Analysis
max time kernel: 331s
max time network: 332s
platform: windows10-2004_x64
resource: win10v2004-20250610-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250610-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30/06/2025, 18:34
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://url2.3u.com/MNBBfyaa
Resource
win10v2004-20250610-en
General
-
Target
https://url2.3u.com/MNBBfyaa
Malware Config
Signatures
-
Modifies firewall policy service 3 TTPs 1 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules mDNSResponder.exe
-
Downloads MZ/PE file 1 IoCs
flow pid Process
33 1548 msedge.exe
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion iTunes.exe
-
Checks computer location settings 2 TTPs 5 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process
Key value queried \REGISTRY\USER\S-1-5-21-2012121138-1878458325-808874697-1000\Control Panel\International\Geo\Nation 3uTools_v3.26.007_Setup_x64.exe
Key value queried \REGISTRY\USER\S-1-5-21-2012121138-1878458325-808874697-1000\Control Panel\International\Geo\Nation 3uTools.exe
Key value queried \REGISTRY\USER\S-1-5-21-2012121138-1878458325-808874697-1000\Control Panel\International\Geo\Nation QtWebEngineProcess.exe
Key value queried \REGISTRY\USER\S-1-5-21-2012121138-1878458325-808874697-1000\Control Panel\International\Geo\Nation iTunes.exe
Key value queried \REGISTRY\USER\S-1-5-21-2012121138-1878458325-808874697-1000\Control Panel\International\Geo\Nation AppleMobileDeviceHelper.exe
-
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE 31 IoCs
pid Process
2060 3uTools_v3.26.007_Setup_x64.exe
1404 3uTools_v3.26.007_Setup_x64.exe
5236 3uTools_v3.26.007_Setup_x64.exe
5748 3uTools_v3.26.007_Setup_x64.exe
2392 3uTools.exe
6092 3uViewer.exe
3496 3uViewer.exe
5776 updater.exe
5680 InfInstallerx64.exe
2748 InfInstallerx64.exe
5736 7z.exe
3620 AppleMobileDeviceService.exe
4676 mDNSResponder.exe
2700 Process not Found
4148 InfInstallerx64.exe
2352 InfInstallerx64.exe
6072 InfInstallerx64.exe
3820 InfInstallerx64.exe
2212 QtWebEngineProcess.exe
5836 QtWebEngineProcess.exe
2368 iTunes(12.12.9.4).exe
6864 SetupAdmin.exe
1420 SoftwareUpdate.exe
5960 iTunesHelper.exe
6996 iTunesHelper.exe
2464 iTunes.exe
4864 AppleMobileDeviceHelper.exe
6544 iTunesVisualizerHost.exe
2812 distnoted.exe
4840 distnoted.exe
3276 SoftwareUpdate.exe
-
Loads dropped DLL 64 IoCs
pid Process
2392 3uTools.exe
-
Modifies file permissions 1 TTPs 6 IoCs
pid Process
5172 takeown.exe
5640 takeown.exe
4196 takeown.exe
2176 takeown.exe
3996 takeown.exe
4884 takeown.exe
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iTunesHelper = "\"C:\\Program Files\\iTunes\\iTunesHelper.exe\"" msiexec.exe
-
Blocklisted process makes network request 3 IoCs
flow pid Process
490 2444 msiexec.exe
495 2444 msiexec.exe
497 2444 msiexec.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 50 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory 64 IoCs
-
resource yara_rule
behavioral1/memory/2392-2380-0x000000006F6C0000-0x000000006FFE7000-memory.dmp upx
behavioral1/memory/2392-2581-0x000000006F6C0000-0x000000006FFE7000-memory.dmp upx
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 64 IoCs
-
Launches sc.exe 2 IoCs
Sc.exe is a Windows utility to control services on the system.
pid Process
2832 sc.exe
5952 sc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
pid pid_target Process procid_target
4772 2060 WerFault.exe 161
1480 5236 WerFault.exe 166
-
System Location Discovery: System Language Discovery 1 TTPs 24 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier msedge.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString taskmgr.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ SoftwareUpdate.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString iTunes.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 taskmgr.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString SoftwareUpdate.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 iTunes.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 msedge.exe
-
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe
-
Modifies data under HKEY_USERS 64 IoCs
Modifies registry class 64 IoCs
Modifies system certificate store 2 TTPs 3 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 QtWebEngineProcess.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob QtWebEngineProcess.exe
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 2392 3uTools.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4076 taskmgr.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process 4076 taskmgr.exe 2392 3uTools.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs
pid Process 2940 msedge.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 2940 msedge.exe 4076 taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 4076 taskmgr.exe -
Suspicious use of SetWindowsHookEx 34 IoCs
pid Process 1404 3uTools_v3.26.007_Setup_x64.exe 2060 3uTools_v3.26.007_Setup_x64.exe 5236 3uTools_v3.26.007_Setup_x64.exe 5748 3uTools_v3.26.007_Setup_x64.exe 2392 3uTools.exe 6092 3uViewer.exe 3496 3uViewer.exe 5776 updater.exe 5736 7z.exe 2212 QtWebEngineProcess.exe 5836 QtWebEngineProcess.exe 2368 iTunes(12.12.9.4).exe 1420 SoftwareUpdate.exe 2464 iTunes.exe 6544 iTunesVisualizerHost.exe 3276 SoftwareUpdate.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 2940 wrote to memory of 6124 2940 msedge.exe 88
PID 2940 wrote to memory of 1548 2940 msedge.exe 89
PID 2940 wrote to memory of 548 2940 msedge.exe 91
PID 2940 wrote to memory of 224 2940 msedge.exe 90
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://url2.3u.com/MNBBfyaa 1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2940 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x2c8,0x2cc,0x2d0,0x2c4,0x2f0,0x7ff993f4f208,0x7ff993f4f214,0x7ff993f4f220 2⤵ PID:6124
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1820,i,13510798284121901530,1619352638505433618,262144 --variations-seed-version --mojo-platform-channel-handle=2316 /prefetch:3 2⤵
- Downloads MZ/PE file
PID:1548
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2288,i,13510798284121901530,1619352638505433618,262144 --variations-seed-version --mojo-platform-channel-handle=2280 /prefetch:2 2⤵ PID:224
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2324,i,13510798284121901530,1619352638505433618,262144 --variations-seed-version --mojo-platform-channel-handle=2952 /prefetch:8 2⤵ PID:548
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3456,i,13510798284121901530,1619352638505433618,262144 --variations-seed-version --mojo-platform-channel-handle=3484 /prefetch:1 2⤵ PID:4664
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3472,i,13510798284121901530,1619352638505433618,262144 --variations-seed-version --mojo-platform-channel-handle=3496 /prefetch:1 2⤵ PID:4676
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4812,i,13510798284121901530,1619352638505433618,262144 --variations-seed-version --mojo-platform-channel-handle=5000 /prefetch:8 2⤵ PID:2352
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5068,i,13510798284121901530,1619352638505433618,262144 --variations-seed-version --mojo-platform-channel-handle=5080 /prefetch:8 2⤵ PID:4148
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5612,i,13510798284121901530,1619352638505433618,262144 --variations-seed-version --mojo-platform-channel-handle=5624 /prefetch:8 2⤵ PID:5176
