe /cusid:S-1-5-21-970747758-134341002-3585657277-10005⤵PID:10872
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 10872 -s 13886⤵
- Program crash
PID:11148
-
-
-
C:\Windows\SysWOW64\OneDriveSetup.exeC:\Windows\SysWOW64\OneDriveSetup.exe /peruser /childprocess /renameReplaceOneDriveExe /renameReplaceODSUExe5⤵PID:10880
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 10880 -s 14446⤵
- Program crash
PID:11140
-
-
-
-
C:\Windows\SysWOW64\openfiles.exe"C:\Windows\System32\openfiles.exe"4⤵PID:9556
-
-
C:\Windows\SysWOW64\OpenWith.exe"C:\Windows\System32\OpenWith.exe"4⤵PID:9656
-
-
C:\Windows\SysWOW64\OposHost.exe"C:\Windows\System32\OposHost.exe"4⤵PID:9768
-
-
C:\Windows\SysWOW64\PackagedCWALauncher.exe"C:\Windows\System32\PackagedCWALauncher.exe"4⤵PID:9772
-
-
C:\Windows\SysWOW64\PasswordOnWakeSettingFlyout.exe"C:\Windows\System32\PasswordOnWakeSettingFlyout.exe"4⤵PID:5792
-
-
C:\Windows\SysWOW64\PATHPING.EXE"C:\Windows\System32\PATHPING.EXE"4⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:6316
-
-
C:\Windows\SysWOW64\pcaui.exe"C:\Windows\System32\pcaui.exe"4⤵PID:8748
-
-
C:\Windows\SysWOW64\perfhost.exe"C:\Windows\System32\perfhost.exe"4⤵PID:9612
-
-
C:\Windows\SysWOW64\perfmon.exe"C:\Windows\System32\perfmon.exe"4⤵PID:9560
-
C:\Windows\SysWOW64\mmc.exe"C:\Windows\system32\mmc.exe" "C:\Windows\system32\perfmon.msc" /325⤵PID:7072
-
-
-
C:\Windows\SysWOW64\PickerHost.exe"C:\Windows\System32\PickerHost.exe"4⤵PID:5792
-
-
C:\Windows\SysWOW64\PING.EXE"C:\Windows\System32\PING.EXE"4⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:8592
-
-
C:\Windows\SysWOW64\PkgMgr.exe"C:\Windows\System32\PkgMgr.exe"4⤵PID:6576
-
-
C:\Windows\SysWOW64\poqexec.exe"C:\Windows\System32\poqexec.exe"4⤵PID:10268
-
-
C:\Windows\SysWOW64\powercfg.exe"C:\Windows\System32\powercfg.exe"4⤵
- Power Settings
PID:10276
-
-
C:\Windows\SysWOW64\PresentationHost.exe"C:\Windows\System32\PresentationHost.exe"4⤵PID:10320
-
-
C:\Windows\SysWOW64\prevhost.exe"C:\Windows\System32\prevhost.exe"4⤵PID:10384
-
-
C:\Windows\SysWOW64\print.exe"C:\Windows\System32\print.exe"4⤵PID:10408
-
-
C:\Windows\SysWOW64\printui.exe"C:\Windows\System32\printui.exe"4⤵PID:10456
-
-
C:\Windows\SysWOW64\proquota.exe"C:\Windows\System32\proquota.exe"4⤵PID:10476
-
-
C:\Windows\SysWOW64\provlaunch.exe"C:\Windows\System32\provlaunch.exe"4⤵PID:10492
-
-
C:\Windows\SysWOW64\psr.exe"C:\Windows\System32\psr.exe"4⤵PID:10536
-
C:\Windows\system32\psr.exe"C:\Windows\system32\psr.exe"5⤵PID:10576
-
-
-
C:\Windows\SysWOW64\quickassist.exe"C:\Windows\System32\quickassist.exe"4⤵PID:10592
-
-
C:\Windows\SysWOW64\rasautou.exe"C:\Windows\System32\rasautou.exe"4⤵PID:10660
-
-
C:\Windows\SysWOW64\rasdial.exe"C:\Windows\System32\rasdial.exe"4⤵PID:10800
-
-
C:\Windows\SysWOW64\raserver.exe"C:\Windows\System32\raserver.exe"4⤵PID:10864
-
-
C:\Windows\SysWOW64\rasphone.exe"C:\Windows\System32\rasphone.exe"4⤵PID:10996
-
-
