Analysis Overview
SHA256
bab52efb1c11cba17e9ae78fdb51c2d8c825af93538eee05b12b2e30b8a0d6e2
Threat Level: Known bad
The file 37626322_1871171556512529_4700140521996156928_n.jpg was found to be: Known bad.
Malicious Activity Summary
UAC bypass
Adds autorun key to be loaded by Explorer.exe on startup
Modifies WinLogon for persistence
Disables RegEdit via registry modification
Event Triggered Execution: AppInit DLLs
Downloads MZ/PE file
Disables Task Manager via registry modification
Event Triggered Execution: Image File Execution Options Injection
Boot or Logon Autostart Execution: Active Setup
Manipulates Digital Signatures
UPX packed file
Modifies file permissions
Checks computer location settings
Checks BIOS information in registry
Obfuscated with Agile.Net obfuscator
Modifies system executable filetype association
Loads dropped DLL
Executes dropped EXE
Installs/modifies Browser Helper Object
Drops desktop.ini file(s)
Indicator Removal: File Deletion
Modifies WinLogon
Checks whether UAC is enabled
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Checks installed software on the system
Maps connected drives based on registry
Writes to the Master Boot Record (MBR)
Sets desktop wallpaper using registry
Suspicious use of SetThreadContext
AutoIT Executable
Subvert Trust Controls: Mark-of-the-Web Bypass
Drops file in Program Files directory
Drops file in Windows directory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Browser Information Discovery
Access Token Manipulation: Create Process with Token
Event Triggered Execution: Netsh Helper DLL
Modifies Control Panel
Views/modifies file attributes
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Modifies data under HKEY_USERS
Checks processor information in registry
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Suspicious behavior: AddClipboardFormatListener
NTFS ADS
Kills process with taskkill
Suspicious use of SetWindowsHookEx
System policy modification
Modifies Internet Explorer settings
Suspicious behavior: GetForegroundWindowSpam
Checks SCSI registry key(s)
Modifies Internet Explorer start page
Suspicious behavior: EnumeratesProcesses
Enumerates system info in registry
Suspicious use of FindShellTrayWindow
Modifies registry class
Gathers network information
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-09-21 11:51
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-21 11:51
Reported
2024-09-21 12:10
Platform
win10-20240404-en
Max time kernel
1155s
Max time network
1170s
Command Line
Signatures
Downloads MZ/PE file
Checks BIOS information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\DB.EXE | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\Downloads\ArcticBomb.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\ArcticBomb(1).exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\Ana.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AV.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AV2.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DB.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\EN.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SB.EXE | N/A |
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\DB.EXE | N/A |
Indicator Removal: File Deletion
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | \??\physicaldrive0 | C:\Users\Admin\AppData\Local\Temp\SB.EXE | N/A |
Subvert Trust Controls: Mark-of-the-Web Bypass
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\Downloads\Ana.exe:Zone.Identifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| File created | C:\Users\Admin\Downloads\ArcticBomb.exe:Zone.Identifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| File created | C:\Users\Admin\Downloads\ArcticBomb(1).exe:Zone.Identifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\ArcticBomb(1).exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\Ana.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\AV2.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\AV.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\DB.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\EN.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\SB.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\ArcticBomb.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Gathers network information
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\Downloads\Walker.com:Zone.Identifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| File created | C:\Users\Admin\Downloads\ArcticBomb.exe:Zone.Identifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| File created | C:\Users\Admin\Downloads\ArcticBomb(1).exe:Zone.Identifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| File created | C:\Users\Admin\Downloads\Ana.exe:Zone.Identifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DB.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DB.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DB.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DB.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\DB.EXE | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\DB.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\DB.EXE | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\DB.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\37626322_1871171556512529_4700140521996156928_n.jpg
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1400.0.1194124552\495465691" -parentBuildID 20221007134813 -prefsHandle 1744 -prefMapHandle 1736 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {aab21ac8-b10d-41c2-a554-d24f51656224} 1400 "\\.\pipe\gecko-crash-server-pipe.1400" 1824 2922aed7058 gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1400.1.1820892807\106588220" -parentBuildID 20221007134813 -prefsHandle 2152 -prefMapHandle 2148 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f9ef8649-3b38-47f8-873a-822933c08e90} 1400 "\\.\pipe\gecko-crash-server-pipe.1400" 2180 29218be4158 socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1400.2.909716552\1633828768" -childID 1 -isForBrowser -prefsHandle 2740 -prefMapHandle 2692 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1112 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ecf161eb-aa06-4af6-9e6a-d9d6029768f0} 1400 "\\.\pipe\gecko-crash-server-pipe.1400" 2828 2922f098858 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1400.3.354299094\979098068" -childID 2 -isForBrowser -prefsHandle 3412 -prefMapHandle 3408 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1112 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e49a3d3b-158f-4d6e-a184-367fc841fcaf} 1400 "\\.\pipe\gecko-crash-server-pipe.1400" 3400 29218b61f58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1400.4.1826464598\874103315" -childID 3 -isForBrowser -prefsHandle 4408 -prefMapHandle 4404 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1112 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {258422a3-d2df-4f84-9233-35db0e5a0c75} 1400 "\\.\pipe\gecko-crash-server-pipe.1400" 4420 292300ea258 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1400.5.792260466\1533761300" -childID 4 -isForBrowser -prefsHandle 4868 -prefMapHandle 4864 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1112 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bd57bfb6-41e4-44a9-a132-30c653c8b11a} 1400 "\\.\pipe\gecko-crash-server-pipe.1400" 4884 2923155bf58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1400.6.1092433181\331666472" -childID 5 -isForBrowser -prefsHandle 5028 -prefMapHandle 5032 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1112 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2ce27744-7097-483b-9040-6bda7f13d5a9} 1400 "\\.\pipe\gecko-crash-server-pipe.1400" 5020 292316af558 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1400.7.1657614343\1007215010" -childID 6 -isForBrowser -prefsHandle 5228 -prefMapHandle 5232 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1112 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2f46921d-f9e6-44f2-aec5-19a1bc842911} 1400 "\\.\pipe\gecko-crash-server-pipe.1400" 5220 292316afe58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1400.8.1020263999\452802352" -childID 7 -isForBrowser -prefsHandle 5688 -prefMapHandle 5684 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1112 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2b440cfb-6830-47d6-b65a-36cc894e47aa} 1400 "\\.\pipe\gecko-crash-server-pipe.1400" 5696 2923374f458 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1400.9.188943350\502607874" -childID 8 -isForBrowser -prefsHandle 5988 -prefMapHandle 5640 -prefsLen 26689 -prefMapSize 233444 -jsInitHandle 1112 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0eecffca-116c-4edd-a43f-a40c55d099e9} 1400 "\\.\pipe\gecko-crash-server-pipe.1400" 5996 29233f2ee58 tab
C:\Users\Admin\Downloads\ArcticBomb.exe
"C:\Users\Admin\Downloads\ArcticBomb.exe"
C:\Users\Admin\Downloads\ArcticBomb(1).exe
"C:\Users\Admin\Downloads\ArcticBomb(1).exe"
C:\Users\Admin\Downloads\Ana.exe
"C:\Users\Admin\Downloads\Ana.exe"
C:\Users\Admin\AppData\Local\Temp\AV.EXE
"C:\Users\Admin\AppData\Local\Temp\AV.EXE"
C:\Users\Admin\AppData\Local\Temp\AV2.EXE
"C:\Users\Admin\AppData\Local\Temp\AV2.EXE"
C:\Users\Admin\AppData\Local\Temp\DB.EXE
"C:\Users\Admin\AppData\Local\Temp\DB.EXE"
C:\Users\Admin\AppData\Local\Temp\EN.EXE
"C:\Users\Admin\AppData\Local\Temp\EN.EXE"
C:\Users\Admin\AppData\Local\Temp\SB.EXE
"C:\Users\Admin\AppData\Local\Temp\SB.EXE"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\EN.EXE > nul
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4608.0.1438447421\874826262" -parentBuildID 20221007134813 -prefsHandle 1516 -prefMapHandle 1500 -prefsLen 21202 -prefMapSize 233536 -appDir "C:\Program Files\Mozilla Firefox\browser" - {92a45f87-779d-4f4c-a1cd-439a9f4fca96} 4608 "\\.\pipe\gecko-crash-server-pipe.4608" 1604 13f09ae5658 gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4608.1.87610082\1992105305" -parentBuildID 20221007134813 -prefsHandle 1948 -prefMapHandle 1944 -prefsLen 21247 -prefMapSize 233536 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5e105288-8c49-47c0-a2c3-6fce843913e3} 4608 "\\.\pipe\gecko-crash-server-pipe.4608" 1968 13f09735a58 socket
C:\Windows\SysWOW64\mycomputz.exe
C:\Windows\SysWOW64\mycomputz.exe
C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\system32\ipconfig.exe" /flushdns
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4608.2.1412574727\383529057" -childID 1 -isForBrowser -prefsHandle 2628 -prefMapHandle 2624 -prefsLen 21708 -prefMapSize 233536 -jsInitHandle 900 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1ecd29d7-5e6e-4e84-824b-5a83af5e334a} 4608 "\\.\pipe\gecko-crash-server-pipe.4608" 2640 13f0e244058 tab
C:\Windows\SysWOW64\cmd.exe
/c C:\Users\Admin\AppData\Local\Temp\~unins9203.bat "C:\Users\Admin\AppData\Local\Temp\DB.EXE"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4608.3.1803188251\728282023" -childID 2 -isForBrowser -prefsHandle 3372 -prefMapHandle 3368 -prefsLen 26100 -prefMapSize 233536 -jsInitHandle 900 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {069da02b-fafd-42c7-82fa-7ce104515695} 4608 "\\.\pipe\gecko-crash-server-pipe.4608" 3376 13f10074d58 tab
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 201.64.52.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| N/A | 127.0.0.1:49772 | | tcp |
| N/A | 127.0.0.1:49778 | | tcp |
| US | 8.8.8.8:53 | 166.188.117.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.70.235.44.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 216.58.204.68:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 216.58.204.68:443 | www.google.com | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | 68.204.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.169.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | csp.withgoogle.com | udp |
| GB | 216.58.212.241:443 | csp.withgoogle.com | tcp |
| US | 8.8.8.8:53 | csp.withgoogle.com | udp |
| US | 8.8.8.8:53 | csp.withgoogle.com | udp |
| GB | 216.58.212.241:443 | csp.withgoogle.com | udp |
| US | 8.8.8.8:53 | ogads-pa.googleapis.com | udp |
| GB | 142.250.187.234:443 | ogads-pa.googleapis.com | tcp |
| GB | 142.250.187.234:443 | ogads-pa.googleapis.com | tcp |
| US | 8.8.8.8:53 | ogads-pa.googleapis.com | udp |
| US | 8.8.8.8:53 | ogads-pa.googleapis.com | udp |
| GB | 142.250.187.234:443 | ogads-pa.googleapis.com | udp |
| US | 8.8.8.8:53 | 2.180.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.212.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 234.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | play.google.com | udp |
| GB | 142.250.187.238:443 | play.google.com | tcp |
| US | 8.8.8.8:53 | play.google.com | udp |
| US | 8.8.8.8:53 | play.google.com | udp |
| GB | 142.250.187.238:443 | play.google.com | udp |
| US | 8.8.8.8:53 | 238.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | consent.google.com | udp |
| GB | 142.250.180.14:443 | consent.google.com | tcp |
| US | 8.8.8.8:53 | consent.google.com | udp |
| US | 8.8.8.8:53 | consent.google.com | udp |
| GB | 142.250.180.14:443 | consent.google.com | udp |
| US | 8.8.8.8:53 | 14.180.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | github.githubassets.com | udp |
| US | 8.8.8.8:53 | github.githubassets.com | udp |
| US | 185.199.111.154:443 | github.githubassets.com | tcp |
| US | 185.199.111.154:443 | github.githubassets.com | tcp |
| US | 185.199.111.154:443 | github.githubassets.com | tcp |
| US | 185.199.111.154:443 | github.githubassets.com | tcp |
| US | 185.199.111.154:443 | github.githubassets.com | tcp |
| US | 185.199.111.154:443 | github.githubassets.com | tcp |
| US | 8.8.8.8:53 | github.githubassets.com | udp |
| US | 8.8.8.8:53 | avatars.githubusercontent.com | udp |
| US | 185.199.109.133:443 | avatars.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | avatars.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | avatars.githubusercontent.com | udp |
| US | 8.8.8.8:53 | avatars.githubusercontent.com | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.111.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.109.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | collector.github.com | udp |
| US | 8.8.8.8:53 | api.github.com | udp |
| US | 8.8.8.8:53 | glb-db52c2cf8be544.github.com | udp |
| US | 140.82.114.21:443 | collector.github.com | tcp |
| US | 140.82.114.21:443 | collector.github.com | tcp |
| US | 8.8.8.8:53 | glb-db52c2cf8be544.github.com | udp |
| GB | 20.26.156.210:443 | api.github.com | tcp |
| US | 8.8.8.8:53 | api.github.com | udp |
| US | 8.8.8.8:53 | api.github.com | udp |
| US | 8.8.8.8:53 | 21.114.82.140.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | glb-db52c2cf8be544.github.com | udp |
| US | 8.8.8.8:53 | glb-db52c2cf8be544.github.com | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 8.8.8.8:53 | 133.111.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | collector.github.com | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | glb-db52c2cf8be544.github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | glb-db52c2cf8be544.github.com | udp |
| US | 8.8.8.8:53 | api.github.com | udp |
| GB | 20.26.156.210:443 | api.github.com | tcp |
| US | 8.8.8.8:53 | api.github.com | udp |
| GB | 20.26.156.210:443 | api.github.com | tcp |
| US | 8.8.8.8:53 | collector.github.com | udp |
| US | 8.8.8.8:53 | glb-db52c2cf8be544.github.com | udp |
| US | 8.8.8.8:53 | glb-db52c2cf8be544.github.com | udp |
| GB | 20.26.156.210:443 | api.github.com | tcp |
| US | 8.8.8.8:53 | aeravine.com | udp |
| US | 8.8.8.8:53 | middlechrist.com | udp |
| US | 8.8.8.8:53 | bemachin.com | udp |
| US | 66.96.162.135:80 | middlechrist.com | tcp |
| US | 8.8.8.8:53 | 135.162.96.66.in-addr.arpa | udp |
| US | 8.8.8.8:53 | imagehut4.cn | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | github.githubassets.com | udp |
| US | 8.8.8.8:53 | github.githubassets.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | avatars.githubusercontent.com | udp |
| US | 8.8.8.8:53 | avatars.githubusercontent.com | udp |
| US | 8.8.8.8:53 | github.githubassets.com | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | avatars.githubusercontent.com | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 45.196.163.119:80 | imagehut4.cn | tcp |
Files
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\datareporting\glean\pending_pings\13505344-f1bf-413e-b2ec-11d1e30b0dc4
| MD5 | c00b9f12178a6012c8b56062b6815d9d |
| SHA1 | 7ce13adf57007c8d0bd930bd35eb3a34a8240fa7 |
