Analysis Overview
Threat Level: Known bad
The file https://cdn.discordapp.com/attachments/1255165018316476447/1255558363354501170/3CXLoader_.exe?ex=667d9158&is=667c3fd8&hm=950231c069ba69496d01d28eb6622c69dee3fc05e6d4b730213ed456c6c07cd1& was found to be: Known bad.
Malicious Activity Summary
Discord RAT
Downloads MZ/PE file
Executes dropped EXE
Legitimate hosting services abused for malware hosting/C2
Enumerates physical storage devices
Suspicious behavior: AddClipboardFormatListener
Suspicious use of FindShellTrayWindow
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of SendNotifyMessage
Checks processor information in registry
Enumerates system info in registry
NTFS ADS
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-26 16:25
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-26 16:25
Reported
2024-06-26 16:55
Platform
win11-20240611-en
Max time kernel
1482s
Max time network
1791s
Command Line
Signatures
Discord RAT
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\3CXLoader.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\3CXLoader.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings\MuiCache | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 260193.crdownload:SmartScreen | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File opened for modification | C:\Users\Admin\Downloads\3CXLoader.exe:Zone.Identifier | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\3CXLoader.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1255165018316476447/1255558363354501170/3CXLoader_.exe?ex=667d9158&is=667c3fd8&hm=950231c069ba69496d01d28eb6622c69dee3fc05e6d4b730213ed456c6c07cd1&
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x104,0x108,0x10c,0x100,0x110,0x7ffee2eb3cb8,0x7ffee2eb3cc8,0x7ffee2eb3cd8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1884,6143802337187399039,15908819088538698158,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1896 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1884,6143802337187399039,15908819088538698158,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1884,6143802337187399039,15908819088538698158,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2604 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,6143802337187399039,15908819088538698158,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,6143802337187399039,15908819088538698158,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,6143802337187399039,15908819088538698158,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4604 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1884,6143802337187399039,15908819088538698158,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5376 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,6143802337187399039,15908819088538698158,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,6143802337187399039,15908819088538698158,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5560 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,6143802337187399039,15908819088538698158,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5936 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,6143802337187399039,15908819088538698158,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5932 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1884,6143802337187399039,15908819088538698158,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5184 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1884,6143802337187399039,15908819088538698158,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4584 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1884,6143802337187399039,15908819088538698158,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5048 /prefetch:8
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\Downloads\3CXLoader.exe
"C:\Users\Admin\Downloads\3CXLoader.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\3CXLoader.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\3CXLoader.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1972.0.1086924705\1741923893" -parentBuildID 20230214051806 -prefsHandle 1800 -prefMapHandle 1776 -prefsLen 22074 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {498c71b6-19b9-4de4-ab94-7a6f5e7a6ce4} 1972 "\\.\pipe\gecko-crash-server-pipe.1972" 1880 1c82b71ba58 gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1972.1.236552848\1138975267" -parentBuildID 20230214051806 -prefsHandle 2376 -prefMapHandle 2372 -prefsLen 22110 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {da8852cc-795f-41b4-8753-535468602511} 1972 "\\.\pipe\gecko-crash-server-pipe.1972" 2404 1c81e985058 socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1972.2.112038721\1195791646" -childID 1 -isForBrowser -prefsHandle 2956 -prefMapHandle 3024 -prefsLen 22187 -prefMapSize 235121 -jsInitHandle 1308 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a929e743-b76f-4f12-94be-3129a2e7d4cd} 1972 "\\.\pipe\gecko-crash-server-pipe.1972" 3100 1c82e51e258 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1972.3.1291425603\775752633" -childID 2 -isForBrowser -prefsHandle 3508 -prefMapHandle 3492 -prefsLen 27653 -prefMapSize 235121 -jsInitHandle 1308 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {26d8ac03-d719-48dd-9b13-4b84a8b18013} 1972 "\\.\pipe\gecko-crash-server-pipe.1972" 3512 1c830c64258 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1972.4.792353197\1246362230" -childID 3 -isForBrowser -prefsHandle 5016 -prefMapHandle 5128 -prefsLen 27734 -prefMapSize 235121 -jsInitHandle 1308 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {35e26f3a-e3c8-4cc0-b4f0-d09bad17d024} 1972 "\\.\pipe\gecko-crash-server-pipe.1972" 5136 1c831ad5258 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1972.5.725723136\1679627086" -childID 4 -isForBrowser -prefsHandle 5356 -prefMapHandle 5352 -prefsLen 27734 -prefMapSize 235121 -jsInitHandle 1308 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {79f3e90a-9632-427b-bfe1-618426aa515d} 1972 "\\.\pipe\gecko-crash-server-pipe.1972" 5272 1c831ae3358 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1972.6.1950149209\386561449" -childID 5 -isForBrowser -prefsHandle 5484 -prefMapHandle 5488 -prefsLen 27734 -prefMapSize 235121 -jsInitHandle 1308 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d3ee4411-9809-4281-b792-d2715ae64df5} 1972 "\\.\pipe\gecko-crash-server-pipe.1972" 5476 1c831ae3658 tab
