Analysis Overview
SHA256: 13e22cb8af9f1fc3fa475e011f56db8780e619b304961b2a68dc900e57ca7e8b
Threat Level: Known bad
The file Capture d'écran 2024-03-05 185134.png was found to be: Known bad.
Malicious Activity Summary
UAC bypass
Modifies WinLogon for persistence
Disables RegEdit via registry modification
Downloads MZ/PE file
Disables Task Manager via registry modification
Possible privilege escalation attempt
UPX packed file
Modifies file permissions
Checks computer location settings
Executes dropped EXE
Modifies system executable filetype association
Legitimate hosting services abused for malware hosting/C2
Adds Run key to start application
Drops file in System32 directory
Subvert Trust Controls: Mark-of-the-Web Bypass
Drops file in Program Files directory
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Checks processor information in registry
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
NTFS ADS
Modifies Internet Explorer settings
Suspicious use of SetWindowsHookEx
Modifies Control Panel
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Uses Task Scheduler COM API
System policy modification
Modifies registry class
Modifies data under HKEY_USERS
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-08-12 18:47
Signatures
Analysis: behavioral1
Detonation Overview
Submitted: 2024-08-12 18:47
Reported: 2024-08-12 18:50
Platform: win10v2004-20240802-en
Max time kernel: 164s
Max time network: 165s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, wscript.exe \"C:\\Program Files\\MicrosoftWindowsServicesEtc\\xRunReg.vbs\"" | C:\Windows\system32\wscript.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Windows\system32\wscript.exe | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\disableregistrytools = "1" | C:\Windows\system32\wscript.exe | N/A |
Disables Task Manager via registry modification
Downloads MZ/PE file
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\System32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\System32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\System32\takeown.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | C:\Program Files\MicrosoftWindowsServicesEtc\GetReady.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\MrsMajor 2.0.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\Downloads\NRVP.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\NRVP.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\NRVP.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\MrsMajor 2.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eula32.exe | N/A |
| N/A | N/A | C:\Program Files\MicrosoftWindowsServicesEtc\GetReady.exe | N/A |
| N/A | N/A | C:\Program Files\MicrosoftWindowsServicesEtc\notmuch.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\System32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\System32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\System32\takeown.exe | N/A |
Modifies system executable filetype association
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\Program Files\\MicrosoftWindowsServicesEtc\\data\\fileico.ico" | C:\Windows\system32\wscript.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MajorX = "wscript.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\xRun.vbs\"" | C:\Windows\system32\wscript.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | drive.google.com | N/A | N/A |
| N/A | camo.githubusercontent.com | N/A | N/A |
| N/A | camo.githubusercontent.com | N/A | N/A |
| N/A | camo.githubusercontent.com | N/A | N/A |
| N/A | camo.githubusercontent.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
| N/A | camo.githubusercontent.com | N/A | N/A |
| N/A | camo.githubusercontent.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\System32\sethc.exe | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\taskmgr.exe | C:\Windows\system32\cmd.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\program files\MicrosoftWindowsServicesEtc\xRun.vbs | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\program files\MicrosoftWindowsServicesEtc\CallFunc.vbs | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\program files\MicrosoftWindowsServicesEtc\example.txt | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\program files\MicrosoftWindowsServicesEtc\RuntimeChecker.exe | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\program files\MicrosoftWindowsServicesEtc\weird\cmd.vbs | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\program files\MicrosoftWindowsServicesEtc\weird\breakrule.vbs | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\program files\MicrosoftWindowsServicesEtc\checker.bat | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\program files\MicrosoftWindowsServicesEtc\majorlist.exe | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\program files\MicrosoftWindowsServicesEtc\majorsod.exe | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\program files\MicrosoftWindowsServicesEtc\NotMuch.exe | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\program files\MicrosoftWindowsServicesEtc\AppKill.bat | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\program files\MicrosoftWindowsServicesEtc\healgen.vbs | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\program files\MicrosoftWindowsServicesEtc\weird\majorsod.vbs | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\program