Analysis Overview
SHA256
cb22cebed97d6363239f63cf28816b8a8c06977c6d8625a43a61f0afa8823b26
Threat Level: Known bad
The file ModStickInjectorV1.exe was found to be: Known bad.
Malicious Activity Summary
Xworm
Quasar payload
AsyncRat
Quasar RAT
Detect Xworm Payload
Async RAT payload
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
Looks up external IP address via web service
Enumerates connected drives
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: GetForegroundWindowSpam
Modifies registry class
Scheduled Task/Job: Scheduled Task
Suspicious use of SendNotifyMessage
Suspicious use of AdjustPrivilegeToken
Uses Task Scheduler COM API
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-28 00:40
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-28 00:40
Reported
2024-06-28 00:42
Platform
win10-20240404-en
Max time kernel
149s
Max time network
151s
Signatures
AsyncRat
Detect Xworm Payload
Quasar RAT
Quasar payload
Xworm
Async RAT payload
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Part1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Part2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Part 1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Part 2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Part 3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Part 4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Windows PowerShell.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened (read-only) | \??\B: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\System32\unregmp2.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Part1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Part 4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Part 1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Part 2.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Part 2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Part 1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Part 4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Part1.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\ModStickInjectorV1.exe
"C:\Users\Admin\AppData\Local\Temp\ModStickInjectorV1.exe"
C:\Users\Admin\AppData\Local\Temp\Part1.exe
"C:\Users\Admin\AppData\Local\Temp\Part1.exe"
C:\Users\Admin\AppData\Local\Temp\Part2.exe
"C:\Users\Admin\AppData\Local\Temp\Part2.exe"
C:\Users\Admin\AppData\Local\Temp\Part 1.exe
"C:\Users\Admin\AppData\Local\Temp\Part 1.exe"
C:\Users\Admin\AppData\Local\Temp\Part 2.exe
"C:\Users\Admin\AppData\Local\Temp\Part 2.exe"
C:\Users\Admin\AppData\Local\Temp\Part 3.exe
"C:\Users\Admin\AppData\Local\Temp\Part 3.exe"
C:\Users\Admin\AppData\Local\Temp\Part 4.exe
"C:\Users\Admin\AppData\Local\Temp\Part 4.exe"
C:\Users\Admin\AppData\Local\Temp\Windows PowerShell.exe
"C:\Users\Admin\AppData\Local\Temp\Windows PowerShell.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Part 1.exe'
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "$77STARTUP~MSF" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Part 2.exe" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Part1.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Part 4.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Part 1.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Part1.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Part 4.exe'
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
