Malware Analysis Report

2024-11-16 12:53

Sample ID 240812-xfehhsyelb
Target Capture d'écran 2024-03-05 185134.png
SHA256 13e22cb8af9f1fc3fa475e011f56db8780e619b304961b2a68dc900e57ca7e8b
Tags
defense_evasion discovery evasion exploit persistence trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

13e22cb8af9f1fc3fa475e011f56db8780e619b304961b2a68dc900e57ca7e8b

Threat Level: Known bad

The file Capture d'écran 2024-03-05 185134.png was found to be: Known bad.

Malicious Activity Summary

defense_evasion discovery evasion exploit persistence trojan upx

UAC bypass

Modifies WinLogon for persistence

Disables RegEdit via registry modification

Downloads MZ/PE file

Disables Task Manager via registry modification

Possible privilege escalation attempt

UPX packed file

Modifies file permissions

Checks computer location settings

Executes dropped EXE

Modifies system executable filetype association

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Drops file in System32 directory

Subvert Trust Controls: Mark-of-the-Web Bypass

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Checks processor information in registry

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

NTFS ADS

Modifies Internet Explorer settings

Suspicious use of SetWindowsHookEx

Modifies Control Panel

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Uses Task Scheduler COM API

System policy modification

Modifies registry class

Modifies data under HKEY_USERS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-12 18:47

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-12 18:47

Reported

2024-08-12 18:50

Platform

win10v2004-20240802-en

Max time kernel

164s

Max time network

165s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Capture d'écran 2024-03-05 185134.png"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, wscript.exe \"C:\\Program Files\\MicrosoftWindowsServicesEtc\\xRunReg.vbs\"" C:\Windows\system32\wscript.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\system32\wscript.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\disableregistrytools = "1" C:\Windows\system32\wscript.exe N/A

Disables Task Manager via registry modification

evasion

Downloads MZ/PE file

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation C:\Windows\system32\wscript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation C:\Program Files\MicrosoftWindowsServicesEtc\GetReady.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Desktop\MrsMajor 2.0.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\Program Files\\MicrosoftWindowsServicesEtc\\data\\fileico.ico" C:\Windows\system32\wscript.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MajorX = "wscript.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\xRun.vbs\"" C:\Windows\system32\wscript.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A drive.google.com N/A N/A
N/A camo.githubusercontent.com N/A N/A
N/A camo.githubusercontent.com N/A N/A
N/A camo.githubusercontent.com N/A N/A
N/A camo.githubusercontent.com N/A N/A
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A
N/A camo.githubusercontent.com N/A N/A
N/A camo.githubusercontent.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\sethc.exe C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\System32\taskmgr.exe C:\Windows\system32\cmd.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\program files\MicrosoftWindowsServicesEtc\xRun.vbs C:\Windows\system32\wscript.exe N/A
File created C:\program files\MicrosoftWindowsServicesEtc\CallFunc.vbs C:\Windows\system32\wscript.exe N/A
File created C:\program files\MicrosoftWindowsServicesEtc\example.txt C:\Windows\system32\wscript.exe N/A
File created C:\program files\MicrosoftWindowsServicesEtc\RuntimeChecker.exe C:\Windows\system32\wscript.exe N/A
File created C:\program files\MicrosoftWindowsServicesEtc\weird\cmd.vbs C:\Windows\system32\wscript.exe N/A
File created C:\program files\MicrosoftWindowsServicesEtc\weird\breakrule.vbs C:\Windows\system32\wscript.exe N/A
File created C:\program files\MicrosoftWindowsServicesEtc\checker.bat C:\Windows\system32\wscript.exe N/A
File created C:\program files\MicrosoftWindowsServicesEtc\majorlist.exe C:\Windows\system32\wscript.exe N/A
File created C:\program files\MicrosoftWindowsServicesEtc\majorsod.exe C:\Windows\system32\wscript.exe N/A
File created C:\program files\MicrosoftWindowsServicesEtc\NotMuch.exe C:\Windows\system32\wscript.exe N/A
File created C:\program files\MicrosoftWindowsServicesEtc\AppKill.bat C:\Windows\system32\wscript.exe N/A
File created C:\program files\MicrosoftWindowsServicesEtc\healgen.vbs C:\Windows\system32\wscript.exe N/A
File created C:\program files\MicrosoftWindowsServicesEtc\weird\majorsod.vbs C:\Windows\system32\wscript.exe N/A
File created C:\program files\MicrosoftWindowsServicesEtc\rsod.exe C:\Windows\system32\wscript.exe N/A
File created C:\program files\MicrosoftWindowsServicesEtc\bsod.exe C:\Windows\system32\wscript.exe N/A
File created C:\program files\MicrosoftWindowsServicesEtc\DgzRun.vbs C:\Windows\system32\wscript.exe N/A
File created C:\program files\MicrosoftWindowsServicesEtc\fexec.vbs C:\Windows\system32\wscript.exe N/A
File created C:\program files\MicrosoftWindowsServicesEtc\majordared.exe C:\Windows\system32\wscript.exe N/A
File created C:\program files\MicrosoftWindowsServicesEtc\data\fileico.ico C:\Windows\system32\wscript.exe N/A
File created C:\program files\MicrosoftWindowsServicesEtc\weird\runner32s.vbs C:\Windows\system32\wscript.exe N/A
File created C:\program files\MicrosoftWindowsServicesEtc\data\runner32s.exe C:\Windows\system32\wscript.exe N/A
File created C:\program files\MicrosoftWindowsServicesEtc\GetReady.exe C:\Windows\system32\wscript.exe N/A
File created C:\program files\MicrosoftWindowsServicesEtc\weird\Major.vbs C:\Windows\system32\wscript.exe N/A
File created C:\program files\MicrosoftWindowsServicesEtc\xRunReg.vbs C:\Windows\system32\wscript.exe N/A
File created C:\program files\MicrosoftWindowsServicesEtc\weird\RuntimeChecker.vbs C:\Windows\system32\wscript.exe N/A
File created C:\program files\MicrosoftWindowsServicesEtc\weird\WinScrew.bat C:\Windows\system32\wscript.exe N/A
File opened for modification C:\program files\MicrosoftWindowsServicesEtc\AppKill.bat C:\Windows\system32\wscript.exe N/A
File created C:\program files\MicrosoftWindowsServicesEtc\breakrule.exe C:\Windows\system32\wscript.exe N/A
File created C:\program files\MicrosoftWindowsServicesEtc\clingclang.wav C:\Windows\system32\wscript.exe N/A
File created C:\program files\MicrosoftWindowsServicesEtc\weird\bsod.bat C:\Windows\system32\wscript.exe N/A
File created C:\program files\MicrosoftWindowsServicesEtc\weird\GetReady.bat C:\Windows\system32\wscript.exe N/A
File created C:\program files\MicrosoftWindowsServicesEtc\weird\majorlist.bat C:\Windows\system32\wscript.exe N/A
File created C:\program files\MicrosoftWindowsServicesEtc\WinScrew.exe C:\Windows\system32\wscript.exe N/A
File created C:\program files\MicrosoftWindowsServicesEtc\data\eula32.exe C:\Windows\system32\wscript.exe N/A
File created C:\program files\MicrosoftWindowsServicesEtc\data\excursor.ani C:\Windows\system32\wscript.exe N/A
File created C:\program files\MicrosoftWindowsServicesEtc\data\thetruth.jpg C:\Windows\system32\wscript.exe N/A
File created C:\program files\MicrosoftWindowsServicesEtc\Major.exe C:\Windows\system32\wscript.exe N/A

Subvert Trust Controls: Mark-of-the-Web Bypass

defense_evasion
Description Indicator Process Target
File created C:\Users\Admin\Downloads\NRVP.exe:Zone.Identifier C:\Program Files\Mozilla Firefox\firefox.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\MrsMajor 2.0.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\eula32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\MicrosoftWindowsServicesEtc\GetReady.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\MicrosoftWindowsServicesEtc\notmuch.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\Cursors\Arrow = "C:\\Program Files\\MicrosoftWindowsServicesEtc\\data\\excursor.ani" C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\Cursors\AppStarting = "C:\\Program Files\\MicrosoftWindowsServicesEtc\\data\\excursor.ani" C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\Cursors\Hand = "C:\\Program Files\\MicrosoftWindowsServicesEtc\\data\\excursor.ani" C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\Cursors C:\Windows\system32\wscript.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\NRVP.exe = "11000" C:\Users\Admin\Downloads\NRVP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Users\Admin\Downloads\NRVP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\NRVP.exe = "11000" C:\Users\Admin\Downloads\NRVP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Users\Admin\Downloads\NRVP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\NRVP.exe = "11000" C:\Users\Admin\Downloads\NRVP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Users\Admin\Downloads\NRVP.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" C:\Windows\system32\LogonUI.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "103" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" C:\Windows\system32\LogonUI.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mp4file\DefaultIcon\ = "C:\\Program Files\\MicrosoftWindowsServicesEtc\\data\\fileico.ico" C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\DefaultIcon C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mp4file\DefaultIcon C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mp3file\DefaultIcon C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mp3file\DefaultIcon\ = "C:\\Program Files\\MicrosoftWindowsServicesEtc\\data\\fileico.ico" C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mp4file C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\DefaultIcon\ = "C:\\Program Files\\MicrosoftWindowsServicesEtc\\data\\fileico.ico" C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\Program Files\\MicrosoftWindowsServicesEtc\\data\\fileico.ico" C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\Program Files\\MicrosoftWindowsServicesEtc\\data\\fileico.ico" C:\Windows\system32\wscript.exe N/A