| SHA256 | b51588cf34928cf958dc89d658a85ab4991665e777a6f8429f5928d5b9079e98 |
| SHA512 | 2bdf73323617e85f87bcc669ba049f063d9fa7ad78aee5ddea37639a487d8d019662e4dca55a6726c292d6b15e94b88d03523115daea7261e0b3cf16382c1dfb |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\datareporting\glean\pending_pings\2b7ddf3f-9bc3-433a-a9ed-7e33ee15294d
| MD5 | ba3528ec498df5a3904eb51f2c90e836 |
| SHA1 | 7873cae2ff9d061f49afccc0534ef3fb1f2343f0 |
| SHA256 | 07d296fd805e9326730a1585d68e59a48cf8ac2c81c9399f08384ae2b6668837 |
| SHA512 | 93e1dd62fde1c8bca5d34cd54c1ad30c85990acd6ff5e4c33c44b9c9485058350b13c96a833c7e046fe3fc20ececa8cb20b302a539d13ea82a3b6e09f7203fd4 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\datareporting\glean\db\data.safe.bin
| MD5 | 9d85ac1a29f93eab165f208af618f2e0 |
| SHA1 | 20902a4797e21c4d95815b78857b47a9cedbd244 |
| SHA256 | dd9c1c9f09a95e2807bcaa72af91603e2cfc26555df758e835088551d31800b1 |
| SHA512 | 376a4bc1993565f1077e25aa0a1ac746cc99396de4552284002309720769e11ac3df613041ba4d1ac9d4a4f24a04ae9eea2aa84cbead39e6c53bf14eeee9d3bd |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
| MD5 | 731c0e733fe1e3123d366af7c8e578ae |
| SHA1 | 9756304ea773dd9cd96e5996dc79de2ed6a9ae9c |
| SHA256 | 8f426b4be5e3440fa14d37480f018b7dc3d1a547b0e91c2fbfc6e31d9054a359 |
| SHA512 | d29e0f2356a3226f64692b390c122d4d70f09f677d9f5d086f2babaeba6574d670171edb24ff52f928871ec489680f57910e21fac1ca8ec08783a07d21b1f427 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\prefs-1.js
| MD5 | bc39fdb2d3244d67833144c54346b71c |
| SHA1 | 830db456161107e8bbbba88902aa3a18f8bf63df |
| SHA256 | a539c3d8482c3e79420a8de8f5ab690efa61b4d09928ceadfd5f926c0f8b1078 |
| SHA512 | cc8b0bd732c58d1bd3b86f780356205d2ee270abce4be66bfd042096b0e6b4652c59a334cd6835fbb7ebacd6e0c03b4ac18722409fd1e3eb3c44a1d622e78595 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 3551595fbd550f7c00acfad041fe572e |
| SHA1 | e27dc7c5997e4dbe5bd8247292bcebfc95a607c3 |
| SHA256 | 84e473f42716a608d880af06d84e34e1eed8b4cded5c18381ce864d458898869 |
| SHA512 | 3a5eb980b8725f0cb1ce66152477b7a00e9be89342b53a1f9697a4dd158c1dc8c2976182225e63e27337f74d67725a343000741df1d45657453141ba6e76dbf0 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | a3d7534b8582bd16a2d4d8dc66683dc4 |
| SHA1 | 9cb2fc1ce875b6fde1e9461dae690174a4eb6b70 |
| SHA256 | bc91953e165ae442823719c6b789a9aab58d0d0f978c2648b8d5fc0321d79801 |
| SHA512 | 435b2d738bd56dccd152b6c53d2064a7b0385ddd44876c68f694639d7c90738916e65570f83dca6683d6971f99cc4097de6888c6c55b2559f3dadafbd83dfa86 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 8ff6da972d154ec2f4aced0bddd73c08 |
| SHA1 | 2f133e690606213c470cc93c6d64c789b89ab7ae |
| SHA256 | b27a690680dce6f8ea4fef7afe381b0d191525bac79952a5753d8417a5d0f0fd |
| SHA512 | 001fd91d9a7a62fdf277ceb46f3ae11aebf60c7019d561a83eda96d72e61d4ac9b35e96cee23da27fd8943a0447932ca2416728765dd2df723d1a8aa72b70211 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\je1358xf.default-release\cache2\doomed\18753
| MD5 | 5e7962685f25769dcc60306047052f6f |
| SHA1 | 788ac63c914c6420680ea66cef40102aedd59501 |
| SHA256 | 7d4b549af552bbd649eb1f69799b1a0a7d6c6bb5905a2caeba4bb4153f7db9ec |
| SHA512 | dade87207781a208226c6153d0847f8f937895111f29795498d9200b652e4068ae5c83e30f15ec81175625c09c177a9396b967e071942085a54ea31511e86614 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | cf833c04f0d994014093aa972eb3d964 |
| SHA1 | 439d7ee32696773f41cefe9a9536c358152b370f |
| SHA256 | f9c37f763269dfa246909e0e764a0974277dca626dc81d4f844af09c32220232 |
| SHA512 | eb7ea53dd2e08ef2c28b5ab90fe864ee0fdd6302ab8776af023882f1cea5be90b50e0c280b064dd6ba5a5054a4a0b722f2b955e60b5b7b04af21f1aa22373cc2 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 42a5ed09f3baeee09f828ce5e1877c3d |
| SHA1 | 707e55e60bc4b975d8416627072327933ae28d70 |
| SHA256 | 3c6a958b281c53e9738569159b332538cef3c2478303b6173ec4280ce467da0a |
| SHA512 | af939f332c1837d8130ff30d531f8e3e4d2c83e431d0c6643a8c15b273c8d71aa1fbffebb95879a49c9187e6552f68ddba46bb99f7f216f1320b7746ce77af28 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\je1358xf.default-release\cache2\doomed\29080
| MD5 | 20cceee3ad45bed85bce35e1e6656e15 |
| SHA1 | 5b9380e22b130cae01efff37f87b5e27e5f050d7 |
| SHA256 | 33368acf76091171deded0ea45a8e960188bc92f1f58af793ef1342845c24b7d |
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-21 11:51
Reported
2024-09-21 12:06
Platform
win10v2004-20240802-en
Max time kernel
916s
Max time network
917s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, wscript.exe \"C:\\Program Files\\mrsmajor\\Launcher.vbs\"" | C:\Windows\System32\wscript.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Windows\system32\wscript.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Windows\System32\wscript.exe | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\disableregistrytools = "1" | C:\Windows\System32\wscript.exe | N/A |
Disables Task Manager via registry modification
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\wscript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Downloads\MrsMajor3.0.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Downloads\BossDaMajor.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\Downloads\MrsMajor3.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3881.tmp\eulascr.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\BossDaMajor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3881.tmp\eulascr.exe | N/A |
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\Program Files\\mrsmajor\\Icon_resource\\SkullIco.ico" | C:\Windows\System32\wscript.exe | N/A |
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Users\Public\Music\desktop.ini | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A |
| File opened for modification | C:\Users\Admin\Videos\desktop.ini | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A |
| File opened for modification | C:\Users\Public\Videos\desktop.ini | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\desktop.ini | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A |
| File opened for modification | C:\Users\Public\Pictures\desktop.ini | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A |
| File opened for modification | C:\Users\Admin\Music\desktop.ini | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A |
| File opened for modification | C:\Users\Public\desktop.ini | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A |
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Program Files\mrsmajor\CPUUsage.vbs | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\Program Files\mrsmajor\def_resource\@Tile@@.jpg | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\Program Files\mrsmajor\mrsmajorlauncher.vbs | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\Program Files\mrsmajor\MrsMjrGui.exe | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\Program Files\mrsmajor\Doll_patch.xml | C:\Windows\System32\wscript.exe | N/A |
| File created | C:\Program Files\mrsmajor\DreS_X.bat | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\Program Files\mrsmajor\Launcher.vbs | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\Program Files\mrsmajor\Icon_resource\SkullIco.ico | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\Program Files\mrsmajor\WinLogon.bat | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\Program Files\mrsmajor\CPUUsage.vbs | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\Program Files\mrsmajor\def_resource\Skullcur.cur | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\Program Files\mrsmajor\def_resource\f11.mp4 | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\Program Files\mrsmajor\MrsMjrGuiLauncher.bat | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\Program Files\mrsmajor\reStart.vbs | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\Program Files\mrsmajor\default.txt | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\Program Files\mrsmajor\def_resource\creepysound.mp3 | C:\Windows\system32\wscript.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll | C:\Windows\system32\svchost.exe | N/A |
Subvert Trust Controls: Mark-of-the-Web Bypass
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\Downloads\BossDaMajor.exe:Zone.Identifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| File created | C:\Users\Admin\Downloads\MrsMajor3.0.exe:Zone.Identifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Access Token Manipulation: Create Process with Token
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\BossDaMajor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\unregmp2.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies Control Panel
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Cursors | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Cursors\Arrow = "C:\\Program Files\\mrsmajor\\def_resource\\skullcur.cur" | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Cursors\AppStarting = "C:\\Program Files\\mrsmajor\\def_resource\\skullcur.cur" | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Cursors\Hand = "C:\\Program Files\\mrsmajor\\def_resource\\skullcur.cur" | C:\Windows\System32\wscript.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133713936722553518" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "66" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | C:\Windows\system32\LogonUI.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\Program Files\\mrsmajor\\Icon_resource\\SkullIco.ico" | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\Program Files\\mrsmajor\\Icon_resource\\SkullIco.ico" | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mp3file\DefaultIcon\ = "C:\\Program Files\\mrsmajor\\Icon_resource\\SkullIco.ico" | C:\Windows\System32\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon | C:\Windows\System32\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mp3file\DefaultIcon | C:\Windows\System32\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mp4file | C:\Windows\System32\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\DefaultIcon | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\DefaultIcon\ = "C:\\Program Files\\mrsmajor\\Icon_resource\\SkullIco.ico" | C:\Windows\System32\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2170637797-568393320-3232933035-1000\{3590105E-2F76-474D-8BEE-C0E00BEAD58A} | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon | C:\Windows\System32\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mp4file\DefaultIcon | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mp4file\DefaultIcon\ = "C:\\Program Files\\mrsmajor\\Icon_resource\\SkullIco.ico" | C:\Windows\System32\wscript.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\Downloads\MrsMajor3.0.exe:Zone.Identifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| File created | C:\Users\Admin\Downloads\BossDaMajor.exe:Zone.Identifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\MrsMajor3.0.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Windows\system32\LogonUI.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | C:\Windows\system32\wscript.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Windows\system32\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system | C:\Windows\System32\wscript.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Windows\System32\wscript.exe | N/A |
Uses Task Scheduler COM API
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\37626322_1871171556512529_4700140521996156928_n.jpg
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4260,i,10065386245627775856,6567048529106473151,262144 --variations-seed-version --mojo-platform-channel-handle=4004 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1296,i,10065386245627775856,6567048529106473151,262144 --variations-seed-version --mojo-platform-channel-handle=4068 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffaabd2cc40,0x7ffaabd2cc4c,0x7ffaabd2cc58
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1920,i,5804432608221272407,10153197593662508355,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1916 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2148,i,5804432608221272407,10153197593662508355,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2200 /prefetch:3
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2288,i,5804432608221272407,10153197593662508355,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2496 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3172,i,5804432608221272407,10153197593662508355,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3188 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3344,i,5804432608221272407,10153197593662508355,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3436 /prefetch:1
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3628,i,5804432608221272407,10153197593662508355,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4500 /prefetch:1
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4804,i,5804432608221272407,10153197593662508355,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4816 /prefetch:8
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4716,i,5804432608221272407,10153197593662508355,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4812 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4908,i,5804432608221272407,10153197593662508355,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5180 /prefetch:1
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1968 -parentBuildID 20240401114208 -prefsHandle 1884 -prefMapHandle 1876 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f062283c-b00b-4062-a42c-3d22a8680b92} 3168 "\\.\pipe\gecko-crash-server-pipe.3168" gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2380 -parentBuildID 20240401114208 -prefsHandle 2372 -prefMapHandle 2368 -prefsLen 23716 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {065e3d24-bcd6-494e-b81a-75982da4d545} 3168 "\\.\pipe\gecko-crash-server-pipe.3168" socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2720 -childID 1 -isForBrowser -prefsHandle 3036 -prefMapHandle 3032 -prefsLen 23857 -prefMapSize 244658 -jsInitHandle 1064 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6174634d-8a89-4736-bfc9-3cebfba8d146} 3168 "\\.\pipe\gecko-crash-server-pipe.3168" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4352 -childID 2 -isForBrowser -prefsHandle 4344 -prefMapHandle 4340 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1064 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d8feba7c-ab58-479e-bfa0-b1e8627d324c} 3168 "\\.\pipe\gecko-crash-server-pipe.3168" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4884 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4880 -prefMapHandle 4876 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {62eca861-4997-4f2d-8725-a903f3747c3a} 3168 "\\.\pipe\gecko-crash-server-pipe.3168" utility
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5248 -childID 3 -isForBrowser -prefsHandle 5160 -prefMapHandle 5164 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1064 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4a94b172-e999-44d8-b0ab-c4de2cc348d3} 3168 "\\.\pipe\gecko-crash-server-pipe.3168" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5472 -childID 4 -isForBrowser -prefsHandle 5464 -prefMapHandle 5460 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1064 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {28f0c968-4d57-4640-a7cf-ce15de9f600f} 3168 "\\.\pipe\gecko-crash-server-pipe.3168" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5588 -childID 5 -isForBrowser -prefsHandle 5664 -prefMapHandle 5660 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1064 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5b1bc8ae-7f65-4e4b-8976-4398afefa615} 3168 "\\.\pipe\gecko-crash-server-pipe.3168" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6052 -childID 6 -isForBrowser -prefsHandle 6064 -prefMapHandle 6060 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1064 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3f211386-66f6-4fe7-b905-14c80c0927eb} 3168 "\\.\pipe\gecko-crash-server-pipe.3168" tab
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3776,i,5804432608221272407,10153197593662508355,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3168 /prefetch:8