C:\Program Files (x86)\Windows Media Player\setup_wm.exe
"C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
C:\Windows\SysWOW64\unregmp2.exe
"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
C:\Windows\System32\unregmp2.exe
"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1132.0.121896678\353775410" -parentBuildID 20221007134813 -prefsHandle 1732 -prefMapHandle 1724 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {12e77e6e-78fd-43f3-b68c-4af30dbe84e8} 1132 "\\.\pipe\gecko-crash-server-pipe.1132" 1812 1d9708f4b58 gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1132.1.69972961\1932005376" -parentBuildID 20221007134813 -prefsHandle 2156 -prefMapHandle 2152 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f784eff1-78a8-49b3-b156-ab0946ac3871} 1132 "\\.\pipe\gecko-crash-server-pipe.1132" 2168 1d965872e58 socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1132.2.1214060070\2002426679" -childID 1 -isForBrowser -prefsHandle 2820 -prefMapHandle 2828 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8e89bae5-2101-4d94-94ce-46856a296386} 1132 "\\.\pipe\gecko-crash-server-pipe.1132" 3044 1d9748ae758 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1132.3.1457478902\643697522" -childID 2 -isForBrowser -prefsHandle 3528 -prefMapHandle 3524 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {66aa583b-2d70-4024-b5dc-895111665620} 1132 "\\.\pipe\gecko-crash-server-pipe.1132" 3540 1d965862858 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1132.4.1945322316\795949869" -childID 3 -isForBrowser -prefsHandle 4088 -prefMapHandle 4164 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {622bc04a-02af-4510-97eb-7d9776160947} 1132 "\\.\pipe\gecko-crash-server-pipe.1132" 4184 1d976bb4158 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1132.5.467935924\739925453" -childID 4 -isForBrowser -prefsHandle 4844 -prefMapHandle 4876 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b1b96359-ea16-4bfd-b27f-afa81e145801} 1132 "\\.\pipe\gecko-crash-server-pipe.1132" 4884 1d96582d258 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1132.6.991326892\915362930" -childID 5 -isForBrowser -prefsHandle 5020 -prefMapHandle 5024 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4f79544b-ca84-4c1a-9f16-4fdb131b380b} 1132 "\\.\pipe\gecko-crash-server-pipe.1132" 5104 1d976bb6b58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1132.7.359580583\1088516435" -childID 6 -isForBrowser -prefsHandle 5220 -prefMapHandle 5224 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {937bd292-4176-4947-a4e3-9c38dcb44e66} 1132 "\\.\pipe\gecko-crash-server-pipe.1132" 5212 1d9770e9158 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1132.8.61771887\54006143" -childID 7 -isForBrowser -prefsHandle 2768 -prefMapHandle 2636 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0aa4a44b-94d0-42f5-9988-66c7c863b69d} 1132 "\\.\pipe\gecko-crash-server-pipe.1132" 2772 1d971fc5858 tab
Network
Files
C:\Users\Admin\AppData\Local\Temp\Part1.exe
C:\Users\Admin\AppData\Local\Temp\Part2.exe
C:\Users\Admin\AppData\Local\Temp\Part 1.exe
C:\Users\Admin\AppData\Local\Temp\Part 2.exe
C:\Users\Admin\AppData\Local\Temp\Part 3.exe
C:\Users\Admin\AppData\Local\Temp\Windows PowerShell.exe
C:\Users\Admin\AppData\Local\Temp\Part 4.exe
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ows1ds1i.3df.ps1