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --always-read-main-dll --field-trial-handle=5632,i,13510798284121901530,1619352638505433618,262144 --variations-seed-version --mojo-platform-channel-handle=5652 /prefetch:1 2⤵ PID:4684
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5956,i,13510798284121901530,1619352638505433618,262144 --variations-seed-version --mojo-platform-channel-handle=5984 /prefetch:8 2⤵ PID:4456
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6432,i,13510798284121901530,1619352638505433618,262144 --variations-seed-version --mojo-platform-channel-handle=6008 /prefetch:8 2⤵ PID:1932
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6432,i,13510798284121901530,1619352638505433618,262144 --variations-seed-version --mojo-platform-channel-handle=6008 /prefetch:8 2⤵ PID:1948
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6316,i,13510798284121901530,1619352638505433618,262144 --variations-seed-version --mojo-platform-channel-handle=6720 /prefetch:8 2⤵ PID:4500
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5060,i,13510798284121901530,1619352638505433618,262144 --variations-seed-version --mojo-platform-channel-handle=6888 /prefetch:8 2⤵ PID:3096
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=2428,i,13510798284121901530,1619352638505433618,262144 --variations-seed-version --mojo-platform-channel-handle=5884 /prefetch:8 2⤵ PID:5372
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5892,i,13510798284121901530,1619352638505433618,262144 --variations-seed-version --mojo-platform-channel-handle=5504 /prefetch:8 2⤵ PID:2060
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6536,i,13510798284121901530,1619352638505433618,262144 --variations-seed-version --mojo-platform-channel-handle=3888 /prefetch:8 2⤵ PID:1068
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --always-read-main-dll --field-trial-handle=4024,i,13510798284121901530,1619352638505433618,262144 --variations-seed-version --mojo-platform-channel-handle=5916 /prefetch:1 2⤵ PID:512
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --always-read-main-dll --field-trial-handle=704,i,13510798284121901530,1619352638505433618,262144 --variations-seed-version --mojo-platform-channel-handle=5220 /prefetch:1 2⤵ PID:3384
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3876,i,13510798284121901530,1619352638505433618,262144 --variations-seed-version --mojo-platform-channel-handle=6964 /prefetch:8 2⤵ PID:5916
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6972,i,13510798284121901530,1619352638505433618,262144 --variations-seed-version --mojo-platform-channel-handle=6888 /prefetch:8 2⤵ PID:1220
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --always-read-main-dll --field-trial-handle=6932,i,13510798284121901530,1619352638505433618,262144 --variations-seed-version --mojo-platform-channel-handle=3180 /prefetch:1 2⤵ PID:5176
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --always-read-main-dll --field-trial-handle=6960,i,13510798284121901530,1619352638505433618,262144 --variations-seed-version --mojo-platform-channel-handle=3888 /prefetch:1 2⤵ PID:704
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --always-read-main-dll --field-trial-handle=6888,i,13510798284121901530,1619352638505433618,262144 --variations-seed-version --mojo-platform-channel-handle=6732 /prefetch:1 2⤵ PID:5404
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --always-read-main-dll --field-trial-handle=7140,i,13510798284121901530,1619352638505433618,262144 --variations-seed-version --mojo-platform-channel-handle=7128 /prefetch:1 2⤵ PID:3580
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --always-read-main-dll --field-trial-handle=5212,i,13510798284121901530,1619352638505433618,262144 --variations-seed-version --mojo-platform-channel-handle=7192 /prefetch:1 2⤵ PID:4448
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --always-read-main-dll --field-trial-handle=6836,i,13510798284121901530,1619352638505433618,262144 --variations-seed-version --mojo-platform-channel-handle=7064 /prefetch:1 2⤵ PID:1108
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --always-read-main-dll --field-trial-handle=7080,i,13510798284121901530,1619352638505433618,262144 --variations-seed-version --mojo-platform-channel-handle=2528 /prefetch:1 2⤵ PID:5876
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --always-read-main-dll --field-trial-handle=6764,i,13510798284121901530,1619352638505433618,262144 --variations-seed-version --mojo-platform-channel-handle=5076 /prefetch:1 2⤵ PID:5468
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7500,i,13510798284121901530,1619352638505433618,262144 --variations-seed-version --mojo-platform-channel-handle=7480 /prefetch:8 2⤵ PID:5952
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4840,i,13510798284121901530,1619352638505433618,262144 --variations-seed-version --mojo-platform-channel-handle=7228 /prefetch:8 2⤵ PID:4308
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --always-read-main-dll --field-trial-handle=7200,i,13510798284121901530,1619352638505433618,262144 --variations-seed-version --mojo-platform-channel-handle=7208 /prefetch:1 2⤵ PID:916
-
-
C:\Users\Admin\Downloads\3uTools_v3.26.007_Setup_x64.exe "C:\Users\Admin\Downloads\3uTools_v3.26.007_Setup_x64.exe" 2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2060 -
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2060 -s 2392 3⤵
- Program crash
PID:4772
-
-
-
C:\Users\Admin\Downloads\3uTools_v3.26.007_Setup_x64.exe "C:\Users\Admin\Downloads\3uTools_v3.26.007_Setup_x64.exe" 2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1404
-
-
C:\Users\Admin\Downloads\3uTools_v3.26.007_Setup_x64.exe "C:\Users\Admin\Downloads\3uTools_v3.26.007_Setup_x64.exe" 2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5236 -
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5236 -s 2248 3⤵
- Program crash
PID:1480
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7352,i,13510798284121901530,1619352638505433618,262144 --variations-seed-version --mojo-platform-channel-handle=7344 /prefetch:8 2⤵ PID:4088
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7352,i,13510798284121901530,1619352638505433618,262144 --variations-seed-version --mojo-platform-channel-handle=7344 /prefetch:8 2⤵ PID:3344
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --always-read-main-dll --field-trial-handle=6800,i,13510798284121901530,1619352638505433618,262144 --variations-seed-version --mojo-platform-channel-handle=7020 /prefetch:1 2⤵ PID:744
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --always-read-main-dll --field-trial-handle=7380,i,13510798284121901530,1619352638505433618,262144 --variations-seed-version --mojo-platform-channel-handle=7636 /prefetch:1 2⤵ PID:6060
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --always-read-main-dll --field-trial-handle=7456,i,13510798284121901530,1619352638505433618,262144 --variations-seed-version --mojo-platform-channel-handle=6788 /prefetch:1 2⤵ PID:3436
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7816,i,13510798284121901530,1619352638505433618,262144 --variations-seed-version --mojo-platform-channel-handle=7812 /prefetch:8 2⤵ PID:5968
-
-
C:\Users\Admin\Downloads\3uTools_v3.26.007_Setup_x64.exe "C:\Users\Admin\Downloads\3uTools_v3.26.007_Setup_x64.exe" 2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5748 -
C:\Program Files\3uToolsV3\3uTools.exe "C:\Program Files\3uToolsV3\3uTools.exe" 3⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Checks SCSI registry key(s)