NTFS ADS

Description Indicator Process Target
File created C:\Users\Admin\Downloads\NRVP.exe:Zone.Identifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
File created C:\Users\Admin\Downloads\MrsMajor 2.0.rar:Zone.Identifier C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\shutdown.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\shutdown.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\7-Zip\7zG.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eula32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eula32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eula32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eula32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eula32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eula32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eula32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eula32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eula32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eula32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eula32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eula32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eula32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eula32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eula32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eula32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eula32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eula32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eula32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eula32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eula32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eula32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eula32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eula32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eula32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eula32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eula32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eula32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eula32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eula32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eula32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eula32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eula32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eula32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eula32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eula32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eula32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eula32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eula32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eula32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2452 wrote to memory of 432 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2452 wrote to memory of 432 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2452 wrote to memory of 432 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2452 wrote to memory of 432 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2452 wrote to memory of 432 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2452 wrote to memory of 432 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2452 wrote to memory of 432 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2452 wrote to memory of 432 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2452 wrote to memory of 432 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2452 wrote to memory of 432 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2452 wrote to memory of 432 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 432 wrote to memory of 3748 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 432 wrote to memory of 3748 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 432 wrote to memory of 3748 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 432 wrote to memory of 3748 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 432 wrote to memory of 3748 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 432 wrote to memory of 3748 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 432 wrote to memory of 3748 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 432 wrote to memory of 3748 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 432 wrote to memory of 3748 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 432 wrote to memory of 3748 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 432 wrote to memory of 3748 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 432 wrote to memory of 3748 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 432 wrote to memory of 3748 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 432 wrote to memory of 3748 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 432 wrote to memory of 3748 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 432 wrote to memory of 3748 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 432 wrote to memory of 3748 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 432 wrote to memory of 3748 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 432 wrote to memory of 3748 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 432 wrote to memory of 3748 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 432 wrote to memory of 3748 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 432 wrote to memory of 3748 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 432 wrote to memory of 3748 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 432 wrote to memory of 3748 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 432 wrote to memory of 3748 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 432 wrote to memory of 3748 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 432 wrote to memory of 3748 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 432 wrote to memory of 3748 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 432 wrote to memory of 3748 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 432 wrote to memory of 3748 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 432 wrote to memory of 3748 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 432 wrote to memory of 3748 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 432 wrote to memory of 3748 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 432 wrote to memory of 3748 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 432 wrote to memory of 3748 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 432 wrote to memory of 3748 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 432 wrote to memory of 3748 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 432 wrote to memory of 3748 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 432 wrote to memory of 3748 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 432 wrote to memory of 3748 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 432 wrote to memory of 3748 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 432 wrote to memory of 3748 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 432 wrote to memory of 3748 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 432 wrote to memory of 3748 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 432 wrote to memory of 3748 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 432 wrote to memory of 3240 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 432 wrote to memory of 3240 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 432 wrote to memory of 3240 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 432 wrote to memory of 3240 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 432 wrote to memory of 3240 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 432 wrote to memory of 3240 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 432 wrote to memory of 3240 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 432 wrote to memory of 3240 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system C:\Windows\system32\wscript.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\system32\wscript.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Capture d'écran 2024-03-05 185134.png"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2008 -parentBuildID 20240401114208 -prefsHandle 1944 -prefMapHandle 1936 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {538a47c5-c2c4-4633-b8c5-04834127aabd} 432 "\\.\pipe\gecko-crash-server-pipe.432" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2432 -parentBuildID 20240401114208 -prefsHandle 2416 -prefMapHandle 2412 -prefsLen 23716 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b48865f0-aa40-4344-a3fd-b8a498a9aaa2} 432 "\\.\pipe\gecko-crash-server-pipe.432" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3328 -childID 1 -isForBrowser -prefsHandle 3332 -prefMapHandle 1384 -prefsLen 23857 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {54dec1f1-6382-4be7-aafb-1eab2855d3c8} 432 "\\.\pipe\gecko-crash-server-pipe.432" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4216 -childID 2 -isForBrowser -prefsHandle 4208 -prefMapHandle 4204 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7c9d0536-dc30-4ba6-a6d2-e6337a0d3c63} 432 "\\.\pipe\gecko-crash-server-pipe.432" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4888 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4900 -prefMapHandle 4864 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e94f4856-65f2-47c6-ba28-69bcfcba0b75} 432 "\\.\pipe\gecko-crash-server-pipe.432" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5280 -childID 3 -isForBrowser -prefsHandle 5288 -prefMapHandle 5292 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0fa3eb57-25ad-4cf2-b07f-5da93769a875} 432 "\\.\pipe\gecko-crash-server-pipe.432" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5528 -childID 4 -isForBrowser -prefsHandle 5448 -prefMapHandle 5456 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4acdcee6-a58a-4761-87a1-0e9d503515f5} 432 "\\.\pipe\gecko-crash-server-pipe.432" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5636 -childID 5 -isForBrowser -prefsHandle 5716 -prefMapHandle 5712 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d0944038-baa5-4658-b3e5-8eab99251399} 432 "\\.\pipe\gecko-crash-server-pipe.432" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2204 -childID 6 -isForBrowser -prefsHandle 6220 -prefMapHandle 6216 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cc9d1bc5-5c03-4e49-b764-34354eb00640} 432 "\\.\pipe\gecko-crash-server-pipe.432" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5416 -childID 7 -isForBrowser -prefsHandle 5428 -prefMapHandle 5424 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {55543a8e-86ce-4f7a-8fdb-47ab8a528cd8} 432 "\\.\pipe\gecko-crash-server-pipe.432" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5820 -childID 8 -isForBrowser -prefsHandle 5500 -prefMapHandle 5508 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {757c054e-4c6d-47ee-9e8f-e2940346fd58} 432 "\\.\pipe\gecko-crash-server-pipe.432" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6452 -childID 9 -isForBrowser -prefsHandle 6380 -prefMapHandle 5736 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {02ec8559-e08b-4187-8293-5d9631a6829c} 432 "\\.\pipe\gecko-crash-server-pipe.432" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6900 -childID 10 -isForBrowser -prefsHandle 7000 -prefMapHandle 7004 -prefsLen 27817 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ddf6196f-7073-4e51-b41a-ce53a7a2c4af} 432 "\\.\pipe\gecko-crash-server-pipe.432" tab

C:\Users\Admin\Downloads\NRVP.exe

"C:\Users\Admin\Downloads\NRVP.exe"

C:\Users\Admin\Downloads\NRVP.exe

"C:\Users\Admin\Downloads\NRVP.exe"

C:\Users\Admin\Downloads\NRVP.exe

"C:\Users\Admin\Downloads\NRVP.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4744 -childID 11 -isForBrowser -prefsHandle 7244 -prefMapHandle 7132 -prefsLen 28094 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5fd012b4-95d6-4adb-8083-d1bf6a204f50} 432 "\\.\pipe\gecko-crash-server-pipe.432" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6332 -childID 12 -isForBrowser -prefsHandle 6320 -prefMapHandle 6316 -prefsLen 28094 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {162cdacd-9b2b-4d01-9dea-7bf8d4420033} 432 "\\.\pipe\gecko-crash-server-pipe.432" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5432 -childID 13 -isForBrowser -prefsHandle 3536 -prefMapHandle 4700 -prefsLen 28094 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {730ac1b3-f923-4ba7-8268-7f529169b432} 432 "\\.\pipe\gecko-crash-server-pipe.432" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7668 -childID 14 -isForBrowser -prefsHandle 3536 -prefMapHandle 2748 -prefsLen 28094 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a80c1edb-a48e-412a-8c01-4d78e67247bc} 432 "\\.\pipe\gecko-crash-server-pipe.432" tab

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap30146:82:7zEvent30235

C:\Users\Admin\Desktop\MrsMajor 2.0.exe

"C:\Users\Admin\Desktop\MrsMajor 2.0.exe"

C:\Windows\system32\wscript.exe

"C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\5625.tmp\5626.vbs

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c cd\&cd "C:\Users\Admin\AppData\Local\Temp" & eula32.exe

C:\Users\Admin\AppData\Local\Temp\eula32.exe

eula32.exe

C:\Program Files\MicrosoftWindowsServicesEtc\GetReady.exe

"C:\Program Files\MicrosoftWindowsServicesEtc\GetReady.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1\AA21.bat "C:\Program Files\MicrosoftWindowsServicesEtc\GetReady.exe""

C:\Windows\System32\takeown.exe

takeown /f taskmgr.exe

C:\Windows\System32\icacls.exe

icacls taskmgr.exe /granted "Admin":F

C:\Windows\System32\takeown.exe

takeown /f sethc.exe

C:\Windows\System32\icacls.exe

icacls sethc.exe /granted "Admin":F

C:\Program Files\MicrosoftWindowsServicesEtc\notmuch.exe

"C:\Program Files\MicrosoftWindowsServicesEtc\notmuch.exe"

C:\Windows\System32\shutdown.exe

"C:\Windows\System32\shutdown.exe" -r -t 5

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x4 /state0:0xa3921855 /state1:0x41c64e6d