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
C:\Users\Admin\AppData\Local\Temp\Log.tmp
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | 668974009c5c913ae156669c98cb612d |
| SHA1 | c8cf27e94d09c8f20e32e472b802196b44927717 |
| SHA256 | 203d76a9235a44903617a7fcabd0dc9a91bdf805caf0e23495f99a8f6dbbb2fd |
| SHA512 | 6df3818119955b0a9b30287160dea5fcbc19d171e04ce0e8c63f1e991020d4358dddfa03597de1133a3ab10cdad8d2ab4c5e27646d0fef2fd508fa0dd2fa9bbc |
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | beb7a3ab23f136e83b9c82ce0a920b78 |
| SHA1 | 3bba9c1f9f30b36503505ac99687a19b81167b19 |
| SHA256 | 745be143f694f538d814c525f3c7d28f11782ccf3af5a7f38323c93383977b4a |
| SHA512 | 5cf489b78478e79d8511b794cb9f5034d3f28c23046f1c0350bd9beb92d1f4695a885aca4b46624d896506aa4be1235a54f67f4367fc64d5b972d9c854d4d2f1 |
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | 8b7501fe745eea511cf62c277c9a28f0 |
| SHA1 | dfbbc7cbcf6f667489632626e0356dd0fca79fa3 |
| SHA256 | 386eaea70b96e722c7da499213d7f3deb755df1e9bc1d5df89c2078996f54fd7 |
| SHA512 | 6e8e76ef54bb6c2501be7f2e62dadd2a13e56d01cbe710336c33645024cbd8a0b14a827e0d171afca04e52ae79c28110f046faeb6c16b11215030952aa731a7a |
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | 412f389bf26aa7132febd4818fcceaba |
| SHA1 | 7cc8939dd5eefe9d9ecde5e09e063016dec444db |
| SHA256 | 2285c7335ff791173aff1d33cfc72bc4223e7f91bb6980decc5e799bffd02d64 |
| SHA512 | 816ca33b620aac6cfcc378882f3cf3dc09ae66e42e9419cdc7878b390bb3f3df10389cc312de22c0c02c6cab43e25ceccb627bbcbac4716938027fe1e4e1b57c |
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | 026f6f10afb83e24cd9a36dbfb2d0caf |
| SHA1 | 2714f7b7a5630eee55b9c0663a12347d26328386 |
| SHA256 | 6f0294667dc744cfe441180739957ae8b54ec6afd992fdd74fda846959a63eb4 |
| SHA512 | 6aa11095a1a4f89687f7bddfe55b60bfb62b5303931438a41f5f223c35d4c0cf82d67154a70fe06cb109bd34dba9607316bdffadc2c3859b6b03270c35bfddbd |
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | ae2a016b9fac85ff2bb57aed029d16c8 |
| SHA1 | 9b3f2c34a4a81553493aa478dfbf423f0b07077d |
| SHA256 | e24ab01e442054c58aafa041441b154acc302ad8385e9df8b6049097caffb946 |
| SHA512 | be894136ac6183f6f8aafafbc0facf1c5aa96511d35538c8ed43f4206e922d983b23c580d73dcada4b327ab23fe05795bfac0c0912a881df1f4c2691325dfaa9 |
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | fadc2bcca56ec2e5610118553e50c37c |
| SHA1 | 833bb55c2197385fef71020b2cc2a9cad1a54d41 |
| SHA256 | 561e4edc0ab98121a15e88f3b5ecf9e53b6b9165a288b25f4572627eff52c048 |
| SHA512 | c95a71194ca9e8d1cd05b2f48673873f930d7cad4e19772a42f070c264db173ea28585c9370dadc73257a1d5662efd61036810019bd23850ee43f561d13763f4 |
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | 4c6ab6c175d5731f044644a3c340c3ce |
| SHA1 | 6ca370da3f884ed6ea1ce314423e64a6673fb228 |
| SHA256 | a31a08d485f5b4b80d1df448587c81bb8f7bb079434bcc5bf66d1dfdda8148cd |
| SHA512 | 3a43442901e82d510d8a627fd5d610e77de092f4b385507fe117abeac93baeab9d342e1cb0acdf5ba125979d34354a5517513908bbea56aaa7810d117d851372 |
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | b54b09b8f35071c2e1ba4ebf2f3375c8 |
| SHA1 | 2f61ef91f4500a058e0d454f2e6eb6a7e3410cf9 |
| SHA256 | 07731800bc30e5d81c5e4a2cf80db962d9494530b3975f4bd49a9051061ad1a1 |
| SHA512 | edd6e3f815b366a534853ed96b57e9417a6c24bea8a321d6e2817bcc1fd30f155f8a9671d52b5801aed7bf1084b5cd1ce838f53c08010bbf53eca33bcd22de98 |
