Malware Analysis Report

2024-11-13 16:19

Sample ID 240828-lmmlxsvfkk
Target https://github.com/TheDarkMythos/windows-malware
Tags
agilenet bootkit discovery evasion execution persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

Threat Level: Known bad

The file https://github.com/TheDarkMythos/windows-malware was found to be: Known bad.

Malicious Activity Summary

agilenet bootkit discovery evasion execution persistence trojan

UAC bypass

Executes dropped EXE

Checks computer location settings

Obfuscated with Agile.Net obfuscator

Loads dropped DLL

Legitimate hosting services abused for malware hosting/C2

Writes to the Master Boot Record (MBR)

Enumerates physical storage devices

Command and Scripting Interpreter: JavaScript

System Location Discovery: System Language Discovery

Browser Information Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of SetWindowsHookEx

NTFS ADS

System policy modification

Enumerates system info in registry

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious use of FindShellTrayWindow

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-28 09:39

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-28 09:39

Reported

2024-08-28 09:46

Platform

win10v2004-20240802-en

Max time kernel

409s

Max time network

416s

Command Line

"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://github.com/TheDarkMythos/windows-malware"

Signatures

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\system32\wscript.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\87A6.tmp\eulascr.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation C:\Windows\system32\wscript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\87A6.tmp\eulascr.exe N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A

Browser Information Discovery

discovery

Command and Scripting Interpreter: JavaScript

execution

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\notepad.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\windows-malware-master\SpySheriff\Install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\notepad.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

NTFS ADS

Description Indicator Process Target
File created C:\Users\Admin\Downloads\windows-malware-master.zip:Zone.Identifier C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\87A6.tmp\eulascr.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\87A6.tmp\eulascr.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2456 wrote to memory of 2188 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2456 wrote to memory of 2188 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2456 wrote to memory of 2188 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2456 wrote to memory of 2188 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2456 wrote to memory of 2188 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2456 wrote to memory of 2188 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2456 wrote to memory of 2188 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2456 wrote to memory of 2188 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2456 wrote to memory of 2188 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2456 wrote to memory of 2188 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2456 wrote to memory of 2188 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2188 wrote to memory of 1036 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2188 wrote to memory of 1036 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2188 wrote to memory of 1036 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2188 wrote to memory of 1036 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2188 wrote to memory of 1036 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2188 wrote to memory of 1036 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2188 wrote to memory of 1036 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2188 wrote to memory of 1036 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2188 wrote to memory of 1036 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2188 wrote to memory of 1036 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2188 wrote to memory of 1036 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2188 wrote to memory of 1036 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2188 wrote to memory of 1036 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2188 wrote to memory of 1036 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2188 wrote to memory of 1036 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2188 wrote to memory of 1036 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2188 wrote to memory of 1036 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2188 wrote to memory of 1036 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2188 wrote to memory of 1036 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2188 wrote to memory of 1036 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2188 wrote to memory of 1036 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2188 wrote to memory of 1036 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2188 wrote to memory of 1036 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2188 wrote to memory of 1036 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2188 wrote to memory of 1036 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2188 wrote to memory of 1036 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2188 wrote to memory of 1036 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2188 wrote to memory of 1036 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2188 wrote to memory of 1036 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2188 wrote to memory of 1036 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2188 wrote to memory of 1036 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2188 wrote to memory of 1036 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2188 wrote to memory of 1036 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2188 wrote to memory of 1036 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2188 wrote to memory of 1036 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2188 wrote to memory of 1036 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2188 wrote to memory of 1036 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2188 wrote to memory of 1036 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2188 wrote to memory of 1036 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2188 wrote to memory of 1036 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2188 wrote to memory of 1036 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2188 wrote to memory of 1036 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2188 wrote to memory of 1036 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2188 wrote to memory of 1036 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2188 wrote to memory of 1036 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2188 wrote to memory of 3000 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2188 wrote to memory of 3000 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2188 wrote to memory of 3000 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2188 wrote to memory of 3000 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2188 wrote to memory of 3000 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2188 wrote to memory of 3000 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2188 wrote to memory of 3000 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2188 wrote to memory of 3000 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\system32\wscript.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\system32\wscript.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://github.com/TheDarkMythos/windows-malware"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://github.com/TheDarkMythos/windows-malware