C:\Windows\SysWOW64\RdpSa.exe"C:\Windows\System32\RdpSa.exe"4⤵PID:11184
-
-
C:\Windows\SysWOW64\RdpSaProxy.exe"C:\Windows\System32\RdpSaProxy.exe"4⤵PID:11260
-
C:\Windows\SysWOW64\RdpSa.exe"C:\Windows\system32\RdpSa.exe"5⤵PID:10508
-
-
-
C:\Windows\SysWOW64\RdpSaUacHelper.exe"C:\Windows\System32\RdpSaUacHelper.exe"4⤵PID:10444
-
-
C:\Windows\SysWOW64\rdrleakdiag.exe"C:\Windows\System32\rdrleakdiag.exe"4⤵PID:3572
-
-
C:\Windows\SysWOW64\ReAgentc.exe"C:\Windows\System32\ReAgentc.exe"4⤵PID:10520
-
-
C:\Windows\SysWOW64\recover.exe"C:\Windows\System32\recover.exe"4⤵PID:8200
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe"4⤵PID:10748
-
-
C:\Windows\SysWOW64\regedit.exe"C:\Windows\System32\regedit.exe"4⤵
- Runs regedit.exe
PID:10816
-
-
C:\Windows\SysWOW64\regedt32.exe"C:\Windows\System32\regedt32.exe"4⤵PID:10936
-
C:\Windows\SysWOW64\regedit.exe"C:\Windows\regedit.exe"5⤵
- Runs regedit.exe
PID:10852
-
-
-
C:\Windows\SysWOW64\regini.exe"C:\Windows\System32\regini.exe"4⤵PID:10928
-
-
C:\Windows\SysWOW64\Register-CimProvider.exe"C:\Windows\System32\Register-CimProvider.exe"4⤵PID:5280
-
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\System32\regsvr32.exe"4⤵PID:11088
-
-
C:\Windows\SysWOW64\rekeywiz.exe"C:\Windows\System32\rekeywiz.exe"4⤵PID:11060
-
-
C:\Windows\SysWOW64\relog.exe"C:\Windows\System32\relog.exe"4⤵PID:1356
-
-
C:\Windows\SysWOW64\replace.exe"C:\Windows\System32\replace.exe"4⤵PID:11144
-
-
C:\Windows\SysWOW64\resmon.exe"C:\Windows\System32\resmon.exe"4⤵PID:11160
-
C:\Windows\SysWOW64\perfmon.exe"C:\Windows\System32\perfmon.exe" /res5⤵PID:10920
-
C:\Windows\system32\perfmon.exe"C:\Windows\Sysnative\perfmon.exe" /res6⤵PID:10476
-
-
-
-
C:\Windows\SysWOW64\RMActivate.exe"C:\Windows\System32\RMActivate.exe"4⤵PID:11148
-
-
C:\Windows\SysWOW64\RMActivate_isv.exe"C:\Windows\System32\RMActivate_isv.exe"4⤵PID:8340
-
-
C:\Windows\SysWOW64\RMActivate_ssp.exe"C:\Windows\System32\RMActivate_ssp.exe"4⤵PID:9444
-
-
C:\Windows\SysWOW64\RMActivate_ssp_isv.exe"C:\Windows\System32\RMActivate_ssp_isv.exe"4⤵PID:6012
-
-
C:\Windows\SysWOW64\RmClient.exe"C:\Windows\System32\RmClient.exe"4⤵PID:8336
-
-
C:\Windows\SysWOW64\Robocopy.exe"C:\Windows\System32\Robocopy.exe"4⤵PID:10768
-
-
C:\Windows\SysWOW64\ROUTE.EXE"C:\Windows\System32\ROUTE.EXE"4⤵PID:10936
-
-
C:\Windows\SysWOW64\RpcPing.exe"C:\Windows\System32\RpcPing.exe"4⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:11028
-
-
C:\Windows\SysWOW64\rrinstaller.exe"C:\Windows\System32\rrinstaller.exe"4⤵PID:11040
-
-
C:\Windows\SysWOW64\runas.exe"C:\Windows\System32\runas.exe"4⤵
- Access Token Manipulation: Create Process with Token
PID:11248
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe"4⤵PID:5448
-
-
C:\Windows\SysWOW64\RunLegacyCPLElevated.exe"C:\Windows\System32\RunLegacyCPLElevated.exe"4⤵PID:8764
-
-
C:\Windows\SysWOW64\runonce.exe"C:\Windows\System32\runonce.exe"4⤵PID:5644
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe"4⤵
- Launches sc.exe