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6720 -childID 7 -isForBrowser -prefsHandle 6732 -prefMapHandle 6716 -prefsLen 27998 -prefMapSize 244658 -jsInitHandle 1064 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b4a9310e-e317-4c7c-9606-f267bb34c9f9} 3168 "\\.\pipe\gecko-crash-server-pipe.3168" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5028 -childID 8 -isForBrowser -prefsHandle 6808 -prefMapHandle 5032 -prefsLen 27998 -prefMapSize 244658 -jsInitHandle 1064 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {82b4148b-7e0e-45f7-89da-27c32f15d06c} 3168 "\\.\pipe\gecko-crash-server-pipe.3168" tab
C:\Users\Admin\Downloads\MrsMajor3.0.exe
"C:\Users\Admin\Downloads\MrsMajor3.0.exe"
C:\Windows\system32\wscript.exe
"C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\3881.tmp\3882.tmp\3892.vbs //Nologo
C:\Users\Admin\AppData\Local\Temp\3881.tmp\eulascr.exe
"C:\Users\Admin\AppData\Local\Temp\3881.tmp\eulascr.exe"
C:\Users\Admin\Downloads\BossDaMajor.exe
"C:\Users\Admin\Downloads\BossDaMajor.exe"
C:\Windows\system32\wscript.exe
"C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\B949.tmp\B94A.vbs
C:\Windows\System32\notepad.exe
"C:\Windows\System32\notepad.exe"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" "C:\Program files\mrsmajor\mrsmajorlauncher.vbs" RunAsAdministrator
C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" "C:\Program Files\mrsmajor\def_resource\f11.mp4"
C:\Windows\SysWOW64\unregmp2.exe
"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
C:\Windows\system32\unregmp2.exe
"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x380 0x4f0
C:\Windows\System32\shutdown.exe
"C:\Windows\System32\shutdown.exe" -r -t 03
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3927855 /state1:0x41c64e6d
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 85.65.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 216.58.204.68:443 | www.google.com | tcp |
| GB | 216.58.204.68:443 | www.google.com | udp |
| US | 8.8.8.8:53 | 3.200.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.169.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.204.58.216.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 8.8.8.8:53 | clients2.google.com | udp |
| GB | 142.250.180.14:443 | clients2.google.com | tcp |
| US | 8.8.8.8:53 | 14.180.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | content-autofill.googleapis.com | udp |
| GB | 142.250.187.202:443 | content-autofill.googleapis.com | tcp |
| US | 8.8.8.8:53 | 202.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.169.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | beacons.gcp.gvt2.com | udp |
| GB | 142.250.180.14:443 | clients2.google.com | udp |
| US | 8.8.8.8:53 | lens.google.com | udp |
| GB | 142.250.180.14:443 | lens.google.com | tcp |
| N/A | 127.0.0.1:50040 | N/A | tcp |
| N/A | 127.0.0.1:50050 | N/A | tcp |
| US | 8.8.8.8:53 | spocs.getpocket.com | udp |
| US | 8.8.8.8:53 | firefox-api-proxy.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | prod.ads.prod.webservices.mozgcp.net | udp |
| US | 34.149.97.1:443 | firefox-api-proxy.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.ads.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 34.149.97.1:443 | firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | firefox-settings-attachments.cdn.mozilla.net | udp |
| US | 34.117.121.53:443 | firefox-settings-attachments.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | 120.252.208.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.121.117.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 216.58.204.68:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 216.58.204.68:443 | www.google.com | udp |
| US | 8.8.8.8:53 | location.services.mozilla.com | udp |
| US | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp |
| US | 35.190.72.216:443 | location.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | prod.classify-client.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.classify-client.prod.webservices.mozgcp.net | udp |
| US | 35.190.72.216:443 | prod.classify-client.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | 201.181.244.35.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 216.72.190.35.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ciscobinary.openh264.org | udp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| GB | 88.221.134.209:80 | ciscobinary.openh264.org | tcp |
| US | 8.8.8.8:53 | a19.dscg10.akamai.net | udp |
| GB | 142.250.178.14:443 | redirector.gvt1.com | tcp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| US | 8.8.8.8:53 | a19.dscg10.akamai.net | udp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| GB | 142.250.178.14:443 | redirector.gvt1.com | udp |
| US | 8.8.8.8:53 | r4---sn-4g5e6nsd.gvt1.com | udp |
| DE | 173.194.187.41:443 | r4---sn-4g5e6nsd.gvt1.com | tcp |
| US | 8.8.8.8:53 | r4.sn-4g5e6nsd.gvt1.com | udp |
| US | 8.8.8.8:53 | r4.sn-4g5e6nsd.gvt1.com | udp |
| DE | 173.194.187.41:443 | r4.sn-4g5e6nsd.gvt1.com | udp |
| US | 8.8.8.8:53 | 209.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.187.194.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | beacons3.gvt2.com | udp |
| GB | 172.217.169.3:443 | beacons3.gvt2.com | tcp |
| GB | 172.217.169.3:443 | beacons3.gvt2.com | udp |
| US | 8.8.8.8:53 | 3.169.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | csp.withgoogle.com | udp |
| GB | 216.58.212.241:443 | csp.withgoogle.com | tcp |
| US | 8.8.8.8:53 | csp.withgoogle.com | udp |
| US | 8.8.8.8:53 | csp.withgoogle.com | udp |
| GB | 216.58.212.241:443 | csp.withgoogle.com | udp |
| US | 8.8.8.8:53 | 98.201.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.212.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | play.google.com | udp |
| GB | 142.250.187.238:443 | play.google.com | tcp |
| US | 8.8.8.8:53 | play.google.com | udp |
| US | 8.8.8.8:53 | play.google.com | udp |
| US | 8.8.8.8:53 | 238.187.250.142.in-addr.arpa | udp |
| GB | 142.250.187.238:443 | play.google.com | udp |
| US | 8.8.8.8:53 | consent.google.com | udp |
| GB | 142.250.180.14:443 | consent.google.com | tcp |
| US | 8.8.8.8:53 | consent.google.com | udp |
| US | 8.8.8.8:53 | consent.google.com | udp |
| GB | 142.250.180.14:443 | consent.google.com | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.githubassets.com | udp |
| US | 8.8.8.8:53 | avatars.githubusercontent.com | udp |
| US | 8.8.8.8:53 | github.githubassets.com | udp |
| US | 185.199.111.154:443 | github.githubassets.com | tcp |
| US | 185.199.111.154:443 | github.githubassets.com | tcp |
| US | 185.199.111.154:443 | github.githubassets.com | tcp |
| US | 185.199.111.154:443 | github.githubassets.com | tcp |
| US | 185.199.111.154:443 | github.githubassets.com | tcp |
| US | 185.199.111.154:443 | github.githubassets.com | tcp |
| US | 8.8.8.8:53 | avatars.githubusercontent.com | udp |
| US | 185.199.108.133:443 | avatars.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | github.githubassets.com | udp |
| US | 8.8.8.8:53 | avatars.githubusercontent.com | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 8.8.8.8:53 | repository-images.githubusercontent.com | udp |
| US | 185.199.108.133:443 | repository-images.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | repository-images.githubusercontent.com | udp |
| US | 8.8.8.8:53 | repository-images.githubusercontent.com | udp |
| US | 8.8.8.8:53 | collector.github.com | udp |
| US | 8.8.8.8:53 | api.github.com | udp |
| US | 140.82.113.21:443 | collector.github.com | tcp |
| US | 140.82.113.21:443 | collector.github.com | tcp |
| US | 8.8.8.8:53 | glb-db52c2cf8be544.github.com | udp |
| GB | 20.26.156.210:443 | api.github.com | tcp |
| US | 8.8.8.8:53 | api.github.com | udp |
| US | 8.8.8.8:53 | 154.111.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | glb-db52c2cf8be544.github.com | udp |
| US | 8.8.8.8:53 | api.github.com | udp |
| US | 8.8.8.8:53 | 210.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.113.82.140.in-addr.arpa | udp |
| US | 185.199.111.154:443 | github.githubassets.com | tcp |
| US | 8.8.8.8:53 | github.githubassets.com | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | collector.github.com | udp |
| US | 8.8.8.8:53 | glb-db52c2cf8be544.github.com | udp |
| US | 8.8.8.8:53 | glb-db52c2cf8be544.github.com | udp |
| US | 8.8.8.8:53 | api.github.com | udp |
| US | 8.8.8.8:53 | api.github.com | udp |
| GB | 20.26.156.210:443 | api.github.com | tcp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 4a9c8b7b3f08793a9b0985e120828c85 |
| SHA1 | bbadd034434b35e1f9a90a4156f17d93bec46546 |
| SHA256 | 2a01fce6847c784c6ddf9f92843f97f45dd2caaa6d090e0f22caa78f5b5df7a0 |
| SHA512 | 2adf544ae7406804886efd07867602cb603cc7489f095db743ed1f9d6a938f2db006a4023516fc388024bb176b8f898a079307e6068094992302c72afc224b7a |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | b5ab81a8f51840f02078e2d1df43a2af |
| SHA1 | 092c3b1e43d309c2d20368c25b28b03a8ab94a8f |
| SHA256 | 8c2d31c71f27706b9a9029a451936e86c13792c20b99db4b84f9ea3b64c1df2d |
| SHA512 | 14e09958cb5ebb162046ff4f096cd49c851df7e20d23ce4d2a28493e8233b7365f425d7baa55f84bfe31b5e99d8a141024d1dc84fc9bdc60cbf7fd8d14032af7 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
| MD5 | b986038f6cca4fe01133845cf69a5c1d |
| SHA1 | c0028058b5388246b29d9979c17c6a508e21f8ae |
| SHA256 | 31a632d28b1b793a7f023c10f545e148c05145bb422a9b2cc04b30ffb17bbf36 |
| SHA512 | a99295093d8257b56e519703f62d3e53115ac7fd4991123a98a71c2355cba2d0d011256e0f97658aa3a043891846e2b002374fec6b514e72cb9c6bdc248fbe6f |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\AlternateServices.bin
| MD5 | 6e737fd974ddc96c5dab0b2f371cd6c5 |
| SHA1 | 8131af5cecd65d857807c7c21f470397317faa3b |
| SHA256 | 5c6b66f11874740a7af39201a2bbd8a712ad6e492fa7294289c2709c49578421 |
| SHA512 | b91a82818bfbbac5f432828d6a0068a20c6ecda0ed4719be4c0e4c29613286ae4e285c24efaddb765544ad265db1953dce4982685a2c7432e9d170932812834d |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\cache2\entries\10A0222AFA26BA84074326BA5AAF691B1EB56EDC
| MD5 | def88fb71b10226aa92de9011458756e |
| SHA1 | 26d9f072e97906aa23b3b90e48f3c58bdbd8710d |
| SHA256 | 9768e9914083960f38b5fab373af72564ba39b2b4deffc780a75147120f7a4ab |
| SHA512 | 81aa6c19bc07bdad8eb5d64337b423793130431f53d7a5804d6250d3547019f8281320618c4fef9693afdeb972331f948c76c01e015a76a3682c506b132a5806 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 0dc60ce27f73616544c931c6e6c5b3ab |
| SHA1 | dc50b723e3cc533b53c8e0b573728fe46b7daa1a |
| SHA256 | e2a78d5bd6026892b4c3df504c70d90b00625dfa4eb0925d18d35c5f597bab6f |
| SHA512 | 38e8f0af46f34955073e74f4f383bea6078663ee5a5a754f504432e9fd05f7c524d7dfca949d644ccf806a513b0d63a5f0e523d3f0616a22be01e18b73ba513b |
C:\Users\Admin\AppData\Local\Temp\tmpaddon
| MD5 | 09372174e83dbbf696ee732fd2e875bb |
| SHA1 | ba360186ba650a769f9303f48b7200fb5eaccee1 |
| SHA256 | c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f |
| SHA512 | b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\sessionstore-backups\recovery.baklz4
| MD5 | d1007a087921c73646787d85b5f4978b |
| SHA1 | 0849cab8403a0ac1cb79e19d47a7597f953148c9 |
| SHA256 | 70fcf6e4fc711c16e097901defbda0a1127b08df7bb9716db826be59a2229daf |
| SHA512 | 06bf429b7b6a2ad7d47bb60ed984be1b81c8586f931850b3b1b03c4cbe9571be022c4763bc60ae288f413dfe52dfe1646b1b49a6ecfa1e11d4709853bbbc8df1 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
| MD5 | 2a461e9eb87fd1955cea740a3444ee7a |
| SHA1 | b10755914c713f5a4677494dbe8a686ed458c3c5 |
| SHA256 | 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc |
| SHA512 | 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
| MD5 | 842039753bf41fa5e11b3a1383061a87 |
| SHA1 | 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153 |
| SHA256 | d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c |
| SHA512 | d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\prefs-1.js
| MD5 | b2be0bac578ce1f250a2b084a380f1d0 |
| SHA1 | 9f23f2cb6593f0ded0e2746361f589ebb15af82b |
| SHA256 | 05a52943ba5dfb7fecbd326096964a780391a1fab8be622f8518d233834fe4b0 |
| SHA512 | 76676a09c6c89105056e83658ea2ab0a7a7d3dcc705465f8196bca7cb0411e9a14ae303c7b259b825df9f0745d0eef4dae28e050b69893a7a99ed23671bd7f2e |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\AlternateServices.bin
| MD5 | 04dc2aebf58d717bca13a16250dd601a |
| SHA1 | 168e458e42b294f14041a5660a5cd08948bff49a |
| SHA256 | 05f9236998e34e3243da92a9bb24a02c8a0420699014d2b1dfae3d34b6b7843e |
| SHA512 | 94239f11d462f4ccd74462f327c5ac9624c299d95449845db25912aed18db8e3e8928e5cc234195297a9ab38cb2fb68bd4cf4630f43850bd5d5ef0392b4546fb |
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
| MD5 | 0a8747a2ac9ac08ae9508f36c6d75692 |
| SHA1 | b287a96fd6cc12433adb42193dfe06111c38eaf0 |
| SHA256 | 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03 |
| SHA512 | 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
| MD5 | bf957ad58b55f64219ab3f793e374316 |
| SHA1 | a11adc9d7f2c28e04d9b35e23b7616d0527118a1 |
| SHA256 | bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda |
| SHA512 | 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
| MD5 | daf7ef3acccab478aaa7d6dc1c60f865 |
| SHA1 | f8246162b97ce4a945feced27b6ea114366ff2ad |
| SHA256 | bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e |
| SHA512 | 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 13b334949c03ba89b5b4e1d0e32f1477 |
| SHA1 | 486096cf9c234ee3b6161a2cadf9956c8736dd09 |
| SHA256 | 93444bc82b173332e527024f48eabf9871804654a4400de9630452308592c1aa |
| SHA512 | f2891c3ef5b1cf1f4a49bc50f8b792371e855628619cb606c46bd03e263fc128338fcadcc673c41adfd3d10a4d7070ade65bb44420de1248b7fd9dee055daf7d |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | 3eb5fe2690f0e00284005d878a00e5e1 |
| SHA1 | c154794ff9676a3a76126e9d6cb2afeaf46475d7 |
| SHA256 | 3bd9106cd809f935bf7a9f1cdf6a2282943ae570e0e0d21891db2f2a22aa2db6 |
| SHA512 | e6c2f2948b9a60b2d41238b2b38a002387bca65332688182799d1921095b5542de03028706f97f8f37426a3aec3fe9792171f7c8c3a0d469d64097d1333b40e6 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | c3d343395cfa3592189670d6397d8940 |
| SHA1 | 8e9dfea05f3fe57c444b11779beaf11166da2204 |
| SHA256 | fac8c186ba3c5a420138643d8d7ad357b57dc6c1167a7f7d04dd3d11eaa971a7 |
| SHA512 | 77559a49bc3e7ded614091830b5bbdab821dcebd11be99d1fd0f6d26b395a36d9390e4f4f0cf3a579ac2c2d2777c22ddafb517c88faf9e5253ee6d582a035947 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 593f0eb91380edb349e3e01c60ded7dc |
| SHA1 | 9f9bebd2739a53590c5735541c81857a68d1104c |
| SHA256 | 9a94e0b32c1b6d98788008a9c2723a2236f20d3642522ca7b90ad45d294ccd41 |
| SHA512 | c7b76b93760596743aae2282981895c65477940147f574aea7e9bda64d032a5b06d04ed5c2b2573e972b54898bfa4371a4d4241b5ab7655afff87b2703cf0919 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | fbec4c63bf922e235ea9309f1044d849 |
| SHA1 | 9e6baa30c008fe05cb427040ce973d10f7d90f68 |
| SHA256 | 32f702c61a9c4bff5025050336d919d07fee7cfeb2cfe0b950ece144cc92fe4c |
| SHA512 | ab8d5ebc674b92526ed261b310cc34b93a9b7a8fc272751cc487ae58095a3cb84d86abd0d5941b2e481253bb4a8f79fd5792873f51c715213eff747958b685a5 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\sessionstore-backups\recovery.baklz4
| MD5 | 23504c3f5c3980cf3eaa5385ddaf4e04 |
| SHA1 | 88983633a71c77e2f9451a4e7e5386dcc3bca865 |
| SHA256 | 36b4891b79581fc84ad36b905150dd1de685f8183cc3c0f4235098bb5b5f9489 |
| SHA512 | 7c8ccd9360dae8e857f6df97171d82ed30fa04814b090928e7b8d37f91532451735e3f7ad670abb24e12344ab9efa9eddd25adf5622f31582f5742f3f00e886d |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\cache2\entries\006D3DFABB7DD236CF8A44AA7E9CD9CA8F2EB2CA
| MD5 | 7521c5012953edd817c3e0ed3fbe0705 |
| SHA1 | 81bf4ad9b79d9da7f0d969070dc445335d42c7a3 |
| SHA256 | b1090f8aee76c305c0167f585dcd7f56cdf7f3baedb45381c74389a14c00aa57 |
| SHA512 | 3d8af7b619e88ea38dfa7f39569dd62f8b0bde5e4be71fc5e6db48441f011be66a61bef602e5170d703d7d2757687773a82af9237fdf73ab385ea436ac8fff6b |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 0870d4263414ecd22a621b0326ab02e8 |
| SHA1 | 7fe58b592a3deebfc39e51d470ebe7d4e694779e |
| SHA256 | 9350f9c729b0b9eaee520dfbdd6e6df355882ff03e032a3adda2c0e134f0f1ee |
| SHA512 | 6a23bcb0aceb1572e19a05a7e512f246db870b5478257a1d2ff0de64ff35a3e56f82ac1b252d8ce09313dea36297b942aee516c817a22e13a25aa5c1f7b689ec |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\sessionstore-backups\recovery.baklz4
| MD5 | 6352c3c36ccddddccae3caae5029bf58 |
| SHA1 | b03b12ce7981d9b83a5fbc7407ebb9ea4bff0b58 |
| SHA256 | 672875eb1e8bc10d4e0f17a63ca47de291a4470e5f905bfd9cb89d96d51e86e2 |
| SHA512 | 36509f8e630a2ed11033fdb76c66e5caf9492f742257eb5ee1bf6b6588e854850764e4c1c482a1b53e579a18edf2640167cc4e6b8fd4214e6ca6b3101dd9aa43 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | a26338b15758d555c64fd30d03422d91 |
| SHA1 | 20e2491404dfb1ddcb3913b1bfad177f62d7e803 |