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1996 -parentBuildID 20240401114208 -prefsHandle 1920 -prefMapHandle 1912 -prefsLen 23602 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {636ea9d1-9cd4-4397-9d83-a8df1484c0d2} 2188 "\\.\pipe\gecko-crash-server-pipe.2188" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2420 -parentBuildID 20240401114208 -prefsHandle 2412 -prefMapHandle 2408 -prefsLen 24522 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {029e9776-92fe-4144-85b5-94d2588cb343} 2188 "\\.\pipe\gecko-crash-server-pipe.2188" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3228 -childID 1 -isForBrowser -prefsHandle 3232 -prefMapHandle 3400 -prefsLen 22590 -prefMapSize 244628 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a9f05a6f-94af-4757-9d92-f3fa5e8c30d5} 2188 "\\.\pipe\gecko-crash-server-pipe.2188" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3672 -childID 2 -isForBrowser -prefsHandle 3664 -prefMapHandle 2956 -prefsLen 29012 -prefMapSize 244628 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c8baf124-ea09-4436-88bb-9968e9648611} 2188 "\\.\pipe\gecko-crash-server-pipe.2188" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4656 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4668 -prefMapHandle 4664 -prefsLen 29012 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e07a1537-2a43-4820-bbcf-b2526584e07e} 2188 "\\.\pipe\gecko-crash-server-pipe.2188" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5292 -childID 3 -isForBrowser -prefsHandle 5312 -prefMapHandle 5268 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1d0b7828-c002-4e02-ae5b-af54ba487abb} 2188 "\\.\pipe\gecko-crash-server-pipe.2188" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5396 -childID 4 -isForBrowser -prefsHandle 5404 -prefMapHandle 5388 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5a925573-d18b-40c8-ac0b-6ac02bf19470} 2188 "\\.\pipe\gecko-crash-server-pipe.2188" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5736 -childID 5 -isForBrowser -prefsHandle 5656 -prefMapHandle 5664 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c2bc317c-ad0f-48dd-a52e-fd1ffadccc31} 2188 "\\.\pipe\gecko-crash-server-pipe.2188" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6132 -childID 6 -isForBrowser -prefsHandle 6136 -prefMapHandle 6112 -prefsLen 29159 -prefMapSize 244628 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {28343d21-1020-430c-8ffc-8d6852264c99} 2188 "\\.\pipe\gecko-crash-server-pipe.2188" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6792 -childID 7 -isForBrowser -prefsHandle 3612 -prefMapHandle 3080 -prefsLen 27108 -prefMapSize 244628 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8a48f6f3-0935-40b0-8d12-6a07d577a879} 2188 "\\.\pipe\gecko-crash-server-pipe.2188" tab

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\windows-malware-master\MEMZ\Geometry dash auto speedhack.bat" "

C:\Windows\system32\cscript.exe

cscript x.js

C:\Users\Admin\AppData\Roaming\MEMZ.exe

"C:\Users\Admin\AppData\Roaming\MEMZ.exe"

C:\Users\Admin\Desktop\windows-malware-master\MrsMajor 3.0\MrsMajor3.0.exe

"C:\Users\Admin\Desktop\windows-malware-master\MrsMajor 3.0\MrsMajor3.0.exe"

C:\Windows\system32\wscript.exe

"C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\87A6.tmp\87A7.tmp\87A8.vbs //Nologo

C:\Users\Admin\AppData\Local\Temp\87A6.tmp\eulascr.exe

"C:\Users\Admin\AppData\Local\Temp\87A6.tmp\eulascr.exe"

C:\Users\Admin\AppData\Roaming\MEMZ.exe

"C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog

C:\Users\Admin\AppData\Roaming\MEMZ.exe

"C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog

C:\Users\Admin\AppData\Roaming\MEMZ.exe

"C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog

C:\Users\Admin\AppData\Roaming\MEMZ.exe

"C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog

C:\Users\Admin\AppData\Roaming\MEMZ.exe

"C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog

C:\Users\Admin\AppData\Roaming\MEMZ.exe

"C:\Users\Admin\AppData\Roaming\MEMZ.exe" /main

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\System32\notepad.exe" \note.txt

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=my+computer+is+doing+weird+things+wtf+is+happenin+plz+halp

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff9d0d846f8,0x7ff9d0d84708,0x7ff9d0d84718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,16433196871063836933,8280336076445260780,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,16433196871063836933,8280336076445260780,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,16433196871063836933,8280336076445260780,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2760 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,16433196871063836933,8280336076445260780,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,16433196871063836933,8280336076445260780,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,16433196871063836933,8280336076445260780,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4960 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,16433196871063836933,8280336076445260780,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2496 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,16433196871063836933,8280336076445260780,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5328 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,16433196871063836933,8280336076445260780,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5328 /prefetch:8

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\windows-malware-master\ILOVEYOU\LOVE-LETTER-FOR-YOU.TXT.vbs"

C:\Users\Admin\Desktop\windows-malware-master\SpySheriff\Install.exe

"C:\Users\Admin\Desktop\windows-malware-master\SpySheriff\Install.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,16433196871063836933,8280336076445260780,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5384 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,16433196871063836933,8280336076445260780,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4176 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,16433196871063836933,8280336076445260780,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5108 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,16433196871063836933,8280336076445260780,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:1

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\System32\notepad.exe"