PID:11004
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe"4⤵PID:10876
-
-
C:\Windows\SysWOW64\sdbinst.exe"C:\Windows\System32\sdbinst.exe"4⤵PID:5032
-
-
C:\Windows\SysWOW64\sdchange.exe"C:\Windows\System32\sdchange.exe"4⤵PID:3524
-
-
C:\Windows\SysWOW64\sdiagnhost.exe"C:\Windows\System32\sdiagnhost.exe"4⤵PID:8304
-
-
C:\Windows\SysWOW64\SearchFilterHost.exe"C:\Windows\System32\SearchFilterHost.exe"4⤵PID:10656
-
-
C:\Windows\SysWOW64\SearchIndexer.exe"C:\Windows\System32\SearchIndexer.exe"4⤵PID:5508
-
-
C:\Windows\SysWOW64\SearchProtocolHost.exe"C:\Windows\System32\SearchProtocolHost.exe"4⤵PID:6300
-
-
C:\Windows\SysWOW64\SecEdit.exe"C:\Windows\System32\SecEdit.exe"4⤵PID:10512
-
-
C:\Windows\SysWOW64\secinit.exe"C:\Windows\System32\secinit.exe"4⤵PID:10936
-
-
C:\Windows\SysWOW64\sethc.exe"C:\Windows\System32\sethc.exe"4⤵PID:7044
-
-
C:\Windows\SysWOW64\setup16.exe"C:\Windows\System32\setup16.exe"4⤵PID:10788
-
-
C:\Windows\SysWOW64\setupugc.exe"C:\Windows\System32\setupugc.exe"4⤵PID:6796
-
-
C:\Windows\SysWOW64\setx.exe"C:\Windows\System32\setx.exe"4⤵PID:11076
-
-
C:\Windows\SysWOW64\sfc.exe"C:\Windows\System32\sfc.exe"4⤵PID:10772
-
-
C:\Windows\SysWOW64\shrpubw.exe"C:\Windows\System32\shrpubw.exe"4⤵PID:8000
-
-
C:\Windows\SysWOW64\shutdown.exe"C:\Windows\System32\shutdown.exe"4⤵PID:11108
-
-
C:\Windows\SysWOW64\SndVol.exe"C:\Windows\System32\SndVol.exe"4⤵PID:8584
-
-
C:\Windows\SysWOW64\sort.exe"C:\Windows\System32\sort.exe"4⤵PID:5924
-
-
C:\Windows\SysWOW64\SpatialAudioLicenseSrv.exe"C:\Windows\System32\SpatialAudioLicenseSrv.exe"4⤵PID:7196
-
-
C:\Windows\SysWOW64\srdelayed.exe"C:\Windows\System32\srdelayed.exe"4⤵PID:7188
-
-
C:\Windows\SysWOW64\stordiag.exe"C:\Windows\System32\stordiag.exe"4⤵PID:6552
-
C:\Windows\SYSTEM32\fltmc.exe"fltmc.exe" volumes5⤵PID:9080
-
-
C:\Windows\SYSTEM32\fltmc.exe"fltmc.exe" instances5⤵PID:7256
-
-
C:\Windows\SYSTEM32\fltmc.exe"fltmc.exe" filters5⤵PID:9876
-
-
-
C:\Windows\SysWOW64\subst.exe"C:\Windows\System32\subst.exe"4⤵PID:5352
-
-
C:\Windows\SysWOW64\svchost.exe"C:\Windows\System32\svchost.exe"4⤵PID:3776
-
-
C:\Windows\SysWOW64\sxstrace.exe"C:\Windows\System32\sxstrace.exe"4⤵PID:10680
-
-
C:\Windows\SysWOW64\SyncHost.exe"C:\Windows\System32\SyncHost.exe"4⤵PID:480
-
-
C:\Windows\SysWOW64\systeminfo.exe"C:\Windows\System32\systeminfo.exe"4⤵
- Gathers system information
PID:7560
-
-
C:\Windows\SysWOW64\SystemPropertiesAdvanced.exe"C:\Windows\System32\SystemPropertiesAdvanced.exe"4⤵PID:6636
-
-
C:\Windows\SysWOW64\SystemPropertiesComputerName.exe"C:\Windows\System32\SystemPropertiesComputerName.exe"4⤵PID:6704
-
-
C:\Windows\SysWOW64\SystemPropertiesDataExecutionPrevention.exe"C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe"4⤵PID:1928
-
-
C:\Windows\SysWOW64\SystemPropertiesHardware.exe"C:\Windows\System32\SystemPropertiesHardware.exe"4⤵PID:3188
-
-
C:\Windows\SysWOW64\SystemPropertiesPerformance.exe"C:\Windows\System32\SystemPropertiesPerformance.exe"4⤵PID:10676