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
N/A 127.0.0.1:49553 tcp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 161.99.165.35.in-addr.arpa udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
N/A 127.0.0.1:49560 tcp
US 8.8.8.8:53 www.mozilla.org udp
EG 108.159.125.152:443 www.mozilla.org tcp
US 8.8.8.8:53 www.mozorg.moz.works udp
US 8.8.8.8:53 www.mozorg.moz.works udp
US 8.8.8.8:53 152.125.159.108.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
NL 142.250.179.196:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
NL 142.250.179.196:443 www.google.com udp
US 8.8.8.8:53 131.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 196.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 3.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
GB 184.28.176.16:443 www.bing.com tcp
US 8.8.8.8:53 e86303.dscx.akamaiedge.net udp
US 8.8.8.8:53 e86303.dscx.akamaiedge.net udp
GB 184.28.176.16:443 e86303.dscx.akamaiedge.net udp
US 8.8.8.8:53 16.176.28.184.in-addr.arpa udp
GB 184.28.176.16:443 e86303.dscx.akamaiedge.net tcp
GB 184.28.176.16:443 e86303.dscx.akamaiedge.net tcp
GB 184.28.176.16:443 e86303.dscx.akamaiedge.net udp
US 8.8.8.8:53 r.bing.com udp
US 8.8.8.8:53 th.bing.com udp
GB 184.28.176.56:443 th.bing.com tcp
GB 184.28.176.56:443 th.bing.com tcp
US 8.8.8.8:53 56.176.28.184.in-addr.arpa udp
GB 184.28.176.56:443 th.bing.com udp
GB 184.28.176.49:443 r.bing.com tcp
GB 184.28.176.49:443 r.bing.com tcp
GB 184.28.176.49:443 r.bing.com tcp
GB 184.28.176.49:443 r.bing.com tcp
GB 184.28.176.49:443 r.bing.com tcp
GB 184.28.176.49:443 r.bing.com tcp
GB 184.28.176.49:443 r.bing.com tcp
GB 184.28.176.49:443 r.bing.com tcp
GB 184.28.176.49:443 r.bing.com tcp
GB 184.28.176.49:443 r.bing.com udp
US 8.8.8.8:53 49.176.28.184.in-addr.arpa udp
US 8.8.8.8:53 login.microsoftonline.com udp
IE 20.190.159.71:443 login.microsoftonline.com tcp
US 8.8.8.8:53 www.tm.ak.prd.aadg.akadns.net udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 www.tm.ak.prd.aadg.akadns.net udp
US 8.8.8.8:53 services.bingapis.com udp
US 13.107.5.80:443 services.bingapis.com tcp
US 13.107.5.80:443 services.bingapis.com tcp
US 8.8.8.8:53 e-0001.e-msedge.net udp
US 8.8.8.8:53 e-0001.e-msedge.net udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 80.5.107.13.in-addr.arpa udp
US 8.8.8.8:53 github.githubassets.com udp
US 8.8.8.8:53 avatars.githubusercontent.com udp
US 185.199.110.133:443 avatars.githubusercontent.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 8.8.8.8:53 avatars.githubusercontent.com udp
US 8.8.8.8:53 github.githubassets.com udp
US 8.8.8.8:53 github.githubassets.com udp
US 8.8.8.8:53 avatars.githubusercontent.com udp
US 8.8.8.8:53 camo.githubusercontent.com udp
US 185.199.110.133:443 camo.githubusercontent.com tcp
US 8.8.8.8:53 camo.githubusercontent.com udp
US 8.8.8.8:53 camo.githubusercontent.com udp
US 8.8.8.8:53 133.110.199.185.in-addr.arpa udp
US 8.8.8.8:53 154.109.199.185.in-addr.arpa udp
US 8.8.8.8:53 collector.github.com udp
US 140.82.112.21:443 collector.github.com tcp
US 140.82.112.21:443 collector.github.com tcp
US 8.8.8.8:53 glb-db52c2cf8be544.github.com udp
US 8.8.8.8:53 glb-db52c2cf8be544.github.com udp
US 140.82.112.21:443 collector.github.com tcp
US 8.8.8.8:53 api.github.com udp
GB 20.26.156.210:443 api.github.com tcp
US 8.8.8.8:53 api.github.com udp
US 8.8.8.8:53 api.github.com udp
US 8.8.8.8:53 21.112.82.140.in-addr.arpa udp
US 8.8.8.8:53 210.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 www.tm.v4.a.prd.aadg.akadns.net udp
US 8.8.8.8:53 www.tm.v4.a.prd.aadg.akadns.net udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 drive.google.com udp
NL 172.217.168.206:443 drive.google.com tcp
US 8.8.8.8:53 drive.google.com udp
US 8.8.8.8:53 drive.google.com udp
NL 172.217.168.206:443 drive.google.com tcp
NL 172.217.168.206:443 drive.google.com udp
US 8.8.8.8:53 drive.usercontent.google.com udp
NL 142.250.179.129:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 drive.usercontent.google.com udp
US 8.8.8.8:53 drive.usercontent.google.com udp
US 172.64.154.167:443 www2.bing.com tcp
US 8.8.8.8:53 www.bing.com.cdn.cloudflare.net udp
US 8.8.8.8:53 www.bing.com.cdn.cloudflare.net udp
US 8.8.8.8:53 129.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 206.168.217.172.in-addr.arpa udp
US 8.8.8.8:53 167.154.64.172.in-addr.arpa udp
US 185.199.109.154:443 github.githubassets.com tcp
US 8.8.8.8:53 github.githubassets.com udp
US 185.199.110.133:443 camo.githubusercontent.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 location.services.mozilla.com udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 35.190.72.216:443 prod.classify-client.prod.webservices.mozgcp.net udp
US 35.190.72.216:443 prod.classify-client.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 216.72.190.35.in-addr.arpa udp
US 8.8.8.8:53 201.181.244.35.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 ciscobinary.openh264.org udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 88.221.134.155:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
NL 142.250.179.174:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
NL 142.250.179.174:443 redirector.gvt1.com udp
US 8.8.8.8:53 r1---sn-5hne6nsk.gvt1.com udp
NL 172.217.132.38:443 r1---sn-5hne6nsk.gvt1.com tcp
US 8.8.8.8:53 r1.sn-5hne6nsk.gvt1.com udp
US 8.8.8.8:53 174.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 155.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 r1.sn-5hne6nsk.gvt1.com udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
NL 172.217.132.38:443 r1.sn-5hne6nsk.gvt1.com udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 38.132.217.172.in-addr.arpa udp
NL 142.250.179.129:443 drive.usercontent.google.com udp
US 8.8.8.8:53 ssl.gstatic.com udp
US 8.8.8.8:53 ssl.gstatic.com udp
US 8.8.8.8:53 ssl.gstatic.com udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 185.199.110.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 camo.githubusercontent.com udp
US 8.8.8.8:53 e86303.dscx.akamaiedge.net udp
GB 184.28.176.107:443 e86303.dscx.akamaiedge.net udp
GB 184.28.176.107:443 e86303.dscx.akamaiedge.net tcp
GB 184.28.176.107:443 e86303.dscx.akamaiedge.net tcp
US 8.8.8.8:53 e86303.dscx.akamaiedge.net udp
US 8.8.8.8:53 tiny.cc udp
US 8.8.8.8:53 107.176.28.184.in-addr.arpa udp
US 157.245.113.153:443 tiny.cc tcp
US 8.8.8.8:53 tiny.cc udp
US 157.245.113.153:443 tiny.cc tcp
US 8.8.8.8:53 tiny.cc udp
US 157.245.113.153:443 tiny.cc tcp
NL 172.217.168.206:443 drive.google.com udp
NL 172.217.168.206:443 drive.google.com tcp
US 8.8.8.8:53 153.113.245.157.in-addr.arpa udp
NL 172.217.168.206:443 drive.google.com tcp
US 8.8.8.8:53 42.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 apis.google.com udp
US 8.8.8.8:53 play.google.com udp
NL 216.58.214.14:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 accounts.google.com udp
NL 216.58.214.14:443 play.google.com tcp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.102.84:443 accounts.google.com tcp
NL 216.58.214.14:443 play.google.com tcp
US 8.8.8.8:53 accounts.google.com udp
NL 216.58.214.14:443 play.google.com tcp
NL 142.250.102.84:443 accounts.google.com udp
NL 142.251.36.14:443 apis.google.com tcp
NL 142.251.36.14:443 apis.google.com tcp
US 8.8.8.8:53 plus.l.google.com udp
US 8.8.8.8:53 84.102.250.142.in-addr.arpa udp
US 8.8.8.8:53 14.214.58.216.in-addr.arpa udp
NL 142.250.179.196:443 www.google.com udp
US 8.8.8.8:53 play.google.com udp
NL 142.250.179.196:443 www.google.com tcp
NL 142.251.36.14:443 plus.l.google.com tcp
NL 142.251.36.14:443 plus.l.google.com tcp
NL 216.58.214.14:443 play.google.com udp
NL 142.251.36.14:443 plus.l.google.com udp
NL 142.250.179.196:443 www.google.com tcp
US 8.8.8.8:53 content.googleapis.com udp
US 8.8.8.8:53 blobcomments-pa.clients6.google.com udp
US 8.8.8.8:53 14.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 plus.l.google.com udp
NL 172.217.168.234:443 blobcomments-pa.clients6.google.com tcp
NL 172.217.168.234:443 blobcomments-pa.clients6.google.com tcp
NL 142.251.39.106:443 content.googleapis.com tcp
US 8.8.8.8:53 blobcomments-pa.clients6.google.com udp
US 8.8.8.8:53 content.googleapis.com udp
US 8.8.8.8:53 content.googleapis.com udp
US 8.8.8.8:53 blobcomments-pa.clients6.google.com udp
NL 142.251.39.106:443 content.googleapis.com udp
US 8.8.8.8:53 234.168.217.172.in-addr.arpa udp
US 8.8.8.8:53 106.39.251.142.in-addr.arpa udp
US 8.8.8.8:53 lh3.googleusercontent.com udp
NL 172.217.168.234:443 content.googleapis.com udp
US 8.8.8.8:53 peoplestackwebexperiments-pa.clients6.google.com udp
NL 142.251.39.97:443 lh3.googleusercontent.com tcp
US 8.8.8.8:53 googlehosted.l.googleusercontent.com udp
US 8.8.8.8:53 googlehosted.l.googleusercontent.com udp
US 8.8.8.8:53 97.39.251.142.in-addr.arpa udp
NL 142.251.39.97:443 googlehosted.l.googleusercontent.com udp
NL 142.250.179.138:443 peoplestackwebexperiments-pa.clients6.google.com tcp
NL 142.250.179.138:443 peoplestackwebexperiments-pa.clients6.google.com tcp
NL 142.250.179.138:443 peoplestackwebexperiments-pa.clients6.google.com tcp
NL 142.250.179.138:443 peoplestackwebexperiments-pa.clients6.google.com tcp
US 8.8.8.8:53 peoplestackwebexperiments-pa.clients6.google.com udp
US 8.8.8.8:53 peoplestackwebexperiments-pa.clients6.google.com udp
NL 142.250.179.138:443 peoplestackwebexperiments-pa.clients6.google.com udp
US 8.8.8.8:53 138.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 accounts.google.com udp
NL 172.217.168.234:443 content.googleapis.com udp
NL 142.250.179.138:443 peoplestackwebexperiments-pa.clients6.google.com udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 e86303.dscx.akamaiedge.net udp
US 8.8.8.8:53 e86303.dscx.akamaiedge.net udp