Network

Country Destination Domain Proto
N/A 127.0.0.1:61313 tcp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
US 8.8.8.8:53 github.com udp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 34.117.188.166:443 spocs.getpocket.com udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 34.117.188.166:443 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 github.githubassets.com udp
US 185.199.111.154:443 github.githubassets.com tcp
US 8.8.8.8:53 github.githubassets.com udp
US 8.8.8.8:53 avatars.githubusercontent.com udp
US 8.8.8.8:53 github.githubassets.com udp
US 185.199.109.133:443 avatars.githubusercontent.com tcp
US 8.8.8.8:53 avatars.githubusercontent.com udp
US 8.8.8.8:53 avatars.githubusercontent.com udp
US 8.8.8.8:53 255.254.81.35.in-addr.arpa udp
US 8.8.8.8:53 154.111.199.185.in-addr.arpa udp
US 8.8.8.8:53 133.109.199.185.in-addr.arpa udp
US 8.8.8.8:53 tracking-protection.cdn.mozilla.net udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 8.8.8.8:53 tracking-protection.prod.mozaws.net udp
US 8.8.8.8:53 tracking-protection.prod.mozaws.net udp
US 8.8.8.8:53 tracking-protection.cdn.mozilla.net udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 8.8.8.8:53 collector.github.com udp
US 140.82.112.21:443 collector.github.com tcp
US 8.8.8.8:53 glb-db52c2cf8be544.github.com udp
US 8.8.8.8:53 api.github.com udp
US 8.8.8.8:53 glb-db52c2cf8be544.github.com udp
GB 20.26.156.210:443 api.github.com tcp
US 8.8.8.8:53 api.github.com udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 8.8.8.8:53 api.github.com udp
US 140.82.112.21:443 collector.github.com tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 8.8.8.8:53 210.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 21.112.82.140.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
N/A 127.0.0.1:61322 tcp
US 185.199.111.154:443 github.githubassets.com tcp
US 8.8.8.8:53 github.githubassets.com udp
US 185.199.109.133:443 avatars.githubusercontent.com tcp
US 8.8.8.8:53 codeload.github.com udp
GB 20.26.156.216:443 codeload.github.com tcp
US 8.8.8.8:53 codeload.github.com udp
US 8.8.8.8:53 codeload.github.com udp
US 8.8.8.8:53 216.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 www.mozilla.org udp
IE 18.66.173.186:443 www.mozilla.org tcp
US 8.8.8.8:53 www.mozorg.moz.works udp
US 8.8.8.8:53 www.mozorg.moz.works udp
US 8.8.8.8:53 186.173.66.18.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.179.228:443 www.google.com tcp
GB 142.250.179.228:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 228.179.250.142.in-addr.arpa udp
GB 142.250.179.228:443 www.google.com udp
US 8.8.8.8:53 3.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 location.services.mozilla.com udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 35.190.72.216:443 prod.classify-client.prod.webservices.mozgcp.net udp
US 35.190.72.216:443 prod.classify-client.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 216.72.190.35.in-addr.arpa udp
US 8.8.8.8:53 201.181.244.35.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 ciscobinary.openh264.org udp
GB 88.221.134.155:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 172.217.169.14:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 172.217.169.14:443 redirector.gvt1.com udp
US 8.8.8.8:53 r1---sn-aigzrnsr.gvt1.com udp
US 8.8.8.8:53 155.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 14.169.217.172.in-addr.arpa udp
GB 74.125.175.38:443 r1---sn-aigzrnsr.gvt1.com tcp
US 8.8.8.8:53 r1.sn-aigzrnsr.gvt1.com udp
US 8.8.8.8:53 r1.sn-aigzrnsr.gvt1.com udp
GB 74.125.175.38:443 r1.sn-aigzrnsr.gvt1.com udp
US 8.8.8.8:53 38.175.125.74.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 collector.github.com udp
US 8.8.8.8:53 glb-db52c2cf8be544.github.com udp
US 140.82.113.22:443 glb-db52c2cf8be544.github.com tcp
US 8.8.8.8:53 glb-db52c2cf8be544.github.com udp
US 185.199.111.154:443 github.githubassets.com tcp
US 185.199.111.154:443 github.githubassets.com tcp
US 185.199.111.154:443 github.githubassets.com tcp
US 185.199.111.154:443 github.githubassets.com tcp
US 185.199.111.154:443 github.githubassets.com tcp
US 8.8.8.8:53 22.113.82.140.in-addr.arpa udp
US 185.199.111.154:443 github.githubassets.com tcp
US 8.8.8.8:53 github.githubassets.com udp
US 185.199.111.154:443 github.githubassets.com tcp
US 185.199.111.154:443 github.githubassets.com tcp
US 185.199.111.154:443 github.githubassets.com tcp
US 185.199.111.154:443 github.githubassets.com tcp
US 34.117.188.166:443 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 5.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 drive.google.com udp
GB 142.250.200.14:443 drive.google.com tcp
US 8.8.8.8:53 drive.usercontent.google.com udp
GB 142.250.178.1:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 1.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 google.co.ck udp
GB 142.250.187.228:80 google.co.ck tcp
GB 142.250.187.228:80 google.co.ck tcp
GB 142.250.179.228:80 www.google.com tcp
GB 142.250.179.228:443 www.google.com tcp
US 8.8.8.8:53 support.google.com udp
US 8.8.8.8:53 228.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
GB 142.250.179.228:443 www.google.com udp
N/A 224.0.0.251:5353 udp