| SHA256 | 146ce436f096bdd568e5c5d96d1df346fa156472734d4b26634b5a8a5b3be22a |
| SHA512 | e6b7d7184f53b49123ce104ad1026718824fec28f07c3a558c73cc084132a2c0b227c78f84dd37179414aab2b87a8b5ea2b4e1b09a1d660665a0448b448363c2 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\sessionstore-backups\recovery.baklz4
| MD5 | 9cc4bc29726bf11971caac6174dfa443 |
| SHA1 | 7405b9e2358b1cf928dd1573e84dbe107629cfcc |
| SHA256 | 8e2fd9611a549578dab44b3c0edb5a9cb0597af9b6d7d0d3a436ae5225193067 |
| SHA512 | 8ac6fcca4522cdd4278f3e5245afb48a1bec658411f9410828d557a516cef555a8009ff393f9f081f8ee69e75d45014a258e346227bcb427fcf161436b75434e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 2f22ea6b585c3ae2a93b8e1e94d2dae6 |
| SHA1 | 07e558a2d6a5ce8349accc4635237a38d05a6216 |
| SHA256 | 8de1db0f34ee8ce14548ca308f2c1783c00d9aeb993e3769f4aad30d2eccd2c0 |
| SHA512 | 20eef8ebab34a8b8a08d1c1fd4867cf8f07b341a4d7d984b995322e9e86e8728d0f6e7becb8a93a9f27438c37b17f4cadc137f2327caa155c326a12d2153daf1 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | 359f531e618b022ded4dffe5a3ebd64f |
| SHA1 | 81f7bbb085b420b89ec70c8ccf34134cb6e55c0c |
| SHA256 | ff6c3ce7ab4fd1f782a8fd2317445639eb66fba11711e2dd6eeadbbb1daa82f3 |
| SHA512 | 67cd1070c935e72ea30221cc7d4bc09cc877e07b18a77b0bce22909532cc204cf785b8886a1753b1ade654106753bd7825608502b7e793bb44ff009e31fbda29 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\sessionstore-backups\recovery.baklz4
| MD5 | a101ccdfed3252ad0731786d84700680 |
| SHA1 | 64d3d641621b120c46be0b4c68263aa27123feb6 |
| SHA256 | 8779900db2be1160c61bea8fee0cbf23914ce039db9f3924ef18ce03fa9e51c0 |
| SHA512 | f51634efb82a9cb5f2ef22f4394594e144fc2c67040faa32df4801266d011c0ff8519ebf29dfb68f9bf04f66e6e3606de7a4b74f4132e45df68bdd2bf578128e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | ac6703c3b0e2397f115d87dbf1312b86 |
| SHA1 | e3012d38e58a59918970fa4cc97360d8a082700a |
| SHA256 | 8d486ccf16265e640177ac4548a7901a12844ba9f5b636712208e6a5a13d6bb8 |
| SHA512 | d3b7c00473ebb4ee4effd1984e5e46b32405d1abb5a7e73fad786aee841447b82de86571bd92a59af64371264fde30d4bf0e87e9cda74fe2620f08ed6685881d |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\cache2\entries\2492994A253B970917AF5CDF605580B1C2DC16A0
| MD5 | cc1d3d38a76aa2052249b12aa88cc3fd |
| SHA1 | dd09c41518305f61a74ad6c1b513aef5e1eb6978 |
| SHA256 | 593ac91ba735685909846f7b6755f3fcd4cac97a724fe049300a4507e09cbf01 |
| SHA512 | 223c9d1b3dfaac635fcd60fde92389c56c4ef4db5d89100b5932a46df21ec3c224805ca2a3522f9dec1449639401dad2d4cb74b9e0a0512a1621f44749190898 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\cache2\entries\519BCA8D3AE219A5B894AD416EF90CFE45AEE07B
| MD5 | 527700d691117ae987142bc6710a3385 |
| SHA1 | 45b79fa1c3d2db09c74144a580c8874d2b8e0ba2 |
| SHA256 | 081441e5d23b6986d04a0b7165dafbdbeecadbc45add7c12ea3aada493f8fd4c |
| SHA512 | 7e6eba5c573a9f9bb96fe8f8ff37f8eb2228621ea3e51f861017c24b5cad86b50a261850ee98ca2faa460c5e229aad3c345e37200ad6275d3968927d57d321d9 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\cache2\entries\71A5877A224793604405C071054D003E804BDD71
| MD5 | ad441688dafa6ac2dea1d52622c54a5c |
| SHA1 | 0d9cd08d61f1fdb578dfb1a33d07c66bdbb626f3 |
| SHA256 | c149138d37260ecab9ed0b2c9382fa1c5de458b83bfe91faf04927ba8afd9697 |
| SHA512 | 71edf0bbd60bea071cb1bf8406181ae13f5865c13333c76ba97cbae28e72b6587c39090feee9bb610dfea8f12b7cfb898d8471c7c4c86527dd834f8c949aa301 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\cache2\entries\7F30F53457983F11F2D61636C9FB5706ED9AB60D
| MD5 | d9ee21e0938e23b4b9edbe859d6983ca |
| SHA1 | 64b786037ee4ae2a5d83365809c27fe8e0c22a8b |
| SHA256 | f55a995ef43aefced8e46593d73dcd1856873cb6cdea2d73006965b082c4ae2d |
| SHA512 | 9d7b75c1c17b40983f28ed06d6fab122d55522beed193f9e683417f3feb2948f64c303654fea1082d8b91cadd8f0f4b67a67c95fe2d81bdb59474d37dfec53de |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\cache2\entries\5EAD13BBB5CBE47846E6C546F28FE2F53142499D
| MD5 | be86f4de5ace838764a8f7d73dcb83b4 |
| SHA1 | 412fe87836406486b36b96f627d5bb5aa09a9dce |
| SHA256 | 7dca813a576ed7f028c49859384dc78385fa54fa6cb1366fbfc7899bbf935c0d |
| SHA512 | 60e82db8837bd1b2c155eb9a0f67892503267285ca66fbc4c42708e9f1b4a96f12ea37223f913df6e3075d285eb1dc584f630d96269020f7e161f8e69e4a4297 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\cache2\entries\8D9D13D2F1E22A996B4AB1AB746108030CA8BFA4
| MD5 | 76462b56d26824ac460aa9e41db7529e |
| SHA1 | 8952c2a27e131fa0889ff1a3c3de92a6342dee97 |
| SHA256 | 25d65208b9578f0de755e07c19236f66af57419ba7f843bc1836d2c5b671e658 |
| SHA512 | 974dfb07f4a5ae8510e10b3a1c0e0f774fff78682ccc8e1d37badb40c1acafcd0eb93b503f9e55085b24859929bd753422aab3c506e9fa098832316f3e7c78eb |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\cache2\entries\CDB21C981CC9D3BF2B4FAF854D59E2DFEA293406
| MD5 | 804875094aef082a9e1fb1094680d8d2 |
| SHA1 | 2a01fd26baca20cbc2a9f827aa871352ce727f2c |
| SHA256 | 8dfa5d97e384c8395568e263ab21fedf8e0c3af54ef84c0582e33e19df7325bf |
| SHA512 | 38dd048b114fede0a8613d091f7a4614c01c8d0d53ff0dd760b7ddc070ce4d9e2dfc03ebc51492bbd9f4c6e10e111980dfcb382b659fc2135e2c156e505ccfbb |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\sessionstore-backups\recovery.baklz4
| MD5 | 001c0740cea26abcf32a5b1cbbf86015 |
| SHA1 | 9bcfe0ead761a86b0fd76e625960cbdf24504b8b |
| SHA256 | 7fbd2ef9dd76916850c0b7bf90e31487d652d2b3bd09c83ba37d792fc26b1f0b |
| SHA512 | 493189701005881ca2e3495ef011f998940d5073d58f729e667430c552a2b75b468e1e830b2a6b0bcedc5aee2000571ae2bdfc03e55916105ff475c4f5d9e8fc |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | e4d8f173b7037a7139555019d331258c |
| SHA1 | da9b48f9097201e79336e997fec71fe217f8df1e |
| SHA256 | e348fdc9ef7924c0f40054c9eb7d906315ca29aca54826313f4c03d971724d97 |
| SHA512 | 24e7a51767ea752239ccf5ee56a71c6b4551ffeaf454575ac0a9332affca9ebd799a4ee181cec29028ce883811fed8e9e0290451d59784b455d02a051bf361c3 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\sessionstore-backups\recovery.baklz4
| MD5 | 4f46e806826ae1ae6b404ec7c09a3419 |
| SHA1 | 389a4453c52c96f426ddd568f6f0910461a3e577 |
| SHA256 | 634719446ce2b4a40812378e42dde76f04fccedb8036af5ea74b1bc789b82553 |
| SHA512 | f1c3a10ba698249560ef6c09e7c04ab351df9f3688fe3f825ff0f60535cbc749521b9dc42f1d59d41c412e68dbe7d4b5ed360be9a2c5814dc4f0ad9553dd0df9 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | a729661fafb052b626ea7a00378c4130 |
| SHA1 | 35db62e0f937e65911a8f97daaa3ef1fdd18f520 |
| SHA256 | e7d9ab169175abed37d03ed68f0a9c7b447edabd0373508d4dacfb94c7460bb0 |
| SHA512 | 8799be52e57829b3d95f144eca92906e9ed2bc31bafa452432ae8c8d523d7bec563860e8daf4ac474d3089443c87035dbdeaafed0d1ff284fd6cc43ad4f00418 |
C:\Users\Admin\Downloads\MrsMajor3.0.exe
| MD5 | 35a27d088cd5be278629fae37d464182 |
| SHA1 | d5a291fadead1f2a0cf35082012fe6f4bf22a3ab |
| SHA256 | 4a75f2db1dbd3c1218bb9994b7e1c690c4edd4e0c1a675de8d2a127611173e69 |
| SHA512 | eb0be3026321864bd5bcf53b88dc951711d8c0b4bcbd46800b90ca5116a56dba22452530e29f3ccbbcc43d943bdefc8ed8ca2d31ba2e7e5f0e594f74adba4ab5 |
C:\Users\Admin\AppData\Local\Temp\3881.tmp\3882.tmp\3892.vbs
| MD5 | 3b8696ecbb737aad2a763c4eaf62c247 |
| SHA1 | 4a2d7a2d61d3f4c414b4e5d2933cd404b8f126e5 |
| SHA256 | ce95f7eea8b303bc23cfd6e41748ad4e7b5e0f0f1d3bdf390eadb1e354915569 |
| SHA512 | 713d9697b892b9dd892537e8a01eab8d0265ebf64867c8beecf7a744321257c2a5c11d4de18fcb486bb69f199422ce3cab8b6afdbe880481c47b06ba8f335beb |
C:\Users\Admin\AppData\Local\Temp\3881.tmp\eulascr.exe
| MD5 | 8b1c352450e480d9320fce5e6f2c8713 |
| SHA1 | d6bd88bf33de7c5d4e68b233c37cc1540c97bd3a |
| SHA256 | 2c343174231b55e463ca044d19d47bd5842793c15954583eb340bfd95628516e |
| SHA512 | 2d8e43b1021da08ed1bf5aff110159e6bc10478102c024371302ccfce595e77fd76794658617b5b52f9a50190db250c1ba486d247d9cd69e4732a768edbb4cbc |
memory/3912-1368-0x0000000000E00000-0x0000000000E2A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\5a530dfd-bc51-4992-a05d-f09d41a331d4\AgileDotNetRT64.dll
| MD5 | 42b2c266e49a3acd346b91e3b0e638c0 |
| SHA1 | 2bc52134f03fcc51cb4e0f6c7cf70646b4df7dd1 |
| SHA256 | adeed015f06efa363d504a18acb671b1db4b20b23664a55c9bc28aef3283ca29 |
| SHA512 | 770822fd681a1d98afe03f6fbe5f116321b54c8e2989fb07491811fd29fca5b666f1adf4c6900823af1271e342cacc9293e9db307c4eef852d1a253b00347a81 |
memory/3912-1375-0x00007FFAA67A0000-0x00007FFAA68EE000-memory.dmp
memory/3912-1376-0x000000001DD60000-0x000000001DF22000-memory.dmp
memory/3912-1377-0x000000001E460000-0x000000001E988000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\sessionstore-backups\recovery.baklz4
| MD5 | 7b894110a618730756d924ec7ab5ed9a |
| SHA1 | 267e076ba1034ab4eb1746030d4de3aa4e53f04e |
| SHA256 | 1ea9af961512002bd96043f8157e6b18b765318a93053ce7359d6226086707aa |
| SHA512 | 83d9ee4b1b5d100371c4fd7d45b086f945fcac82210271956c46e790b1ce10614167020b3f8c4310b19ce146bd5d0f7ec2463822b91966e3e6dc670f43e98fdb |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 7b23ca40bbe4d78c4f6a043c84a1fd09 |
| SHA1 | e4d2ebd47750f1484c405b60d597a7e99e6f53cf |
| SHA256 | 2573f717fbb44af48ae0f0d8305cab310f70e33334bd2057731236bd4131de77 |
| SHA512 | 4d525e39feb4ad2331a757a573df356d031ca0e7bb07840b8d87eedf32888645185ddd93f942745b4415c97a5b3fd9bb7279ed4b415455fd3edd4b9377c797f6 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | c93c0446ee3bf0c8bec230e313fbc8d0 |
| SHA1 | 44ac8b3b4a0ae7e237150883988ed26d2f681d56 |
| SHA256 | 53922e5351974a5baabc99afe098b16e9cad0af274b05a7a7c910b8f2d02d1f9 |
| SHA512 | 4bb05a6ffaada9962d2f8f26b18541aef6ad1c050d905a73b1925eada708a36276a090088427971f5a2de741fc79741674273958140f5abca92956c73a3ec728 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\sessionstore-backups\recovery.baklz4
| MD5 | 232ccbe386703391cac96a62b4f2bf6a |
| SHA1 | 2e5366926e4da686eccb0d781e26a1439d620578 |
| SHA256 | 585c5512ec707a604a546eab55e195d79ceb321fa08d04f7d6295709fb93072b |
| SHA512 | 40dcea7792fc59b9422f53685bcc59f23ef29cbaaa94f1e53efe389bd76abaaaa946c5ffdb805e5504b96b1fddb87e92f8ec290a99a611181b673fe13826e368 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 1d51fa28aa6251475c6323cddd2c675b |
| SHA1 | c6ad2ffb9c9bc1213bf1b6eb9a379ae2ac6a7e65 |
| SHA256 | f11e2ff383024c40a00a63e72a5bf06a58f05d90a026680484f1546e7e35fb8b |
| SHA512 | 60af5c408f822c9d9222d6c669f15d4459293cce21a59844ee40241f35f42a5082e6c6fdd660a25b6b9c459fdc54ad345b9a25dcc393f3e10906448f531e743f |
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41
| MD5 | 38ff71c1dee2a9add67f1edb1a30ff8c |
| SHA1 | 10f0defd98d4e5096fbeb321b28d6559e44d66db |
| SHA256 | 730a41a7656f606a22e9f0d68782612d6e00ab8cfe1260160b9e0b00bc2e442a |
| SHA512 | 8347782951f2647fe433482cb13186653afa32ee9f5be83a138c4ed47ff34d8de66a26e74b5a28ea21c1529b2078401922a9a26803772677b70489967c10f3e9 |
C:\Users\Admin\Downloads\BossDaMajor.exe:Zone.Identifier
| MD5 | dce5191790621b5e424478ca69c47f55 |
| SHA1 | ae356a67d337afa5933e3e679e84854deeace048 |
| SHA256 | 86a3e68762720abe870d1396794850220935115d3ccc8bb134ffa521244e3ef8 |
| SHA512 | a669e10b173fce667d5b369d230d5b1e89e366b05ba4e65919a7e67545dd0b1eca8bcb927f67b12fe47cbe22b0c54c54f1e03beed06379240b05b7b990c5a641 |
C:\Users\Admin\AppData\Local\Temp\B949.tmp\B94A.vbs
| MD5 | 5706bc5d518069a3b2be5e6fac51b12f |
| SHA1 | d7361f3623ecf05e63bb97cc9da8d5c50401575c |
| SHA256 | 8a74eead47657582c84209eb4cdba545404d9c67dd288c605515a86e06de0aad |
| SHA512 | fb68727db0365ab10c5b0d5e5e1d44b95aa38806e33b0af3280abcefae83f30eb8252653e158ac941320f3b38507649cce41898c8511223ee8642339cfece047 |
C:\Users\Admin\AppData\Local\Temp\B949.tmp\mrsmajor\CPUUsage.vbs
| MD5 | 0e4c01bf30b13c953f8f76db4a7e857d |
| SHA1 | b8ddbc05adcf890b55d82a9f00922376c1a22696 |
| SHA256 | 28e69e90466034ce392e84db2bde3ad43ad556d12609e3860f92016641b2a738 |
| SHA512 | 5e66e2793e7bc88066b8df3dccb554351287dea18207e280b69d7798ecd5cdc99bd4c126c3e394db9f45f54bb561e6688f928de4f638c5eca4f101dc2cea54a1 |
C:\Users\Admin\AppData\Local\Temp\B949.tmp\mrsmajor\def_resource\f11.mp4
| MD5 | 17042b9e5fc04a571311cd484f17b9eb |
| SHA1 | 585d91c69c3f9e3d2e8cb8cf984871d89cc4adbb |
| SHA256 | a9b0f1f849e0b41924f5e80b0c4948e63fc4b4f335bbdf0f997b03a3aff55424 |
| SHA512 | 709076c6cef8dd61701c93e1fe331d2b1a218498b833db10ee4d2be0816e3444aeebfa092ab1bd10322617cf3385414e8fdb76fd90f25b44ac24d38937b4d47f |
C:\Users\Admin\AppData\Local\Temp\B949.tmp\mrsmajor\DreS_X.bat
| MD5 | ba81d7fa0662e8ee3780c5becc355a14 |
| SHA1 | 0bd3d86116f431a43d02894337af084caf2b4de1 |
| SHA256 | 2590879a8cd745dbbe7ad66a548f31375ccfb0f8090d56b5e4bd5909573ac816 |
| SHA512 | 0b768995187f988dc15d055f9689cee3ab3908d10b05a625b40d9757c101e067bbd6067ccbcf1951ebb683f5259eec562802ea6161d59475ce86cf6bc7c957f2 |
C:\Users\Admin\AppData\Local\Temp\B949.tmp\mrsmajor\mrsmajorlauncher.vbs
| MD5 | e3fdf285b14fb588f674ebfc2134200c |
| SHA1 | 30fba2298b6e1fade4b5f9c8c80f7f1ea07de811 |
| SHA256 | 4d3aa3ecd16a6ba46a9d6c0bdacdcd9dce70d93585941a94e544696e3e6f7d92 |
| SHA512 | 9b0bfbb07c77d9e9979a6c0f88b0a93010133f7dd3cf01e1de5dfbe812a5ed920e916d16d6a32fe21b9ee4b5425e61a616ded1aeeb35a410d4f77c0f9392ed0a |
C:\Users\Admin\AppData\Local\Temp\B949.tmp\mrsmajor\WinLogon.bat
| MD5 | 870bce376c1b71365390a9e9aefb9a33 |
| SHA1 | 176fdbdb8e5795fb5fddc81b2b4e1d9677779786 |
| SHA256 | 2798dad008f62aace1841edfb43146147a9cade388c419c96da788fcaa2f76bc |
| SHA512 | f17c9898f81387daf42c9b858f507889919474ac2a17f96fc6d4606be94327e0b941b23a3ccc3f4af92b8abc0522e94745616da0564cdef1c3f20ee17ee31f53 |
C:\Users\Admin\AppData\Local\Temp\B949.tmp\mrsmajor\reStart.vbs
| MD5 | 0851e8d791f618daa5b72d40e0c8e32b |
| SHA1 | 80bea0443dc4cc508e846fefdb9de6c44ad8ff91 |
| SHA256 | 2cbd8bc239c5cfc3ef02f8472d867dff61e5aed9fde8a3823cda28cc37d77722 |
| SHA512 | 57a9d1d75dbbab842060b29f01958f7e6b27d0175ff9a3f7b97e423c1b4e3fae94547a569c2e5c88224fc5dcc785f5a1d49c61199a8c7b3afeb4fc520600df40 |
C:\Users\Admin\AppData\Local\Temp\B949.tmp\mrsmajor\MrsMjrGuiLauncher.bat
| MD5 | c7146f88f4184c6ee5dcf7a62846aa23 |
| SHA1 | 215adb85d81cc4130154e73a2ab76c6e0f6f2ff3 |
| SHA256 | 47e6c9f62ffc41fbc555f8644ad099a96573c8c023797127f78b1a952ca1b963 |
| SHA512 | 3b30fa1334b88af3e3382813d316104e3698173bb159c20ff3468cf3494ecfbbc32a9ae78b4919ecd47c05d506435af4a7ccee0576c0d0018a81fbd1b2dfcf10 |
C:\Users\Admin\AppData\Local\Temp\B949.tmp\mrsmajor\MrsMjrGui.exe
| MD5 | 450f49426b4519ecaac8cd04814c03a4 |
| SHA1 | 063ee81f46d56544a5c217ffab69ee949eaa6f45 |
| SHA256 | 087fca40e079746b9c1dfaf777d3994c0321ea8f69d08238cdfc02fb109add1d |
| SHA512 | 0cae15d863120f4edc6b6dabfe2f0f3d2e028057025d7d5ffe615cde8144f29bdaf099850e91e101e95d13f8a83cb1410a06172dda25a5f92967abcbc8453cbc |
C:\Users\Admin\AppData\Local\Temp\B949.tmp\mrsmajor\Launcher.vbs
| MD5 | b5a1c9ae4c2ae863ac3f6a019f556a22 |
| SHA1 | 9ae506e04b4b7394796d5c5640b8ba9eba71a4a6 |
| SHA256 | 6f0bb8cc239af15c9215867d6225c8ff344052aaa0deeb3452dbf463b8c46529 |
| SHA512 | a644c48562e38190720fb55a6c6e7d5ccfab60f362236fe7d63caebdc01758f17196d123fb37bd11f7e247ce8ab21812165b27496d3bd6ca5e2c5efefab8fb03 |
C:\Users\Admin\AppData\Local\Temp\B949.tmp\mrsmajor\Icon_resource\SkullIco.ico
| MD5 | c7bf05d7cb3535f7485606cf5b5987fe |
| SHA1 | 9d480d6f1e3f17d5018c1d2f4ae257ae983f0bb5 |
| SHA256 | 4c1cfbe274f993941ac5fa512c376b6d7344800fb8be08cc6344e6c16a418311 |
| SHA512 | d30952a75d94dd64b7bd253ed72810690f3550f2262cfaaef45854fc8334f6201a8cbafb9b175c6435f7ce0499567f2fa8667b4b0046bfb651bf61eb4278e6c8 |
C:\Users\Admin\AppData\Local\Temp\B949.tmp\mrsmajor\def_resource\Skullcur.cur
| MD5 | cea57c3a54a04118f1db9db8b38ea17a |
| SHA1 | 112d0f8913ff205776b975f54639c5c34ce43987 |
| SHA256 | d2b6db8b28112da51e34972dec513278a56783d24b8b5408f11997e9e67d422b |
| SHA512 | 561860907fa2f53c7853094299758232a70c0cd22c6df3534abd094c6970f28792c6c334a33b129d661a46930d90fd8c98f11cb34f3e277cf20a355b792f64f0 |
C:\Users\Admin\AppData\Local\Temp\B949.tmp\mrsmajor\def_resource\creepysound.mp3
| MD5 | 4a9b1d8a8fe8a75c81ddba3e411ddc5d |
| SHA1 | e40cb1ee4490f6d7520902e12222446a8efbf9a8 |
| SHA256 | 79e9a3611494b5ffafaa79788ba7e11dd218e3800c40b56684ccc0c33ab64eac |
| SHA512 | e7a28acb04ca33d57efe0474bb67d6d4b8ceff9198198b81574c76c835d5df05d113fc468f4a4434580b1b58189f38184c376976604dc05d1424af1721995601 |
C:\Users\Admin\AppData\Local\Temp\B949.tmp\mrsmajor\def_resource\@Tile@@.jpg
| MD5 | 3e21bcf0d1e7f39d8b8ec2c940489ca2 |
| SHA1 | fa6879a984d70241557bb0abb849f175ace2fd78 |
| SHA256 | 064f135fcc026a574552f42901b51052345f4b0f122edd7acd5f2dcc023160a5 |
| SHA512 | 5577e20f76d6b1cccc513392532a09bdc6dcd3a8a177b8035dc5d7eb082e0093436068f92059e301c5987e6122c4d9aff3e5ae9cc94ccc1ecc9951e2785b0922 |
C:\Users\Admin\AppData\Local\Temp\B949.tmp\mrsmajor\default.txt
| MD5 | 30cfd8bb946a7e889090fb148ea6f501 |