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2392 -
C:\Program Files\3uToolsV3\3uViewer.exe 3uViewer.exe /reg 1 4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:6092
-
-
C:\Program Files\3uToolsV3\3uViewer.exe 3uViewer.exe /reg 2 4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3496
-
-
C:\Program Files\3uToolsV3\updater.exe "C:\Program Files\3uToolsV3\updater.exe" /background 4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5776
-
-
C:\Program Files\3uToolsV3\files\inf\InfInstallerx64.exe "C:\Program Files\3uToolsV3\files\inf\InfInstallerx64.exe" -i "C:\Users\Admin\AppData\Local\Temp\itunes_fix\applekis\x64\AppleKIS.inf" 4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5680 -
C:\Windows\SYSTEM32\takeown.exe takeown /F C:\Windows\System32\DriverStore\FileRepository\ /A 5⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:5172
-
-
C:\Windows\SYSTEM32\cacls.exe cacls C:\Windows\System32\DriverStore\FileRepository*.* /E /G Everyone:F 5⤵ PID:5060
-
-
C:\Windows\SYSTEM32\pnputil.exe pnputil -i -a "C:\Users\Admin\AppData\Local\Temp\itunes_fix\applekis\x64\AppleKIS.inf" 5⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
PID:2352
-
-
-
C:\Program Files\3uToolsV3\files\inf\InfInstallerx64.exe "C:\Program Files\3uToolsV3\files\inf\InfInstallerx64.exe" -i "C:\Users\Admin\AppData\Local\Temp\itunes_fix\appleusbdevice\x64\AppleUsb.inf" 4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2748 -
C:\Windows\SYSTEM32\takeown.exe takeown /F C:\Windows\System32\DriverStore\FileRepository\ /A 5⤵
- Modifies file permissions
PID:5640
-
-
C:\Windows\SYSTEM32\cacls.exe cacls C:\Windows\System32\DriverStore\FileRepository*.* /E /G Everyone:F 5⤵ PID:60
-
-
C:\Windows\SYSTEM32\pnputil.exe pnputil -i -a "C:\Users\Admin\AppData\Local\Temp\itunes_fix\appleusbdevice\x64\AppleUsb.inf" 5⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
PID:2240
-
-
-
C:\Windows\SYSTEM32\sc.exe sc start DeviceInstall 4⤵
- Launches sc.exe
PID:2832
-
-
C:\Windows\SYSTEM32\sc.exe sc start DsmSvc 4⤵
- Launches sc.exe
PID:5952
-
-
C:\Program Files\3uToolsV3\files\patchtools\7z-64\7z.exe "C:\Program Files\3uToolsV3\files\patchtools\7z-64\7z.exe" x "F:\3uToolsV3\Other\iTunes(12.12.9.4).exe" -aoa -o"C:\Users\Admin\AppData\Local\Temp\3uTools\iTunes(12.12.9.4)" 4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5736
-
-
C:\Program Files\3uToolsV3\files\inf\InfInstallerx64.exe "C:\Program Files\3uToolsV3\files\inf\InfInstallerx64.exe" -i "C:\Users\Admin\AppData\Local\Temp\itunes_fix\usb\x64\usbaapl64.inf" 4⤵
- Executes dropped EXE
PID:4148 -
C:\Windows\SYSTEM32\takeown.exe takeown /F C:\Windows\System32\DriverStore\FileRepository\ /A 5⤵
- Modifies file permissions
PID:4196
-
-
C:\Windows\SYSTEM32\cacls.exe cacls C:\Windows\System32\DriverStore\FileRepository*.* /E /G Everyone:F 5⤵ PID:712
-
-
C:\Windows\SYSTEM32\pnputil.exe pnputil -i -a "C:\Users\Admin\AppData\Local\Temp\itunes_fix\usb\x64\usbaapl64.inf" 5⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
PID:2276
-
-
-
C:\Program Files\3uToolsV3\files\inf\InfInstallerx64.exe "C:\Program Files\3uToolsV3\files\inf\InfInstallerx64.exe" -i "C:\Users\Admin\AppData\Local\Temp\itunes_fix\applekis\x64\AppleKIS.inf" 4⤵
- Executes dropped EXE
PID:2352 -
C:\Windows\SYSTEM32\takeown.exe takeown /F C:\Windows\System32\DriverStore\FileRepository\ /A 5⤵
- Modifies file permissions
PID:2176
-
-
C:\Windows\SYSTEM32\cacls.exe cacls C:\Windows\System32\DriverStore\FileRepository*.* /E /G Everyone:F 5⤵ PID:5440
-
-
C:\Windows\SYSTEM32\pnputil.exe pnputil -i -a "C:\Users\Admin\AppData\Local\Temp\itunes_fix\applekis\x64\AppleKIS.inf" 5⤵
- Checks SCSI registry key(s)
PID:4148
-
-
-
C:\Program Files\3uToolsV3\files\inf\InfInstallerx64.exe "C:\Program Files\3uToolsV3\files\inf\InfInstallerx64.exe" -i "C:\Users\Admin\AppData\Local\Temp\itunes_fix\applersm\x64\AppleRSM.inf" 4⤵
- Executes dropped EXE
PID:6072 -
C:\Windows\SYSTEM32\takeown.exe takeown /F C:\Windows\System32\DriverStore\FileRepository\ /A 5⤵
- Modifies file permissions
PID:3996
-
-
C:\Windows\SYSTEM32\cacls.exe cacls C:\Windows\System32\DriverStore\FileRepository*.* /E /G Everyone:F 5⤵ PID:1196
-
-
C:\Windows\SYSTEM32\pnputil.exe pnputil -i -a "C:\Users\Admin\AppData\Local\Temp\itunes_fix\applersm\x64\AppleRSM.inf" 5⤵
- Checks SCSI registry key(s)
PID:4616
-
-
-
C:\Program Files\3uToolsV3\files\inf\InfInstallerx64.exe "C:\Program Files\3uToolsV3\files\inf\InfInstallerx64.exe" -i "C:\Users\Admin\AppData\Local\Temp\itunes_fix\appleusbdevice\x64\AppleUsb.inf" 4⤵
- Executes dropped EXE
PID:3820 -
C:\Windows\SYSTEM32\takeown.exe takeown /F C:\Windows\System32\DriverStore\FileRepository\ /A 5⤵
- Modifies file permissions
PID:4884
-
-
C:\Windows\SYSTEM32\cacls.exe cacls C:\Windows\System32\DriverStore\FileRepository*.* /E /G Everyone:F 5⤵ PID:1020
-
-
C:\Windows\SYSTEM32\pnputil.exe pnputil -i -a "C:\Users\Admin\AppData\Local\Temp\itunes_fix\appleusbdevice\x64\AppleUsb.inf" 5⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
PID:1840
-
-
-
C:\Program Files\3uToolsV3\QtWebEngineProcess.exe "C:\Program Files\3uToolsV3\QtWebEngineProcess.exe" --type=utility --enable-features=AllowContentInitiatedDataUrlNavigations,TracingServiceInProcess --disable-features=BackgroundFetch,ConsolidatedMovementXY,DnsOverHttpsUpgrade,FormControlsRefresh,MojoVideoCapture,PictureInPicture,SmsReceiver,UseSkiaRenderer,WebPayments,WebUSB --lang=en-US --service-sandbox-type=network --no-sandbox --application-name=3uTools --webengine-schemes=qrc:sLV --mojo-platform-channel-handle=4204 /prefetch:8 4⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
PID:2212
-
-
C:\Program Files\3uToolsV3\QtWebEngineProcess.exe "C:\Program Files\3uToolsV3\QtWebEngineProcess.exe" --type=renderer --no-sandbox --disable-speech-api --enable-threaded-compositing --enable-features=AllowContentInitiatedDataUrlNavigations,TracingServiceInProcess --disable-features=BackgroundFetch,ConsolidatedMovementXY,DnsOverHttpsUpgrade,FormControlsRefresh,MojoVideoCapture,PictureInPicture,SmsReceiver,UseSkiaRenderer,WebPayments,WebUSB --disable-gpu-compositing --lang=en-US --webengine-schemes=qrc:sLV --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=2 --mojo-platform-channel-handle=4228 /prefetch:1 4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5836
-
-
F:\3uToolsV3\Other\iTunes(12.12.9.4).exe "F:\3uToolsV3\Other\iTunes(12.12.9.4).exe" 4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2368 -
C:\Windows\system32\msiexec.exe "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\IXP809.TMP\iTunes64.msi" INSTALL_SUPPORT_PACKAGES=1 5⤵
- Enumerates connected drives
PID:6428 -
C:\Program Files\iTunes\iTunesHelper.exe "C:\Program Files\iTunes\iTunesHelper.exe" 6⤵
- Executes dropped EXE
PID:6996
-
-
C:\Program Files\iTunes\iTunes.exe "C:\Program Files\iTunes\iTunes.exe" 6⤵
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Enumerates connected drives
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
PID:2464 -
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe "C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe" --pipe \\.\pipe\31189486162541112443642464 --parentPipe 7⤵
- Checks computer location settings
- Executes dropped EXE
- Enumerates connected drives
- System Location Discovery: System Language Discovery
PID:4864 -
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\distnoted.exe "C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\distnoted.exe" 8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2812