Files

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\datareporting\glean\db\data.safe.tmp

MD5 73f69292de0726f3878a4ced1270edb1
SHA1 850ed42b66d175ab38ee282cca615cdd2cde93a9
SHA256 dcfbf207f602ab573832720630d9e68a87fa152fc20c5cd9e88bdacca57becc5
SHA512 7d22c7ee713f6b0188719cba49a6a5f11fcecffb0e093354cfb5d3c883d9af21fbd3afd3c18b28aabd2cfff78a2763d621194e47856f4eb1de780bee44ad54f5

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\datareporting\glean\pending_pings\4fa21705-4c94-4b44-a6f2-752df78f6ae2

MD5 a553f3f41004ee20d7131ecc5157c15a
SHA1 4c900e90f90eefd00f889e77a56dd090d69c36a4
SHA256 cbc84af48b5a0ed08fd6ddc1af85c6e85285d2feaf3268d86e252c47a1202e22
SHA512 73b4544d1689e1353affeae2aef240901bc313be0aadca1a21c7c3f3bfe9ee0be4822bae6b27e74b6b789c82b293630969ea8d4bc8814db820d9d17cf8361bc2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\datareporting\glean\pending_pings\94a62ded-8f24-4842-a275-f6884e6a0204

MD5 1bb738dc04bea6537c9b9306c3161bdf
SHA1 850e99943e0e772dadaae519d2e834069e1dcfd8
SHA256 48c7f860e6e3a29aaae2c342b27fb7d009ad4b1e7cb8cacf248350ca04315c9b
SHA512 12a365c38f3f8186a3460fce039f506a9edc279d587bf330f557b5581817cbbc657468520add360e3517b2c3fca312f1c0bf4f8fe46f21cbed8de353eb0c97ba

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\datareporting\glean\pending_pings\3a75fe0f-ea7d-48cc-bef5-c3ce12cac597

MD5 624ce985459f499e6e0278592ca05944
SHA1 e3826b8a9cb382f5cd8a3b10cb34ae44faf6d1bc
SHA256 c32d0e3816c2c35424e4e743b8088d30e93af70f2138bda4f08c07f3d7ea843b
SHA512 649ac90090707b815ab16c3d760629aa537f394266a5bdcef2b80e6a755ae0a31dabe79728da9f34f63d7264bea03211d42e654dc9e9b9727dd91070fc4d64fa

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\datareporting\glean\db\data.safe.tmp

MD5 28b87a0572784497b25d783d08a01a31
SHA1 1f0ce49069ef39df70d639d76aaad04ca4b03325
SHA256 6e84bfd86ac4b7bb2b567def77bf0d4823e96b6e2fa07d460a1d3654fedd68c5
SHA512 b817c1f07263c16b7dae7956b7de74bb82c8f74368186cedede615b49dbf2898ca563a463d949c31ff6e11fe33a99f824c564feb5d04d4e852ba8d11e39ca6a8

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yaq795em.default-release\activity-stream.discovery_stream.json

MD5 fb4bd49fd596f4e5533f655002ff6f10
SHA1 0854170063595043546abc9f67113d42a0910253
SHA256 f10e9975d694af4efdeaddefb8bc0b47ece530dbdc94ff5347138f8b03d24c69
SHA512 b217fa1f094b279b39afd1113f0ac4a4f96ed87d7a49dd53cf0707b0db776ffcf0efafbbd97bbb2c45bcf5cc6fd5648c0cb4a70ea33ef1c9d0a68b7a6633d7be

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\prefs-1.js

MD5 01278923b9a39053945b2780e8b0fcd1
SHA1 cb1dafa95a81284db993e5b236c3234a8d282bfc
SHA256 c4fb9c0803428e48726442bebb6bfc5064044cf57270292903ecbf351e7be118
SHA512 76d99138cc21416b93dff426b02ae8bc30dcf673127e90299bdd4173abdd732fba01ee23ecc39bd29b393cecaba1f84e622feb89676dec625a00bae5e1a02de5

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\AlternateServices.bin

MD5 c038114742b2876fa07d461ca09896fa
SHA1 96dc87cd5dbdcebe9f9c67375f71f4235323ccea
SHA256 c774a6c5654cf11f2c691f40969a9b4bdc00b5e27bcfd0b8aff6d2f0758a9a3a
SHA512 d7fca5b93df1dec9f3b592db94074e2c3f51550e16dee83b48ae8fba94ae4d648e01ece5883e23612bd3348c550bcee1fe49147a00e2a353bc6ff51ad5c2c872

C:\Users\Admin\Downloads\NRVP.exe

MD5 f7349874043c175bee2d0ff66438cbf0
SHA1 da371495289e25e92ad5d73dff6f29beea422427
SHA256 f852b9baeeefde61a20e5de4751b978594a9bf3b34514bc652d01224ee76da1b
SHA512 878f4bc1ab1b84b993725bcf2e98b1b9dcb72f75a20e34287d13016cc72f1df0334ac630aa8604a3d25b9569be2541c8f18f4f644f5f31ff31dd2d3fedd6d1ad

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\datareporting\glean\db\data.safe.tmp

MD5 988e1494011c428332068910b916b57e
SHA1 e8e67bb79a2a9780e02efac35e03559834201f8d
SHA256 934f4323f8ba474c19271d0f3f6acc6413ee02b27a26a8cb5f426f8269e9204f
SHA512 69ff8d0a3a6260a654922f7c5afa61a83a065a7f266ca62b17d100b959844bb577402a1c6d0fc835982388bfb2e994130e801acd53f4f7de031d55b71a9e02fd

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\sessionstore-backups\recovery.baklz4

MD5 25b73078cff3f7174c9987a3f8261e94
SHA1 6ec8eb003cd32ea616ffc7c417850bc3dbdc1643
SHA256 8ee7ee65a4818dc247b9733f24e63642f260ddf7b8866317dffdf5a3937b105a
SHA512 b2b1bcfb79d6c729f39851b3da7d2fc20349aeb07c13f3ecad38b7ee2ab7fdca3b521f09665b049ba45c2ff05b2e306768235550b9ef4929b25c69adbac0cb9b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\prefs-1.js

MD5 a3609c329cbb6bffbf2c62b2f2c4433a
SHA1 4660b7b6a68c0ec2bc7e23c9198b56b5566e67b7
SHA256 fe1e9dc8a87e233e8d5bf0222940d29aaa1a506fe9419a5cbf1372544afc180e
SHA512 d06b133a225d5fc617e49ee234c2d3409d451cf4c0841facda5433708c8ab88cb0080a80afeb674c390cc8fc7c9ba7f05446f52a7a791bd3c1d9613c653aeec3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\AlternateServices.bin

MD5 a026cfb640607162edc97a28289bcf1f
SHA1 a1dc8838a78d59c8550160769c852667bd4908e6
SHA256 80ef8a01ba9c74b596d00205b8658799b1a0b946c28363ab34153b970129c56c
SHA512 8e3dd67d694878bae649a8868ab8ccc07b0f1cb3e0ba2e002d37d7c68bc90f4ccca98272caaebe1c15b0d7a739a0f25163cd6e4452fa549bc782d5d20de20ba4