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c82192ee-6cb5-4bc0-9ef0-fb818773790a} -Embedding
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Documents\Are.docx" /o ""
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Documents\These.docx" /o ""
Network
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 196eaa9f7a574c29bd419f9d8c2d9349 |
| SHA1 | 19982d15d1e2688903b0a3e53a8517ab537b68ed |
| SHA256 | df1e96677bcfffe5044826aa14a11e85ef2ebb014ee9e890e723a14dc5f31412 |
| SHA512 | e066d74da36a459c19db30e68b703ec9f92019f2d5f24fd476a5fd3653c0b453871e2c08cdc47f2b4d4c4be19ff99e6ef3956d93b2d7d0a69645577d44125ac7 |
\??\pipe\LOCAL\crashpad_3352_LTEWHRTRXYMTPOZK
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | f717f56b5d8e2e057c440a5a81043662 |
| SHA1 | 0ad6c9bbd28dab5c9664bad04db95fd50db36b3f |
| SHA256 | 4286cd3f23251d0a607e47eccb5e0f4af8542d38b32879d2db2ab7f4e6031945 |
| SHA512 | 61e263935d51028ec0aab51b938b880945a950cec9635a0dafddf795658ea0a2dfcf9cfc0cab5459b659bb7204347b047a5c6b924fabea44ce389b1cbb9867d6 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | e306315a67739f337558dabbc5d3e1ba |
| SHA1 | d51981f89c0816557e334a51d17fbd8ba08e329e |
| SHA256 | 96de7bb71b856d7e5fa97c59ba897ed3030460e63c1b2437780cf23791055027 |
| SHA512 | ea5e5c3f1f516de9d42c214060c60921f51bae1abac5f1d6d3c407be04ed20d1a77015e36475a1a78f5f1f09886e8e2265da0d48b14392fb1555f24d081d790c |
C:\Users\Admin\Downloads\Unconfirmed 260193.crdownload
| MD5 | ca937feb56a6a559bb76486481090a29 |
| SHA1 | ede94604285d5a3ea756ea50db5fe6b6b05d7187 |
| SHA256 | 0c4b30258b007efee05b7f39fe6af886a8d1b1c987eb19db54c16bd7082abfdb |
| SHA512 | 61eb2830116a4f69f7a895a3754fedc74f089f3ba3bfd05dbd9aa922693c09a45ceca751f9eebbee296fe26cbb2dc01f32ac08d66c02693520a9eaad5e9a0437 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 206702161f94c5cd39fadd03f4014d98 |
| SHA1 | bd8bfc144fb5326d21bd1531523d9fb50e1b600a |
| SHA256 | 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167 |
| SHA512 | 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145 |
C:\Users\Admin\Downloads\3CXLoader.exe:Zone.Identifier
| MD5 | fbccf14d504b7b2dbcb5a5bda75bd93b |
| SHA1 | d59fc84cdd5217c6cf74785703655f78da6b582b |
| SHA256 | eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913 |
| SHA512 | aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | e3ab07a39062f01922873cc2fea955d9 |
| SHA1 | 0b02db5f638cf9edbc5028994772984987f7591a |
| SHA256 | 15534f65fce71eef0d9b0fdd1f625b8c6be656997c254f7c4c8e6bc5a5848e6a |
| SHA512 | 11fd6b50d5ef3a380e8aa7626ced3ca1a8e51f12f2befe773c553615412b7242ac42e8249b80678acb50f23aadea0dada7c515762e65272343bd11a97a013721 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | fbb1e6b246708a08eb2773ccc47624c9 |
| SHA1 | c0ce2dc7b708c3888bd8ef77e9cb99b82b85bdc0 |
| SHA256 | f4b8a69fdd9c5751bd006ed8db104f1a703ae330228a958b07fa0dd5467cb8b0 |
| SHA512 | cc9f128891d2d6a91440609ea5f92cab23f1dabb116d5339f55392e54c13ad4d4b7e402ab95ed799734f569bfb9592fbe57cdffc3e09387caabfb72c985f3eae |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\3CXLoader.exe
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
C:\Users\Admin\Desktop\NewClear.svg
C:\Users\Admin\Desktop\RenameSuspend.emz
C:\Users\Admin\Desktop\EnableSkip.jfif
C:\Users\Admin\Desktop\UnprotectGrant.wmf
C:\Users\Admin\Desktop\PopSearch.vst
C:\Users\Admin\Desktop\InitializeRemove.cfg
C:\Users\Admin\Desktop\MoveConvertFrom.bin
C:\Users\Admin\Desktop\InvokeWatch.vsdm
C:\Users\Admin\Desktop\ConvertFromClear.mp2v
C:\Users\Admin\Desktop\ConfirmGet.xht
C:\Users\Admin\Desktop\ProtectStop.tmp
C:\Users\Admin\Desktop\TraceResume.sql
C:\Users\Admin\Desktop\SyncOpen.mov
C:\Users\Admin\Desktop\SwitchRedo.temp
C:\Users\Admin\Desktop\StopProtect.ico
C:\Users\Admin\Desktop\RedoExport.rtf
C:\Users\Admin\Desktop\SkipUnregister.vsdm
C:\Users\Admin\Desktop\ShowMove.wvx
C:\Users\Admin\Desktop\SendCompress.gif
C:\Users\Admin\Desktop\SelectImport.vsx
C:\Users\Admin\Desktop\SearchUnprotect.i64
C:\Users\Public\Desktop\Google Chrome.lnk
C:\Users\Public\Desktop\Acrobat Reader DC.lnk
C:\Users\Public\Desktop\VLC media player.lnk
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7n4npafm.default-release\activity-stream.discovery_stream.json.tmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7n4npafm.default-release\prefs-1.js
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7n4npafm.default-release\sessionCheckpoints.json.tmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7n4npafm.default-release\sessionstore.jsonlz4
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex
C:\Users\Admin\AppData\Local\Temp\TCDAC4A.tmp\iso690.xsl
C:\Users\Admin\AppData\Roaming\Microsoft\Word\AutoRecovery save of Document1.asd
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\D007DCFE-30F2-4A7F-AD5D-39162FB87714
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyEventActivityStats.json
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.Settings.json
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\winword.exe_Rules.xml
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.json
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.GovernedChannelStates.json
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
C:\Users\Admin\AppData\Roaming\Microsoft\Word\AutoRecovery save of These.asd