files\MicrosoftWindowsServicesEtc\rsod.exe | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\program files\MicrosoftWindowsServicesEtc\bsod.exe | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\program files\MicrosoftWindowsServicesEtc\DgzRun.vbs | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\program files\MicrosoftWindowsServicesEtc\fexec.vbs | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\program files\MicrosoftWindowsServicesEtc\majordared.exe | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\program files\MicrosoftWindowsServicesEtc\data\fileico.ico | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\program files\MicrosoftWindowsServicesEtc\weird\runner32s.vbs | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\program files\MicrosoftWindowsServicesEtc\data\runner32s.exe | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\program files\MicrosoftWindowsServicesEtc\GetReady.exe | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\program files\MicrosoftWindowsServicesEtc\weird\Major.vbs | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\program files\MicrosoftWindowsServicesEtc\xRunReg.vbs | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\program files\MicrosoftWindowsServicesEtc\weird\RuntimeChecker.vbs | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\program files\MicrosoftWindowsServicesEtc\weird\WinScrew.bat | C:\Windows\system32\wscript.exe | N/A |
| File opened for modification | C:\program files\MicrosoftWindowsServicesEtc\AppKill.bat | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\program files\MicrosoftWindowsServicesEtc\breakrule.exe | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\program files\MicrosoftWindowsServicesEtc\clingclang.wav | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\program files\MicrosoftWindowsServicesEtc\weird\bsod.bat | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\program files\MicrosoftWindowsServicesEtc\weird\GetReady.bat | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\program files\MicrosoftWindowsServicesEtc\weird\majorlist.bat | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\program files\MicrosoftWindowsServicesEtc\WinScrew.exe | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\program files\MicrosoftWindowsServicesEtc\data\eula32.exe | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\program files\MicrosoftWindowsServicesEtc\data\excursor.ani | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\program files\MicrosoftWindowsServicesEtc\data\thetruth.jpg | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\program files\MicrosoftWindowsServicesEtc\Major.exe | C:\Windows\system32\wscript.exe | N/A |
Subvert Trust Controls: Mark-of-the-Web Bypass
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\Downloads\NRVP.exe:Zone.Identifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\MrsMajor 2.0.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\eula32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files\MicrosoftWindowsServicesEtc\GetReady.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files\MicrosoftWindowsServicesEtc\notmuch.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Modifies Control Panel
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\Cursors\Arrow = "C:\\Program Files\\MicrosoftWindowsServicesEtc\\data\\excursor.ani" | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\Cursors\AppStarting = "C:\\Program Files\\MicrosoftWindowsServicesEtc\\data\\excursor.ani" | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\Cursors\Hand = "C:\\Program Files\\MicrosoftWindowsServicesEtc\\data\\excursor.ani" | C:\Windows\system32\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\Cursors | C:\Windows\system32\wscript.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\NRVP.exe = "11000" | C:\Users\Admin\Downloads\NRVP.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | C:\Users\Admin\Downloads\NRVP.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\NRVP.exe = "11000" | C:\Users\Admin\Downloads\NRVP.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | C:\Users\Admin\Downloads\NRVP.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\NRVP.exe = "11000" | C:\Users\Admin\Downloads\NRVP.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | C:\Users\Admin\Downloads\NRVP.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "103" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | C:\Windows\system32\LogonUI.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mp4file\DefaultIcon\ = "C:\\Program Files\\MicrosoftWindowsServicesEtc\\data\\fileico.ico" | C:\Windows\system32\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\DefaultIcon | C:\Windows\system32\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon | C:\Windows\system32\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mp4file\DefaultIcon | C:\Windows\system32\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mp3file\DefaultIcon | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mp3file\DefaultIcon\ = "C:\\Program Files\\MicrosoftWindowsServicesEtc\\data\\fileico.ico" | C:\Windows\system32\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mp4file | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\DefaultIcon\ = "C:\\Program Files\\MicrosoftWindowsServicesEtc\\data\\fileico.ico" | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\Program Files\\MicrosoftWindowsServicesEtc\\data\\fileico.ico" | C:\Windows\system32\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\Program Files\\MicrosoftWindowsServicesEtc\\data\\fileico.ico" | C:\Windows\system32\wscript.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\Downloads\NRVP.exe:Zone.Identifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| File created | C:\Users\Admin\Downloads\MrsMajor 2.0.rar:Zone.Identifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\shutdown.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\shutdown.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system | C:\Windows\system32\wscript.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Windows\system32\wscript.exe | N/A |