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

C:\Users\Admin\Downloads\MrsMajor 2.tVzK6ok4.0.rar.part

MD5 a61889efca36007831250fffb358bd17
SHA1 c835f75a8de83cbff5787f8143476b424458e7c4
SHA256 50e0b0a6e806a837e3a7346ec2a7c0f4c36e7618553c799a88ae1658d97e505a
SHA512 8fe704c55094cba451cf12197557bd44c696b58eae2a0a9827a7feb96d67bda89e15bcf763212fdd072e8272ec6537efb738b3e18cb24c26ac7920f70837cb2f

memory/1480-1100-0x00007FF6A84B0000-0x00007FF6A84BC000-memory.dmp

memory/1480-1105-0x00007FF6A84B0000-0x00007FF6A84BC000-memory.dmp

memory/5980-1113-0x00007FF7B20E0000-0x00007FF7B20EC000-memory.dmp

memory/5980-1117-0x00007FF7B20E0000-0x00007FF7B20EC000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\sessionstore-backups\recovery.baklz4

MD5 bdc1cb17b9b43fb803619bd37dbdad79
SHA1 043c2f7100eaa4d49bf7e47f3d2d77a75ef26bba
SHA256 14a7be12df758979a243accd244985b0ff1492e274deeead1624658fe8e93b36
SHA512 4e4285f26aa406ed5fce74f541984bd77552b4a6f156749031bc5691f736514e670a0cf9524bf09eb17c0257e0193597b3b64e3a3209e2580338b42b26560507

memory/388-1129-0x00007FF710170000-0x00007FF71017C000-memory.dmp

memory/388-1133-0x00007FF710170000-0x00007FF71017C000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\sessionstore-backups\recovery.baklz4

MD5 0718359d9110a8b6115b9959503763ad
SHA1 92e24fb697bf0c040f6f790a36b26363e9dd69b8
SHA256 d856a5cfbe2c8bd1fc0630610bb2f7fa68b34b5427f43863b71e5011003e658c
SHA512 7c80c221c5d4ac9befd7bdeabeaf0719b0adcd6c496444dba110513010d00a4473806d0d9335f0c922e29799b10a1a7eb9163d267b5d5d8df82b04a779c12e2b

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yaq795em.default-release\cache2\entries\B701EA34F02B5FCDD07CD92AAAD365F4372776F2

MD5 8c33b62c2a564eb5845fbf6a4fdfedea
SHA1 f7f005bc9ea888f2c02b18a60fc31c6b71c681ba
SHA256 97766f329f0bd776c18eebadce187f14d9a86500047237668a4db78d8fb9facf
SHA512 8bfb4dd653f8424d78c25404dbe43dedeaad8db4fef7754d125b7d5f436a88222317c12cfb3a0e2cdf153b37177c5d9e5b4fade0dca5b14d91cf9bd19fa4d84b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\sessionstore-backups\recovery.baklz4

MD5 d77aceeb753e1e4955d248593036fc02
SHA1 aac061d01e955d55880a70c3de6fd0b7ca9312e1
SHA256 96956749b828d58142228ff55aa328bc0481fa8664e3d6c7ae0de505a847dae4
SHA512 441d47cabe0712d06bf463f8f8e982b7b2202f6118196a654d4193191e3095c9a9a5ce87c33caac35b5767a20ede002c7a690e78d64c6ff6bf44acad161bc7d7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\datareporting\glean\db\data.safe.tmp

MD5 9fcb039872a0913caa1118711e558a1b
SHA1 0cd2bb70f9a8636bd8e9ce07f6ab5a7dcbe710d5
SHA256 86237bc84f64b0d3c46eb9aaa72b3e8decc638b574445c9d02c1438ecad1dc85
SHA512 0ab6c61faea733e1f8ea50f00b81e25231b1db800660070319d448157fb3b62d7973a42683830c8c7699e11579ee8396688c97c1a02a3f049074bf34e2538b25

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\prefs-1.js

MD5 0331a7b9c4572430eb67a1ef0b213e6f
SHA1 6d9cc1c8c40fade73a468eec5697e1e7fc4ec309
SHA256 c8d1c00c1b7297b90ceab3c4b9ed8c96892289688cb2ebfefc247316d089d1b9
SHA512 a6c3f175a65213d1a6e2f0d3a64e8343ba8fb70e54d269a6fe327331a2f0df236877bda1b6680329ac0699d552b25ab774e9b00c53b999fd05480cbcfaae2243

C:\Users\Admin\Desktop\BlockJoin.xltx

MD5 5407321cec85ef4d66a60d793b9280c1
SHA1 f2cf3010a42e160d066a021bda5f6afb9e2f8fc4
SHA256 4ea921eec886ecf356ef7d265d7489b14d276b07a54651dab529f5ab4f8eb1c0
SHA512 3c1f52283114e21706fdd933f4dba4403ffe6439984e1bbd375fe85cd1eeae9205080f12732d820df43e99f69bb9da604e1405fe9f7106856af8d641a21d7686

C:\Users\Admin\Desktop\CheckpointPublish.doc

MD5 de030c30cc49e66feee92531e1e7b484
SHA1 3a047b7657e29bdb689669beb6cdbf4158012165
SHA256 2ca1eafeb407af1c97c6ca55a707b304b06e832c21a4aa6151c2c920e8fdfbff
SHA512 7d66712740764dc65bd02524046736a29fe260c13a1a0bb1551aaef1a86ee5e3fe946b405556b78770fcdd1745be67f4c55c753bce2786cb8e0a03d0fb8cfb88

C:\Users\Admin\Desktop\CheckpointSave.rle

MD5 224acef13159d55e114ffad771037c1f
SHA1 45d7d1e65515c8314cc0e0894fab66344053f90a
SHA256 55e493000fc8f2b7c76f2e7a2249e209a175d8aa46ea1db227a590220443b9fe
SHA512 bebf16bb5b265612e7eee9d7928a63ea8ed3c20d3405fbd6c3ae88def8a192988d1bdb4badb66b08192ddbceed345eecb63daeb317836da9627e120cbaa6437f

C:\Users\Admin\Desktop\ConnectRedo.asp

MD5 fda3154588db0f089e0df2d8895bc5d6
SHA1 e79c8f01a06de0252042fd6d39dfd9fe2991759b
SHA256 70423c5d381d286b8115e6bb190d1b326506f808823511bea113d0a4b9a2a45b
SHA512 8962c7d98351f3bb5373ffcfd0de1128b8002adcc40cdd448eb5e2049b5d985154e9f44e27200219fad0f777c9cd33595c890f50a488ff946f90902f70d25308

C:\Users\Admin\Desktop\CompleteSuspend.ini

MD5 68babbb057a9618dad0e7e6ae17bb8f8
SHA1 7bc10fcfc94f1052acfb1668bbd9fb928c65116b
SHA256 9f7229c558989a83d64311bfa5ac1854d321d20f581179d7b65e1d6e7ac536d5
SHA512 861868d83eeebf5173b1f8ddaa593be52f0835178bde0e2ccca1ca9721c34be9c2bb3e2fafbabcfd12abe5b42d7abccdf60a0dd6c8c36bb940b4d8fbfa3842f4

C:\Users\Admin\Desktop\DisableInitialize.zip

MD5 5d524022f1a38f6c9c054351fc332f24
SHA1 6528e15988a0e03f6dd383022bd486a571fc6eee
SHA256 571d47f965c1c8d4f69827c9d4c82b4d0f13e48f39ec06cfb42db47e69731ee7
SHA512 048fe234f740e8f133e706d0d0096f0f43affe93579c0b1b78e698c49a4c8b9882e32d0b2e20cd5549a638247f408e32ebd23055d2bdd97cef07b6fe995892bc

C:\Users\Admin\Desktop\EditDisable.mpa

MD5 cb04cc09ffc12b4760e9a556c14de612
SHA1 6a693015a73d43cda6200436a6e5eadefe28e828
SHA256 df195fd63a66232c324625b24dbd2715efc2408145f9f96d08a83308d9b56d80
SHA512 4d98199747ab8100ffa42ffbed5123a251ffa8b06888480c5fc5acf52cf76f5e1a93e35d448dc5af0093faa51e790d49ff379c9ae66fcb073158ed1474dfa2fe

C:\Users\Admin\Desktop\PopMeasure.jpg

MD5 17f8c29086aa97315a45686ceca843e9
SHA1 4ee8d51a74080b75274760d5b27422be0dd4ce0e
SHA256 3c195146694e75bd4e6178c1e29818d59b556205d360b8f193bfa3fb6b210657
SHA512 fa7c5df1846dc727d81b48551278ca9ae901754586df67400a1326e14308cdac7b8fac436c4d659d660d8a120e2f28c0e6e3fc0850984a7baddaedc0b6c99401

C:\Users\Admin\Desktop\RedoFormat.asf

MD5 27b524a3db52b3a9f9bd57a9a6ba7d09
SHA1 d51b391cd3e9c9fa49b921c8eed596d21f7c16c3
SHA256 6fc9e73dfab028faa10e3671e6c07c2ca27d1271d2865a0463988918e5990b07
SHA512 6d8b01b8c7a607f4581a6511171e65e9aed7043cdaa668440e86e878610000e9f149c0a41e21cd0d9b5f22a36c80212586ddac09f64d7d1812cfa62762770de1