-
-
C:\Windows\SysWOW64\SystemPropertiesProtection.exe"C:\Windows\System32\SystemPropertiesProtection.exe"4⤵PID:3056
-
-
C:\Windows\SysWOW64\SystemPropertiesRemote.exe"C:\Windows\System32\SystemPropertiesRemote.exe"4⤵PID:8756
-
-
C:\Windows\SysWOW64\SystemUWPLauncher.exe"C:\Windows\System32\SystemUWPLauncher.exe"4⤵PID:5152
-
-
C:\Windows\SysWOW64\systray.exe"C:\Windows\System32\systray.exe"4⤵PID:9732
-
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\System32\takeown.exe"4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5260
-
-
C:\Windows\SysWOW64\TapiUnattend.exe"C:\Windows\System32\TapiUnattend.exe"4⤵PID:7884
-
-
C:\Windows\SysWOW64\tar.exe"C:\Windows\System32\tar.exe"4⤵PID:8648
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe"4⤵
- Kills process with taskkill
PID:9072
-
-
C:\Windows\SysWOW64\tasklist.exe"C:\Windows\System32\tasklist.exe"4⤵
- Enumerates processes with tasklist
PID:10872
-
-
C:\Windows\SysWOW64\Taskmgr.exe"C:\Windows\System32\Taskmgr.exe"4⤵PID:7592
-
-
C:\Windows\SysWOW64\tcmsetup.exe"C:\Windows\System32\tcmsetup.exe"4⤵PID:6776
-
-
C:\Windows\SysWOW64\TCPSVCS.EXE"C:\Windows\System32\TCPSVCS.EXE"4⤵PID:10808
-
-
C:\Windows\SysWOW64\ThumbnailExtractionHost.exe"C:\Windows\System32\ThumbnailExtractionHost.exe"4⤵PID:10936
-
-
C:\Windows\SysWOW64\timeout.exe"C:\Windows\System32\timeout.exe"4⤵
- Delays execution with timeout.exe
PID:9920
-
-
C:\Windows\SysWOW64\TokenBrokerCookies.exe"C:\Windows\System32\TokenBrokerCookies.exe"4⤵PID:6704
-
-
C:\Windows\SysWOW64\TpmInit.exe"C:\Windows\System32\TpmInit.exe"4⤵PID:9416
-
-
C:\Windows\SysWOW64\TpmTool.exe"C:\Windows\System32\TpmTool.exe"4⤵PID:9608
-
-
C:\Windows\SysWOW64\tracerpt.exe"C:\Windows\System32\tracerpt.exe"4⤵PID:10212
-
-
C:\Windows\SysWOW64\TRACERT.EXE"C:\Windows\System32\TRACERT.EXE"4⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:10452
-
-
C:\Windows\SysWOW64\TSTheme.exe"C:\Windows\System32\TSTheme.exe"4⤵PID:10180
-
-
C:\Windows\SysWOW64\TsWpfWrp.exe"C:\Windows\System32\TsWpfWrp.exe"4⤵PID:5392
-
-
C:\Windows\SysWOW64\ttdinject.exe"C:\Windows\System32\ttdinject.exe"4⤵PID:6700
-
-
C:\Windows\SysWOW64\tttracer.exe"C:\Windows\System32\tttracer.exe"4⤵PID:5176
-
-
C:\Windows\SysWOW64\typeperf.exe"C:\Windows\System32\typeperf.exe"4⤵PID:5032
-
-
C:\Windows\SysWOW64\tzutil.exe"C:\Windows\System32\tzutil.exe"4⤵PID:11068
-
-
C:\Windows\SysWOW64\unlodctr.exe"C:\Windows\System32\unlodctr.exe"4⤵PID:10660
-
-
C:\Windows\SysWOW64\unregmp2.exe"C:\Windows\System32\unregmp2.exe"4⤵PID:9920
-
C:\Windows\system32\unregmp2.exe"C:\Windows\SysNative\unregmp2.exe" /REENTRANT5⤵PID:10212
-
-
-
C:\Windows\SysWOW64\upnpcont.exe"C:\Windows\System32\upnpcont.exe"4⤵PID:10908
-
-
C:\Windows\SysWOW64\user.exe"C:\Windows\System32\user.exe"4⤵PID:6616
-
-
C:\Windows\SysWOW64\UserAccountBroker.exe"C:\Windows\System32\UserAccountBroker.exe"4⤵PID:5620
-
-