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | 794dde7091fd7883ace4fb676916c7b2 |
| SHA1 | 7a77806f431cb5ee5dd9d101e8ae5aa0de78faf1 |
| SHA256 | 13f6991bdcfb3e550aaafb65480880187b68e4a96da7b9864cd51ef14c4536cc |
| SHA512 | 7448ed0ab51120b464356d417b8910cc94522522023e8751ba207eb98ae794a8d32e9bdd103e8e1a8dceabe6a6de072d9c3d3456f1091382267bda04c44b82d6 |
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | 7f04d6abcb679702ce1f488651307c87 |
| SHA1 | 0ee0d61fe4fa31963bb5cbd409c4737a582f4de7 |
| SHA256 | 5c2828cb2dc75f010660ef77766c51d9b7b688a6a2b6cd7270bd1e5841e34cdf |
| SHA512 | 7969f7e65a3f2fcd4305b7e2828bd47333403192c927aa8e2aaee8e9504c8b300dd9a3846a70da96c3022af4ebede9fa124364f69aa6082deb99b9b94998d777 |
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | 0a79efb183c62bdfed4a593250ad12e9 |
| SHA1 | 1b6b0654be552e1cc8a572e88072281fe5f66542 |
| SHA256 | aa84d1404aa9d336aa6b53313e6d4e3aecde774f50f39e612c2ba3720303ee84 |
| SHA512 | 6ef509435a29a879ba2991bb7c4cc407595ed62c00ed9eeb9edcffe5a41b265f87557eb93a2db1b110a1a5a6aa9c0417ea6d2ebb40347b118599acbdfab65b42 |
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | d20c85ee331b2ba521b7db52ce048040 |
| SHA1 | b8feed1d304b862d3274f1246e7bb00947bed581 |
| SHA256 | a46c83bf8a6af2c98411e6bae87547999acef63a095e7e925c21aa5536227c05 |
| SHA512 | 9c1bba85880d376d9b1ce4f97bc9bb6a8045ea78de396a0d58781dfb9b8133191e81ae152bc66803d1f7c4c493bc4cf6fe923411d02f60631631216a68d91f13 |
memory/5088-389-0x00007FFF8D650000-0x00007FFF8E03C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | 2e81bf98663b56fe60b8ecd3e38d20cc |
| SHA1 | ebd0b247420ef3d8c95d9422ab0f6db923aeaf08 |
| SHA256 | 1b9aeb663df380c530d97bed9792910ea1d287fd494b88d9994cca992efb96d2 |
| SHA512 | 6dabe0bc1be0000c86ec62729309b2862fca0e34eabd0bd06af4dbf2feaf98d349ad1d649b06095307798d64bf05a0e0becc986fc6db904f2944cdda5fd36f08 |
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | ca9b5b1360104824ee66df10c2a7abc8 |
| SHA1 | 740abc84a16f831619427610cc6f84bab13e560a |
| SHA256 | 223a88a12eb8478b38297de8ad120dbbdbc11cfff178b243828be3eb9bf53865 |
| SHA512 | 148f6b1171e789525606da620402ca8a992ba20b7480c02608bb0ec3ab214beb391128f0cca4c298f37110794647664aacf122294e9301452cdc00ddb590ff31 |
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | 605902f1fe603fb15ab7696868ed6d53 |
| SHA1 | 1e9251f82805bd5b70cf2f13e12815b40e1796f8 |
| SHA256 | fde3790325262b8a9bd8a8b523108016b98e2ca823324672d5bdf71bd3765c45 |
| SHA512 | 3b5b14c67c3b0d7298972830f5c79ef73ed1bb2837a87389bb84817172be948c0dce9666a2c96a07f709f3a9499b8cf22e2c3ec0af8d3c4841485c420f713581 |
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | 6e5d2eb00a50ac066f4ea49d0d17a97e |
| SHA1 | 8ce6461cde079b2f60fa706a0902dbd08c301d5d |
| SHA256 | 052d258e395232d3a564a0f883fcbb2956754252ae2c93a58a5d0649e5f18524 |
| SHA512 | dcd5abfd1f29603bc32d99da484783603e77f7a2da5ac6800da167b59def342a0389e309ee510da4fcbd2ed99a9bf5b141056e58ab691b44ebba1fedf18fc1de |
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | 85dcd329c581b20a3d80ceed065ce3a0 |
| SHA1 | cce17c0f5cbcae1df96425ab7294d388d0fdd57e |
| SHA256 | 3432cd3bf0c0381948016d6f0f0c9cc2b9fcf061e74d21ef59ec85161dc3064c |
| SHA512 | 470b83cdfdb662c05e054f859e6f09cf0df0a1707fa1ddad98bd8ee38fc7c495fc00d04fc8c62bb4ef3eee1c0ba005d5886bf078122e4320c5cf94528b315634 |