C:\Users\Admin\Desktop\PopPing.otf

MD5 f345895831ce0f152d4da5594cc7fad9
SHA1 dc2a36e1a7a0a733d1a5cf9c5e8c747000e92c9b
SHA256 96a1414e6428b51256dd3457d25a0faa63c2c48092a86efa217fb3556b26fc3a
SHA512 7daca0527851ddf6b1d630630bef8ae27fc782eb9aa2befe914c35e84bad1e8402daac8f15fa3aff19b0094f065b54e4b4d1041b9e2632cc1bfbf4bc08785aa2

C:\Users\Admin\Desktop\RemoveGrant.emf

MD5 04bbed6818ee0d087b43e2fece46b77e
SHA1 52b48cf8254af5b49fddd0a9df05782b194dec7a
SHA256 afc251455ed0e1b0f062f71a96aafa068a54c85c6c0025908bfd50bf73843500
SHA512 c388c4af287c07c2fc34e3aa91e26908a7bfce575b2c0ae576091663173b02c0204e160e86f9c6b16429e83e66eed06d4b1f834d463ba2aa50c418b30f3b5037

C:\Users\Admin\Desktop\SaveCompare.vbs

MD5 59b30dba9269a2b176b2463969d6f5fa
SHA1 76a7f0a377cbf8cf72abd536d689188862e8358b
SHA256 b9744f9e868d19a4d877dad130ee05e68e1dcfdec6e844bd52496e867e58e14b
SHA512 ccde7cb1009c76d0089aab7450f222bfedfe8d4963b58c4853b21c27c99fbe685207a6a881b1c09d3df6e50c0994b89e516b0719ad9dc438d91cbc88c44c3612

C:\Users\Admin\Desktop\TestSplit.pot

MD5 adf6fe2628b1cd05207f2e9cd91cf5f7
SHA1 e097971b73e2a38a30d4c5dd49aec14bd9826930
SHA256 234adfb49a16c55d8a5175efca06217cfdcaaba2882e01facf490cb327786455
SHA512 329705e2f718795176f3d98fae04fbfaeb68c36aa48818c340b5648a842f8af6f0ea71663daa7cf274b61bcdcbb04b1082ee5064485ae19c0ca6ec536fefc1d2

C:\Users\Admin\Desktop\UnprotectConvertTo.wpl

MD5 b05084f2ae6f61e3762616bf05499bd0
SHA1 f3d5053b3d8f0887d5defae3a4656f6f74c97853
SHA256 0595e44ef5c275efadc493da8ede14e5048235922397a2bda2cc6563c5f08443
SHA512 b416a9f4dea65a3c078598db376ad65980ea445e2023ead4c264d5ffe97b3429910be001cf5a301672dca3d9a0980fd06d17c11912502e47d34c2589bb467606

C:\Users\Admin\Desktop\UndoSet.xlsx

MD5 66a43aab31863d41bdef2fc2f08ba61c
SHA1 a9ea16b345c646d9d596238fd0ffd649a4394f37
SHA256 7b65117fa100117346029b16ac4e6ec21e137cd4e40f771893c7d86ab5650071
SHA512 0b33d0da5c05fa936e7ab302653a978ffaa19a39b9caeb3218fe7ef634adafba8cabc4075aca34284c65d010bf46ff3c49110299bf32667a532b417088f50dc3

C:\Users\Admin\Desktop\SuspendBlock.cmd

MD5 2ed9a2fef08dba0db666d666ea594f16
SHA1 0ae6ec345001caf6de978bd39a8a8fd49bcf45c5
SHA256 ebe29db6ad129089852756ab44223d435bf67b36f2f9d33bd00e7e45c38eac3c
SHA512 38dcd07d38aafb27707504fef8b1781e2c61afc38017298698c8d8fba9cee2273417e36b14d3a3ae08b286203b282f4dbcbd4d6d26cedb883015f2dc7102d967

C:\Users\Admin\Desktop\PublishCopy.emf

MD5 cf5150964f0b928f374a2dd1a360e4e3
SHA1 0c9b1eb2fc58798d57644b739a606f34cc3ecf21
SHA256 ccad0934026168eaea2fb9a7211413759c78a04a54d969574cf7871318812520
SHA512 839614b7ec817f7f075b494aa49305fbd043b879fad0ba598e59a56871418793663e0a406a6b7ac0b7c037c275eab04ed322ddbbb5688d40cdffc40cd05d93d1

C:\Users\Admin\Desktop\MoveReset.midi

MD5 ef10127dcf727f340ce77742e82ffd70
SHA1 05b6f6aadf4ffffa936c21b9db51b53925928882
SHA256 29b8a1a12758e61385f1e3382e3d30834dd3cf8b814ab07c171c96c63ccd600b
SHA512 e286a9c6fedd67e052b304ba04f846027dac3561d798e171fb2d8ec9d0400f03e3f3e15ce638ca10467fcd52a658743459b87503402fd7dcc2f2b17f6cd58d06

C:\Users\Admin\Desktop\StartInstall.WTV

MD5 bd80afafeb9c4c62c53cfedf86c620b8
SHA1 110695465471aa51bb6e269b635c6b0be42dc620
SHA256 38db7acce59f830d3cebf136d2d547036c147183ad1287a0d5823effc0b0d160
SHA512 4902a7d9d054e838af1a7e0d2d0f25bfc916af52a6aabf6dcf3a0585de85d959c4d56b673e25500d47fb3774654fb7775fb38fdebf257d1d6c98b9ea415bdf8e

C:\Users\Admin\Desktop\SearchEdit.tmp

MD5 cb2aba1bc0bf69fb8d38ccaaa37c7562
SHA1 65171d966830699e956dce1f25eccbca706e2574
SHA256 66c5b9d7d69ad9c75db69898834b9dc53bdda927e01e53fde61f1bfd3d4a5e7b
SHA512 b93bd22a6ee9877b7870bf04955e58051faf6d8e411c9d893bf10efb44ef4266bb6b52c495cc18b25a093d755ee5798dd04acfadc315cb5cc3829331d397a7d4

C:\Users\Admin\Desktop\MovePop.wmv

MD5 5911ae26dff5fb4b76838d54243931b8
SHA1 be4b9aaa7b9792f0f2a816d06082ad35352fdd71
SHA256 ac1fca5b95fd73be794cc39beda97826c0302f527157a0338463f0019430d1f7
SHA512 c6778d62b3c222ca7f36b5d3b448798b75a0e65055ee7b2b1d69b8b9731d77e66eec43c7c763b873b5dc461fad06285ac249148cb2a6f0ae2fc602ca4e1a39e2

C:\Users\Admin\Desktop\Microsoft Edge.lnk

MD5 9253b64c57b7754bf7ff42b789234065
SHA1 bca1d943330019d2e8028bc2623f14f76b61bdc9
SHA256 855da959ae3efe01ed624401fdca5cc84e8caa4e5b5a29f8fba12c8b563b42af
SHA512 b67809afee8a962bf99d079b6f1d7fd0b24f0c2420b363cce8ed7ae53c0832323e6596e7ad7d37727d88a353fc4f7fa5833aa89a1629318075fa21e643d69086

C:\Users\Public\Desktop\Acrobat Reader DC.lnk

MD5 94fbf29ac49f960a97142fcca249a8e0
SHA1 83e54ffa1f02d45337fd64fd84f6cd6e8096f028
SHA256 b72f0356775d619e4f446b88a505df1a5127c328823477798e6dbe8fd7d118ac
SHA512 3b4739dc518a8a973fd8f4f2e2489997fe03559e88c34018bb9c5032aee367ae035f29b9f4fc5e6c5bb14372f302e68cce4fc0338957b5fc1138f0e6cfc13995

C:\Users\Public\Desktop\VLC media player.lnk

MD5 67913434fcd1009efd6b4c83f329709f
SHA1 0bc1749cdcef21e3bcc3753863633362ff01178a
SHA256 26b81ce529eb494a8eb3aa6b5e1be0640794819145fd8ccc5f38ca41f77ae1b2
SHA512 19431d71ffa5c35e6e144081d35ab6afb07ad962bee5f554738dbdae7284e8247f51a8cc93ae652a237f2fef9c34e4e7060b27aeb66c78ef54ef46cee06bf04f

C:\Users\Public\Desktop\Firefox.lnk

MD5 6dc957633abbb62377fa033cc0ad4f7f
SHA1 d553b851fcc8ddd9768fa050b4e5898a062db1d6
SHA256 f2994bce04d6ac27ffec2d8428fc0af150cbc319c9a2ce8ecfd97387931214b8
SHA512 a79581626d09aedf3349e27d7f8ed31ca148d520a888069e1c8aa06f42645f80a8a2335591051d5daed40ce14797cefb6ea7f9b495c2ea529536bf75da6c0cc5

C:\Users\Public\Desktop\Google Chrome.lnk

MD5 da01925bfed202823e5eb8a80f42f4d7
SHA1 d794b2c4d5ed9807baef75696aec03116f86e5e0
SHA256 b8ecc80fbd5c36efd59658a954c9a1a95a09e698ca0b2dec88d762f698deaaa0
SHA512 2ed6d673a234e4d52d0493bf796b7c6a4072533b4ec0ccde6194c64c150b1999b22d11abdc20c4cde1095290d6491c2e49e5c02002411792b35634c8d6da1841