C:\Windows\SysWOW64\UserAccountControlSettings.exe"C:\Windows\System32\UserAccountControlSettings.exe"4⤵PID:2004
-
-
C:\Windows\SysWOW64\userinit.exe"C:\Windows\System32\userinit.exe"4⤵PID:32
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE5⤵PID:4192
-
-
-
C:\Windows\SysWOW64\Utilman.exe"C:\Windows\System32\Utilman.exe"4⤵PID:4608
-
-
C:\Windows\SysWOW64\verclsid.exe"C:\Windows\System32\verclsid.exe"4⤵PID:1172
-
-
C:\Windows\SysWOW64\verifiergui.exe"C:\Windows\System32\verifiergui.exe"4⤵PID:3336
-
-
C:\Windows\SysWOW64\w32tm.exe"C:\Windows\System32\w32tm.exe"4⤵PID:820
-
C:\Windows\system32\w32tm.exe"C:\Windows\System32\w32tm.exe"5⤵PID:2824
-
-
-
C:\Windows\SysWOW64\waitfor.exe"C:\Windows\System32\waitfor.exe"4⤵PID:1972
-
-
C:\Windows\SysWOW64\wecutil.exe"C:\Windows\System32\wecutil.exe"4⤵PID:10528
-
-
C:\Windows\SysWOW64\WerFault.exe"C:\Windows\System32\WerFault.exe"4⤵PID:5364
-
-
C:\Windows\SysWOW64\WerFaultSecure.exe"C:\Windows\System32\WerFaultSecure.exe"4⤵PID:10600
-
-
C:\Windows\SysWOW64\wermgr.exe"C:\Windows\System32\wermgr.exe"4⤵PID:1144
-
-
C:\Windows\SysWOW64\wevtutil.exe"C:\Windows\System32\wevtutil.exe"4⤵PID:5552
-
-
C:\Windows\SysWOW64\wextract.exe"C:\Windows\System32\wextract.exe"4⤵PID:2484
-
-
C:\Windows\SysWOW64\where.exe"C:\Windows\System32\where.exe"4⤵PID:11124
-
-
C:\Windows\SysWOW64\whoami.exe"C:\Windows\System32\whoami.exe"4⤵PID:10808
-
-
C:\Windows\SysWOW64\wiaacmgr.exe"C:\Windows\System32\wiaacmgr.exe"4⤵PID:7560
-
-
C:\Windows\SysWOW64\Windows.Media.BackgroundPlayback.exe"C:\Windows\System32\Windows.Media.BackgroundPlayback.exe"4⤵PID:10452
-
-
C:\Windows\SysWOW64\Windows.WARP.JITService.exe"C:\Windows\System32\Windows.WARP.JITService.exe"4⤵PID:8648
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 8648 -s 2365⤵
- Program crash
PID:852
-
-
-
C:\Windows\SysWOW64\winrs.exe"C:\Windows\System32\winrs.exe"4⤵PID:7736
-
-
C:\Windows\SysWOW64\winrshost.exe"C:\Windows\System32\winrshost.exe"4⤵PID:5624
-
-
C:\Windows\SysWOW64\WinRTNetMUAHostServer.exe"C:\Windows\System32\WinRTNetMUAHostServer.exe"4⤵PID:5696
-
-
-
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x00000000000004DC 0x00000000000004E01⤵
- Suspicious use of AdjustPrivilegeToken
PID:4852
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k AarSvcGroup -p -s AarSvc1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3712
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Suspicious use of SetWindowsHookEx
PID:3800
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵PID:3992
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding1⤵PID:5796
-
C:\Windows\SysWOW64\DllHost.exe | C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B} | PID 5996
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 6100 -ip 6100 | PID 4912
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc | PID 5904
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService | PID 6544
    C:\Windows\system32\dashost.exe | dashost.exe {8f2c8669-9cc5-4f33-9d99fbe439020899} | PID 6656
