Analysis
-
max time kernel
1606s -
max time network
1570s -
platform
windows11-21h2_x64 -
resource
win11-20241007-en -
resource tags
arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system -
submitted
24-10-2024 15:28
General
-
Target
@Cybnux_XWorm_v5.6_Cracker.rar
-
Size
19.7MB
-
MD5
0b87bf0a97079e39453d580707339f8d
-
SHA1
e6cc2b04766f9942c90caba2046bfbd936210d2b
-
SHA256
17ff9f594f93a70b84c110c94e0341d2385260642e4f036cf2fda381c66be4ba
-
SHA512
514c4ee3c37e4f1d92e8ba980c1d64cfd8b2bcb4b5daecffa527bd43850a9bac737e362244bda78970b3d044bca51ebc9ad95bfc868a9808dd44c965913ca2bb
-
SSDEEP
393216:rya9e39neJPF6z48TCtSTNzFpatK/GGQLmHbOoe47Q3pOHT3DEu8tlI:ry33USlWANzv85y7Jeh3kbsC
Malware Config
Extracted
xworm
5.0
127.0.0.1:7000
BvnN4Uiu1lHu4rUW
-
install_file
USB.exe
Extracted
xworm
127.0.0.1:7000
-
install_file
USB.exe
Signatures
-
Detect Xworm Payload 6 IoCs
resource yara_rule behavioral1/files/0x004600000002ac0f-223.dat family_xworm behavioral1/files/0x001a00000002ac1e-238.dat family_xworm behavioral1/memory/3876-551-0x0000000000390000-0x000000000039E000-memory.dmp family_xworm behavioral1/files/0x002600000002ac25-1272.dat family_xworm behavioral1/memory/3532-1316-0x0000000000E70000-0x0000000000E9C000-memory.dmp family_xworm behavioral1/files/0x001d00000002ad30-2148.dat family_xworm -
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 1 IoCs
resource yara_rule behavioral1/memory/3876-675-0x000000001C1A0000-0x000000001C2C0000-memory.dmp family_stormkitty -
Download via BitsAdmin 1 TTPs 2 IoCs
pid Process 4116 bitsadmin.exe 6028 bitsadmin.exe -
Executes dropped EXE 6 IoCs
pid Process 2712 XWorm V5.6.exe 3876 scanner.pdf.exe 3532 XClient.exe 5876 Output.exe 2284 XClient.exe 2304 niggg.pdf.exe -
Loads dropped DLL 1 IoCs
pid Process 3532 XClient.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution 1 TTPs
-
resource yara_rule behavioral1/files/0x001900000002ac08-140.dat vmprotect behavioral1/memory/2712-143-0x0000029690960000-0x000002969286E000-memory.dmp vmprotect -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
flow ioc 10 pastebin.com 17 pastebin.com 18 pastebin.com -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 11 ip-api.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 13 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AcroRd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RdrCEF.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RdrCEF.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bitsadmin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mshta.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bitsadmin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AcroRd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RdrCEF.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RdrCEF.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RdrCEF.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RdrCEF.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mshta.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AcroRd32.exe -
Checks processor information in registry 2 TTPs 16 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 AcroRd32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz AcroRd32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 scanner.pdf.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier scanner.pdf.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz AcroRd32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 AcroRd32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz AcroRd32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 AcroRd32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe -
Enumerates system info in registry 2 TTPs 10 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion XWorm V5.6.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS scanner.pdf.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSReleaseDate scanner.pdf.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName scanner.pdf.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS XWorm V5.6.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer XWorm V5.6.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion scanner.pdf.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Internet Explorer\TypedURLs XWorm V5.6.exe Key created \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION AcroRd32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\SniffedFolderType = "Pictures" XWorm V5.6.exe Key created \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg XWorm V5.6.exe Key created \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0 XWorm V5.6.exe Set value (data) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 XWorm V5.6.exe Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5FA96407-7E77-483C-AC93-691D05850DE8}\GroupByKey:PID = "0" XWorm V5.6.exe Set value (data) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 XWorm V5.6.exe Key created \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg XWorm V5.6.exe Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" XWorm V5.6.exe Key created \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\3\0\0\0\0\0 XWorm V5.6.exe Key created \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11 XWorm V5.6.exe Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5FA96407-7E77-483C-AC93-691D05850DE8}\IconSize = "96" XWorm V5.6.exe Set value (data) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 XWorm V5.6.exe Set value (data) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\3 = 19002f433a5c000000000000000000000000000000000000000000 XWorm V5.6.exe Set value (data) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\3\0\0\MRUListEx = 00000000ffffffff XWorm V5.6.exe Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193" XWorm V5.6.exe Set value (str) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic" XWorm V5.6.exe Key created \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\3 XWorm V5.6.exe Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\GroupByKey:PID = "0" XWorm V5.6.exe Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" XWorm V5.6.exe Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295" XWorm V5.6.exe Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\GroupByKey:PID = "0" XWorm V5.6.exe Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5FA96407-7E77-483C-AC93-691D05850DE8}\GroupByDirection = "1" XWorm V5.6.exe Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1" XWorm V5.6.exe Key created \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} XWorm V5.6.exe Key created \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg XWorm V5.6.exe Set value (data) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\3\0\0\0\0\MRUListEx = 00000000ffffffff XWorm V5.6.exe Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\FFlags = "1092616257" XWorm V5.6.exe Set value (data) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 03000000000000000600000005000000040000000200000001000000ffffffff XWorm V5.6.exe Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{94D6DDCC-4A68-4175-A374-BD584A510B78}\GroupView = "0" XWorm V5.6.exe Key created \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12 XWorm V5.6.exe Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" XWorm