C:\Users\Admin\Desktop\MrsMajor 2.0.exe

MD5 247a35851fdee53a1696715d67bd0905
SHA1 d2e86020e1d48e527e81e550f06c651328bd58a4
SHA256 5dd4ea169cabf9226f54bb53e63ea6a1b5880a0d1222242aee378efb6255b57d
SHA512 a173801aaef4fab608d99b52223b5b2400d69b91edcbf33c21fcb47bd832eef9d771dfd36da350a502a371ed1739c869a7c2b4dca456c93f2feed9ac9c647c7c

C:\Users\Admin\AppData\Local\Temp\5625.tmp\5626.vbs

MD5 fd76266c8088a4dca45414c36c7e9523
SHA1 6b19bf2904a0e3b479032e101476b49ed3ae144a
SHA256 f853dddb0f9f1b74b72bccdb5191c28e18d466b5dbc205f7741a24391375cd6f
SHA512 3cd49395368e279ac9a63315583d3804aa89ec8bb6112754973451a7ea7b68140598699b30eef1b0e94c3286d1e6254e2063188282f7e6a18f1349877adeb072

C:\Users\Admin\AppData\Local\Temp\5625.tmp\MicrosoftWindowsServicesEtc\AppKill.bat

MD5 d4e987817d2e5d6ed2c12633d6f11101
SHA1 3f38430a028f9e3cb66c152e302b3586512dd9c4
SHA256 5549670ef8837c6e3c4e496c1ea2063670618249d4151dea4d07d48ab456690c
SHA512 b84fef88f0128b46f1e2f9c5dff2cb620ee885bed6c90dcf4a5dc51c77bea492c92b8084d8dc8b4277b47b2493a2d9d3f348c6e229bf3da9041ef90e0fd8b6c4

C:\Users\Admin\AppData\Local\Temp\5625.tmp\MicrosoftWindowsServicesEtc\CallFunc.vbs

MD5 5f9737f03289963a6d7a71efab0813c4
SHA1 ba22dfae8d365cbf8014a630f23f1d8574b5cf85
SHA256 a767894a68ebc490cb5ab2b7b04dd12b7465553ce7ba7e41e1ea45f1eaef5275
SHA512 5f4fb691e6da90e8e0872378a7b78cbd1acbf2bd75d19d65f17bf5b1cea95047d66b79fd1173703fcfef42cfc116ca629b9b37e355e44155e8f3b98f2d916a2a

C:\Users\Admin\AppData\Local\Temp\5625.tmp\MicrosoftWindowsServicesEtc\bsod.exe

MD5 8f6a3b2b1af3a4aacd8df1734d250cfe
SHA1 505b3bd8e936cb5d8999c1b319951ffebab335c9
SHA256 6581eeab9fd116662b4ca73f6ef00fb96e0505d01cfb446ee4b32bbdeefe1361
SHA512 c1b5f845c005a1a586080e9da9744e30c7f3eda1e3aaba9c351768f7dea802e9f39d0227772413756ab63914ae4a2514e6ce52c494a91e92c3a1f08badb40264

C:\Users\Admin\AppData\Local\Temp\5625.tmp\MicrosoftWindowsServicesEtc\breakrule.exe

MD5 bcb0ac4822de8aeb86ea8a83cd74d7ca
SHA1 8e2b702450f91dde3c085d902c09dd265368112e
SHA256 5eafebd52fbf6d0e8abd0cc9bf42d36e5b6e4d85b8ebe59f61c9f2d6dccc65e4
SHA512 b73647a59eeb92f95c4d7519432ce40ce9014b292b9eb1ed6a809cca30864527c2c827fe49c285bb69984f33469704424edca526f9dff05a6244b33424df01d1

C:\Users\Admin\AppData\Local\Temp\5625.tmp\MicrosoftWindowsServicesEtc\clingclang.wav

MD5 1c723b3b9420e04cb8845af8b62a37fa
SHA1 3331a0f04c851194405eb9a9ff49c76bfa3d4db0
SHA256 6831f471ee3363e981e6a1eb0d722f092b33c9b73c91f9f2a9aafa5cb4c56b29
SHA512 41f4005ec2a7e0ee8e0e5f52b9d97f25a64a25bb0f00c85c07c643e4e63ea361b4d86733a0cf719b30ea6af225c4fcaca494f22e8e2f73cda9db906c5a0f12ae

C:\Users\Admin\AppData\Local\Temp\5625.tmp\MicrosoftWindowsServicesEtc\checker.bat

MD5 f59801d5c49713770bdb2f14eff34e2f
SHA1 91090652460c3a197cfad74d2d3c16947d023d63
SHA256 3382484b5a6a04d05500e7622da37c1ffaef3a1343395942bc7802bf2a19b53f
SHA512 c1c3a78f86e7938afbe391f0e03065b04375207704e419fe77bf0810d1e740c3ef8926c878884ad81b429ec41e126813a68844f600e124f5fa8d28ef17b4b7bc

C:\Users\Admin\AppData\Local\Temp\5625.tmp\MicrosoftWindowsServicesEtc\data\fileico.ico

MD5 a62eeca905717738a4355dc5009d0fc6
SHA1 dd4cc0d3f203d395dfdc26834fc890e181d33382
SHA256 d13f7fd44f38136dae1cdf147ba9b673e698f77c0a644ccd3c12e3a71818a0cd
SHA512 47ffac6dc37dac4276579cd668fd2524ab1591b594032adbeb609d442f3a28235a2d185c66d8b78b6827ac51d62d97bdc3dffc3ffbaa70cf13d4d5f1dc5f16c2

C:\Users\Admin\AppData\Local\Temp\5625.tmp\MicrosoftWindowsServicesEtc\healgen.vbs

MD5 8837818893ce61b6730dd8a83d625890
SHA1 a9d71d6d6d0c262d41a60b6733fb23cd7b8c7614
SHA256 cc6d0f847fde710096b01abf905c037594ff4afae6e68a8b6af0cc59543e29bb
SHA512 6f17d46098e3c56070ced4171d4c3a0785463d92db5f703b56b250ab8615bcb6e504d4c5a74d05308a62ea36ae31bc29850187943b54add2b50422fb03125516

C:\Program Files\MicrosoftWindowsServicesEtc\GetReady.exe

MD5 57f3795953dafa8b5e2b24ba5bfad87f
SHA1 47719bd600e7527c355dbdb053e3936379d1b405
SHA256 5319958efc38ea81f61854eb9f6c8aee32394d4389e52fe5c1f7f7ef6b261725
SHA512 172006e8deed2766e7fa71e34182b5539309ec8c2ac5f63285724ef8f59864e1159c618c0914eb05692df721794eb4726757b2ccf576f0c78a6567d807cbfb98

C:\Users\Admin\AppData\Local\Temp\5625.tmp\MicrosoftWindowsServicesEtc\DgzRun.vbs

MD5 a91417f7c55510155771f1f644dd6c7e
SHA1 41bdb69c5baca73f49231d5b5f77975b79e55bdf
SHA256 729f7540887cf32a5d4e1968a284c46cf904752821c734bd970ecd30a848477a
SHA512 f786699c1ab9d7c74dd9eb9d76a76728980b29e84999a166a47b7ee102d8e545901ed0fcb30331712490a36de2d726115b661ad3900cdc2bfcfc601d00b76b07

C:\Users\Admin\AppData\Local\Temp\5625.tmp\MicrosoftWindowsServicesEtc\data\thetruth.jpg

MD5 7907845316bdbd32200b82944d752d9c
SHA1 1e5c37db25964c5dd05f4dce392533a838a722a9
SHA256 4e3baea3d98c479951f9ea02e588a3b98b1975055c1dfdf67af4de6e7b41e476
SHA512 72a64fab025928d60174d067990c35caa3bb6dadacf9c66e5629ee466016bc8495e71bed218e502f6bde61623e0819485459f25f3f82836e632a52727335c0a0

C:\Users\Admin\AppData\Local\Temp\5625.tmp\MicrosoftWindowsServicesEtc\data\runner32s.exe

MD5 87815289b110cf33af8af1decf9ff2e9
SHA1 09024f9ec9464f56b7e6c61bdd31d7044bdf4795
SHA256 a97ea879e2b51972aa0ba46a19ad4363d876ac035502a2ed2df27db522bc6ac4
SHA512 8d9024507fa83f578b375c86f38970177313ec3dd9fae794b6e7f739e84fa047a9ef56bf190f6f131d0c7c5e280e729208848b152b3ca492a54af2b18e70f5dc

C:\Users\Admin\AppData\Local\Temp\5625.tmp\MicrosoftWindowsServicesEtc\data\excursor.ani

MD5 289624a46bb7ec6d91d5b099343b7f24
SHA1 2b0aab828ddb252baf4ed99994f716d136cd7948
SHA256 b93b0cb2bb965f5758cb0c699fbc827a64712d6f248aaf810cde5fa5ef3227eb
SHA512 8c77696fe1c897f56ea3afdecf67ad1128274815942cd4c73d30bf0a44dd1a690d8c2f4b0be08e604853084e5515020c2e913d6e044f9801b6223c1912eec8f8

C:\Users\Admin\AppData\Local\Temp\5625.tmp\MicrosoftWindowsServicesEtc\data\eula32.exe