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | a7824625fa3d66411af5a7a981a18f60 |
| SHA1 | 297ae7a870d03e1e99d8ad43659b973d39500678 |
| SHA256 | 2e29dbf12c2ca08f279103045173b0d97819fa755e3fa0ec191a46b92f0d1ea2 |
| SHA512 | 08ace6b857a48b183b3d8cb1cbaf7c4d95f6d7f3c1235ba8df7353910ba36864c0f49e05f56608c3ec6ef0c0e645b52f81d1747e7f0910fbbec98eaed617265c |
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | 4046b4b93f27a9aeb15973f05f869f78 |
| SHA1 | 9c8e8d3edfa3100ffc342e5779bbf41158f8cd5d |
| SHA256 | 87fbf01c0fe68bb1dfac429734568041778ac161316da647b39745b39d064b9b |
| SHA512 | 5100d049fdbb652543f3912143886e853cd07d15ea68d2babdd85f296b1bb4ad682a7cd52d609e57726f3c7c2cffe8f41dd4cfd7f55178f0a913c75e7238d83e |
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | 3b35f04823a2b037e9674c6e4835eb32 |
| SHA1 | 6323bd7d02bdfbe0e99fab801d640436fd7c824b |
| SHA256 | abac3ed9ff2de50fa1f4299d5b13d9a2ac2a2a70da16bf757b227678c317251e |
| SHA512 | c28932932523f63bcc512c7765385bb983615ffa4649dff6812f98a16e890c958d47b183c0adc64a94a1334f005a4193363d81d80adbe40e047918ed567a51fa |
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | 2bce3cd60d6a15d3f322c02886a8b545 |
| SHA1 | bbc52c0b405e54e8a1235589b835ee33e9c8d54c |
| SHA256 | c9149a5cecd2dbf328b3ab2f8a5c4172292b03f759349de709482282f163bca2 |
| SHA512 | 6a5a19f8c086277daefae325188910a6b39a1b7960de8a5a2cb658e3be46709cc152d2d0b6e62c54fd6ddf42b2bc9ee8a60f23dbc31bc2da67436a94705f8713 |
C:\Users\Admin\$_.cmd
| MD5 | 19c389cb300bdb3f72043eacb6f7064b |
| SHA1 | 92f71b9aa2547c81c7bdadac0bf2b4842f6c5c97 |
| SHA256 | 98c2c44cd678ab133d44615d9f4826e7b4d8411cf1c81cd1691d1caba158f009 |
| SHA512 | 1713858584838acf0900fa5ead3ae935f59242d05d28250c26e6c87c9314fb0f9205ce34e1ad063bfa5ecab233951c9bc31b6d67a851b7983e66e9b454b27b2f |
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML
| MD5 | 7050d5ae8acfbe560fa11073fef8185d |
| SHA1 | 5bc38e77ff06785fe0aec5a345c4ccd15752560e |
| SHA256 | cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b |
| SHA512 | a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b |
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
| MD5 | f19cbc0fe6f95513f453d8c1d0bc0a43 |
| SHA1 | fe40eec93c9f2bbae036667757c786583a028592 |
| SHA256 | 4360d972da47246e9f52a016a2f2c1a43e101cb10f7203f9ab489de34c50011f |
| SHA512 | 6ff6fe4cc24f6bf89c4ba432abe506c0c3ea54eda519ce5f8ba94ecf01148e5f6c05924a5fee483af043e7acde745b20f851f991f5d1fd291c715e7ccdf88541 |
C:\Users\Admin\AppData\Local\Temp\tmp08328.WMC\allservices.xml
| MD5 | df03e65b8e082f24dab09c57bc9c6241 |
| SHA1 | 6b0dacbf38744c9a381830e6a5dc4c71bd7cedbf |
| SHA256 | 155b9c588061c71832af329fafa5678835d9153b8fbb7592195ae953d0c455ba |
| SHA512 | ef1cc8d27fbc5da5daab854c933d3914b84ee539d4d2f0126dc1a04a830c5599e39a923c80257653638b1b99b0073a7174cc164be5887181730883c752ba2f99 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\datareporting\glean\pending_pings\2a93fed9-53a0-43a8-ab51-83979c1666ff
| MD5 | eab5e66d19753c4cb3cd14fbf9056af8 |
| SHA1 | 8f937ae76f71d5b3fa1268860223d0d66e781744 |
| SHA256 | 95ddb4e3e2eaad8250fb741d887c2343aafb11e7dd19c5b441b59eb323da34eb |
| SHA512 | d024d1f8296891b473cd8a452b2f7dcd468f9557d1436f879963580f42ed411ac688d33eacfce7c3e52583644d437a0f403b972d878959551a0a389c9af5992f |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\datareporting\glean\db\data.safe.bin