V5.6.exe Set value (data) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 XWorm V5.6.exe Set value (data) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202 XWorm V5.6.exe Set value (data) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 05000000030000000000000006000000040000000200000001000000ffffffff XWorm V5.6.exe Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{94D6DDCC-4A68-4175-A374-BD584A510B78}\LogicalViewMode = "1" XWorm V5.6.exe Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{94D6DDCC-4A68-4175-A374-BD584A510B78}\FFlags = "1092616257" XWorm V5.6.exe Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\GroupView = "0" XWorm V5.6.exe Key created \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings XWorm V5.6.exe Key created \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell XWorm V5.6.exe Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\GroupView = "0" XWorm V5.6.exe Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{94D6DDCC-4A68-4175-A374-BD584A510B78}\GroupByKey:PID = "0" XWorm V5.6.exe Key created \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\Shell XWorm V5.6.exe Set value (data) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 05000000010000000000000006000000030000000400000002000000ffffffff XWorm V5.6.exe Set value (data) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000010000000500000006000000030000000400000002000000ffffffff XWorm V5.6.exe Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1" XWorm V5.6.exe Set value (data) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff XWorm V5.6.exe Set value (data) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 010000000000000002000000ffffffff XWorm V5.6.exe Key created \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\5 XWorm V5.6.exe Set value (data) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000060000000500000003000000040000000200000001000000ffffffff XWorm V5.6.exe Key created \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU XWorm V5.6.exe Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\NodeSlot = "3" XWorm V5.6.exe Set value (str) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\SniffedFolderType = "Generic" XWorm V5.6.exe Set value (data) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 XWorm V5.6.exe Key created \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5FA96407-7E77-483C-AC93-691D05850DE8} XWorm V5.6.exe Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14" XWorm V5.6.exe Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\IconSize = "96" XWorm V5.6.exe Set value (data) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 01000000000000000500000006000000030000000400000002000000ffffffff XWorm V5.6.exe Key created \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259} XWorm V5.6.exe Set value (data) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 XWorm V5.6.exe Set value (data) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{94D6DDCC-4A68-4175-A374-BD584A510B78}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000050000001800000030f125b7ef471a10a5f102608c9eebac0a000000a00000002e37a3569cced2119f0e006097c686f60700000028000000e0859ff2f94f6810ab9108002b27b3d902000000a00000002e37a3569cced2119f0e006097c686f602000000780000002e37a3569cced2119f0e006097c686f60400000088000000 XWorm V5.6.exe Key created \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg XWorm V5.6.exe Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\Mode = "1" XWorm V5.6.exe Set value (data) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5FA96407-7E77-483C-AC93-691D05850DE8}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 XWorm V5.6.exe Set value (data) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5FA96407-7E77-483C-AC93-691D05850DE8}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000050000001800000030f125b7ef471a10a5f102608c9eebac0a000000a0000000b474dbf787420341afbaf1b13dcd75cf64000000a000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000900444648b4cd1118b70080036b11a030300000078000000 XWorm V5.6.exe -
Suspicious behavior: EnumeratesProcesses 58 IoCs
pid Process 2712 XWorm V5.6.exe 2712 XWorm V5.6.exe 2712 XWorm V5.6.exe 2712 XWorm V5.6.exe 2712 XWorm V5.6.exe 2712 XWorm V5.6.exe 2712 XWorm V5.6.exe 2712 XWorm V5.6.exe 2712 XWorm V5.6.exe 2712 XWorm V5.6.exe 2712 XWorm V5.6.exe 2712 XWorm V5.6.exe 2712 XWorm V5.6.exe 2712 XWorm V5.6.exe 2712 XWorm V5.6.exe 2712 XWorm V5.6.exe 2712 XWorm V5.6.exe 2712 XWorm V5.6.exe 2712 XWorm V5.6.exe 2712 XWorm V5.6.exe 2712 XWorm V5.6.exe 2712 XWorm V5.6.exe 2712 XWorm V5.6.exe 2712 XWorm V5.6.exe 2712 XWorm V5.6.exe 2552 AcroRd32.exe 2552 AcroRd32.exe 2552 AcroRd32.exe 2552 AcroRd32.exe 2552 AcroRd32.exe 2552 AcroRd32.exe 2552 AcroRd32.exe 2552 AcroRd32.exe 2552 AcroRd32.exe 2552 AcroRd32.exe 2552 AcroRd32.exe 2552 AcroRd32.exe 2552 AcroRd32.exe 2552 AcroRd32.exe 2552 AcroRd32.exe 2552 AcroRd32.exe 2552 AcroRd32.exe 2552 AcroRd32.exe 2552 AcroRd32.exe 2552 AcroRd32.exe 1268 msedge.exe 1268 msedge.exe 4300 msedge.exe 4300 msedge.exe 4300 msedge.exe 4032 msedge.exe 4032 msedge.exe 2844 identity_helper.exe 2844 identity_helper.exe 4856 msedge.exe 4856 msedge.exe 4856 msedge.exe 4856 msedge.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process 4372 7zFM.exe 2712 XWorm V5.6.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs
pid Process 4300 msedge.exe 4300 msedge.exe 4300 msedge.exe 4300 msedge.exe 4300 msedge.exe 4300 msedge.exe 4300 msedge.exe 4300 msedge.exe 4300 msedge.exe 4300 msedge.exe 4300 msedge.exe -
Suspicious use of AdjustPrivilegeToken 18 IoCs
description pid Process Token: SeRestorePrivilege 4372 7zFM.exe Token: 35 4372 7zFM.exe Token: SeSecurityPrivilege 4372 7zFM.exe Token: 33 868 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 868 AUDIODG.EXE Token: SeDebugPrivilege 3876 scanner.pdf.exe Token: SeDebugPrivilege 2352 firefox.exe Token: SeDebugPrivilege 2352 firefox.exe Token: SeDebugPrivilege 2352 firefox.exe Token: SeDebugPrivilege 2352 firefox.exe Token: SeDebugPrivilege 2352 firefox.exe Token: SeDebugPrivilege 3532 XClient.exe Token: SeDebugPrivilege 2352 firefox.exe Token: SeDebugPrivilege 2352 firefox.exe Token: SeDebugPrivilege 2352 firefox.exe Token: SeDebugPrivilege 2352 firefox.exe Token: SeDebugPrivilege 2712 XWorm V5.6.exe Token: SeDebugPrivilege 2284 XClient.exe -
Suspicious use of FindShellTrayWindow 58 IoCs
pid Process 4372 7zFM.exe 4372 7zFM.exe 2712 XWorm V5.6.exe 4300 msedge.exe 4300 msedge.exe 4300 msedge.exe 4300 msedge.exe 4300 msedge.exe 4300 msedge.exe 4300 msedge.exe 4300 msedge.exe 4300 msedge.exe 4300 msedge.exe 4300 msedge.exe 4300 msedge.exe 4300 msedge.exe 4300 msedge.exe 4300 msedge.exe 4300 msedge.exe 4300 msedge.exe 4300 msedge.exe 4300 msedge.exe 4300 msedge.exe 4300 msedge.exe 4300 msedge.exe 4300 msedge.exe 4300 msedge.exe 4300 msedge.exe 2352 firefox.exe 2352 firefox.exe 2352 firefox.exe 2352 firefox.exe 2352 firefox.exe 2352 firefox.exe 2352 firefox.exe 2352 firefox.exe 2352 firefox.exe 2352 firefox.exe 2352 firefox.exe 2352 firefox.exe 2352 firefox.exe 2352 firefox.exe 2352 firefox.exe 2352 firefox.exe 2352 firefox.exe 2352 firefox.exe 2352 firefox.exe 2352 firefox.exe 2352 firefox.exe 4300 msedge.exe 4300 msedge.exe 4300 msedge.exe 4300 msedge.exe 4300 msedge.exe 4300 msedge.exe 4300 msedge.exe 4300 msedge.exe 2712 XWorm V5.6.exe -