MD5 cbc127fb8db087485068044b966c76e8
SHA1 d02451bd20b77664ce27d39313e218ab9a9fdbf9
SHA256 c5704419b3eec34fb133cf2509d12492febdcb8831efa1ab014edeac83f538d9
SHA512 200ee39287f056b504cc23beb1b301a88b183a3806b023d936a2d44a31bbfd08854f6776082d4f7e2232c3d2f606cd5d8229591ecdc86a2bbcfd970a1ee33d41

C:\Users\Admin\AppData\Local\Temp\5625.tmp\MicrosoftWindowsServicesEtc\majorlist.exe

MD5 230970ec5286b34a6b2cda9afdd28368
SHA1 e3198d3d3b51d245a62a0dc955f2b1449608a295
SHA256 3cdafc944b48d45a0d5dc068652486a970124ebe1379a7a04e5cf1dcf05c37c8
SHA512 52912b6b2ba55c540316fcfc6f45d68771d1c22ddf4eb09c2cc15fb8ddd214812c18fd75cd61b561c29f660e2bf20290a101b85da1e0bbf8dfbf90b791892b57

C:\Users\Admin\AppData\Local\Temp\5625.tmp\MicrosoftWindowsServicesEtc\majordared.exe

MD5 570d35aabee1887f7f6ab3f0a1e76984
SHA1 ae989563c3be21ee9043690dcaac3a426859d083
SHA256 fa24bc7bc366f2ad579d57a691fb0d10d868e501221df0c32a98e705d2d61e43
SHA512 9b68a8acacba451bbf028656c181fae29c5bcaed6a7ff4c1fc26ab708b62ca4be7bba9c777c598926d23331570617d20a0ce439f014461eccd8c3f595d21a54f

C:\Users\Admin\AppData\Local\Temp\5625.tmp\MicrosoftWindowsServicesEtc\Major.exe

MD5 d604c29940864c64b4752d31e2deb465
SHA1 c1698ea4e5d1ba1c9b78973556f97e8f6dbbdef3
SHA256 da0233f5e5e9a34e8dd4f6911444ca1f3e29bb9cbd958a9f4508ac7d72ccd55d
SHA512 89a4a14574ba19fe319c766add0111feeb4320c08bf75f55a898d9acc783d5a862a6433758a413cc719b9179dcf873f1c850d1084851b8fc37aa1e3deabfcf54

C:\Users\Admin\AppData\Local\Temp\5625.tmp\MicrosoftWindowsServicesEtc\rsod.exe

MD5 91a0740cfb043e1f4d8461f8cbe2ff19
SHA1 92e1ad31c34c4102e5cb2cc69f3793b2a1d5304e
SHA256 dcaabfd6955d3fec26a86217d1b1ab7e979c301d498473e4d885145ce031fc3b
SHA512 c60067655e5f191708af9b25382869e3ce65cd3ea2d6cac70f8cae4132942cfd6a8aa9dde1e2b7f3f12997d6d7411e21dc73ab4cd83ec555d74b82b86778a613

C:\Users\Admin\AppData\Local\Temp\5625.tmp\MicrosoftWindowsServicesEtc\NotMuch.exe

MD5 87a43b15969dc083a0d7e2ef73ee4dd1
SHA1 657c7ff7e3f325bcbc88db9499b12c636d564a5f
SHA256 cf830a2d66d3ffe51341de9e62c939b2bb68583afbc926ddc7818c3a71e80ebb
SHA512 8a02d24f5dab33cdaf768bca0d7a1e3ea75ad515747ccca8ee9f7ffc6f93e8f392ab377f7c2efa5d79cc0b599750fd591358a557f074f3ce9170283ab5b786a1

C:\Users\Admin\AppData\Local\Temp\5625.tmp\MicrosoftWindowsServicesEtc\majorsod.exe

MD5 b561c360c46744f55be79a25e1844e3c
SHA1 ed0f7eb00b4f1ae6cf92ad75e5701014f3d03d56
SHA256 d1094e91960ded15444c6f50756adc451a7c0b495b2ea28319b7184ba96236f7
SHA512 0a3a75d08f1d7afcd7a476fc71157983e04b0c26b00ace4d505aa644e5da3e242dd0f6afdb3c93f29ba0b08d2702d0e96b49acba4ed260330068b13f93973e9f

C:\Users\Admin\AppData\Local\Temp\5625.tmp\MicrosoftWindowsServicesEtc\weird\majorlist.bat

MD5 4cc606c63f423fda5324c962db709562
SHA1 091250ffc64db9bea451885350abed2b7748014c
SHA256 839301ef07178c100e7f4d47874faf995ae5d11dfd527dda096a284c8114671b
SHA512 f29ef2bc694f497499545d1fa4e14ca93c06049fff582af3a6caf3885153491a1cd9e96ab5a6746051aa972421f876c008e5d5b671bd34c3922b61c84151097f

C:\Users\Admin\AppData\Local\Temp\5625.tmp\MicrosoftWindowsServicesEtc\weird\Major.vbs

MD5 9192fd494155eab424110765c751559e
SHA1 b54fcc1e29617b3eee1c7bb215c048498881b641
SHA256 cbd3b0f294e8f11592a3ad80d1070d81746f806a48183b93c345251422ccbf0d
SHA512 b8c48916535f3721e7f47be6af671765c3befefcd407c6ea5fabcf9ada119747408d662f61fb436f98a7c33050b6674da54dddf25e683429204a96555ec6e801

C:\Users\Admin\AppData\Local\Temp\5625.tmp\MicrosoftWindowsServicesEtc\weird\GetReady.bat

MD5 3dbccaadafb7f0227c1839be5ca07015
SHA1 bd636f73235d52d172ad8932a8e4a6a8b17389a0
SHA256 33a0c62f3f66bce3fc1beb37aca8ad731bfa5590177d933d9d4eae016019242a
SHA512 d981670f9d492d97931ab260a7d7d27d4f97621a1ef3e20246d4be2a9b4cfc01e01174a1d46432b4a3d937ad135c97eec9ef7bbc7da46034388843887df4637e

C:\Users\Admin\AppData\Local\Temp\5625.tmp\MicrosoftWindowsServicesEtc\weird\cmd.vbs

MD5 b181d5a4055b4a620dd7c44c5065bbe7
SHA1 36320f257026b923b923ad2c0e7fa93a257806e0
SHA256 4d2639e890d6d5988eb9cb6f8cb50647048bbfeeb83fc604c52567e7381c876c
SHA512 0bec0cf2e5b93065701c5458c1d7e047312971d7bbed3ce5444db710654fa0d84eabb7d7c243130e3cb2dae38eb05874929b5b08547174a6065f8accd4e0433d

C:\Users\Admin\AppData\Local\Temp\5625.tmp\MicrosoftWindowsServicesEtc\weird\bsod.bat

MD5 c94bb8d71863b05b95891389bed6365e
SHA1 07bb402d67f8b1fc601687f1df2622369413db3b
SHA256 3900e3b60b4691311e050c4cf8fac82ff178a06e3d04d5d6b2d7ea12cf5d53d1
SHA512 00e7ab3a91862faaf5ac5ca3de6dbf2cbb8aac4aba277e1e14b2ecf4650eea2e68134e0df549dca35ab715ed46e36fa9cfee1ba7bb3520511723bf567566682d

C:\Users\Admin\AppData\Local\Temp\5625.tmp\MicrosoftWindowsServicesEtc\weird\breakrule.vbs

MD5 2609fde7a9604c73be5083e4bcfa0e20
SHA1 068c89f703fb11663143b9927f2a0c9f9f59c0e3
SHA256 17d014cb4abbaced3acce9b6d7a1b595cd6e2dd814e41f06ceddcdc08e93eebe
SHA512 439fee7cc198cb3fef4ef14693141e52c305579a4ff2da0842323f57dcffade03f3b01ac288080fed423511937a4c1e2080f5a79f967a963fe34253f541824cb

C:\Users\Admin\AppData\Local\Temp\5625.tmp\MicrosoftWindowsServicesEtc\RuntimeChecker.exe

MD5 cd58990b1b7f6c68f56244c41ab91665
SHA1 7ccca9958d6aebbe3883b55f115b041b827bd2e7
SHA256 51f59e877a1c2a1c2760c677def7395ef2868c2ee3e56ffdc3ace570afa50428
SHA512 011bdd417ec3bf72daa2b32d3816b696be8b87423740dc2a0182e23515651deeb870a94f3415a73480145f9f5e36c1a3a492410b77ca95d7fab8b9826e9198cc

C:\Users\Admin\AppData\Local\Temp\xRun.vbs

MD5 26ec8d73e3f6c1e196cc6e3713b9a89f
SHA1 cb2266f3ecfef4d59bd12d7f117c2327eb9c55fa
SHA256 ed588fa361979f7f9c6dbb4e6a1ae6e075f2db8d79ea6ca2007ba8e3423671b0
SHA512 2b3ad279f1cdc2a5b05073116c71d79e190bfa407da09d8268d56ac2a0c4cc0c31161a251686ac67468d0ba329c302a301c542c22744d9e3a3f5e7ffd2b51195

memory/5936-1595-0x0000000000C90000-0x0000000000DCC000-memory.dmp

memory/5936-1596-0x0000000005D40000-0x00000000062E4000-memory.dmp

memory/5936-1597-0x0000000005830000-0x00000000058C2000-memory.dmp

memory/5936-1598-0x00000000057C0000-0x00000000057CA000-memory.dmp

memory/1552-1618-0x00000000008F0000-0x0000000000914000-memory.dmp