| MD5 | 407d57da8a85c6b13fd84573c338f448 |
| SHA1 | 29ba91f6bb4e0b7543dd28f0011ce13f744154d5 |
| SHA256 | 2596dab7cf948b3696175d019530ce2198dc536b026f2c20e2a6e47679b2836e |
| SHA512 | 24e3845a35c550ab9a2b05ca1ecf7527fb16c78afef731861a4844fdca10ba0ffd9b9ff4846cdd0974d4109398fb1413b13a6683937e81883670dcb602d959e2 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\prefs.js
| MD5 | 25f2fde436fbe2d3c50b23b6dfc211ca |
| SHA1 | fb48bca66d7ac6271c365ffa3ac913664529acae |
| SHA256 | a9aba6aa1be260762fef09cbf85bae4e0ed5ed80dc01a678e9dfcbfc96e8f2d0 |
| SHA512 | d10d735e285801cfaf81f8a4d972054b8f87d9568cec293d767aa0f3b4cf019504d88a4e7adfd4f04a385aecc81b3a8febbf1f76380221c05e03a1ea11707052 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
| MD5 | 0d0013d9708d9fef539adc917f5b87f6 |
| SHA1 | 5e071e6b4d8abf007c8bb78ee948caf5bb0439e1 |
| SHA256 | f416d29cdbaa66b7d04483831d2a593a735316fafb643414a12df78da0ab054b |
| SHA512 | 851e9965a0fed9e0f5195ce655635cf13687d18678e4a9df807ab22cbc53c02cd2006fd65d93cd80b2a06d709e59122ea9933ba5cec551c6d51f5e9b4c175388 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\prefs.js
| MD5 | 65668617ea75ad0a42533f2f0e4ad441 |
| SHA1 | 1c26086282903b6d872b7354744b9bdd09eec5e5 |
| SHA256 | e459237f9786b8cc381df418df2fa044cc4806c5b393d28e7e48464bc49f7f91 |
| SHA512 | deb90203e4069c9827ee67b27f42cc821cad3cc86f88910d6101d3c0e6e90d6a6750c59760897fc89dad91634350090aa407c58c6efca645554fcec200b9a09d |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | c5633ac621372a00963a58d07fc8d041 |
| SHA1 | 6de548c77eda8cdb7f85deb389cc3618bf930a19 |
| SHA256 | acd0f80b8c5fc81a7f10f03ab43180226d65af3113a03f11e33e6119479267b9 |
| SHA512 | 0d2dbf9aa58a76d12a7e1a60879e16d7de583cb69b42aa72edc9cd02a065dfb4c4194279f20868cb7a9766743fe5ab4485b877b8c509368a50299968187f2eb6 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | e7ecc635c33ad3f738c7d40c456da464 |
| SHA1 | 7d405632923e14aa6fc749895b8f13f03397a818 |
| SHA256 | 8bc8263a6775acaa6def3f859385fe8c412509a6d46d7d512730fce2d745813e |
| SHA512 | 5039389e55d82718a5fd7146eafec68bb421e68582970e1aa5d3b1671fa524ea8b8770e661349502a040aa64db44a2f9f17998597fa276d2e174d4efd5e00318 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\prefs-1.js
| MD5 | 46b2623b1ce3c1ec958cef0ee76c5149 |
| SHA1 | 9158b259a88c87171e565fc12af2b22b7ade0744 |
| SHA256 | 19a70aca7c5ee7e244eff55793f86d608e215cfab34e9d57bb7bacdea821abe5 |
| SHA512 | 26aa88cb2095c15ee18e9455356b3f87fe5aca14610fdf0683e8a8567215ad99d2b2456fe1e13ab4b81f757096ae9a3cfb2c7704517825ee0bc06329a1c9394c |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 4caa78bb4c132fb9de23854486ef0533 |
| SHA1 | c9530ec92215a5fafad4f992c1f58a33f1cb080f |
| SHA256 | 8ea3afc73c8d60c75464f707fe33f222a59869a91c9da2bcee6215474bfcbe0b |
| SHA512 | acb4ac18945d5b011b28f4fbf0587d81d19e70739d859480fcae44d622a981d4bc3593c43f798195a63a16130bf54fdd0152210e866668daaaa773dfa92480b3 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\cache2\entries\56A184BE013E192214E1133FBD0398E445432333
| MD5 | 4a96cd919035c3d6f7cb4c7361d11682 |
| SHA1 | 08cc0b662bcecdd170e0bd509f00a64fa148f32e |
| SHA256 | 7105ca034f946522e61ded48a6e99e8cc42919bfdc8d40a3928adbfdfa15f83c |
| SHA512 | c383ce3cbceba7cc7bf4d2381940b17681f6acb2e3c768d3e63a0900a56f8d9d1716b021dc9139f18f2c583aa79565a2ceb3b7992ca6bc735ee34f56a909734e |