Suspicious use of SendNotifyMessage 18 IoCs
pid Process 2712 XWorm V5.6.exe 4300 msedge.exe 4300 msedge.exe 4300 msedge.exe 4300 msedge.exe 4300 msedge.exe 4300 msedge.exe 4300 msedge.exe 4300 msedge.exe 4300 msedge.exe 4300 msedge.exe 4300 msedge.exe 4300 msedge.exe 4300 msedge.exe 4300 msedge.exe 4300 msedge.exe 4300 msedge.exe 2712 XWorm V5.6.exe -
Suspicious use of SetWindowsHookEx 41 IoCs
pid Process 2712 XWorm V5.6.exe 2712 XWorm V5.6.exe 2712 XWorm V5.6.exe 2712 XWorm V5.6.exe 2712 XWorm V5.6.exe 2552 AcroRd32.exe 2552 AcroRd32.exe 2552 AcroRd32.exe 2552 AcroRd32.exe 2552 AcroRd32.exe 2712 XWorm V5.6.exe 2712 XWorm V5.6.exe 2712 XWorm V5.6.exe 2352 firefox.exe 2712 XWorm V5.6.exe 2712 XWorm V5.6.exe 2712 XWorm V5.6.exe 2712 XWorm V5.6.exe 2712 XWorm V5.6.exe 2712 XWorm V5.6.exe 2712 XWorm V5.6.exe 2712 XWorm V5.6.exe 2712 XWorm V5.6.exe 2712 XWorm V5.6.exe 2712 XWorm V5.6.exe 2712 XWorm V5.6.exe 2712 XWorm V5.6.exe 2712 XWorm V5.6.exe 2712 XWorm V5.6.exe 3144 AcroRd32.exe 5948 AcroRd32.exe 2712 XWorm V5.6.exe 2712 XWorm V5.6.exe 2712 XWorm V5.6.exe 2712 XWorm V5.6.exe 2712 XWorm V5.6.exe 2712 XWorm V5.6.exe 2712 XWorm V5.6.exe 2712 XWorm V5.6.exe 2712 XWorm V5.6.exe 2712 XWorm V5.6.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2712 wrote to memory of 2920 2712 XWorm V5.6.exe 92 PID 2712 wrote to memory of 2920 2712 XWorm V5.6.exe 92 PID 2920 wrote to memory of 3100 2920 vbc.exe 94 PID 2920 wrote to memory of 3100 2920 vbc.exe 94 PID 2552 wrote to memory of 4188 2552 AcroRd32.exe 98 PID 2552 wrote to memory of 4188 2552 AcroRd32.exe 98 PID 2552 wrote to memory of 4188 2552 AcroRd32.exe 98 PID 4188 wrote to memory of 3056 4188 RdrCEF.exe 99 PID 4188 wrote to memory of 3056 4188 RdrCEF.exe 99 PID 4188 wrote to memory of 3056 4188 RdrCEF.exe 99 PID 4188 wrote to memory of 3056 4188 RdrCEF.exe 99 PID 4188 wrote to memory of 3056 4188 RdrCEF.exe 99 PID 4188 wrote to memory of 3056 4188 RdrCEF.exe 99 PID 4188 wrote to memory of 3056 4188 RdrCEF.exe 99 PID 4188 wrote to memory of 3056 4188 RdrCEF.exe 99 PID 4188 wrote to memory of 3056 4188 RdrCEF.exe 99 PID 4188 wrote to memory of 3056 4188 RdrCEF.exe 99 PID 4188 wrote to memory of 3056 4188 RdrCEF.exe 99 PID 4188 wrote to memory of 3056 4188 RdrCEF.exe 99 PID 4188 wrote to memory of 3056 4188 RdrCEF.exe 99 PID 4188 wrote to memory of 3056 4188 RdrCEF.exe 99 PID 4188 wrote to memory of 3056 4188 RdrCEF.exe 99 PID 4188 wrote to memory of 3056 4188 RdrCEF.exe 99 PID 4188 wrote to memory of 3056 4188 RdrCEF.exe 99 PID 4188 wrote to memory of 3056 4188 RdrCEF.exe 99 PID 4188 wrote to memory of 3056 4188 RdrCEF.exe 99 PID 4188 wrote to memory of 3056 4188 RdrCEF.exe 99 PID 4188 wrote to memory of 3056 4188 RdrCEF.exe 99 PID 4188 wrote to memory of 3056 4188 RdrCEF.exe 99 PID 4188 wrote to memory of 3056 4188 RdrCEF.exe 99 PID 4188 wrote to memory of 3056 4188 RdrCEF.exe 99 PID 4188 wrote to memory of 3056 4188 RdrCEF.exe 99 PID 4188 wrote to memory of 3056 4188 RdrCEF.exe 99 PID 4188 wrote to memory of 3056 4188 RdrCEF.exe 99 PID 4188 wrote to memory of 3056 4188 RdrCEF.exe 99 PID 4188 wrote to memory of 3056 4188 RdrCEF.exe 99 PID 4188 wrote to memory of 3056 4188 RdrCEF.exe 99 PID 4188 wrote to memory of 3056 4188 RdrCEF.exe 99 PID 4188 wrote to memory of 3056 4188 RdrCEF.exe 99 PID 4188 wrote to memory of 3056 4188 RdrCEF.exe 99 PID 4188 wrote to memory of 3056 4188 RdrCEF.exe 99 PID 4188 wrote to memory of 3056 4188 RdrCEF.exe 99 PID 4188 wrote to memory of 3056 4188 RdrCEF.exe 99 PID 4188 wrote to memory of 3056 4188 RdrCEF.exe 99 PID 4188 wrote to memory of 3056 4188 RdrCEF.exe 99 PID 4188 wrote to memory of 3056 4188 RdrCEF.exe 99 PID 4188 wrote to memory of 3056 4188 RdrCEF.exe 99 PID 4188 wrote to memory of 3056 4188 RdrCEF.exe 99 PID 4188 wrote to memory of 3792 4188 RdrCEF.exe 100 PID 4188 wrote to memory of 3792 4188 RdrCEF.exe 100 PID 4188 wrote to memory of 3792 4188 RdrCEF.exe 100 PID 4188 wrote to memory of 3792 4188 RdrCEF.exe 100 PID 4188 wrote to memory of 3792 4188 RdrCEF.exe 100 PID 4188 wrote to memory of 3792 4188 RdrCEF.exe 100 PID 4188 wrote to memory of 3792 4188 RdrCEF.exe 100 PID 4188 wrote to memory of 3792 4188 RdrCEF.exe 100 PID 4188 wrote to memory of 3792 4188 RdrCEF.exe 100 PID 4188 wrote to memory of 3792 4188 RdrCEF.exe 100 PID 4188 wrote to memory of 3792 4188 RdrCEF.exe 100 PID 4188 wrote to memory of 3792 4188 RdrCEF.exe 100 PID 4188 wrote to memory of 3792 4188 RdrCEF.exe 100 PID 4188 wrote to memory of 3792 4188 RdrCEF.exe 100 PID 4188 wrote to memory of 3792 4188 RdrCEF.exe 100 PID 4188 wrote to memory of 3792 4188 RdrCEF.exe 100 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\@Cybnux_XWorm_v5.6_Cracker.rar"1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4372
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:4184
-
C:\Users\Admin\Desktop\@Cybnux_XWorm_v5.6_Cracker\XWorm V5.6.exe"C:\Users\Admin\Desktop\@Cybnux_XWorm_v5.6_Cracker\XWorm V5.6.exe"1⤵
- Executes dropped EXE
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fdjhtwjq\fdjhtwjq.cmdline"2⤵
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC1EA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAED74D4C5F50478B961EDAB4AE7A636.TMP"3⤵PID:3100
-
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5z1jpnkj\5z1jpnkj.cmdline"2⤵PID:5208
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD9E9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc737A268C8BC549C981FC7FF32EEA0FC.TMP"3⤵PID:5408
-
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dh0aawez\dh0aawez.cmdline"2⤵PID:5396
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD30E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB146BDECC82407AB34754249D1E476.TMP"3⤵PID:5244
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/necrowolf_coder2⤵PID:2208
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ff9dba23cb8,0x7ff9dba23cc8,0x7ff9dba23cd83⤵PID:5520
-
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ik1e2nnw\ik1e2nnw.cmdline"2⤵PID:3960
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFB96.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc50CDAFD760F14528BFFB22B4E41899DD.TMP"3⤵PID:2308
-
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\v55pgall\v55pgall.cmdline"2⤵PID:2136
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBEB7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8DFC95DBDFCC4455A1B7CE3FAC461A1.TMP"3⤵PID:1888
-
-
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵PID:3792
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x00000000000004BC 0x00000000000004D41⤵
- Suspicious use of AdjustPrivilegeToken
PID:868
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Desktop\scanner.pdf"1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2552 -
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=165140432⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4188 -
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=46D701CA9EF0A534C43BE31FE3DC2BA7 --mojo-platform-channel-handle=1768 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:23⤵
- System Location Discovery: System Language Discovery
PID:3056