-
-
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\distnoted.exe"C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\distnoted.exe"8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4840
-
-
-
C:\Program Files\iTunes\iTunesVisualizerHost.exe"C:\Program Files\iTunes\iTunesVisualizerHost.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:6544
-
-
-
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=7620,i,13510798284121901530,1619352638505433618,262144 --variations-seed-version --mojo-platform-channel-handle=6480 /prefetch:82⤵PID:704
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5472,i,13510798284121901530,1619352638505433618,262144 --variations-seed-version --mojo-platform-channel-handle=5456 /prefetch:82⤵PID:5028
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5672,i,13510798284121901530,1619352638505433618,262144 --variations-seed-version --mojo-platform-channel-handle=5848 /prefetch:82⤵PID:2688
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5156,i,13510798284121901530,1619352638505433618,262144 --variations-seed-version --mojo-platform-channel-handle=5828 /prefetch:82⤵PID:928
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6084,i,13510798284121901530,1619352638505433618,262144 --variations-seed-version --mojo-platform-channel-handle=5476 /prefetch:82⤵PID:5900
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5664,i,13510798284121901530,1619352638505433618,262144 --variations-seed-version --mojo-platform-channel-handle=3528 /prefetch:82⤵PID:5080
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3916,i,13510798284121901530,1619352638505433618,262144 --variations-seed-version --mojo-platform-channel-handle=4044 /prefetch:82⤵PID:6600
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7924,i,13510798284121901530,1619352638505433618,262144 --variations-seed-version --mojo-platform-channel-handle=6596 /prefetch:82⤵PID:2848
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"1⤵PID:1056
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start1⤵PID:5348
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start2⤵PID:1312
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /71⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4076
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:3276
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost1⤵PID:4568
-
C:\Windows\System32\ildjt0.exe"C:\Windows\System32\ildjt0.exe"1⤵PID:3112
-
C:\Windows\System32\ildjt0.exe"C:\Windows\System32\ildjt0.exe"1⤵PID:5168
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" "https://www.bing.com/search?q=ildjt0.exe ildjt0.exe"1⤵PID:5012
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --edge-skip-compat-layer-relaunch "https://www.bing.com/search?q=ildjt0.exe ildjt0.exe"2⤵PID:5544
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2060 -ip 20601⤵PID:1292
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 5236 -ip 52361⤵PID:3560
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4448 -
C:\Windows\system32\DrvInst.exeDrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{cd7ff25f-8475-2f40-bc40-909bb41e730a}\AppleKIS.inf" "9" "4639b046f" "0000000000000148" "WinSta0\Default" "0000000000000158" "208" "C:\Users\Admin\AppData\Local\Temp\itunes_fix\applekis\x64"2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:2328
-
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{64a9f068-05b3-4d4a-b910-45858907811d}\AppleUsb.inf" "9" "4ca0613ab" "0000000000000158" "WinSta0\Default" "0000000000000160" "208" "C:\Users\Admin\AppData\Local\Temp\itunes_fix\appleusbdevice\x64"2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:1376
-
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{de4d3bb8-b344-654f-8ce2-840d531ef2b8}\usbaapl64.inf" "9" "452eabb2f" "0000000000000148" "WinSta0\Default" "0000000000000164" "208" "C:\Users\Admin\AppData\Local\Temp\itunes_fix\usb\x64"2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:4164
-
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{904d7584-bbc8-c048-8961-63ea7a4eeb72}\AppleRSM.inf" "9" "4c7809927" "0000000000000178" "WinSta0\Default" "000000000000017C" "208" "C:\Users\Admin\AppData\Local\Temp\itunes_fix\applersm\x64"2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:3904
-
-
C:\Windows\System32\SppExtComObj.Exe"C:\Windows\System32\SppExtComObj.Exe"1⤵PID:2428
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Adds Run key to start application
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2444 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 270CF57EAEBD66B0BEDCE6C272AD9FEB2⤵
- System Location Discovery: System Language Discovery
PID:3996
-
-
C:\Windows\System32\MsiExec.exeC:\Windows\System32\MsiExec.exe -Embedding F3A39AF7088C53C30F9F577AD9AF37822⤵PID:3912
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 31E64CEE8BE1ED320BA99A05684BB97C E Global\MSI00002⤵
- System Location Discovery: System Language Discovery
PID:4024
-
-
C:\Windows\System32\MsiExec.exeC:\Windows\System32\MsiExec.exe -Embedding D0346C3C7C9B1A8975F1556A491C7B202⤵PID:3556
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 9C56AC726067DB2B1E181D357EBB34562⤵
- System Location Discovery: System Language Discovery
PID:5092
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 61F4DE0C422AAB0B2AE796DADB84262C E Global\MSI00002⤵
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2496
-
-
C:\Windows\System32\MsiExec.exe"C:\Windows\System32\MsiExec.exe" /Y "C:\Program Files\Bonjour\mdnsNSP.dll"2⤵PID:5256
-
-
C:\Windows\syswow64\MsiExec.exe"C:\Windows\syswow64\MsiExec.exe" /Y "C:\Program Files (x86)\Bonjour\mdnsNSP.dll"2⤵
- System Location Discovery: System Language Discovery
PID:5176
-
-
C:\Windows\System32\MsiExec.exeC:\Windows\System32\MsiExec.exe -Embedding 3DC9FBECAB739039B21F7B89F0940CDE C2⤵PID:6732
-
C:\Users\Admin\AppData\Local\Temp\IXP809.TMP\SetupAdmin.exe"C:\Users\Admin\AppData\Local\Temp\IXP809.TMP\SetupAdmin.exe" /evt E516 /pid 6732 /mon 788 8003⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:6864
-
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding B1503F520ADBD5305513B9C61E446A652⤵
- System Location Discovery: System Language Discovery
PID:6920
-
-
C:\Windows\syswow64\MsiExec.exe"C:\Windows\syswow64\MsiExec.exe" /Y "C:\Program Files (x86)\Apple Software Update\ScriptingObjectModel.dll"2⤵
- System Location Discovery: System Language Discovery
PID:4164
-
-
C:\Windows\syswow64\MsiExec.exe"C:\Windows\syswow64\MsiExec.exe" /Y "C:\Program Files (x86)\Apple Software Update\SoftwareUpdateAdmin.dll"2⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:968
-
-
C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe"C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe" /RegServer2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1420
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding D7159FD527C9B1C198594E862C60C1AB E Global\MSI00002⤵
- System Location Discovery: System Language Discovery
PID:5072
-
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵PID:6512
-
-
C:\Windows\System32\MsiExec.exeC:\Windows\System32\MsiExec.exe -Embedding FBD1693348A612B53293D63F687335C02⤵PID:6908
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding D13E3255EFBD49C34F5B08C8CF61B6952⤵
- System Location Discovery: System Language Discovery
PID:7060
-
-
C:\Windows\System32\MsiExec.exeC:\Windows\System32\MsiExec.exe -Embedding D943E4EF0B17CB18DADF8C23C38E007F E Global\MSI00002⤵PID:7152