Uses Task Scheduler COM API
Processes
| Process | Command Line |
|---|---|
| C:\Windows\system32\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\Capture d'écran 2024-03-05 185134.png" |
| C:\Program Files\Mozilla Firefox\firefox.exe | "C:\Program Files\Mozilla Firefox\firefox.exe" |
| C:\Program Files\Mozilla Firefox\firefox.exe | "C:\Program Files\Mozilla Firefox\firefox.exe" |
| C:\Program Files\Mozilla Firefox\firefox.exe | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2008 -parentBuildID 20240401114208 -prefsHandle 1944 -prefMapHandle 1936 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {538a47c5-c2c4-4633-b8c5-04834127aabd} 432 "\\.\pipe\gecko-crash-server-pipe.432" gpu |
| C:\Program Files\Mozilla Firefox\firefox.exe | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2432 -parentBuildID 20240401114208 -prefsHandle 2416 -prefMapHandle 2412 -prefsLen 23716 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b48865f0-aa40-4344-a3fd-b8a498a9aaa2} 432 "\\.\pipe\gecko-crash-server-pipe.432" socket |
| C:\Program Files\Mozilla Firefox\firefox.exe | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3328 -childID 1 -isForBrowser -prefsHandle 3332 -prefMapHandle 1384 -prefsLen 23857 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {54dec1f1-6382-4be7-aafb-1eab2855d3c8} 432 "\\.\pipe\gecko-crash-server-pipe.432" tab |
| C:\Program Files\Mozilla Firefox\firefox.exe | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4216 -childID 2 -isForBrowser -prefsHandle 4208 -prefMapHandle 4204 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7c9d0536-dc30-4ba6-a6d2-e6337a0d3c63} 432 "\\.\pipe\gecko-crash-server-pipe.432" tab |
| C:\Program Files\Mozilla Firefox\firefox.exe | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4888 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4900 -prefMapHandle 4864 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e94f4856-65f2-47c6-ba28-69bcfcba0b75} 432 "\\.\pipe\gecko-crash-server-pipe.432" utility |
| C:\Program Files\Mozilla Firefox\firefox.exe | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5280 -childID 3 -isForBrowser -prefsHandle 5288 -prefMapHandle 5292 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0fa3eb57-25ad-4cf2-b07f-5da93769a875} 432 "\\.\pipe\gecko-crash-server-pipe.432" tab |
| C:\Program Files\Mozilla Firefox\firefox.exe | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5528 -childID 4 -isForBrowser -prefsHandle 5448 -prefMapHandle 5456 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4acdcee6-a58a-4761-87a1-0e9d503515f5} 432 "\\.\pipe\gecko-crash-server-pipe.432" tab |
| C:\Program Files\Mozilla Firefox\firefox.exe | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5636 -childID 5 -isForBrowser -prefsHandle 5716 -prefMapHandle 5712 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d0944038-baa5-4658-b3e5-8eab99251399} 432 "\\.\pipe\gecko-crash-server-pipe.432" tab |
| C:\Program Files\Mozilla Firefox\firefox.exe | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2204 -childID 6 -isForBrowser -prefsHandle 6220 -prefMapHandle 6216 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cc9d1bc5-5c03-4e49-b764-34354eb00640} 432 "\\.\pipe\gecko-crash-server-pipe.432" tab |
| C:\Program Files\Mozilla Firefox\firefox.exe | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5416 -childID 7 -isForBrowser -prefsHandle 5428 -prefMapHandle 5424 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {55543a8e-86ce-4f7a-8fdb-47ab8a528cd8} 432 "\\.\pipe\gecko-crash-server-pipe.432" tab |
| C:\Program Files\Mozilla Firefox\firefox.exe | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5820 -childID 8 -isForBrowser -prefsHandle 5500 -prefMapHandle 5508 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {757c054e-4c6d-47ee-9e8f-e2940346fd58} 432 "\\.\pipe\gecko-crash-server-pipe.432" tab |
| C:\Program Files\Mozilla Firefox\firefox.exe | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6452 -childID 9 -isForBrowser -prefsHandle 6380 -prefMapHandle 5736 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {02ec8559-e08b-4187-8293-5d9631a6829c} 432 "\\.\pipe\gecko-crash-server-pipe.432" tab |
| C:\Program Files\Mozilla Firefox\firefox.exe | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6900 -childID 10 -isForBrowser -prefsHandle 7000 -prefMapHandle 7004 -prefsLen 27817 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ddf6196f-7073-4e51-b41a-ce53a7a2c4af} 432 "\\.\pipe\gecko-crash-server-pipe.432" tab |
| C:\Users\Admin\Downloads\NRVP.exe | "C:\Users\Admin\Downloads\NRVP.exe" |
| C:\Users\Admin\Downloads\NRVP.exe | "C:\Users\Admin\Downloads\NRVP.exe" |