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=C7E42C916ABABF81C2961FBD617DDF86 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=C7E42C916ABABF81C2961FBD617DDF86 --renderer-client-id=2 --mojo-platform-channel-handle=1780 --allow-no-sandbox-job /prefetch:13⤵
- System Location Discovery: System Language Discovery
PID:3792
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=2E53A765C47B849FEC22830DA60BC9C9 --mojo-platform-channel-handle=2336 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:23⤵
- System Location Discovery: System Language Discovery
PID:3256
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=6520FEC78413310D49BEE22C8A106D76 --mojo-platform-channel-handle=1880 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:23⤵
- System Location Discovery: System Language Discovery
PID:2532
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=7D3CE4647930549C494AC9D2E1C213F5 --mojo-platform-channel-handle=2400 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:23⤵
- System Location Discovery: System Language Discovery
PID:964
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4496
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4300 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9dba23cb8,0x7ff9dba23cc8,0x7ff9dba23cd82⤵PID:4180
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1796,17295361681340146760,8528600472031783570,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1812 /prefetch:22⤵PID:5064
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1796,17295361681340146760,8528600472031783570,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2060 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:1268
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1796,17295361681340146760,8528600472031783570,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2532 /prefetch:82⤵PID:2588
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1796,17295361681340146760,8528600472031783570,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:12⤵PID:3232
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1796,17295361681340146760,8528600472031783570,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:12⤵PID:4000
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1796,17295361681340146760,8528600472031783570,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4904 /prefetch:12⤵PID:4460
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1796,17295361681340146760,8528600472031783570,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4936 /prefetch:12⤵PID:1892
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1796,17295361681340146760,8528600472031783570,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3464 /prefetch:12⤵PID:5060
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1796,17295361681340146760,8528600472031783570,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3200 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4032
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1796,17295361681340146760,8528600472031783570,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5400 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:2844
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1796,17295361681340146760,8528600472031783570,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3768 /prefetch:12⤵PID:2696
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1796,17295361681340146760,8528600472031783570,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:12⤵PID:2440
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1796,17295361681340146760,8528600472031783570,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3484 /prefetch:12⤵PID:3280
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1796,17295361681340146760,8528600472031783570,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:12⤵PID:2416
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1796,17295361681340146760,8528600472031783570,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4748 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:4856
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1796,17295361681340146760,8528600472031783570,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2944 /prefetch:12⤵PID:1832
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1796,17295361681340146760,8528600472031783570,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5864 /prefetch:12⤵PID:5704
-
-
C:\Users\Admin\Desktop\scanner.pdf.exe"C:\Users\Admin\Desktop\scanner.pdf.exe"1⤵
- Executes dropped EXE
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:3876
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵PID:4760
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2352 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2000 -parentBuildID 20240401114208 -prefsHandle 1916 -prefMapHandle 1908 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9c1216e6-82a0-464a-a696-750a92ffe8f9} 2352 "\\.\pipe\gecko-crash-server-pipe.2352" gpu3⤵PID:2440
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2392 -parentBuildID 20240401114208 -prefsHandle 2368 -prefMapHandle 2344 -prefsLen 23714 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1ab86149-78a0-46ee-8f89-8f70a8ed2379} 2352 "\\.\pipe\gecko-crash-server-pipe.2352" socket3⤵PID:3432
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2864 -childID 1 -isForBrowser -prefsHandle 2684 -prefMapHandle 2680 -prefsLen 23855 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e239d0b1-2bcd-41b6-91e4-df372b0b4478} 2352 "\\.\pipe\gecko-crash-server-pipe.2352" tab3⤵PID:4308
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3208 -childID 2 -isForBrowser -prefsHandle 3596 -prefMapHandle 3592 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {67f42931-c226-4ac6-af35-abe6f981d427} 2352 "\\.\pipe\gecko-crash-server-pipe.2352" tab3⤵PID:3168
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4428 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4356 -prefMapHandle 4380 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a5ceb0f8-91da-4c05-868d-ec0f10282d4c} 2352 "\\.\pipe\gecko-crash-server-pipe.2352" utility3⤵
- Checks processor information in registry
PID:5548
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5384 -childID 3 -isForBrowser -prefsHandle 5376 -prefMapHandle 5328 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2137c4a7-a8ca-4381-a065-5a9bfd0af0ca} 2352 "\\.\pipe\gecko-crash-server-pipe.2352" tab3⤵PID:6032
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5524 -childID 4 -isForBrowser -prefsHandle 5536 -prefMapHandle 5540 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3b2e372d-b50c-4e3c-abaf-cfc213beb483} 2352 "\\.\pipe\gecko-crash-server-pipe.2352" tab3⤵PID:6044
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5692 -childID 5 -isForBrowser -prefsHandle 5700 -prefMapHandle 5704 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2b0529b5-8a70-4819-a23d-591f4f87f650} 2352 "\\.\pipe\gecko-crash-server-pipe.2352" tab3⤵PID:6056
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6172 -childID 6 -isForBrowser -prefsHandle 5740 -prefMapHandle 6152 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2984977a-74f7-4d5e-bd40-566658eeb84e} 2352 "\\.\pipe\gecko-crash-server-pipe.2352" tab3⤵PID:5324