    C:\Windows\system32\dashost.exe | dashost.exe {9a67948a-716e-46d4-bbf330c1b70c9faa} | PID 6924
    C:\Windows\system32\dashost.exe | dashost.exe {1b3af844-aeff-48a8-927c08dace1d9ffd} | PID 6180
C:\Windows\system32\dllhost.exe | C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} | PID 6592
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv | PID 6812
C:\Windows\System32\msdtc.exe | C:\Windows\System32\msdtc.exe | PID 6904
C:\Windows\System32\vdsldr.exe | C:\Windows\System32\vdsldr.exe -Embedding | PID 7084
C:\Windows\System32\vds.exe | C:\Windows\System32\vds.exe | PID 6276
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k McpManagementServiceGroup | PID 5960
C:\Windows\explorer.exe | C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding | PID 7188
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService | PID 7248
C:\Windows\System32\CompPkgSrv.exe | C:\Windows\System32\CompPkgSrv.exe -Embedding | PID 8276
C:\Windows\System32\CompPkgSrv.exe | C:\Windows\System32\CompPkgSrv.exe -Embedding | PID 8444
C:\Windows\SysWOW64\DllHost.exe | C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B} | PID 9584
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 10880 -ip 10880 | PID 11060
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 10872 -ip 10872 | PID 11072
C:\Windows\SysWOW64\DllHost.exe | C:\Windows\SysWOW64\DllHost.exe /Processid:{EA2C6B24-C590-457B-BAC8-4A0F9B13B5B8} | PID 3564
C:\Windows\system32\utilman.exe | utilman.exe /debug | PID 4692
C:\Windows\SysWOW64\DllHost.exe | C:\Windows\SysWOW64\DllHost.exe /Processid:{06C792F8-6212-4F39-BF70-E8C0AC965C23} | PID 3324
C:\Windows\SysWOW64\wiaacmgr.exe | C:\Windows\SysWOW64\wiaacmgr.exe -Embedding | PID 1424
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 8648 -ip 8648 | PID 9884
C:\Windows\System32\wiawow64.exe | C:\Windows\System32\wiawow64.exe -Embedding | PID 8576
Network
MITRE ATT&CK Enterprise v15

Persistence
    Event Triggered Execution (1)
        Accessibility Features (1)
    Power Settings (1)
    Pre-OS Boot (1)
        Bootkit (1)
Privilege Escalation
    Access Token Manipulation (1)
        Create Process with Token (1)
    Event Triggered Execution (1)
        Accessibility Features (1)
Defense Evasion
    Access Token Manipulation (1)
        Create Process with Token (1)
    File and Directory Permissions Modification (1)
    Hide Artifacts (1)
        Hidden Files and Directories (1)
    Pre-OS Boot (1)
        Bootkit (1)
    Subvert Trust Controls (1)
        SIP and Trust Provider Hijacking (1)
Discovery
    Peripheral Device Discovery (1)
    Process Discovery (1)
    Query Registry (3)
    Remote System Discovery (1)
    System Information Discovery (5)
    System Location Discovery (1)
        System Language Discovery (1)
    System Network Configuration Discovery (1)
        Internet Connection Discovery (1)
Downloads