Files

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\pending_pings\901c4869-1995-42ae-be2e-9bb6c165c06e

MD5 c728c6da2b4d525302741750925a967e
SHA1 ad97656387c7cf5337272dbff7bbcf4e31e39b75
SHA256 530e05aaf09a62cdb9cd9a4f5f14aa0a6cd00b4ccfa27ced6d17ea2ff60ea34b
SHA512 bb800e4119e67de53b9fe5472a2c22d1b277735a1fb7761fa266a8c784748321688c7f8df9a5a96e5ec019812e950f3d0c0c1f2119b6086ece5d36bbbc21e5da

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\pending_pings\2ceb333c-c767-421a-a834-7468b06cfcdf

MD5 3c4e7b4cb9a93c579ff423e96d3801f3
SHA1 0af47ec2d469b3ee0ae14da707989fe5d777eb09
SHA256 5ae315acdd299f4e38b4d5b4fa26bc8bccdaadbb62e4e715377539ced8740334
SHA512 d91caacb8f5126b7e3304210b81bf0701a7463ee1473d4af3baad469afa5c99e557c08b94af0db5b51559a0c1e4a6b609ab62988be8047fc2d7f0f741a542198

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\pending_pings\9b1e58d0-1894-499b-996d-5ea571cd1e6f

MD5 c2b912382b41bcac5c8052773d02ddc4
SHA1 48b880b5e288973a62c37019275596c814699195
SHA256 1c07a70aaf34f33f508d8a0c4f94d082135f2471b5b91695a0a9bcfd02918f6d
SHA512 9400847e038b6b1241ee7661b6313b257ae4c962e013b9dcb4489103edcb1d09e6c2f592966d770ff8cdc5b377c4a6c7f8dae56bad99f864d60f71a49fa5380a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\db\data.safe.tmp

MD5 0b755d0cef0796ba0cb6f016f2620388
SHA1 cbe11f52fe9b4d9feca5c1e264838ef84e47dd0d
SHA256 7d623a09f51c8fab7d70752a82cae6a497160a4e936f3a83b34d37d937a8d7ed
SHA512 154b1d86be7be363df7f87ef615d8b7cfc237204d25399a78e655a5726c78e2c87e2a9ddefd21d4fb959d363d9ba4abf7502b466643df4385cff9ee9c0b3b411

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\activity-stream.discovery_stream.json

MD5 7f7425c66b00a058fa2e0f2f3882981e
SHA1 370db5d115747470ef24eba4783c153c6457b338
SHA256 f34622140535691018256a81b34fea7a07fe073f056b97e75a062d488dd666fc
SHA512 328b089190a6a2b770f076067660079698661d11f0f561fb76626f18c3b5260c3af75dbc7b8b4d6d345a3de79a567ea33469831a4245f7dac2a4d404ed080af0

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\db\data.safe.tmp

MD5 fe8c20ffea2025758a38ee83a3251f0c
SHA1 69f0c1259e3742ee74b1fd9c62e0564d5958adda
SHA256 b667844e0da3eb8395e4182188afbc09020c191d71a624b69ef262bc2ed97c2f
SHA512 24e2eb21b0422378a9eced8f3dc721eebe9f9e8e66ea7e89a3fd653a49f45ff25fef72d6a870da73595fea877a12015bb9cfd9a4425a0cd5c6bc70ec965bac39

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\prefs.js

MD5 ad5f865cd819b8731ed5afafcc6d51a4
SHA1 378c0eefc5c5824b12d313cce0b27468eb310690
SHA256 b0737a781d8acb6227da1991092d258a8d16ac97a54b9b18480e0285ebdce339
SHA512 f74cd57153c60fb3de3971d2b6806740b9bcf609f7711f95380f2d1016c2111b9530dd2d9519fac7df60ee6f89168ecc9868987ee0941aa62cbd1295041f82cf

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\prefs.js

MD5 7b51391cac7a35c95bb1fe95d36b4775
SHA1 e3aac91152db6ae6b28ecbc793c9d3e4c74d9c95
SHA256 a61678e8ad3513635d602b4cf3bf29e25f85464598ae745dd7c49804e6904070
SHA512 559ea562a63eabca05f0c19449c06248a8a8a873bfa03c38bb87a70b60fc3a0a625de05b8c92f42bb81b007dd315f0ed64fe0aabcbd38dc19edb90df8dad528a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\prefs.js

MD5 0d10621b83a1c8aef7d5b5ed3da43bbb
SHA1 79524dec52e1c54b531a128f0f94a87b07fa26a8
SHA256 cf3838d4330749f4bb967bf8abb91409290b2ceb764c0060e9283946d328a11c
SHA512 040448c4006ecc3e6828ee85aa39be025bdf0d0727cfcf9595a2455dd5f24cfae41426c0cda64d760a0e45da66a212517d9621d3b957671fd3f494fb88090e13