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 92C4E89ED6F8DE2DFCA7A747E0C67FC5 E Global\MSI00002⤵
- System Location Discovery: System Language Discovery
PID:3020
-
-
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe"C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe"1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3620
-
C:\Program Files\Bonjour\mDNSResponder.exe"C:\Program Files\Bonjour\mDNSResponder.exe"1⤵
- Modifies firewall policy service
- Executes dropped EXE
PID:4676
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{16D99191-6280-4B33-A2F5-04805A0FC582}1⤵
- System Location Discovery: System Language Discovery
PID:5376
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
PID:2776
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Program Files\iTunes\iTunesHelper.exe"1⤵PID:6104
-
C:\Program Files\iTunes\iTunesHelper.exe"C:\Program Files\iTunes\iTunesHelper.exe"2⤵
- Executes dropped EXE
PID:5960
-
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x500 0x2d01⤵PID:5440
-
C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe"C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe" -Embedding1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
PID:3276
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{16D99191-6280-4B33-A2F5-04805A0FC582}1⤵
- System Location Discovery: System Language Discovery
PID:6104
Network
MITRE ATT&CK Enterprise v16
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Component Object Model Hijacking (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Component Object Model Hijacking (1)
Defense Evasion
- File and Directory Permissions Modification (1)
- Impair Defenses (1)
  - Disable or Modify System Firewall (1)
- Modify Registry (3)
- Subvert Trust Controls (1)
  - Install Root Certificate (1)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Downloads
-
Filesize
18KB
MD58490f8bf0576147ba7cd139446e6cf20
SHA148a557825885bea1a6afcb662b07113e99a20136
SHA256bf81225b2c30aabab43beb74142693ba800af85f88025446aaed2dcfd5068ffa
SHA51286f0896fa6ad25a9550cbb3d0746eb413c86832986165e0824eadd917bb902b1f13c9aa60db78d477c3c5921fb7fe1465025765429b6a5a7e638da8063487753
-
C:\Program Files\iTunes\iTunes.Resources\id.lproj\[email protected]
Filesize5KB
MD511b4d45789544050871f75c0fb3b5e3b
SHA13362722a15fdd5a67d0c7e1c643c64a3630e89df
SHA256f03209b2a8826502acf29e9769c73e1fabb923f4ac11057299cf8fea57a13def
SHA51251854f9a9961224dac3fab303d2e39e0a30d3f52b9d5e561dc07c69950733e6a9c6f585e001a3f9453fe0a7932a74e9b53fea0e87a691787cd11cb009017a794
-
Filesize
261B
MD571062ebf3a5a9b5c578387aabb2e7fd3
SHA1410d43bb43f7ddc7ee7cc225963303326485bc0a
SHA2565c751b7f4b96d07b22971ea4977566ed88c3297ab7d0b2853e7e9baec00be1a7
SHA5120ad45440a3e77a4ea2d1ebc8531c91fcd663e596a90f5cdf1d0a57384c54d988c0759dff51f5231d973f9886c80c16feecfc16da84579a0cad53ba70b984a865
-
Filesize
241B
MD5b52bc951d0c8f8dae4329368388dbb76
SHA1ae408ee6f2d946aaddb8be466f7de2b99c7c4c58
SHA256befb8ccb14ff090ad56345786c9f367a8cb2d14516ccb52dcda123df5e5dfbe4
SHA512144de7bcef6fc1be493229c84c2038e2c6b6719c5ceba95d7abbc14539c5222a3bd1e65eb00e0c0f3bfbe6e0be4ddbc9d2876dcfdb9f1b3372cd3361d7f58d98
-
C:\Program Files\iTunes\iTunes.Resources\nb.lproj\[email protected]
Filesize948B
MD5c6beffb1568071b2fab6f19bb9c875c2
SHA1137ada0e83cce6b784a8d4f345430c28d61944a3
SHA256f1b5cce0aece4f65441bb7cbbf86155ad2d4e90b8bbba8252de985ae02d751a5
SHA512a1e811646642fbfd11ae794e7c764a3bff39e285f1724deddbf9ed516cfa7929e8ce10611b9d0cc11f6c1944728f4aedca99df5badc72f2878209c3d24b28758
-
Filesize
310B
MD5e4f62c535e191b6d40912f32c60e1eff
SHA137203bd8a250fb9b7471e1a4b8b2dd4f727aca2a
SHA256800cb75b9347c5142edc9094c9c829b10b6a280271f19e8ef3b4673a1cc48484
SHA5122b64834f62de68efc971bf59e36d7cc0a29c3e7dc4c2c987ae6840488f6fb94e88ca73276fd0968f2f6b68d427a5f87a97faa0821f0cefb533deab38a58f3630
-
C:\Program Files\iTunes\iTunes.Resources\pl.lproj\[email protected]
Filesize9KB
MD5010e5869f100573199acf50905ba17b3
SHA1da950fbeb52dea27dc393ad4a113422238bd6002
SHA256f533c5ca2a6bdcd1a9c7f757c0c9a17d894b2717c3493bd7ced8f36a722eecc3
SHA51283c30c0291ce0540a41f07a6566eab12b784efe5a7a8dabe29dee67fdfdc0e53e89026511476d0abd46a267bda76e179892a249be46619c7b6fd621d1ce753ca
-
Filesize
5KB
MD5d947d2a1018ae12438bc118af0a04215
SHA1c816253a5341d804712b8fe00967cbc887f99907
SHA256041204ca5fb90b0d19d0f8b5bae858bf4022d9c794990e8fa4a0bc7eae093ed7
SHA512bf7192cd4f137311d4696a0dfcb5fec66df5ad45e301fff3f8d4104163b0c64d8abf2b2d3f4100802f75aa55b435cc890005d5836c1350702473b0359add46a8
-
Filesize
662B
MD5471584f30a8dbce0f8e4ab7a781d3705
SHA11d4ec7b6ad3ae1ccd48056c84d05f2d684db85b5
SHA256ec0e0c2e51cf0c587bd8cd8842682ed78becd0cdb76ba06cb1c8cc1d98c710c1
SHA512b6370cdbf9430cccb041c21641409e43bfd2a1b78836ee38fd0a706f26623ea1cc84e645fe6b501fed06b4222173055c101bee5de2cdd012c0cf5451cd3031d5
-
Filesize
622B
MD5589bbd384b604e83cadeba1d59f8fd90
SHA1ee6fe62fb935e9f1007f31eea754e3cdc315d022
SHA256096343c9ddc34fead4232f182085ceba66907446657257969f3916ba991eb58d
SHA512369b8d35ee411971f1dfd02fa065ce2badca714a0046cd26d098c15a8f55185178206516a62de59f81bfd285d4a8804a29b64d98f51f4e4a543bdb2eea993736
-
Filesize
10KB
MD58246496c258d58712c0a972bece0d69a
SHA165f4a403895354702552e2769cfe7f480a70ea6f
SHA256f930036e7cae52b4022d979fdd6274d8604ca4c7e6f14495223dd78c17bc19a7
SHA512b1dc4bfc186762e414ece274b158f10fefaa86ec373c732c804381733a7c17cd56e27331ca7381e7e9fb795c04a4a09ac75642684f36f99d4c2ae2871dd8d447
-
C:\Program Files\iTunes\iTunes.Resources\ro.lproj\[email protected]
Filesize1KB
MD56cf4cedb6b5148b103fc91a2d057888d
SHA123e873c7d60c21248eb9f8381643a295dc4fb12a
SHA256dae1592358924b99a4363cf20fc4a6dbcaeffb5af2f7a248a0fb687e95336597
SHA5124847a96925aa568c6d523f84e760b35d0f4abad4b6df70c3ed6003289b776b3327bbc41dda3da96221113e41b0097a2275db5bc562c77117db6c04e4275fc583
-
C:\Program Files\iTunes\iTunes.Resources\sv.lproj\[email protected]
Filesize25KB
MD5784f871663195e678f524f4aefccc28a
SHA1ee8a70134370ce17ce49bb31e92cff252958d202
SHA256efab63103f90135001658bac9c8724da424e81fc05c9385953a7555c6ce1ace3
SHA5127e1b0f1f74abd674b09443b835da35b9b1855a0d7ac15e60670c6d3ffa1059fb13ccc579f069e444d073be0da76b65b4dc1d517c2ffef654a99ba9143fda6f7b
-
Filesize
2KB
MD567f1b4232079935a9998b0395a6b7c10
SHA1ac4bfc88ed92cb526720f9cc9b4a377ae6a7a787
SHA25695f0affa39a202e292a5f630a2524c8de31b6478304e040ef06488d9dd1e9f0a
SHA512410e56ec048d2033e7e05202fc09575758d5c5e441146bd89070106108f1332e3ed3b8868238c78f18c0d641898607ecf1c704f51234d741f0693868966b0219
-
C:\Program Files\iTunes\iTunes.Resources\sv.lproj\[email protected]
Filesize8KB
MD5d9eb252906d8d98e592ef01034a94c76
SHA15fd847136846bba1957e2ace9e1d3ec482de2e5a
SHA2566f231775671c67eaa458a6a2d1405f3e5c52d56882f5620aa435166f4bfb7529
SHA5127bd132759532496ca864cfff7ad411ff48e3d2a9ab28e3b50afdabe5782d853da52a09f093b25c0d7c60906ce42ae8a28634df363fc6a435962dfdf3ae9faa71
-
C:\Program Files\iTunes\iTunes.Resources\sv.lproj\[email protected]
Filesize1KB
MD5e85fcfa0b73018404b29d4fa04f047a8
SHA12c7ba150c3fd101231563ffec9a7fd5ec5ae02a0
SHA25655617519bf037182dc93082300e162933c3771996607aeb605079bb834a182ef
SHA512141c92030b58dea61e29020b1792cc2a8dafd306af2a9130b105721a026b81a05d0d1621d4a76f6b6e5509dfffd47506885579279b6a098130b542df60b0f884
-
Filesize
226B
MD518109ed593d861bd659055a5bd9db831
SHA13b2596e909633ca509e857650d7d7c9693987a4c
SHA2561c28554bca95dba35ce291c0a42e0810e2ceebe805d63f916b6b7505e057752e
SHA5121b8bb8ce363f7b5db7fe6648f518d0d528cb47bc90f5c80e66d8928b79f7912879b1c35ec6944d9ff91cb70c84547b9e46758cdd315e299453016da3cc24bed9
-
Filesize
3KB