| C:\Users\Admin\Downloads\NRVP.exe | "C:\Users\Admin\Downloads\NRVP.exe" |
| C:\Program Files\Mozilla Firefox\firefox.exe | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4744 -childID 11 -isForBrowser -prefsHandle 7244 -prefMapHandle 7132 -prefsLen 28094 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5fd012b4-95d6-4adb-8083-d1bf6a204f50} 432 "\\.\pipe\gecko-crash-server-pipe.432" tab |
| C:\Program Files\Mozilla Firefox\firefox.exe | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6332 -childID 12 -isForBrowser -prefsHandle 6320 -prefMapHandle 6316 -prefsLen 28094 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {162cdacd-9b2b-4d01-9dea-7bf8d4420033} 432 "\\.\pipe\gecko-crash-server-pipe.432" tab |
| C:\Program Files\Mozilla Firefox\firefox.exe | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5432 -childID 13 -isForBrowser -prefsHandle 3536 -prefMapHandle 4700 -prefsLen 28094 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {730ac1b3-f923-4ba7-8268-7f529169b432} 432 "\\.\pipe\gecko-crash-server-pipe.432" tab |
| C:\Program Files\Mozilla Firefox\firefox.exe | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7668 -childID 14 -isForBrowser -prefsHandle 3536 -prefMapHandle 2748 -prefsLen 28094 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a80c1edb-a48e-412a-8c01-4d78e67247bc} 432 "\\.\pipe\gecko-crash-server-pipe.432" tab |
| C:\Windows\System32\rundll32.exe | C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding |
| C:\Program Files\7-Zip\7zG.exe | "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap30146:82:7zEvent30235 |
| C:\Users\Admin\Desktop\MrsMajor 2.0.exe | "C:\Users\Admin\Desktop\MrsMajor 2.0.exe" |
| C:\Windows\system32\wscript.exe | "C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\5625.tmp\5626.vbs |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /c cd\&cd "C:\Users\Admin\AppData\Local\Temp" & eula32.exe |
| C:\Users\Admin\AppData\Local\Temp\eula32.exe | eula32.exe |
| C:\Program Files\MicrosoftWindowsServicesEtc\GetReady.exe | "C:\Program Files\MicrosoftWindowsServicesEtc\GetReady.exe" |
| C:\Windows\system32\cmd.exe | "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1\AA21.bat "C:\Program Files\MicrosoftWindowsServicesEtc\GetReady.exe"" |
| C:\Windows\System32\takeown.exe | takeown /f taskmgr.exe |
| C:\Windows\System32\icacls.exe | icacls taskmgr.exe /granted "Admin":F |
| C:\Windows\System32\takeown.exe | takeown /f sethc.exe |
| C:\Windows\System32\icacls.exe | icacls sethc.exe /granted "Admin":F |
| C:\Program Files\MicrosoftWindowsServicesEtc\notmuch.exe | "C:\Program Files\MicrosoftWindowsServicesEtc\notmuch.exe" |
| C:\Windows\System32\shutdown.exe | "C:\Windows\System32\shutdown.exe" -r -t 5 |
| C:\Windows\system32\LogonUI.exe | "LogonUI.exe" /flags:0x4 /state0:0xa3921855 /state1:0x41c64e6d |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| N/A | 127.0.0.1:49553 | N/A | tcp |
| US | 8.8.8.8:53 | spocs.getpocket.com | udp |
| US | 8.8.8.8:53 | firefox-api-proxy.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | prod.ads.prod.webservices.mozgcp.net | udp |
| US | 34.149.97.1:443 | firefox-api-proxy.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.ads.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | 161.99.165.35.in-addr.arpa | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| N/A | 127.0.0.1:49560 | tcp | |
| US | 8.8.8.8:53 | www.mozilla.org | udp |
| EG | 108.159.125.152:443 | www.mozilla.org | tcp |
| US | 8.8.8.8:53 | www.mozorg.moz.works | udp |
| US | 8.8.8.8:53 | www.mozorg.moz.works | udp |
| US | 8.8.8.8:53 | 152.125.159.108.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| NL | 142.250.179.196:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| NL | 142.250.179.196:443 | www.google.com | udp |
| US | 8.8.8.8:53 | 131.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.36.251.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| GB | 184.28.176.16:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | e86303.dscx.akamaiedge.net | udp |
| US | 8.8.8.8:53 | e86303.dscx.akamaiedge.net | udp |
| GB | 184.28.176.16:443 | e86303.dscx.akamaiedge.net | udp |
| US | 8.8.8.8:53 | 16.176.28.184.in-addr.arpa | udp |
| GB | 184.28.176.16:443 | e86303.dscx.akamaiedge.net | tcp |
| GB | 184.28.176.16:443 | e86303.dscx.akamaiedge.net | tcp |
| GB | 184.28.176.16:443 | e86303.dscx.akamaiedge.net | udp |
| US | 8.8.8.8:53 | r.bing.com | udp |
| US | 8.8.8.8:53 | th.bing.com | udp |
| GB | 184.28.176.56:443 | th.bing.com | tcp |
| GB | 184.28.176.56:443 | th.bing.com | tcp |
| US | 8.8.8.8:53 | 56.176.28.184.in-addr.arpa | udp |
| GB | 184.28.176.56:443 | th.bing.com | udp |
| GB | 184.28.176.49:443 | r.bing.com | tcp |
| GB | 184.28.176.49:443 | r.bing.com | tcp |
| GB | 184.28.176.49:443 | r.bing.com | tcp |
| GB | 184.28.176.49:443 | r.bing.com | tcp |
| GB | 184.28.176.49:443 | r.bing.com | tcp |
| GB | 184.28.176.49:443 | r.bing.com | tcp |
| GB | 184.28.176.49:443 | r.bing.com | tcp |
| GB | 184.28.176.49:443 | r.bing.com | tcp |
| GB | 184.28.176.49:443 | r.bing.com | tcp |
| GB | 184.28.176.49:443 | r.bing.com | udp |
| US | 8.8.8.8:53 | 49.176.28.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | login.microsoftonline.com | udp |
| IE | 20.190.159.71:443 | login.microsoftonline.com | tcp |