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\AlternateServices.bin

MD5 fd7fed7b9e2d45a9f9fe93e8c345700c
SHA1 aab5a7fed0ce77340ac991dc0b53a6753ca3d640
SHA256 611a70c73a738760ca00d07deb053c55354fc1ff4a8132a512ea2f9a8e9e7db0
SHA512 0571f982573288960b495be70ea650f3effa0866e76a87337e0ff9043a3e9c4f460092457f209121ddd51297fbfc3384ce69478a31edf8bba548002b80b13167

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\db\data.safe.tmp

MD5 749103d23e23565ac73d972cc72e5d4b
SHA1 f4675259fb2428fec060e4ba00e8bae69cf736a3
SHA256 3c7bed3dcf25f25bc59406fcb85f37ea306e1be401761b499b7db8865ebcaf35
SHA512 ebf1d7ddb7df7444a6b53a5b75a523b010deca86b60d2965bbe31181f60feaf9369fbcea1b409f026ce6d709a80b07ac8116b03d34174e7021452d8ea714330e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\sessionstore-backups\recovery.baklz4

MD5 10a5e93e07683aadfb6fb9f5dfc832b3
SHA1 b0b38c2424b514d30b8ab3294ff488b9caf79f7d
SHA256 b43c99e7d956a26162ccec65fccf6fb2d60bbd81fa23c210fe1e726d1648ed88
SHA512 705821604910291b015e069056a9ce6ce6549cdd6fd7c3d9f156f737975b814d32d60bc9d601a03e0e09663236711576818391efa5c79acc8a52716ba6f82484

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\prefs-1.js

MD5 731e74f1c24ead5ac4f1bfd911876594
SHA1 8e43e8a6d958ca9b8f70132a6d525f8eb1b7632e
SHA256 3ddeeef54e19a2078a1b2f995d4b01513552c9604b23a971f1c5237710197755
SHA512 76abb2f28000e75f761309714e1e836845745561da1404e3cf56c04f290c1c048f7a53f669a5b54b0add20700f88ca3e0fc572a18c2ce6f0ab8f0692b3ea8ab2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\AlternateServices.bin

MD5 e38b939d60ae8ebc4e0fbaaa835c54eb
SHA1 0e9ffc29b879817fea60980910335fb8e056d9aa
SHA256 5b774d5e7eff0d1936b933d4e9f3f8812281c892c77ee9f31b94565b3ab32c8c
SHA512 f7ec750ddb937c53b0d62f3ad775ee71028d31dc99bd9569211d910ae9e2b0f36e1ed12d2d2ee5a67112d6685787e22d88a5c522fe9eb3c8974e9c98d3f2785b

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\sessionstore-backups\recovery.baklz4

MD5 5865564e77009f7bb52499ce5b175cae
SHA1 f14ac419802d508d1da9605906d8134197eb3d5e
SHA256 f7a1bc64070f4fc1754d50673dad3ab23ca1561e3383deefce12e7c0aea0fb6b
SHA512 13fd6c3bbb00b1dedc66a143143f73c4076915581f64f81d2843f0ebae35224c2b0c5e0320d8a98ee4c916d83ff518855b99851e80b5f492261d8695c1634ac2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\sessionstore-backups\recovery.baklz4

MD5 095587fe7a2071181ffc511cf883447a
SHA1 da3f34d924ad9892c0318d858e0d45139d668ecf
SHA256 822b2052688ca6485bd040ea4da3a8b8ccf1f18f756c64f0623670a8618a9acf
SHA512 9bd3e7f7e9340cad25454bf499cf1f6e7319d0ef963faed3d6f09c6ae819f7210e06af6f2fcc9e57fa38fa508e28a60739deba5ab04120d57e459ec5b123d100

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\cache2\entries\04AF3DF2C0644295C5AA12083A3265F4C82831A0

MD5 6aeda9eac502a9e2a7b272791e48be64
SHA1 9c96d44296ae1539877f9cfb8d2f47d0d160c820
SHA256 ed4bd62c3ddf875938ccca1b70301cb5938c6be6c8a42b05c014bb24c6872435
SHA512 ca736c322fecb3f874c3f3c4450630f7c932f6fd90025f40a0dc78fa2827bec4faeb011e87f1b469a66686be733970c2b2b1bcc18a4970f9ba72a08adf13cd1d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\sessionstore-backups\recovery.baklz4

MD5 40580ea55471cda75bbcd4852ed670c5
SHA1 e456ed0e84db2442c033e8d9945b577f4dc4099b
SHA256 5c2d18928dc469713e7c3d8862ce3336dc510ba84a92a27313e1d4d56c9a2462
SHA512 c66cfd65ae1607cffc3ce90dd13a9d0762fb69fd2c99e8f13beecd72bf333329768f9d32c8839aa6891d0e81fe6df2f49ed102b68e6ed59f3f4d714469e557d0

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\sessionstore-backups\recovery.baklz4