| SHA1 | c49dbc93f0f17ff65faf3b313562c655ef3f9753 |
| SHA256 | e1ebbd3abfcaddf7d6960708f3ccd8eda64c944723f0905ff76551c692b94210 |
| SHA512 | 8e7d98e6d0c05d199114d2d6ab8da886aed68de690c4d79643868eaf051c229fff94c88d937adb3da5e31fe48116613cf79dd00dda30f296746ce0a8aded9fe2 |
C:\Users\Admin\Desktop\MRS MAJOR WANTS TO MEET YOU 5.txt
| MD5 | e20f623b1d5a781f86b51347260d68a5 |
| SHA1 | 7e06a43ba81d27b017eb1d5dcc62124a9579f96e |
| SHA256 | afeebe824fc4a955a673d3d8569a0b49dfbc43c6cc1d4e3d66d9855c28a7a179 |
| SHA512 | 2e74cccdd158ce1ffde84573d43e44ec6e488d00282a661700906ba1966ad90968a16c405a9640b9d33db03b33753733c9b7078844b0f6ac3af3de0c3c044c0b |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\sessionstore-backups\recovery.baklz4
| MD5 | bcc753a29a8538ac69c883f0369eb2ab |
| SHA1 | be4aaa1a34aa58f6130ba9c51a35428ed3c44d27 |
| SHA256 | 1625b6b37f4f17a5814271a241e63d8324f7e9b2f92a67255a5a81dcfea5f88d |
Analysis: behavioral3
Detonation Overview
Submitted
2024-09-21 11:51
Reported
2024-09-21 12:01
Platform
win11-20240802-en
Max time kernel
402s
Max time network
572s
Command Line
Signatures
Adds autorun key to be loaded by Explorer.exe on startup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\WebCheck = "ª\"Þ\vêÄ:¢nu_#ä\nX\x1b\n\x12ŽÈ¿›ô%÷Ü b" | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\r[¨ì£¯õË\x0e\x16Àû/J\x13lí\x1cÞ\x1c\x16ùw[jÈŒy" | C:\Windows\SysWOW64\cmd.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\Version = "hßíp\x7f.\u009dˆ«óù1Ó\x04Íì(ƒ(· (i8¸<©á" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6fab99d0-bab8-11d1-994a-00c04f98bbc9}\Version = "¦‹Zö²\x02 7Óæ?¸%¦íœ›Ù\x03¶\x10?æmQ¥×Ù" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6EADE66-0000-0000-484E-7E8A45000000}\ = "<\x19\x0f\x19qˆë\x1bŠÚgœ«\bOòü &±\x0f¨mô\x03\x1fæþ" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6EADE66-0000-0000-484E-7E8A45000000}\Version = "À²8kFsi*\u0081»»\x1b\u009d" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}\Version = "<—\x19\x01«é\x19\u009d\x04ò\x16V§\x05Ð7\x0ePÌc\x1cô•»I¡C|" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9381D8F2-0288-11D0-9501-00AA00B911A5}\Version = "y\nº.\x11v²\u00a0—\u009d\x12ƒm\x19ƒvüS(\x1e\aÿÃ:šni>" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600}\Locale = "Þ7¿•{6yî\t×¾>µ\x13*\bÕQ§3ŽÍÁWfÔa‰" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\ComponentID = "ØœœÔE\x06¼ö0ŠˆŒT=ÅŒ£”¯*\x1eÙMvâæ2Y" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5fd399c0-a70a-11d1-9948-00c04f98bbc9}\Version = "x\x01=ÄpŸ‘\u00815#ïgÑ]¨¥K™\fñ4]E×\u0090¯.ì" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6fab99d0-bab8-11d1-994a-00c04f98bbc9}\ = "\u0081‚;\x19~š=.\x0ej^Œa\u0081¬Ô©sñSˆeŠ\x1e[lŠ7" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9381D8F2-0288-11D0-9501-00AA00B911A5}\Locale = "ˆ£x\rw\x0f¬\x7f0í~\x12›ð7„ö\n´§‡;Œ”;µ˜Ñ" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6EADE66-0000-0000-484E-7E8A45000000}\StubPath = "è\x1a¯\b\t8ßaƒU\rÕ8\x19X?\x0exŒDÜ•\x16ˆÞA\x04\x7f" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{de5aed00-a4bf-11d1-9948-00c04f98bbc9}\ = "bű\x1fE¬~\n\x1dßjë\b\u008fAf€\x17j\\¦5g\x1deð#\f" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E92B03AB-B707-11d2-9CBD-0000F87A369E}\ = "Åì/æØH°S`\x012\aÑ8\x1cõ8\x1e\x0f\x06†ÎˆÕ\x12B–T" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}\Locale = "Áî‰\x16'U$Ƭž{Š-$,ïîœ\x7fxE±ã\x15C’¯p" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3af36230-a269-11d1-b5bf-0000f8051515} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5fd399c0-a70a-11d1-9948-00c04f98bbc9}\ = "Šÿ\v”ªðõcAí7²÷AË\fÁW!¡hKRÃ\x1d®J´" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5fd399c0-a70a-11d1-9948-00c04f98bbc9}\ComponentID = "x[\amâLÑúê‚Ò>z\x11Óý‘Ôˆ¢‚ Ì+$†Ôß" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6fab99d0-bab8-11d1-994a-00c04f98bbc9}\ComponentID = "\u008fó\x13ëÖŸÁC6%èJ´Z¬8\"‰c.°oÆÃ•È¥c" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\Version = "\x03Ý•>èÈ˺\x1e丂ˆWÊê\x125\u008fC\x1cj¼¼\b\\üh" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6fab99d0-bab8-11d1-994a-00c04f98bbc9}\Locale = "\aždö«¹ñ”O͇#{)Ì7‰ã;c7¯bªñ]Çd" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3af36230-a269-11d1-b5bf-0000f8051515}\Version = "š§·=€9~\x1e•" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4f645220-306d-11d2-995d-00c04f98bbc9}\ = "æ1(‹\u008d“8µ\x05\x01nÚù£c+—-\x14/ášÖ}T\x10$q" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\LocalizedName = "8‹\x1b\fz»êr\x10c}“g?\x11®dý§ÛØ–V-¬E\x1an" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}\Version = "¥\u008dç•f!¬N-ó2\fiˆsÒX\x06±\x14°Ñ°¹R½˜|" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6EADE66-0000-0000-484E-7E8A45000000}\ComponentID = "ñŠª:¾bîåøç*y\b\tEÚ7\u00a0Š\x03–\x1f–nó¬\u0090g" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\Locale = "8b;˜òI\u008f¯\x11³EÏ\x1e÷\a]Ž\x1açØ8\u0081ÇS\"=gï" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3853CC31-559E-32A7-B749-89E04145A139}\Locale = "\n1FKc¤\r7\x1c˜¨M툿È;A\tÆÎ¾\x13²P\x13x" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\Version = "ì¯âsþe)/”>¬’I?\u008d¾Ó(\x17BY\x10èŒzà\x1dó" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C028AF8-F614-47B3-82DA-BA94E41B1089}\Locale = "P\x14©\u008f$\tf\x11š‰ÚA·AI\x18ïžð\x1ežq\x19;¢N\x0fh" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45ea75a0-a269-11d1-b5bf-0000f8051515}\ = "Ã\v\f" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45ea75a0-a269-11d1-b5bf-0000f8051515}\ComponentID = "R®Ù1•uOb¸GdöòÜK\x14äˆÁ\x19\u0090S6óëп\u008d" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{630b1da0-b465-11d1-9948-00c04f98bbc9} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E92B03AB-B707-11d2-9CBD-0000F87A369E}\Version = "G~ê" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3af36230-a269-11d1-b5bf-0000f8051515}\ComponentID = "½ÖŒ\x18I\x19_÷\x14~¾bz\x0eSX%s_Ê•\x0f\x18¨'‚^{" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9381D8F2-0288-11D0-9501-00AA00B911A5}\ComponentID = "ü«Æ{\x12ô\u0081W»Ÿ·,ñ\aÓµs0*]ƒš~º\a(\x12\"" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{de5aed00-a4bf-11d1-9948-00c04f98bbc9}\ComponentID = ".½S\x13Œ\x0f«U^jqŸ3*œÌ4*‚ªþغa8z_\x1a" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{de5aed00-a4bf-11d1-9948-00c04f98bbc9}\Version = "šµÀ´÷1Q\x19D½bF¾çÓtÛYiA°òA4-¥¥Î" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\Locale = "]n{4\x0fí" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45ea75a0-a269-11d1-b5bf-0000f8051515} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C028AF8-F614-47B3-82DA-BA94E41B1089}\ = "ØCm;&ðTЧ“å¡âãŸfÝ\x7f'k_%ï\x15+ý*D" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600}\Version = "dý+f«iŸQ¨¿/‹&‰PŒ£L[\r\x11pˆà\x04·W\x18" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6EADE66-0000-0000-484E-7E8A45000000} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3853CC31-559E-32A7-B749-89E04145A139} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{630b1da0-b465-11d1-9948-00c04f98bbc9}\Version = "$-#›_\x18š&4\nW÷ïZš¯/Ä_þªv’Ü?I¥]" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600}\ComponentID = "2Ã\x0fÜ]Žð\ru\x1e\x7f¯‡7£ï\u0081é\x7fɵ<š×o‡2†" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{de5aed00-a4bf-11d1-9948-00c04f98bbc9}\Locale = "ÿ\x17ïtm<ÂI«QO6J]±µàf}\tŒ`¨Â.‡¤\x0e" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\Version = "¶}y¶wí:\x01>^”XøQGp\x17Ñ\x0f5¤f%\vð««\u009d" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3853CC31-559E-32A7-B749-89E04145A139}\ = "šõ“þ~\x14cÙ\r¾\x10©þ³ÀÛ‡aˆ1’\x1f\x18Z¯.Œ\x1a" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3af36230-a269-11d1-b5bf-0000f8051515}\ = "“ܺ×+f7â\x10ن܄½ÔPçeù\x05\x13\x10~ã'\rs-" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4f645220-306d-11d2-995d-00c04f98bbc9}\Version = "ãïá û |é¨g·êa\aI[Lq&\\²€)D\u00a0\u008dC¡" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5fd399c0-a70a-11d1-9948-00c04f98bbc9}\Locale = "to\x0f©¯R²TnÕ:\x12Æî7©SÿÕ¸xæo®FBq\x1c" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\Locale = "i4“\x0f\x19BSÃá)£\x01s\x17z’ïQ\x16¢}\x1bD•ÎÆzº" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6015F} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4f645220-306d-11d2-995d-00c04f98bbc9} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\Locale = "69òªØ\u008fÒî—‹C\x16m)f\u00a0:?\x04\u008dª·”\bÜ%œÅ" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C028AF8-F614-47B3-82DA-BA94E41B1089} | C:\Windows\SysWOW64\cmd.exe | N/A |
Downloads MZ/PE file
Event Triggered Execution: AppInit DLLs
Event Triggered Execution: Image File Execution Options Injection
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\0 | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\0\AppExecutionAliasRedirectPackages = "\x06˜Û\u0090Q¡üÌJšq5GV‹÷ÊÄì.\x0e'Å…P½ÿ>" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\1 | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\1\FilterFullPath = "KjZ\x12¯\t®U,¦JïÕ%£Ù¬õž\và**\x02§\x18.\x17" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\2 | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\0\FilterFullPath = "çÿÜ;WK”9" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\1\AppExecutionAliasRedirectPackages = "\u00ad£q.a/¨•D„”\u008f\u0081Õ>íö\r°–G‰ÔÇ\t|¼Ë" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\2\AppExecutionAliasRedirectPackages = "p\vjŒ´·\x01\x1e=¬\x1bóU8ôݾ7Î.XN\x02;,ØAâ" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\2\FilterFullPath = ";H™ö«ÿÍ×#שÒ\f$¦\x10éG\x1c0¸‡K\"ƒ\u008fS\a" | C:\Windows\SysWOW64\cmd.exe | N/A |
Manipulates Digital Signatures
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetCaps\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}\Dll = "àBÀ=Œ\x01[ïò-h€Ò®eHí\t,\au‚[øe&:Ó" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{DE351A42-8E59-11D0-8C47-00C04FC295EE}\FuncName = "q=\u00a0aF¤]¨ï\x0eú÷™C8ÿ`©1¹ý•¢r§³áU" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CertDllVerifyCTLUsage\DEFAULT\Dll = 5900ad006100d5003b0025007900a50045002700fd00150041003e0072007b003a00a100f6005a00b0007b006b00ba00b1002220dd00460000000000 | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2000\FuncName = "LÈ;Ì÷%å¾í¥æ(\u008f>@$\vI#þ÷m.a\f•\x18Ã" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL = "\x1dLiþÛMþë\x05ïpF“ñ3çSJöv\x14\x13ܦ\x1eÿËL" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.25\FuncName = "*¾ÇTÄLˆÖø \x18»ã\u0090ç—„Sî?mÅe\x14æ\bN\f" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.30\Dll = "]¿Çø\x102:¦æOÑ&þÂ^˜ºÑáƒKñ+¿$\u009d\x1dZ" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$DLL = "\x03\x15‚Î\x12ÿ1JÎCXàè¡9\b‘F\b0Ìd.3:˜\x1d\x01" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{5598CFF1-68DB-4340-B57F-1CACF88C9A51}\FuncName = "v‹/”\x16”œK=·±\x16iÛ\x06Ä‘ù\u008f\u0090\x0f'Õ®Ñçd^" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2221\Dll = "…\x7f\x7f\v˜Þ;õïÉ{þ\x06fVð•ÃÛÉ^\x06A\fñå\x06+" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.4.2\Dll = "]Ø\x19\f\x016\x1câá\u009d\x1fn²o\x05öšz£\x17ÞôVÖ]\u00a0‘5" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{7801EBD0-CF4B-11D0-851F-0060979387EA}\$Function = "<pR°l!¢ø^\x01Žiš\\ZÅõÙMB\x1c⨒\u0081Ë&\x15" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{7801EBD0-CF4B-11D0-851F-0060979387EA}\$DLL = "®¿êÒ\x18Rм2\x19.í\x7f½\r\b(\x03âì$;Ñì}\x14Ķ" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{C689AABA-8E78-11D0-8C47-00C04FC295EE}\FuncName = "—fp‘\vúq¦Éb»\x1e°•\x16–°tZ=¹Üg'³×¤×" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2004\Dll = "›\x0f°0\u008dÃZ´bèÊxa?YÌ\u00a0B~b”ï©•²oñº" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$Function = ",\b\x19îk¿Lù8e¬Ä|ömÏ&E®VÍrÍ\x02>\nÕ\x18" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{D41E4F1F-A407-11D1-8BC9-00C04FA30A41}\$DLL = "iîùa@\x02ñþh“ä\nV’ÖY\x04Œ\f‹\x1cÅv\u00ad°A´Æ" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$Function = "\"2Bóé\x05O·“_ûç‡jîo+êæ\x0e‘qp\tÞE¥\x11" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$Function = ">quo#Ýþµe°1zÿõ9Ý—K€ƒV\x17ã4¢…}\u00ad" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSealedDigest\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}\FuncName = "î#dÃ3KÐtä«fi©¿³ß÷\x019\\\u009d`\x0e,™\u008d9—" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{0AC5DF4B-CE07-4DE2-B76E-23C839A09FD1}\FuncName = "ºù͸ñÐ\v½\x1a\x15Pº\x03c'i§¥}*Nw¾%ƒþã\x0e" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2222\FuncName = "ƒy²ëg\u009d\n5|0-å\x04þÙ\bt^N\x12Æm\x11F~Ж™" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.4.3\Dll = "m\x0eÏçtôr\u009d)CÜ\u00adÄ”˜('ö\u009dVÉß\x1a6\x1345ù" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2010\FuncName = "\x12åÊ\f•ìÅ\x7fƒ5_ô¥²š›\x13Nˆï1¿ºÐ-~€\x06" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetCaps\{DE351A43-8E59-11D0-8C47-00C04FC295EE}\Dll = "—y›üõ³h;®%%\x02)ʽüÍ?8äÃÕÌÁ.¦Xå" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2130\FuncName = "GW\x03dÚŸR\x10P&½\a\u008f\u00a0yv¿`ä\x15yFÁ(\f FD" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.12.2.3\FuncName = "ûwiA›uªäO\x19š\x12\x11\x04ã\u008dU’\v‘rƒZùñ:üƒ" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.10\FuncName = "\x10=\u009d|¼=y\x02Ü0\x10ÉãqZ Ãzz\x06ߦ+bÜ\b<" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2002\Dll = "å'‡õ‰«¼ÃÇé#q\aæÆ¯\bh\nºã²«-ÒÚ¦Ë" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{0AC5DF4B-CE07-4DE2-B76E-23C839A09FD1}\FuncName = "Nâ3<uâÀê\x0f\x06–ÖAû$ûÈ…\u009dz68Ô©\x1e¶{" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{7801EBD0-CF4B-11D0-851F-0060979387EA}\$Function = "ô‹½šür\x04å‚\x115pÊ”b;&¨Ó,é¸þ¸\x13&Ó¦" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\2.16.840.1.113730.4.1\DefaultId = "ýŽd~þ\x06…x\u0090y}—-\x1dûXݱøA_‚<R×]aÅ" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2007\FuncName = "“Õ°CŠBhþcÛªgìЄ!Lr¨u\x7fô\fíÑCV…" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2222\Dll = "æ\a\u008d`\t^ 6´dšâk\x1bxW\x13Üt@$ldŸ\f|™\r" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{0F5F58B3-AADE-4B9A-A434-95742D92ECEB}\FuncName = "/×?\x18ŽÁñ¡e÷Ë\x0e\u008d\a7€\x1d²Ñ܈ó\x1cK®-\x136" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{CF78C6DE-64A2-4799-B506-89ADFF5D16D6}\FuncName = "ƒA\\ƒm>î©\x03?¥µ\u0081Zh`b*\"ž\x1f\x1a\x14å\x1c\u00a0ÝS" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{DE351A42-8E59-11D0-8C47-00C04FC295EE}\Dll = "³NùžõhþS«\x1aáli°\x06ÖÓß–ž\x1djË”åŒ\x17ô" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.16.4\FuncName = "\x05‹\fHkco\"93ŠCΕ¸¸ÂFŸÓË¢¬b\x02Iön" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2006\Dll = "5\\§‰Jt\x02\x11Θ¥’*F\x11|Þ@}\x01\x03>ëE’zïü" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function = "…µ!³Ò\u0090h¥ªz+=¥ÊÑ¥ü·Ð§ÇJmÂÀã³å" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{189A3842-3041-11D1-85E1-00C04FC295EE}\$Function = "Yªdyl$Ä ~ãi\r\rC¬j\x040ç\u0090t\x17\x14\f\x1b鯧" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{C689AAB9-8E78-11D0-8C47-00C04FC295EE}\Dll = "\na`÷sÝ\x0e\x1cÐzž\x03”Y\x1fÿs?\u008fí/ó^ƘÅí»" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{000C10F1-0000-0000-C000-000000000046}\FuncName = "N¤Þ±\u0090p¼õ«þòªAáи±š}\x1d\"/CŸg\x01Ò/" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.12.2.1\Dll = "\x14ES‘s¯µ-¶õ\x13èò\x0e½Ð'2N2ÓûÛ¢,û\x15^" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.10\Dll = "$àÅ–i£\x18á\b8ì\x0f¶m(\x05Û\x1c6Òá¸ñð†üû\x1c" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.10\FuncName = "…" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\2.16.840.1.113730.4.1\$DLL = "O&\\gâ‡\u008d,\u008f!£\x12uNñ\v\"\x7f‘ö\x15…!ÿ?ΰy" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{0AC5DF4B-CE07-4DE2-B76E-23C839A09FD1}\Dll = "\x16Z#£OίÀrt,áª\u009d%¬\x1f\x02s‹Ÿn0\aˆ³Ï\x1c" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}\Dll = ",\u008fr\x04#v:¾üÕ\x17ä{JgžþÿÜ\x13XVË\u008f\v\n”Œ" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.12.2.3\Dll = "ÙÄÏï«r¼XÃ;Cz\x18{e\u0081öi·âÚ–\x15\x12º\x03\x0eÖ" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2010\Dll = "\x11G”g`x\u009d3óP\u008fˤ•(\u008fR’°CŽ\x18LDµ¹\x18û" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "x>{ߨ¨\x1e%™f\x0ftW°lkë\x0e5V,Î\f‡\x04Sñü" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}\Dll = "–°\x11]‡„C™ 1w\x1cçL)E\x14ç\x11Þ¿®[:ÝEðÞ" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$Function = "\n-¿;\\Wo®Å\"—‰+Þýæ±ä–42CšW÷,i>" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "£\x18+ä£\x1eA·kÓ[\x03Qà|8]ëî`\u00adƒÞ‡Õ^:m" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CertDllOpenStoreProv\#16\FuncName = "f+àBOh\x03äÚÆ³WÒ“\x1e\t\u00a0±ó>Ðm\u008d^\x12ü3‚" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{5598CFF1-68DB-4340-B57F-1CACF88C9A51}\Dll = "7Ø\u008dS\tLkklPjÄ\x11" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{0AC5DF4B-CE07-4DE2-B76E-23C839A09FD1}\Dll = "\x19åøÚÑÃöîzÄ^òÚŽÌ€20é´\u009dŸ¯¸ö\x11<?" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{DE351A42-8E59-11D0-8C47-00C04FC295EE}\FuncName = "¢9'mèI›…N?5ÿ·ë\x02ß\x17yÍWUóG\n°CÀc" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function = "[_¤—s‘\x065\x18ÑjÍb'Ë¥_äzõòÄr\u00ad\x1dò{É" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{0F5F58B3-AADE-4B9A-A434-95742D92ECEB}\Dll = "\u009d×ZùÚ`\x02â]ã¯\\ª^ì :ê<ØR2Äû\x1dCH\x14" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.26\FuncName = "øýìß™ÜZ¨ñŒ¯ƒÔ\x1ddv<Eᎌ,\x19Õx±\u008d¦" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{A7F4C378-21BE-494e-BA0F-BB12C5D208C5}\$Function = ")€åùÃÅDè¼Õ^u\x7f7,’ßæ<C,\x0f%“—Ì©:" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "PMÞÆb5X\x13I=–gO:!˳bYà‘\\/í¨[\bû" | C:\Windows\SysWOW64\cmd.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\International\Geo\Nation = "Ù\x11w&Õ©ðßž™š˜Ì>¯\x7f\x06jbª¤©@Ž8Éãˆ" | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\WinNuke.98(1).exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\LoveYou.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\VeryFun.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\takeown.exe | N/A |