| US | 8.8.8.8:53 | www.tm.ak.prd.aadg.akadns.net | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | www.tm.ak.prd.aadg.akadns.net | udp |
| US | 8.8.8.8:53 | services.bingapis.com | udp |
| US | 13.107.5.80:443 | services.bingapis.com | tcp |
| US | 13.107.5.80:443 | services.bingapis.com | tcp |
| US | 8.8.8.8:53 | e-0001.e-msedge.net | udp |
| US | 8.8.8.8:53 | e-0001.e-msedge.net | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.5.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.githubassets.com | udp |
| US | 8.8.8.8:53 | avatars.githubusercontent.com | udp |
| US | 185.199.110.133:443 | avatars.githubusercontent.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 8.8.8.8:53 | avatars.githubusercontent.com | udp |
| US | 8.8.8.8:53 | github.githubassets.com | udp |
| US | 8.8.8.8:53 | github.githubassets.com | udp |
| US | 8.8.8.8:53 | avatars.githubusercontent.com | udp |
| US | 8.8.8.8:53 | camo.githubusercontent.com | udp |
| US | 185.199.110.133:443 | camo.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | camo.githubusercontent.com | udp |
| US | 8.8.8.8:53 | camo.githubusercontent.com | udp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.109.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | collector.github.com | udp |
| US | 140.82.112.21:443 | collector.github.com | tcp |
| US | 140.82.112.21:443 | collector.github.com | tcp |
| US | 8.8.8.8:53 | glb-db52c2cf8be544.github.com | udp |
| US | 8.8.8.8:53 | glb-db52c2cf8be544.github.com | udp |
| US | 140.82.112.21:443 | collector.github.com | tcp |
| US | 8.8.8.8:53 | api.github.com | udp |
| GB | 20.26.156.210:443 | api.github.com | tcp |
| US | 8.8.8.8:53 | api.github.com | udp |
| US | 8.8.8.8:53 | api.github.com | udp |
| US | 8.8.8.8:53 | 21.112.82.140.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.tm.v4.a.prd.aadg.akadns.net | udp |
| US | 8.8.8.8:53 | www.tm.v4.a.prd.aadg.akadns.net | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | drive.google.com | udp |
| NL | 172.217.168.206:443 | drive.google.com | tcp |
| US | 8.8.8.8:53 | drive.google.com | udp |
| US | 8.8.8.8:53 | drive.google.com | udp |
| NL | 172.217.168.206:443 | drive.google.com | tcp |
| NL | 172.217.168.206:443 | drive.google.com | udp |
| US | 8.8.8.8:53 | drive.usercontent.google.com | udp |
| NL | 142.250.179.129:443 | drive.usercontent.google.com | tcp |
| US | 8.8.8.8:53 | drive.usercontent.google.com | udp |
| US | 8.8.8.8:53 | drive.usercontent.google.com | udp |
| US | 172.64.154.167:443 | www2.bing.com | tcp |
| US | 8.8.8.8:53 | www.bing.com.cdn.cloudflare.net | udp |
| US | 8.8.8.8:53 | www.bing.com.cdn.cloudflare.net | udp |
| US | 8.8.8.8:53 | 129.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.168.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.154.64.172.in-addr.arpa | udp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 8.8.8.8:53 | github.githubassets.com | udp |
| US | 185.199.110.133:443 | camo.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | location.services.mozilla.com | udp |
| US | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.classify-client.prod.webservices.mozgcp.net | udp |
| US | 35.190.72.216:443 | prod.classify-client.prod.webservices.mozgcp.net | udp |
| US | 35.190.72.216:443 | prod.classify-client.prod.webservices.mozgcp.net | tcp |
| US | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.classify-client.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 216.72.190.35.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 201.181.244.35.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ciscobinary.openh264.org | udp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| GB | 88.221.134.155:80 | ciscobinary.openh264.org | tcp |
| US | 8.8.8.8:53 | a19.dscg10.akamai.net | udp |
| NL | 142.250.179.174:443 | redirector.gvt1.com | tcp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| NL | 142.250.179.174:443 | redirector.gvt1.com | udp |
| US | 8.8.8.8:53 | r1---sn-5hne6nsk.gvt1.com | udp |
| NL | 172.217.132.38:443 | r1---sn-5hne6nsk.gvt1.com | tcp |
| US | 8.8.8.8:53 | r1.sn-5hne6nsk.gvt1.com | udp |
| US | 8.8.8.8:53 | 174.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 155.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | r1.sn-5hne6nsk.gvt1.com | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| NL | 172.217.132.38:443 | r1.sn-5hne6nsk.gvt1.com | udp |
| US | 8.8.8.8:53 | a19.dscg10.akamai.net | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 38.132.217.172.in-addr.arpa | udp |
| NL | 142.250.179.129:443 | drive.usercontent.google.com | udp |
| US | 8.8.8.8:53 | ssl.gstatic.com | udp |
| US | 8.8.8.8:53 | ssl.gstatic.com | udp |
| US | 8.8.8.8:53 | ssl.gstatic.com | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 185.199.110.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | camo.githubusercontent.com | udp |
| US | 8.8.8.8:53 | e86303.dscx.akamaiedge.net | udp |
| GB | 184.28.176.107:443 | e86303.dscx.akamaiedge.net | udp |
| GB | 184.28.176.107:443 | e86303.dscx.akamaiedge.net | tcp |
| GB | 184.28.176.107:443 | e86303.dscx.akamaiedge.net | tcp |
| US | 8.8.8.8:53 | e86303.dscx.akamaiedge.net | udp |
| US | 8.8.8.8:53 | tiny.cc | udp |
| US | 8.8.8.8:53 | 107.176.28.184.in-addr.arpa | udp |
| US | 157.245.113.153:443 | tiny.cc | tcp |
| US | 8.8.8.8:53 | tiny.cc | udp |
| US | 157.245.113.153:443 | tiny.cc | tcp |