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\Downloader.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}1⤵
- System Location Discovery: System Language Discovery
PID:5488 -
C:\Windows\SysWOW64\bitsadmin.exe"C:\Windows\System32\bitsadmin.exe" /transfer 8 C:\Users\Admin\AppData\Roaming\result.pdf2⤵
- Download via BitsAdmin
- System Location Discovery: System Language Discovery
PID:4116
-
-
C:\Users\Admin\Desktop\XClient.exe"C:\Users\Admin\Desktop\XClient.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3532
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Desktop\@Cybnux_XWorm_v5.6_Cracker\Icons\resultdescanner.pdf"1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
PID:3144
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Desktop\@Cybnux_XWorm_v5.6_Cracker\Icons\resultdescanner.pdf"1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
PID:5948
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Music\Downloader.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}1⤵
- System Location Discovery: System Language Discovery
PID:3716 -
C:\Windows\SysWOW64\bitsadmin.exe"C:\Windows\System32\bitsadmin.exe" /transfer 8 C:\Users\Admin\AppData\Local\Temp\tester.pdf2⤵
- Download via BitsAdmin
- System Location Discovery: System Language Discovery
PID:6028
-
-
C:\Users\Admin\Desktop\Output.exe"C:\Users\Admin\Desktop\Output.exe"1⤵
- Executes dropped EXE
PID:5876 -
C:\Users\Admin\AppData\Roaming\XClient.exe"C:\Users\Admin\AppData\Roaming\XClient.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2284
-
-
C:\Users\Admin\Desktop\niggg.pdf.exe"C:\Users\Admin\Desktop\niggg.pdf.exe"1⤵
- Executes dropped EXE
PID:2304
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
36KB
MD5b30d3becc8731792523d599d949e63f5
SHA119350257e42d7aee17fb3bf139a9d3adb330fad4
SHA256b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3
SHA512523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e
-
Filesize
56KB
MD5752a1f26b18748311b691c7d8fc20633
SHA1c1f8e83eebc1cc1e9b88c773338eb09ff82ab862
SHA256111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131
SHA512a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5
-
Filesize
64KB
MD509d5a2e68239e9db3c328d71f55a4d0c
SHA10a7d6dcbbb6d47edf58e5d85891daffdc1bc6db0
SHA2561757ebb0016244015517605b02576ede0c1fd15fe79dfa6f502ac887962d984b
SHA5126e36a2539ada75fa1bdc914f7e86935bedc17801440584445cef7a6f444d39bd1cb33d0add6ebb463ca1900a95594664629c14bf24cf7f28e735a0ea06a6b9f6
-
Filesize
152B
MD5a28bb0d36049e72d00393056dce10a26
SHA1c753387b64cc15c0efc80084da393acdb4fc01d0
SHA256684d797e28b7fd86af84bfb217d190e4f5e03d92092d988a6091b2c7bbbd67c1
SHA51220940fee33aa2194c36a3db92d4fd314ce7eacc2aa745abec62aa031c2a53ba4ff89f2568626e7bd2536090175f8d045c3bb52c5faa5ecc8da8410ab5fc519f7
-
Filesize
152B
MD5554d6d27186fa7d6762d95dde7a17584
SHA193ea7b20b8fae384cf0be0d65e4295097112fdca
SHA2562fa6145571e1f1ece9850a1ac94661213d3e0d82f1cef7ac1286ff6b2c2017cb
SHA51257d9008ccabc315bd0e829b19fe91e24bab6ef20bcfab651b937b0f38eec840b58d0aed092a3bbedd2d6a95d5c150372a1e51087572de55672172adc1fc468a7
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize72B
MD58efc0a98152c835c359d022846936c2f
SHA1c795ecb98b848eb624ba93db8b6d290b0ebb32d6
SHA2569fa11ef1e645e10195f562f3def0b0f76ae552faf39af13864f17ede7a2fcabd
SHA512f5c8d3b04da220110ca81150158d486d687841569331f5030815e0bf2bf3f9da029271624c8a7de2191575eed699a2225b390a00ce490d6923abe76469cc8981
-
Filesize
312B
MD57e5384443a19d97fa3a62f452619c4c5
SHA14af248923d8598fd897773860e1ed63362015cc5
SHA256c9a2935336df4fa2dd464f34c280f6b45f01db7b70c71cae0c12abc220a5bc04
SHA5127ea798e2e1f5e477c69a90bd7237f5a815b6ee5eca2f546e395f64868cc21cb56e3aa0e6e3fa6fcb0a3c1e338f4c47bed10e3e63198190bc8cdaec76c4b1075c
-
Filesize
180B
MD5781f712234169a3d5217d656b97944d8
SHA1d5a92c7938ee15cba8e6533ec411891af74458f1
SHA256654d03bdf36ae7dde6005259a0e4a916ef40a33d8f0b90c2b7127fdff88a9338
SHA5125b8169ac078a32bfbb58b2c444717832cf094d244cee9a93cffc9e068612554d515bd5cd2f919f3e447c6fea6df12e8d5aa5e385684aa2a7cbaf1c6eae042e2d
-
Filesize
5KB
MD5df98367270c3241822b022583b9e3dcc
SHA19f0ae2edd8b6e0d227af9af8a37080c22e8e0183
SHA256b0559d223dbc64065d7f214573bb13b45031f238f11e38c63548533696cdee71
SHA512a3d16b6af7161bde5ea2e77ef596796ec585f35c9d53510b71ca934b115c6073e50b74b33f6b1bf9f5cf59cc450408d0aa70b5b43ed7586753312f5b3dd7370b
-
Filesize
6KB
MD504ba52c5ea5b3ae6e616d10cc482f5a6
SHA1041ef0a015702bdda19dfd4299aa46fd81158997
SHA256ad0835ad26e407ee69130b684db429f851b6cd7bdf7e4f14104e0076544859d8
SHA5127988255c6ead57e9fe8b2b6117d845d1dbf0b62e05920bb346d60241c699bf716815e49a6487216e461c7ccd10dc3799f70210e1baf81dc3b31ad02e0389f631
-
Filesize
6KB
MD5f6fa84b22854f0f2961001bc77b102a1
SHA1df36e7aa87194650fbbcc7bbd0c78f0c698f86c1
SHA2564180ec92f6e0bbcdec761292ef07753c3f5e0672b45567d7fcc0a35fbe2620ad
SHA512c2f4142ef5446a4640def4fb53404f14fda7d54e1acc99f2c08674fa6bda22259cca5f4eaeeab6ff3f556e56d3831373950b040da11b74979733d8445f62a66c
-
Filesize
6KB
MD5882d53be8b5cd8b69ac3a58a96ab7b4f
SHA1a631d86008f53fc1e9b00663e53f85af2722d36a
SHA25608f51eb75c147c90cee9eb9b78058d33294806bd301d8e780293ed4f886a858d
SHA51259ede0258dc73f70341a23379963b2e1f1f1df52697db35976e99fceccdf560e5af626b24d4b4726b02bdd0034e0a13b311f8bf985c2790de4355eb9f8034720
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD504df35656df7129b10f1dd05cd0337e2
SHA1539b5d607c988ba61f67e1f15f0baecffc26d2e1
SHA25671507236f58ae8bb267e9b9ce9e93fd1eeb43866a34db24a4e5142c81a94dc3a
SHA512d328af472a25399394846120a273a253bc30b38d20850dd4c4e4012a7a1cdde17ac13db587aa24a60129314ac7f5bd6e9fbf825050ad64580b89acacf3c9f519
-
Filesize
11KB
MD5cbc0aaef90447791eaf298ada9e99b10
SHA11e61af2eddf11d5965fe16c65c02b08d3eda1af4
SHA256a7a6958abbde9137f9ce98d895724be5c354e7ab17225c7e909878d420d9ae9f
SHA5124478712979416ba1dd09628afe7565ffd512072cc1427f56ed1a93417207d9915db4ece747fd275095d51e238c2bccb1055b2eb242fb98073ac6ce2138e1ba32
-
Filesize
11KB
MD5afc7fc71bc9cff7d99b808bb4724c524
SHA19831ae793985325313e6b0bb840b49b388204c5b
SHA256715d983cc2e59a1fdc35df9facecd5acc3053c4001bca9df6521b25dc5343adf
SHA512a347eeeac1b1803342b3e68893cd028a7e124fd88a4a75251284aa1090e0b952bdbc277243e031d7e555acf57c4f3e1f7dea226baf14bfb630a22c15c5cbcdc1
-
Filesize
11KB
MD5b331dcef7ccb1866f01f222dc13d5ff7
SHA142721737ecdb28f0af254cf6b5a5f85210c58c39
SHA256e3f0220d977fa9704e6ef8252513f5cc9f80b351c61e60d264fe92826d04bfb6
SHA5127aa76dfae055bc18b27e5af1d3b99203721735321c25439d08f60b2621142c3e6116d171ac43174abbb20c9ef6ad98e115a4269a4482f7e9f12176f3f5a4c145
-
Filesize
28KB
MD5f691deee231cc72fc83a8c34aa053502
SHA19652de8d4c8746e96ff4d847fc2dcb062b916f2e
SHA256cc00145c4910799c08f7ead2293aa110d27aceaa2c4838efa2e6c36d9f52b449
SHA512864fd50bfa512c9d89c2a2f6a436328cc231b18f4ba29cee7a1939cd56722f11d60da1988067e0e34a53bdf148e5e598df76405d3f639ae51d41aa52adcc9a1f
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\p38rro19.default-release\activity-stream.discovery_stream.json
Filesize20KB
MD52a72ca34398d49eaf055a645336d99ed
SHA13d586c97b731d63191a77d79858163adffb601ba
SHA2565ca028287f0e188a2baee6f935dfd18d80026dc8f9a174e0f85b5b95731a2e75
SHA5129d1cb62356c0ed98d47b7ed75bb55b53a63e31e7538001e7826fc889c4871074adda5a270a9445071fffdef262c6b6980ec854511cd92d36f550a8a437bd32be
-
Filesize
361KB
MD5e3143e8c70427a56dac73a808cba0c79
SHA163556c7ad9e778d5bd9092f834b5cc751e419d16