MD5 ebe6a66d79444551607cb3a499bed1e5
SHA1 62b6897ebc79569829ab417cd986065f6ef9172e
SHA256 e702002db9f8dacb61f70b43a7f30e959aa87f3da34e097eec70287736a1e2e8
SHA512 14dee0747d09af7ba977228fdbdb6bed3da76fed7f5b701bcd56df0d1b3740516319a50254db1306a2b38c062bf7fb885617325e04375660128b8c3354e492fb

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\sessionstore-backups\recovery.baklz4

MD5 a2fe57c867223e65e770a0e56c9fe6db
SHA1 96734daa658d7e84e7c37d174f6ca3103410ef89
SHA256 8d486b0c0203288866c40d6383a47c58fc16b9e183ccfb20e3cb48f29e5fdb5c
SHA512 aafa436b5d45516913e7a39e292f79a60a412cb627387bc7b23eb45a83aa7cf2f58582a3aaab4f7fc29561260dd2b0075b643b0702580c3a16f6fe7abb422a84

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\sessionstore-backups\recovery.baklz4

MD5 48007286e668e907b0c18df6b1c2ca99
SHA1 100243aa2a18e14fc2b57206cd6f6b571fcc011c
SHA256 24b70e5fa2518dbd891017db886ab3392c5493ab95f57ffd56584a32c345334d
SHA512 131ee5249357b507e09472a7eb58094652fe363fa05737a360c20cc1b232cbbb57013e720b4262926b8897cc71b528d6d8ccc238c75bbbcb7cd081b80a461aec

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\H0WQJ3E979V8TTH418VQ.temp

MD5 a98ab9185fd95389bec8397fbb8274d2
SHA1 4f59dbdda346d7d1c22fd975c7458461b33bf76c
SHA256 8426b9f2687f2450656e4f8e0e92ac6349e2a9016a062f623a08d015a76b53da
SHA512 d91b6ea4b18d31168c0a2eec2c560c66d53f0a6723c4d820fa63c02fa60d2c05d2d631bb2fec68822fc4696eae247227b6884fc359cdd1b7e2d1b12b1aa80995

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\sessionstore-backups\recovery.baklz4

MD5 500ab457a8e35cb07bfa6ef5eb387df4
SHA1 a1bf6973668b762a53f664888b8af681d5bd86dd
SHA256 812799769090a9e763c798678638af529ddd7fdf9b233f399b0f3d95eb665c54
SHA512 fadd8e9830646e49a2ec8d1c4d082258bffd2794adb0be49c1fa867f4aeb699d8d220a37d40e8238bf14a66809690e5732532c910bc3f3fe32159dfec881770a

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\cache2\entries\80E40493E66F98650D12C73CDEFE29BBACA89328

MD5 ef8cca55b40b9d8a14e8018c50e2f7bf
SHA1 16847c2a515f874dd265339cca18c5052a916a94
SHA256 053fc2d241d3393a72cc08df8ecdda781f4b6f84f59b49a666816e6d9fe23906
SHA512 b19a51fb3e2c055eb6fb1b51bda130c51c89171011a8dd73c630b7ab3ee553ca0c0fd8990390039e5cd73ee92cc19951f2ea41dc0f92d7bde68d034075182397

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\sessionstore-backups\recovery.baklz4

MD5 296cbd6988f5335a84d51dc203a79c6c
SHA1 b973ecd66c456aa18b950ccd38aa8c00471b848a
SHA256 41ca7a8b5324e4d9d937309f368afa83bb9af99c351d3afc0e0705eb76143960
SHA512 5c4e82a9c92120c627326893a4825de7b147c32fa6b17322ebda7536d0766d3839856393c84635ea89eaba796b5e47a3aeb72e9d4167e5dd096cfacb35cfeec1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\db\data.safe.tmp

MD5 9e42eddbbdcd9331365e3d2fa2c8d524
SHA1 ddfe82d5702ccb9650595c70f6283deed6e5976b
SHA256 5fae68f16718f11b70612177f6da303aa73f40379eea245cd7256a21bae20fa3
SHA512 4eae74ec867a7d630adbd7a8322ea4a59d3ee6e4453aa48ec7b0730c52f699fc62a7487eb013fcdd78257ec7db9e60daf22d84a511e8460beef51305b8ce4e61

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\sessionstore-backups\recovery.baklz4

MD5 8988c2a0b6b954067b905ed3bd2ef8d4
SHA1 841a32c2bd943fa7fbc8a73cb694202eb3040aab
SHA256 1d34e989d1420c6bc5ed9cc234188cabdbc27dbbf26bd56d08f8c21735a25197
SHA512 09fb6ce0038c7c7b495361f78df8e744862f5b51a69fad793a48cab4a2c12986d131e0fba4cb5a4730a27d4100d0a41909106d108c7ab5e75b352fa308c06c0e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\db\data.safe.tmp

