Analysis
max time kernel: 1799s
max time network: 1658s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted: 10-11-2024 18:40
Static task: static1
Behavioral task: behavioral1
Sample: 001.exe
Resource: win7-20240903-en

General
Target: 001.exe
Size: 6.9MB
MD5: 1632b97230c6d7dbc1f4ace409e92ba1
SHA1: c884ed2837673b90e1fba77f9b04c8d2e3c1927d
SHA256: cca2f9105b2a1998eadcc8cabe7e18704f2c7de1e2c5b03e6a7f652082b81510
SHA512: 99aa5818fe08ea5717b62108e5c95ddbdca6f31f39e26695ca6079ca7d64b2fe70643a36b72f796e6e3d361da3d92d4764b5b16b5bfb65165354c5e6b3651e8e
SSDEEP: 196608:d0smbmVIlqWrGTrwW/0dy/SLSJS5wS/H08SWoDpGI:SBbOIlkWcUI
Malware Config
Extracted (lucastealer): https://api.telegram.org/bot5504089027:AAFZwWvljkPTGD18o3BaTdJaHkFe-rjBlHk
Extracted from C:\Users\Admin\AppData\Local\Google\Chrome\User Data\RESTORE-MY-FILES.txt: http://solidb2jco63vbhx4sfimnqmwhtdjk4jbbgq7a24cmzzkfse4rduxgid.onion
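The extracted config pairs a Telegram Bot API URL (the stealer's exfiltration channel; the bot token after /bot is the credential that authenticates to that bot) with a Tor hidden service taken from the ransom note file. The first thing a responder does with such a config is sweep proxy or DNS logs for the same channel. The Python below is an added example, not code from this report or from the sandbox that produced it: it pulls Telegram bot tokens and .onion hosts out of free-text log lines, de-duplicates them, and redacts the token so the indicator can be shared without republishing a usable credential. The log lines are constructed; the token in them is a placeholder of the right shape (the report's real token is in the config above), and the .onion host is the one from the extracted config.

```python
"""Pull Telegram bot-API and Tor hidden-service indicators out of proxy logs.

Added example, not part of the sandbox report. The log lines are constructed;
the bot token in them is a placeholder of the right shape, and the .onion
host is the one from the report's extracted config.
"""
import re
from typing import Dict, List

# A Telegram bot token is "<numeric bot id>:<35-char secret>" and appears in
# URLs right after api.telegram.org/bot; the optional trailing segment is the
# Bot API method (sendDocument, sendMessage, getUpdates, ...).
TELEGRAM_BOT_URL = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d{8,12}):(?P<secret>[A-Za-z0-9_-]{35})"
    r"(?:/(?P<method>[A-Za-z]+))?"
)
# v2 onion names are 16 base32 chars, v3 names are 56.
ONION_URL = re.compile(r"https?://(?P<host>[a-z2-7]{16}|[a-z2-7]{56})\.onion(?::\d+)?(?:[/\s]|$)")


def redact_token(bot_id: str, secret: str) -> str:
    """Keep enough of the token to correlate sightings without sharing a usable credential."""
    return f"{bot_id}:{secret[:4]}...{secret[-4:]}"


def extract_iocs(lines: List[str]) -> Dict[str, List[Dict[str, str]]]:
    """Scan free-text log lines; return unique Telegram-bot and onion sightings."""
    found: Dict[str, List[Dict[str, str]]] = {"telegram_bots": [], "onion_hosts": []}
    seen_tokens, seen_onions = set(), set()
    for line in lines:
        for m in TELEGRAM_BOT_URL.finditer(line):
            key = (m["bot_id"], m["secret"])
            if key not in seen_tokens:
                seen_tokens.add(key)
                found["telegram_bots"].append({
                    "bot_id": m["bot_id"],
                    "token_redacted": redact_token(*key),
                    "method": m["method"] or "",
                    "line": line.strip(),
                })
        for m in ONION_URL.finditer(line):
            host = m["host"] + ".onion"
            if host not in seen_onions:
                seen_onions.add(host)
                found["onion_hosts"].append({"host": host, "line": line.strip()})
    return found


# Constructed proxy log: timestamp, client, method, URL, status.
SAMPLE_TOKEN = "1234567890:" + "A" * 35          # placeholder, not a real token
SAMPLE_LOG_LINES = [
    "2024-11-10T18:41:02Z 10.0.0.5 GET https://www.bing.com/ 200",
    f"2024-11-10T18:41:09Z 10.0.0.5 POST https://api.telegram.org/bot{SAMPLE_TOKEN}/sendDocument 200",
    f"2024-11-10T18:41:10Z 10.0.0.5 POST https://api.telegram.org/bot{SAMPLE_TOKEN}/sendDocument 200",
    "2024-11-10T18:42:30Z 10.0.0.5 GET http://solidb2jco63vbhx4sfimnqmwhtdjk4jbbgq7a24cmzzkfse4rduxgid.onion/ 0",
    "2024-11-10T18:43:00Z 10.0.0.5 GET http://ip-api.com/json 200",
]

if __name__ == "__main__":
    for kind, items in extract_iocs(SAMPLE_LOG_LINES).items():
        for item in items:
            print(kind, item)
```

Matching on the full api.telegram.org/bot<token> URL rather than on the hostname alone matters: the hostname is also used by legitimate Telegram clients, while a bot token in a URL requested by a workstation is rarely benign.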
Signatures

Luca Stealer
Information stealer written in Rust, first seen in July 2022.

Lucastealer family

Deletes shadow copies (3 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Modifies boot configuration data using bcdedit (1 TTPs, 2 IoCs)
pid   Process
2696  bcdedit.exe
2032  bcdedit.exe

Renames multiple (202) files with added filename extension
This suggests ransomware activity: files across the system are being encrypted and renamed.

pid    Process
5972   powershell.exe
13848  powershell.exe
5928   powershell.exe
1832   powershell.exe
13836  powershell.exe
5456   powershell.exe

pid   Process
6636  wbadmin.exe
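The shadow-copy, bcdedit and wbadmin signatures above, together with the 202 renamed files, are the usual impact sequence: destroy recovery points, turn off Windows recovery at boot, then encrypt. The Python below is an added example, not code from this report or from the sandbox: it runs both checks over a constructed list of process-creation and file-rename events. PIDs, image names and the .solidbit extension come from this report; the command lines are typical T1490 invocations assumed for the example, since the report lists the processes but not their arguments.

```python
"""Triage ransomware impact behaviour from endpoint process and file events.

Added example, not part of the sandbox report. It covers what the signatures
above flag: recovery-inhibition command lines (vssadmin, wbadmin, bcdedit)
and a burst of renames that append a new extension. The events are
constructed: PIDs and image names are taken from the report, but the report
does not show the command lines, so those are typical ones, not the sample's.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Typical Inhibit System Recovery (T1490) command lines. Each pattern is keyed
# on the binary and the destructive verb, so "vssadmin list shadows" does not fire.
RECOVERY_INHIBITION: List[Tuple[str, re.Pattern]] = [
    ("vssadmin delete shadows", re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    ("wmic shadowcopy delete", re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("wbadmin delete catalog", re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+catalog\b", re.I)),
    ("bcdedit recoveryenabled no",
     re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+\{?\w+\}?\s+recoveryenabled\s+no\b", re.I)),
    ("bcdedit bootstatuspolicy ignoreallfailures",
     re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+\{?\w+\}?\s+bootstatuspolicy\s+ignoreallfailures\b", re.I)),
]


def find_recovery_inhibition(events: List[Dict]) -> List[Dict]:
    """One hit per process-creation event whose command line matches a T1490 pattern."""
    hits = []
    for ev in events:
        if ev["type"] != "process":
            continue
        for label, pat in RECOVERY_INHIBITION:
            if pat.search(ev["cmdline"]):
                hits.append({"pid": ev["pid"], "image": ev["image"],
                             "technique": label, "cmdline": ev["cmdline"]})
                break
    return hits


def find_rename_bursts(events: List[Dict], min_files: int = 20, window_s: float = 60.0) -> List[Dict]:
    """Flag a process that renames at least min_files files inside window_s seconds,
    counting only renames that keep the old name and append a suffix
    ("report.docx" -> "report.docx.solidbit")."""
    per_proc: Dict[Tuple[int, str], List[Tuple[float, str]]] = defaultdict(list)
    for ev in events:
        if ev["type"] != "rename" or not ev["new"].startswith(ev["old"] + "."):
            continue
        per_proc[(ev["pid"], ev["image"])].append((ev["ts"], ev["new"][len(ev["old"]):]))
    bursts = []
    for (pid, image), items in per_proc.items():
        items.sort()
        stamps = [t for t, _ in items]
        best, j = 0, 0
        for i, t in enumerate(stamps):          # sliding window over sorted timestamps
            while t - stamps[j] > window_s:
                j += 1
            best = max(best, i - j + 1)
        if best >= min_files:
            bursts.append({"pid": pid, "image": image, "renames": len(items),
                           "max_in_window": best, "extensions": sorted({e for _, e in items})})
    return bursts


def triage(events: List[Dict]) -> Dict[str, List[Dict]]:
    return {"recovery_inhibition": find_recovery_inhibition(events),
            "rename_bursts": find_rename_bursts(events)}


def _constructed_rename(ts: float, i: int) -> Dict:
    # netsv.exe (PID 13944 in the report) appending .solidbit, as the registry table shows
    return {"type": "rename", "ts": ts, "pid": 13944, "image": "netsv.exe",
            "old": f"C:\\Users\\Admin\\Documents\\file{i}.docx",
            "new": f"C:\\Users\\Admin\\Documents\\file{i}.docx.solidbit"}


# Constructed event stream; command lines are assumed, not taken from the report.
SAMPLE_EVENTS: List[Dict] = [
    {"type": "process", "ts": 0.0, "pid": 7312, "image": "vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"type": "process", "ts": 0.5, "pid": 6636, "image": "wbadmin.exe",
     "cmdline": "wbadmin delete catalog -quiet"},
    {"type": "process", "ts": 1.0, "pid": 2696, "image": "bcdedit.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled no"},
    {"type": "process", "ts": 1.2, "pid": 2032, "image": "bcdedit.exe",
     "cmdline": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"type": "process", "ts": 2.0, "pid": 4100, "image": "vssadmin.exe",
     "cmdline": "vssadmin list shadows"},                       # benign admin use
    {"type": "rename", "ts": 3.0, "pid": 4444, "image": "explorer.exe",    # ordinary rename
     "old": "C:\\Users\\Admin\\Desktop\\a.txt", "new": "C:\\Users\\Admin\\Desktop\\b.txt"},
] + [_constructed_rename(5.0 + i * 0.1, i) for i in range(25)]

if __name__ == "__main__":
    for kind, rows in triage(SAMPLE_EVENTS).items():
        print(kind)
        for row in rows:
            print("  ", row)
```

The two detectors are deliberately independent: the command-line check fires on a single event and is the one to alert on immediately, while the rename-burst check needs a window of file telemetry and is the one that confirms encryption has started and identifies the added extension.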
Drops startup file (2 IoCs)
description                   ioc                                                                                               Process
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini           netsv.exe
File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RESTORE-MY-FILES.txt  netsv.exe

Executes dropped EXE (6 IoCs)
pid    Process
6068   netshvq.exe
544    netsh.exe
13856  netshvq.exe
13888  netsh.exe
13944  netsv.exe
3544   netsv.exe

Loads dropped DLL (44 IoCs; identical rows collapsed, count in last column)
pid    Process            rows
5988   cmd.exe            2
5956   cmd.exe            2
3396   WerFault.exe       4
13804  cmd.exe            2
13784  cmd.exe            2
13920  cmd.exe            2
13728  taskmgr.exe        1
5552   WerFault.exe       4
1192   Process not Found  8
4816   cmd.exe            2
1192   Process not Found  15
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials, cookies and browsing history.

Unsecured Credentials: Credentials In Files (1 TTPs)
Steals credentials from unsecured files.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Adds Run key to start application (2 TTPs, 1 IoCs)
description      ioc                                                                                                                                                              Process
Set value (str)  \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\UpdateTask = "C:\\Users\\Admin\\AppData\\Local\\Temp\\netsv.exe"  netsv.exe
Drops desktop.ini file(s) (64 IoCs)
All 64 entries are "File opened for modification" by netsv.exe:
C:\Users\Public\Pictures\Sample Pictures\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini
C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
C:\Users\Admin\Searches\desktop.ini
C:\Users\Public\Recorded TV\desktop.ini
C:\Users\Admin\Contacts\desktop.ini
C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini
C:\Users\Admin\Downloads\desktop.ini
F:\$RECYCLE.BIN\S-1-5-21-3533259084-2542256011-65585152-1000\desktop.ini
C:\Users\Admin\Favorites\desktop.ini
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini
C:\Users\Public\Documents\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini
C:\Users\Public\Music\Sample Music\desktop.ini
C:\Users\Admin\Desktop\desktop.ini
C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini
C:\Users\Admin\Pictures\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
C:\Users\Admin\Saved Games\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini
C:\Users\Admin\Music\desktop.ini
C:\Users\Public\Music\desktop.ini
C:\Users\Public\Videos\Sample Videos\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\FP29B0EC\desktop.ini
C:\Users\Admin\Documents\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini
C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\desktop.ini
C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini
C:\Users\Public\Libraries\desktop.ini
C:\Users\Public\Pictures\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini
C:\Users\Admin\Favorites\Links for United States\desktop.ini
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini
C:\Users\Admin\Links\desktop.ini
C:\Users\Public\Downloads\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L1J27TKW\desktop.ini
C:\Users\All Users\Microsoft\Windows\Ringtones\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\VSUVY3HP\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini
C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
C:\Users\Public\Recorded TV\Sample Media\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\TN6BGAW3\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini
C:\Users\Public\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini
C:\Users\Admin\Favorites\Links\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WK3MU41S\desktop.ini
C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini
C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini
C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini
C:\Users\Admin\Videos\desktop.ini
C:\Users\Public\Desktop\desktop.ini
Enumerates connected drives (3 TTPs, 2 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description              ioc     Process
File opened (read-only)  \??\F:  netsh.exe
File opened (read-only)  \??\F:  netsh.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 3 IoCs)
flow  ioc
10    discord.com
20    discord.com
9     discord.com

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow  ioc
5     ip-api.com

Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
description      ioc                                                                                                                                                  Process
Set value (str)  \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\n3qcQJHGS.jpg"  netsv.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (4 IoCs)
Calling NtSetInformationThread with the ThreadHideFromDebugger information class stops the thread from delivering debug events to an attached debugger, a common anti-analysis technique.
pid   Process
2504  001.exe
2504  001.exe
596   001.exe
596   001.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 21 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process (rows)
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe (10), powershell.exe (6), 001.exe (2), netshvq.exe (2), DllHost.exe (1)

System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 1 IoCs)
Adversaries may check for Internet connectivity on compromised systems. Note that the only process listed here is SnippingTool.exe, which is not one of the sample's processes.
pid   Process
5680  SnippingTool.exe

Checks processor information in registry (2 TTPs, 6 IoCs)
Processor information is often read in order to detect sandboxing environments. Here every query comes from firefox.exe rather than from the sample or its dropped executables.
description        ioc                                                                                 Process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature   firefox.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision    firefox.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel  firefox.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz               firefox.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier   firefox.exe
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                    firefox.exe

Enumerates system info in registry (2 TTPs, 4 IoCs)
description        ioc                                                                   Process
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                    001.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  001.exe
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                    001.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  001.exe

Interacts with shadow copies (3 TTPs, 1 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid   Process
7312  vssadmin.exe
Modifies registry class (47 IoCs)
All keys below are under \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES (the user's HKCU\Software\Classes hive), abbreviated <CLASSES>. <SHELL> stands for <CLASSES>\Local Settings\Software\Microsoft\Windows\Shell, and <VIEW> for <SHELL>\Bags\AllFolders\ComDlg\{0B2BAAEB-0042-4DCA-AA4D-3EE8648D03E5}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}. A trailing backslash denotes the key's (Default) value.

netsv.exe (13 IoCs): registers .solidbit as a file type whose open handler is the dropped binary
Key created      <CLASSES>\.solidbit
Set value (str)  <CLASSES>\.solidbit\ = "solidbit_auto_file"
Key created      <CLASSES>\solidbit_auto_file
Key created      <CLASSES>\solidbit_auto_file\shell
Key created      <CLASSES>\solidbit_auto_file\shell\open
Key created      <CLASSES>\solidbit_auto_file\shell\open\command
Set value (str)  <CLASSES>\solidbit_auto_file\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\netsv.exe\" \"%1\""
Set value (str)  <CLASSES>\ = "solidbit_auto_file"
Key created      <CLASSES>\Applications
Key created      <CLASSES>\Applications\Solid
Key created      <CLASSES>\Applications\Solid\shell
Key created      <CLASSES>\Applications\Solid\shell\open
Key created      <CLASSES>\Applications\Solid\shell\open\command

SnippingTool.exe (34 IoCs): Explorer file-dialog view state (shell bags); SnippingTool.exe is not one of the sample's processes
Key created       <CLASSES>\Local Settings
Key created       <SHELL>
Key created       <SHELL>\BagMRU
Key created       <SHELL>\BagMRU\0
Key created       <SHELL>\BagMRU\0\1
Key created       <SHELL>\BagMRU\1
Key created       <SHELL>\BagMRU\1\0
Key created       <SHELL>\BagMRU\1\0\0
Set value (data)  <SHELL>\BagMRU\0\1 = 9e0000001a00eebbfe23000010009fae90a93ba0804e94bc9912d750410400002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020002a0000000000efbeebaa2b0b4200ca4daa4d3ee8648d03e58207ba827a5b6945b5d7ec83085f08cc20002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020000000
Set value (int)   <SHELL>\BagMRU\0\1\NodeSlot = "8"
Set value (data)  <SHELL>\BagMRU\0\1\MRUListEx = ffffffff
Set value (data)  <SHELL>\BagMRU\0\MRUListEx = 0100000000000000ffffffff
Set value (data)  <SHELL>\BagMRU\NodeSlots = 0202020202020202
Set value (data)  <SHELL>\BagMRU\NodeSlots = 02020202020202
Set value (data)  <SHELL>\BagMRU\MRUListEx = 00000000010000000300000002000000ffffffff
Set value (data)  <SHELL>\BagMRU\MRUListEx = 01000000000000000300000002000000ffffffff
Set value (data)  <SHELL>\BagMRU\MRUListEx = 00000000030000000100000002000000ffffffff
Key created       <SHELL>\Bags
Key created       <SHELL>\Bags\8
Key created       <SHELL>\Bags\8\ComDlg
Set value (str)   <SHELL>\Bags\8\ComDlg\TV_FolderType = "{0B2BAAEB-0042-4DCA-AA4D-3EE8648D03E5}"
Set value (str)   <SHELL>\Bags\8\ComDlg\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}"
Set value (int)   <SHELL>\Bags\8\ComDlg\TV_TopViewVersion = "0"
Key created       <SHELL>\Bags\AllFolders
Key created       <SHELL>\Bags\AllFolders\ComDlg
Key created       <SHELL>\Bags\AllFolders\ComDlg\{0B2BAAEB-0042-4DCA-AA4D-3EE8648D03E5}
Key created       <VIEW>
Set value (int)   <VIEW>\Mode = "1"
Set value (int)   <VIEW>\FFlags = "1092616257"
Set value (int)   <VIEW>\FFlags = "1"
Set value (int)   <VIEW>\LogicalViewMode = "3"
Set value (int)   <VIEW>\IconSize = "96"
Set value (data)  <VIEW>\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000050000001800000030f125b7ef471a10a5f102608c9eebac0a000000a0000000b474dbf787420341afbaf1b13dcd75cf64000000a0000000e0859ff2f94f6810ab9108002b27b3d9050000005800000030f125b7ef471a10a5f102608c9eebac0c00000050000000920444648b4cd1118b70080036b11a030900000060000000
Set value (data)  <VIEW>\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000
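The Run value listed under "Adds Run key to start application" and the .solidbit / solidbit_auto_file handler in this table are two persistence paths for the same binary: the Run key relaunches netsv.exe at logon, and the file association relaunches it from %APPDATA% whenever a victim opens an encrypted file. The Python below is an added example, not code from this report or from the sandbox: it walks registry-write events given in the report's own key notation, flags autorun targets that live in user-writable directories, and joins extension -> ProgID -> open command to flag handlers outside Program Files and Windows. The three netsv.exe events reproduce the report's rows; the chrome.exe and explorer.exe rows are constructed benign entries for contrast.

```python
"""Triage registry writes for persistence: autorun values and file-type handlers.

Added example, not part of the sandbox report. Events are (key, data, process)
triples in the report's own key notation; the netsv.exe rows reproduce the Run
value and the .solidbit handler listed above, the chrome.exe and explorer.exe
rows are constructed benign entries for contrast.
"""
import re
from typing import Dict, List, Tuple

USER_WRITABLE = re.compile(r"\\(?:AppData|Temp|ProgramData|Users\\Public|Downloads)\\", re.I)
TRUSTED_ROOT = re.compile(r"^[A-Z]:\\(?:Program Files(?: \(x86\))?|Windows)\\", re.I)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\([^\\]+)$", re.I)
# HKCU\Software\Classes shows up in the report as <SID>_CLASSES\...; a trailing
# backslash means the key's (Default) value.
EXT_DEFAULT = re.compile(r"_CLASSES\\(\.[^\\]+)\\$", re.I)
OPEN_COMMAND = re.compile(r"_CLASSES\\([^\\.][^\\]*)\\shell\\open\\command\\$", re.I)


def first_path(data: str) -> str:
    """Executable path from a Run value or open-command string.
    Accepts '"C:\\x\\y.exe" "%1"' and 'C:\\x\\y.exe arg'; the report prints
    backslashes doubled, so those are collapsed first."""
    data = data.replace("\\\\", "\\").strip()
    if data.startswith('"'):
        return data[1:data.index('"', 1)]
    return data.split(" ")[0]


def triage_registry(events: List[Tuple[str, str, str]]) -> List[Dict[str, str]]:
    """Return one finding per suspicious autorun value or file-type handler."""
    findings: List[Dict[str, str]] = []
    ext_to_progid: Dict[str, str] = {}
    progid_to_handler: Dict[str, Tuple[str, str]] = {}
    for key, data, proc in events:
        m = RUN_KEY.search(key)
        if m:
            target = first_path(data)
            if USER_WRITABLE.search(target):
                findings.append({"kind": "run-key", "name": m.group(2), "target": target,
                                 "process": proc, "reason": "autorun target is in a user-writable directory"})
            continue
        m = EXT_DEFAULT.search(key)
        if m:
            ext_to_progid[m.group(1).lower()] = data.strip('"')
            continue
        m = OPEN_COMMAND.search(key)
        if m:
            progid_to_handler[m.group(1)] = (first_path(data), proc)
    # Join extension -> ProgID -> handler. A handler outside Program Files/Windows
    # re-launches the dropper every time a victim double-clicks an encrypted file.
    for ext, progid in ext_to_progid.items():
        if progid not in progid_to_handler:
            continue
        handler, proc = progid_to_handler[progid]
        if USER_WRITABLE.search(handler) or not TRUSTED_ROOT.match(handler):
            findings.append({"kind": "file-handler", "name": ext, "target": handler, "process": proc,
                             "reason": f"{ext} opens via ProgID {progid} with a handler outside Program Files/Windows"})
    return findings


SID = r"\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000"
SAMPLE_EVENTS: List[Tuple[str, str, str]] = [
    # the persistence writes the report attributes to netsv.exe
    (SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\UpdateTask",
     r"C:\\Users\\Admin\\AppData\\Local\\Temp\\netsv.exe", "netsv.exe"),
    (SID + "_CLASSES\\.solidbit\\", "solidbit_auto_file", "netsv.exe"),
    (SID + "_CLASSES\\solidbit_auto_file\\shell\\open\\command\\",
     r'"C:\\Users\\Admin\\AppData\\Roaming\\netsv.exe" "%1"', "netsv.exe"),
    # constructed benign entries
    (SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\GoogleChromeAutoLaunch",
     r'"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" --no-startup-window', "chrome.exe"),
    (SID + "_CLASSES\\.txt\\", "txtfile", "explorer.exe"),
    (SID + "_CLASSES\\txtfile\\shell\\open\\command\\", r"C:\\Windows\\system32\\NOTEPAD.EXE %1", "explorer.exe"),
]

if __name__ == "__main__":
    for finding in triage_registry(SAMPLE_EVENTS):
        print(finding)
```

Cleaning up after this sample means removing both: deleting the Run value alone leaves the .solidbit association in place, and any attempt to open a renamed file re-executes C:\Users\Admin\AppData\Roaming\netsv.exe.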
Suspicious behavior: EnumeratesProcesses (64 IoCs; identical consecutive rows collapsed, count in last column)
pid    Process         rows
544    netsh.exe       6
5972   powershell.exe  1
5928   powershell.exe  1
1832   powershell.exe  1
13728  taskmgr.exe     2
13888  netsh.exe       6
13728  taskmgr.exe     1
13836  powershell.exe  1
13848  powershell.exe  1
5456   powershell.exe  1
13728  taskmgr.exe     43

Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
pid    Process
13728  taskmgr.exe
5680   SnippingTool.exe

Suspicious use of AdjustPrivilegeToken (61 IoCs; grouped by process, tokens in the order logged)
pid    Process         Token(s)
544    netsh.exe       SeShutdownPrivilege
5972   powershell.exe  SeDebugPrivilege
5928   powershell.exe  SeDebugPrivilege
1832   powershell.exe  SeDebugPrivilege
13728  taskmgr.exe     SeDebugPrivilege
13888  netsh.exe       SeShutdownPrivilege
13836  powershell.exe  SeDebugPrivilege
13848  powershell.exe  SeDebugPrivilege
5456   powershell.exe  SeDebugPrivilege
5124   vssvc.exe       SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
3264   WMIC.exe        two identical runs of: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
4376   wbengine.exe    SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege
5560   7zG.exe         SeRestorePrivilege, 35, SeSecurityPrivilege, SeSecurityPrivilege
3252   firefox.exe     SeDebugPrivilege, SeDebugPrivilege

Suspicious use of FindShellTrayWindow (64 IoCs)
pid    Process      rows
13728  taskmgr.exe  64

Suspicious use of SendNotifyMessage (64 IoCs)
pid    Process      rows
13728  taskmgr.exe  64

Suspicious use of SetWindowsHookEx (4 IoCs)
pid   Process           rows
3460  WISPTIS.EXE       1
5680  SnippingTool.exe  3

Suspicious use of WriteProcessMemory (64 IoCs; identical rows collapsed, count in last column)
parent PID  wrote to memory of  parent Process  procid_target  rows
2504        1036                001.exe         30             4
2504        2216                001.exe         31             4
2216        5928                cmd.exe         34             4
2504        5956                001.exe         35             4
1036        5972                cmd.exe         36             4
2504        5988                001.exe         37             4
5988        6068                cmd.exe         40             4
5956        544                 cmd.exe         41             4
2216        1832                cmd.exe         44             4
544         3396                netsh.exe       46             3
596         13736               001.exe         51             4
596         13748               001.exe         52             4
596         13784               001.exe         55             4
596         13804               001.exe         57             4
13748       13836               cmd.exe         59             4
13736       13848               cmd.exe         60             4
13804       13856               cmd.exe         61             1
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
Process tree (indentation shows the parent/child relationship; each entry lists the image, its command line, the behaviours observed, and its PID):

C:\Users\Admin\AppData\Local\Temp\001.exe
  cmd: "C:\Users\Admin\AppData\Local\Temp\001.exe"
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Enumerates system info in registry
  - Suspicious use of WriteProcessMemory
  PID:2504
    C:\Windows\SysWOW64\cmd.exe
      cmd: cmd /c powershell -Command "Add-Type -AssemblyName System.Windows.Forms;[System.Windows.Forms.MessageBox]::Show('Preparing components. Please run in 30 seconds.','Error','OK','Error')"
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID:1036
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          cmd: powershell -Command "Add-Type -AssemblyName System.Windows.Forms;[System.Windows.Forms.MessageBox]::Show('Preparing components. Please run in 30 seconds.','Error','OK','Error')"
          - Command and Scripting Interpreter: PowerShell
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID:5972
    C:\Windows\SysWOW64\cmd.exe
      cmd: cmd /c powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID:2216
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          cmd: powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
          - Command and Scripting Interpreter: PowerShell
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID:5928
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          cmd: powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
          - Command and Scripting Interpreter: PowerShell
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID:1832
    C:\Windows\SysWOW64\cmd.exe
      cmd: cmd /c start "" "C:\Users\Admin\AppData\Local\Temp\netsh.exe"
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID:5956
        C:\Users\Admin\AppData\Local\Temp\netsh.exe
          cmd: "C:\Users\Admin\AppData\Local\Temp\netsh.exe"
          - Executes dropped EXE
          - Enumerates connected drives
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          PID:544
            C:\Windows\system32\WerFault.exe
              cmd: C:\Windows\system32\WerFault.exe -u -p 544 -s 1204
              - Loads dropped DLL
              PID:3396
    C:\Windows\SysWOW64\cmd.exe
      cmd: cmd /c start "" "C:\Users\Admin\AppData\Local\Temp\netshvq.exe"
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID:5988
        C:\Users\Admin\AppData\Local\Temp\netshvq.exe
          cmd: "C:\Users\Admin\AppData\Local\Temp\netshvq.exe"
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          PID:6068
            C:\Windows\SysWOW64\cmd.exe
              cmd: cmd /c start "" "C:\Users\Admin\AppData\Local\Temp\netsv.exe"
              - Loads dropped DLL
              - System Location Discovery: System Language Discovery
              PID:13920
                C:\Users\Admin\AppData\Local\Temp\netsv.exe
                  cmd: "C:\Users\Admin\AppData\Local\Temp\netsv.exe"
                  - Drops startup file
                  - Executes dropped EXE
                  - Adds Run key to start application
                  - Drops desktop.ini file(s)
                  - Sets desktop wallpaper using registry
                  - Modifies registry class
                  PID:13944
                    C:\Windows\System32\cmd.exe
                      cmd: "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
                      PID:5584
                        C:\Windows\system32\vssadmin.exe
                          cmd: vssadmin delete shadows /all /quiet
                          - Interacts with shadow copies
                          PID:7312
                        C:\Windows\System32\Wbem\WMIC.exe
                          cmd: wmic shadowcopy delete
                          - Suspicious use of AdjustPrivilegeToken
                          PID:3264
                    C:\Windows\System32\cmd.exe
                      cmd: "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
                      PID:2900
                        C:\Windows\system32\bcdedit.exe
                          cmd: bcdedit /set {default} bootstatuspolicy ignoreallfailures
                          - Modifies boot configuration data using bcdedit
                          PID:2696
                        C:\Windows\system32\bcdedit.exe
                          cmd: bcdedit /set {default} recoveryenabled no
                          - Modifies boot configuration data using bcdedit
                          PID:2032
                    C:\Windows\System32\cmd.exe
                      cmd: "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
                      PID:6700
                        C:\Windows\system32\wbadmin.exe
                          cmd: wbadmin delete catalog -quiet
                          - Deletes backup catalog
                          PID:6636

C:\Windows\SysWOW64\DllHost.exe
  cmd: C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
  - System Location Discovery: System Language Discovery
  PID:2468

C:\Users\Admin\AppData\Local\Temp\001.exe
  cmd: "C:\Users\Admin\AppData\Local\Temp\001.exe"
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Enumerates system info in registry
  - Suspicious use of WriteProcessMemory
  PID:596
    C:\Windows\SysWOW64\cmd.exe
      cmd: cmd /c powershell -Command "Add-Type -AssemblyName System.Windows.Forms;[System.Windows.Forms.MessageBox]::Show('Preparing components. Please run in 30 seconds.','Error','OK','Error')"
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID:13736
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          cmd: powershell -Command "Add-Type -AssemblyName System.Windows.Forms;[System.Windows.Forms.MessageBox]::Show('Preparing components. Please run in 30 seconds.','Error','OK','Error')"
          - Command and Scripting Interpreter: PowerShell
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID:13848
    C:\Windows\SysWOW64\cmd.exe
      cmd: cmd /c powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID:13748
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          cmd: powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
          - Command and Scripting Interpreter: PowerShell
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID:13836
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          cmd: powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
          - Command and Scripting Interpreter: PowerShell
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID:5456
    C:\Windows\SysWOW64\cmd.exe
      cmd: cmd /c start "" "C:\Users\Admin\AppData\Local\Temp\netsh.exe"
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      PID:13784
        C:\Users\Admin\AppData\Local\Temp\netsh.exe
          cmd: "C:\Users\Admin\AppData\Local\Temp\netsh.exe"
          - Executes dropped EXE
          - Enumerates connected drives
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID:13888
            C:\Windows\system32\WerFault.exe
              cmd: C:\Windows\system32\WerFault.exe -u -p 13888 -s 1184
              - Loads dropped DLL
              PID:5552
    C:\Windows\SysWOW64\cmd.exe
      cmd: cmd /c start "" "C:\Users\Admin\AppData\Local\Temp\netshvq.exe"
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID:13804
        C:\Users\Admin\AppData\Local\Temp\netshvq.exe
          cmd: "C:\Users\Admin\AppData\Local\Temp\netshvq.exe"
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          PID:13856
            C:\Windows\SysWOW64\cmd.exe
              cmd: cmd /c start "" "C:\Users\Admin\AppData\Local\Temp\netsv.exe"
              - Loads dropped DLL
              - System Location Discovery: System Language Discovery
              PID:4816
                C:\Users\Admin\AppData\Local\Temp\netsv.exe
                  cmd: "C:\Users\Admin\AppData\Local\Temp\netsv.exe"
                  - Executes dropped EXE
                  PID:3544

C:\Windows\system32\taskmgr.exe
  cmd: "C:\Windows\system32\taskmgr.exe" /4
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:13728

C:\Windows\system32\vssvc.exe
  cmd: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  PID:5124

C:\Windows\system32\wbengine.exe
  cmd: "C:\Windows\system32\wbengine.exe"
  - Suspicious use of AdjustPrivilegeToken
  PID:4376

C:\Windows\System32\vdsldr.exe
  cmd: C:\Windows\System32\vdsldr.exe -Embedding
  PID:8516

C:\Windows\System32\vds.exe
  cmd: C:\Windows\System32\vds.exe
  PID:9988

C:\Windows\system32\NOTEPAD.EXE
  cmd: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\PKG\RESTORE-MY-FILES.txt
  PID:4024

C:\Windows\system32\SnippingTool.exe
  cmd: "C:\Windows\system32\SnippingTool.exe"
  - System Network Configuration Discovery: Internet Connection Discovery
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:5680
    C:\Windows\SYSTEM32\WISPTIS.EXE
      cmd: "C:\Windows\SYSTEM32\WISPTIS.EXE" /ManualLaunch;
      - Suspicious use of SetWindowsHookEx
      PID:3460

C:\Program Files\7-Zip\7zG.exe
  cmd: "C:\Program Files\7-Zip\7zG.exe" a -i#7zMap8401:368:7zEvent23989 -tzip -sae -- "C:\Users\Admin\Desktop\PKG\PKG.zip"
  - Suspicious use of AdjustPrivilegeToken
  PID:5560

C:\Program Files\Mozilla Firefox\firefox.exe
  cmd: "C:\Program Files\Mozilla Firefox\firefox.exe"
  PID:3488

C:\Program Files\Mozilla Firefox\firefox.exe
  cmd: "C:\Program Files\Mozilla Firefox\firefox.exe"
  PID:3488
    C:\Program Files\Mozilla Firefox\firefox.exe
      cmd: "C:\Program Files\Mozilla Firefox\firefox.exe"
      - Checks processor information in registry
      - Suspicious use of AdjustPrivilegeToken
      PID:3252
        C:\Program Files\Mozilla Firefox\firefox.exe
          cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3252.0.812037672\1149552346" -parentBuildID 20221007134813 -prefsHandle 1152 -prefMapHandle 1168 -prefsLen 18084 -prefMapSize 231738 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4355c76a-462b-495c-9a6a-4ebdad120724} 3252 "\\.\pipe\gecko-crash-server-pipe.3252" 1140 14367358 socket
          PID:8160
        C:\Program Files\Mozilla Firefox\firefox.exe
          cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3252.1.471559984\651642874" -parentBuildID 20221007134813 -prefsHandle 1596 -prefMapHandle 1580 -prefsLen 18674 -prefMapSize 231738 -appDir "C:\Program Files\Mozilla Firefox\browser" - {35fa893d-4021-4bd7-9c7f-6aecdd9f7552} 3252 "\\.\pipe\gecko-crash-server-pipe.3252" 1620 14365b58 gpu
          PID:2000
        C:\Program Files\Mozilla Firefox\firefox.exe
          cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3252.2.1574680190\2011207923" -childID 1 -isForBrowser -prefsHandle 2036 -prefMapHandle 2032 -prefsLen 19455 -prefMapSize 231738 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {21df0f0a-5bff-411b-a2c1-28bd12d6224c} 3252 "\\.\pipe\gecko-crash-server-pipe.3252" 2008 178efb58 tab
          PID:7260
        C:\Program Files\Mozilla Firefox\firefox.exe
          cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3252.3.671372368\1334365716" -childID 2 -isForBrowser -prefsHandle 2736 -prefMapHandle 2792 -prefsLen 19610 -prefMapSize 231738 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {eefc41c5-edb5-4e67-a17f-7603985980d7} 3252 "\\.\pipe\gecko-crash-server-pipe.3252" 1272 1a3cfe58 tab
          PID:3032
        C:\Program Files\Mozilla Firefox\firefox.exe
          cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3252.4.523354480\1433423779" -parentBuildID 20221007134813 -prefsHandle 3000 -prefMapHandle 2860 -prefsLen 21627 -prefMapSize 231738 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d21eae76-b142-47cf-bd55-816afcf5bbdc} 3252 "\\.\pipe\gecko-crash-server-pipe.3252" 3012 19751358 rdd
          PID:8200
        C:\Program Files\Mozilla Firefox\firefox.exe
          cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3252.5.2062564632\1564950929" -childID 3 -isForBrowser -prefsHandle 3564 -prefMapHandle 3560 -prefsLen 27017 -prefMapSize 231738 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {459f56e2-3a5e-4771-9d01-482146da1648} 3252 "\\.\pipe\gecko-crash-server-pipe.3252" 3588 1974f858 tab
          PID:9196
        C:\Program Files\Mozilla Firefox\firefox.exe
          cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3252.6.565064589\258039823" -childID 4 -isForBrowser -prefsHandle 3784 -prefMapHandle 3688 -prefsLen 27052 -prefMapSize 231738 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7ed64313-d66d-4d21-99dd-1f0bede97ef6} 3252 "\\.\pipe\gecko-crash-server-pipe.3252" 3908 2130a258 tab
          PID:9244
        C:\Program Files\Mozilla Firefox\firefox.exe
          cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3252.7.1459016005\72243284" -childID 5 -isForBrowser -prefsHandle 3812 -prefMapHandle 3788 -prefsLen 27052 -prefMapSize 231738 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {540c3612-ea78-404e-8b12-c9871f666688} 3252 "\\.\pipe\gecko-crash-server-pipe.3252" 3844 21307e58 tab
          PID:9340
        C:\Program Files\Mozilla Firefox\firefox.exe
          cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3252.8.548853350\482532800" -childID 6 -isForBrowser -prefsHandle 4336 -prefMapHandle 3972 -prefsLen 28036 -prefMapSize 231738 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4e0d923d-b5bb-4779-8f2f-ca4f8b9eb2c6} 3252 "\\.\pipe\gecko-crash-server-pipe.3252" 4328 24ba2858 tab
          PID:10632
        C:\Program Files\Mozilla Firefox\firefox.exe
          cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3252.9.1917416101\38908761" -childID 7 -isForBrowser -prefsHandle 3828 -prefMapHandle 3856 -prefsLen 29362 -prefMapSize 231738 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {96b1cebb-76e4-410d-8f56-60b28a56503a} 3252 "\\.\pipe\gecko-crash-server-pipe.3252" 3936 178f0458 tab
          PID:13408
        C:\Program Files\Mozilla Firefox\firefox.exe
          cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3252.10.854909752\1884694990" -childID 8 -isForBrowser -prefsHandle 2320 -prefMapHandle 2424 -prefsLen 29362 -prefMapSize 231738 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c0d152bb-60f7-4ec9-ad78-29d1e3f28c52} 3252 "\\.\pipe\gecko-crash-server-pipe.3252" 4368 1b20c158 tab
          PID:13416
        C:\Program Files\Mozilla Firefox\firefox.exe
          cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3252.11.1049495522\1534281615" -childID 9 -isForBrowser -prefsHandle 2424 -prefMapHandle 2320 -prefsLen 29362 -prefMapSize 231738 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {362f669a-e884-4029-88cd-aea09063c248} 3252 "\\.\pipe\gecko-crash-server-pipe.3252" 872 1d98db58 tab
          PID:13632
Network
MITRE ATT&CK Enterprise v15 (the number after each technique is the count of matching signatures)
Execution
- Command and Scripting Interpreter (2)
  - PowerShell (1)
- Windows Management Instrumentation (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Defense Evasion
- Direct Volume Access (1)
- Indicator Removal (3)
  - File Deletion (3)
- Modify Registry (2)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (3)
  - Credentials In Files (3)
Downloads
-
Filesize
4KB
MD59dfc7ba5762c64611fbad25fdf827c52
SHA14ebc6513b996bb828f4f24bdbfd18c9dddbb6172
SHA25619052198831c009be66dd4667427cba209fe7f246b3df4c5d8bdc39566e36d94
SHA512a9d1385d4b0e2b6fd5da190232beb691cc5474d3398c4d8e69bbbdcecd98a486d3db166511eeca888b44d8a0b5f855fe4a4e593c5044b5bc0f886dbe11337b1e
-
Filesize
5KB
MD54f9ac01ed989053fcc2290de0e0ef73f
SHA1b323f5efa6eea95f8dc55858bae3f15ccdae0e68
SHA2560c81d5fcb017df01036d2a6068fbe5c2c55558862d218227fc43491df47f2066
SHA51271d937df4e17d27b40d095a0164f49fa6bc664de2e5a3ed26f76734c08eab6fda7034bafb3312909a5112359867bbe4c952c7de01a22d922192ddeeadf37471c
-
Filesize
280B
MD541d220d4783f67d2b57beec20c135229
SHA16e97765e77920b6010fac2cb4abf1e3cea106541
SHA2565d1881e74d76b95bad59439bb5c7676258a4ae6b6d853074e93b5247cf1715dc
SHA512dc30ddc4c8cfe598de5e24bc88cebbe4256fbb21a0b1db6c2ec15311053e7d8be6a93a0bcfcfd8a02543f8b9cf9b15a5840154b272a2df71d59d7dfd80984ac0
-
Filesize
299B
MD5e4b66478ecde473b6d9c95d7a4350d37
SHA1cf125f3ec9060bf59a3e4449b0fb151eaad01c5e
SHA2564510c82fc9289533b0dbaf0a2a70a45589814c06be7e9adc395100ff18d5fc73
SHA5120fef6926821a19f686d0291db9e7efb1a60cd6d13d94d4cc6fc3eeb06be3807d697debde0a5a264b430d449482bb26666b8273c7342e99d592e9b516027c086d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d5hwcntb.default-release\sessionCheckpoints.json
Filesize90B
MD5c4ab2ee59ca41b6d6a6ea911f35bdc00
SHA15942cd6505fc8a9daba403b082067e1cdefdfbc4
SHA25600ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2
SHA51271ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d5hwcntb.default-release\sessionstore-backups\recovery.jsonlz4
Filesize1KB
MD5c385473960438e526c4e73b67fe0a66c
SHA13f1a6ea017800d463aa412909a8feb80be1baeb6
SHA256c3a6a02f7e202a57b30d97fc71cc4ebd6314ac9f3c9a79d8f6157fd02ca47fa5
SHA5129b24b6914717b55110cb7c0baef50d3e1ca3a99f1ee9fc5f6b9af2529f99cf541536e5525b03e95fbd4c5259bd66729854368a96a71214a79743b27eba8bc5f3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d5hwcntb.default-release\sessionstore-backups\recovery.jsonlz4
Filesize806B
MD525b655f4846633304fa304245c33017d
SHA132100334c72677f76d5d851c705ffd274fc92ddf
SHA25642dc97c0573f5c1242e4cd09d27a80b628fb929c7e655e2007838e29efb82dc9
SHA512efa0a2c88825bcd5854bb43ca30eb1e6e5c967a7e7b11f58f41ab34719c4e7d54cc9d9309d729fff13e840951f50563f59606f19ab98ab848b1dd7a9d39ecadd
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d5hwcntb.default-release\sessionstore-backups\recovery.jsonlz4
Filesize984B
MD511ad13e962d7798788c37561935c35e7
SHA1e0a17ba87d8ddae53734c8e044edbc426469a50b
SHA256a5473d792db5bacc4333aee48e5ed404efda233db6b6c6b1091cf251e1ffacf6
SHA512e3a7926084d53151bd50ca3e015f080d448f3de5ecac7c994327c0d87c80d86489a18e79bc8874be0cd3f224bb60eac476c6d33fdfba2c5f8d30be35bd617485
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d5hwcntb.default-release\shield-preference-experiments.json
Filesize18B
MD5285cdefb3f582c224291f7a2530f3c4e
SHA1f816c3e87aa007b6e6d31eb6a4618695a7d83439
SHA256704d28223a4320a853df4a19d48c7015cf79d56a5317cc3475b6305fa43dcc05
SHA5128f1decf1e4b5755fce8f165daae115f45d6890985c9c4bbb33a6f724cbfd26db75f6da06f9ef675de20fe755da9b7f55e5ee37124296a12a520a393da159bd58
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d5hwcntb.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize48KB
MD51aed6511cccdcc144250594cf8acd9cc
SHA1959744e03d9ebafad25368530e61a2d1f8127184
SHA2564bb02e5f4c16b43b9be32a62abda81b072e1ec600a73ccc92c0946f90be7e5e6
SHA512283011a46d9742f1b8614efb0077c9d3e7cacc91af5aac239b421cc5f16b68dec7642668fccb89a50a106fb1ef825897aab895daac985fba40c0cf0adc95f730
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d5hwcntb.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize184KB
MD505284bfcaf872d782c6e3407cdbec9fe
SHA16f3d8bad7c66cba76d93f556938e05720691c987
SHA25675b74f0f232d70e963fe3bcd14f99c42931e562aa92413cd9cc21794daf16e0c
SHA5120f7ac190511f3af33c76b8fec24eaedf5699e7b8bf171e164ca51efffc99c6feafcc4469e0d8207ae35ed6616c7fb6589a8cad83018055b0eeebc29e02282ff0
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d5hwcntb.default-release\targeting.snapshot.json
Filesize4KB
MD5b1d58708d78845cc4dfe521ee096aca4
SHA1f62a808cd8540ed1ff4aa23b52a88fb6d6fe4d52
SHA25657cec8eaf5162a92b39bd86c7bca298200aade7cbcf700bd45e2d7dd663a05a7
SHA512fe9687184bb8baa2d26b0c9466ca3a85346ec5d3b46f85e53adc555bdad34df26192ac639a9b5c1d3872c5e9c12e64412c5a4d9297b5f889ce72432cf1ca8985
-
Filesize
141B
MD54061fee4f4705e38b6ca12ace32cf393
SHA19c2c69a9aeb5f2b7c0cfd60b006a86d3c99b1252
SHA2563d7c8f108dfbf12834902307d2428856db76cacb51c5114abea55f88d8c63e52
SHA512b41ef4ec3f2e3ea5a905c643a4f92f129a60cdfb7bf236c7148bbaf9fbec6cefe6126f416308994ec33153c5b309e4c4f810434a68a5ad96dd8a20143f9b6aa5
-
Filesize
1B
MD5d1457b72c3fb323a2671125aef3eab5d
SHA15bab61eb53176449e25c2c82f172b82cb13ffb9d
SHA2568a8de823d5ed3e12746a62ef169bcf372be0ca44f0a1236abc35df05d96928e1
SHA512ca63c07ad35d8c9fb0c92d6146759b122d4ec5d3f67ebe2f30ddb69f9e6c9fd3bf31a5e408b08f1d4d9cd68120cced9e57f010bef3cde97653fed5470da7d1a0
-
Filesize
255KB
MD5b4fef894ac74f287af43a179b1368b72
SHA1a20f15bf1f835fbf1209181b53e60ba2853f070a
SHA2562289aa82316f97367e093ed28701f057fbceb7a134dc53c7a69180e5239846c1
SHA512853a04b551122618f62aa07b162642bcc15eecb1621f38bc127962f4723f8a28ade22b8c730ff47fdee8cb67f682b5600cd968ba2ddacc45c399f810b3094871