MD5ceeb4e2a8deb651b69a973f5d671d92f
SHA13fff59aa350cdd2cfea69c08b55540b63122bf26
SHA25651edab4204721531caab3a704e86d54445db4b4ddca70ef2c4b1012fa6bb3d5f
SHA5129112040b761b90b93e89249986e6e75d55038fc1537293d7eadd02e181effd601ea15aff7a3100cf2c72de610b8b4cfefb433ae8bd75499e4a3dbbccf8410493
-
C:\Program Files\iTunes\iTunes.Resources\zh_CN.lproj\[email protected]
Filesize386B
MD5ff602a53d097a0d42fae257d6cd2fcac
SHA157ed476c7c88b7c231ec9e4d6acbd5c04808d78c
SHA2568acad76c6c4eb0c023664b845a7492adc2e418cefa48aba7e99496125a06e5cf
SHA512a5f0d07314040fdbc614d09e2d38bf87ad0a1286c472f8c7403dd488488124e769d436ec1b01ff1b47825455f03aafadcac5722f4367fcdefb13ec3de0ec8def
-
C:\Program Files\iTunes\iTunes.Resources\zh_CN.lproj\[email protected]
Filesize314B
MD5755eb418266342b17633f1615a1882b0
SHA1df51fddb36717426da15d38f4edd48f74c140364
SHA256f5f639656493f65e4a5462f6c4e280fdd54a7a4e839c2c0f52c8b5b1840fdab2
SHA5128bd4b9879f1899c2a5e5f9de80897882f262252260c69767365634f9a97e281020176613c58a9d22ffcb510f1cce66dcf26903092c455d7b17f951ba0876f116
-
C:\Program Files\iTunes\iTunes.Resources\zh_HK.lproj\[email protected]
Filesize416B
MD5e14f8e390a9c489b10eb23306d27824a
SHA1e33831e12fa5092ca15e7d8af7b01afed996b30c
SHA2560775705d7637f7173ec31f22e324af8160b43d4cc6a47a2f199b3751963252b5
SHA51263c3e261ea445de5d7eaab326e0168db054b4d953e81f89f16446a1ef5170a96aa32db5d7cf42181f990a8028e9a67764885a6d94f74d1d1c9910dcebc4f8a4d
-
Filesize
37.4MB
MD5f76984d6a5d80ead9c597ed723a3a4d2
SHA1161b2b74aded0e27d60ce71e8e1cb81d20caf527
SHA256985fb377ba59ef405cd7591b646cb17ee6cbebdb8fcfa33f4510c6e9ae7dd16e
SHA512c43903add9fac4a3b1628b32fe173c5a3d9ae2aaec85b3a4530a86b798a5a1db58923750f3da36736b0f04f5180a48a13036a4f4ae66312838feff360b800a83
-
Filesize
24B
MD5b57780f56b4c4b8a2df27c3a4181bde4
SHA16678066a428462808c92fee74ce2004f835179b4
SHA256b6b33ee8d99f0c1278122e9e50b6a9ee47db07881500c11923120a4543df1db3
SHA512f081952e0550b23f7156f309a54b9a952f28c2d91b2cc774cd15eb6b496f1888bb050413595d2570224d448a25f9be733860d6b3001c276dc6cfb6cd116bdb65
-
Filesize
451B
MD5ce0867b34ece588aefb8a1a6803b6115
SHA109415182a23d780bbf1d0578e484d9ba23b05457
SHA25620487f9dbcb87c0889c35f5d642367470ffef0d1b08b5e702d8e4fd95638557d
SHA5127f189837057f13162b384425f673d80ee63581404aff1d01304ad798ce4a32ab9d0f836405030a256655215f2029de90e473c92be5c4cbf582cba9524cf291b7
-
Filesize
77B
MD503dca35d88c4928191a2388914efc8eb
SHA1a99908cdc112d4f7b03536c97e4c6c2675c4e0bb
SHA2560f971d39764ac2a152018cb156797318dcccf881c4e861aa882c2fb0f44ef8a7
SHA512e8852724c3b44b9fc18b1e3b9dbfef0f05404090891c91449603930dfcabdcbcbe10dfbdcae00be368390f7a1ad327f77ddedbb121c6eab62e2412bbde30bdc2
-
Filesize
1KB
MD5aa37a45a141bd140766ea9e0b790181d
SHA15be27321fb8765d7b9e00a495295d470abd7fa4b
SHA256db7cdc489871e795ea12e0859fc0a37740d51fdd789997ffba2797c686354db3
SHA51256710e615e68f2a2b25927fbe67663ed992cc1c6b117aebcf2dd223b640f28628a0a5a5f234007dc2f2bdc1a0318cab629d5f70d58741845e66c16fff4409436
-
Filesize
1KB
MD558ac609e9bad28d310049ecf63e14828
SHA1dd37a7dd78ffbaf104727cc298c5901e656a9675
SHA256e49bbc40398f8f0e608d50f2ae3f0b102c074515aa43efbbbe40343e9583ded4
SHA512e59c4dd978c05e9f46ddd54a735898d4661f92a80fac7399c1c97af813663f6c84282630ced5281cbddd1b79638e71d5f99a3fbc8f7334ef23369b36b529afcd
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\14561BF7422BB6F70A9CB14F5AA8A7DA_A81BB8DEFA061C43E51385B3AAAA57B8
Filesize727B
MD59f40ec3cc0cbdb5d14eade113ee34f57
SHA1735e3b522294e2442d3db73bd37e23043c00ff74
SHA2561f8ff22e930f94ab44c6b4987922e0ed21a38cdee2b7fdb881ff2eedcb736aed
SHA51221a139757a0fa15dd17654c6570e6977064738ffba3c45b96e12945c73e4744bf1a850c88a41a28575d37879873772654854ab0c7f7e1ba64bf7acdfafb002a5
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_23FFFDCAABB8E63694AD1202ED02BF57
Filesize471B
MD54587d52babb585a6c764b03185519360
SHA174b2bad738d94519e33e97d2713bcabb08d7f4da
SHA256b66fdb3918a39f784976c41c0b94f0fdf59217aade0d491e22c84928e99589d5
SHA512490a908a47a2c04252dea7abacc4a12a8f7317fc01cea6ecdd958b8bc013955c78e63348749623bfb071cb8f207758c98ca7ff1d184436be2a2cbb6bd9ca3570
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\14561BF7422BB6F70A9CB14F5AA8A7DA_A81BB8DEFA061C43E51385B3AAAA57B8
Filesize408B
MD50d1fe868708d7530b6da83cb3863cd8c
SHA1434e5c9091c78c7b8cabeb3f54b1e67999cd368e
SHA25690784aaae4da76c39c2fbe732b39efdc15812175e84ebb4b88647d50be80030e
SHA51209bc631710aacab1b713f731ef8e02894202e4c3e4522a569fb191976b51b12ac2866554b60518e2feb7623af2014e720a92ba57bb0bf7c079cae957b0dc6f01
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_23FFFDCAABB8E63694AD1202ED02BF57
Filesize400B
MD57901f11dcf2992896b9a5548c7eee1a8
SHA1b02b1dc353b5e462c2e65e39119cb130bfb766d3
SHA256b2385a0aedd9ca8fac8dc9597346be20586995b1821117070e4b291b3527aa4b
SHA512a511db3fe08a0d93381117cce6182b64ddaf4aaebcabf0fd98ad64a3ff5ea37b510099f676871e894b1f8551f80ece6b6917dce2e0dce81c1904195069295e09
-
Filesize
188B
MD5c9d13cb52b68a92160a269ea151b197d
SHA1989b3ae882d689e66d15a620cfcee91b589be675
SHA25664751ca2cebfdb4835433c6ef833ce0ec120126484fa4fe76ff24bf5beff90e5
SHA512baf1e67294650d5162332713cc2ccda2fbdd81573ccfccadf642d10f2fd4a6781ebf911bae92ae2458051f18e1c2992b8937301201582769c30b83253bbe92c3
-
Filesize
59B
MD52800881c775077e1c4b6e06bf4676de4
SHA12873631068c8b3b9495638c865915be822442c8b
SHA256226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974
SHA512e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Autofill\4.0.1.21\autofill_bypass_cache_forms.json
Filesize175B
MD58060c129d08468ed3f3f3d09f13540ce
SHA1f979419a76d5abfc89007d91f35412420aeae611
SHA256b32bfdb89e35959aaf3e61ae58d0be1da94a12b6667e281c9567295efdd92f92
SHA51299d0d9c816a680d7c0a28845aab7e8f33084688b1f3be4845f9cca596384b7a0811b9586c86ba9152de54cafcdea5871a6febbee1d5b3df6c778cdcb66f42cfa
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Autofill\4.0.1.21\edge_autofill_global_block_list.json
Filesize5KB
MD51c865471f98902a3818e8bbf46360342
SHA1932497309e942f67080b84dd37dbd634117135d4
SHA256b3ed570caaa1e88ca7fdeaa6569b5ed172adcb64221766cc73fd7e6b07e0c65d
SHA512d77791b1a55cbb09a6dd88911be0219c712d573238666e09b0c18f7b92573db2a54dc0525d3232851f1bb9c008c2ab542bb4fcefa09b7a4be50fcd8bad4e231e
-
Filesize
509KB
MD5c1a0d30e5eebef19db1b7e68fc79d2be
SHA1de4ccb9e7ea5850363d0e7124c01da766425039c
SHA256f3232a4e83ffc6ee2447aba5a49b8fd7ba13bcfd82fa09ae744c44996f7fcdd1
SHA512f0eafae0260783ea3e85fe34cc0f145db7f402949a2ae809d37578e49baf767ad408bf2e79e2275d04891cd1977e8a018d6eeb5b95e839083f3722a960ccb57a
-
Filesize
280B
MD537ce022f0541808e190165127ef74e24
SHA125c13f622316359dbfb4270b30463cccec6daf9c
SHA2563e16b1e599311209f195e48392fed916c277781b017c55901a1b3a6162bcd6b1
SHA512fca35a8857bb5ee5339b63248d28bd5d534a14187fd53be395e9284a8ba937e3000de870f64cf3f2c0c5fd93c44484971b800802be8b72dd54bcfcf28c7d32ed
-
Filesize
352B
MD5a915b97fb518ddf13fe605d3695a8a65
SHA15b509a7c5dc097011bf2b179c5960a68ec99e031
SHA25646e04e8b0cddedb1940e5e9892ea9e628588f103ed7321992825b186894dd26c
SHA51295321a9494c654ddcb23cf4f66618d8ab3ac9e6fa7bf8c67553cadf8d9179ad7d5691ae8b0ccf1562d8691feeaf0ec8ab10e9ad2240f8724d323a364965d3a4e
-
Filesize
268B
MD56567f9952f3ce901f4f7d902f5ecce4b
SHA10324ef45eb1b0471c2934838d9dad03f4e3e5624
SHA256d412734531c594078722a99f7779e5524c440ea35c9617ee3cffc4e58dffb367
SHA5125b3073340162825937675ff4a04d9f478cadfa2490b9ace87e6bed5c128544d818105c72d85d180df6f7d9d2802ab8ba82368fab0a83fcaf827ca9490c0c0fc5
-
Filesize
4KB
MD57bdcaa29608e523d0b766ac29d420057
SHA122c6eea15548697b572b697b1d3108e71a900828