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\SysWOW64\cmd.exe | N/A |
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\NoExplorer = "p§®\u008d}>*À@ÈŒÓyÈ/!±í{,ì=4š°\rdO" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\ = "\x15_YЖêR¯R‹o#õ|@f&¨ŽÃ£\bçÀÉ@<§" | C:\Windows\SysWOW64\cmd.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{1A6364EB-776B-4120-ADE1-B63A406A76B5} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}\DisplayName = "ÿi\x1b]¹Ÿ{ZC\n?ý^\x05˜PLªÙÒ{¬ßC9\x18|–" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7B849a69-220F-451E-B3FE-2CB811AF94AE} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{8A28E2C5-8D06-49A4-A08C-632DAA493E17}\ExtensionEventSource = "”ì{\x1a\u0090²=ü¶¢ˆk¥êV%j£ç\u008f`nz\x1c&:T\u00a0" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\PreCreateKnownFolders = "Ì\x04®KEæ¸ÎÁܵÐí5˜¿eÇ4[}dïc}'ñ\x7f" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\ProcessGroupPolicy = "!l)‘\x1c\x15Ùæ5åæîN†”bÞ!®¿±" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C418DD9D-0D14-4efb-8FBF-CFE535C8FAC7} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{e437bc1c-aa7d-11d2-a382-00c04f991e27}\GenerateGroupPolicy = "\v8í(ÐÈ\x18ô~-ÖO×\b\x1d¬\x01\u008d\x18ÖžèqšÖ23[" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{E62688F0-25FD-4c90-BFF5-F508B9D2E31F} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}\ProcessGroupPolicy = "h\x18I\n==f‚" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}\ProcessGroupPolicyEx = "\t]›j©ƒô&¢\x04\aД‡ÂžÌ¸¸…PNDƒ[—Äë" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B087BE9D-ED37-454f-AF9C-04291E351182} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{BC75B1ED-5833-4858-9BB8-CBF0B166DF9D} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{FB2CA36D-0B40-4307-821B-A13B252DE56C}\ProcessGroupPolicy = "Ö/º}J&/ÕîUÂ97\u0081\x14¨.ºþ–ŒÊ!=ÊׄÃ" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{0E28E245-9368-4853-AD84-6DA3BA35BB75} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}\ = "ê¼dÑíÐØ{¡ä–ˆ\niJ\x02ñ‚÷*ßš•ˆ\u00a0ÐÚ4" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{42B5FAAE-6536-11d2-AE5A-0000F87571E3} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{728EE579-943C-4519-9EF7-AB56765798ED} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\GenerateGroupPolicy = "!üh÷g\x01Ü!Ô$T\b\x1d8t\aÐb•Š\x1a—Í¥\x1fT\x06[" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{8A28E2C5-8D06-49A4-A08C-632DAA493E17}\DllName = "~(Ýk{\\€\x11ÜSFú\x14cï\u008fW\x15\x1e1bdhCŸ0M." | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{8A28E2C5-8D06-49A4-A08C-632DAA493E17}\ProcessGroupPolicyEx = "ý\b˜™€eõUÈxO\u008d\x17¯LÖNÊ0½ïÈ$û+ãÓÞ" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{cdeafc3d-948d-49dd-ab12-e578ba4af7aa}\DisplayName = "s¹\tá!¨rs;@\vI\u009d‘v\u0081vl·ÔpPû\x17þé\x14‡" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}\GenerateGroupPolicy = "ûÕ\"Pæ3g\u009d\u00adf3ˆÙ\x14-¤£\x1a0Êöü\x05 Q\x10\x16" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{E5094040-C46C-4115-B030-04FB2E545B00} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7933F41E-56F8-41d6-A31C-4148A711EE93}\ProcessGroupPolicy = "Š0*j–Ýøü–\x17Wpm¢×\x11\u0090võÊ\u009dû\"\x11®\u00901©" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{91FBB303-0CD5-4055-BF42-E512A681B325} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{cdeafc3d-948d-49dd-ab12-e578ba4af7aa} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{cdeafc3d-948d-49dd-ab12-e578ba4af7aa}\ProcessGroupPolicy = "Z\x16\tæl±¿mjî‘)-¨™\vUÇ!ñ]\u00ad°ÉÇEóÎ" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{e437bc1c-aa7d-11d2-a382-00c04f991e27}\ = "\rÀKѶ!;׆¹AÃé\x1c‹³û]çQ\x1cà" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}\ = "c-\x15\fÁ¡ñOwfÂØâYô݉àØàGo)âD+L\u0081" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}\DllName = "ȺPô”›‡&…\x1e¯R/·\a¢ËÏ§äŠ 7BÞ<=\x18" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{5794DAFD-BE60-433f-88A2-1A31939AC01F} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{6232C319-91AC-4931-9385-E70C2B099F0E} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{6A4C88C6-C502-4f74-8F60-2CB23EDC24E2} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{74EE6C03-5363-4554-B161-627540339CAB} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7933F41E-56F8-41d6-A31C-4148A711EE93}\ = "Õò¸¥ŒŠ¸$¹Ê™ü§Ó¥^9\\Ç\x10JMê̸PUõ" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\DllName = "\x15°\x14PSêIÌçïý|ÿtBa»\b¶\x14ì+¾\"ƒ²\x0f}" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultDomainName = "\b'\x16„ú\x05R~ýOöÏ\x0f”S¡R›ƒFsmeþ\b\"\u0090Ï" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{8A28E2C5-8D06-49A4-A08C-632DAA493E17} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{cdeafc3d-948d-49dd-ab12-e578ba4af7aa}\ = "v¥PG\x19ÆõB\b„à" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{cdeafc3d-948d-49dd-ab12-e578ba4af7aa}\DllName = "8†¼k`I¦3Š8;£9]\x0e—ôÁ\n1¹€MëîÒàÎ" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\ProcessGroupPolicyEx = "¸?(Þ*–ù™7\x12Û©ág4:ù@R¿L\u0081ƒêæ•t^" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7150F9BF-48AD-4da4-A49C-29EF4A8369BA} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{FB2CA36D-0B40-4307-821B-A13B252DE56C}\DllName = "2j±\x02ñѺÍÑ/:FŒ1l䨣\u00a0³\x1d¯\x1bUΩòã" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{fbf687e6-f063-4d9f-9f4f-fd9a26acdd5f} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{fbf687e6-f063-4d9f-9f4f-fd9a26acdd5f}\DisplayName = "^1Òd+DüExs„\a\x1dÐ\x12äËñs" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}\DllName = "®\x19\x14˜l™\x0f–" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}\ProcessGroupPolicy = "Ñu\x1c\x12êö\x04öK8“@kÕ»3y2qO{ñ\x17'\x15°6ü" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{E47248BA-94CC-49c4-BBB5-9EB7F05183D0} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{fbf687e6-f063-4d9f-9f4f-fd9a26acdd5f}\ = "ØÄ@ÑëK™»bè©uFÛKþ´Ãz\u0090›u¯hÝÚ\x1dM" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}\ = "-8\x01èmH}ž¾ø›ù¤eÎŒrVûµ}h\u009d|¶ƒæ>" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4B7C3B0F-E993-4E06-A241-3FBE06943684} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\ = "mC¶hО#éEÉ¿òãX,×\x1a±À4ü{x”RøÅU" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{8A28E2C5-8D06-49A4-A08C-632DAA493E17}\ = "<ˆeE\x12V~ì\x04øõ]/B\x1a;xí¢@®œ^šò{¢Ð" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{AADCED64-746C-4633-A97C-D61349046527} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B587E2B1-4D59-4e7e-AED9-22B9DF11D053} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}\EventSources = 18200800bd00ed00c1004d00bf00bd001820de006600d5000c00b700e9007200a80068007d007c0028004700cd005a006400ac207600020000000000 | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{2A8FDC61-2347-4C87-92F6-B05EB91A201A} | C:\Windows\SysWOW64\cmd.exe | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\Desktop\WallPaper = "޵Iô\x02àzž»)vo)ß\u008dôªþí?ÜÛ\x10r°\b\x06ó" | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 5500 set thread context of 5544 | N/A | C:\Users\Admin\Downloads\VeryFun.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 5500 set thread context of 4084 | N/A | C:\Users\Admin\Downloads\VeryFun.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 5500 set thread context of 3560 | N/A | C:\Users\Admin\Downloads\VeryFun.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 5500 set thread context of 1236 | N/A | C:\Users\Admin\Downloads\VeryFun.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 5500 set thread context of 3136 | N/A | C:\Users\Admin\Downloads\VeryFun.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 5500 set thread context of 6056 | N/A | C:\Users\Admin\Downloads\VeryFun.exe | C:\Windows\SysWOW64\cmd.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System.ini | C:\Users\Admin\Downloads\VeryFun.exe | N/A |
Subvert Trust Controls: Mark-of-the-Web Bypass
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\Downloads\VeryFun.exe:Zone.Identifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| File created | C:\Users\Admin\Downloads\WinNuke.98.exe:Zone.Identifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| File created | C:\Users\Admin\Downloads\WinNuke.98(1).exe:Zone.Identifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| File created | C:\Users\Admin\Downloads\MadMan.exe:Zone.Identifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| File created | C:\Users\Admin\Downloads\LoveYou.exe:Zone.Identifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\cmd.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\WinNuke.98(1).exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\LoveYou.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\VeryFun.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters\Storport | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Storport | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters\Storport | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters\Storport | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | C:\Windows\SysWOW64\cmd.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\taskkill.exe | N/A |
Modifies Control Panel
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\Accessibility\Blind Access | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\Accessibility\SoundSentry\WindowsEffect = "{m\x06dòæÛ\x10ÇÛã*Åjíå\x06\x15æ>OòÆùc÷(©" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\International\Geo | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\Colors\MenuHilight = "E\x0e™Éö²\"=Ì?dt¢Ø\x06ø\x0eÿ%¼\x19àa¹\u00a0tíÙ" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\Desktop\WindowMetrics\CaptionWidth = "æ\x03Hqœ¥µÊäK" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\International\sMonGrouping = ":\u00a0Ë«ÖßJ9qm\x02\x02µ©¥\x04UPI%\\DlïÁÇ3E" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\International\iFirstDayOfWeek = "‡ŽôGÂîž¶\x01–tTY‹ËÁÓÝEmÑdYe&\u008dÜv" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\PowerCfg | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\Accessibility\HighContrast\Flags = "6¡Îw“ 3·\x12Š`\x1bûã2Â.\x05¹N×QRêÉü@”" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\Colors\ButtonText = "¨Õ\x1cwÎ\x1b\x1e×\u008fèÜ\x17\x15æí®’Ù£€’ô¨ÊRè\x025" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\Colors\HilightText = "=¹V¾" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\Accessibility\AudioDescription\Locale = "§qcúùï_2öúαêÿEš©èÝÕ*þŽ“9íñ«" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\Desktop\WindowMetrics\Shell Icon Size = ":\x7fÔJþ¹f:oºu1‡\x03\x18íî¶\u0090\u009dNä‰ú¶\x17l—" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\Desktop\Colors\Hilight = "Úɉ\x1b¬ç¿\x1a‘,ù0q™¨rqIî^\x12“\x03\b^qÞk" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\Accessibility\Keyboard Preference | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\Accessibility\SlateLaunch | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\Colors\InactiveTitleText = "e¾6IÓ×åFÄr“1•–ÛE\x16.o\x11'\u00811Þ¨l\x15Â" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\International\iTLZero = "Ôb\x02\nÖ\"p¯‹—ׇ‰)úÚ\n\x04Ë\x044ýc€©\x026¢" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\Mouse\MouseSpeed = "úuŒÉ{‰ƒ\x0f[Ç\b±CÔ8˜°ß\x1b Ÿt\u0090:;*÷š" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\Accessibility\SoundSentry\FSTextEffect = "/ÑSù–Ñ\x0f?š9Ìü»xÒÇg$\nÚè†{ð®Ö\x11" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\Desktop\Colors\ButtonDkShadow = "é_í\n:\x1bõk\x16\az\u0081W!îo`-Ð|Så" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\International\sMonDecimalSep = "]\x16šŠ«\u008fØÏóm2£ƒ\x1bŽ\f¿OÀcNHmàTÜâi" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\Desktop\Colors\GradientActiveTitle = "Ô\\G\u0081\x04>V\x01VfÁ\\)~öecôêÑæ\x10\x04\\¾üŠº" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\Desktop\WindowMetrics\ScrollHeight = "\x05Ÿ¶ÙçowÍGNã×1¹Q‚Ŷ\x0e\x1b]0éëé¾—+" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\Colors\GradientActiveTitle = "\u009dš”|õ5Ú\x11Љ\x14\x1bÓžM´”€™Ò¤‹ó)r-»ú" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\Colors\Window = "³\x1a™¼+³\x10d\x15TƒØú/ÒKH}\x1aà£Â´Óµ1φ" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\Desktop\Colors\ButtonFace = ",!\x03pŸ³™7\x03ÍÍÅ$û¤¼¦1Ø<(¦WÄ8„}Ú" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\Desktop\CoolSwitchColumns = "d§\nFA¬éº‰m’”n?€NAmñ²!¢\u0081ê\f`¸õ" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\Desktop\Colors\InactiveTitle = "\x7fÚ¹F\u008f\x13ÖJl)1\x17x‡X0¸\x13€\x11‹%x…+\x17\x1cq" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\International\iCalendarType = "#è\x0fÐ’ŒûUpÄlS\fD‰X5\x1b«Õ¢ð‰½×Jª‰" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\Mouse\MouseHoverWidth = "¨\x10¿¶ÖËYIêÙ¤\u0090g‘;v´\u008d4¯òæ\\#7–=\x10" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\PowerCfg\PowerPolicies\1 | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\Desktop\TileWallpaper = "^\x15/´\x15™S\\\rx\x14\x15\t.z\aÎ#Êd\u009d\u009d¿ÍÒy<=" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\Desktop\Colors\GrayText = "‹#Æ‹7ôOv\x7fˆÁí'ê\fs´" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\Desktop\Colors\Scrollbar = "ZþF•\\sÒÏa¬9Ù\x13\u0081\vf3t\x06xš*\b…?\t\b<" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\International\sDate = "Œ\x0e_<\x03\u00ad©ÝkÇŠ6@§&…XÞø¯k¤kåe¤ýÓ" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\International\sThousand = "ýp÷CˆVKZ.§˜Ir‚¢%ÃöÒð\x1cMÌŸ±Ûc`" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\International\sShortTime = "IÌ;Q|r\x12R\x02Ÿì3‹}2è`Ô€Ysv^ÿ½ëí\x0e" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\International\sNativeDigits = "1=±åËËT(Þ\u008f\bù’ÅùÖw¢\u008dÕ¡|ç±Yx5Ð" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\Accessibility\SoundSentry | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\Appearance\NewCurrent = "\x05îýwÜÇ¿·žˆÝœÉ\x1daÇù‹N.D“-\x1eì/t\u0090" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\International\s1159 = "˜o\x1a§ó¯‚(Œax7ÒHæü\x1e\"\u0081ÈQG”v~\x14ó" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\Desktop | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\Desktop\DragWidth = "Cø´\\'êœ[±\u0090<o\bµu‚\x0f\x7f§´q§íÊR¤\fÙ" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\Desktop\WindowArrangementActive = "JÁ\x127=ö}\x7ftøˆÈ›u\x15_Æ4x³9rOríÄ}Ê" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\International\sCurrency = "¯0:U\u009d]@—ïvpú`=¨d\u009dŒÐä&{ŠD%7]\u009d" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\International\iTimePrefix = ".