SHA256b2f57a23ecc789c1bbf6037ac0825bf98babc7bf0c5d438af5e2767a27a79188
SHA51274e0f4b55625df86a87b9315e4007be8e05bbecca4346a6ea06ef5b1528acb5a8bb636ef3e599a3820dbddcf69563a0a22e2c1062c965544fd75ec96fd9803fc
-
Filesize
1KB
MD5846d055d90dd1852b9710d7e8975991d
SHA1ca3ac43f87ab75493eff084a9d647c1cbb8febc9
SHA2565880be7350a10537939c5bdac54f7ceb87284ad5200d4d5425400f95f21b9f0e
SHA5124323fd5a6303d4f0592c8bc8c140975e45994b23804d39ad20b6f661b0feb7ffa3b54b1fab4a71261e9f6260a2312ae2462d3924b1afdb96fcef4c282167fd2a
-
Filesize
78KB
MD5df85449ab1643a0378210bf1fc7d22b8
SHA10348ad86a70957a05b6db93dc3c68d0a540bcb58
SHA256f8fe29ba6800663fd0b702b9a7c26df342fd0b7160e6b2664e4435710ea26fe1
SHA51266e29468454f14a178d2e92ad200a135ef313e75883686937e3a4b6b9a7ee2364ebd4ba17bec8d777d1bb1bdde2a215a85ed7352256ade5d8e8992ad5b7698ff
-
Filesize
290B
MD5138d1e3de80ba4c70b4ec50be9f0905f
SHA137b7dfd5da0ab8aadd5aa3cc8510605c78a3e2da
SHA2562395416200c56c10cc6ecb2755498c9744169fe01718adfca83926acf4fc4b1f
SHA512344c8cd3010fb1e5513625659f774499515edb306b0dcd701022dc07fdda4081fed5b8a9eed05ff92ae9b36e6a888aee9dc3113151d0175847f7ca851fd5c4f6
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
Filesize
1KB
MD5fd7df08e8218e5180d8a8714f4e6c563
SHA1c884a759b055b584a72a6c679b3658495092383f
SHA256c50d860e730a65ad119145f99684787c665504ec056b6d01c6bcb45ed4edac15
SHA51218a4d5f36e70c403dd911bd9de28b023986039faecf11f4db2a75021da8cd129984157a66ff3f0600bcda647da9e78999a9202eb62ef3228c18dcb2796c04689
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5Y8GA77YIKR7YJE753ZL.temp
Filesize9KB
MD51361e94c59353fdc4c8abc3656f3f5ac
SHA1362bbe27fa705d36956cb3ee166b24eac4ef09b6
SHA25658848680988e521324ec7109ca3c2397f3831853a95b0cb8d1f9e6078693b33a
SHA512a5c3fd32c9e5d161d339c8db60eaf3c54374010c3e3bf7a5d7eaf705fd52af63d3e17454f390ffd12aa02f5e6cef952d83dcfcb8d3897378f1ac67ce0de3b3cc
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p38rro19.default-release\AlternateServices.bin
Filesize8KB
MD5855e1dc7171fc9811fcf109445fc8fa0
SHA1080fb770883b2b79ae80e4f06cd1936d479ea214
SHA256af621a43cf07cb99a26223095701c6bd733b45708a1e4ddb2dc39beb2b3776ba
SHA512938df8e5e3f7b20480f6f739f78037b4abde3612d0e4406327e097684069867cc8c351da4d0967cd6cdb28fa5902f29ff76ea7ce551bc350f538b05ee470b0cd
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p38rro19.default-release\AlternateServices.bin
Filesize6KB
MD57b58804ecfb8266e3942b5c61d5edd35
SHA10854baa86b03dea564d504e8b1db3c426e70c624
SHA256273d685163d69deb50a858fe435c3d0b62b3c35c4850a11988b2c082520d535f
SHA5124ed83101c0f0e0db239bdff6ea043bc2bca3013083820428f4b4a0d25c6a747ee60d51003baa1240ea6c7ca328158df8e24487e70c394917f0208d3822c2030b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p38rro19.default-release\bookmarkbackups\bookmarks-2024-10-24_11_HqHz5fhuf3bPXr744nsEAg==.jsonlz4
Filesize998B
MD5a1992523a27b3f65bcf577742be2c5d8
SHA1c20013067a013b3022da8653587d8bf8e3b70065
SHA25666bcafc875b286cff7e4e6ae5f9bc2352557a03753489a189af156d25d011188
SHA512e4eda6e5c02425e0bf2ebdc9d13ebcd67f8e4d41cc9d4b16e60b514c9830e165f4f6cecded34de9d0eb0cd773ff52c744b9c55e351372b43ea05eaf12b92c33a
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p38rro19.default-release\datareporting\glean\db\data.safe.tmp
Filesize5KB
MD52516f983f2b70ffda7edb4ea504a4778
SHA1c23f365d85490c3a4061f560f88ea00c4e1319c1
SHA2565361b3ff7fd3526f43cd12b818c6dc64c3f4f3689619a2e92cde54f91256b942
SHA51260bbe55e821f22bf2870b99aabd67e9deaf6df11c6ede7be6755acc2d16f7eb76475b34347de746065f2e5b61e1adf7521a2343c1f27bd4328c792eb9ce0e0aa
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p38rro19.default-release\datareporting\glean\db\data.safe.tmp
Filesize6KB
MD570ed5a8108e237a044aebfcb2b592a93
SHA11cefce4b792852e4382b273abf752b921be50d7e
SHA2560eba0b4b3d56f68bfadb31c3ea6837c3fac764d73bf71e49c70b88deb5d8502e
SHA512505bb16c87d6cd1aa67372b1e1e1f032202d08459e0158817dc049f13763702c5a39553b48fc1398fc3177a383bc7ebf2b02aa0c23135827d8be0be856af19c8
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p38rro19.default-release\datareporting\glean\db\data.safe.tmp
Filesize6KB
MD52652247d7f781726984e87131cdb3d85
SHA16dc538fe883fec43c62d2d9897245e0fac4844b0
SHA25623bffd9589e81fbf22bdb6c8329ed1e1be496bde2d22a056980f194c881d5793
SHA512a0a0b06cd7c1158ff89502b9280784e3b6aa1d41be22a2cdd544479fe7a62653a18757b6247dd9fa02498005b744c13e833f274fc71573eca792bd2d98f5458e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p38rro19.default-release\datareporting\glean\db\data.safe.tmp
Filesize33KB
MD52323b3f250af2d943dac43fcd3a3a3ac
SHA1ed54db3e50079fb291e1edea7a27a6a4ef035057
SHA25662fa5b84ec48a1ec7901387caddfc54bd1da7854a14c8e43a6c46ba32ab74656
SHA51291cad506fe31836681b6d32f7d2ec98790b4a7e516bd8d8d883116f8b9b4745f3dd8a1bf1a68f953491d9b8c9134b342fc32e5d0b47f7e0b3dbc8eef08202c1c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p38rro19.default-release\datareporting\glean\db\data.safe.tmp
Filesize33KB
MD59bd076bab64a1dc5217fb275850dc958
SHA1b4808d1f34cfb5d7f0bab96452ed394eb263670d
SHA2566163d5df176fca4bebff92a939c10e9098213fc0a286ea114fb455106443b452
SHA512b87fee7517d7c3b13230cde92771602282a777d0f86166301e5cf2fc51010357173780cd2a9cf0f59416e954b99aacd5af67b162dec539e931bcec25a470381d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p38rro19.default-release\datareporting\glean\pending_pings\749fbf1e-472c-4186-a979-03d1af9e30f1
Filesize671B
MD50ebcb1834f7deeae74af62434f26c1bf
SHA1fa86b32dad33a19db72aaf2fa8b253e7378f3b00
SHA256f939a0e81e483a2c08484f4e147b25da972ff02dcfd5623248fc52d205e7f02c
SHA5129548d7e25df055afd501fd321a9c844bea0a72fad32f6acf14436bfe77f5ec5ceb541d49330e0d89ffeb6c25ed212850afeed016853a5157cbe7fe997aa9f393
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p38rro19.default-release\datareporting\glean\pending_pings\c805d655-cab8-42cf-9791-97805e02b7b8
Filesize982B
MD5bc34e351268bb5841437fcc0c80db684
SHA1763c05fe4ba7ed68c19d2e69cc72e69f26d8a33e
SHA256b6f02fb619fe1b9211e1362bcb217d0e323a7d18a2d24357baa44cd9e62d428f
SHA512352a42810bdbf0d3cd566be1cecfb872df2724641d5fc07de40a2a8b4037187e4377b2563dd88caa4feb5b93c145fbf0fbc4ca2ee4bc2a7260683bd644378238
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p38rro19.default-release\datareporting\glean\pending_pings\e7811f5b-3b00-49af-b2e2-c847d659f334
Filesize25KB
MD5ac76d03333e7c761734985416cb46ed7
SHA1186e50b129b8669750a9ca741753149a58b15f7f
SHA256e4909d2ef9040287ee4cf2a275143cba3ee410972caa8bdd8f8df4877fe68d85
SHA512c0018898704fb8792f94ab7018665630207530c2fdedd4e6ac8fb264b36551f053b46814713a1981076e45da7458891682fce4b2d5f8f7c62105e0ca00a892a8
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p38rro19.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p38rro19.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p38rro19.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p38rro19.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
11KB
MD53f22fe675c94672289f4cbca10d28239
SHA1254cab09f9f078122491ce129000554b5789489b
SHA2560745c75e3d2204e68dc63889131b9a2475055df92c559c1ffef3b5dc382c8918
SHA51222817788fa49bf3e701983370d7e4ff8b9303a0af0a4cf0fd6bdc8be1af6cf228d57a99e6fab7f5894a40248eec509b1fc13cf26c2f9ebe974d8290ebd8df075
-
Filesize
12KB
MD5c7efa679469cbae4904b8e6be4abc894
SHA154233e6a8035b2a4fff0715a530f755d62bbf2d0
SHA2560549f2e0df43a28eb6b613359a598896e746e940afc433af6240e6279237ff3b