SHA256539570075bcd6a38067bbf50e9d6496feb01a6c03276c80610e8d8d545b45104
SHA5123976aa9759b8f176f910ae4976de72db56e80997e8e0a944c501fc91b66f33f3a7addbf44b5fe5ebc442034dd6bac624911f30a267b24de772974c7d224f5058
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize4KB
MD5eb38c2f13966a1b5f85a0bf1b5d7c83b
SHA1283a121056651b69c993fefcaf4b528ee59ef0ce
SHA25690557cdbecd2187f5e05a16e200c924dd940382bc2e612949b6da35b91f424f4
SHA512d12b5959471884fd578dace2d455dc33fbd85b7178ee6b5a4b442207fe7b206fca2418c8fe7b5f6ac16d8ddce784ec82e36465d007a6d983bf58bff84d2fb045
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize4KB
MD5d700db306a74710084f266223f97e67d
SHA1133150c6f5572e9fee0150f13f53a7eefb2d11b2
SHA25652fc38565e5debdddf9e5ccf9d22a235ecc6095fa505ac4237128a90b50dd2fc
SHA51209b7b5408697ddd1eb41df88bfac9cf941858c5870d06d7a8b7793c89ac4f399c0c470ddcbd35d06311827aa17eb0dfd811ae8d2fc595118874a95fe89deeed9
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe58b34d.TMP
Filesize3KB
MD5fa5d78ba8141abd69e18cb00921b1f11
SHA1d069900efae0b57cfa3472102401459015632a03
SHA256dbd8f63ee07b24f59e242863b2c9c1be1018814e7ec42a2ba659e5e56442aeb3
SHA5129d38e6279621d5488af6a645529c8fa1ac77460842123e840ee95b144ad34d032afcb42484b450c192a45c750fb89a81e83aba1fe7751babd948ce6bd332f222
-
Filesize
2B
MD599914b932bd37a50b983c5e7c90ae93b
SHA1bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA25644136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA51227c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
-
Filesize
108KB
MD506d55006c2dec078a94558b85ae01aef
SHA16a9b33e794b38153f67d433b30ac2a7cf66761e6
SHA256088bb586f79dd99c5311d14e1560bbe0bb56225a1b4432727d2183341c762bcd
SHA512ec190652af9c213ccbb823e69c21d769c64e3b9bae27bea97503c352163bf70f93c67cebbf327bfc73bfd632c9a3ae57283b6e4019af04750fe18a2410a68e60
-
Filesize
2KB
MD5b67e386619fb3e6429053655cde6c4db
SHA100f03066c1154c2b10e67ac93ed9ea75967dc4a6
SHA2561ec9a7479662eff8312878bf3cc3941f32fbf141875514a86d304dd17e7c0e4e
SHA5121db349878981082b3dc896259648140efc9f8f92e800b44c9e6530cf5729ba87f3b3ab8314591962dabb2e9dfe3633fe4a6f187e63fff9e4ae86b0d45ca48bff
-
Filesize
5KB
MD59fe7f8ecaea5b51a9ad46840e96ee14f
SHA135f93a20d601e5b309513e22ac470bb9c8627cf2
SHA256baaef36abde9bf1306f50f2e4e844df3206d18852016b25e243de3b01e5eaa28
SHA512745038aae5022202128c2ba045e2ead1d854938e4d01b461428b823311bde5eeb7ec6072e841f6f3ae942344783740bd6500dabc8fe91f65a8b88bdfc325fbaf
-
Filesize
5KB
MD557df952b92059832895da8dc1e95eafd
SHA1acaa2089a51d1ec1aac0f12a758e1f1a8bff4c32
SHA256e90aeb07ef7894ba94302956d1fee93bd7b154900c09619525bdfaa7c932f446
SHA5125d24744bd3f6b209e875a03c0aa4930a6d250515aeeb8513ac448a9b28bdb6f6f93c386cf09f2561cd0d7b962deb5018255ef39f015d122ee6d608d68f1d992f
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
40B
MD520d4b8fa017a12a108c87f540836e250
SHA11ac617fac131262b6d3ce1f52f5907e31d5f6f00
SHA2566028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d
SHA512507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856
-
Filesize
211B
MD5e40090d259facaf6401019ce10d11a00
SHA1e668e76e569aa3bbd9eb64d1b02a96fe03f1a978
SHA256132a04563643db8d3550b388a1320c0212456fc53bb71d5ebc39561ef6fcc439
SHA5124181423264bb573ec326798691183f3a64767febacfe9c796914551eb5be8f1d6ea5412c4c22ab18001e15e435ed8f28af1d9a65b942e02dfb0de15ba69517b9
-
Filesize
16KB
MD516324da0c0a1b56bd84a6d4456ba0b3d
SHA1875d47d776c8d7f6a0867bab057837462854213d
SHA256e4460250a9f9f3434a37414ce63047277af68b7c2bbab0ab6b7c2ef62e4b3b02
SHA512846e7ac37bc78886b0930169fccd6669bac3f6f0b50ba5315f519b34a065cde449ddb1e9e5395685a362394ee80e6b0754fd86dfe5735604e8307a2d993afa78
-
Filesize
15KB
MD5faf27cbea09a5af0dbfa885977043d36
SHA15fad5e2fbd69152e98fe5fa4dd26ef7f0e3e986e
SHA25623ba3796750988717a23d7d2e598dc0213355dd7764d6f926c2eaf3d4238d12b
SHA512e4edc8cbe602fde4323c74c64219fca1b2d3d0e772c912af1d66e4f2454fbf6a6675b63b64e27f65e2063b1e5d463ffb4b5cb502e93dc5d57ca3693ce8bedeb8
-
Filesize
16KB
MD50ebf34dea6e4d2f2eac840b628f56b93
SHA12cbc1c51620c00d1c77411cdb5621cd09264dd9a
SHA2564255e97761f7174a3aa18f08467f12d0113907b3fc0c340e45bc030f8c0f4c70
SHA51279225a4500b504bb9ca297bec9d99377ba0d6c2435cd111b2613378b7e09a91d13cf65ab1550c77232c7e582ab471073ac6c62953146c0c5e27fb346cc1530bf
-
Filesize
17KB
MD5aa851f0ba24ad6d6edc63e0d8939edc4
SHA1b60b691902a1b699f9700ef29985b02f709aa2ef
SHA2560acd62a09f10b6fd77a46f0339cfe8e4b36d2ca6b9bfaa56f88d41dafad4ceb1
SHA5122e9eb36bb595d5641080f0ffd4406f163f204e02b1adafdc25c9cf8a9033a68ac8f6d020980ef9334fc72f9bcb45c9522f19aed403effee732e248687e641227
-
Filesize
36KB
MD5d679d2399d68cbe4d581ffb7a596fd4a
SHA1b1dd95d5fdfc1b21b8c2b81a43ab23be9cbdda34
SHA256bdbc3ce961ed03d16edc86a3d9b27f733f463555543e66985721d1f2fb2858ee
SHA512fc1589d0319df5d6d1a4748d8d082991253ecc5ca470f8978290a7dcb6e674a9660c815faf918cfcf6d9b2e73b9b03c25e2f79912da40af7c1525c5ac951c4d9
-
Filesize
22KB
MD50c2e59d4189dbf8a52020a00f31c0b5e
SHA1042aa4759f169fcbb4da17038cfcf0ab9f4459c1
SHA2565d4a8bfd91be88586d3584e622c6d83c60a6260ca19f634f947fed1566a032c6
SHA512c06297dca44f47495154da17df3b174438ef1a9f8bfbcce546d8a1502d9a3a58d56e203c0779187844549579476b042243421643f306a5f33a89ff504d210682
-
Filesize
464B
MD5caa2851e8c3c99faf6110cf0773fee57
SHA1e26908b59861ad0f22eca2f340fa8018853d19ed
SHA256315f8fb2fcc5d235cc007c22725be2661c88f04691b840a4cca1c71f32fc3057
SHA51248bffb914964cfd53bebd7808af5e00af2393c27d1b0e452bd4ae807999f24699752f7d8a32f6b7a76763768a1bfb6897ae89cab074f962f17f15b1130d97e4e
-
Filesize
46KB
MD53c1a0cfad8f6b178f1bf5d6c44b5e9a5
SHA124c29c25c4227cd5c57874f0756e2f49086c8342
SHA256d77ae498f5e4d86294e782a41dcee6e9f9d22a98990883efdbb0138cb29dd711
SHA5121256e84122e8dfcf02cccfa796238de06d036506d25bc7a5ab8928e20efe65c7b2d3f7752a3c68602a82c2e97861af11a92f2565c1307cdbc9cbb0d4d959a9a1
-
Filesize
46KB
MD597aeafbcf6082fa3a0e26763c60e82f2
SHA14446b5583622eb01c5c8f5ce16523bad382ebefd
SHA256c60971aa953620436930c00ff1417e71f393da270975eb49d1dae488e1f22553
SHA51202cc5aed1662d39b04feb587f4182d73a6cccea95a0245cd9c998fa8c921bcaf1f6d1e22a9f87ef2952d286cf5e7d15a4443ca84a1cd24b9563ce157d29c6e0d
-
Filesize
46KB
MD52d2097b7f4fb50314f7e0c92d6076bce
SHA1ee9819edfdf752acd282a65bbc69dadaced0c29e
SHA2560bdc0736eb575c72db718d5f8d09f8c6c8df08d17ff6eb949c52b000982149e7
SHA512c82f00f9ca5ec213062e4047f38589982fe12baae227351efacf6a2f94094401252b173781d1c7d708aa58dca5c1837b866ce0f74657d4d6efdfd2b524b1df55
-
Filesize
38KB
MD5f1b325eec68122a129405f717109c544
SHA1d5263350ede2a2be4113af74acdd28734353498b
SHA256732087aa8065bb54ca266817418a5dd814c81ecf6e35d57084ce4c7f71131274
SHA5121dba87263890fc1b010a9feedcf3ccef58cec4a5824c7ff5a0986a95613248c2c77a2af183ba401096aea62fd97cd1e60634b8b6cd1e19306fcf1d608d35e36f
-
Filesize
39KB
MD59814a9d879421e8abb2d63e66ca99261
SHA11ee692c1e04433a152858c68641a14b596b4b9fd
SHA256756048c18f276873699f5d152b2cfbd25243adee417df3e6dc6a019b39731212
SHA512263ef1f01f23b0024d2869a71349917f45532bf0a1e5a73ad44300c936b1cf22a1962cf9d146b20762219255bf772741f5b5c8cd6ebc85f78fdc1ea3d3c0f0cf
-
Filesize
51KB
MD5b2668f524b7f7b7878c804d7d3cc6f2e
SHA1db36f5a7105324351651a9bd5b18732546cd52cb
SHA256f1403f32d47cb41af5f47c4111f70b9c84c52c5c509e49ef8f45d62fb80a90a7
SHA51276c5a1a6285795481ffeb8fa843c6ed7b486071c4decd28ac66d089aaa803f0f2de1ad88422c9bdd9e72fba28a02b5188c7f3cbd3dfa3e45d988b0b4e528d099
-
Filesize
51KB
MD507bba96691ff18808b46b3a9aec8a78a
SHA1dd2d34893c759cade4b78a5474b3f69a515a90b3
SHA256e7b94b5bdfc91cdbed5a329a4c77c122376b274a4ca811850aa0c9a3126a747f
SHA512c90a2ead87862a17ba3cd5fdff80ddebbf488785206726624faf289ca03a03fa9101beab7f0c209304fc347b01d69122d06c2adb9289230d1d21654bc8cae603