| US | 8.8.8.8:53 | tiny.cc | udp |
| US | 157.245.113.153:443 | tiny.cc | tcp |
| NL | 172.217.168.206:443 | drive.google.com | udp |
| NL | 172.217.168.206:443 | drive.google.com | tcp |
| US | 8.8.8.8:53 | 153.113.245.157.in-addr.arpa | udp |
| NL | 172.217.168.206:443 | drive.google.com | tcp |
| US | 8.8.8.8:53 | 42.36.251.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | apis.google.com | udp |
| US | 8.8.8.8:53 | play.google.com | udp |
| NL | 216.58.214.14:443 | play.google.com | tcp |
| US | 8.8.8.8:53 | play.google.com | udp |
| US | 8.8.8.8:53 | accounts.google.com | udp |
| NL | 216.58.214.14:443 | play.google.com | tcp |
| US | 8.8.8.8:53 | accounts.google.com | udp |
| NL | 142.250.102.84:443 | accounts.google.com | tcp |
| NL | 216.58.214.14:443 | play.google.com | tcp |
| US | 8.8.8.8:53 | accounts.google.com | udp |
| NL | 216.58.214.14:443 | play.google.com | tcp |
| NL | 142.250.102.84:443 | accounts.google.com | udp |
| NL | 142.251.36.14:443 | apis.google.com | tcp |
| NL | 142.251.36.14:443 | apis.google.com | tcp |
| US | 8.8.8.8:53 | plus.l.google.com | udp |
| US | 8.8.8.8:53 | 84.102.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.214.58.216.in-addr.arpa | udp |
| NL | 142.250.179.196:443 | www.google.com | udp |
| US | 8.8.8.8:53 | play.google.com | udp |
| NL | 142.250.179.196:443 | www.google.com | tcp |
| NL | 142.251.36.14:443 | plus.l.google.com | tcp |
| NL | 142.251.36.14:443 | plus.l.google.com | tcp |
| NL | 216.58.214.14:443 | play.google.com | udp |
| NL | 142.251.36.14:443 | plus.l.google.com | udp |
| NL | 142.250.179.196:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | content.googleapis.com | udp |
| US | 8.8.8.8:53 | blobcomments-pa.clients6.google.com | udp |
| US | 8.8.8.8:53 | 14.36.251.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | plus.l.google.com | udp |
| NL | 172.217.168.234:443 | blobcomments-pa.clients6.google.com | tcp |
| NL | 172.217.168.234:443 | blobcomments-pa.clients6.google.com | tcp |
| NL | 142.251.39.106:443 | content.googleapis.com | tcp |
| US | 8.8.8.8:53 | blobcomments-pa.clients6.google.com | udp |
| US | 8.8.8.8:53 | content.googleapis.com | udp |
| US | 8.8.8.8:53 | content.googleapis.com | udp |
| US | 8.8.8.8:53 | blobcomments-pa.clients6.google.com | udp |
| NL | 142.251.39.106:443 | content.googleapis.com | udp |
| US | 8.8.8.8:53 | 234.168.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 106.39.251.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lh3.googleusercontent.com | udp |
| NL | 172.217.168.234:443 | content.googleapis.com | udp |
| US | 8.8.8.8:53 | peoplestackwebexperiments-pa.clients6.google.com | udp |
| NL | 142.251.39.97:443 | lh3.googleusercontent.com | tcp |
| US | 8.8.8.8:53 | googlehosted.l.googleusercontent.com | udp |
| US | 8.8.8.8:53 | googlehosted.l.googleusercontent.com | udp |
| US | 8.8.8.8:53 | 97.39.251.142.in-addr.arpa | udp |
| NL | 142.251.39.97:443 | googlehosted.l.googleusercontent.com | udp |
| NL | 142.250.179.138:443 | peoplestackwebexperiments-pa.clients6.google.com | tcp |
| NL | 142.250.179.138:443 | peoplestackwebexperiments-pa.clients6.google.com | tcp |
| NL | 142.250.179.138:443 | peoplestackwebexperiments-pa.clients6.google.com | tcp |
| NL | 142.250.179.138:443 | peoplestackwebexperiments-pa.clients6.google.com | tcp |
| US | 8.8.8.8:53 | peoplestackwebexperiments-pa.clients6.google.com | udp |
| US | 8.8.8.8:53 | peoplestackwebexperiments-pa.clients6.google.com | udp |
| NL | 142.250.179.138:443 | peoplestackwebexperiments-pa.clients6.google.com | udp |
| US | 8.8.8.8:53 | 138.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | accounts.google.com | udp |
| NL | 172.217.168.234:443 | content.googleapis.com | udp |
| NL | 142.250.179.138:443 | peoplestackwebexperiments-pa.clients6.google.com | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | e86303.dscx.akamaiedge.net | udp |
| US | 8.8.8.8:53 | e86303.dscx.akamaiedge.net | udp |
Files
| SHA1 | d2e86020e1d48e527e81e550f06c651328bd58a4 |
| SHA256 | 5dd4ea169cabf9226f54bb53e63ea6a1b5880a0d1222242aee378efb6255b57d |
| SHA512 | a173801aaef4fab608d99b52223b5b2400d69b91edcbf33c21fcb47bd832eef9d771dfd36da350a502a371ed1739c869a7c2b4dca456c93f2feed9ac9c647c7c |
C:\Users\Admin\AppData\Local\Temp\5625.tmp\5626.vbs
| MD5 | fd76266c8088a4dca45414c36c7e9523 |
| SHA1 | 6b19bf2904a0e3b479032e101476b49ed3ae144a |
| SHA256 | f853dddb0f9f1b74b72bccdb5191c28e18d466b5dbc205f7741a24391375cd6f |
| SHA512 | 3cd49395368e279ac9a63315583d3804aa89ec8bb6112754973451a7ea7b68140598699b30eef1b0e94c3286d1e6254e2063188282f7e6a18f1349877adeb072 |
C:\Users\Admin\AppData\Local\Temp\5625.tmp\MicrosoftWindowsServicesEtc\AppKill.bat
| MD5 | d4e987817d2e5d6ed2c12633d6f11101 |
| SHA1 | 3f38430a028f9e3cb66c152e302b3586512dd9c4 |
| SHA256 | 5549670ef8837c6e3c4e496c1ea2063670618249d4151dea4d07d48ab456690c |
| SHA512 | b84fef88f0128b46f1e2f9c5dff2cb620ee885bed6c90dcf4a5dc51c77bea492c92b8084d8dc8b4277b47b2493a2d9d3f348c6e229bf3da9041ef90e0fd8b6c4 |
C:\Users\Admin\AppData\Local\Temp\5625.tmp\MicrosoftWindowsServicesEtc\CallFunc.vbs
| MD5 | 5f9737f03289963a6d7a71efab0813c4 |
| SHA1 | ba22dfae8d365cbf8014a630f23f1d8574b5cf85 |
| SHA256 | a767894a68ebc490cb5ab2b7b04dd12b7465553ce7ba7e41e1ea45f1eaef5275 |
| SHA512 | 5f4fb691e6da90e8e0872378a7b78cbd1acbf2bd75d19d65f17bf5b1cea95047d66b79fd1173703fcfef42cfc116ca629b9b37e355e44155e8f3b98f2d916a2a |