SHA512642ee3fb6cc760bc2ac5604e9061c095a8179140afd335b662f71e0ebec78261e44112e8a87da84f8212bb402e11e3d0a77a75154b9bbdd47344a9a684b5c3f1
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p38rro19.default-release\sessionstore-backups\recovery.baklz4
Filesize5KB
MD5055acae237819d7f8a4b217f2ac5dcff
SHA13547d67609e80ab00f9a4f5f099fc33491694ab9
SHA256134d45c0ab58ab3b219870e2f6bc350ce69ebf5a6d451cdc66a940b6ca753bd1
SHA5122cfd9d19760f3ea7240fc33dd50170d1612fbbfcc1ad9ee280dd02cd4e635fc5d84b4f46816805fbd70deb6a39af8055e7afe3875881d91a5ba85215883016bc
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p38rro19.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize584KB
MD59e170d74ce6158e4d2d9ed5b3ac29f38
SHA1c9b6155ad4f3cd622bccaaf0e9fa12a0e6c6aca0
SHA25658b5e14feec90e157cc177bad95b7d0c1569c79b0cd3befbf205093e1979e8a0
SHA512da6a65a7e4c2ceef7c2547fcb84812eb7dce2d56db464e01ddb81a76e1b90ca17c93c0f2e627e222de511e757a1552cc9551e5b669de227270f5dca0b03f1001
-
Filesize
152KB
MD539e9d0fd9e9cfc63ada62ba1a30f47fc
SHA185baf494871476e6691079413b4ebe01cda55d5a
SHA256433c34264fbf9c10dd2be150d94ecc6c6ba586085a588d6b70e74da7fe141bd5
SHA512fda251aa12f994c55a06df594e39571b69bdb58673949830db016c166da9655ee10694f5bd52b4a3b1b02c0396af1f9a5b305dc85209a6541ab91c53659fde7f
-
Filesize
2.9MB
MD5819352ea9e832d24fc4cebb2757a462b
SHA1aba7e1b29bdcd0c5a307087b55c2ec0c7ca81f11
SHA25658c755fcfc65cddea561023d736e8991f0ad69da5e1378dea59e98c5db901b86
SHA5126a5b0e1553616ea29ec72c12072ae05bdd709468a173e8adbdfe391b072c001ecacb3dd879845f8d599c6152eca2530cdaa2c069b1f94294f778158eaaebe45a
-
Filesize
147KB
MD532a8742009ffdfd68b46fe8fd4794386
SHA1de18190d77ae094b03d357abfa4a465058cd54e3
SHA256741e1a8f05863856a25d101bd35bf97cba0b637f0c04ecb432c1d85a78ef1365
SHA51222418d5e887a6022abe8a7cbb0b6917a7478d468d211eecd03a95b8fb6452fc59db5178573e25d5d449968ead26bb0b2bfbfada7043c9a7a1796baca5235a82b
-
Filesize
1.2MB
MD58ef41798df108ce9bd41382c9721b1c9
SHA11e6227635a12039f4d380531b032bf773f0e6de0
SHA256bc07ff22d4ee0b6fafcc12482ecf2981c172a672194c647cedf9b4d215ad9740
SHA5124c62af04d4a141b94eb3e1b0dbf3669cb53fe9b942072ed7bea6a848d87d8994cff5a5f639ab70f424eb79a4b7adabdde4da6d2f02f995bd8d55db23ce99f01b
-
Filesize
1.9MB
MD5bcc0fe2b28edd2da651388f84599059b
SHA144d7756708aafa08730ca9dbdc01091790940a4f
SHA256c6264665a882e73eb2262a74fea2c29b1921a9af33180126325fb67a851310ef
SHA5123bfc3d27c095dde988f779021d0479c8c1de80a404454813c6cae663e3fe63dc636bffa7de1094e18594c9d608fa7420a0651509544722f2a00288f0b7719cc8
-
Filesize
97KB
MD54f409511e9f93f175cd18187379e94cb
SHA1598893866d60cd3a070279cc80fda49ee8c06c9b
SHA256115f0db669b624d0a7782a7cfaf6e7c17282d88de3a287855dbd6fe0f8551a8f
SHA5120d1f50243a3959968174aa3fd8f1a163946e9f7e743cbb2c9ef2492073f20da97949bf7d02c229096b97482ff725c08406e2e9aa72c820489535758470cf604f
-
Filesize
115KB
MD5ad1740cb3317527aa1acae6e7440311e
SHA17a0f8669ed1950db65632b01c489ed4d9aba434e
SHA2567a97547954aaad629b0563cc78bca75e3339e8408b70da2ed67fa73b4935d878
SHA512eee7807b78d4dd27b51cee07a6567e0d022180e007e1241266f4c53f1192c389be97332fcd9f0b8fda50627b40b8cf53027872304a68a210f4d754aa0243b0c2
-
Filesize
9KB
MD51c2cea154deedc5a39daec2f1dadf991
SHA16b130d79f314fa9e4015758dea5f331bbe1e8997
SHA2563b64b79e4092251ebf090164cd2c4815390f34849bbd76fb51085b6a13301b6d
SHA512dceebc1e6fdfe67afebaef1aff11dd23eda6fae79eb6b222de16edebdfebd8e45de896e501608254fb041824080cb41c81ac972032638407efc6bfeb930bfd00
-
Filesize
9KB
MD54ea9ab789f5ae96766e3f64c8a4e2480
SHA1423cb762ce81fab3b2b4c9066fe6ea197d691770
SHA25684b48ca52dfcd7c74171cf291d2ef1247c3c7591a56b538083834d82857fee50
SHA512f917059b6f85e4a25909a27cad38b1ef0659161c32df54860226ff3d858127d8da592ea9072ad41d5a9986dd8c04a37e9ad34e2251883a8c2f0933e6aa201414
-
Filesize
361KB
MD5e6fec4185b607e01a938fa405e0a6c6c
SHA1565e72809586e46700b74931e490e2dc1e7e3db1
SHA2562e2f17b7dd15007192e7cbbd0019355f8be58068dc5042323123724b99ae4b44
SHA51213daeb2bf124e573590359f18a1d962157dc635a88319c9ed1a2e8ccad6322fb081579e1e8fbe62ffe55c8286c2bc8acb251d572a4beb00641ad5009a380e513
-
Filesize
361KB
MD50c24edec606abda7c6570b7dcf439298
SHA14478a102892e5eb4bb1da8e9c62d17724965691a
SHA2568fc693238afc49a8098dac1762bfae891e818bb84749c6eef5f1b0c6c8ffddb2
SHA512f8de3ffb8f9fe1394b3626ae5616213d4612b43f0635fa9053d74ac6fe536657e796289487f245b8abff74f1de8368c0df8e56bf21f540366ed86a378649ea24
-
Filesize
97KB
MD514465d8d0f4688a4366c3bf163ba0a17
SHA19f1fa68a285db742e4834f7d670cae415ce6b3b6
SHA2563f3c5ce486e5b9fa88dc60b60916053e8808c69167df1a11287fd3cd6db1ca6e
SHA51201db4fac75136baf9c162265785877b21fba9c4b8d9dbe4e495191f15aa9c914e3d5baf1c4606041279a7138c7e5c8f4ccf6e64689354fc3fb3fa66ab3b1da2d
-
Filesize
66KB
MD5167425a3fa7114b1800aa903adc35b2a
SHA1601e8bd872ea31aff03721a0361e65a57b299cad
SHA25612f600b09c0db00877684a950fc14936ecc28df8f0ddc6821d68e4b82077ad92
SHA512586ce1360eb06f1df8e95ad178abfae7c9d41cba1be55276b3d3947d0504ca09185e543b7dbf1ba72dde4942ff626859a6d2e8a1faaaf6c5daaebd8740dcf538
-
Filesize
112KB
MD5f1463f4e1a6ef6cc6e290d46830d2da1
SHA1bda0d74a53c3f7aaf0da0f375d0c1b5aca2a7aaf
SHA256142b529799268a753f5214265c53a26a7a6f8833b31640c90a69a4ff94cee5ec
SHA5120fa93d009cc2f007d19e6fdda7ebe44c7ed77f30b49a6ef65c319133c0570ab84f2d86e8282b5069d7f2e238547722ac3966d2fa2fae4504133f0001a0387ae2
-
Filesize
131KB
MD5a512719efc9e6ecc5e2375abceb1669a
SHA151fae98edfab7cd6b6baac6df5ecbda082eeb1db
SHA256b2f7fb22cd5b935cf19a2f58f7fef9db99db40772ff4bb331a73c345161c2574
SHA512e0153dbc8f3fdda8d1a7082bc30a3895d7f4b3bc2982b4b4ece55653d1b4c293eba3ba6d4a0a581f0f7db95ab287d6616ef7bf03af4485904111798bf9d9e625
-
Filesize
125KB
MD59c053bef57c4a7b575a0726af0e26dae
SHA147148d30bc9a6120a1d92617bf1f3e1ba6ca1a2c
SHA2565bb21d6c04ed64a1368dace8f44aff855860e69f235492a5dc8b642a9ea88e41
SHA512482d639ba60f57827d8a343f807f4f914289c45643307efaa666b584a085fe01ac7892252f41b7756fde93d215b4f3fed16e608bc45102d320d77239fa93146a
-
Filesize
100KB
MD59dbdd6972e129d31568661a89c81d8f9
SHA1747399af62062598120214cef29761c367cfd28a
SHA25645c85bdaaf0e0c30678d8d77e2585871ea6d1298ee0d30037745bacea6338484
SHA512e52572de3f0d57d24a24d65eca4ff638890ccc9c5aca3f213ff885eda3c40de115849eb64c341f557d601f566ce21f8fc0df25cc4b13aaad5e941449a6b7f87d
-
Filesize
106KB
MD5d7c9666d30936e29ce156a2e04807863
SHA1845e805d55156372232e0110e5dc80380e2cb1e5
SHA2566ea04cf08751a2f6bb2f0e994258a44d5183b6cdb1471a0ee285659eada045b5
SHA5123cfd7a41f65c5a0dc23a90c6af358179efb3ae771f50534c3d76c486fe2d432ea3128a46b4b367c4714e86e8c0862a7385bd80662fe6ea82d7048f453570ed56
-
Filesize
164KB
MD57891c91d1761dc8a8846d362e6e31869
SHA10229bb01b7b4a0fca305eb521ec5dfbaa53674ea
SHA25629d38c75af79aa0554f34cdfecb311f88f8dd02b02facaa299b9700841806ab8
SHA512ed14614a706da985566853dc13df0d1128a718f39ec9957320813803fe07e59de337d51033970e2f57d9f56da3546c506f5f0f3becfa91ce741576855be14ba7
-
Filesize
108KB
MD5af1739a9b1a1bf72e7072ad9551c6eea
SHA18da0a34c3a8040c4b7c67d7143c853c71b3d208d
SHA256a65cbbdc2ca671a9edd7edac0c6737b3b116e357727e003e5fdeff163c6c21ab
SHA512eeeac307371c38b75e256083c55a3fe4ab096c1c7520a4b7acb40fad3af5a0d6c88aaf85f2c3e418034abee422c2a3ba13731adf7ee6078016da4dd2e989b120
-
Filesize
264KB
MD53e24e40b41ecc59750c9231d8f8da40b
SHA191a701cf25aea2984f75846b6c83865d668ccad6
SHA256bd1c33a67244801e828035904882ec53bd2ea8a1db9265a06d1aa08cf444ca80
SHA512fe62edddb62dd4b695f1ef40ffb7a0119d480d1c176f0254acee19a45d6433ef6c308acbe567c721018390626c71f7a0f7bcd195d59d54c19cf019f13c4f7572