&LÀÙ׸˜r,)(Å3ÉÞ9\n\u00adk棿ÂV¨µ\x15" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\Desktop\WallpaperStyle = "ÿÃÅ)¢w¬\u009dן̈õ²ÒÞ3ÑȲØÇ_Ì\x03ÖÖ\f" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\Desktop\WindowMetrics\PaddedBorderWidth = "B»bE¾E]w–\x19l\x11Á\a„Y;Vr¨4Õr\u00a07\x06LÔ" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\Desktop\Colors\ButtonAlternateFace = "š¼d÷¬ö\x0f_1U\x1d<rÍ60دþßúÚÐZÝ£|Í" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\International\iFirstWeekOfYear = "wÒÙT/‹V9\x1aqªÅ`lf\x1d'ÒÌi\u0090\x03\x1dC\x17bp\v" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\Accessibility\TimeOut | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\Accessibility\TimeOut\Flags = "dÿ.Aí9 ~\x12‹Ò‰®¤\u00a0`q–;€Â’Å\b=ê;-" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\Colors\HotTrackingColor = "Ž\x14\"A4}æ²sr1\x1aÇOÿŒyEé$\x16@\u008f'L ”¾" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\Keyboard\KeyboardDelay = "l§ÒX\x12@_röö\x1cV´•v*{Ú/Áù\\°ç&\x01\x03r" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\Cursors\IBeam = "Ùr3\u0090E)¯ñìG]°\u008dfÒ0¾òð~Ý!pBø1\x16Ê" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\Desktop\Colors\GradientInactiveTitle = "êêzê®Ñ(Ç\x1e‚.¦é\x12O<ê½$'„\x16\x1d\u00adϼ“Q" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\International\iCurrDigits = "~îÁ·…Ó4\a\u008fnsœ7§¾&Ó\x0f¯³Õî`µù8³I" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\PowerCfg\PowerPolicies\3\Name = "“eºn:_û‹¶ÍJþCÙŸí5#®5aÏkºƒõú<" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\Cursors\No = "=U¶rÂ\u0090\x03—©9‚g\u0081\t\x15CS4ö[\u008dªŽ;¾S0S" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\International\User Profile | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\Keyboard | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\Desktop\RightOverlapChars = ",ã¦H®øM\x04ΪIV\x05Üî¬qHë¡’‡É:R_·´" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\Desktop\Colors\ButtonHiLight = "©æ*ôv?‹Y>\x12Úo\x7f\x0eÕ„µ¡\x1fˆJg´Z\u0081" | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\FRIENDLY_ERRORS\Text = "ç~;a»È\x19áð\bz~c\x1bõ¡" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\HTTP\HelpID = "2h‚ºði’)\x06ŠTúüÜÔܼ\x01k®>˜Ë¡#5¨" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\INTERNATIONAL\UTF8_URL\PlugUIText = "ëo¨ä-—'6«¸ãÈ™®õ£ºÚÖBðÓ\x14Ǽ[Þ\x7f" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\MULTIMEDIA\ANIMAT\UncheckedValue = "{#Üc\x15\x1aÌ>ÏÏ1¥Î6âó\x1a6ü\x14'4Œºî¦Œv" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\FTPPASV\ValueName = "¬ŸjMã¦\x04ø¸äÀãÔ>ð\u008f•Aù?n\x1ek\x7fºw¥Ø" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\LMZ_LOCKDOWN\Text = "IÛ¸]ÇæÉ\x11ë/¢\u00a0&æ\x04×\x12ñ**\x18-ÄìãíÈF" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\MULTIMEDIA\PICTS\Text = "\"Weëkx\x11pG@ÃÂW€¦œº]\rÆäí†P‘\x1a\x1a¶" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Capabilities\Roaming\TrackingProtectionLists | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{69ABB8E4-3A44-461C-93BC-C3BB6BDF2DF3}\Version = "šn)çö;Õ¦)¬ã\x06•Û^U³7Ô¨õ»W\u008fhóÙd" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{DC99E960-6594-45E3-9D5D-141D825B8096} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{78c7b664-c9bf-4ce9-8b3a-b05d442e451e} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\UrlTemplate\2 = "´žÅHÝ&\u00a0«*v4¼…t\"İ\x17¨9³¼wè©h¸¤" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\ACCESSIBILITY\MOVSYSCARET\RegPoliciesPath = "\x04’[-\u008d'Ç}DÇO¿—K—6`6«r\x13}¢\b•̪\x1c" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\ACR\PlugUIText = "©" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\DOMStore | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\DOMStore\Type = "Úimؽ¾\x02ÔŽ°úµ0Ò]°Ü\rž\x1a•ЏZ\vÝ¡Œ" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\INTERNATIONAL\IDN_SHOWPUNY\RegPoliciesPath = "ªœ(×ât1GÖ" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{98889811-442D-49DD-99D7-DC866BE87DBC}\BlockType = "‹°\fÀÙ$hßJp•çî\x1dvè\x03?\x1b\\\x19\x1fqÓu\raä" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\AUTOAPPENDIE\Text = "+\x16rù\u0081Œ\x10äûI…²,x*H€ª†Xš„ú\x1a\x0fvø«" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\MULTIMEDIA\ANIMAT\DefaultValue = "áDØS’wˆfßÕs\x1f9•‰2OëÜÏ¿æ}a¢öÏ\x05" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\ToolTip = "¨›\x03Üïç˜\u00ad.\x1e2Ô÷„hÓu\u0090œÛcÑWI\x14¦0ç" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Microsoft\Internet Explorer\International\Scripts\24\IEFixedFontName = "àÔŸÚ€Þu<ð\b’§\x12\u00a0\u008f%NHs\r…Jª\u00a0š\x1fmä" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\ACCESSIBILITY\ZOOMLEVEL\RegPath = "\x15°RÙ_\x1e’}Š\x10©xªbž;z\by±»\u00adVÁq£.«" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\SSLREV\PlugUIText = "ô‚ŒÇôºÍFb=\x195ø\x01æ\n9ÏÔê7\bwŠYc\x1d¿" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\TLS1.1\HelpID = "“Yý{Ìyæhß\x05Å»5VóÃ\x03Š×ðs7ã&\x16ÀÏš" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{2318C2B1-4965-11D4-9B18-009027A5CD4F}\DllName = "3\"ž¦ý\u00ad‰\u008d\x10µ<Jþðá8Å^ƒˆ ª\u009dÅÈ›=·" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\BLOCKMIXEDIMAGES\RegPoliciesPath = "x!‚–\bÁ\u00adƒÔiÝCV]ئÔï¶\x12žkÎ|‰\x1déX" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{124D001A-BDCB-472F-AA59-BBE7E4BC3204}\Version = "‰ÚQa\x7f(ÞTåBcý¥uÌá²Ö\x04Ýô6aŒ•¿8\x16" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\svcKBFWLink = "ŠlcJºT¼>y)´¹p¸ïAl5\x10À*K,]Rù>¢" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\ACCESSIBILITY\CARETBROWSING | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\NOTIFYDOWNLOADCOMPLETE\PlugUIText = "UNôÇð]O™\a5ûÜï\u00a0×'ûÎ*ßü`aØ7y\u009d™" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\ULINKS\ALWAYS\ValueName = "Õê\a\u009d˜DI\x1eË,ÿ6°5±„m·\x1eãG[×Ql»‰m" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\INTERNATIONAL\UTF8_URL\Type = "íÄ0zhõ.ˆ\f§MÅ\u00902Üö\x1c|uÍ{|Kh'ƒ«¶" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{00021a14-0000-0000-c000-000000000046}\BlockType = "?y6\u0090tiuï\x03̉>Ù\u0081Ýßíe €ÉgºŸ¦ÒHz" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{48FFE35F-36D9-44bd-A6CC-1D34414EAC0D}\CompatibilityFlags = "xG\x04ù.:ù‰{°þ®-Íb-œÞE\"L@ ITÛ`\t" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{69ABB8E4-3A44-461C-93BC-C3BB6BDF2DF3}\CompatibilityFlags = "B¨›I(¡®åEmÓ\aº" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{BDEA95CF-F0E6-41E0-BD3D-B00F39A4E939}\FWLink = "\t=ƒ\u00a0°|!‡O\x18\x14ïC\x19DíG¢XÚø³ÅÝ\\åw\x12" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Capabilities\Roaming\PopupBlockerAllowList | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{65104D73-BA60-4160-A95A-4B4782E7AA62}\AlternateCLSID = "PÊêy*¤ºq\n,7‰±;7œ«ž›ßdÇzõõ—´|" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\FLIP_AHEAD\RegPoliciesPath = "\bAwÁ¶›t=\x05<£ÁªW\x01\x02¥w°n\v\x0fãÅ¥¸½" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\CACHE_PAGES\RegPoliciesPath = "$õ>Õ\x1a¦…\u0090¬I„Z ¤›o‹/';'\fl¥\x10j—\n" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\MULTIMEDIA\PICTS\RegPath = "œWÞ\b‘\nÝ\x19úÆãj\fÒ\x12°¸oé\u0090" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Capabilities\FileAssociations\.website = "åÅ]‘{\x16ù\x02¢4ê^µ°oÒŠ(W\u008d܂Ϣà}Lù" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{0055C089-8582-441B-A0BF-17B458C2A3A8} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{8B4F961F-0B84-4201-BBB1-34E45368F39E} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\CTRLTABMRU | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Capabilities\Roaming\DomainSuggestion | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{14CEEAFF-96DD-4101-AE37-D5ECDC23C3F6} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Microsoft\Internet Explorer\International\Scripts\16\IEPropFontName = "\x19¹EH\u009d;¢¨p(¬ð\x13ª™Þ§ÖZYaœ£Æ^±ß\u00ad" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\FTPUI\PlugUIText = "«&éS<¦âÀî9°c&.\x0eE©\x7fwÆÌEv\x10ÏRÆ+" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\SSL3.0\ValueName = "©Y%Ý\f\f]e#ÂN ŒŽôÏ\u008dîu\a,\x15eú\x1cªöG" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{F5BEA1B9-FEF6-4093-846D-753C42A1B00A}\Version = "§ºò½\x04po9m÷wã•í\x0e,¼yBçø€\x12îR\t\u008d\t" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\USE_THEMES\Type = "\x0f÷ËÕ\\ÄtþÒÅ8-K\x01£Ü\u009dÛ=ù2Ö@\u00ad1*3»" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7f7bd411-f034-4ac0-9424-224bd7ab4e4e} | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\ACCESSIBILITY\TEXTSIZE\ValueName = "×\u0081v\x0f<iu×\x03{™ØŒ¬ñ߆@\bš\x10\x10\u009d3wϳT" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}\DllName = "àÊA3ÃhWò*Ý›9`‘WÉ”\x15\u008dÎ\b¿©.÷Çß©" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{08f24d68-9087-4b24-81ad-7b34af3e3ed5}\AppName = ".4\u009dTßš8ÆúO\x04\x1f0Qæ\"¢:4%Tb±yÀêÄŸ" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Microsoft\Internet Explorer\International\Scripts\8\IEFixedFontName = "\x14\u009d5XÚè¦î\x13š\x12€¿4Ójàv9Xåçž2\u008d’À¯" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\ACTIVITIES | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\TLS1.2\RegPoliciesPath = "8lØ\x0f\x1a\u00adŽ\u008f" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{14CEEAFF-96DD-4101-AE37-D5ECDC23C3F6}\DllName = "E¯\x16fȾ·Ð'ÞÊ%IRW¸°U¼ÑØ}üjÒšËU" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{92085AD4-F48A-450D-BD93-B28CC7DF67CE}\BlockType = "¬…8ªÖ¢ER:Ôù©¨\x12MN¢ÌÜ\x1di!‡›ù\u00a0G\x01" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\Text = "‡²Ê>åi‚wg«=\x7f¡©ž1°\x7f–0Û\u008fßU\x7fÝì€" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{000D51DD-18E2-4D85-919A-10E3746C3F1C}\DllName = "„©¹ü.ù´[/‘LÀT}¶¶)[ƒÏÌ™à\t<\x06t~" | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies Internet Explorer start page
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "$ÝP¤û\x1eOéfv§eùÙ\x06\tã\x01#y2¾7ó@8W\x19" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "Ñ\x184ŸC\u00adWO\x19Ðöµž\t™ÏlRg³)\"¤º \x04ýÞ" | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\MuiCache | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\Downloads\VeryFun.exe:Zone.Identifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| File created | C:\Users\Admin\Downloads\WinNuke.98.exe:Zone.Identifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| File created | C:\Users\Admin\Downloads\WinNuke.98(1).exe:Zone.Identifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| File created | C:\Users\Admin\Downloads\MadMan.exe:Zone.Identifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| File created | C:\Users\Admin\Downloads\Melissa.doc:Zone.Identifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| File created | C:\Users\Admin\Downloads\LoveYou.exe:Zone.Identifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Downloads\VeryFun.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Servicing\CountryCode = "bÄ$qÂ\"]´R’˜wÀÕ\x13'k^\x1cq¾]K\x11çX!\t" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "\x18Ìðºù¥ãÎ\"¸¤k®d©¦¼žpëì\\Q5i¤{Û" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "…)Í\x14KÜ6B=µævQ\x03€ã\x10¯UÖÚ\"ߟ|\u008d¥\u008d" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\UIPI | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\UIPI\ = "¨Cö,e°¹²ZÇÞð\x05•\x04ÅŒ\x1a\r:l\x06Ž\u00a0G\u0090)Œ" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Servicing | C:\Windows\SysWOW64\cmd.exe | N/A |
Uses Task Scheduler COM API
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\37626322_1871171556512529_4700140521996156928_n.jpg
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1952 -parentBuildID 20240401114208 -prefsHandle 1880 -prefMapHandle 1556 -prefsLen 23600 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d40f177f-60fc-4f92-9c6d-e54dcb0327ac} 728 "\\.\pipe\gecko-crash-server-pipe.728" gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2352 -parentBuildID 20240401114208 -prefsHandle 2344 -prefMapHandle 2340 -prefsLen 23636 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6b833977-d0eb-46bf-a603-c4c4fbfcae35} 728 "\\.\pipe\gecko-crash-server-pipe.728" socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2684 -childID 1 -isForBrowser -prefsHandle 2848 -prefMapHandle 2944 -prefsLen 23777 -prefMapSize 244628 -jsInitHandle 1324 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2b646909-9f5b-44bc-a502-7bde670bfea2} 728 "\\.\pipe\gecko-crash-server-pipe.728" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3616 -childID 2 -isForBrowser -prefsHandle 3388 -prefMapHandle 3472 -prefsLen 29010 -prefMapSize 244628 -jsInitHandle 1324 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fbd505dc-0a3c-4b01-bbe4-4b294f8f751c} 728 "\\.\pipe\gecko-crash-server-pipe.728" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4208 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4204 -prefMapHandle 4084 -prefsLen 29010 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {576534c7-0d9a-4f26-a11c-baecdc42329d} 728 "\\.\pipe\gecko-crash-server-pipe.728" utility
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5332 -childID 3 -isForBrowser -prefsHandle 5344 -prefMapHandle 5340 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1324 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9a9e0c76-8c04-4024-8004-770432964e9a} 728 "\\.\pipe\gecko-crash-server-pipe.728" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5492 -childID 4 -isForBrowser -prefsHandle 5568 -prefMapHandle 5564 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1324 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6bb97e44-0be7-4ab2-9029-b8e4dd4b21af} 728 "\\.\pipe\gecko-crash-server-pipe.728" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5684 -childID 5 -isForBrowser -prefsHandle 5760 -prefMapHandle 5756 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1324 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7a37829c-ab60-4fa4-b2a5-41cd2359ee05} 728 "\\.\pipe\gecko-crash-server-pipe.728" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5848 -childID 6 -isForBrowser -prefsHandle 5840 -prefMapHandle 6020 -prefsLen 27132 -prefMapSize 244628 -jsInitHandle 1324 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {744f4a7c-27da-48dc-846f-932b84b8da9d} 728 "\\.\pipe\gecko-crash-server-pipe.728" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3604 -parentBuildID 20240401114208 -prefsHandle 3460 -prefMapHandle 2760 -prefsLen 30451 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {006accc9-5a62-4eac-bb31-81d1e4b67096} 728 "\\.\pipe\gecko-crash-server-pipe.728" rdd
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3440 -childID 7 -isForBrowser -prefsHandle 6672 -prefMapHandle 6664 -prefsLen 27919 -prefMapSize 244628 -jsInitHandle 1324 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0be25cc4-5f70-479a-a6a1-38382af11388} 728 "\\.\pipe\gecko-crash-server-pipe.728" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6356 -childID 8 -isForBrowser -prefsHandle 5868 -prefMapHandle 6344 -prefsLen 27998 -prefMapSize 244628 -jsInitHandle 1324 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {687c2baa-06c9-498e-87fd-01dbfb0ff7ae} 728 "\\.\pipe\gecko-crash-server-pipe.728" tab
C:\Users\Admin\Downloads\WinNuke.98(1).exe
"C:\Users\Admin\Downloads\WinNuke.98(1).exe"
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Downloads\Melissa.doc" /o ""
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7252 -childID 9 -isForBrowser -prefsHandle 7216 -prefMapHandle 7220 -prefsLen 28038 -prefMapSize 244628 -jsInitHandle 1324 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {98c5cd8a-b634-472f-a577-6842a73470c1} 728 "\\.\pipe\gecko-crash-server-pipe.728" tab
C:\Users\Admin\Downloads\LoveYou.exe
"C:\Users\Admin\Downloads\LoveYou.exe"
C:\Users\Admin\Downloads\VeryFun.exe
"C:\Users\Admin\Downloads\VeryFun.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E0 0x00000000000004B4
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Users\Admin\Downloads\MrsMajor3.0.exe
"C:\Users\Admin\Downloads\MrsMajor3.0.exe"
C:\Windows\system32\wscript.exe
"C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\D3CD.tmp\D3CE.tmp\D3CF.vbs //Nologo
C:\Users\Admin\AppData\Local\Temp\D3CD.tmp\eulascr.exe
"C:\Users\Admin\AppData\Local\Temp\D3CD.tmp\eulascr.exe"
C:\Users\Admin\Downloads\PCToaster.exe
"C:\Users\Admin\Downloads\PCToaster.exe"
C:\Program Files\Java\jre-1.8\bin\javaw.exe
"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\Downloads\PCToaster.exe"
C:\Windows\SYSTEM32\attrib.exe
attrib +h C:\Users\Admin\Downloads\scr.txt
C:\Windows\SYSTEM32\diskpart.exe
diskpart /s C:\Users\Admin\Downloads\scr.txt
C:\Windows\SYSTEM32\takeown.exe
takeown /f V:\Boot /r
C:\Windows\SYSTEM32\takeown.exe
takeown /f V:\Recovery /r
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ff8f0303cb8,0x7ff8f0303cc8,0x7ff8f0303cd8
C:\Windows\SYSTEM32\taskkill.exe
taskkill /im lsass.exe /f
C:\Windows\SYSTEM32\mountvol.exe
mountvol A: /d
C:\Windows\SYSTEM32\mountvol.exe
mountvol B: /d
C:\Windows\SYSTEM32\mountvol.exe
mountvol D: /d
C:\Windows\SYSTEM32\mountvol.exe
mountvol E: /d
C:\Windows\SYSTEM32\mountvol.exe
mountvol F: /d
C:\Windows\SYSTEM32\mountvol.exe
mountvol G: /d
C:\Windows\SYSTEM32\mountvol.exe