MD5 cdab6a57529d3a18dacb273e82af52c9
SHA1 36c9a03039e9ae6c9f82e93ced6ee9899e583d96
SHA256 a8bf3d527b8f29de9dae5c6af540fe23704e48e35f9738bcab843b8426ead1e8
SHA512 e8254a9d37f6c2fdaeb6beb810e24c0517f16399c39b16c52645646b865112855282d6f5b14bfdc9f9826b21899ded7e2e9fe03a744b7d61dec4cbf5720a49a8

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\pending_pings\fcc65fd8-32f9-4a1b-a4ae-ede72ec36927

MD5 29892f088ebc825e200a6d5a09dd8057
SHA1 b4470c1bb6c913bf1ca3bc286c7124de81bf4b55
SHA256 27fefeea9425c644beb89aaa702624042199c04c8e943cda25bd3569f3377bf6
SHA512 4fafe2d4a6f4bda82dcc0ce657d140fbef1fffe5f1f38f765d82576c1585d3d5e63c5d017863be7e203e7ff7166ab92ef84dc0c0361fcf948db247e4bf041b38

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\pending_pings\28820b2f-3a97-4e40-b954-2ac024f4e9e8

MD5 7957f3a1e7d93628c1179088f91301f5
SHA1 16dd86f309322fee4011d3c1a3fa94eb997c288a
SHA256 d384b657d283366751471efa49561bcd980e915304752c2b2f93c2823c79cb67
SHA512 8fce14118259290c7ee9820693e70ab5c16d606c6741d27fcc8882f2451586dfd559464c0374534b334639a7830cf2d90541a0009e7f6c5c98dbccd3628adebd

C:\Users\Admin\Desktop\windows-malware-master\MEMZ\x

MD5 1c604b4fef887029e9a3fa342fa908fa
SHA1 27bd3753c25ea4ea49c7c7b564a1fd641bd0eb23
SHA256 d6a4b048b5f28963aeac2e56db9ceeb4607c068cbe06c041631b9c878964330e
SHA512 ff804c5b76e5aeb6efbd6a7650d5614e922ab605a45873aaeec0ae898e1a7275dc4ec862cd0bef20998e1b741b2add2846e4cfa9c0fcaaf197c4c50aa934cdf8

C:\Users\Admin\Desktop\windows-malware-master\MEMZ\x.js

MD5 8eec8704d2a7bc80b95b7460c06f4854
SHA1 1b34585c1fa7ec0bd0505478ac9dbb8b8d19f326
SHA256 aa01b8864b43e92077a106ed3d4656a511f3ba1910fba40c78a32ee6a621d596
SHA512 e274b92810e9a30627a65f87448d784967a2fcfbf49858cbe6ccb841f09e0f53fde253ecc1ea0c7de491d8cc56a6cf8c79d1b7c657e72928cfb0479d11035210

C:\Users\Admin\Desktop\windows-malware-master\MEMZ\x

MD5 1882f3dd051e401349f1af58d55b0a37
SHA1 6b0875f9e3164f3a9f21c1ec36748a7243515b47
SHA256 3c8cea1a86f07b018e637a1ea2649d907573f78c7e4025ef7e514362d09ff6c0
SHA512 fec96d873997b5c6c82a94f8796c88fc2dd38739277c517b8129277dcbda02576851f1e27bdb2fbb7255281077d5b9ba867f6dfe66bedfc859c59fdd3bbffacf

C:\Users\Admin\Desktop\windows-malware-master\MEMZ\z.zip

MD5 63ee4412b95d7ad64c54b4ba673470a7
SHA1 1cf423c6c2c6299e68e1927305a3057af9b3ce06
SHA256 44c1857b1c4894b3dfbaccbe04905652e634283dcf6b06c25a74b17021e2a268
SHA512 7ff153826bd5fed0a410f6d15a54787b79eba927d5b573c8a7f23f4ecef7bb223d79fd29fe8c2754fbf5b4c77ab7c41598f2989b6f4c7b2aa2f579ef4af06ee7

C:\Users\Admin\AppData\Roaming\MEMZ.exe

MD5 19dbec50735b5f2a72d4199c4e184960
SHA1 6fed7732f7cb6f59743795b2ab154a3676f4c822
SHA256 a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d
SHA512 aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d

C:\Users\Admin\AppData\Local\Temp\87A6.tmp\87A7.tmp\87A8.vbs

MD5 3b8696ecbb737aad2a763c4eaf62c247
SHA1 4a2d7a2d61d3f4c414b4e5d2933cd404b8f126e5
SHA256 ce95f7eea8b303bc23cfd6e41748ad4e7b5e0f0f1d3bdf390eadb1e354915569
SHA512 713d9697b892b9dd892537e8a01eab8d0265ebf64867c8beecf7a744321257c2a5c11d4de18fcb486bb69f199422ce3cab8b6afdbe880481c47b06ba8f335beb