-
Filesize
130KB
MD5e78b604f946a72b77c610f4895619f0c
SHA16fb5e3d68b3d88a5633456ac0f0f2f7b962094ae
SHA256d5f1b18111a7739ebebc971c2f1ff137a60fabb1a9b946b27c5de2bc721a282e
SHA512dbb0cce79eb5fc41fd9257dd5b9fead06769fa7e587e9689652fb1dbdcd3d3d3c6061135d920574874e60c9420fab68386cad0aaa5e708244914e24504bda5e2
-
Filesize
502KB
MD53b87d1363a45ce9368e9baec32c69466
SHA170a9f4df01d17060ec17df9528fca7026cc42935
SHA25681b3f1dc3f1eac9762b8a292751a44b64b87d0d4c3982debfdd2621012186451
SHA5121f07d3b041763b4bc31f6bd7b181deb8d34ff66ec666193932ffc460371adbcd4451483a99009b9b0b71f3864ed5c15c6c3b3777fabeb76f9918c726c35eb7d7
-
Filesize
695KB
MD5195ffb7167db3219b217c4fd439eedd6
SHA11e76e6099570ede620b76ed47cf8d03a936d49f8
SHA256e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d
SHA51256eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac
-
Filesize
14KB
MD55a766a4991515011983ceddf7714b70b
SHA14eb00ae7fe780fa4fe94cedbf6052983f5fd138b
SHA256567b9861026a0dbc5947e7515dc7ab3f496153f6b3db57c27238129ec207fc52
SHA5124bd6b24e236387ff58631207ea42cd09293c3664468e72cd887de3b3b912d3795a22a98dcf4548fb339444337722a81f8877abb22177606d765d78e48ec01fd8
-
Filesize
18KB
MD559f75c7ffaccf9878a9d39e224a65adf
SHA146b0f61a07e85e3b54b728d9d7142ddc73c9d74b
SHA256aab20f465955d77d6ec3b5c1c5f64402a925fb565dda5c8e38c296cb7406e492
SHA51280056163b96ce7a8877874eaae559f75217c0a04b3e3d4c1283fe23badfc95fe4d587fd27127db4be459b8a3adf41900135ea12b0eeb4187adbcf796d9505cb8
-
Filesize
32KB
MD5edb2f0d0eb08dcd78b3ddf87a847de01
SHA1cc23d101f917cad3664f8c1fa0788a89e03a669c
SHA256b6d8bccdf123ceac6b9642ad3500d4e0b3d30b9c9dd2d29499d38c02bd8f9982
SHA5128f87da834649a21a908c95a9ea8e2d94726bd9f33d4b7786348f6371dfae983cc2b5b5d4f80a17a60ded17d4eb71771ec25a7c82e4f3a90273c46c8ee3b8f2c3
-
Filesize
14KB
MD5831eb0de839fc13de0abab64fe1e06e7
SHA153aad63a8b6fc9e35c814c55be9992abc92a1b54
SHA256e31a1c2b1baa2aa2c36cabe3da17cd767c8fec4c206bd506e889341e5e0fa959
SHA5122f61bcf972671d96e036b3c99546cd01e067bef15751a87c00ba6d656decb6b69a628415e5363e650b55610cf9f237585ada7ce51523e6efc0e27d7338966bee
-
Filesize
11KB
MD5cf15259e22b58a0dfd1156ab71cbd690
SHA13614f4e469d28d6e65471099e2d45c8e28a7a49e
SHA256fa420fd3d1a5a2bb813ef8e6063480099f19091e8fa1b3389004c1ac559e806b
SHA5127302a424ed62ec20be85282ff545a4ca9e1aecfe20c45630b294c1ae72732465d8298537ee923d9e288ae0c48328e52ad8a1a503e549f8f8737fabe2e6e9ad38
-
Filesize
679KB
MD5641a8b61cb468359b1346a0891d65b59
SHA12cdc49bcd7428fe778a94cdcd19cabf5ece8c9c0
SHA256b58ed3ebbcd27c7f4b173819528ff4db562b90475a5e304521ed5c564d39fffd
SHA512042702d34664ea6288e891c9f7aa10a5b4b07317f25f82d6c9fa9ba9b98645c14073d0f66637060b416a30c58dec907d9383530320a318523c51f19ebd0a4fee
-
Filesize
478KB
MD56f8f1621c16ac0976600146d2217e9d2
SHA1b6aa233b93aae0a17ee8787576bf0fbc05cedde4
SHA256e66e1273dc59ee9e05ce3e02f1b760b18dd296a47d92b3ce5b24efb48e5fb21b
SHA512eb55acdea8648c8cdefee892758d9585ff81502fc7037d5814e1bd01fee0431f4dde0a4b04ccb2b0917e1b11588f2dc9f0bfe750117137a01bbd0c508f43ef6a
-
Filesize
25KB
MD5f0e921f2f850b7ec094036d20ff9be9b
SHA13b2d76d06470580858cc572257491e32d4b021c0
SHA25675e8ff57fa6d95cf4d8405bffebb2b9b1c55a0abba0fe345f55b8f0e88be6f3c
SHA51216028ae56cd1d78d5cb63c554155ae02804aac3f15c0d91a771b0dcd5c8df710f39481f6545ca6410b7cd9240ec77090f65e3379dcfe09f161a3dff6aec649f3
-
Filesize
1.7MB
MD5f27b6e8cf5afa8771c679b7a79e11a08
SHA16c3fcf45e35aaf6b747f29a06108093c284100da
SHA2564aa18745a5fddf7ec14adaff3ad1b4df1b910f4b6710bf55eb27fb3942bb67de
SHA5120d84966bbc9290b04d2148082563675ec023906d58f5ba6861c20542271bf11be196d6ab24e48372f339438204bd5c198297da98a19fddb25a3df727b5aafa33
-
Filesize
58KB
MD530eb33588670191b4e74a0a05eecf191
SHA108760620ef080bb75c253ba80e97322c187a6b9f
SHA2563a287acb1c89692f2c18596dd4405089ac998bb9cf44dd225e5211923d421e96
SHA512820cca77096ff2eea8e459a848f7127dc46af2e5f42f43b2b7375be6f4778c1b0e34e4aa5a97f7fbabe0b53dcd351d09c231bb9afedf7bcec60d949918a06b97
-
Filesize
39KB
MD5065f0830d1e36f8f44702b0f567082e8
SHA1724c33558fcc8ecd86ee56335e8f6eb5bfeac0db
SHA256285b462e3cd4a5b207315ad33ee6965a8b98ca58abb8d16882e4bc2d758ff1a4
SHA512bac0148e1b78a8fde242697bff1bbe10a18ffab85fdced062de3dc5017cd77f0d54d8096e273523b8a3910fe17fac111724acffa5bec30e4d81b7b3bd312d545
-
Filesize
45KB
MD5ba2141a7aefa1a80e2091bf7c2ca72db
SHA19047b546ce9c0ea2c36d24a10eb31516a24a047d
SHA2566a098f5a7f9328b35d73ee232846b13e2d587d47f473cbc9b3f1d74def7086ea
SHA51291e43620e5717b699e34e658d6af49bba200dcf91ac0c9a0f237ec44666b57117a13bc8674895b7a9cac5a17b2f91cdc3daa5bcc52c43edbabd19bc1ed63038c
-
Filesize
22KB
MD567a884eeb9bd025a1ef69c8964b6d86f
SHA197e00d3687703b1d7cc0939e45f8232016d009d9
SHA256cba453460be46cfa705817abbe181f9bf65dca6b6cea1ad31629aa08dbeaf72b
SHA51252e852021a1639868e61d2bd1e8f14b9c410c16bfca584bf70ae9e71da78829c1cada87d481e55386eec25646f84bb9f3baee3b5009d56bcbb3be4e06ffa0ae7
-
Filesize
17KB
MD5246f7916c4f21e98f22cb86587acb334
SHA1b898523ed4db6612c79aad49fbd74f71ecdbd461
SHA256acfe5c3aa2a3bae3437ead42e90044d7eee972ead25c1f7486bea4a23c201d3a
SHA5121c256ca9b9857e6d393461b55e53175b7b0d88d8f3566fd457f2b3a4f241cb91c9207d54d8b0867ea0abd3577d127835beb13157c3e5df5c2b2b34b3339bd15d
-
Filesize
15KB
MD5806c3802bfd7a97db07c99a5c2918198
SHA1088393a9d96f0491e3e1cf6589f612aa5e1df5f8
SHA25634b532a4d0560e26b0d5b81407befdc2424aacc9ef56e8b13de8ad0f4b3f1ab6
SHA512ed164822297accd3717b4d8e3927f0c736c060bb7ec5d99d842498b63f74d0400c396575e9fa664ad36ae8d4285cfd91e225423a0c77a612912d66ea9f63356c
-
Filesize
14KB
MD57db8b7e15194fa60ffed768b6cf948c2
SHA13de1b56cc550411c58cd1ad7ba845f3269559b5c
SHA256bc09b671894c9a36f4eca45dd6fbf958a967acea9e85b66c38a319387b90dd29
SHA512e7f5430b0d46f133dc9616f9eeae8fb42f07a8a4a18b927dd7497de29451086629dfc5e63c0b2a60a4603d8421c6570967c5dbde498bb480aef353b3ed8e18a1
-
Filesize
18KB
MD5e6367d31cf5d16b1439b86ae6b7b31c3
SHA1f52f1e73614f2cec66dab6af862bdcb5d4d9cf35
SHA256cc52384910cee944ddbcc575a8e0177bfa6b16e3032438b207797164d5c94b34
SHA5128bc78a9b62f4226be146144684dc7fcd085bcf4d3d0558cb662aacc143d1438b7454e8ac70ca83ebeedc2a0fcea38ad8e77a5d926a85254b5a7d420a5605538a
-
Filesize
1.4MB
MD59043d712208178c33ba8e942834ce457
SHA1e0fa5c730bf127a33348f5d2a5673260ae3719d1
SHA256b7a6eea19188b987dad97b32d774107e9a1beb4f461a654a00197d73f7fad54c
SHA512dd6fa02ab70c58cde75fd4d4714e0ed0df5d3b18f737c68c93dba40c30376cc93957f8eef69fea86041489546ce4239b35a3b5d639472fd54b80f2f7260c8f65
-
Filesize
238KB
MD5ad3b4fae17bcabc254df49f5e76b87a6
SHA11683ff029eebaffdc7a4827827da7bb361c8747e
SHA256e3e5029bf5f29fa32d2f6cdda35697cd8e6035d5c78615f64d0b305d1bd926cf
SHA5123d6ecc9040b5079402229c214cb5f9354315131a630c43d1da95248edc1b97627fb9ba032d006380a67409619763fb91976295f8d22ca91894c88f38bb610cd3
-
Filesize
17.9MB
MD549f6c848fc3b1f32ed96b08bca221e53
SHA10c1da68ae22f31f61ded840a42515793e1432a24
SHA2567926286cb142cc3d2511cde859dc78ea4d9a26b5007c80bc33879fc3e5800c0c
SHA5121cb5fea83ccecf175ec1ed6e381bf09f915115458869f05ebdbfbd2a92b6ec41f0a5d004e0bf74a80ccc68491554bb7df95d10242f22ce1429a2bcff124b5ba1
-
Filesize
32KB
MD5ac88de9702211d7d0d1562dc1028cd29
SHA177d2c0342a629d91f7c064a9f45c36d399415520
SHA25682adfba877f47bace9f98d914cc0c34d7f9ad9417cd1d01cc73c589ae75cccf7
SHA512784e266324dea7311de5d3bfd946411bdeb70aa7d94a81adb233297efb0981ba9e474f3cf4b6afdb907ae55bda7c2bafe754b7d3b456e1db223b2ba60b707b91