C:\Users\Admin\AppData\Local\Temp\5625.tmp\MicrosoftWindowsServicesEtc\bsod.exe
| MD5 | 8f6a3b2b1af3a4aacd8df1734d250cfe |
| SHA1 | 505b3bd8e936cb5d8999c1b319951ffebab335c9 |
| SHA256 | 6581eeab9fd116662b4ca73f6ef00fb96e0505d01cfb446ee4b32bbdeefe1361 |
| SHA512 | c1b5f845c005a1a586080e9da9744e30c7f3eda1e3aaba9c351768f7dea802e9f39d0227772413756ab63914ae4a2514e6ce52c494a91e92c3a1f08badb40264 |
C:\Users\Admin\AppData\Local\Temp\5625.tmp\MicrosoftWindowsServicesEtc\breakrule.exe
| MD5 | bcb0ac4822de8aeb86ea8a83cd74d7ca |
| SHA1 | 8e2b702450f91dde3c085d902c09dd265368112e |
| SHA256 | 5eafebd52fbf6d0e8abd0cc9bf42d36e5b6e4d85b8ebe59f61c9f2d6dccc65e4 |
| SHA512 | b73647a59eeb92f95c4d7519432ce40ce9014b292b9eb1ed6a809cca30864527c2c827fe49c285bb69984f33469704424edca526f9dff05a6244b33424df01d1 |
C:\Users\Admin\AppData\Local\Temp\5625.tmp\MicrosoftWindowsServicesEtc\clingclang.wav
| MD5 | 1c723b3b9420e04cb8845af8b62a37fa |
| SHA1 | 3331a0f04c851194405eb9a9ff49c76bfa3d4db0 |
| SHA256 | 6831f471ee3363e981e6a1eb0d722f092b33c9b73c91f9f2a9aafa5cb4c56b29 |
| SHA512 | 41f4005ec2a7e0ee8e0e5f52b9d97f25a64a25bb0f00c85c07c643e4e63ea361b4d86733a0cf719b30ea6af225c4fcaca494f22e8e2f73cda9db906c5a0f12ae |
C:\Users\Admin\AppData\Local\Temp\5625.tmp\MicrosoftWindowsServicesEtc\checker.bat
| MD5 | f59801d5c49713770bdb2f14eff34e2f |
| SHA1 | 91090652460c3a197cfad74d2d3c16947d023d63 |
| SHA256 | 3382484b5a6a04d05500e7622da37c1ffaef3a1343395942bc7802bf2a19b53f |
| SHA512 | c1c3a78f86e7938afbe391f0e03065b04375207704e419fe77bf0810d1e740c3ef8926c878884ad81b429ec41e126813a68844f600e124f5fa8d28ef17b4b7bc |
C:\Users\Admin\AppData\Local\Temp\5625.tmp\MicrosoftWindowsServicesEtc\data\fileico.ico
| MD5 | a62eeca905717738a4355dc5009d0fc6 |
| SHA1 | dd4cc0d3f203d395dfdc26834fc890e181d33382 |
| SHA256 | d13f7fd44f38136dae1cdf147ba9b673e698f77c0a644ccd3c12e3a71818a0cd |
| SHA512 | 47ffac6dc37dac4276579cd668fd2524ab1591b594032adbeb609d442f3a28235a2d185c66d8b78b6827ac51d62d97bdc3dffc3ffbaa70cf13d4d5f1dc5f16c2 |
C:\Users\Admin\AppData\Local\Temp\5625.tmp\MicrosoftWindowsServicesEtc\healgen.vbs
| MD5 | 8837818893ce61b6730dd8a83d625890 |
| SHA1 | a9d71d6d6d0c262d41a60b6733fb23cd7b8c7614 |
| SHA256 | cc6d0f847fde710096b01abf905c037594ff4afae6e68a8b6af0cc59543e29bb |
| SHA512 | 6f17d46098e3c56070ced4171d4c3a0785463d92db5f703b56b250ab8615bcb6e504d4c5a74d05308a62ea36ae31bc29850187943b54add2b50422fb03125516 |
C:\Program Files\MicrosoftWindowsServicesEtc\GetReady.exe
| MD5 | 57f3795953dafa8b5e2b24ba5bfad87f |
| SHA1 | 47719bd600e7527c355dbdb053e3936379d1b405 |
| SHA256 | 5319958efc38ea81f61854eb9f6c8aee32394d4389e52fe5c1f7f7ef6b261725 |
| SHA512 | 172006e8deed2766e7fa71e34182b5539309ec8c2ac5f63285724ef8f59864e1159c618c0914eb05692df721794eb4726757b2ccf576f0c78a6567d807cbfb98 |
C:\Users\Admin\AppData\Local\Temp\5625.tmp\MicrosoftWindowsServicesEtc\DgzRun.vbs
| MD5 | a91417f7c55510155771f1f644dd6c7e |
| SHA1 | 41bdb69c5baca73f49231d5b5f77975b79e55bdf |
| SHA256 | 729f7540887cf32a5d4e1968a284c46cf904752821c734bd970ecd30a848477a |
| SHA512 | f786699c1ab9d7c74dd9eb9d76a76728980b29e84999a166a47b7ee102d8e545901ed0fcb30331712490a36de2d726115b661ad3900cdc2bfcfc601d00b76b07 |
C:\Users\Admin\AppData\Local\Temp\5625.tmp\MicrosoftWindowsServicesEtc\data\thetruth.jpg
| MD5 | 7907845316bdbd32200b82944d752d9c |
| SHA1 | 1e5c37db25964c5dd05f4dce392533a838a722a9 |
| SHA256 | 4e3baea3d98c479951f9ea02e588a3b98b1975055c1dfdf67af4de6e7b41e476 |
| SHA512 | 72a64fab025928d60174d067990c35caa3bb6dadacf9c66e5629ee466016bc8495e71bed218e502f6bde61623e0819485459f25f3f82836e632a52727335c0a0 |
C:\Users\Admin\AppData\Local\Temp\5625.tmp\MicrosoftWindowsServicesEtc\data\runner32s.exe
| MD5 | 87815289b110cf33af8af1decf9ff2e9 |
| SHA1 | 09024f9ec9464f56b7e6c61bdd31d7044bdf4795 |
| SHA256 | a97ea879e2b51972aa0ba46a19ad4363d876ac035502a2ed2df27db522bc6ac4 |
| SHA512 | 8d9024507fa83f578b375c86f38970177313ec3dd9fae794b6e7f739e84fa047a9ef56bf190f6f131d0c7c5e280e729208848b152b3ca492a54af2b18e70f5dc |
C:\Users\Admin\AppData\Local\Temp\5625.tmp\MicrosoftWindowsServicesEtc\data\excursor.ani
| MD5 | 289624a46bb7ec6d91d5b099343b7f24 |
| SHA1 | 2b0aab828ddb252baf4ed99994f716d136cd7948 |
| SHA256 | b93b0cb2bb965f5758cb0c699fbc827a64712d6f248aaf810cde5fa5ef3227eb |
| SHA512 | 8c77696fe1c897f56ea3afdecf67ad1128274815942cd4c73d30bf0a44dd1a690d8c2f4b0be08e604853084e5515020c2e913d6e044f9801b6223c1912eec8f8 |
C:\Users\Admin\AppData\Local\Temp\5625.tmp\MicrosoftWindowsServicesEtc\data\eula32.exe
| MD5 | cbc127fb8db087485068044b966c76e8 |
| SHA1 | d02451bd20b77664ce27d39313e218ab9a9fdbf9 |
| SHA256 | c5704419b3eec34fb133cf2509d12492febdcb8831efa1ab014edeac83f538d9 |
| SHA512 | 200ee39287f056b504cc23beb1b301a88b183a3806b023d936a2d44a31bbfd08854f6776082d4f7e2232c3d2f606cd5d8229591ecdc86a2bbcfd970a1ee33d41 |
C:\Users\Admin\AppData\Local\Temp\5625.tmp\MicrosoftWindowsServicesEtc\majorlist.exe
| MD5 | 230970ec5286b34a6b2cda9afdd28368 |
| SHA1 | e3198d3d3b51d245a62a0dc955f2b1449608a295 |
| SHA256 | 3cdafc944b48d45a0d5dc068652486a970124ebe1379a7a04e5cf1dcf05c37c8 |
| SHA512 | 52912b6b2ba55c540316fcfc6f45d68771d1c22ddf4eb09c2cc15fb8ddd214812c18fd75cd61b561c29f660e2bf20290a101b85da1e0bbf8dfbf90b791892b57 |
C:\Users\Admin\AppData\Local\Temp\5625.tmp\MicrosoftWindowsServicesEtc\majordared.exe
| MD5 | 570d35aabee1887f7f6ab3f0a1e76984 |