mountvol H: /d
C:\Windows\SYSTEM32\mountvol.exe
mountvol I: /d
C:\Windows\SYSTEM32\mountvol.exe
mountvol J: /d
C:\Windows\SYSTEM32\mountvol.exe
mountvol K: /d
C:\Windows\SYSTEM32\mountvol.exe
mountvol L: /d
C:\Windows\SYSTEM32\mountvol.exe
mountvol M: /d
C:\Windows\SYSTEM32\mountvol.exe
mountvol N: /d
C:\Windows\SYSTEM32\mountvol.exe
mountvol O: /d
C:\Windows\SYSTEM32\mountvol.exe
mountvol P: /d
C:\Windows\SYSTEM32\mountvol.exe
mountvol Q: /d
C:\Windows\SYSTEM32\mountvol.exe
mountvol R: /d
C:\Windows\SYSTEM32\mountvol.exe
mountvol S: /d
C:\Windows\SYSTEM32\mountvol.exe
mountvol T: /d
C:\Windows\SYSTEM32\mountvol.exe
mountvol U: /d
C:\Windows\SYSTEM32\mountvol.exe
mountvol V: /d
C:\Windows\SYSTEM32\mountvol.exe
mountvol W: /d
C:\Windows\SYSTEM32\mountvol.exe
mountvol X: /d
C:\Windows\SYSTEM32\mountvol.exe
mountvol Y: /d
C:\Windows\SYSTEM32\mountvol.exe
mountvol Z: /d
C:\Windows\SYSTEM32\mountvol.exe
mountvol C: /d
Network
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:49761 | | tcp |
| US | 8.8.8.8:53 | spocs.getpocket.com | udp |
| US | 8.8.8.8:53 | firefox-api-proxy.cdn.mozilla.net | udp |
| US | 34.149.97.1:443 | firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net | tcp |
| US | 34.149.97.1:443 | firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| N/A | 127.0.0.1:49769 | | tcp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| GB | 216.58.204.68:443 | www.google.com | tcp |
| GB | 216.58.204.68:443 | www.google.com | udp |
| US | 35.190.72.216:443 | prod.classify-client.prod.webservices.mozgcp.net | tcp |
| US | 35.190.72.216:443 | prod.classify-client.prod.webservices.mozgcp.net | udp |
| GB | 88.221.134.155:80 | a19.dscg10.akamai.net | tcp |
| GB | 142.250.178.14:443 | redirector.gvt1.com | tcp |
| GB | 142.250.178.14:443 | redirector.gvt1.com | udp |
| DE | 74.125.111.136:443 | r3---sn-4g5edn6k.gvt1.com | tcp |
| DE | 74.125.111.136:443 | r3---sn-4g5edn6k.gvt1.com | udp |
| US | 52.111.229.43:443 | | tcp |
| GB | 216.58.212.241:443 | csp.withgoogle.com | tcp |
| GB | 216.58.212.241:443 | csp.withgoogle.com | udp |
| GB | 216.58.212.202:443 | ogads-pa.googleapis.com | tcp |
| GB | 216.58.212.202:443 | ogads-pa.googleapis.com | tcp |
| GB | 216.58.212.202:443 | ogads-pa.googleapis.com | udp |
| GB | 142.250.187.238:443 | play.google.com | tcp |
| GB | 142.250.187.238:443 | play.google.com | udp |
| GB | 142.250.180.14:443 | consent.google.com | tcp |
| GB | 142.250.180.14:443 | consent.google.com | udp |
| GB | 142.250.200.14:443 | encrypted-tbn0.gstatic.com | tcp |
| GB | 142.250.200.14:443 | encrypted-tbn0.gstatic.com | tcp |
| GB | 142.250.200.14:443 | encrypted-tbn0.gstatic.com | tcp |
| GB | 142.250.200.14:443 | encrypted-tbn0.gstatic.com | tcp |
| GB | 142.250.200.14:443 | encrypted-tbn0.gstatic.com | tcp |
| GB | 142.250.200.14:443 | encrypted-tbn0.gstatic.com | tcp |
| GB | 216.58.213.14:443 | encrypted-vtbn0.gstatic.com | tcp |
| GB | 142.250.200.14:443 | encrypted-tbn0.gstatic.com | udp |
| GB | 216.58.213.14:443 | encrypted-vtbn0.gstatic.com | udp |
| FR | 151.106.4.82:443 | bonzi.link | tcp |
| FR | 151.106.4.82:443 | bonzi.link | tcp |
| FR | 151.106.4.82:443 | bonzi.link | tcp |
| FR | 151.106.4.82:443 | bonzi.link | tcp |
| FR | 151.106.4.82:443 | bonzi.link | tcp |
| FR | 151.106.4.82:443 | bonzi.link | tcp |
| FR | 151.106.4.82:443 | bonzi.link | tcp |
| FR | 151.106.4.82:443 | bonzi.link | tcp |
| FR | 151.106.4.82:443 | bonzi.link | tcp |
| FR | 151.106.4.82:443 | bonzi.link | tcp |
| FR | 151.106.4.82:443 | bonzi.link | tcp |
| FR | 151.106.4.82:443 | bonzi.link | tcp |
| GB | 143.204.72.186:443 | www.mozilla.org | tcp |
| FR | 151.106.4.82:443 | bonzi.link | tcp |
| GB | 216.58.204.67:443 | id.google.com | tcp |
| GB | 216.58.212.241:443 | csp.withgoogle.com | udp |
| GB | 216.58.212.202:443 | ogads-pa.googleapis.com | udp |
| GB | 216.58.204.67:443 | id.google.com | udp |
| GB | 142.250.187.238:443 | play.google.com | udp |
| FR | 151.106.4.82:443 | bonzi.link | tcp |
| FR | 151.106.4.82:443 | bonzi.link | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 185.199.108.133:443 | avatars.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | avatars.githubusercontent.com | udp |
| US | 185.199.111.154:443 | github.githubassets.com | tcp |
| US | 185.199.111.154:443 | github.githubassets.com | tcp |
| US | 185.199.111.154:443 | github.githubassets.com | tcp |
| US | 185.199.111.154:443 | github.githubassets.com | tcp |
| US | 185.199.111.154:443 | github.githubassets.com | tcp |
| US | 185.199.111.154:443 | github.githubassets.com | tcp |
| US | 8.8.8.8:53 | github.githubassets.com | udp |
| US | 140.82.113.21:443 | glb-db52c2cf8be544.github.com | tcp |
| US | 140.82.113.21:443 | glb-db52c2cf8be544.github.com | tcp |
| GB | 20.26.156.210:443 | api.github.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | api.github.com | udp |
| US | 8.8.8.8:53 | roaming.officeapps.live.com | udp |
| NL | 52.109.89.19:443 | roaming.officeapps.live.com | tcp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| GB | 2.18.27.146:443 | metadata.templates.cdn.office.net | tcp |
| GB | 184.50.113.73:443 | binaries.templates.cdn.office.net | tcp |
| GB | 184.50.113.73:443 | binaries.templates.cdn.office.net | tcp |
| GB | 184.50.113.73:443 | binaries.templates.cdn.office.net | tcp |
| GB | 184.50.113.73:443 | binaries.templates.cdn.office.net | tcp |
| GB | 184.50.113.73:443 | binaries.templates.cdn.office.net | tcp |
| GB | 184.50.113.73:443 | binaries.templates.cdn.office.net | tcp |
| GB | 184.50.113.73:443 | binaries.templates.cdn.office.net | tcp |
| GB | 184.50.113.73:443 | binaries.templates.cdn.office.net | tcp |
| GB | 184.50.113.73:443 | binaries.templates.cdn.office.net | tcp |
| GB | 184.50.113.73:443 | binaries.templates.cdn.office.net | tcp |
| GB | 184.50.113.73:443 | binaries.templates.cdn.office.net | tcp |
| GB | 184.50.113.73:443 | binaries.templates.cdn.office.net | tcp |
| GB | 184.50.113.73:443 | binaries.templates.cdn.office.net | tcp |
| GB | 184.50.113.73:443 | binaries.templates.cdn.office.net | tcp |
| GB | 184.50.113.73:443 | binaries.templates.cdn.office.net | tcp |
| GB | 184.50.113.73:443 | binaries.templates.cdn.office.net | tcp |
| GB | 184.50.113.73:443 | binaries.templates.cdn.office.net | tcp |
| GB | 184.50.113.73:443 | binaries.templates.cdn.office.net | tcp |
| GB | 184.50.113.73:443 | binaries.templates.cdn.office.net | tcp |
| GB | 184.50.113.73:443 | binaries.templates.cdn.office.net | tcp |
| GB | 184.50.113.73:443 | binaries.templates.cdn.office.net | tcp |
| GB | 184.50.113.73:443 | binaries.templates.cdn.office.net | tcp |
| GB | 184.50.113.73:443 | binaries.templates.cdn.office.net | tcp |
| GB | 184.50.113.73:443 | binaries.templates.cdn.office.net | tcp |
| GB | 184.50.113.73:443 | binaries.templates.cdn.office.net | tcp |
| GB | 184.50.113.73:443 | binaries.templates.cdn.office.net | tcp |
| GB | 184.50.113.73:443 | binaries.templates.cdn.office.net | tcp |
| GB | 184.50.113.73:443 | binaries.templates.cdn.office.net | tcp |
| GB | 184.50.113.73:443 | binaries.templates.cdn.office.net | tcp |
| GB | 184.50.113.73:443 | binaries.templates.cdn.office.net | tcp |
| GB | 184.50.113.73:443 | binaries.templates.cdn.office.net | tcp |
| GB | 184.50.113.73:443 | binaries.templates.cdn.office.net | tcp |
| GB | 184.50.113.73:443 | binaries.templates.cdn.office.net | tcp |
| GB | 184.50.113.73:443 | binaries.templates.cdn.office.net | tcp |
| GB | 184.50.113.73:443 | binaries.templates.cdn.office.net | tcp |
| GB | 184.50.113.73:443 | binaries.templates.cdn.office.net | tcp |
| GB | 184.50.113.73:443 | binaries.templates.cdn.office.net | tcp |
| GB | 184.50.113.73:443 | binaries.templates.cdn.office.net | tcp |
| GB | 184.50.113.73:443 | binaries.templates.cdn.office.net | tcp |
| GB | 184.50.113.73:443 | binaries.templates.cdn.office.net | tcp |
| GB | 184.50.113.73:443 | binaries.templates.cdn.office.net | tcp |
| GB | 184.50.113.73:443 | binaries.templates.cdn.office.net | tcp |
| GB | 184.50.113.73:443 | binaries.templates.cdn.office.net | tcp |
| GB | 184.50.113.73:443 | binaries.templates.cdn.office.net | tcp |
| GB | 184.50.113.73:443 | binaries.templates.cdn.office.net | tcp |
| US | 8.8.8.8:53 | 73.113.50.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | collector.github.com | udp |
| US | 8.8.8.8:53 | glb-db52c2cf8be544.github.com | udp |
| GB | 20.26.156.210:443 | api.github.com | tcp |
| US | 8.8.8.8:53 | api.github.com | udp |
| US | 104.17.151.117:443 | www.mediafire.com | tcp |
| US | 104.17.151.117:443 | www.mediafire.com | tcp |
| US | 8.8.8.8:53 | www.mediafire.com | udp |
| US | 8.8.8.8:53 | 117.151.17.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ajax.googleapis.com | udp |
| US | 8.8.8.8:53 | static.mediafire.com | udp |
| US | 8.8.8.8:53 | static.cloudflareinsights.com | udp |
| GB | 142.250.180.10:443 | ajax.googleapis.com | tcp |
| US | 104.17.150.117:443 | static.mediafire.com | tcp |
| US | 104.17.150.117:443 | static.mediafire.com | tcp |
| US | 104.17.150.117:443 | static.mediafire.com | tcp |
| US | 104.17.150.117:443 | static.mediafire.com | tcp |
| US | 104.16.80.73:443 | static.cloudflareinsights.com | tcp |
| US | 8.8.8.8:53 | static.cloudflareinsights.com | udp |
| GB | 142.250.180.10:443 | ajax.googleapis.com | udp |
| GB | 142.250.178.14:443 | translate.google.com | tcp |
| US | 8.8.8.8:53 | www3.l.google.com | udp |
| US | 8.8.8.8:53 | www3.l.google.com | udp |
| US | 8.8.8.8:53 | 10.180.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 117.150.17.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.80.16.104.in-addr.arpa | udp |
| GB | 142.250.178.14:443 | www3.l.google.com | udp |
| US | 8.8.8.8:53 | 42.200.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | translate.googleapis.com | udp |
| GB | 172.217.16.234:443 | translate.googleapis.com | tcp |
| US | 8.8.8.8:53 | translate.googleapis.com | udp |
| US | 8.8.8.8:53 | translate.googleapis.com | udp |
| GB | 172.217.16.234:443 | translate.googleapis.com | udp |
| US | 8.8.8.8:53 | translate-pa.googleapis.com | udp |
| GB | 172.217.16.234:443 | translate-pa.googleapis.com | tcp |
| US | 8.8.8.8:53 | translate-pa.googleapis.com | udp |
| US | 8.8.8.8:53 | translate-pa.googleapis.com | udp |
| GB | 172.217.16.234:443 | translate-pa.googleapis.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| GB | 20.26.156.210:443 | api.github.com | tcp |
| US | 8.8.8.8:53 | api.github.com | udp |
| US | 8.8.8.8:53 | glb-db52c2cf8be544.github.com | udp |
| US | 8.8.8.8:53 | drive.google.com | udp |
| GB | 142.250.180.14:443 | drive.google.com | tcp |
| GB | 142.250.200.1:443 | drive.usercontent.google.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 20.189.173.21:443 | nw-umwatson.events.data.microsoft.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| GB | 20.26.156.210:443 | api.github.com | tcp |
Files
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
| MD5 | 27152171537c47796aa7194ac41383bc |
| SHA1 | 430c380ea885fce765a771cc40cbfe6358b4d04c |
| SHA256 | 28276ad4adb3f540918a28a722f10a63406037b96a14e05565e31ec90c605c22 |
| SHA512 | 044ded8d45d2249f69ae617768398a33cf060618f1cb583aa9d9a34171de10bf3e23f6e49b3c0b8ca872f5ecbe98e841168fb3e94fdef2efbb299a3cbc01f616 |
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
| MD5 | f8f606a032719f0447a78d9b50fb672f |
| SHA1 | 45d741cb2185064eb8c06a91d79c928fcb657abe |
| SHA256 | d5e5bb3e87ef84f4e352d277fbe38a57f65ed50c0f8309dbff43d57af778b3ca |
| SHA512 | 96169b9bcfce9f671452010340d707e2dd3a60a1ba2847cccbf1fff2dd11d0f74dfdc74cb9c20015bdbe95479f52501f9ee30ac634f547006104fba349472b65 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\datareporting\glean\pending_pings\e04c748c-0e16-492e-b151-5fb86294b2b6
| MD5 | 603a91526deddfb1677fcb1b224b21fe |
| SHA1 | afe494fb80c749dda26a76b8eac844c15037c561 |
| SHA256 | d80a52ee91b36600fecc15a5ed0c3fff81891bf8491d269a9c483497fa872110 |
| SHA512 | 92f1b7e9295aeadd8ed642772372fbb9f64c99be9fb3fd91a4d0d1f6cba07160ba6122db3a46eb39432f8914cf0d991967f61023dd9a0f9d16bb7e2b62db8391 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\datareporting\glean\pending_pings\657d5a42-2cba-42e1-a0e4-6c6c3b6d38e1
| MD5 | 04496489d4e0e53ea3a01c3e43eac8cc |
| SHA1 | 793a9aa2f7110465ac1ed520cfd02aa0d8f169d1 |
| SHA256 | d40ec77ff0d9e0b9b11fd15af555bb15189efdd562dd117ccc16f76cce3e5f46 |
| SHA512 | 623e225dbc6e0a9a800f25f6e10297797da4fe35904bd877ddaa9c0281ed4d4deedb373f5e536ef3f5c3cd3827d8a62d7eef9ebfbb5704a3484657e9728be742 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\datareporting\glean\pending_pings\de9fa218-1bf5-47c6-b836-a24afc232771
| MD5 | f271b6f80fcf33e6b155d3cf472b9ffa |
| SHA1 | 1062ae0ff7ca223745fe20522fb7fc1e48a3b749 |
| SHA256 | 71ae02f36a44b9e5c9dc46f69aa70ec57f229fda125b321717dad713bbf961ad |
| SHA512 | 4f9f6d2ddf252e4de7f0bc842be249e945a8277b870f70916bcfdbf94fe24b36d06b9405c96539060a2b87fd738661f912d22d77d38b742f56ad6e77731104c9 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\datareporting\glean\db\data.safe.tmp
| MD5 | ebed5934036d29db8455fe6ee327237b |
| SHA1 | 32611db6c6fdb97ba65e9d7b5d1e9e7d6d554e2d |
| SHA256 | 49f51bfa867d7db900fff0a7d726cb7484732bdc1d544cc23feebe7e4f0d98c3 |
| SHA512 | ee6afdc5a7a1e9de3d93aabd17b9bf6c0e7fd46951593bca52dd91df843b975d1386df37642ad66fff5f3b810e67fd5b17ba013e425cdc48691d0966d914a427 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\datareporting\glean\db\data.safe.tmp
| MD5 | eba9f0ef5357572817b016811965b797 |
| SHA1 | 6920a8271292831bf1b31bbf0c2ae1f218be4af1 |
| SHA256 | 6f0a4c75a19282276cbef131804f7269b3b515df8f282b1241bfb08e4c15fe7b |
| SHA512 | 4d4c21edcc2998b6ca04f6a996dc8fbd79ab66d99434550c72cae3f17698500934d2b0a736de0ca9f03dfa8d9992f2c6e1d583f2d90825f3df26726f2cf99c8d |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\pzaexue0.default-release\activity-stream.discovery_stream.json
| MD5 | 3dc631567716eb1c874e91573aae7d5b |
| SHA1 | d82fdb8b26f2583688ed02d6838b98cdec9034b6 |
| SHA256 | 53b717bd069c7f70b38b7146b3bed97b93625c34bde7da80730d5d5a98526ab3 |
| SHA512 | 76f7f9159032063b23422dac6996855a152caaf0f5dbeb1770288fa2a0937e5499155c19d233315878c6d5c4a355a235e68431c581bf43b7f20798155efc8294 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\prefs.js
| MD5 | 6fdbf85ed922a668d8d583d39d30602d |
| SHA1 | 01dc9c0683375bcaa01db00e4389d29d8736b5e4 |
| SHA256 | efd6a361bb754ad80e446117c42b1003ddca21b5f3a4ebf6e2b4e92a7ce6ed0b |
| SHA512 | 69216e97fd265b30fa51ed746dc4477eaadfa4ae2b846d6bbd7bf28b82e7f022b32833c9ea58f3864056e679d4a6cf17449bac02fd4acb65439501d8173ae0f3 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\prefs.js
| MD5 | 1dc085f4e38b4490564812f42ec37c31 |
| SHA1 | 7046e7f07cf36ee241c592e74972bb5483f40a35 |
| SHA256 | 5c385deb2946ab9788d74f57172df1895274f6bbc11b34cbb38ca7665b121b55 |
| SHA512 | 8392b127b8c09a9ca6d8777883505ff3df726aa7d374eb4fec24ee7ed01433c27b4d2ede7eedd87cd7ab8416fb4b86663a390d5b46e2123ab5b541a51db69659 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
| MD5 | 9514237c10ef9e6dcc1c0826bc6f2ca7 |
| SHA1 | 82cba885af6f80de0ad3c3d736e4376d1cf7d5c1 |
| SHA256 | a225d9a312e86f5a02b149e5e02a5b9583b3df9a1dde49cd690670e6db6b2677 |
| SHA512 | fbf7e612a0f86bca961832c274de682259617775d7641c96ddc51b646eba87a233a2522c54bdf291bcbeeb85ee83bddcdb3a170adadeaf9bf94b2c87e4cdc4aa |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\AlternateServices.bin
| MD5 | f2d04b893fd5994ed03688d2fa3bd085 |
| SHA1 | 8daa4edb56ae9ec83e7eb055bf8ec39564088f31 |
| SHA256 | 9b98341d82ec6d8fa20073d7606cf5777724abeb080fe90f21e7cf36b2bce4ca |
| SHA512 | f4ced469973e5e683bcb27c2f4c9b3be915991ef8f9ca16548635fe484f4b61acfc4b9d065aa2e87acfdd84039f54f6c6cae336e843ed14c17edd736c475d002 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\datareporting\glean\db\data.safe.tmp
| MD5 | 6578bcec197112f3cf5e82fb1d521bda |
| SHA1 | 425ae8c2fe382ef6894a6d0e03405e183bf2af93 |
| SHA256 | 2ceeafa4f305b968985ce9b0893675e76db91ef26be6f05ea3fbeb7e2592bb61 |
| SHA512 | 67045ae73fec53507280a57f50aec62ba9bd7d75c51df11ac20ed538c666e403c60dda420570d37fbe330ff9c58ea6c3e15d5a9eefb45e083f62778f73db9518 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\sessionstore-backups\recovery.baklz4
| MD5 | 0526a6c68430736b64446693ca363159 |
| SHA1 | 6f557ba52f462eaf2a77ae38931e05c8302960ce |
| SHA256 | f99751e058f818273bf6540cda6797bf61bec67a070ff79a8d00dcd0c7c9851d |
| SHA512 | 89ecce09d892f7bee8404e0f9f0363a10d969dc38443cb55e077aba4f3cec0ca85d5b3500d6a19e9b98e91b046faaa1b00686bfe6c3336e9086ed2ff305c5073 |