C:\Users\Admin\AppData\Local\Temp\87A6.tmp\eulascr.exe

MD5 8b1c352450e480d9320fce5e6f2c8713
SHA1 d6bd88bf33de7c5d4e68b233c37cc1540c97bd3a
SHA256 2c343174231b55e463ca044d19d47bd5842793c15954583eb340bfd95628516e
SHA512 2d8e43b1021da08ed1bf5aff110159e6bc10478102c024371302ccfce595e77fd76794658617b5b52f9a50190db250c1ba486d247d9cd69e4732a768edbb4cbc

memory/3552-1234-0x0000000000300000-0x000000000032A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5a530dfd-bc51-4992-a05d-f09d41a331d4\AgileDotNetRT64.dll

MD5 42b2c266e49a3acd346b91e3b0e638c0
SHA1 2bc52134f03fcc51cb4e0f6c7cf70646b4df7dd1
SHA256 adeed015f06efa363d504a18acb671b1db4b20b23664a55c9bc28aef3283ca29
SHA512 770822fd681a1d98afe03f6fbe5f116321b54c8e2989fb07491811fd29fca5b666f1adf4c6900823af1271e342cacc9293e9db307c4eef852d1a253b00347a81

memory/3552-1241-0x00007FF9D08B0000-0x00007FF9D09FE000-memory.dmp

memory/3552-1242-0x000000001CF10000-0x000000001D0D2000-memory.dmp

memory/3552-1243-0x000000001D610000-0x000000001DB38000-memory.dmp

C:\note.txt

MD5 afa6955439b8d516721231029fb9ca1b
SHA1 087a043cc123c0c0df2ffadcf8e71e3ac86bbae9
SHA256 8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270
SHA512 5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

C:\Users\Admin\AppData\Local\Temp\87A6.tmp\winfool.exe

MD5 0ec335d4024b8bce257fe324b2897212
SHA1 2065f4c48dbf38685cfb5696cd3d631c89144ec0
SHA256 1d979a5e213a301d157e4b93efe520552c7112d87549e0f02f79c080d38b4189
SHA512 ad9f16fb795c9d5d004639ba9c5c0d0f264232d596d1101b1182e8ef9408b05447bac27968f9bc0ebc57f9a765f45ba51bb06a0945b6b93483eef1919c7efd57

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 719923124ee00fb57378e0ebcbe894f7
SHA1 cc356a7d27b8b27dc33f21bd4990f286ee13a9f9
SHA256 aa22ab845fa08c786bd3366ec39f733d5be80e9ac933ed115ff048ff30090808
SHA512 a207b6646500d0d504cf70ee10f57948e58dab7f214ad2e7c4af0e7ca23ce1d37c8c745873137e6c55bdcf0f527031a66d9cc54805a0eac3678be6dd497a5bbc

\??\pipe\LOCAL\crashpad_4020_MKHEMATJOETMIVWA

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 d7114a6cd851f9bf56cf771c37d664a2
SHA1 769c5d04fd83e583f15ab1ef659de8f883ecab8a
SHA256 d2c75c7d68c474d4b8847b4ba6cfd09fe90717f46dd398c86483d825a66e977e
SHA512 33bdae2305ae98e7c0de576de5a6600bd70a425e7b891d745cba9de992036df1b3d1df9572edb0f89f320e50962d06532dae9491985b6b57fd37d5f46f7a2ff8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 b728e017c1df69a262a4ddc78e037697
SHA1 d3456c91b162b838fc6295af63b93bcf1d485997
SHA256 9b40094219860781518f0a023314efa25ed7e7fbcc3c203c183184c36b6b2a59
SHA512 932be42a3f884d1d3e9ec517d9674c62177ab582ccf4c56ec22f7c477f4385933003be24c8dbb15b5b875538404bb8765b2b7c42a36831ec307cea8a8f151eb5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 9fd436ddf6f7ffdc89d9b1477cb7e031
SHA1 bd37792f42512179a885c40d1bcedbd0f6330568
SHA256 cb589c6a62d0dec617bfc01d316af5c28d4b9ce19ba9b84ad8801be75b5eb790
SHA512 348981bd3e91ff28c4e771a9960d56fdd9331d51ae2af682fdafea07f632224c2b10304f653c7dd4a48bb42aa9db71132cab0bb349b14acd76cb331962baafd1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 649b8dac1ebfceeb17a0f2016e43e300
SHA1 4725ccbf22b352c2a6b1001bf6eca426282f9882
SHA256 8d204fc15dfd9999606694e40d5e31eade37646ef8c1113d5c2210195264904d
SHA512 af1e663c577aec1d060fd2ef477f77af0dad96355b4316a2c201adffb1a56e0fdcde7826d1e07c330461c0a67dc27212e05c5ecff13a680ffef21770bb1ba2fa

memory/5212-1335-0x0000000000400000-0x000000000040E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 004672e2ec1c05cdfe76955a436487a4
SHA1 e45d60502635f4da2d4b639799f4c9c9b2745046
SHA256 295976749f8a9811c4cf4a678d9375d7824836066fab537fbc780b6fd5c78756
SHA512 bec6a31c7a159e51b3e2cab77fbe403463915f9b5000a53b1acf181553b0e11864f554191dec490b8547540e0d3661a5d77b9b2cd73e71605c081a134ffe3644