| SHA1 | ae989563c3be21ee9043690dcaac3a426859d083 |
| SHA256 | fa24bc7bc366f2ad579d57a691fb0d10d868e501221df0c32a98e705d2d61e43 |
| SHA512 | 9b68a8acacba451bbf028656c181fae29c5bcaed6a7ff4c1fc26ab708b62ca4be7bba9c777c598926d23331570617d20a0ce439f014461eccd8c3f595d21a54f |
C:\Users\Admin\AppData\Local\Temp\5625.tmp\MicrosoftWindowsServicesEtc\Major.exe
| MD5 | d604c29940864c64b4752d31e2deb465 |
| SHA1 | c1698ea4e5d1ba1c9b78973556f97e8f6dbbdef3 |
| SHA256 | da0233f5e5e9a34e8dd4f6911444ca1f3e29bb9cbd958a9f4508ac7d72ccd55d |
| SHA512 | 89a4a14574ba19fe319c766add0111feeb4320c08bf75f55a898d9acc783d5a862a6433758a413cc719b9179dcf873f1c850d1084851b8fc37aa1e3deabfcf54 |
C:\Users\Admin\AppData\Local\Temp\5625.tmp\MicrosoftWindowsServicesEtc\rsod.exe
| MD5 | 91a0740cfb043e1f4d8461f8cbe2ff19 |
| SHA1 | 92e1ad31c34c4102e5cb2cc69f3793b2a1d5304e |
| SHA256 | dcaabfd6955d3fec26a86217d1b1ab7e979c301d498473e4d885145ce031fc3b |
| SHA512 | c60067655e5f191708af9b25382869e3ce65cd3ea2d6cac70f8cae4132942cfd6a8aa9dde1e2b7f3f12997d6d7411e21dc73ab4cd83ec555d74b82b86778a613 |
C:\Users\Admin\AppData\Local\Temp\5625.tmp\MicrosoftWindowsServicesEtc\NotMuch.exe
| MD5 | 87a43b15969dc083a0d7e2ef73ee4dd1 |
| SHA1 | 657c7ff7e3f325bcbc88db9499b12c636d564a5f |
| SHA256 | cf830a2d66d3ffe51341de9e62c939b2bb68583afbc926ddc7818c3a71e80ebb |
| SHA512 | 8a02d24f5dab33cdaf768bca0d7a1e3ea75ad515747ccca8ee9f7ffc6f93e8f392ab377f7c2efa5d79cc0b599750fd591358a557f074f3ce9170283ab5b786a1 |
C:\Users\Admin\AppData\Local\Temp\5625.tmp\MicrosoftWindowsServicesEtc\majorsod.exe
| MD5 | b561c360c46744f55be79a25e1844e3c |
| SHA1 | ed0f7eb00b4f1ae6cf92ad75e5701014f3d03d56 |
| SHA256 | d1094e91960ded15444c6f50756adc451a7c0b495b2ea28319b7184ba96236f7 |
| SHA512 | 0a3a75d08f1d7afcd7a476fc71157983e04b0c26b00ace4d505aa644e5da3e242dd0f6afdb3c93f29ba0b08d2702d0e96b49acba4ed260330068b13f93973e9f |
C:\Users\Admin\AppData\Local\Temp\5625.tmp\MicrosoftWindowsServicesEtc\weird\majorlist.bat
| MD5 | 4cc606c63f423fda5324c962db709562 |
| SHA1 | 091250ffc64db9bea451885350abed2b7748014c |
| SHA256 | 839301ef07178c100e7f4d47874faf995ae5d11dfd527dda096a284c8114671b |
| SHA512 | f29ef2bc694f497499545d1fa4e14ca93c06049fff582af3a6caf3885153491a1cd9e96ab5a6746051aa972421f876c008e5d5b671bd34c3922b61c84151097f |
C:\Users\Admin\AppData\Local\Temp\5625.tmp\MicrosoftWindowsServicesEtc\weird\Major.vbs
| MD5 | 9192fd494155eab424110765c751559e |
| SHA1 | b54fcc1e29617b3eee1c7bb215c048498881b641 |
| SHA256 | cbd3b0f294e8f11592a3ad80d1070d81746f806a48183b93c345251422ccbf0d |
| SHA512 | b8c48916535f3721e7f47be6af671765c3befefcd407c6ea5fabcf9ada119747408d662f61fb436f98a7c33050b6674da54dddf25e683429204a96555ec6e801 |
C:\Users\Admin\AppData\Local\Temp\5625.tmp\MicrosoftWindowsServicesEtc\weird\GetReady.bat
| MD5 | 3dbccaadafb7f0227c1839be5ca07015 |
| SHA1 | bd636f73235d52d172ad8932a8e4a6a8b17389a0 |
| SHA256 | 33a0c62f3f66bce3fc1beb37aca8ad731bfa5590177d933d9d4eae016019242a |
| SHA512 | d981670f9d492d97931ab260a7d7d27d4f97621a1ef3e20246d4be2a9b4cfc01e01174a1d46432b4a3d937ad135c97eec9ef7bbc7da46034388843887df4637e |
C:\Users\Admin\AppData\Local\Temp\5625.tmp\MicrosoftWindowsServicesEtc\weird\cmd.vbs
| MD5 | b181d5a4055b4a620dd7c44c5065bbe7 |
| SHA1 | 36320f257026b923b923ad2c0e7fa93a257806e0 |
| SHA256 | 4d2639e890d6d5988eb9cb6f8cb50647048bbfeeb83fc604c52567e7381c876c |
| SHA512 | 0bec0cf2e5b93065701c5458c1d7e047312971d7bbed3ce5444db710654fa0d84eabb7d7c243130e3cb2dae38eb05874929b5b08547174a6065f8accd4e0433d |
C:\Users\Admin\AppData\Local\Temp\5625.tmp\MicrosoftWindowsServicesEtc\weird\bsod.bat
| MD5 | c94bb8d71863b05b95891389bed6365e |
| SHA1 | 07bb402d67f8b1fc601687f1df2622369413db3b |
| SHA256 | 3900e3b60b4691311e050c4cf8fac82ff178a06e3d04d5d6b2d7ea12cf5d53d1 |
| SHA512 | 00e7ab3a91862faaf5ac5ca3de6dbf2cbb8aac4aba277e1e14b2ecf4650eea2e68134e0df549dca35ab715ed46e36fa9cfee1ba7bb3520511723bf567566682d |
C:\Users\Admin\AppData\Local\Temp\5625.tmp\MicrosoftWindowsServicesEtc\weird\breakrule.vbs
| MD5 | 2609fde7a9604c73be5083e4bcfa0e20 |
| SHA1 | 068c89f703fb11663143b9927f2a0c9f9f59c0e3 |
| SHA256 | 17d014cb4abbaced3acce9b6d7a1b595cd6e2dd814e41f06ceddcdc08e93eebe |
| SHA512 | 439fee7cc198cb3fef4ef14693141e52c305579a4ff2da0842323f57dcffade03f3b01ac288080fed423511937a4c1e2080f5a79f967a963fe34253f541824cb |
C:\Users\Admin\AppData\Local\Temp\5625.tmp\MicrosoftWindowsServicesEtc\RuntimeChecker.exe
| MD5 | cd58990b1b7f6c68f56244c41ab91665 |
| SHA1 | 7ccca9958d6aebbe3883b55f115b041b827bd2e7 |
| SHA256 | 51f59e877a1c2a1c2760c677def7395ef2868c2ee3e56ffdc3ace570afa50428 |
| SHA512 | 011bdd417ec3bf72daa2b32d3816b696be8b87423740dc2a0182e23515651deeb870a94f3415a73480145f9f5e36c1a3a492410b77ca95d7fab8b9826e9198cc |
C:\Users\Admin\AppData\Local\Temp\xRun.vbs
| MD5 | 26ec8d73e3f6c1e196cc6e3713b9a89f |
| SHA1 | cb2266f3ecfef4d59bd12d7f117c2327eb9c55fa |
| SHA256 | ed588fa361979f7f9c6dbb4e6a1ae6e075f2db8d79ea6ca2007ba8e3423671b0 |
| SHA512 | 2b3ad279f1cdc2a5b05073116c71d79e190bfa407da09d8268d56ac2a0c4cc0c31161a251686ac67468d0ba329c302a301c542c22744d9e3a3f5e7ffd2b51195 |
memory/5936-1595-0x0000000000C90000-0x0000000000DCC000-memory.dmp
memory/5936-1596-0x0000000005D40000-0x00000000062E4000-memory.dmp
memory/5936-1597-0x0000000005830000-0x00000000058C2000-memory.dmp
memory/5936-1598-0x00000000057C0000-0x00000000057CA000-memory.dmp
memory/1552-1618-0x00000000008F0000-0x0000000000914000-memory.dmp