-
Filesize
51KB
MD54214f6270241466e0fd46287f77a6f30
SHA163ce9c62428ec84a248f533e2808af37e2f8fd65
SHA25651db7f75f698328c49ec0e1d3b3da2bf596c700334f03d1a56147745330014fc
SHA51206b695f82b0f031b3bfcc05444437a8cc0ba13e844a5c9b9f2513354784ba3f086211a4fe24e677acaa4250ecda21cbc06f2def0a9db28ac8d59c63cdad0ca85
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Subresource Filter\Unindexed Rules\10.34.0.80\Filtering Rules
Filesize1.8MB
MD5faf01ed2c0020f8fa512ff379d82c211
SHA1233d104dfe718231837e33c5543085b6dba5cd8b
SHA256192ca12bc520edee8b5a8844cc870cc4a669fb9c1449dad33a69fc5ce112c750
SHA5128ee475bc419950f08933be92c390087b67a7914825dce81eef4786012bf641f86f447239bb8d08602a407627b3846f12c52f365eae2af32fe5d22d5ee7133c31
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Subresource Filter\Unindexed Rules\10.34.0.80\LICENSE
Filesize24KB
MD5aad9405766b20014ab3beb08b99536de
SHA1486a379bdfeecdc99ed3f4617f35ae65babe9d47
SHA256ed0f972d56566a96fb2f128a7b58091dfbf32dc365b975bc9318c9701677f44d
SHA512bd9bf257306fdaff3f1e3e1fccb1f0d6a3181d436035124bd4953679d1af2cd5b4cc053b0e2ef17745ae44ae919cd8fd9663fbc0cd9ed36607e9b2472c206852
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Typosquatting\2025.6.30.1\typosquatting_list.pb
Filesize694KB
MD5981943717a2f6eec151e0981f42afffe
SHA17b96d1970f4137632264395dad561e541d0dce0f
SHA25610d399c6b6ac4cf794b498459cf7926cc4bf6f862b78baf790c036c63b922a56
SHA512360feb97c12ba3db31df8b8f7e11cc6aa362b4c704f531df1d6de77d74468d7118d030048251b9ee336682bb6cf97b577f319266fbae609fdb28f6d46bcefa08
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\extensions_crx_cache\ghbmnnjooekpmoecnnnilnnbdlolhkhi_1.0a6b11a5b642bf6c1938189707e109a1f48eb02018cfb146f09e74a753567d1b
Filesize156KB
MD5b384b2c8acf11d0ca778ea05a710bc01
SHA14d3e01b65ed401b19e9d05e2218eeb01a0a65972
SHA2560a6b11a5b642bf6c1938189707e109a1f48eb02018cfb146f09e74a753567d1b
SHA512272dd92a3efbf6cefe4b13127e09a9bd6455f5fc4913e7477c6712e4c3fd67efe87bd0d5bf1ec6b1e65f8d3aa0ac99d5bcf88d8a44d3f3116527253a01dde3be
-
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres
Filesize2KB
MD52cead3cb7e98eebafcbb9e04e1816ee5
SHA136e325bd85ae1dacb936b449ce303a05e61e1835
SHA256cc22df2c6623cddc22f5b59e105431261f130293a82e3f55de7d8e60a0d813a5
SHA512392e283f155a04cc105f13fa3341c0172e246f905ccae8024e99686f0420a741305401d8575eadbc1684c3f962308b2886945f3a03a426d86a4428018c5c3201
-
Filesize
40KB
MD532d4112f03de2020a43731fb71f6ebef
SHA18de582329d8b5bf794f80cb5827857a8800cad8c
SHA25696d537101c7f381f21c9d07254a11e817b66c84d002c5ec6bd80fe6ca3c8dc3f
SHA512a19cf51eaac57c72691507267c3b9bb8aea09cd0c92b5d5bc88fbf19beac352c76d2e9bb3f6c3448caf42670b5a4f997f3df816fd25b80cb09c7ec6ad44a4a7c
-
Filesize
3.4MB
MD5adf71b16f66b235268c5d894bb7c46a5
SHA1b44a713560477c1ddc0be33bfff1a21cba714bc7
SHA2560610ef6e01c2ba53f57035545f2c61e85b1bafa6334a47f6de8a63b060f9a130
SHA5124564dba8763a165b582e0ab785fbf658f50fe07469716d0b840261a8faa9b1b9ffba54cab14f674b46bb22445128a1f56e36491421c8ca0b7dab1d933e0dcbd4
-
Filesize
141KB
MD56a0d9995affa10fd6d842828c9420206
SHA12c011c5ce86139bf35b72e017dff67b2fd54270a
SHA2568ed8fff282adfb2f025b9d789577cccff5aaf426731615ef16dd99728f0f51e4
SHA512879439b4840388bb438f6359c458f61d8373632207ae57ac37c45d74060f5337dda7f0b2b45fa0534c305d5ea7fc8eb5de9fddc57fca513796d0ffc754ebd3bc
-
Filesize
203KB
MD56ad6ed5ec87f3e15b9ec07752d4f0390
SHA14ab03a717d114ad88207ad808661d7f009156bd4
SHA256fd762fdae46d1430ceb28887ac092e430003f3f09d45c294a49fb37c831a87ab
SHA512cc96928bbd249dfe6567469a5bb06cece2fe49b7479887434c3d2fbdca33969c2b05e5217be38eec4b5afa439bee3e3aeb9f7a9bfa015be17c31b2a0fff04770
-
Filesize
1KB
MD56db0394609c92e266a16bfd93b1eb597
SHA12d77b73e0ee0cf5f891dfb527991ead8cb39f22e
SHA25610aac2d96e5b2c8f55605fd6acf6a39c7ef3d092018a5bc622011ec46c139a7c
SHA512d1e160e507d5f4e2a561226c5ed4254562ac1599481f22d39d6f3b9560312f42d85247017db3b8b710677559327ac71badcf2473696a14dbd2244de6cb48c4ea
-
Filesize
77KB
MD539fbeae7efff3b0859b3d467e906a81a
SHA1de04f243e6837394f141897e6df98a7777a05d46
SHA25630bebe8d26c16e1d22d776e641f7a68b9ccd1c70a3804964db6753b821eee4b6
SHA512f565684b27a92dee7b748479631af3f1a201fe9e6cf3b76346f83b59b1755fa3483c97c95b65e7bdd7d2bfcbcb973c4c1f0a2a6859d17e73b249e75f9a6c1058
-
Filesize
36KB
MD5cfdd6b37070699bf9ac287fa4fdebf0f
SHA1bb6d98979e0577229beae7607a92d5caadf45113
SHA25635075c0a280d7544b402c1f030ae9acd3c917fc1bd6a52145fae9b2a55320ecc
SHA512793151eb8ab8c35eab2a4e4d66b2dcd4827fef53080b5c0be7fa359e7f4cc7377998d7f222303d93233b09fb76859c16f6c47b3ec3b0e88081a8d1cffa8b4978
-
Filesize
11KB
MD58dab3e4d8e271f17696cdbbd638f28af
SHA1c4b3df527a77303785ed28a5cf1ac00d729ee83c
SHA256df42e6ae66f82785552cbe1815246128cea10029e9dbb463e211590941a81bc1
SHA5120a52bb023cf6d33faded6eb2829e0706f021be76217f050a77f65b09142f20b37675877ce8911cdb3bc8349357e0630a1e36ec60b3855097ede1c803a60a5880
-
Filesize
38KB
MD5201f083b80cdbe930d78fe72f1123e22
SHA16a368a4665e0e56c3f32973c679258ab6c4fc35a
SHA25672fe475d8ada0cc2e26a4e659ca7d03bdb8d3061b4a689016a54eb52b18773a3
SHA5123fa61fac2127efbcadff25c17e055f32ee8ec65e82f192cb87fc3390dac322d5d24b611ac3b665b5661beb1bb0e62929e6912c80880b2187540298bb6eeb52bf
-
Filesize
54KB
MD5dbd000cc3ef170bd3e5d26b7349a7039
SHA11022aa866910aeef33a711f5a6d1de77a5dcffb7
SHA256ac3469ac659287626b05cda0da457b63ed78241d4f20c60778f6292d6e158346
SHA5126342cbbd7864494ca22b9a5eb26badbedbf800d094cb0343ff441c1b6db49b73e87d37377ed9029c386cdb4e60debe9e24cd34d0f3733ae55b42f6bcd7ce5f3f
-
Filesize
16KB
MD5a150a24f14aa40de4c18a868993c84aa
SHA1b239f3995efa3018025a8b59bd7617f6ae06fadd
SHA25671ef7dbef3e7b2c1bdc32c1a4400aa5f92c5c7eee9ef6261385c54cd9d0e26a6
SHA512953cf9074a00267be108d4fcd8626bfd56fcc7e1df5116a39564cfca4cc472f15ba1f4731dbfcfc92f2a92aacaccb186e9e552bf2115e68f07699854194b1010
-
Filesize
131KB
MD5c1c5b35fff1e13816718d6c30e15e2c4
SHA1a75a49857418f8915d27df08802555e9d2f65274
SHA25617fa26ea576e98f40eb2a353123d27232335e3a20c8d91465ec83710bc1a8eae
SHA5126725458b4b99d330d49c2499659eb87c9cf7c623fb5e9d1660c2dd13104e169ca1cfd242dab1ed601ff9902691d7875fc7f5fb6bc9851c336b41d20c0b66ab3d
-
Filesize
22KB
MD570e09f54ea9a321c80359bc9493fd9b5
SHA1440f5acf4b12bdfb052bc2e079e80a8ec6feae1a
SHA256775e43292702903d1f3991b655dde23ccb378052d28f7e0e8f89e2f4580a7387
-
C:\Users\Admin\AppData\Roaming\Apple Computer\Preferences\ByHost\com.apple.iTunes.{d7ff5c23-4699-11f0-92eb-806e6f6e6963}.plist
Filesize 8KB
MD5b7bb7d7d30820631d98427582bbd08b9
SHA19c5d31925b4fb8708519f0b2605e280e0280c4c1
SHA256edf6fbfcc5791e27a928cce556f778cfe4f018218af0042b28e29827f20e24d0
SHA51281dc86ea0687211bf3a0fb3dbd65de6d8c0ad3a2ff7fe5b5607256747d71ebc29a4cd2a0b0f22c8cb9ea06449bc65281a95952d67ebeadc2fd0806d3e3609c06
-
C:\Users\Admin\AppData\Roaming\Apple Computer\Preferences\ByHost\com.apple.iTunes.{d7ff5c23-4699-11f0-92eb-806e6f6e6963}.plist.Xa07016
Filesize 8KB
MD5357ece18256302fc7a2c2a8a02ea285b
SHA1b846738435393a2ab34db655c353cacb5f6541c4
SHA25652f7a44fcf01502d64f66e0b640bbebed43ecf06920a5c73366f7fbfcc9f42ae
SHA512640980e2034fd94c8f07daeae9cdfda6afc57f5e015112bdd329922a1466d7b51639076dfe30b28801b074dd7c77663976b0439fa36d0034d946bc4fb4cc3536
-
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\C76AC8E10E6A4E6C23E89A2528578CC3DBEB129A
Filesize 810B
MD52bf42b3c6a9b05b410ef0ea68da65b55
SHA18c4ba5943e8f400a48174d3d4abb7a47c23d91a8
SHA25689c22d3d49c0dde18fe5d5af3bed6d31a553ce2c1f9287c1cfbad41de17cc78f
SHA512d747b6f60da01b09e8573f3b876a2c000b6f513d3c3344beb7f8be58d79c55fd45295e4594159d99b2c04acba7d5acd1f56fe9749b09be806c2831d42b344f70