Malware Analysis Report

2024-11-30 19:35

Sample ID 240921-nz43va1crr
Target 37626322_1871171556512529_4700140521996156928_n.jpg
SHA256 bab52efb1c11cba17e9ae78fdb51c2d8c825af93538eee05b12b2e30b8a0d6e2
Tags
bootkit defense_evasion discovery evasion persistence trojan upx agilenet privilege_escalation adware ransomware stealer
score
10/10

Analysis Overview

Threat Level: Known bad

The file 37626322_1871171556512529_4700140521996156928_n.jpg was found to be: Known bad.

Malicious Activity Summary

UAC bypass

Adds autorun key to be loaded by Explorer.exe on startup

Modifies WinLogon for persistence

Disables RegEdit via registry modification

Event Triggered Execution: AppInit DLLs

Downloads MZ/PE file

Disables Task Manager via registry modification

Event Triggered Execution: Image File Execution Options Injection

Boot or Logon Autostart Execution: Active Setup

Manipulates Digital Signatures

UPX packed file

Modifies file permissions

Checks computer location settings

Checks BIOS information in registry

Obfuscated with Agile.Net obfuscator

Modifies system executable filetype association

Loads dropped DLL

Executes dropped EXE

Installs/modifies Browser Helper Object

Drops desktop.ini file(s)

Indicator Removal: File Deletion

Modifies WinLogon

Checks whether UAC is enabled

Enumerates connected drives

Legitimate hosting services abused for malware hosting/C2

Checks installed software on the system

Maps connected drives based on registry

Writes to the Master Boot Record (MBR)

Sets desktop wallpaper using registry

Suspicious use of SetThreadContext

AutoIT Executable

Subvert Trust Controls: Mark-of-the-Web Bypass

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Browser Information Discovery

Access Token Manipulation: Create Process with Token

Event Triggered Execution: Netsh Helper DLL

Modifies Control Panel

Views/modifies file attributes

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Modifies data under HKEY_USERS

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious behavior: AddClipboardFormatListener

NTFS ADS

Kills process with taskkill

Suspicious use of SetWindowsHookEx

System policy modification

Modifies Internet Explorer settings

Suspicious behavior: GetForegroundWindowSpam

Checks SCSI registry key(s)

Modifies Internet Explorer start page

Suspicious behavior: EnumeratesProcesses

Enumerates system info in registry

Suspicious use of FindShellTrayWindow

Modifies registry class

Gathers network information

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported

2024-09-21 11:51

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-21 11:51

Reported

2024-09-21 12:10

Platform

win10-20240404-en

Max time kernel

1155s

Max time network

1170s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\37626322_1871171556512529_4700140521996156928_n.jpg

Signatures

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\DB.EXE N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (10 identical entries, no details recorded)

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\DB.EXE N/A

Indicator Removal: File Deletion

defense_evasion

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\physicaldrive0 C:\Users\Admin\AppData\Local\Temp\SB.EXE N/A

Subvert Trust Controls: Mark-of-the-Web Bypass

defense_evasion
Description Indicator Process Target
File created C:\Users\Admin\Downloads\Ana.exe:Zone.Identifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
File created C:\Users\Admin\Downloads\ArcticBomb.exe:Zone.Identifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
File created C:\Users\Admin\Downloads\ArcticBomb(1).exe:Zone.Identifier C:\Program Files\Mozilla Firefox\firefox.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\ArcticBomb(1).exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\Ana.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\AV2.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\AV.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\DB.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\EN.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\SB.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\ArcticBomb.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

NTFS ADS

Description Indicator Process Target
File created C:\Users\Admin\Downloads\Walker.com:Zone.Identifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
File created C:\Users\Admin\Downloads\ArcticBomb.exe:Zone.Identifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
File created C:\Users\Admin\Downloads\ArcticBomb(1).exe:Zone.Identifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
File created C:\Users\Admin\Downloads\Ana.exe:Zone.Identifier C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\DB.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DB.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DB.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DB.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DB.EXE N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DB.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DB.EXE N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DB.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A (28 identical entries)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1808 wrote to memory of 1400 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe (11 identical entries)
PID 1400 wrote to memory of 640 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe (2 identical entries)
PID 1400 wrote to memory of 3796 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe (48 identical entries)
PID 1400 wrote to memory of 4268 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe (3 identical entries)

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\37626322_1871171556512529_4700140521996156928_n.jpg

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1400.0.1194124552\495465691" -parentBuildID 20221007134813 -prefsHandle 1744 -prefMapHandle 1736 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {aab21ac8-b10d-41c2-a554-d24f51656224} 1400 "\\.\pipe\gecko-crash-server-pipe.1400" 1824 2922aed7058 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1400.1.1820892807\106588220" -parentBuildID 20221007134813 -prefsHandle 2152 -prefMapHandle 2148 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f9ef8649-3b38-47f8-873a-822933c08e90} 1400 "\\.\pipe\gecko-crash-server-pipe.1400" 2180 29218be4158 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1400.2.909716552\1633828768" -childID 1 -isForBrowser -prefsHandle 2740 -prefMapHandle 2692 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1112 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ecf161eb-aa06-4af6-9e6a-d9d6029768f0} 1400 "\\.\pipe\gecko-crash-server-pipe.1400" 2828 2922f098858 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1400.3.354299094\979098068" -childID 2 -isForBrowser -prefsHandle 3412 -prefMapHandle 3408 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1112 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e49a3d3b-158f-4d6e-a184-367fc841fcaf} 1400 "\\.\pipe\gecko-crash-server-pipe.1400" 3400 29218b61f58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1400.4.1826464598\874103315" -childID 3 -isForBrowser -prefsHandle 4408 -prefMapHandle 4404 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1112 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {258422a3-d2df-4f84-9233-35db0e5a0c75} 1400 "\\.\pipe\gecko-crash-server-pipe.1400" 4420 292300ea258 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1400.5.792260466\1533761300" -childID 4 -isForBrowser -prefsHandle 4868 -prefMapHandle 4864 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1112 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bd57bfb6-41e4-44a9-a132-30c653c8b11a} 1400 "\\.\pipe\gecko-crash-server-pipe.1400" 4884 2923155bf58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1400.6.1092433181\331666472" -childID 5 -isForBrowser -prefsHandle 5028 -prefMapHandle 5032 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1112 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2ce27744-7097-483b-9040-6bda7f13d5a9} 1400 "\\.\pipe\gecko-crash-server-pipe.1400" 5020 292316af558 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1400.7.1657614343\1007215010" -childID 6 -isForBrowser -prefsHandle 5228 -prefMapHandle 5232 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1112 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2f46921d-f9e6-44f2-aec5-19a1bc842911} 1400 "\\.\pipe\gecko-crash-server-pipe.1400" 5220 292316afe58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1400.8.1020263999\452802352" -childID 7 -isForBrowser -prefsHandle 5688 -prefMapHandle 5684 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1112 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2b440cfb-6830-47d6-b65a-36cc894e47aa} 1400 "\\.\pipe\gecko-crash-server-pipe.1400" 5696 2923374f458 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1400.9.188943350\502607874" -childID 8 -isForBrowser -prefsHandle 5988 -prefMapHandle 5640 -prefsLen 26689 -prefMapSize 233444 -jsInitHandle 1112 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0eecffca-116c-4edd-a43f-a40c55d099e9} 1400 "\\.\pipe\gecko-crash-server-pipe.1400" 5996 29233f2ee58 tab

C:\Users\Admin\Downloads\ArcticBomb.exe

"C:\Users\Admin\Downloads\ArcticBomb.exe"

C:\Users\Admin\Downloads\ArcticBomb(1).exe

"C:\Users\Admin\Downloads\ArcticBomb(1).exe"

C:\Users\Admin\Downloads\Ana.exe

"C:\Users\Admin\Downloads\Ana.exe"

C:\Users\Admin\AppData\Local\Temp\AV.EXE

"C:\Users\Admin\AppData\Local\Temp\AV.EXE"

C:\Users\Admin\AppData\Local\Temp\AV2.EXE

"C:\Users\Admin\AppData\Local\Temp\AV2.EXE"

C:\Users\Admin\AppData\Local\Temp\DB.EXE

"C:\Users\Admin\AppData\Local\Temp\DB.EXE"

C:\Users\Admin\AppData\Local\Temp\EN.EXE

"C:\Users\Admin\AppData\Local\Temp\EN.EXE"

C:\Users\Admin\AppData\Local\Temp\SB.EXE

"C:\Users\Admin\AppData\Local\Temp\SB.EXE"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\EN.EXE > nul

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4608.0.1438447421\874826262" -parentBuildID 20221007134813 -prefsHandle 1516 -prefMapHandle 1500 -prefsLen 21202 -prefMapSize 233536 -appDir "C:\Program Files\Mozilla Firefox\browser" - {92a45f87-779d-4f4c-a1cd-439a9f4fca96} 4608 "\\.\pipe\gecko-crash-server-pipe.4608" 1604 13f09ae5658 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4608.1.87610082\1992105305" -parentBuildID 20221007134813 -prefsHandle 1948 -prefMapHandle 1944 -prefsLen 21247 -prefMapSize 233536 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5e105288-8c49-47c0-a2c3-6fce843913e3} 4608 "\\.\pipe\gecko-crash-server-pipe.4608" 1968 13f09735a58 socket

C:\Windows\SysWOW64\mycomputz.exe

C:\Windows\SysWOW64\mycomputz.exe

C:\Windows\SysWOW64\ipconfig.exe

"C:\Windows\system32\ipconfig.exe" /flushdns

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4608.2.1412574727\383529057" -childID 1 -isForBrowser -prefsHandle 2628 -prefMapHandle 2624 -prefsLen 21708 -prefMapSize 233536 -jsInitHandle 900 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1ecd29d7-5e6e-4e84-824b-5a83af5e334a} 4608 "\\.\pipe\gecko-crash-server-pipe.4608" 2640 13f0e244058 tab

C:\Windows\SysWOW64\cmd.exe

/c C:\Users\Admin\AppData\Local\Temp\~unins9203.bat "C:\Users\Admin\AppData\Local\Temp\DB.EXE"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4608.3.1803188251\728282023" -childID 2 -isForBrowser -prefsHandle 3372 -prefMapHandle 3368 -prefsLen 26100 -prefMapSize 233536 -jsInitHandle 900 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {069da02b-fafd-42c7-82fa-7ce104515695} 4608 "\\.\pipe\gecko-crash-server-pipe.4608" 3376 13f10074d58 tab

Network

Country Destination Domain Proto
US 8.8.8.8:53 201.64.52.20.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
N/A 127.0.0.1:49772 N/A tcp
N/A 127.0.0.1:49778 N/A tcp
US 8.8.8.8:53 166.188.117.34.in-addr.arpa udp
US 8.8.8.8:53 79.70.235.44.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
GB 216.58.204.68:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
GB 216.58.204.68:443 www.google.com udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 68.204.58.216.in-addr.arpa udp
US 8.8.8.8:53 35.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 csp.withgoogle.com udp
GB 216.58.212.241:443 csp.withgoogle.com tcp
US 8.8.8.8:53 csp.withgoogle.com udp
US 8.8.8.8:53 csp.withgoogle.com udp
GB 216.58.212.241:443 csp.withgoogle.com udp
US 8.8.8.8:53 ogads-pa.googleapis.com udp
GB 142.250.187.234:443 ogads-pa.googleapis.com tcp
GB 142.250.187.234:443 ogads-pa.googleapis.com tcp
US 8.8.8.8:53 ogads-pa.googleapis.com udp
US 8.8.8.8:53 ogads-pa.googleapis.com udp
GB 142.250.187.234:443 ogads-pa.googleapis.com udp
US 8.8.8.8:53 2.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 241.212.58.216.in-addr.arpa udp
US 8.8.8.8:53 234.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.187.238:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.187.238:443 play.google.com udp
US 8.8.8.8:53 238.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 consent.google.com udp
GB 142.250.180.14:443 consent.google.com tcp
US 8.8.8.8:53 consent.google.com udp
US 8.8.8.8:53 consent.google.com udp
GB 142.250.180.14:443 consent.google.com udp
US 8.8.8.8:53 14.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 github.githubassets.com udp
US 8.8.8.8:53 github.githubassets.com udp
US 185.199.111.154:443 github.githubassets.com tcp
US 185.199.111.154:443 github.githubassets.com tcp
US 185.199.111.154:443 github.githubassets.com tcp
US 185.199.111.154:443 github.githubassets.com tcp
US 185.199.111.154:443 github.githubassets.com tcp
US 185.199.111.154:443 github.githubassets.com tcp
US 8.8.8.8:53 github.githubassets.com udp
US 8.8.8.8:53 avatars.githubusercontent.com udp
US 185.199.109.133:443 avatars.githubusercontent.com tcp
US 185.199.109.133:443 avatars.githubusercontent.com tcp
US 8.8.8.8:53 avatars.githubusercontent.com udp
US 8.8.8.8:53 avatars.githubusercontent.com udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 154.111.199.185.in-addr.arpa udp
US 8.8.8.8:53 133.109.199.185.in-addr.arpa udp
US 8.8.8.8:53 collector.github.com udp
US 8.8.8.8:53 api.github.com udp
US 8.8.8.8:53 glb-db52c2cf8be544.github.com udp
US 140.82.114.21:443 collector.github.com tcp
US 140.82.114.21:443 collector.github.com tcp
US 8.8.8.8:53 glb-db52c2cf8be544.github.com udp
GB 20.26.156.210:443 api.github.com tcp
US 8.8.8.8:53 api.github.com udp
US 8.8.8.8:53 api.github.com udp
US 8.8.8.8:53 21.114.82.140.in-addr.arpa udp
US 8.8.8.8:53 210.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 glb-db52c2cf8be544.github.com udp
US 8.8.8.8:53 glb-db52c2cf8be544.github.com udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
US 8.8.8.8:53 collector.github.com udp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 glb-db52c2cf8be544.github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 glb-db52c2cf8be544.github.com udp
US 8.8.8.8:53 api.github.com udp
GB 20.26.156.210:443 api.github.com tcp
US 8.8.8.8:53 api.github.com udp
GB 20.26.156.210:443 api.github.com tcp
US 8.8.8.8:53 collector.github.com udp
US 8.8.8.8:53 glb-db52c2cf8be544.github.com udp
US 8.8.8.8:53 glb-db52c2cf8be544.github.com udp
GB 20.26.156.210:443 api.github.com tcp
US 8.8.8.8:53 aeravine.com udp
US 8.8.8.8:53 middlechrist.com udp
US 8.8.8.8:53 bemachin.com udp
US 66.96.162.135:80 middlechrist.com tcp
US 8.8.8.8:53 135.162.96.66.in-addr.arpa udp
US 8.8.8.8:53 imagehut4.cn udp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 github.githubassets.com udp
US 8.8.8.8:53 github.githubassets.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 avatars.githubusercontent.com udp
US 8.8.8.8:53 avatars.githubusercontent.com udp
US 8.8.8.8:53 github.githubassets.com udp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 avatars.githubusercontent.com udp
US 8.8.8.8:53 github.com udp
US 45.196.163.119:80 imagehut4.cn tcp
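The table above mixes four kinds of rows: resolver queries to 8.8.8.8, reverse (in-addr.arpa) lookups, TLS sessions to GitHub infrastructure that the report itself flags as abused hosting, and two plaintext HTTP sessions to hosts that are not GitHub at all. The following Python is an added triage example, not code from the report or the sandbox vendor; it parses rows in the report's own layout (a constructed subset copied from above) and separates the hosts worth blocking or hunting from the noise. The GitHub suffix list and the treatment of PTR queries as non-sample traffic are assumptions stated in the comments.

```python
"""Triage of a sandbox network table: separate resolver and reverse-lookup
noise from the endpoints the sample actually talked to.
Added example; this is not code from the report or the sandbox vendor."""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

# Constructed sample: a subset of rows copied from the table above, in the
# report's "COUNTRY IP:PORT HOST PROTO" layout.
SAMPLE_ROWS = """\
US 185.199.111.154:443 github.githubassets.com tcp
US 8.8.8.8:53 github.githubassets.com udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 140.82.114.21:443 collector.github.com tcp
GB 20.26.156.210:443 api.github.com tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 aeravine.com udp
US 8.8.8.8:53 middlechrist.com udp
US 8.8.8.8:53 bemachin.com udp
US 66.96.162.135:80 middlechrist.com tcp
US 8.8.8.8:53 imagehut4.cn udp
US 45.196.163.119:80 imagehut4.cn tcp
"""

# Suffixes of the legitimate hosting service the report flags as abused
# (raw.githubusercontent.com).  Assumption: sessions to these are labelled
# rather than discarded, since the payload host is among them.
KNOWN_HOSTING_SUFFIXES = ("github.com", "githubusercontent.com", "githubassets.com")


@dataclass(frozen=True)
class Row:
    country: str
    ip: str
    port: int
    host: str
    proto: str


def parse_rows(text):
    """Parse report rows; blank or malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        country, endpoint, host, proto = parts
        ip, _, port = endpoint.rpartition(":")
        ipaddress.ip_address(ip)  # raises ValueError on a garbled address
        rows.append(Row(country, ip, int(port), host.lower(), proto.lower()))
    return rows


def is_known_hosting(host):
    return any(host == s or host.endswith("." + s) for s in KNOWN_HOSTING_SUFFIXES)


def triage(rows):
    """Group hosts by what the rows actually show about them."""
    lookups = set()
    connections = defaultdict(set)  # host -> {(ip, port, proto)}
    for r in rows:
        if r.proto == "udp" and r.port == 53:
            # Assumption: reverse lookups come from the OS or sandbox tooling,
            # not from the sample, so they are not treated as sample IOCs.
            if not r.host.endswith(".in-addr.arpa"):
                lookups.add(r.host)
        else:
            connections[r.host].add((r.ip, r.port, r.proto))
    connected = set(connections)
    return {
        # Non-CDN hosts with a real TCP session: the C2/payload candidates.
        "candidate_c2": sorted(h for h in connected if not is_known_hosting(h)),
        "known_hosting": sorted(h for h in connected if is_known_hosting(h)),
        # Plaintext HTTP is inspectable in the pcap and trivial to block.
        "plaintext_http": sorted(h for h, eps in connections.items()
                                 if any(port == 80 for _, port, _ in eps)),
        # Resolved but never connected: dead or failed infrastructure that
        # still shows up in DNS logs on other hosts.
        "resolved_only": sorted(lookups - connected),
        "endpoints": {h: sorted(eps) for h, eps in connections.items()},
    }


if __name__ == "__main__":
    for section, hosts in triage(parse_rows(SAMPLE_ROWS)).items():
        print(f"{section}: {hosts}")
```

On the sample rows this yields middlechrist.com and imagehut4.cn as the plaintext-HTTP candidates, the four GitHub hosts as labelled known hosting, and aeravine.com and bemachin.com as names that were resolved but never connected to.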

Files

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\datareporting\glean\pending_pings\13505344-f1bf-413e-b2ec-11d1e30b0dc4

MD5 c00b9f12178a6012c8b56062b6815d9d
SHA1 7ce13adf57007c8d0bd930bd35eb3a34a8240fa7
SHA256 b51588cf34928cf958dc89d658a85ab4991665e777a6f8429f5928d5b9079e98
SHA512 2bdf73323617e85f87bcc669ba049f063d9fa7ad78aee5ddea37639a487d8d019662e4dca55a6726c292d6b15e94b88d03523115daea7261e0b3cf16382c1dfb

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\datareporting\glean\pending_pings\2b7ddf3f-9bc3-433a-a9ed-7e33ee15294d

MD5 ba3528ec498df5a3904eb51f2c90e836
SHA1 7873cae2ff9d061f49afccc0534ef3fb1f2343f0
SHA256 07d296fd805e9326730a1585d68e59a48cf8ac2c81c9399f08384ae2b6668837
SHA512 93e1dd62fde1c8bca5d34cd54c1ad30c85990acd6ff5e4c33c44b9c9485058350b13c96a833c7e046fe3fc20ececa8cb20b302a539d13ea82a3b6e09f7203fd4

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\datareporting\glean\db\data.safe.bin

MD5 9d85ac1a29f93eab165f208af618f2e0
SHA1 20902a4797e21c4d95815b78857b47a9cedbd244
SHA256 dd9c1c9f09a95e2807bcaa72af91603e2cfc26555df758e835088551d31800b1
SHA512 376a4bc1993565f1077e25aa0a1ac746cc99396de4552284002309720769e11ac3df613041ba4d1ac9d4a4f24a04ae9eea2aa84cbead39e6c53bf14eeee9d3bd

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 731c0e733fe1e3123d366af7c8e578ae
SHA1 9756304ea773dd9cd96e5996dc79de2ed6a9ae9c
SHA256 8f426b4be5e3440fa14d37480f018b7dc3d1a547b0e91c2fbfc6e31d9054a359
SHA512 d29e0f2356a3226f64692b390c122d4d70f09f677d9f5d086f2babaeba6574d670171edb24ff52f928871ec489680f57910e21fac1ca8ec08783a07d21b1f427

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\prefs-1.js

MD5 bc39fdb2d3244d67833144c54346b71c
SHA1 830db456161107e8bbbba88902aa3a18f8bf63df
SHA256 a539c3d8482c3e79420a8de8f5ab690efa61b4d09928ceadfd5f926c0f8b1078
SHA512 cc8b0bd732c58d1bd3b86f780356205d2ee270abce4be66bfd042096b0e6b4652c59a334cd6835fbb7ebacd6e0c03b4ac18722409fd1e3eb3c44a1d622e78595

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4

MD5 3551595fbd550f7c00acfad041fe572e
SHA1 e27dc7c5997e4dbe5bd8247292bcebfc95a607c3
SHA256 84e473f42716a608d880af06d84e34e1eed8b4cded5c18381ce864d458898869
SHA512 3a5eb980b8725f0cb1ce66152477b7a00e9be89342b53a1f9697a4dd158c1dc8c2976182225e63e27337f74d67725a343000741df1d45657453141ba6e76dbf0

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4

MD5 a3d7534b8582bd16a2d4d8dc66683dc4
SHA1 9cb2fc1ce875b6fde1e9461dae690174a4eb6b70
SHA256 bc91953e165ae442823719c6b789a9aab58d0d0f978c2648b8d5fc0321d79801
SHA512 435b2d738bd56dccd152b6c53d2064a7b0385ddd44876c68f694639d7c90738916e65570f83dca6683d6971f99cc4097de6888c6c55b2559f3dadafbd83dfa86

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4

MD5 8ff6da972d154ec2f4aced0bddd73c08
SHA1 2f133e690606213c470cc93c6d64c789b89ab7ae
SHA256 b27a690680dce6f8ea4fef7afe381b0d191525bac79952a5753d8417a5d0f0fd
SHA512 001fd91d9a7a62fdf277ceb46f3ae11aebf60c7019d561a83eda96d72e61d4ac9b35e96cee23da27fd8943a0447932ca2416728765dd2df723d1a8aa72b70211

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\je1358xf.default-release\cache2\doomed\18753

MD5 5e7962685f25769dcc60306047052f6f
SHA1 788ac63c914c6420680ea66cef40102aedd59501
SHA256 7d4b549af552bbd649eb1f69799b1a0a7d6c6bb5905a2caeba4bb4153f7db9ec
SHA512 dade87207781a208226c6153d0847f8f937895111f29795498d9200b652e4068ae5c83e30f15ec81175625c09c177a9396b967e071942085a54ea31511e86614

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4

MD5 cf833c04f0d994014093aa972eb3d964
SHA1 439d7ee32696773f41cefe9a9536c358152b370f
SHA256 f9c37f763269dfa246909e0e764a0974277dca626dc81d4f844af09c32220232
SHA512 eb7ea53dd2e08ef2c28b5ab90fe864ee0fdd6302ab8776af023882f1cea5be90b50e0c280b064dd6ba5a5054a4a0b722f2b955e60b5b7b04af21f1aa22373cc2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4

MD5 42a5ed09f3baeee09f828ce5e1877c3d
SHA1 707e55e60bc4b975d8416627072327933ae28d70
SHA256 3c6a958b281c53e9738569159b332538cef3c2478303b6173ec4280ce467da0a
SHA512 af939f332c1837d8130ff30d531f8e3e4d2c83e431d0c6643a8c15b273c8d71aa1fbffebb95879a49c9187e6552f68ddba46bb99f7f216f1320b7746ce77af28

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\je1358xf.default-release\cache2\doomed\29080

MD5 20cceee3ad45bed85bce35e1e6656e15
SHA1 5b9380e22b130cae01efff37f87b5e27e5f050d7
SHA256 33368acf76091171deded0ea45a8e960188bc92f1f58af793ef1342845c24b7d
SHA512 7da3c294a87ec122f03662740725ec8d553daeede79e267ac294aa7302e751b2139aed586501f487eacf9b67c78412ea7533edb17172804bf2e1517bb805dbdb

C:\Users\Admin\Downloads\2Np-ow6f.com.part

MD5 93ceffafe7bb69ec3f9b4a90908ece46
SHA1 14c85fa8930f8bfbe1f9102a10f4b03d24a16d02
SHA256 b87b48dcbf779b06c6ca6491cd31328cf840578d29a6327b7a44f9043ce1eb07
SHA512 c1cb5f15e2487f42d57ae0fa340e29c677fe24b44c945615ef617d77c2737ce4227d5a571547714973d263ed0a69c8893b6c51e89409261cdbedff612339d144

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4

MD5 fc1968301b15f394c1e82c91cac028e2
SHA1 c23df99c00f3892e2fa08d0ddbea2df8e16f4fcd
SHA256 0f0c27f82924baecf47eb45aade1f8248bb11e43c89da9fc2df1f7115de0c230
SHA512 91947fb70395cf301e7dfe1b63bb95b0fb78391be3363e1c19fa361b009dacb48f41f49ad5e48d4a2ef9b87e6cba5bb78239cd88a0e2a3334d570483755a7fa0

C:\Users\Admin\Downloads\ArcticBomb.exe

MD5 ea534626d73f9eb0e134de9885054892
SHA1 ab03e674b407aecf29c907b39717dec004843b13
SHA256 322eb96fc33119d8ed21b45f1cd57670f74fb42fd8888275ca4879dce1c1511c
SHA512 c8cda90323fd94387a566641ec48cb086540a400726032f3261151afe8a981730688a4dcd0983d9585355e22833a035ef627dbd1f643c4399f9ddce118a3a851

memory/1256-559-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1256-561-0x0000000000400000-0x0000000000454000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4

MD5 86b3958a0d33728dccd0cd99a690f86d
SHA1 761cbc34a54e80e819fa2d88293f2eed37ca6caf
SHA256 ec01c83b00ed74386258c1c9627382800889e8263f3434bcfd1d9fce2efb7e41
SHA512 c92cf97335ba1bdb7b7e2fed1db1e9494f252e0a66381089e4203d403579d385a6a7a6d287ef390e82f033253978cc77ec012922574b651c4bfecc870e7b2893

C:\Users\Admin\Downloads\ArcticBomb(1).exe:Zone.Identifier

MD5 dce5191790621b5e424478ca69c47f55
SHA1 ae356a67d337afa5933e3e679e84854deeace048
SHA256 86a3e68762720abe870d1396794850220935115d3ccc8bb134ffa521244e3ef8
SHA512 a669e10b173fce667d5b369d230d5b1e89e366b05ba4e65919a7e67545dd0b1eca8bcb927f67b12fe47cbe22b0c54c54f1e03beed06379240b05b7b990c5a641

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4

MD5 3955ad77b46aac4ae7a18bdb4134d1a7
SHA1 0b0a81fd66df7c4b643aaadc8c6946ad48875e9d
SHA256 8fbdfe85509a729241541c867f74772b733367bbcc008a9fca03087f1d707a58
SHA512 147db94645aee9b1b65a6baf2b64aa15315843cb64dc18a92cfb91a872393590f9be4d8f0db3b618d36ea0a2387dce2f1a950895b685a54134c987eff6eb6cf4

C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

MD5 f571faca510bffe809c76c1828d44523
SHA1 7a3ca1660f0a513316b8cd5496ac7dbe82f0e0c2
SHA256 117d7af0deb40b3fe532bb6cbe374884fa55ed7cfe053fe698720cdccb5a59cb
SHA512 a08bca2fb1387cc70b737520d566c7117aa3fdb9a52f5dbb0bb7be44630da7977882d8c808cbee843c8a180777b4ac5819e8bafda6b2c883e380dc7fb5358a51

C:\Users\Admin\AppData\Local\Temp\AV2.EXE

MD5 014578edb7da99e5ba8dd84f5d26dfd5
SHA1 df56d701165a480e925a153856cbc3ab799c5a04
SHA256 4ce5e8b510895abb204f97e883d8cbaacc29ccef0844d9ae81f8666f234b0529
SHA512 bd5159af96d83fc7528956c5b1bd6f93847db18faa0680c6041f87bbebef5e3ba2de1f185d77ff28b8d7d78ec4f7bd54f48b37a16da39f43314ef022b4a36068

C:\Users\Admin\AppData\Local\Temp\DB.EXE

MD5 c6746a62feafcb4fca301f606f7101fa
SHA1 e09cd1382f9ceec027083b40e35f5f3d184e485f
SHA256 b5a255d0454853c8afc0b321e1d86dca22c3dbefb88e5d385d2d72f9bc0109e6
SHA512 ee5dfa08c86bf1524666f0851c729970dbf0b397db9595a2bae01516299344edb68123e976592a83e492f2982fafe8d350ba2d41368eb4ecf4e6fe12af8f5642

C:\Users\Admin\AppData\Local\Temp\EN.EXE

MD5 621f2279f69686e8547e476b642b6c46
SHA1 66f486cd566f86ab16015fe74f50d4515decce88
SHA256 c17a18cf2c243303b8a6688aad83b3e6e9b727fcd89f69065785ef7f1a2a3e38
SHA512 068402b02f1056b722f21b0a354b038f094d02e4a066b332553cd6b36e3640e8f35aa0499a2b057c566718c3593d3cea6bbabd961e04f0a001fd45d8be8e1c4e

memory/780-678-0x0000000000400000-0x000000000040A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SB.EXE

MD5 9252e1be9776af202d6ad5c093637022
SHA1 6cc686d837cd633d9c2e8bc1eaba5fc364bf71d8
SHA256 ce822ff86e584f15b6abd14c61453bd3b481d4ec3fdeb961787fceb52acd8bd6
SHA512 98b1b3ce4d16d36f738478c6cf41e8f4a57d3a5ecfa8999d45592f79a469d8af8554bf4d5db34cb79cec71ce103f4fde1b41bd3cce30714f803e432e53da71ea

memory/3164-677-0x00000000006E0000-0x0000000000773000-memory.dmp

memory/3164-676-0x00000000006E0000-0x0000000000773000-memory.dmp

memory/3164-673-0x0000000000400000-0x0000000000445000-memory.dmp

memory/3164-669-0x00000000006E0000-0x0000000000773000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AV.EXE

MD5 f284568010505119f479617a2e7dc189
SHA1 e23707625cce0035e3c1d2255af1ed326583a1ea
SHA256 26c8f13ea8dc17443a9fa005610537cb6700aebaf748e747e9278d504e416eb1
SHA512 ebe96e667dfde547c5a450b97cd7534b977f4073c7f4cbc123a0e00baaefeb3be725c1cafbfb5bb040b3359267954cd1b4e2094ef71fc273732016ee822064bf

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore.jsonlz4

MD5 a34805b99f428cb70074d5f2d78c3dfe
SHA1 444f05b3ddada88b0974fc323d3644a3ceddb7a3
SHA256 68413111afa2da4fc0e509ee9862530612e619c6102dbcc618d72383e5a60a8c
SHA512 b0eff042693c404fadc7a01bc86fc4d78cbb8b4155d24b6bf320821525f0fac91dfe3fe912eb99cd6af424190551310f8400197bbffe96509415b568fd84aeda

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionCheckpoints.json.tmp

MD5 948a7403e323297c6bb8a5c791b42866
SHA1 88a555717e8a4a33eccfb7d47a2a4aa31038f9c0
SHA256 2fca1f29b73dd5b4159fa1eb16e69276482f5224ba7d2219a547039129a51f0e
SHA512 17e2f65c33f47c8bb4beca31db2aff3d4bbb6c2d36924057f9f847e207bdcb85ffcbb32c80dd06862ffc9b7f0bd3f5e2e65b48bb1bc3363732751101d5596b1a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\prefs-1.js

MD5 ceaf25bd8226744d44f9b39e4cca8c8d
SHA1 995e0f74c3fd6b12cb4496d89338bf75f32fc07d
SHA256 eea5e85c34e36f7c72a2b67dbd0ab004c95d77e7c44f5de50a54a4feccf234d8
SHA512 ce625bfbb593494a9d9b2f03287a71998a3a0c22bb5280409c9a1b32c8abe8532b15873a5194445c48bde4f952fffacfd6c932b7bd8254cbae04b3f88aab79bc

memory/292-709-0x0000000000400000-0x0000000000464000-memory.dmp

C:\Users\Admin\Downloads\tsa.crt

MD5 6e630504be525e953debd0ce831b9aa0
SHA1 edfa47b3edf98af94954b5b0850286a324608503
SHA256 2563fe2f793f119a1bae5cca6eab9d8c20409aa1f1e0db341c623e1251244ef5
SHA512 bbcf285309a4d5605e19513c77ef077a4c451cbef04e3cbdfec6d15cc157a9800a7ff6f70964b0452ddb939ff50766e887904eda06a9999fdedf5b2e8776ebd2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\prefs.js

MD5 39082ebf2fca5d04e11ba147a0f879a9
SHA1 923246af0d1fc4b5deaac58d20069275802a5bf6
SHA256 45f380b147da26e14dbcb22f8b887de4932acb1728529361dd6926dd9d8a980b
SHA512 cbf57a2c35368b76cc000b07f21d03930bd845f99abfe61ca0d6d213c5a055bf43cd9102a1ef89569b9bb48e0828918faca5d6726dac71cf2ef6266cb7965b0b

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\je1358xf.default-release\startupCache\scriptCache.bin

MD5 806c8a3b51f2fe28cbcbd7f52f419bf2
SHA1 3435c6656f7af0fe317c8898cc8e8113e913e754
SHA256 a0a3286de77e77061ca72c2443143deeeb05fafe4b2c8ed71084e89e02efd152
SHA512 68f19ed8a238b233ea9d99ac28ead6fa180769e5b4220718fb3291e7e318250dd5f26d6c74b3d0c126ddbe3d6234c71b5d9ae73b475b18ca36515022528ecf8c

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\je1358xf.default-release\startupCache\urlCache.bin

MD5 af90cd617ad3e778e3cd02819b7f627c
SHA1 5ddd5f72c5ae034cb5cc92afb9711967c162ca46
SHA256 0f74ff85ddcc919b98889449f96eb62933a1eff091037f3376826e192d935d14
SHA512 e1a8880a2975f958aacbadc107932e2c6914f5e1afb2f10f849d829d91f176c88d5ea0012d58cc7f41cd80b0feb693c16e329609f16ba2fa9f050a45a726d542

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\xulstore.json

MD5 58e240288763218d12bf235d34e5aee2
SHA1 89135494b57f590011c09668dec3b90d2c5ee9ae
SHA256 615f80e71dfde24711e7fefc1b7959f7592c5e5cf9ad0f3aecb4235b93187176
SHA512 caed2638902987aead199e73cffb90881bf245bbb616cb38c46b281d4aaaa54dc20a54e9bfe17a8d6e68847394c113fb7606e94b64f44ab0b52bf7846f26e936

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionCheckpoints.json

MD5 2ad4fe43dc84c6adbdfd90aaba12703f
SHA1 28a6c7eff625a2da72b932aa00a63c31234f0e7f
SHA256 ecb4133a183cb6c533a1c4ded26b663e2232af77db1a379f9bd68840127c7933
SHA512 2ee947dcf3eb05258c7a8c45cb60082a697dbe6d683152fe7117d20f7d3eb2beaaf5656154b379193cdc763d7f2f3b114cf61b4dd0f8a65326e662165ccf89cc

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\storage.sqlite

MD5 7acedb7ca4730c78e15b9064970882eb
SHA1 cc505a1dd39244c0a241e8801c9f4c46a6e1ec8c
SHA256 55f705f9992c910efde16e51777eda32d6bb06647f96300afd9345f54a95b773
SHA512 ac59804fcb7a2b0a046121e8d91de2fd384522db1028f6c3529c372d5b95bbea4cb959b838bd04ae5ce958e50d3213abb309a4e98aca2389f2b028e4dfdbf1db

C:\Windows\SysWOW64\mycomputz.exe

MD5 13c1948400ee6438c042b8c2f5111e12
SHA1 a076c602ad33e1ca9c051d76ecc53c4bb7ee5e2a
SHA256 074111162067466404adb584a3e237f9465326db237207cf43bddf91ff8d442d
SHA512 b96176cf00f5974ad095fcfd1726ea2282576e276e5479c64d6fe6f0031bb9238203d6e8ac925686f92e098f38ea2026fc4423ee174d2af0c9d3f32f9cb3f6cc

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionCheckpoints.json.tmp

MD5 ea8b62857dfdbd3d0be7d7e4a954ec9a
SHA1 b43bc4b3ea206a02ef8f63d5bfad0c96bf2a3b2a
SHA256 792955295ae9c382986222c6731c5870bd0e921e7f7e34cc4615f5cd67f225da
SHA512 076ee83534f42563046d25086166f82e1a3ec61840c113aec67abe2d8195daa247d827d0c54e7e8f8a1bbf2d082a3763577587e84342ec160ff97905243e6d19

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\cookies.sqlite

MD5 02d0d56bbef182f3d10b473565d596e0
SHA1 e564cc33469ce0aa68ba5f92bc98a243d47febdd
SHA256 fad994a46aee94d672fa91a9592dafa5e58c0fb7b6fbea750cbe9bc1ebbfcc74
SHA512 b52c849eef4bc3bc1c5bcaab746dc50fb020af23d51fba29a32f6338b5c5e849447143785310aa27d356505bab77007d41251d12c510e6c17600a1acb6676be7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\permissions.sqlite

MD5 691b907a9952c04871997d1ffaa368ee
SHA1 79dbbada7903cfa0f0562adae08702847527531b
SHA256 d010492cc94e3994a1ff513f441714a437d0eaf2ab7e2bf60928c700c6c113d6
SHA512 0971da31ae9b5dff1ce02ef4b76833d34ffd2b1e9330b3448607bf064fa3c514d8b5cb109f9b9e110cf3c5332cd672333558549aaf9f7e62a0101e8f2e17b3e9

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\SiteSecurityServiceState.txt

MD5 0678a963317f7749fb61b199aea7af00
SHA1 c4026f5fd1e0a20786937977f971a0fcd39b7f54
SHA256 b796e486339bfd00be4049fa8e6756bf06ef34a695caa46cf216f7db5cd05444
SHA512 de4c9ce7f248f9b3d4edff98216b76a5ce5bc2db85ec43e579fa8bfd533cc8b14b089e7077b1388d25c40f734f89a869773f353ef42fc990bd0c975673825672

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\cert9.db

MD5 307f0c89cf26cbe16fbfae57b8fedef3
SHA1 380fbbfa77afece139d1def4adf121a7e1b6190a
SHA256 2c0a63a3978341abc33e0191264efc14d02474e0c4584cd40b9e687f7819020d
SHA512 564b3ea7e3d87112e07bf7f84b3a59ddd43df79484cb4251a23c83846d68daf5d1c079e2348054d96aeda8209ba22fa83fc073f3d94578423e9d7de3f447ae1e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionCheckpoints.json.tmp

MD5 c4ab2ee59ca41b6d6a6ea911f35bdc00
SHA1 5942cd6505fc8a9daba403b082067e1cdefdfbc4
SHA256 00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2
SHA512 71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite

MD5 b98051da1f774676c72dcc23c8eff905
SHA1 2de134adeb049bb338b919e6ad9e334fe92cbe6a
SHA256 c39c3d00d2b2d7b85946c110294858ca19cf9cd6f2a0397e389b4dabd7bc0bbf
SHA512 a21ae96bd24f81c0b7a56b22de875911e8eaf6b1cc8c16dae346d2d0a4ce91c6d69bb9d8872611ebefc8364af22f71dc197425190a32c528f10954e922903c3d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\favicons.sqlite

MD5 273ce5a707b1f597317c5485192403dd
SHA1 073df859f6c0e237d20a7b7aac342dc7872a87a2
SHA256 d9c40b903e6961fbe193f5a791a838adb994f38f175da82b7b1bb3a65f50cefb
SHA512 1515beafa7b4e35fbbd53e663c1ffadb9a35abaca7c690feaf9ed1921773463c37e87f6a4191391d445b4eef9be0a8cb11bcf9917b1afa700cfe7ba52903a254

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\places.sqlite

MD5 35c1543efef5d8ecec78bd3718d636b5
SHA1 cad3dccea7668580bfd93f1f97ff38a6200820e2
SHA256 fb502ac0884df0f537787e7931da7c5fdbd9efc19f7908222a2af35691e3e98d
SHA512 979c0d49053177770b7b3e1c311ce64e8aef73feb7783fd99b5723686387bad4273ee135a1e1f02bc761a2f864113e5ffc0d03f7a0a8c418bc02bd0bb8f031d5

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\je1358xf.default-release\cache2\entries\6D89348819C8881868053197CA0754F36784BF5F

MD5 0681ab661cd5cc91a04b32c1f16d06bc
SHA1 92356a07339ab085b3863e15da27b616f31a3790
SHA256 b3b976a8ea567916b00f2a4687163cd586fd83a268c9b35c8b00537cfacdb61b
SHA512 36bbf5ebf1ea544a25f1c0a44b8cc28250f2d69bed8f2838f0fbf2cc6d8c3194a60760b7e2fe0a77eab4a29ea6bca606f29c1cdb2c5480c240ca56527fe22d4e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\protections.sqlite

MD5 49397db0486dc59d607907a086f40c9b
SHA1 08742ce9db9569062def08e99eea8470702feb7d
SHA256 890033ea279f13478e655150a823a5f84176d2f8f2ec3724dc61dfec775707c4
SHA512 fc8dad1ae2215cd96c41bb3e683670bb9138467677da46c19d1e58972775842a995b70123c22ea1efb659d043f5116d0c9dca422035a6646b35f81033c9f5f53

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\je1358xf.default-release\cache2\entries\6AC9BD0802E051FCD579CC69A96979DE29682F3D

MD5 27005a4b09fe98e628e816436aeb7145
SHA1 5f55f726aecc7f8bc46aa762a851750f78ef23ff
SHA256 dd5ec06980f3b06095e7166da5f47b24e8fce4609689712c56fb9eeec124f6bd
SHA512 c67d07ab0c5fa208db19fe50fb976ccaabffa12373bc6cb3e90830ccfd4aed0d7a3adc88554c25246bdd96917493d0a544e5ce1528e5839a82769475ce3c7de5

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\je1358xf.default-release\cache2\entries\B2A623C64294A75D2BAE299672048C8DE0717B8B

MD5 ba67e2bd5332dfa9f80dfb78bae0ea13
SHA1 b0c5f6ac1da1a42dad3fab9f69aced576fe7074f
SHA256 04c7796b840b513e7899dda45bf4375127b8d4cb8e186a58123836a97cf2fd3b
SHA512 aa10e475e108777989435c89354a484063a75b6a00489c7df783bd8562fd305e05f924d001e135585e14ad18375cd34b0b96056186db7717ce19c68869a0800f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\datareporting\glean\pending_pings\87608448-2d25-40f1-8111-c36ea92eecd3

MD5 25e24f130ed340e7bb0453bcf8c17b21
SHA1 8e0f79fcf0f009d11e28ae1329b7d75ef94c93ff
SHA256 111a917e8cc370824909db63c1dad4cbb635e66f403dfde7d826e51afb8c8151
SHA512 d075f621676f50c80ac4ab1a0b1c81035a236cd5cea46395b0cc6990929722adf52146ff4b88db15940ac6d9f776ebf1bc5e88a3f505c9a0234d8cb7d457b449

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\datareporting\glean\pending_pings\258f9413-0820-4339-9ceb-d6016483380a

MD5 3475432f465a00c30a105c6d106f63d5
SHA1 22f353771b98154600a2aec2108c4ff02a4678f9
SHA256 eaff0442a22c5cd83c29745ef55419f0676e39c25426bc127c13bfe41b2a5837
SHA512 91aa33f5fb17aff6c28136b4d2e4a7370e8efa43d8f7be4e49d907aff86dd881a52e87f45ddff85b165185e5f7f16b9c75d962f832ae5b06efa6b7b7fea63e8d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\datareporting\glean\db\data.safe.bin

MD5 2f43649b2dd9272af2881ab9d8394154
SHA1 ac3ea157f69e7e598e059e47c1841147efed6a20
SHA256 17ebb9b85add4307658cd9d354f830179f793d2338af718536b439e0d547ca52
SHA512 28fa6ec033a2a93d926910a243363165c81a5ff3f7a37637f68052177002d0033e4887bd18ee284d23046efb4f248e1d4855168a583d9d57bb3fdd4084921451

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\datareporting\glean\events\events

MD5 e61b9282c6a7e42b8a788aa2dccbed32
SHA1 51730cfc3aa92b55cae15ab2b496831f8cf73d5e
SHA256 fb14e43d781532b78b4a18b80782702cc731d6a4148b22340e4dbf43dcfcb3ce
SHA512 52148536c52c5ae2b1215959cd6e0b9ec645acdd56ef9cc14debfd474d1456185f7d6fb0164bb7e9a8dcb00dd8777078e0486724d41bd8ea0b17896ae45b77d8

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\AlternateServices.txt

MD5 d0eeda32db10751908fb5706b8fefc5f
SHA1 50d7b02c36e2b772b4b287e21e5289a3bcfaf789
SHA256 7cae2eca680dbb4ae1053f17fc575dd12d922353af68038b1ed30b75766d177c
SHA512 31933363d87e4660ffb1c27efd3135492087d747025bdf6e16af5b04a2a9ae7957790c91646a11a0068e9d74df4e897b1a5118b2a4a6b5ad1686a1a6a1b8a5ed

C:\Users\Admin\AppData\Local\Temp\~unins9203.bat

MD5 9e0a2f5ab30517809b95a1ff1dd98c53
SHA1 5c1eefdf10e67d1e9216e2e3f5e92352d583c9ce
SHA256 97ac9fee75a1f7b63b3115e9c4fb9dda80b1caba26d2fb51325670dee261fe32
SHA512 e959cc1fd48fb1cccf135a697924c775a3812bab211fc7f9b00c5a9d617261d84c5d6f7cb548774c1e8f46811b06ca39c5603d0e10cbcb7b805f9abbe49b9b42

memory/2452-877-0x00000000009B0000-0x0000000000A09000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-21 11:51

Reported

2024-09-21 12:06

Platform

win10v2004-20240802-en

Max time kernel

916s

Max time network

917s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\37626322_1871171556512529_4700140521996156928_n.jpg

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, wscript.exe \"C:\\Program Files\\mrsmajor\\Launcher.vbs\"" C:\Windows\System32\wscript.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\system32\wscript.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\System32\wscript.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\disableregistrytools = "1" C:\Windows\System32\wscript.exe N/A

Disables Task Manager via registry modification

evasion

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation C:\Windows\System32\wscript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Downloads\MrsMajor3.0.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation C:\Windows\system32\wscript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Downloads\BossDaMajor.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation C:\Windows\system32\wscript.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3881.tmp\eulascr.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\Program Files\\mrsmajor\\Icon_resource\\SkullIco.ico" C:\Windows\System32\wscript.exe N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Public\Music\desktop.ini C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\B: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\Y: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\I: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\R: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\Z: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\H: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\M: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\Q: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\U: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\B: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\P: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\W: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\E: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\N: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\S: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\J: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\A: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\G: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\O: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\T: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\K: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\L: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\V: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\X: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\mrsmajor\CPUUsage.vbs C:\Windows\system32\wscript.exe N/A
File created C:\Program Files\mrsmajor\def_resource\@Tile@@.jpg C:\Windows\system32\wscript.exe N/A
File created C:\Program Files\mrsmajor\mrsmajorlauncher.vbs C:\Windows\system32\wscript.exe N/A
File created C:\Program Files\mrsmajor\MrsMjrGui.exe C:\Windows\system32\wscript.exe N/A
File created C:\Program Files\mrsmajor\Doll_patch.xml C:\Windows\System32\wscript.exe N/A
File created C:\Program Files\mrsmajor\DreS_X.bat C:\Windows\system32\wscript.exe N/A
File created C:\Program Files\mrsmajor\Launcher.vbs C:\Windows\system32\wscript.exe N/A
File created C:\Program Files\mrsmajor\Icon_resource\SkullIco.ico C:\Windows\system32\wscript.exe N/A
File created C:\Program Files\mrsmajor\WinLogon.bat C:\Windows\system32\wscript.exe N/A
File created C:\Program Files\mrsmajor\CPUUsage.vbs C:\Windows\system32\wscript.exe N/A
File created C:\Program Files\mrsmajor\def_resource\Skullcur.cur C:\Windows\system32\wscript.exe N/A
File created C:\Program Files\mrsmajor\def_resource\f11.mp4 C:\Windows\system32\wscript.exe N/A
File created C:\Program Files\mrsmajor\MrsMjrGuiLauncher.bat C:\Windows\system32\wscript.exe N/A
File created C:\Program Files\mrsmajor\reStart.vbs C:\Windows\system32\wscript.exe N/A
File created C:\Program Files\mrsmajor\default.txt C:\Windows\system32\wscript.exe N/A
File created C:\Program Files\mrsmajor\def_resource\creepysound.mp3 C:\Windows\system32\wscript.exe N/A
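The signatures above give concrete host indicators: a Winlogon Shell value extended with wscript.exe and a VBS launcher, ConsentPromptBehaviorAdmin forced to 0, DisableRegistryTools set for the user hive, the exefile DefaultIcon redirected to a dropped .ico, and a drop directory under C:\Program Files\mrsmajor. The Python below is an added example for checking a Windows host against those indicators; it is not code from the report or the sandbox vendor. The evaluation is kept separate from collection so it can be run offline against the values the sandbox reported (constructed here from the tables above); live collection uses winreg and only runs on Windows. Assumptions: HKCU stands in for the S-1-5-21-... user hive shown in the report (other profiles need HKEY_USERS\<SID>), DisableTaskMgr is the standard policy value behind the "Disables Task Manager" signature that the report lists without an indicator, and "%1" is the normal exefile DefaultIcon baseline.

```python
"""Checks a Windows host for the persistence/evasion indicators listed in the
signatures above.  Added example, not code from the report.  evaluate() is
pure and testable anywhere; collect_from_registry() needs Windows."""
import os
import sys

MRSMAJOR_DIR = r"C:\Program Files\mrsmajor"  # drop directory from the report
POLICY_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"


def _shell_check(value):
    """Winlogon Shell is a comma-separated program list; anything beyond
    explorer.exe is a logon-time launcher (the report shows wscript.exe)."""
    if value is None:
        return None
    extra = [e.strip() for e in str(value).split(",")
             if not e.strip().lower().startswith("explorer.exe")]
    return f"extra Shell entries {extra}" if extra else None


# (hive, key, value name, check); check returns a finding string or None.
# "" as the value name means the key's (Default) value.
CHECKS = [
    ("HKLM", r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell", _shell_check),
    ("HKLM", POLICY_KEY, "ConsentPromptBehaviorAdmin",
     lambda v: "UAC elevates without prompting (0)" if v == 0 else None),
    ("HKCU", POLICY_KEY, "DisableRegistryTools",
     lambda v: "regedit disabled" if v == 1 else None),
    # Assumption: standard value name for the "Disables Task Manager"
    # signature; the report lists the signature but not the indicator.
    ("HKCU", POLICY_KEY, "DisableTaskMgr",
     lambda v: "Task Manager disabled" if v == 1 else None),
    # Assumption: "%1" (the executable's own icon) is the clean baseline.
    ("HKLM", r"SOFTWARE\Classes\exefile\DefaultIcon", "",
     lambda v: f"exefile icon redirected to {v!r}" if v not in (None, "%1") else None),
]

# Constructed from the signature tables above: the post-detonation state the
# sandbox recorded, used as offline input for evaluate().
REPORTED_VALUES = {
    ("HKLM", r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell"):
        r'explorer.exe, wscript.exe "C:\Program Files\mrsmajor\Launcher.vbs"',
    ("HKLM", POLICY_KEY, "ConsentPromptBehaviorAdmin"): 0,
    ("HKCU", POLICY_KEY, "DisableRegistryTools"): 1,
    ("HKLM", r"SOFTWARE\Classes\exefile\DefaultIcon", ""):
        r"C:\Program Files\mrsmajor\Icon_resource\SkullIco.ico",
}
REPORTED_FILES = [MRSMAJOR_DIR + r"\Launcher.vbs"]


def evaluate(values, present_files=()):
    """Map registry values and present file paths to a list of findings."""
    findings = []
    for hive, key, name, check in CHECKS:
        hit = check(values.get((hive, key, name)))
        if hit:
            findings.append(f"{hive}\\{key}\\{name or '(Default)'}: {hit}")
    for path in present_files:
        if path.lower().startswith(MRSMAJOR_DIR.lower()):
            findings.append(f"dropped file present: {path}")
    return findings


def collect_from_registry():
    """Live collection, Windows only.  KEY_WOW64_64KEY reads the 64-bit view,
    which is where the report's System32 wscript.exe wrote."""
    import winreg
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    values = {}
    for hive, key, name, _ in CHECKS:
        try:
            with winreg.OpenKey(hives[hive], key, 0,
                                winreg.KEY_READ | winreg.KEY_WOW64_64KEY) as k:
                values[(hive, key, name)] = winreg.QueryValueEx(k, name)[0]
        except OSError:
            pass  # key or value absent: nothing to report for it
    return values


def collect_files():
    """Every file under the drop directory (empty list if it does not exist)."""
    return [os.path.join(root, f) for root, _, files in os.walk(MRSMAJOR_DIR)
            for f in files]


if __name__ == "__main__":
    if sys.platform == "win32":
        findings = evaluate(collect_from_registry(), collect_files())
    else:  # offline demo against the values the sandbox reported
        findings = evaluate(REPORTED_VALUES, REPORTED_FILES)
    print("\n".join(findings) or "no indicators found")
```

Against the reported values this produces five findings (Shell, ConsentPromptBehaviorAdmin, DisableRegistryTools, DefaultIcon and the dropped launcher); a clean host with Shell set to explorer.exe, ConsentPromptBehaviorAdmin at its default and DefaultIcon of "%1" produces none. Remediation is the reverse of each finding, but clear the Shell value and the UAC policy before deleting the drop directory, or the launcher path simply goes missing at the next logon while the policy changes remain.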

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll C:\Windows\system32\svchost.exe N/A

Subvert Trust Controls: Mark-of-the-Web Bypass

defense_evasion
Description Indicator Process Target
File created C:\Users\Admin\Downloads\BossDaMajor.exe:Zone.Identifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
File created C:\Users\Admin\Downloads\MrsMajor3.0.exe:Zone.Identifier C:\Program Files\Mozilla Firefox\firefox.exe N/A

Access Token Manipulation: Create Process with Token

defense_evasion privilege_escalation
Description Indicator Process Target
N/A N/A C:\Windows\System32\wscript.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\BossDaMajor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\unregmp2.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Cursors C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Cursors\Arrow = "C:\\Program Files\\mrsmajor\\def_resource\\skullcur.cur" C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Cursors\AppStarting = "C:\\Program Files\\mrsmajor\\def_resource\\skullcur.cur" C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Cursors\Hand = "C:\\Program Files\\mrsmajor\\def_resource\\skullcur.cur" C:\Windows\System32\wscript.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133713936722553518" C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent C:\Windows\system32\LogonUI.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "66" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" C:\Windows\system32\LogonUI.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\Program Files\\mrsmajor\\Icon_resource\\SkullIco.ico" C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\Program Files\\mrsmajor\\Icon_resource\\SkullIco.ico" C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mp3file\DefaultIcon\ = "C:\\Program Files\\mrsmajor\\Icon_resource\\SkullIco.ico" C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mp3file\DefaultIcon C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mp4file C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\DefaultIcon C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\DefaultIcon\ = "C:\\Program Files\\mrsmajor\\Icon_resource\\SkullIco.ico" C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2170637797-568393320-3232933035-1000\{3590105E-2F76-474D-8BEE-C0E00BEAD58A} C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mp4file\DefaultIcon C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mp4file\DefaultIcon\ = "C:\\Program Files\\mrsmajor\\Icon_resource\\SkullIco.ico" C:\Windows\System32\wscript.exe N/A

NTFS ADS

Description Indicator Process Target
File created C:\Users\Admin\Downloads\MrsMajor3.0.exe:Zone.Identifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
File created C:\Users\Admin\Downloads\BossDaMajor.exe:Zone.Identifier C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3881.tmp\eulascr.exe N/A
N/A N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4288 wrote to memory of 1036 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4288 wrote to memory of 3056 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4288 wrote to memory of 1956 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4288 wrote to memory of 2212 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\system32\wscript.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system C:\Windows\System32\wscript.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\System32\wscript.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\37626322_1871171556512529_4700140521996156928_n.jpg

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4260,i,10065386245627775856,6567048529106473151,262144 --variations-seed-version --mojo-platform-channel-handle=4004 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1296,i,10065386245627775856,6567048529106473151,262144 --variations-seed-version --mojo-platform-channel-handle=4068 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffaabd2cc40,0x7ffaabd2cc4c,0x7ffaabd2cc58

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1920,i,5804432608221272407,10153197593662508355,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1916 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2148,i,5804432608221272407,10153197593662508355,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2200 /prefetch:3

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2288,i,5804432608221272407,10153197593662508355,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2496 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3172,i,5804432608221272407,10153197593662508355,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3188 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3344,i,5804432608221272407,10153197593662508355,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3436 /prefetch:1

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3628,i,5804432608221272407,10153197593662508355,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4500 /prefetch:1

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4804,i,5804432608221272407,10153197593662508355,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4816 /prefetch:8

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4716,i,5804432608221272407,10153197593662508355,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4812 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4908,i,5804432608221272407,10153197593662508355,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5180 /prefetch:1

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1968 -parentBuildID 20240401114208 -prefsHandle 1884 -prefMapHandle 1876 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f062283c-b00b-4062-a42c-3d22a8680b92} 3168 "\\.\pipe\gecko-crash-server-pipe.3168" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2380 -parentBuildID 20240401114208 -prefsHandle 2372 -prefMapHandle 2368 -prefsLen 23716 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {065e3d24-bcd6-494e-b81a-75982da4d545} 3168 "\\.\pipe\gecko-crash-server-pipe.3168" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2720 -childID 1 -isForBrowser -prefsHandle 3036 -prefMapHandle 3032 -prefsLen 23857 -prefMapSize 244658 -jsInitHandle 1064 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6174634d-8a89-4736-bfc9-3cebfba8d146} 3168 "\\.\pipe\gecko-crash-server-pipe.3168" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4352 -childID 2 -isForBrowser -prefsHandle 4344 -prefMapHandle 4340 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1064 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d8feba7c-ab58-479e-bfa0-b1e8627d324c} 3168 "\\.\pipe\gecko-crash-server-pipe.3168" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4884 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4880 -prefMapHandle 4876 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {62eca861-4997-4f2d-8725-a903f3747c3a} 3168 "\\.\pipe\gecko-crash-server-pipe.3168" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5248 -childID 3 -isForBrowser -prefsHandle 5160 -prefMapHandle 5164 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1064 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4a94b172-e999-44d8-b0ab-c4de2cc348d3} 3168 "\\.\pipe\gecko-crash-server-pipe.3168" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5472 -childID 4 -isForBrowser -prefsHandle 5464 -prefMapHandle 5460 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1064 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {28f0c968-4d57-4640-a7cf-ce15de9f600f} 3168 "\\.\pipe\gecko-crash-server-pipe.3168" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5588 -childID 5 -isForBrowser -prefsHandle 5664 -prefMapHandle 5660 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1064 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5b1bc8ae-7f65-4e4b-8976-4398afefa615} 3168 "\\.\pipe\gecko-crash-server-pipe.3168" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6052 -childID 6 -isForBrowser -prefsHandle 6064 -prefMapHandle 6060 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1064 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3f211386-66f6-4fe7-b905-14c80c0927eb} 3168 "\\.\pipe\gecko-crash-server-pipe.3168" tab

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3776,i,5804432608221272407,10153197593662508355,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3168 /prefetch:8

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6720 -childID 7 -isForBrowser -prefsHandle 6732 -prefMapHandle 6716 -prefsLen 27998 -prefMapSize 244658 -jsInitHandle 1064 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b4a9310e-e317-4c7c-9606-f267bb34c9f9} 3168 "\\.\pipe\gecko-crash-server-pipe.3168" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5028 -childID 8 -isForBrowser -prefsHandle 6808 -prefMapHandle 5032 -prefsLen 27998 -prefMapSize 244658 -jsInitHandle 1064 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {82b4148b-7e0e-45f7-89da-27c32f15d06c} 3168 "\\.\pipe\gecko-crash-server-pipe.3168" tab

C:\Users\Admin\Downloads\MrsMajor3.0.exe

"C:\Users\Admin\Downloads\MrsMajor3.0.exe"

C:\Windows\system32\wscript.exe

"C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\3881.tmp\3882.tmp\3892.vbs //Nologo

C:\Users\Admin\AppData\Local\Temp\3881.tmp\eulascr.exe

"C:\Users\Admin\AppData\Local\Temp\3881.tmp\eulascr.exe"

C:\Users\Admin\Downloads\BossDaMajor.exe

"C:\Users\Admin\Downloads\BossDaMajor.exe"

C:\Windows\system32\wscript.exe

"C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\B949.tmp\B94A.vbs

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" "C:\Program files\mrsmajor\mrsmajorlauncher.vbs" RunAsAdministrator

C:\Program Files (x86)\Windows Media Player\wmplayer.exe

"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" "C:\Program Files\mrsmajor\def_resource\f11.mp4"

C:\Windows\SysWOW64\unregmp2.exe

"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon

C:\Windows\system32\unregmp2.exe

"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x380 0x4f0

C:\Windows\System32\shutdown.exe

"C:\Windows\System32\shutdown.exe" -r -t 03

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x4 /state0:0xa3927855 /state1:0x41c64e6d

Network


Files

SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 13b334949c03ba89b5b4e1d0e32f1477
SHA1 486096cf9c234ee3b6161a2cadf9956c8736dd09
SHA256 93444bc82b173332e527024f48eabf9871804654a4400de9630452308592c1aa
SHA512 f2891c3ef5b1cf1f4a49bc50f8b792371e855628619cb606c46bd03e263fc128338fcadcc673c41adfd3d10a4d7070ade65bb44420de1248b7fd9dee055daf7d

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 3eb5fe2690f0e00284005d878a00e5e1
SHA1 c154794ff9676a3a76126e9d6cb2afeaf46475d7
SHA256 3bd9106cd809f935bf7a9f1cdf6a2282943ae570e0e0d21891db2f2a22aa2db6
SHA512 e6c2f2948b9a60b2d41238b2b38a002387bca65332688182799d1921095b5542de03028706f97f8f37426a3aec3fe9792171f7c8c3a0d469d64097d1333b40e6

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 c3d343395cfa3592189670d6397d8940
SHA1 8e9dfea05f3fe57c444b11779beaf11166da2204
SHA256 fac8c186ba3c5a420138643d8d7ad357b57dc6c1167a7f7d04dd3d11eaa971a7
SHA512 77559a49bc3e7ded614091830b5bbdab821dcebd11be99d1fd0f6d26b395a36d9390e4f4f0cf3a579ac2c2d2777c22ddafb517c88faf9e5253ee6d582a035947

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 593f0eb91380edb349e3e01c60ded7dc
SHA1 9f9bebd2739a53590c5735541c81857a68d1104c
SHA256 9a94e0b32c1b6d98788008a9c2723a2236f20d3642522ca7b90ad45d294ccd41
SHA512 c7b76b93760596743aae2282981895c65477940147f574aea7e9bda64d032a5b06d04ed5c2b2573e972b54898bfa4371a4d4241b5ab7655afff87b2703cf0919

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 fbec4c63bf922e235ea9309f1044d849
SHA1 9e6baa30c008fe05cb427040ce973d10f7d90f68
SHA256 32f702c61a9c4bff5025050336d919d07fee7cfeb2cfe0b950ece144cc92fe4c
SHA512 ab8d5ebc674b92526ed261b310cc34b93a9b7a8fc272751cc487ae58095a3cb84d86abd0d5941b2e481253bb4a8f79fd5792873f51c715213eff747958b685a5

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\sessionstore-backups\recovery.baklz4

MD5 23504c3f5c3980cf3eaa5385ddaf4e04
SHA1 88983633a71c77e2f9451a4e7e5386dcc3bca865
SHA256 36b4891b79581fc84ad36b905150dd1de685f8183cc3c0f4235098bb5b5f9489
SHA512 7c8ccd9360dae8e857f6df97171d82ed30fa04814b090928e7b8d37f91532451735e3f7ad670abb24e12344ab9efa9eddd25adf5622f31582f5742f3f00e886d

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\cache2\entries\006D3DFABB7DD236CF8A44AA7E9CD9CA8F2EB2CA

MD5 7521c5012953edd817c3e0ed3fbe0705
SHA1 81bf4ad9b79d9da7f0d969070dc445335d42c7a3
SHA256 b1090f8aee76c305c0167f585dcd7f56cdf7f3baedb45381c74389a14c00aa57
SHA512 3d8af7b619e88ea38dfa7f39569dd62f8b0bde5e4be71fc5e6db48441f011be66a61bef602e5170d703d7d2757687773a82af9237fdf73ab385ea436ac8fff6b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 0870d4263414ecd22a621b0326ab02e8
SHA1 7fe58b592a3deebfc39e51d470ebe7d4e694779e
SHA256 9350f9c729b0b9eaee520dfbdd6e6df355882ff03e032a3adda2c0e134f0f1ee
SHA512 6a23bcb0aceb1572e19a05a7e512f246db870b5478257a1d2ff0de64ff35a3e56f82ac1b252d8ce09313dea36297b942aee516c817a22e13a25aa5c1f7b689ec

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\sessionstore-backups\recovery.baklz4

MD5 6352c3c36ccddddccae3caae5029bf58
SHA1 b03b12ce7981d9b83a5fbc7407ebb9ea4bff0b58
SHA256 672875eb1e8bc10d4e0f17a63ca47de291a4470e5f905bfd9cb89d96d51e86e2
SHA512 36509f8e630a2ed11033fdb76c66e5caf9492f742257eb5ee1bf6b6588e854850764e4c1c482a1b53e579a18edf2640167cc4e6b8fd4214e6ca6b3101dd9aa43

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 a26338b15758d555c64fd30d03422d91
SHA1 20e2491404dfb1ddcb3913b1bfad177f62d7e803
SHA256 146ce436f096bdd568e5c5d96d1df346fa156472734d4b26634b5a8a5b3be22a
SHA512 e6b7d7184f53b49123ce104ad1026718824fec28f07c3a558c73cc084132a2c0b227c78f84dd37179414aab2b87a8b5ea2b4e1b09a1d660665a0448b448363c2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\sessionstore-backups\recovery.baklz4

MD5 9cc4bc29726bf11971caac6174dfa443
SHA1 7405b9e2358b1cf928dd1573e84dbe107629cfcc
SHA256 8e2fd9611a549578dab44b3c0edb5a9cb0597af9b6d7d0d3a436ae5225193067
SHA512 8ac6fcca4522cdd4278f3e5245afb48a1bec658411f9410828d557a516cef555a8009ff393f9f081f8ee69e75d45014a258e346227bcb427fcf161436b75434e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 2f22ea6b585c3ae2a93b8e1e94d2dae6
SHA1 07e558a2d6a5ce8349accc4635237a38d05a6216
SHA256 8de1db0f34ee8ce14548ca308f2c1783c00d9aeb993e3769f4aad30d2eccd2c0
SHA512 20eef8ebab34a8b8a08d1c1fd4867cf8f07b341a4d7d984b995322e9e86e8728d0f6e7becb8a93a9f27438c37b17f4cadc137f2327caa155c326a12d2153daf1

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 359f531e618b022ded4dffe5a3ebd64f
SHA1 81f7bbb085b420b89ec70c8ccf34134cb6e55c0c
SHA256 ff6c3ce7ab4fd1f782a8fd2317445639eb66fba11711e2dd6eeadbbb1daa82f3
SHA512 67cd1070c935e72ea30221cc7d4bc09cc877e07b18a77b0bce22909532cc204cf785b8886a1753b1ade654106753bd7825608502b7e793bb44ff009e31fbda29

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\sessionstore-backups\recovery.baklz4

MD5 a101ccdfed3252ad0731786d84700680
SHA1 64d3d641621b120c46be0b4c68263aa27123feb6
SHA256 8779900db2be1160c61bea8fee0cbf23914ce039db9f3924ef18ce03fa9e51c0
SHA512 f51634efb82a9cb5f2ef22f4394594e144fc2c67040faa32df4801266d011c0ff8519ebf29dfb68f9bf04f66e6e3606de7a4b74f4132e45df68bdd2bf578128e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 ac6703c3b0e2397f115d87dbf1312b86
SHA1 e3012d38e58a59918970fa4cc97360d8a082700a
SHA256 8d486ccf16265e640177ac4548a7901a12844ba9f5b636712208e6a5a13d6bb8
SHA512 d3b7c00473ebb4ee4effd1984e5e46b32405d1abb5a7e73fad786aee841447b82de86571bd92a59af64371264fde30d4bf0e87e9cda74fe2620f08ed6685881d

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\cache2\entries\2492994A253B970917AF5CDF605580B1C2DC16A0

MD5 cc1d3d38a76aa2052249b12aa88cc3fd
SHA1 dd09c41518305f61a74ad6c1b513aef5e1eb6978
SHA256 593ac91ba735685909846f7b6755f3fcd4cac97a724fe049300a4507e09cbf01
SHA512 223c9d1b3dfaac635fcd60fde92389c56c4ef4db5d89100b5932a46df21ec3c224805ca2a3522f9dec1449639401dad2d4cb74b9e0a0512a1621f44749190898

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\cache2\entries\519BCA8D3AE219A5B894AD416EF90CFE45AEE07B

MD5 527700d691117ae987142bc6710a3385
SHA1 45b79fa1c3d2db09c74144a580c8874d2b8e0ba2
SHA256 081441e5d23b6986d04a0b7165dafbdbeecadbc45add7c12ea3aada493f8fd4c
SHA512 7e6eba5c573a9f9bb96fe8f8ff37f8eb2228621ea3e51f861017c24b5cad86b50a261850ee98ca2faa460c5e229aad3c345e37200ad6275d3968927d57d321d9

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\cache2\entries\71A5877A224793604405C071054D003E804BDD71

MD5 ad441688dafa6ac2dea1d52622c54a5c
SHA1 0d9cd08d61f1fdb578dfb1a33d07c66bdbb626f3
SHA256 c149138d37260ecab9ed0b2c9382fa1c5de458b83bfe91faf04927ba8afd9697
SHA512 71edf0bbd60bea071cb1bf8406181ae13f5865c13333c76ba97cbae28e72b6587c39090feee9bb610dfea8f12b7cfb898d8471c7c4c86527dd834f8c949aa301

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\cache2\entries\7F30F53457983F11F2D61636C9FB5706ED9AB60D

MD5 d9ee21e0938e23b4b9edbe859d6983ca
SHA1 64b786037ee4ae2a5d83365809c27fe8e0c22a8b
SHA256 f55a995ef43aefced8e46593d73dcd1856873cb6cdea2d73006965b082c4ae2d
SHA512 9d7b75c1c17b40983f28ed06d6fab122d55522beed193f9e683417f3feb2948f64c303654fea1082d8b91cadd8f0f4b67a67c95fe2d81bdb59474d37dfec53de

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\cache2\entries\5EAD13BBB5CBE47846E6C546F28FE2F53142499D

MD5 be86f4de5ace838764a8f7d73dcb83b4
SHA1 412fe87836406486b36b96f627d5bb5aa09a9dce
SHA256 7dca813a576ed7f028c49859384dc78385fa54fa6cb1366fbfc7899bbf935c0d
SHA512 60e82db8837bd1b2c155eb9a0f67892503267285ca66fbc4c42708e9f1b4a96f12ea37223f913df6e3075d285eb1dc584f630d96269020f7e161f8e69e4a4297

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\cache2\entries\8D9D13D2F1E22A996B4AB1AB746108030CA8BFA4

MD5 76462b56d26824ac460aa9e41db7529e
SHA1 8952c2a27e131fa0889ff1a3c3de92a6342dee97
SHA256 25d65208b9578f0de755e07c19236f66af57419ba7f843bc1836d2c5b671e658
SHA512 974dfb07f4a5ae8510e10b3a1c0e0f774fff78682ccc8e1d37badb40c1acafcd0eb93b503f9e55085b24859929bd753422aab3c506e9fa098832316f3e7c78eb

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\cache2\entries\CDB21C981CC9D3BF2B4FAF854D59E2DFEA293406

MD5 804875094aef082a9e1fb1094680d8d2
SHA1 2a01fd26baca20cbc2a9f827aa871352ce727f2c
SHA256 8dfa5d97e384c8395568e263ab21fedf8e0c3af54ef84c0582e33e19df7325bf
SHA512 38dd048b114fede0a8613d091f7a4614c01c8d0d53ff0dd760b7ddc070ce4d9e2dfc03ebc51492bbd9f4c6e10e111980dfcb382b659fc2135e2c156e505ccfbb

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\sessionstore-backups\recovery.baklz4

MD5 001c0740cea26abcf32a5b1cbbf86015
SHA1 9bcfe0ead761a86b0fd76e625960cbdf24504b8b
SHA256 7fbd2ef9dd76916850c0b7bf90e31487d652d2b3bd09c83ba37d792fc26b1f0b
SHA512 493189701005881ca2e3495ef011f998940d5073d58f729e667430c552a2b75b468e1e830b2a6b0bcedc5aee2000571ae2bdfc03e55916105ff475c4f5d9e8fc

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 e4d8f173b7037a7139555019d331258c
SHA1 da9b48f9097201e79336e997fec71fe217f8df1e
SHA256 e348fdc9ef7924c0f40054c9eb7d906315ca29aca54826313f4c03d971724d97
SHA512 24e7a51767ea752239ccf5ee56a71c6b4551ffeaf454575ac0a9332affca9ebd799a4ee181cec29028ce883811fed8e9e0290451d59784b455d02a051bf361c3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\sessionstore-backups\recovery.baklz4

MD5 4f46e806826ae1ae6b404ec7c09a3419
SHA1 389a4453c52c96f426ddd568f6f0910461a3e577
SHA256 634719446ce2b4a40812378e42dde76f04fccedb8036af5ea74b1bc789b82553
SHA512 f1c3a10ba698249560ef6c09e7c04ab351df9f3688fe3f825ff0f60535cbc749521b9dc42f1d59d41c412e68dbe7d4b5ed360be9a2c5814dc4f0ad9553dd0df9

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 a729661fafb052b626ea7a00378c4130
SHA1 35db62e0f937e65911a8f97daaa3ef1fdd18f520
SHA256 e7d9ab169175abed37d03ed68f0a9c7b447edabd0373508d4dacfb94c7460bb0
SHA512 8799be52e57829b3d95f144eca92906e9ed2bc31bafa452432ae8c8d523d7bec563860e8daf4ac474d3089443c87035dbdeaafed0d1ff284fd6cc43ad4f00418

C:\Users\Admin\Downloads\MrsMajor3.0.exe

MD5 35a27d088cd5be278629fae37d464182
SHA1 d5a291fadead1f2a0cf35082012fe6f4bf22a3ab
SHA256 4a75f2db1dbd3c1218bb9994b7e1c690c4edd4e0c1a675de8d2a127611173e69
SHA512 eb0be3026321864bd5bcf53b88dc951711d8c0b4bcbd46800b90ca5116a56dba22452530e29f3ccbbcc43d943bdefc8ed8ca2d31ba2e7e5f0e594f74adba4ab5

C:\Users\Admin\AppData\Local\Temp\3881.tmp\3882.tmp\3892.vbs

MD5 3b8696ecbb737aad2a763c4eaf62c247
SHA1 4a2d7a2d61d3f4c414b4e5d2933cd404b8f126e5
SHA256 ce95f7eea8b303bc23cfd6e41748ad4e7b5e0f0f1d3bdf390eadb1e354915569
SHA512 713d9697b892b9dd892537e8a01eab8d0265ebf64867c8beecf7a744321257c2a5c11d4de18fcb486bb69f199422ce3cab8b6afdbe880481c47b06ba8f335beb

C:\Users\Admin\AppData\Local\Temp\3881.tmp\eulascr.exe

MD5 8b1c352450e480d9320fce5e6f2c8713
SHA1 d6bd88bf33de7c5d4e68b233c37cc1540c97bd3a
SHA256 2c343174231b55e463ca044d19d47bd5842793c15954583eb340bfd95628516e
SHA512 2d8e43b1021da08ed1bf5aff110159e6bc10478102c024371302ccfce595e77fd76794658617b5b52f9a50190db250c1ba486d247d9cd69e4732a768edbb4cbc

memory/3912-1368-0x0000000000E00000-0x0000000000E2A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5a530dfd-bc51-4992-a05d-f09d41a331d4\AgileDotNetRT64.dll

MD5 42b2c266e49a3acd346b91e3b0e638c0
SHA1 2bc52134f03fcc51cb4e0f6c7cf70646b4df7dd1
SHA256 adeed015f06efa363d504a18acb671b1db4b20b23664a55c9bc28aef3283ca29
SHA512 770822fd681a1d98afe03f6fbe5f116321b54c8e2989fb07491811fd29fca5b666f1adf4c6900823af1271e342cacc9293e9db307c4eef852d1a253b00347a81

memory/3912-1375-0x00007FFAA67A0000-0x00007FFAA68EE000-memory.dmp

memory/3912-1376-0x000000001DD60000-0x000000001DF22000-memory.dmp

memory/3912-1377-0x000000001E460000-0x000000001E988000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\sessionstore-backups\recovery.baklz4

MD5 7b894110a618730756d924ec7ab5ed9a
SHA1 267e076ba1034ab4eb1746030d4de3aa4e53f04e
SHA256 1ea9af961512002bd96043f8157e6b18b765318a93053ce7359d6226086707aa
SHA512 83d9ee4b1b5d100371c4fd7d45b086f945fcac82210271956c46e790b1ce10614167020b3f8c4310b19ce146bd5d0f7ec2463822b91966e3e6dc670f43e98fdb

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 7b23ca40bbe4d78c4f6a043c84a1fd09
SHA1 e4d2ebd47750f1484c405b60d597a7e99e6f53cf
SHA256 2573f717fbb44af48ae0f0d8305cab310f70e33334bd2057731236bd4131de77
SHA512 4d525e39feb4ad2331a757a573df356d031ca0e7bb07840b8d87eedf32888645185ddd93f942745b4415c97a5b3fd9bb7279ed4b415455fd3edd4b9377c797f6

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 c93c0446ee3bf0c8bec230e313fbc8d0
SHA1 44ac8b3b4a0ae7e237150883988ed26d2f681d56
SHA256 53922e5351974a5baabc99afe098b16e9cad0af274b05a7a7c910b8f2d02d1f9
SHA512 4bb05a6ffaada9962d2f8f26b18541aef6ad1c050d905a73b1925eada708a36276a090088427971f5a2de741fc79741674273958140f5abca92956c73a3ec728

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\sessionstore-backups\recovery.baklz4

MD5 232ccbe386703391cac96a62b4f2bf6a
SHA1 2e5366926e4da686eccb0d781e26a1439d620578
SHA256 585c5512ec707a604a546eab55e195d79ceb321fa08d04f7d6295709fb93072b
SHA512 40dcea7792fc59b9422f53685bcc59f23ef29cbaaa94f1e53efe389bd76abaaaa946c5ffdb805e5504b96b1fddb87e92f8ec290a99a611181b673fe13826e368

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 1d51fa28aa6251475c6323cddd2c675b
SHA1 c6ad2ffb9c9bc1213bf1b6eb9a379ae2ac6a7e65
SHA256 f11e2ff383024c40a00a63e72a5bf06a58f05d90a026680484f1546e7e35fb8b
SHA512 60af5c408f822c9d9222d6c669f15d4459293cce21a59844ee40241f35f42a5082e6c6fdd660a25b6b9c459fdc54ad345b9a25dcc393f3e10906448f531e743f

C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

MD5 38ff71c1dee2a9add67f1edb1a30ff8c
SHA1 10f0defd98d4e5096fbeb321b28d6559e44d66db
SHA256 730a41a7656f606a22e9f0d68782612d6e00ab8cfe1260160b9e0b00bc2e442a
SHA512 8347782951f2647fe433482cb13186653afa32ee9f5be83a138c4ed47ff34d8de66a26e74b5a28ea21c1529b2078401922a9a26803772677b70489967c10f3e9

C:\Users\Admin\Downloads\BossDaMajor.exe:Zone.Identifier

MD5 dce5191790621b5e424478ca69c47f55
SHA1 ae356a67d337afa5933e3e679e84854deeace048
SHA256 86a3e68762720abe870d1396794850220935115d3ccc8bb134ffa521244e3ef8
SHA512 a669e10b173fce667d5b369d230d5b1e89e366b05ba4e65919a7e67545dd0b1eca8bcb927f67b12fe47cbe22b0c54c54f1e03beed06379240b05b7b990c5a641

C:\Users\Admin\AppData\Local\Temp\B949.tmp\B94A.vbs

MD5 5706bc5d518069a3b2be5e6fac51b12f
SHA1 d7361f3623ecf05e63bb97cc9da8d5c50401575c
SHA256 8a74eead47657582c84209eb4cdba545404d9c67dd288c605515a86e06de0aad
SHA512 fb68727db0365ab10c5b0d5e5e1d44b95aa38806e33b0af3280abcefae83f30eb8252653e158ac941320f3b38507649cce41898c8511223ee8642339cfece047

C:\Users\Admin\AppData\Local\Temp\B949.tmp\mrsmajor\CPUUsage.vbs

MD5 0e4c01bf30b13c953f8f76db4a7e857d
SHA1 b8ddbc05adcf890b55d82a9f00922376c1a22696
SHA256 28e69e90466034ce392e84db2bde3ad43ad556d12609e3860f92016641b2a738
SHA512 5e66e2793e7bc88066b8df3dccb554351287dea18207e280b69d7798ecd5cdc99bd4c126c3e394db9f45f54bb561e6688f928de4f638c5eca4f101dc2cea54a1

C:\Users\Admin\AppData\Local\Temp\B949.tmp\mrsmajor\def_resource\f11.mp4

MD5 17042b9e5fc04a571311cd484f17b9eb
SHA1 585d91c69c3f9e3d2e8cb8cf984871d89cc4adbb
SHA256 a9b0f1f849e0b41924f5e80b0c4948e63fc4b4f335bbdf0f997b03a3aff55424
SHA512 709076c6cef8dd61701c93e1fe331d2b1a218498b833db10ee4d2be0816e3444aeebfa092ab1bd10322617cf3385414e8fdb76fd90f25b44ac24d38937b4d47f

C:\Users\Admin\AppData\Local\Temp\B949.tmp\mrsmajor\DreS_X.bat

MD5 ba81d7fa0662e8ee3780c5becc355a14
SHA1 0bd3d86116f431a43d02894337af084caf2b4de1
SHA256 2590879a8cd745dbbe7ad66a548f31375ccfb0f8090d56b5e4bd5909573ac816
SHA512 0b768995187f988dc15d055f9689cee3ab3908d10b05a625b40d9757c101e067bbd6067ccbcf1951ebb683f5259eec562802ea6161d59475ce86cf6bc7c957f2

C:\Users\Admin\AppData\Local\Temp\B949.tmp\mrsmajor\mrsmajorlauncher.vbs

MD5 e3fdf285b14fb588f674ebfc2134200c
SHA1 30fba2298b6e1fade4b5f9c8c80f7f1ea07de811
SHA256 4d3aa3ecd16a6ba46a9d6c0bdacdcd9dce70d93585941a94e544696e3e6f7d92
SHA512 9b0bfbb07c77d9e9979a6c0f88b0a93010133f7dd3cf01e1de5dfbe812a5ed920e916d16d6a32fe21b9ee4b5425e61a616ded1aeeb35a410d4f77c0f9392ed0a

C:\Users\Admin\AppData\Local\Temp\B949.tmp\mrsmajor\WinLogon.bat

MD5 870bce376c1b71365390a9e9aefb9a33
SHA1 176fdbdb8e5795fb5fddc81b2b4e1d9677779786
SHA256 2798dad008f62aace1841edfb43146147a9cade388c419c96da788fcaa2f76bc
SHA512 f17c9898f81387daf42c9b858f507889919474ac2a17f96fc6d4606be94327e0b941b23a3ccc3f4af92b8abc0522e94745616da0564cdef1c3f20ee17ee31f53

C:\Users\Admin\AppData\Local\Temp\B949.tmp\mrsmajor\reStart.vbs

MD5 0851e8d791f618daa5b72d40e0c8e32b
SHA1 80bea0443dc4cc508e846fefdb9de6c44ad8ff91
SHA256 2cbd8bc239c5cfc3ef02f8472d867dff61e5aed9fde8a3823cda28cc37d77722
SHA512 57a9d1d75dbbab842060b29f01958f7e6b27d0175ff9a3f7b97e423c1b4e3fae94547a569c2e5c88224fc5dcc785f5a1d49c61199a8c7b3afeb4fc520600df40

C:\Users\Admin\AppData\Local\Temp\B949.tmp\mrsmajor\MrsMjrGuiLauncher.bat

MD5 c7146f88f4184c6ee5dcf7a62846aa23
SHA1 215adb85d81cc4130154e73a2ab76c6e0f6f2ff3
SHA256 47e6c9f62ffc41fbc555f8644ad099a96573c8c023797127f78b1a952ca1b963
SHA512 3b30fa1334b88af3e3382813d316104e3698173bb159c20ff3468cf3494ecfbbc32a9ae78b4919ecd47c05d506435af4a7ccee0576c0d0018a81fbd1b2dfcf10

C:\Users\Admin\AppData\Local\Temp\B949.tmp\mrsmajor\MrsMjrGui.exe

MD5 450f49426b4519ecaac8cd04814c03a4
SHA1 063ee81f46d56544a5c217ffab69ee949eaa6f45
SHA256 087fca40e079746b9c1dfaf777d3994c0321ea8f69d08238cdfc02fb109add1d
SHA512 0cae15d863120f4edc6b6dabfe2f0f3d2e028057025d7d5ffe615cde8144f29bdaf099850e91e101e95d13f8a83cb1410a06172dda25a5f92967abcbc8453cbc

C:\Users\Admin\AppData\Local\Temp\B949.tmp\mrsmajor\Launcher.vbs

MD5 b5a1c9ae4c2ae863ac3f6a019f556a22
SHA1 9ae506e04b4b7394796d5c5640b8ba9eba71a4a6
SHA256 6f0bb8cc239af15c9215867d6225c8ff344052aaa0deeb3452dbf463b8c46529
SHA512 a644c48562e38190720fb55a6c6e7d5ccfab60f362236fe7d63caebdc01758f17196d123fb37bd11f7e247ce8ab21812165b27496d3bd6ca5e2c5efefab8fb03

C:\Users\Admin\AppData\Local\Temp\B949.tmp\mrsmajor\Icon_resource\SkullIco.ico

MD5 c7bf05d7cb3535f7485606cf5b5987fe
SHA1 9d480d6f1e3f17d5018c1d2f4ae257ae983f0bb5
SHA256 4c1cfbe274f993941ac5fa512c376b6d7344800fb8be08cc6344e6c16a418311
SHA512 d30952a75d94dd64b7bd253ed72810690f3550f2262cfaaef45854fc8334f6201a8cbafb9b175c6435f7ce0499567f2fa8667b4b0046bfb651bf61eb4278e6c8

C:\Users\Admin\AppData\Local\Temp\B949.tmp\mrsmajor\def_resource\Skullcur.cur

MD5 cea57c3a54a04118f1db9db8b38ea17a
SHA1 112d0f8913ff205776b975f54639c5c34ce43987
SHA256 d2b6db8b28112da51e34972dec513278a56783d24b8b5408f11997e9e67d422b
SHA512 561860907fa2f53c7853094299758232a70c0cd22c6df3534abd094c6970f28792c6c334a33b129d661a46930d90fd8c98f11cb34f3e277cf20a355b792f64f0

C:\Users\Admin\AppData\Local\Temp\B949.tmp\mrsmajor\def_resource\creepysound.mp3

MD5 4a9b1d8a8fe8a75c81ddba3e411ddc5d
SHA1 e40cb1ee4490f6d7520902e12222446a8efbf9a8
SHA256 79e9a3611494b5ffafaa79788ba7e11dd218e3800c40b56684ccc0c33ab64eac
SHA512 e7a28acb04ca33d57efe0474bb67d6d4b8ceff9198198b81574c76c835d5df05d113fc468f4a4434580b1b58189f38184c376976604dc05d1424af1721995601

C:\Users\Admin\AppData\Local\Temp\B949.tmp\mrsmajor\def_resource\@Tile@@.jpg

MD5 3e21bcf0d1e7f39d8b8ec2c940489ca2
SHA1 fa6879a984d70241557bb0abb849f175ace2fd78
SHA256 064f135fcc026a574552f42901b51052345f4b0f122edd7acd5f2dcc023160a5
SHA512 5577e20f76d6b1cccc513392532a09bdc6dcd3a8a177b8035dc5d7eb082e0093436068f92059e301c5987e6122c4d9aff3e5ae9cc94ccc1ecc9951e2785b0922

C:\Users\Admin\AppData\Local\Temp\B949.tmp\mrsmajor\default.txt

MD5 30cfd8bb946a7e889090fb148ea6f501
SHA1 c49dbc93f0f17ff65faf3b313562c655ef3f9753
SHA256 e1ebbd3abfcaddf7d6960708f3ccd8eda64c944723f0905ff76551c692b94210
SHA512 8e7d98e6d0c05d199114d2d6ab8da886aed68de690c4d79643868eaf051c229fff94c88d937adb3da5e31fe48116613cf79dd00dda30f296746ce0a8aded9fe2

C:\Users\Admin\Desktop\MRS MAJOR WANTS TO MEET YOU 5.txt

MD5 e20f623b1d5a781f86b51347260d68a5
SHA1 7e06a43ba81d27b017eb1d5dcc62124a9579f96e
SHA256 afeebe824fc4a955a673d3d8569a0b49dfbc43c6cc1d4e3d66d9855c28a7a179
SHA512 2e74cccdd158ce1ffde84573d43e44ec6e488d00282a661700906ba1966ad90968a16c405a9640b9d33db03b33753733c9b7078844b0f6ac3af3de0c3c044c0b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\sessionstore-backups\recovery.baklz4

MD5 bcc753a29a8538ac69c883f0369eb2ab
SHA1 be4aaa1a34aa58f6130ba9c51a35428ed3c44d27
SHA256 1625b6b37f4f17a5814271a241e63d8324f7e9b2f92a67255a5a81dcfea5f88d
SHA512 7cbba0b30a5e189b05b4480641b2b49cb7921b102c5bac7b1aed8018824cc47b120aedf6c6fc66ded0f9cd82fb7749595c6ac783be47e0962b922b7eb05c7d61

C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

MD5 5433eab10c6b5c6d55b7cbd302426a39
SHA1 c5b1604b3350dab290d081eecd5389a895c58de5
SHA256 23dbf7014e99e93af5f2760f18ee1370274f06a453145c8d539b66d798dad131
SHA512 207b40d6bec65ab147f963a5f42263ae5bf39857987b439a4fa1647bf9b40e99cdc43ff68b7e2463aa9a948284126ac3c9c7af8350c91134b36d8b1a9c61fd34

C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.DTD

MD5 90be2701c8112bebc6bd58a7de19846e
SHA1 a95be407036982392e2e684fb9ff6602ecad6f1e
SHA256 644fbcdc20086e16d57f31c5bad98be68d02b1c061938d2f5f91cbe88c871fbf
SHA512 d618b473b68b48d746c912ac5fc06c73b047bd35a44a6efc7a859fe1162d68015cf69da41a5db504dcbc4928e360c095b32a3b7792fcc6a38072e1ebd12e7cbe

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

MD5 dfa090a2dd8cee86000f7a41e2f49a81
SHA1 1fab5c43d8fdf0cded03e9eec3bd28f9fcfe5571
SHA256 076693bb901e3fab5d921d08c9e5c04efa8e31f1ec55fa6cf62ddc4fb3e81588
SHA512 29bd91a77f187cbcecec104abd0cfa81b10e1c9ea529ded6b44fd08a036a05d56edf394ccde918348093aaee046f73239d446bf98a2b027cef792cb699d0f22b

C:\Users\Admin\AppData\Local\Temp\wmsetup.log

MD5 babe93fcc8141448018bd1805bf315cc
SHA1 38b6752b6c7fac74bc429d33c83be332e8aca994
SHA256 b4f31f28c0d93634ebd3396ebd74665c79b67eb0b3b39893adc1443da473af83
SHA512 3f92e5082c43a2d264137c8110b5114cd16792d5bb4dd69b1fb5b808520a0c542ae4da3b6a6d13224a20c14878cbd2f7d198804c8911a37ae461d283241d441b

C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak

MD5 7050d5ae8acfbe560fa11073fef8185d
SHA1 5bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256 cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512 a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

memory/5044-1643-0x0000000006F80000-0x0000000006F90000-memory.dmp

memory/5044-1645-0x0000000006F80000-0x0000000006F90000-memory.dmp

memory/5044-1644-0x0000000006F80000-0x0000000006F90000-memory.dmp

memory/5044-1642-0x0000000006F80000-0x0000000006F90000-memory.dmp

memory/5044-1646-0x0000000009B00000-0x0000000009B10000-memory.dmp

memory/5044-1648-0x0000000006F80000-0x0000000006F90000-memory.dmp

memory/5044-1647-0x0000000006F80000-0x0000000006F90000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 08a412bd6c069a74dede1dad8753bc6e
SHA1 6ccfe0176b11ea7de6d740a719971179545ca0df
SHA256 8fc753a5bdbc57a9771353ae7f17a85a4bc34f08737eab6db2c4319994c279b3
SHA512 6947b31dba3f871f0e6047c139b533d119e3e184cb42ef34432c62521ee54c79b716829528254d9c9426018ec22df222ec819970f7ac04dce7a2fa5d4df44d48

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

MD5 58172aaba5ae83c5d6522655aaa1ddec
SHA1 be7edcdeea7a333df92e8877b80c0d740e0acd3a
SHA256 ea5dfe74bd90e02d1e4bcd3f272f4269d0e3b918cb746c7abf29a683c3b21875
SHA512 a811f42084159eee5fff2eef0475a2fd4049512c15297947096560b27d79dce17e449df9372afb0e660e733536e32799f33d4812be5decb0425aa4d9c7317e9b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\datareporting\glean\db\data.safe.tmp

MD5 99cdacebf597ea7d1d2aa6328a1717b0
SHA1 c2193fab04c4112671426fa996eb38b7207628e9
SHA256 0f81db310a5022cef89ecb5b176f636256d380907f9f9d7d4cb1b1b8631cb165
SHA512 be2969d60aa12af5358294a3bd1bbcbb167e28cb6848002047f72001cc4ede5f3e3b2f36daa0205a53f2a575d23dbe0775c1b2df846ac85c2b4cb2e265e728af

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\datareporting\glean\db\data.safe.tmp

MD5 a4d389cb3fe396088a4dd3b806964760
SHA1 a4f5bf197808563cee5dffbb762501a77f3d9a98
SHA256 20574005f8e7b6c6f0a0e67cc9ae99f579c9ac8c69c8804773f7aa960df21823
SHA512 453c21e33591180bb6e01e5d129df5843a40fb4f4122460ce0d2f88f2952622145a55487c77f65ca7a134fef382219a722fc3cae49684caf74b844bb7a9da795

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\datareporting\glean\pending_pings\e9093109-a517-4dee-a2ed-fa3575ffa88a

MD5 3bb50f98c08642ca8266d95ea59729f9
SHA1 aacc379edfe76badba34669412f7e7529ec0e89c
SHA256 fbd9a12075c8a93a7457bbe8272dfcdcd99b28bf2d192c22062f35155760b58b
SHA512 7833d2384b26c40c3f4d11d546991f71bc5acbd89cd143be91cba4aa681d2e41cea436b570f8b73b7799436d5fe7f6b6beb6b65a7f201962183b30fb5cb87064

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\datareporting\glean\pending_pings\9c79d23f-4785-488d-ac9f-4d9af4f0f1f4

MD5 f32999359f58492c3e61a7df72b19d09
SHA1 899c5345fdb8de1ee9cbb1d6599ce871498546ca
SHA256 b81dd12afbae28bc9df8c91692d355c76e22923152a4ab4d74e4a4f463b4ab67
SHA512 8cc774a3b1227b3c70cfdce38a53bfbd769b96d926f0a5f7de2e754c35e4dc022272ec4504b03176b956757929f6c7ac2ca6eef6b1c536cae28778cac2597ce4

C:\Users\Admin\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb

MD5 d05fe2d53198c9730546f67ff1e5440d
SHA1 6671112a168659e0293e017d78a3993c9109d612
SHA256 94facb65a5239994f7a65bb75fc36e5d985b01ec25186ecc7962c7950a6bdeca
SHA512 44a786edab124b05e452fde8b050d4df478294cae96e7e1e4daf5528970b1dda741c34dc36921a083ab799ffdf608de62f606d95b13177f95f53cec799811c1b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 bcf77dedc24a99bad3562cb7b3d5748c
SHA1 7495bd3826e6f7b0cf4c7a2cacd9ed0985a3f5fc
SHA256 ababf656cdc5d5ea5021fd52c76785851bfed1df32c75b674d09b5443986760d
SHA512 ad60ceba003314d6d63b3489b09107508355eca3b42cdf7a23da749ae6703cc658056e7c375a67dbcccb854d926e2cdd3cf4c29901c505de41d646e415fa8128

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 692cd9a7f4e2fb954bc588eebadcbbc3
SHA1 7c83014809023e365e4293f248551a4e95c19a37
SHA256 130dce6293b726caabec097c31686991606b7a1506f6c0c2aa72ffac64c85541
SHA512 ec6c8c9a836a68f9fa561578d1e44196de074a6a6485fa4db27f45a142e556e413e599d47c41ed9221ab55b07edfd52606017d889d889688d69709ada3a058ed

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\datareporting\glean\pending_pings\a9e19926-83b5-4da5-b09e-c231c37f67d7

MD5 f95866402736fc7193e4edcf603283ad
SHA1 74106d6a9b5d5aa8e510cc67af1874ddad4350e3
SHA256 510c61974070ebcf78a3b52552559f3c41f09f91626dc2c97b3e12f376466fb6
SHA512 4aeeefefbb9aec02ea298fe4199b8f425b3a823f8e2b8e26d4f173239534c0233302e9990c09eaff0c72e3eca7bb63ebfc14dcf2313ee336ab02e4c2ea8c0d28

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\prefs.js

MD5 e8460c90130be04fd42afc01cf04589d
SHA1 1f2f8c417ba1694b72cf3601b3c4c436122228a7
SHA256 f2972f5dff67aebd0cf9d2eae73cead558040e933285d00533464f5cba58485c
SHA512 c2f443eb3934ee044a86fd6685e0bf61a6a97bf1a569e39e3ffe8d7d44fc1c86b24c0b3b69c911366d4ff365f6e6beac4b713c0ddbf0b5763289e4e1ff117acc

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\prefs-1.js

MD5 d679abc81843912e2cc42e57f2d0a65a
SHA1 34a2ce1329a1889000c47c096cb4bad583442583
SHA256 254caacca0c5d50b404f88da47d0f0f0bc9eb7c74faa07091c35a6f2ab495559
SHA512 13d7826bf91cade5770bb9fffe95a38989493c6363c7c47f9809af3a21d5097be2b563d1ef751c41e736c7ca2d06da2f72e5b4e62f969d46f4ef3a474ec2f897

Analysis: behavioral3

Detonation Overview

Submitted: 2024-09-21 11:51

Reported: 2024-09-21 12:01

Platform: win11-20240802-en

Max time kernel: 402s

Max time network: 572s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\37626322_1871171556512529_4700140521996156928_n.jpg

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\WebCheck = "ª\"Þ\vêÄ:¢nu_#ä\nX\x1b\n\x12ŽÈ¿›ô%÷Ü b" C:\Windows\SysWOW64\cmd.exe N/A

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\r[¨ì£¯õË\x0e\x16Àû/J\x13lí\x1cÞ\x1c\x16ùw[jÈŒy" C:\Windows\SysWOW64\cmd.exe N/A

Boot or Logon Autostart Execution: Active Setup

persistence

Downloads MZ/PE file

Event Triggered Execution: AppInit DLLs

persistence privilege_escalation

Event Triggered Execution: Image File Execution Options Injection

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\0 C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\0\AppExecutionAliasRedirectPackages = "\x06˜Û\u0090Q¡üÌJšq5GV‹÷ÊÄì.\x0e'Å…P½ÿ>" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\1 C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\1\FilterFullPath = "KjZ\x12¯\t®U,¦JïÕ%£Ù¬õž\và**\x02§\x18.\x17" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\2 C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\0\FilterFullPath = "çÿÜ;WK”9" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\1\AppExecutionAliasRedirectPackages = "\u00ad£q.a/¨•D„”\u008f\u0081Õ>íö\r°–G‰ÔÇ\t|¼Ë" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\2\AppExecutionAliasRedirectPackages = "p\vjŒ´·\x01\x1e=¬\x1bóU8ôݾ7Î.XN\x02;,ØAâ" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\2\FilterFullPath = ";H™ö«ÿÍ×#שÒ\f$¦\x10éG\x1c0¸‡K\"ƒ\u008fS\a" C:\Windows\SysWOW64\cmd.exe N/A

Manipulates Digital Signatures


Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\International\Geo\Nation = "Ù\x11w&Õ©ðßž™š˜Ì>¯\x7f\x06jbª¤©@Ž8Éãˆ" C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Downloads\WinNuke.98(1).exe N/A
N/A N/A C:\Users\Admin\Downloads\LoveYou.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\takeown.exe N/A
N/A N/A C:\Windows\SYSTEM32\takeown.exe N/A

Obfuscated with Agile.Net obfuscator

agilenet

UPX packed file

upx

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\cmd.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\NoExplorer = "p§®\u008d}>*À@ÈŒÓyÈ/!±í{,ì=4š°\rdO" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\ = "\x15_YЖêR¯R‹o#õ|@f&¨ŽÃ£\bçÀÉ@<§" C:\Windows\SysWOW64\cmd.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum C:\Windows\SysWOW64\cmd.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{1A6364EB-776B-4120-ADE1-B63A406A76B5} C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}\DisplayName = "ÿi\x1b]¹Ÿ{ZC\n?ý^\x05˜PLªÙÒ{¬ßC9\x18|–" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7B849a69-220F-451E-B3FE-2CB811AF94AE} C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{8A28E2C5-8D06-49A4-A08C-632DAA493E17}\ExtensionEventSource = "”ì{\x1a\u0090²=ü¶¢ˆk¥êV%j£ç\u008f`nz\x1c&:T\u00a0" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\PreCreateKnownFolders = "Ì\x04®KEæ¸ÎÁܵÐí5˜¿eÇ4[}dïc}'ñ\x7f" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\ProcessGroupPolicy = "!l)‘\x1c\x15Ùæ5åæîN†”bÞ!®¿±" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C418DD9D-0D14-4efb-8FBF-CFE535C8FAC7} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{e437bc1c-aa7d-11d2-a382-00c04f991e27}\GenerateGroupPolicy = "\v8í(ÐÈ\x18ô~-ÖO×\b\x1d¬\x01\u008d\x18ÖžèqšÖ23[" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{E62688F0-25FD-4c90-BFF5-F508B9D2E31F} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}\ProcessGroupPolicy = "h\x18I\n==f‚" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}\ProcessGroupPolicyEx = "\t]›j©ƒô&¢\x04\aД‡ÂžÌ¸¸…PNDƒ[—Äë" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3} C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B087BE9D-ED37-454f-AF9C-04291E351182} C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{BC75B1ED-5833-4858-9BB8-CBF0B166DF9D} C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{FB2CA36D-0B40-4307-821B-A13B252DE56C}\ProcessGroupPolicy = "Ö/º}J&/ÕîUÂ97\u0081\x14¨.ºþ–ŒÊ!=ÊׄÃ" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{0E28E245-9368-4853-AD84-6DA3BA35BB75} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}\ = "ê¼dÑíÐØ{¡ä–ˆ\niJ\x02ñ‚÷*ßš•ˆ\u00a0ÐÚ4" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{42B5FAAE-6536-11d2-AE5A-0000F87571E3} C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{728EE579-943C-4519-9EF7-AB56765798ED} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\GenerateGroupPolicy = "!üh÷g\x01Ü!Ô$T\b\x1d8t\aÐb•Š\x1a—Í¥\x1fT\x06[" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{8A28E2C5-8D06-49A4-A08C-632DAA493E17}\DllName = "~(Ýk{\\€\x11ÜSFú\x14cï\u008fW\x15\x1e1bdhCŸ0M." C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{8A28E2C5-8D06-49A4-A08C-632DAA493E17}\ProcessGroupPolicyEx = "ý\b˜™€eõUÈxO\u008d\x17¯LÖNÊ0½ïÈ$û+ãÓÞ" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{cdeafc3d-948d-49dd-ab12-e578ba4af7aa}\DisplayName = "s¹\tá!¨rs;@\vI\u009d‘v\u0081vl·ÔpPû\x17þé\x14‡" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}\GenerateGroupPolicy = "ûÕ\"Pæ3g\u009d\u00adf3ˆÙ\x14-¤£\x1a0Êöü\x05 Q\x10\x16" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{E5094040-C46C-4115-B030-04FB2E545B00} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7933F41E-56F8-41d6-A31C-4148A711EE93}\ProcessGroupPolicy = "Š0*j–Ýøü–\x17Wpm¢×\x11\u0090võÊ\u009dû\"\x11®\u00901©" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{91FBB303-0CD5-4055-BF42-E512A681B325} C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{cdeafc3d-948d-49dd-ab12-e578ba4af7aa} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{cdeafc3d-948d-49dd-ab12-e578ba4af7aa}\ProcessGroupPolicy = "Z\x16\tæl±¿mjî‘)-¨™\vUÇ!ñ]\u00ad°ÉÇEóÎ" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{e437bc1c-aa7d-11d2-a382-00c04f991e27}\ = "\rÀKѶ!;׆¹AÃé\x1c‹³û]çQ\x1cà" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}\ = "c-\x15\fÁ¡ñOwfÂØâYô݉àØàGo)âD+L\u0081" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}\DllName = "ȺPô”›‡&…\x1e¯R/·\a¢ËÏ§äŠ 7BÞ<=\x18" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{5794DAFD-BE60-433f-88A2-1A31939AC01F} C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{6232C319-91AC-4931-9385-E70C2B099F0E} C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{6A4C88C6-C502-4f74-8F60-2CB23EDC24E2} C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{74EE6C03-5363-4554-B161-627540339CAB} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7933F41E-56F8-41d6-A31C-4148A711EE93}\ = "Õò¸¥ŒŠ¸$¹Ê™ü§Ó¥^9\\Ç\x10JMê̸PUõ" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\DllName = "\x15°\x14PSêIÌçïý|ÿtBa»\b¶\x14ì+¾\"ƒ²\x0f}" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultDomainName = "\b'\x16„ú\x05R~ýOöÏ\x0f”S¡R›ƒFsmeþ\b\"\u0090Ï" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{8A28E2C5-8D06-49A4-A08C-632DAA493E17} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{cdeafc3d-948d-49dd-ab12-e578ba4af7aa}\ = "v¥PG\x19ÆõB\b„à" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{cdeafc3d-948d-49dd-ab12-e578ba4af7aa}\DllName = "8†¼k`I¦3Š8;£9]\x0e—ôÁ\n1¹€MëîÒàÎ" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\ProcessGroupPolicyEx = "¸?(Þ*–ù™7\x12Û©ág4:ù@R¿L\u0081ƒêæ•t^" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7150F9BF-48AD-4da4-A49C-29EF4A8369BA} C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{FB2CA36D-0B40-4307-821B-A13B252DE56C}\DllName = "2j±\x02ñѺÍÑ/:FŒ1l䨣\u00a0³\x1d¯\x1bUΩòã" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{fbf687e6-f063-4d9f-9f4f-fd9a26acdd5f} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{fbf687e6-f063-4d9f-9f4f-fd9a26acdd5f}\DisplayName = "^1Òd+DüExs„\a\x1dÐ\x12äËñs" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}\DllName = "®\x19\x14˜l™\x0f–" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}\ProcessGroupPolicy = "Ñu\x1c\x12êö\x04öK8“@kÕ»3y2qO{ñ\x17'\x15°6ü" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{E47248BA-94CC-49c4-BBB5-9EB7F05183D0} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{fbf687e6-f063-4d9f-9f4f-fd9a26acdd5f}\ = "ØÄ@ÑëK™»bè©uFÛKþ´Ãz\u0090›u¯hÝÚ\x1dM" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}\ = "-8\x01èmH}ž¾ø›ù¤eÎŒrVûµ}h\u009d|¶ƒæ>" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4B7C3B0F-E993-4E06-A241-3FBE06943684} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\ = "mC¶hО#éEÉ¿òãX,×\x1a±À4ü{x”RøÅU" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{8A28E2C5-8D06-49A4-A08C-632DAA493E17}\ = "<ˆeE\x12V~ì\x04øõ]/B\x1a;xí¢@®œ^šò{¢Ð" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{AADCED64-746C-4633-A97C-D61349046527} C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B587E2B1-4D59-4e7e-AED9-22B9DF11D053} C:\Windows\SysWOW64\cmd.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}\EventSources = 18200800bd00ed00c1004d00bf00bd001820de006600d5000c00b700e9007200a80068007d007c0028004700cd005a006400ac207600020000000000 C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{2A8FDC61-2347-4C87-92F6-B05EB91A201A} C:\Windows\SysWOW64\cmd.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\Desktop\WallPaper = "޵Iô\x02àzž»)vo)ß\u008dôªþí?ÜÛ\x10r°\b\x06ó" C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 5500 set thread context of 5544 N/A C:\Users\Admin\Downloads\VeryFun.exe C:\Windows\SysWOW64\cmd.exe
PID 5500 set thread context of 4084 N/A C:\Users\Admin\Downloads\VeryFun.exe C:\Windows\SysWOW64\cmd.exe
PID 5500 set thread context of 3560 N/A C:\Users\Admin\Downloads\VeryFun.exe C:\Windows\SysWOW64\cmd.exe
PID 5500 set thread context of 1236 N/A C:\Users\Admin\Downloads\VeryFun.exe C:\Windows\SysWOW64\cmd.exe
PID 5500 set thread context of 3136 N/A C:\Users\Admin\Downloads\VeryFun.exe C:\Windows\SysWOW64\cmd.exe
PID 5500 set thread context of 6056 N/A C:\Users\Admin\Downloads\VeryFun.exe C:\Windows\SysWOW64\cmd.exe

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\System.ini C:\Users\Admin\Downloads\VeryFun.exe N/A

Subvert Trust Controls: Mark-of-the-Web Bypass

defense_evasion
Description Indicator Process Target
File created C:\Users\Admin\Downloads\VeryFun.exe:Zone.Identifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
File created C:\Users\Admin\Downloads\WinNuke.98.exe:Zone.Identifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
File created C:\Users\Admin\Downloads\WinNuke.98(1).exe:Zone.Identifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
File created C:\Users\Admin\Downloads\MadMan.exe:Zone.Identifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
File created C:\Users\Admin\Downloads\LoveYou.exe:Zone.Identifier C:\Program Files\Mozilla Firefox\firefox.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\cmd.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\cmd.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\WinNuke.98(1).exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\LoveYou.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\VeryFun.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters\Storport C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Storport C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\SysWOW64\cmd.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters C:\Windows\SysWOW64\cmd.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A C:\Windows\SysWOW64\cmd.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM C:\Windows\SysWOW64\cmd.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM C:\Windows\SysWOW64\cmd.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\SysWOW64\cmd.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters\Storport C:\Windows\SysWOW64\cmd.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters\Storport C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\SysWOW64\cmd.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM C:\Windows\SysWOW64\cmd.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters C:\Windows\SysWOW64\cmd.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\SysWOW64\cmd.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\SysWOW64\cmd.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\SysWOW64\cmd.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\Accessibility\Blind Access C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\Accessibility\SoundSentry\WindowsEffect = "{m\x06dòæÛ\x10ÇÛã*Åjíå\x06\x15æ>OòÆùc÷(©" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\International\Geo C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\Colors\MenuHilight = "E\x0e™Éö²\"=Ì?dt¢Ø\x06ø\x0eÿ%¼\x19àa¹\u00a0tíÙ" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\Desktop\WindowMetrics\CaptionWidth = "æ\x03Hqœ¥µÊäK" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\International\sMonGrouping = ":\u00a0Ë«ÖßJ9qm\x02\x02µ©¥\x04UPI%\\DlïÁÇ3E" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\International\iFirstDayOfWeek = "‡ŽôGÂîž¶\x01–tTY‹ËÁÓÝEmÑdYe&\u008dÜv" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\PowerCfg C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\Accessibility\HighContrast\Flags = "6¡Îw“ 3·\x12Š`\x1bûã2Â.\x05¹N×QRêÉü@”" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\Colors\ButtonText = "¨Õ\x1cwÎ\x1b\x1e×\u008fèÜ\x17\x15æí®’Ù£€’ô¨ÊRè\x025" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\Colors\HilightText = "=¹V¾" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\Accessibility\AudioDescription\Locale = "§qcúùï_2öúαêÿEš©èÝÕ*þŽ“9íñ«" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\Desktop\WindowMetrics\Shell Icon Size = ":\x7fÔJþ¹f:oºu1‡\x03\x18íî¶\u0090\u009dNä‰ú¶\x17l—" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\Desktop\Colors\Hilight = "Úɉ\x1b¬ç¿\x1a‘,ù0q™¨rqIî^\x12“\x03\b^qÞk" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\Accessibility\Keyboard Preference C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\Accessibility\SlateLaunch C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\Colors\InactiveTitleText = "e¾6IÓ×åFÄr“1•–ÛE\x16.o\x11'\u00811Þ¨l\x15Â" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\International\iTLZero = "Ôb\x02\nÖ\"p¯‹—ׇ‰)úÚ\n\x04Ë\x044ýc€©\x026¢" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\Mouse\MouseSpeed = "úuŒÉ{‰ƒ\x0f[Ç\b±CÔ8˜°ß\x1b Ÿt\u0090:;*÷š" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\Accessibility\SoundSentry\FSTextEffect = "/ÑSù–Ñ\x0f?š9Ìü»xÒÇg$\nÚè†{ð®Ö\x11" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\Desktop\Colors\ButtonDkShadow = "é_í\n:\x1bõk\x16\az\u0081W!îo`-Ð|Så" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\International\sMonDecimalSep = "]\x16šŠ«\u008fØÏóm2£ƒ\x1bŽ\f¿OÀcNHmàTÜâi" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\Desktop\Colors\GradientActiveTitle = "Ô\\G\u0081\x04>V\x01VfÁ\\)~öecôêÑæ\x10\x04\\¾üŠº" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\Desktop\WindowMetrics\ScrollHeight = "\x05Ÿ¶ÙçowÍGNã×1¹Q‚Ŷ\x0e\x1b]0éëé¾—+" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\Colors\GradientActiveTitle = "\u009dš”|õ5Ú\x11Љ\x14\x1bÓžM´”€™Ò¤‹ó)r-»ú" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\Colors\Window = "³\x1a™¼+³\x10d\x15TƒØú/ÒKH}\x1aà£Â´Óµ1φ" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\Desktop\Colors\ButtonFace = ",!\x03pŸ³™7\x03ÍÍÅ$û¤¼¦1Ø<(¦WÄ8„}Ú" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\Desktop\CoolSwitchColumns = "d§\nFA¬éº‰m’”n?€NAmñ²!¢\u0081ê\f`¸õ" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\Desktop\Colors\InactiveTitle = "\x7fÚ¹F\u008f\x13ÖJl)1\x17x‡X0¸\x13€\x11‹%x…+\x17\x1cq" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\International\iCalendarType = "#è\x0fÐ’ŒûUpÄlS\fD‰X5\x1b«Õ¢ð‰½×Jª‰" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\Mouse\MouseHoverWidth = "¨\x10¿¶ÖËYIêÙ¤\u0090g‘;v´\u008d4¯òæ\\#7–=\x10" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\PowerCfg\PowerPolicies\1 C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\Desktop\TileWallpaper = "^\x15/´\x15™S\\\rx\x14\x15\t.z\aÎ#Êd\u009d\u009d¿ÍÒy<=" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\Desktop\Colors\GrayText = "‹#Æ‹7ôOv\x7fˆÁí'ê\fs´" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\Desktop\Colors\Scrollbar = "ZþF•\\sÒÏa¬9Ù\x13\u0081\vf3t\x06xš*\b…?\t\b<" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\International\sDate = "Œ\x0e_<\x03\u00ad©ÝkÇŠ6@§&…XÞø¯k¤kåe¤ýÓ" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\International\sThousand = "ýp÷CˆVKZ.§˜Ir‚¢%ÃöÒð\x1cMÌŸ±Ûc`" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\International\sShortTime = "IÌ;Q|r\x12R\x02Ÿì3‹}2è`Ô€Ysv^ÿ½ëí\x0e" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\International\sNativeDigits = "1=±åËËT(Þ\u008f\bù’ÅùÖw¢\u008dÕ¡|ç±Yx5Ð" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\Accessibility\SoundSentry C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\Appearance\NewCurrent = "\x05îýwÜÇ¿·žˆÝœÉ\x1daÇù‹N.D“-\x1eì/t\u0090" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\International\s1159 = "˜o\x1a§ó¯‚(Œax7ÒHæü\x1e\"\u0081ÈQG”v~\x14ó" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\Desktop C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\Desktop\DragWidth = "Cø´\\'êœ[±\u0090<o\bµu‚\x0f\x7f§´q§íÊR¤\fÙ" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\Desktop\WindowArrangementActive = "JÁ\x127=ö}\x7ftøˆÈ›u\x15_Æ4x³9rOríÄ}Ê" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\International\sCurrency = "¯0:U\u009d]@—ïvpú`=¨d\u009dŒÐä&{ŠD%7]\u009d" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\International\iTimePrefix = ".&LÀÙ׸˜r,)(Å3ÉÞ9\n\u00adk棿ÂV¨µ\x15" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\Desktop\WallpaperStyle = "ÿÃÅ)¢w¬\u009dן̈õ²ÒÞ3ÑȲØÇ_Ì\x03ÖÖ\f" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\Desktop\WindowMetrics\PaddedBorderWidth = "B»bE¾E]w–\x19l\x11Á\a„Y;Vr¨4Õr\u00a07\x06LÔ" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\Desktop\Colors\ButtonAlternateFace = "š¼d÷¬ö\x0f_1U\x1d<rÍ60دþßúÚÐZÝ£|Í" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\International\iFirstWeekOfYear = "wÒÙT/‹V9\x1aqªÅ`lf\x1d'ÒÌi\u0090\x03\x1dC\x17bp\v" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\Accessibility\TimeOut C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\Accessibility\TimeOut\Flags = "dÿ.Aí9 ~\x12‹Ò‰®¤\u00a0`q–;€Â’Å\b=ê;-" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\Colors\HotTrackingColor = "Ž\x14\"A4}æ²sr1\x1aÇOÿŒyEé$\x16@\u008f'L ”¾" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\Keyboard\KeyboardDelay = "l§ÒX\x12@_röö\x1cV´•v*{Ú/Áù\\°ç&\x01\x03r" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\Cursors\IBeam = "Ùr3\u0090E)¯ñìG]°\u008dfÒ0¾òð~Ý!pBø1\x16Ê" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\Desktop\Colors\GradientInactiveTitle = "êêzê®Ñ(Ç\x1e‚.¦é\x12O<ê½$'„\x16\x1d\u00adϼ“Q" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\International\iCurrDigits = "~îÁ·…Ó4\a\u008fnsœ7§¾&Ó\x0f¯³Õî`µù8³I" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\PowerCfg\PowerPolicies\3\Name = "“eºn:_û‹¶ÍJþCÙŸí5#®5aÏkºƒõú<" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\Cursors\No = "=U¶rÂ\u0090\x03—©9‚g\u0081\t\x15CS4ö[\u008dªŽ;¾S0S" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\International\User Profile C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\Keyboard C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\Desktop\RightOverlapChars = ",ã¦H®øM\x04ΪIV\x05Üî¬qHë¡’‡É:R_·´" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\Desktop\Colors\ButtonHiLight = "©æ*ôv?‹Y>\x12Úo\x7f\x0eÕ„µ¡\x1fˆJg´Z\u0081" C:\Windows\SysWOW64\cmd.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\FRIENDLY_ERRORS\Text = "ç~;a»È\x19áð\bz~c\x1bõ¡" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\HTTP\HelpID = "2h‚ºði’)\x06ŠTúüÜÔܼ\x01k®>˜Ë¡#5¨" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\INTERNATIONAL\UTF8_URL\PlugUIText = "ëo¨ä-—'6«¸ãÈ™®õ£ºÚÖBðÓ\x14Ǽ[Þ\x7f" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\MULTIMEDIA\ANIMAT\UncheckedValue = "{#Üc\x15\x1aÌ>ÏÏ1¥Î6âó\x1a6ü\x14'4Œºî¦Œv" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\FTPPASV\ValueName = "¬ŸjMã¦\x04ø¸äÀãÔ>ð\u008f•Aù?n\x1ek\x7fºw¥Ø" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\LMZ_LOCKDOWN\Text = "IÛ¸]ÇæÉ\x11ë/¢\u00a0&æ\x04×\x12ñ**\x18-ÄìãíÈF" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\MULTIMEDIA\PICTS\Text = "\"Weëkx\x11pG@ÃÂW€¦œº]\rÆäí†P‘\x1a\x1a¶" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Capabilities\Roaming\TrackingProtectionLists C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{69ABB8E4-3A44-461C-93BC-C3BB6BDF2DF3}\Version = "šn)çö;Õ¦)¬ã\x06•Û^U³7Ô¨õ»W\u008fhóÙd" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{DC99E960-6594-45E3-9D5D-141D825B8096} C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{78c7b664-c9bf-4ce9-8b3a-b05d442e451e} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\UrlTemplate\2 = "´žÅHÝ&\u00a0«*v4¼…t\"İ\x17¨9³¼wè©h¸¤" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\ACCESSIBILITY\MOVSYSCARET\RegPoliciesPath = "\x04’[-\u008d'Ç}DÇO¿—K—6`6«r\x13}¢\b•̪\x1c" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\ACR\PlugUIText = "©" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\DOMStore C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\DOMStore\Type = "Úimؽ¾\x02ÔŽ°úµ0Ò]°Ü\rž\x1a•ЏZ\vÝ¡Œ" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\INTERNATIONAL\IDN_SHOWPUNY\RegPoliciesPath = "ªœ(×ât1GÖ" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{98889811-442D-49DD-99D7-DC866BE87DBC}\BlockType = "‹°\fÀÙ$hßJp•çî\x1dvè\x03?\x1b\\\x19\x1fqÓu\raä" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\AUTOAPPENDIE\Text = "+\x16rù\u0081Œ\x10äûI…²,x*H€ª†Xš„ú\x1a\x0fvø«" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\MULTIMEDIA\ANIMAT\DefaultValue = "áDØS’wˆfßÕs\x1f9•‰2OëÜÏ¿æ}a¢öÏ\x05" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\ToolTip = "¨›\x03Üïç˜\u00ad.\x1e2Ô÷„hÓu\u0090œÛcÑWI\x14¦0ç" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Microsoft\Internet Explorer\International\Scripts\24\IEFixedFontName = "àÔŸÚ€Þu<ð\b’§\x12\u00a0\u008f%NHs\r…Jª\u00a0š\x1fmä" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\ACCESSIBILITY\ZOOMLEVEL\RegPath = "\x15°RÙ_\x1e’}Š\x10©xªbž;z\by±»\u00adVÁq£.«" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\SSLREV\PlugUIText = "ô‚ŒÇôºÍFb=\x195ø\x01æ\n9ÏÔê7\bwŠYc\x1d¿" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\TLS1.1\HelpID = "“Yý{Ìyæhß\x05Å»5VóÃ\x03Š×ðs7ã&\x16ÀÏš" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{2318C2B1-4965-11D4-9B18-009027A5CD4F}\DllName = "3\"ž¦ý\u00ad‰\u008d\x10µ<Jþðá8Å^ƒˆ ª\u009dÅÈ›=·" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\BLOCKMIXEDIMAGES\RegPoliciesPath = "x!‚–\bÁ\u00adƒÔiÝCV]ئÔï¶\x12žkÎ|‰\x1déX" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{124D001A-BDCB-472F-AA59-BBE7E4BC3204}\Version = "‰ÚQa\x7f(ÞTåBcý¥uÌá²Ö\x04Ýô6aŒ•¿8\x16" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\svcKBFWLink = "ŠlcJºT¼>y)´¹p¸ïAl5\x10À*K,]Rù>¢" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\ACCESSIBILITY\CARETBROWSING C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\NOTIFYDOWNLOADCOMPLETE\PlugUIText = "UNôÇð]O™\a5ûÜï\u00a0×'ûÎ*ßü`aØ7y\u009d™" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\ULINKS\ALWAYS\ValueName = "Õê\a\u009d˜DI\x1eË,ÿ6°5±„m·\x1eãG[×Ql»‰m" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\INTERNATIONAL\UTF8_URL\Type = "íÄ0zhõ.ˆ\f§MÅ\u00902Üö\x1c|uÍ{|Kh'ƒ«¶" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{00021a14-0000-0000-c000-000000000046}\BlockType = "?y6\u0090tiuï\x03̉>Ù\u0081Ýßíe €ÉgºŸ¦ÒHz" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{48FFE35F-36D9-44bd-A6CC-1D34414EAC0D}\CompatibilityFlags = "xG\x04ù.:ù‰{°þ®-Íb-œÞE\"L@ ITÛ`\t" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{69ABB8E4-3A44-461C-93BC-C3BB6BDF2DF3}\CompatibilityFlags = "B¨›I(¡®åEmÓ\aº" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{BDEA95CF-F0E6-41E0-BD3D-B00F39A4E939}\FWLink = "\t=ƒ\u00a0°|!‡O\x18\x14ïC\x19DíG¢XÚø³ÅÝ\\åw\x12" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Capabilities\Roaming\PopupBlockerAllowList C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{65104D73-BA60-4160-A95A-4B4782E7AA62}\AlternateCLSID = "PÊêy*¤ºq\n,7‰±;7œ«ž›ßdÇzõõ—´|" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\FLIP_AHEAD\RegPoliciesPath = "\bAwÁ¶›t=\x05<£ÁªW\x01\x02¥w°n\v\x0fãÅ¥¸½" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\CACHE_PAGES\RegPoliciesPath = "$õ>Õ\x1a¦…\u0090¬I„Z ¤›o‹/';'\fl¥\x10j—\n" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\MULTIMEDIA\PICTS\RegPath = "œWÞ\b‘\nÝ\x19úÆãj\fÒ\x12°¸oé\u0090" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Capabilities\FileAssociations\.website = "åÅ]‘{\x16ù\x02¢4ê^µ°oÒŠ(W\u008d܂Ϣà}Lù" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{0055C089-8582-441B-A0BF-17B458C2A3A8} C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{8B4F961F-0B84-4201-BBB1-34E45368F39E} C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\CTRLTABMRU C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Capabilities\Roaming\DomainSuggestion C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{14CEEAFF-96DD-4101-AE37-D5ECDC23C3F6} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Microsoft\Internet Explorer\International\Scripts\16\IEPropFontName = "\x19¹EH\u009d;¢¨p(¬ð\x13ª™Þ§ÖZYaœ£Æ^±ß\u00ad" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\FTPUI\PlugUIText = "«&éS<¦âÀî9°c&.\x0eE©\x7fwÆÌEv\x10ÏRÆ+" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\SSL3.0\ValueName = "©Y%Ý\f\f]e#ÂN ŒŽôÏ\u008dîu\a,\x15eú\x1cªöG" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{F5BEA1B9-FEF6-4093-846D-753C42A1B00A}\Version = "§ºò½\x04po9m÷wã•í\x0e,¼yBçø€\x12îR\t\u008d\t" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\USE_THEMES\Type = "\x0f÷ËÕ\\ÄtþÒÅ8-K\x01£Ü\u009dÛ=ù2Ö@\u00ad1*3»" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7f7bd411-f034-4ac0-9424-224bd7ab4e4e} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\ACCESSIBILITY\TEXTSIZE\ValueName = "×\u0081v\x0f<iu×\x03{™ØŒ¬ñ߆@\bš\x10\x10\u009d3wϳT" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}\DllName = "àÊA3ÃhWò*Ý›9`‘WÉ”\x15\u008dÎ\b¿©.÷Çß©" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{08f24d68-9087-4b24-81ad-7b34af3e3ed5}\AppName = ".4\u009dTßš8ÆúO\x04\x1f0Qæ\"¢:4%Tb±yÀêÄŸ" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Microsoft\Internet Explorer\International\Scripts\8\IEFixedFontName = "\x14\u009d5XÚè¦î\x13š\x12€¿4Ójàv9Xåçž2\u008d’À¯" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\ACTIVITIES C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\TLS1.2\RegPoliciesPath = "8lØ\x0f\x1a\u00adŽ\u008f" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{14CEEAFF-96DD-4101-AE37-D5ECDC23C3F6}\DllName = "E¯\x16fȾ·Ð'ÞÊ%IRW¸°U¼ÑØ}üjÒšËU" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{92085AD4-F48A-450D-BD93-B28CC7DF67CE}\BlockType = "¬…8ªÖ¢ER:Ôù©¨\x12MN¢ÌÜ\x1di!‡›ù\u00a0G\x01" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\Text = "‡²Ê>åi‚wg«=\x7f¡©ž1°\x7f–0Û\u008fßU\x7fÝì€" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{000D51DD-18E2-4D85-919A-10E3746C3F1C}\DllName = "„©¹ü.ù´[/‘LÀT}¶¶)[ƒÏÌ™à\t<\x06t~" C:\Windows\SysWOW64\cmd.exe N/A

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "$ÝP¤û\x1eOéfv§eùÙ\x06\tã\x01#y2¾7ó@8W\x19" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "Ñ\x184ŸC\u00adWO\x19Ðöµž\t™ÏlRg³)\"¤º \x04ýÞ" C:\Windows\SysWOW64\cmd.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

NTFS ADS

Description Indicator Process Target
File created C:\Users\Admin\Downloads\VeryFun.exe:Zone.Identifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
File created C:\Users\Admin\Downloads\WinNuke.98.exe:Zone.Identifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
File created C:\Users\Admin\Downloads\WinNuke.98(1).exe:Zone.Identifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
File created C:\Users\Admin\Downloads\MadMan.exe:Zone.Identifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
File created C:\Users\Admin\Downloads\Melissa.doc:Zone.Identifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
File created C:\Users\Admin\Downloads\LoveYou.exe:Zone.Identifier C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2856 wrote to memory of 728 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe (11 events)
PID 728 wrote to memory of 4252 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe (45 events)
PID 728 wrote to memory of 3160 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe (8 events)

System policy modification

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Servicing\CountryCode = "bÄ$qÂ\"]´R’˜wÀÕ\x13'k^\x1cq¾]K\x11çX!\t" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "\x18Ìðºù¥ãÎ\"¸¤k®d©¦¼žpëì\\Q5i¤{Û" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "…)Í\x14KÜ6B=µævQ\x03€ã\x10¯UÖÚ\"ߟ|\u008d¥\u008d" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\UIPI C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\UIPI\ = "¨Cö,e°¹²ZÇÞð\x05•\x04ÅŒ\x1a\r:l\x06Ž\u00a0G\u0090)Œ" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Servicing C:\Windows\SysWOW64\cmd.exe N/A

Uses Task Scheduler COM API

persistence

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\attrib.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\37626322_1871171556512529_4700140521996156928_n.jpg

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1952 -parentBuildID 20240401114208 -prefsHandle 1880 -prefMapHandle 1556 -prefsLen 23600 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d40f177f-60fc-4f92-9c6d-e54dcb0327ac} 728 "\\.\pipe\gecko-crash-server-pipe.728" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2352 -parentBuildID 20240401114208 -prefsHandle 2344 -prefMapHandle 2340 -prefsLen 23636 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6b833977-d0eb-46bf-a603-c4c4fbfcae35} 728 "\\.\pipe\gecko-crash-server-pipe.728" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2684 -childID 1 -isForBrowser -prefsHandle 2848 -prefMapHandle 2944 -prefsLen 23777 -prefMapSize 244628 -jsInitHandle 1324 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2b646909-9f5b-44bc-a502-7bde670bfea2} 728 "\\.\pipe\gecko-crash-server-pipe.728" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3616 -childID 2 -isForBrowser -prefsHandle 3388 -prefMapHandle 3472 -prefsLen 29010 -prefMapSize 244628 -jsInitHandle 1324 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fbd505dc-0a3c-4b01-bbe4-4b294f8f751c} 728 "\\.\pipe\gecko-crash-server-pipe.728" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4208 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4204 -prefMapHandle 4084 -prefsLen 29010 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {576534c7-0d9a-4f26-a11c-baecdc42329d} 728 "\\.\pipe\gecko-crash-server-pipe.728" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5332 -childID 3 -isForBrowser -prefsHandle 5344 -prefMapHandle 5340 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1324 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9a9e0c76-8c04-4024-8004-770432964e9a} 728 "\\.\pipe\gecko-crash-server-pipe.728" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5492 -childID 4 -isForBrowser -prefsHandle 5568 -prefMapHandle 5564 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1324 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6bb97e44-0be7-4ab2-9029-b8e4dd4b21af} 728 "\\.\pipe\gecko-crash-server-pipe.728" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5684 -childID 5 -isForBrowser -prefsHandle 5760 -prefMapHandle 5756 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1324 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7a37829c-ab60-4fa4-b2a5-41cd2359ee05} 728 "\\.\pipe\gecko-crash-server-pipe.728" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5848 -childID 6 -isForBrowser -prefsHandle 5840 -prefMapHandle 6020 -prefsLen 27132 -prefMapSize 244628 -jsInitHandle 1324 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {744f4a7c-27da-48dc-846f-932b84b8da9d} 728 "\\.\pipe\gecko-crash-server-pipe.728" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3604 -parentBuildID 20240401114208 -prefsHandle 3460 -prefMapHandle 2760 -prefsLen 30451 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {006accc9-5a62-4eac-bb31-81d1e4b67096} 728 "\\.\pipe\gecko-crash-server-pipe.728" rdd

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3440 -childID 7 -isForBrowser -prefsHandle 6672 -prefMapHandle 6664 -prefsLen 27919 -prefMapSize 244628 -jsInitHandle 1324 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0be25cc4-5f70-479a-a6a1-38382af11388} 728 "\\.\pipe\gecko-crash-server-pipe.728" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6356 -childID 8 -isForBrowser -prefsHandle 5868 -prefMapHandle 6344 -prefsLen 27998 -prefMapSize 244628 -jsInitHandle 1324 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {687c2baa-06c9-498e-87fd-01dbfb0ff7ae} 728 "\\.\pipe\gecko-crash-server-pipe.728" tab

C:\Users\Admin\Downloads\WinNuke.98(1).exe

"C:\Users\Admin\Downloads\WinNuke.98(1).exe"

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Downloads\Melissa.doc" /o ""

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7252 -childID 9 -isForBrowser -prefsHandle 7216 -prefMapHandle 7220 -prefsLen 28038 -prefMapSize 244628 -jsInitHandle 1324 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {98c5cd8a-b634-472f-a577-6842a73470c1} 728 "\\.\pipe\gecko-crash-server-pipe.728" tab

C:\Users\Admin\Downloads\LoveYou.exe

"C:\Users\Admin\Downloads\LoveYou.exe"

C:\Users\Admin\Downloads\VeryFun.exe

"C:\Users\Admin\Downloads\VeryFun.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x00000000000004E0 0x00000000000004B4

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Users\Admin\Downloads\MrsMajor3.0.exe

"C:\Users\Admin\Downloads\MrsMajor3.0.exe"

C:\Windows\system32\wscript.exe

"C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\D3CD.tmp\D3CE.tmp\D3CF.vbs //Nologo

C:\Users\Admin\AppData\Local\Temp\D3CD.tmp\eulascr.exe

"C:\Users\Admin\AppData\Local\Temp\D3CD.tmp\eulascr.exe"

C:\Users\Admin\Downloads\PCToaster.exe

"C:\Users\Admin\Downloads\PCToaster.exe"

C:\Program Files\Java\jre-1.8\bin\javaw.exe

"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\Downloads\PCToaster.exe"

C:\Windows\SYSTEM32\attrib.exe

attrib +h C:\Users\Admin\Downloads\scr.txt

C:\Windows\SYSTEM32\diskpart.exe

diskpart /s C:\Users\Admin\Downloads\scr.txt

C:\Windows\SYSTEM32\takeown.exe

takeown /f V:\Boot /r

C:\Windows\SYSTEM32\takeown.exe

takeown /f V:\Recovery /r

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ff8f0303cb8,0x7ff8f0303cc8,0x7ff8f0303cd8

C:\Windows\SYSTEM32\taskkill.exe

taskkill /im lsass.exe /f

C:\Windows\SYSTEM32\mountvol.exe (26 invocations, one per drive letter; C: is dismounted last)

mountvol A: /d
mountvol B: /d
mountvol D: /d
mountvol E: /d
mountvol F: /d
mountvol G: /d
mountvol H: /d
mountvol I: /d
mountvol J: /d
mountvol K: /d
mountvol L: /d
mountvol M: /d
mountvol N: /d
mountvol O: /d
mountvol P: /d
mountvol Q: /d
mountvol R: /d
mountvol S: /d
mountvol T: /d
mountvol U: /d
mountvol V: /d
mountvol W: /d
mountvol X: /d
mountvol Y: /d
mountvol Z: /d
mountvol C: /d
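
The command lines above (diskpart /s on a script the sample first hides with attrib +h, takeown on V:\Boot and V:\Recovery, taskkill of lsass.exe, and mountvol /d across every drive letter) and the control-character values written under Policies\System and Policies\Servicing in the System policy modification table are the most actionable indicators in this run. The Python below is an added example from the editor, not Triage output and not code from the sample: it correlates those two signals the way a detection rule would. This section does not list process ancestry, so the PIDs, parent PIDs and the assumption that the tools are children of the javaw.exe process that launched PCToaster.exe are constructed; the command lines and registry paths are copied from the report, the registry data is shortened.

```python
"""Correlate the destructive command chain and the junk policy writes listed
in this report. Added example, not Triage output. Records below are
constructed from the report's command lines; PIDs and parent PIDs are
assumptions (this section does not list process ancestry)."""
import re
from collections import defaultdict

# Constructed process-creation records: (pid, parent_pid, image, command_line)
PROCESS_EVENTS = [
    (4100, 4000, r"C:\Program Files\Java\jre-1.8\bin\javaw.exe",
     r'"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\Downloads\PCToaster.exe"'),
    (4101, 4100, r"C:\Windows\SYSTEM32\attrib.exe", r"attrib +h C:\Users\Admin\Downloads\scr.txt"),
    (4102, 4100, r"C:\Windows\SYSTEM32\diskpart.exe", r"diskpart /s C:\Users\Admin\Downloads\scr.txt"),
    (4103, 4100, r"C:\Windows\SYSTEM32\takeown.exe", r"takeown /f V:\Boot /r"),
    (4104, 4100, r"C:\Windows\SYSTEM32\takeown.exe", r"takeown /f V:\Recovery /r"),
    (4105, 4100, r"C:\Windows\SYSTEM32\taskkill.exe", r"taskkill /im lsass.exe /f"),
    # Benign admin activity under another parent (constructed): must not be flagged.
    (3001, 3000, r"C:\Windows\SYSTEM32\takeown.exe", r"takeown /f C:\Users\Admin\Documents\old.txt"),
    (3002, 3000, r"C:\Windows\SYSTEM32\mountvol.exe", r"mountvol E: /d"),
] + [
    # The report's mountvol sequence: A, B, D..Z, then C: last.
    (4200 + i, 4100, r"C:\Windows\SYSTEM32\mountvol.exe", f"mountvol {letter}: /d")
    for i, letter in enumerate("ABDEFGHIJKLMNOPQRSTUVWXYZC")
]

# Constructed registry-write records: (pid, image, key, value_name, data)
REGISTRY_EVENTS = [
    (5000, r"C:\Windows\SysWOW64\cmd.exe",
     r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Servicing",
     "CountryCode", "b\xc4$q\xc2\"]\xb4R\x13'k^\x1cq\xbe]K\x11\xe7X!\t"),
    (5000, r"C:\Windows\SysWOW64\cmd.exe",
     r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System",
     "legalnoticecaption", "\x18\xcc\xf0\xba\xf9\xa5\xe3\xce\"Q5i\xa4{\xdb"),
    (5000, r"C:\Windows\SysWOW64\cmd.exe",
     r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\UIPI",
     "", "\xa8C\xf6,e\x05\x04\x1a\r:l\x06"),
    # A legitimate logon banner set by policy (constructed): printable text, not flagged.
    (6000, r"C:\Windows\System32\svchost.exe",
     r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System",
     "legalnoticetext", "Authorized use only. Activity may be monitored."),
]

POLICY_KEY = re.compile(r"\\Policies\\(System|Servicing)(\\|$)", re.IGNORECASE)
MOUNTVOL_UNMOUNT = re.compile(r"mountvol\s+([a-z]):\s+/d\b")


def has_control_chars(value: str) -> bool:
    """True if the string carries C0 control bytes; a real logon banner or
    policy string never does, so this separates junk from GPO text."""
    return any(ord(ch) < 0x20 for ch in value)


def suspicious_policy_writes(reg_events):
    """Policy-key writes whose data is binary junk rather than text."""
    return [(pid, key, name) for pid, _img, key, name, data in reg_events
            if POLICY_KEY.search(key) and has_control_chars(data)]


def chain_findings(proc_events, mountvol_threshold=5, min_tags=2):
    """Group children by parent and flag any parent that combines at least
    `min_tags` of the destructive behaviours seen in this report."""
    by_parent = defaultdict(list)
    for pid, ppid, image, cmd in proc_events:
        by_parent[ppid].append((pid, image.rsplit("\\", 1)[-1].lower(), cmd.lower()))
    findings = []
    for ppid, children in by_parent.items():
        tags, letters = set(), set()
        for _pid, exe, cmd in children:
            if exe == "diskpart.exe" and "/s" in cmd.split():
                tags.add("diskpart_script")           # scripted partition changes
            elif exe == "takeown.exe" and re.search(r"\\(boot|recovery)\b", cmd):
                tags.add("takeown_boot_or_recovery")  # seizing boot/recovery volumes
            elif exe == "taskkill.exe" and "lsass.exe" in cmd:
                tags.add("taskkill_lsass")            # killing a critical process forces a reboot
            elif exe == "mountvol.exe":
                m = MOUNTVOL_UNMOUNT.fullmatch(cmd.strip())
                if m:
                    letters.add(m.group(1))
        if len(letters) >= mountvol_threshold:
            tags.add("mountvol_unmount_burst")        # one dismount is admin work, 26 is not
        if len(tags) >= min_tags:
            findings.append((ppid, sorted(tags), len(letters)))
    return findings


if __name__ == "__main__":
    for ppid, tags, n in chain_findings(PROCESS_EVENTS):
        print(f"parent PID {ppid}: {', '.join(tags)} ({n} drive letters dismounted)")
    for pid, key, name in suspicious_policy_writes(REGISTRY_EVENTS):
        print(f"PID {pid}: junk data written to {key}\\{name or '(Default)'}")
```

Grouping by parent is what keeps the rule quiet: a lone takeown or a single mountvol /d from an administrator never reaches two tags, while the PCToaster chain hits all four. The registry check deliberately does not fire on the legal-notice key itself, since GPO sets that on every domain-joined host; it fires on data that cannot be a banner.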

Network

Country Destination Domain Proto
N/A 127.0.0.1:49761 tcp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net tcp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
N/A 127.0.0.1:49769 tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp (12 connections)
GB 216.58.204.68:443 www.google.com tcp
GB 216.58.204.68:443 www.google.com udp
US 35.190.72.216:443 prod.classify-client.prod.webservices.mozgcp.net tcp
US 35.190.72.216:443 prod.classify-client.prod.webservices.mozgcp.net udp
GB 88.221.134.155:80 a19.dscg10.akamai.net tcp
GB 142.250.178.14:443 redirector.gvt1.com tcp
GB 142.250.178.14:443 redirector.gvt1.com udp
DE 74.125.111.136:443 r3---sn-4g5edn6k.gvt1.com tcp
DE 74.125.111.136:443 r3---sn-4g5edn6k.gvt1.com udp
US 52.111.229.43:443 tcp
GB 216.58.212.241:443 csp.withgoogle.com tcp
GB 216.58.212.241:443 csp.withgoogle.com udp
GB 216.58.212.202:443 ogads-pa.googleapis.com tcp
GB 216.58.212.202:443 ogads-pa.googleapis.com tcp
GB 216.58.212.202:443 ogads-pa.googleapis.com udp
GB 142.250.187.238:443 play.google.com tcp
GB 142.250.187.238:443 play.google.com udp
GB 142.250.180.14:443 consent.google.com tcp
GB 142.250.180.14:443 consent.google.com udp
GB 142.250.200.14:443 encrypted-tbn0.gstatic.com tcp (6 connections)
GB 216.58.213.14:443 encrypted-vtbn0.gstatic.com tcp
GB 142.250.200.14:443 encrypted-tbn0.gstatic.com udp
GB 216.58.213.14:443 encrypted-vtbn0.gstatic.com udp
FR 151.106.4.82:443 bonzi.link tcp (12 connections)
GB 143.204.72.186:443 www.mozilla.org tcp
FR 151.106.4.82:443 bonzi.link tcp
GB 216.58.204.67:443 id.google.com tcp
GB 216.58.212.241:443 csp.withgoogle.com udp
GB 216.58.212.202:443 ogads-pa.googleapis.com udp
GB 216.58.204.67:443 id.google.com udp
GB 142.250.187.238:443 play.google.com udp
FR 151.106.4.82:443 bonzi.link tcp
FR 151.106.4.82:443 bonzi.link tcp
GB 20.26.156.215:443 github.com tcp
GB 20.26.156.215:443 github.com tcp
US 185.199.108.133:443 avatars.githubusercontent.com tcp
US 8.8.8.8:53 avatars.githubusercontent.com udp
US 185.199.111.154:443 github.githubassets.com tcp (6 connections)
US 8.8.8.8:53 github.githubassets.com udp
US 140.82.113.21:443 glb-db52c2cf8be544.github.com tcp
US 140.82.113.21:443 glb-db52c2cf8be544.github.com tcp
GB 20.26.156.210:443 api.github.com tcp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 api.github.com udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
NL 52.109.89.19:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
GB 2.18.27.146:443 metadata.templates.cdn.office.net tcp
GB 184.50.113.73:443 binaries.templates.cdn.office.net tcp (45 connections)
US 8.8.8.8:53 73.113.50.184.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 collector.github.com udp
US 8.8.8.8:53 glb-db52c2cf8be544.github.com udp
GB 20.26.156.210:443 api.github.com tcp
US 8.8.8.8:53 api.github.com udp
US 104.17.151.117:443 www.mediafire.com tcp
US 104.17.151.117:443 www.mediafire.com tcp
US 8.8.8.8:53 www.mediafire.com udp
US 8.8.8.8:53 117.151.17.104.in-addr.arpa udp
US 8.8.8.8:53 ajax.googleapis.com udp
US 8.8.8.8:53 static.mediafire.com udp
US 8.8.8.8:53 static.cloudflareinsights.com udp
GB 142.250.180.10:443 ajax.googleapis.com tcp
US 104.17.150.117:443 static.mediafire.com tcp (4 connections)
US 104.16.80.73:443 static.cloudflareinsights.com tcp
US 8.8.8.8:53 static.cloudflareinsights.com udp
GB 142.250.180.10:443 ajax.googleapis.com udp
GB 142.250.178.14:443 translate.google.com tcp
US 8.8.8.8:53 www3.l.google.com udp
US 8.8.8.8:53 www3.l.google.com udp
US 8.8.8.8:53 10.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 117.150.17.104.in-addr.arpa udp
US 8.8.8.8:53 73.80.16.104.in-addr.arpa udp
GB 142.250.178.14:443 www3.l.google.com udp
US 8.8.8.8:53 42.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 translate.googleapis.com udp
GB 172.217.16.234:443 translate.googleapis.com tcp
US 8.8.8.8:53 translate.googleapis.com udp
US 8.8.8.8:53 translate.googleapis.com udp
GB 172.217.16.234:443 translate.googleapis.com udp
US 8.8.8.8:53 translate-pa.googleapis.com udp
GB 172.217.16.234:443 translate-pa.googleapis.com tcp
US 8.8.8.8:53 translate-pa.googleapis.com udp
US 8.8.8.8:53 translate-pa.googleapis.com udp
GB 172.217.16.234:443 translate-pa.googleapis.com udp
GB 20.26.156.215:443 github.com tcp
GB 20.26.156.210:443 api.github.com tcp
US 8.8.8.8:53 api.github.com udp
US 8.8.8.8:53 glb-db52c2cf8be544.github.com udp
US 8.8.8.8:53 drive.google.com udp
GB 142.250.180.14:443 drive.google.com tcp
GB 142.250.200.1:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 github.com udp
US 20.189.173.21:443 nw-umwatson.events.data.microsoft.com tcp
GB 20.26.156.215:443 github.com tcp
GB 20.26.156.210:443 api.github.com tcp

Files

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

MD5 27152171537c47796aa7194ac41383bc
SHA1 430c380ea885fce765a771cc40cbfe6358b4d04c
SHA256 28276ad4adb3f540918a28a722f10a63406037b96a14e05565e31ec90c605c22
SHA512 044ded8d45d2249f69ae617768398a33cf060618f1cb583aa9d9a34171de10bf3e23f6e49b3c0b8ca872f5ecbe98e841168fb3e94fdef2efbb299a3cbc01f616

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

MD5 f8f606a032719f0447a78d9b50fb672f
SHA1 45d741cb2185064eb8c06a91d79c928fcb657abe
SHA256 d5e5bb3e87ef84f4e352d277fbe38a57f65ed50c0f8309dbff43d57af778b3ca
SHA512 96169b9bcfce9f671452010340d707e2dd3a60a1ba2847cccbf1fff2dd11d0f74dfdc74cb9c20015bdbe95479f52501f9ee30ac634f547006104fba349472b65

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\datareporting\glean\pending_pings\e04c748c-0e16-492e-b151-5fb86294b2b6

MD5 603a91526deddfb1677fcb1b224b21fe
SHA1 afe494fb80c749dda26a76b8eac844c15037c561
SHA256 d80a52ee91b36600fecc15a5ed0c3fff81891bf8491d269a9c483497fa872110
SHA512 92f1b7e9295aeadd8ed642772372fbb9f64c99be9fb3fd91a4d0d1f6cba07160ba6122db3a46eb39432f8914cf0d991967f61023dd9a0f9d16bb7e2b62db8391

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\datareporting\glean\pending_pings\657d5a42-2cba-42e1-a0e4-6c6c3b6d38e1

MD5 04496489d4e0e53ea3a01c3e43eac8cc
SHA1 793a9aa2f7110465ac1ed520cfd02aa0d8f169d1
SHA256 d40ec77ff0d9e0b9b11fd15af555bb15189efdd562dd117ccc16f76cce3e5f46
SHA512 623e225dbc6e0a9a800f25f6e10297797da4fe35904bd877ddaa9c0281ed4d4deedb373f5e536ef3f5c3cd3827d8a62d7eef9ebfbb5704a3484657e9728be742

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\datareporting\glean\pending_pings\de9fa218-1bf5-47c6-b836-a24afc232771

MD5 f271b6f80fcf33e6b155d3cf472b9ffa
SHA1 1062ae0ff7ca223745fe20522fb7fc1e48a3b749
SHA256 71ae02f36a44b9e5c9dc46f69aa70ec57f229fda125b321717dad713bbf961ad
SHA512 4f9f6d2ddf252e4de7f0bc842be249e945a8277b870f70916bcfdbf94fe24b36d06b9405c96539060a2b87fd738661f912d22d77d38b742f56ad6e77731104c9

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\datareporting\glean\db\data.safe.tmp

MD5 ebed5934036d29db8455fe6ee327237b
SHA1 32611db6c6fdb97ba65e9d7b5d1e9e7d6d554e2d
SHA256 49f51bfa867d7db900fff0a7d726cb7484732bdc1d544cc23feebe7e4f0d98c3
SHA512 ee6afdc5a7a1e9de3d93aabd17b9bf6c0e7fd46951593bca52dd91df843b975d1386df37642ad66fff5f3b810e67fd5b17ba013e425cdc48691d0966d914a427

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\datareporting\glean\db\data.safe.tmp

MD5 eba9f0ef5357572817b016811965b797
SHA1 6920a8271292831bf1b31bbf0c2ae1f218be4af1
SHA256 6f0a4c75a19282276cbef131804f7269b3b515df8f282b1241bfb08e4c15fe7b
SHA512 4d4c21edcc2998b6ca04f6a996dc8fbd79ab66d99434550c72cae3f17698500934d2b0a736de0ca9f03dfa8d9992f2c6e1d583f2d90825f3df26726f2cf99c8d

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\pzaexue0.default-release\activity-stream.discovery_stream.json

MD5 3dc631567716eb1c874e91573aae7d5b
SHA1 d82fdb8b26f2583688ed02d6838b98cdec9034b6
SHA256 53b717bd069c7f70b38b7146b3bed97b93625c34bde7da80730d5d5a98526ab3
SHA512 76f7f9159032063b23422dac6996855a152caaf0f5dbeb1770288fa2a0937e5499155c19d233315878c6d5c4a355a235e68431c581bf43b7f20798155efc8294

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\prefs.js

MD5 6fdbf85ed922a668d8d583d39d30602d
SHA1 01dc9c0683375bcaa01db00e4389d29d8736b5e4
SHA256 efd6a361bb754ad80e446117c42b1003ddca21b5f3a4ebf6e2b4e92a7ce6ed0b
SHA512 69216e97fd265b30fa51ed746dc4477eaadfa4ae2b846d6bbd7bf28b82e7f022b32833c9ea58f3864056e679d4a6cf17449bac02fd4acb65439501d8173ae0f3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\prefs.js

MD5 1dc085f4e38b4490564812f42ec37c31
SHA1 7046e7f07cf36ee241c592e74972bb5483f40a35
SHA256 5c385deb2946ab9788d74f57172df1895274f6bbc11b34cbb38ca7665b121b55
SHA512 8392b127b8c09a9ca6d8777883505ff3df726aa7d374eb4fec24ee7ed01433c27b4d2ede7eedd87cd7ab8416fb4b86663a390d5b46e2123ab5b541a51db69659

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 9514237c10ef9e6dcc1c0826bc6f2ca7
SHA1 82cba885af6f80de0ad3c3d736e4376d1cf7d5c1
SHA256 a225d9a312e86f5a02b149e5e02a5b9583b3df9a1dde49cd690670e6db6b2677
SHA512 fbf7e612a0f86bca961832c274de682259617775d7641c96ddc51b646eba87a233a2522c54bdf291bcbeeb85ee83bddcdb3a170adadeaf9bf94b2c87e4cdc4aa

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\AlternateServices.bin

MD5 f2d04b893fd5994ed03688d2fa3bd085
SHA1 8daa4edb56ae9ec83e7eb055bf8ec39564088f31
SHA256 9b98341d82ec6d8fa20073d7606cf5777724abeb080fe90f21e7cf36b2bce4ca
SHA512 f4ced469973e5e683bcb27c2f4c9b3be915991ef8f9ca16548635fe484f4b61acfc4b9d065aa2e87acfdd84039f54f6c6cae336e843ed14c17edd736c475d002

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\datareporting\glean\db\data.safe.tmp

MD5 6578bcec197112f3cf5e82fb1d521bda
SHA1 425ae8c2fe382ef6894a6d0e03405e183bf2af93
SHA256 2ceeafa4f305b968985ce9b0893675e76db91ef26be6f05ea3fbeb7e2592bb61
SHA512 67045ae73fec53507280a57f50aec62ba9bd7d75c51df11ac20ed538c666e403c60dda420570d37fbe330ff9c58ea6c3e15d5a9eefb45e083f62778f73db9518

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\sessionstore-backups\recovery.baklz4

MD5 0526a6c68430736b64446693ca363159
SHA1 6f557ba52f462eaf2a77ae38931e05c8302960ce
SHA256 f99751e058f818273bf6540cda6797bf61bec67a070ff79a8d00dcd0c7c9851d
SHA512 89ecce09d892f7bee8404e0f9f0363a10d969dc38443cb55e077aba4f3cec0ca85d5b3500d6a19e9b98e91b046faaa1b00686bfe6c3336e9086ed2ff305c5073

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\prefs-1.js

MD5 e42fe018db58469a407e3bc00c92b0a9
SHA1 7e39dc73e6af69e72b4b0e8cd5b5aac14be22a01
SHA256 ac1fd08280403406806d7b2300bd3bdcaab81104de13b62d4b0d4092770aa244
SHA512 b61630d5eecf624ea8fd1999882f59ddf9a58a80a7af8733a7d84960ad9a6f92208d7ba89185908320135b1ec05bad53ff5ec11b2b043fc1af0a5d2cc0a24bf2

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\AlternateServices.bin

MD5 28842a897b136e64af95e44d3533dd39
SHA1 d81e08ad97004b9ed364fd608c7467c3b6f3b067
SHA256 045cf0f167738bd90ae0cb724b4bbd2a8c4279a47e02acda03291a64ed839e53
SHA512 01091e57a8b8f052fe072b3e837813e6f0166a75f73364987dc6ffacf1c399b73377911cd9945c003eec7a7d0f83e14e526079d3d87c8caf7b0331bf5c8f19a8

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\sessionstore-backups\recovery.baklz4

MD5 916bc59ae2c381875ad024ee2e8d0653
SHA1 09fa4fdbae55626771fdd8231d4245b35fbf625e
SHA256 957b7805be3c31e89ed47e1ab8913419855a2a6ab4cea8f9aab60de55cf8df4d
SHA512 d44d41d588c58f5b452f4cd57e163ce194970c4ab87458c653d870d796b262208b68b501e2ec67ab110403d751cf27cf1ad4199076dc86b17e1a970692485d64

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\sessionstore-backups\recovery.baklz4

MD5 42e15d93b2ca885a0b20f8399701cd6b
SHA1 2fb5193af00f4ebff3ae7a30a4b1840b00c41787
SHA256 f1cbd16f93b5caa72e2e1cbf99855f2264486b1f3f320a165cc7a6efbbe5e27f
SHA512 4dbbe256f8250378d09ef73bf5f1b589ffe9ba025a7ee184895e5c79fc5b5b47aa211f9a77388558d79372354b0d678dfa3a839a3827ea468f31d8f3f87dbbb8

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\pzaexue0.default-release\cache2\entries\F8D2E540484662F96C508D774D38A9CC0519306D

MD5 3bcccfb8e4843b8177490a74eacba9f7
SHA1 9343d7a91479b357fcbcfa42c58c444500460b3f
SHA256 1d5f9ccda003fc66eefb553824fc7ceea4cc425024266aea5a0e6cee56ce2f16
SHA512 61a0bfc51bff77bd0e0ee64c9354123fbe75f41de01ef669d57150de784f4a419944dda6864de36510d477402d70cbbef040a757a44fc367563200605ed7184a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\sessionstore-backups\recovery.baklz4

MD5 5c7ee9d6baf0f034c99ff979e7bd4d0a
SHA1 e4c85d53f6a74b211c5d5cdf56c7de6609b51619
SHA256 51f4710ecdc9bd61a78376e53279e3d7a50ecbea5a13aa2c89642ca79e38b5e5
SHA512 a54f3365a62686ea3321f4416d0364fa32fa741b27dc6bf5784f570038cde627dc21cd637e667d778a7e2d1f9828f88362ce629d8633393526d9f2f0f3cd9e4d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\sessionstore-backups\recovery.baklz4

MD5 0c078c4f34107f38bf63e1f087ebd6f3
SHA1 383ff0c9ea59695f93acc11f50bcae96a5f92a55
SHA256 60f13f7c6937867014f50a431aa4c3dedc1f05e303d96ed9d3fef69348de7fda
SHA512 467e4eb5b7e61d6a6e09345a426e069202bf162c2e713090c324e7f797cc921e88151c3184b072465b3e78193006b244fe5a7d16fe78f0e9bd1da7c820191afa

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\sessionstore-backups\recovery.baklz4

MD5 d094d4745ac0ab63acf286af613e697e
SHA1 55896ae3a7b74cf8b59ca4cbd27ee9b16f7ffd2c
SHA256 ab186e8377d9350187a2e1e70ce4d609827c472d9e88bd62328140826524a89e
SHA512 b6e9cfa4bf596b4ebde84a2975fb94cfa274ab75143c19db0c7e97e9d7ace04471acb251e341f08813801d043b171872c27c60caf44f3c12d3cbf698d8db2f10

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\sessionstore-backups\recovery.baklz4

MD5 8fb6abf2ecac12a89bc57c5d8111d129
SHA1 d779db232abd97910c79c950d4dd0c5f28319bb5
SHA256 de6b577b99fd93356ee6d420b73214de4ca482af0e0f6b5c0887ecb7d451946b
SHA512 1fd928a82838a53d6f4c075fb56712d6b70e5b9ebe00c138ab9b7f867107ce15e1f396f458fe0fba268b7fb5b8ed1fe83c6d21b514038228dbf3436a0abf5bde

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\sessionstore-backups\recovery.baklz4

MD5 b35200a5f0a2c190662dd2abcebd39a8
SHA1 df250398451daa5a550293f256474fdfffb6b057
SHA256 538c18143bde1691aab84e8ff947f67efcc9ff43045cc9f24a9378a426777130
SHA512 eecf256832873466acb1d43e41af505e29986f0ea878cef5e80d8977164279d5ebf200cadf4eadd5bf416585fbd3e3d0cd2e15ac7bf401edb83dcd74732b16bd

C:\Users\Admin\Downloads\WinNuke.98.exe

MD5 eb9324121994e5e41f1738b5af8944b1
SHA1 aa63c521b64602fa9c3a73dadd412fdaf181b690
SHA256 2f1f93ede80502d153e301baf9b7f68e7c7a9344cfa90cfae396aac17e81ce5a
SHA512 7f7a702ddec8d94cb2177b4736d94ec53e575be3dd2d610410cb3154ba9ad2936c98e0e72ed7ab5ebbcbe0329be0d9b20a3bcd84670a6d1c8d7e0a9a3056edd2

C:\Users\Admin\Downloads\WinNuke.98(1).exe:Zone.Identifier

MD5 dce5191790621b5e424478ca69c47f55
SHA1 ae356a67d337afa5933e3e679e84854deeace048
SHA256 86a3e68762720abe870d1396794850220935115d3ccc8bb134ffa521244e3ef8
SHA512 a669e10b173fce667d5b369d230d5b1e89e366b05ba4e65919a7e67545dd0b1eca8bcb927f67b12fe47cbe22b0c54c54f1e03beed06379240b05b7b990c5a641

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\sessionstore-backups\recovery.baklz4

MD5 a899b05438a3916a65f6c46c00551988
SHA1 455d2dd8d2314591abd847cf888af8bfc6daf0f7
SHA256 f4f0563444bc2709fa6f0dba3dee66edc3aa152afc14b024e415bd120f5821de
SHA512 5f23446bfb5aff69e0b393913adaf7d55b1417eb98ab13bef502beaceda7a3545c72fe7103cb89998db18d7c664dfd78b509a536d0b429b17837047b5b86262e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\sessionstore-backups\recovery.baklz4

MD5 51a66a4e30c65585fc776a75188a170d
SHA1 f88de13e6cdb7f911f46616f92688c6e5897467c
SHA256 ed67984e61360f292fcdb7f941cf666f1aa2052565aa8b487ec331cb0fbb9c0f
SHA512 1d34b978a2889d6f093eaac0c91c5b2e5ff5c0ffa525ef2c4160e34e17ad95434f60f7571ef373a2450a3245ea0487c125f3bf1dd76d392e3ad29a2ff7b58a89

C:\Users\Admin\Downloads\AodAW_3X.exe.part

MD5 a56d479405b23976f162f3a4a74e48aa
SHA1 f4f433b3f56315e1d469148bdfd835469526262f
SHA256 17d81134a5957fb758b9d69a90b033477a991c8b0f107d9864dc790ca37e6a23
SHA512 f5594cde50ca5235f7759c9350d4054d7a61b5e61a197dffc04eb8cdef368572e99d212dd406ad296484b5f0f880bdc5ec9e155781101d15083c1564738a900a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

MD5 498307323f0dd1dab703b81ca2be3cb3
SHA1 9ba924f6b32ef34732a5fbd86ad87f7f13564078
SHA256 0dc47f7b85346225bff01505e8ba30d26f29931de6c6fe2ef34db90c2563f51f
SHA512 e5fc0a1b7cd0b25a4ae73bad9a988b60944354bcb8940e035e8e85d58c389566425f64c841d537343f6aa15954496121d60b882471bf053dfacb6cfe11533359

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

MD5 f01751888d91f1dcbf6d27978df04832
SHA1 c760a9aeea95b897ed101449650f5ae91a592599
SHA256 375367faa708ed80a2307e1dfa423d38fa9f3397f54098bc4de778f955a93221
SHA512 835dbe954b2ca5623075770c799b07182d9d8b8d82c5b0c8445fc973a1ff34f3d3f2bc8b3fbd13dcdee452038e96278e8264be658d3bfa506b1d2a6de40ad3ee

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\pzaexue0.default-release\jumpListCache\rsC0IwZXNWMY3JWIAVeJrs66EWZbCk_wv_Wsi0dOIQ0=.ico

MD5 6b120367fa9e50d6f91f30601ee58bb3
SHA1 9a32726e2496f78ef54f91954836b31b9a0faa50
SHA256 92c62d192e956e966fd01a0c1f721d241b9b6f256b308a2be06187a7b925f9e0
SHA512 c8d55a2c10a2ef484dedded911b8f3c2f5ecb996be6f6f425c5bd4b4f53eb620a2baccd48bac1915a81da9a792971d95ff36c3f216075d93e5fd7a462ecd784f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\sessionstore-backups\recovery.baklz4

MD5 a6951ef44f404bfa1761addd61f2e694
SHA1 d2269f2ffe619d5166479a767fee2e4293a319ca
SHA256 8b61301df7061443f58a180313d02a1c6d5ae01b75f7d63b2a8d3859ad908710
SHA512 f134c1a4bc8a876cf9f284d6d2a2d52fdadedd22438b6de0d827714f6875f50ea8824d25be1d898c5ae096b7e70547cea048e4f2179f7cc1b9aeb355b429e130

C:\Users\Admin\Downloads\MEpO3OQj.doc.part

MD5 4b68fdec8e89b3983ceb5190a2924003
SHA1 45588547dc335d87ea5768512b9f3fc72ffd84a3
SHA256 554701bc874da646285689df79e5002b3b1a1f76daf705bea9586640026697ca
SHA512 b2205ad850301f179a078219c6ce29da82f8259f4ec05d980c210718551de916df52c314cb3963f3dd99dcfb9de188bd1c7c9ee310662ece426706493500036f

memory/5088-1348-0x00007FF8D07D0000-0x00007FF8D07E0000-memory.dmp

memory/5088-1347-0x00007FF8D07D0000-0x00007FF8D07E0000-memory.dmp

memory/5088-1346-0x00007FF8D07D0000-0x00007FF8D07E0000-memory.dmp

memory/5088-1349-0x00007FF8D07D0000-0x00007FF8D07E0000-memory.dmp

memory/5088-1345-0x00007FF8D07D0000-0x00007FF8D07E0000-memory.dmp

memory/5088-1350-0x00007FF8CE090000-0x00007FF8CE0A0000-memory.dmp

memory/5088-1351-0x00007FF8CE090000-0x00007FF8CE0A0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

MD5 d29962abc88624befc0135579ae485ec
SHA1 e40a6458296ec6a2427bcb280572d023a9862b31
SHA256 a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866
SHA512 4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\sessionstore-backups\recovery.baklz4

MD5 7c285b091ecccf99fccab19200e1dbe5
SHA1 ed636a48296db5d4adaadd7f45518fe613480547
SHA256 51d077ff6592f283757472dbf8b00077e39d5b70c53fbcba852ed666499cad3e
SHA512 ac00dfee264996a59cf7ebc3738e2cb2284549e31ea7a66268858dcdf27c048a4a583d24dc909fa7a4937bf57510e71f666686f1211b3e3feed6d6d13c4196a9

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\datareporting\glean\db\data.safe.tmp

MD5 d69cadbba68a1cd436e25a2d02c1286e
SHA1 5cf58761b9cf5f4993fdee7e0f2ad0d961b12761
SHA256 07e1c9a4656d425beb711501338afebb77a7196005e17a4544bd11d265ca0237
SHA512 ae0323bdb900babc4ea4c09382e263bbdfeebea672072593ce6198ede95d008f6cb1b33bbc441c790287d0dcf6d09498837a7a0d9b77875d96d465640399c46f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\datareporting\glean\pending_pings\1cf27709-3daa-48f8-818a-a6240444cd7b

MD5 dd249452ec438f977ced6ce0216201f8
SHA1 a2c98e84907f777957d3438223c96f9501bbff0c
SHA256 1b36241e6dacebb25d433e361877fa99e2a1f76d2c3d8d7860fb4a96d3471ae6
SHA512 111a9f2d99aeb95ab95e58cf205a04a320682d42c950eb41e1aff3a51aacf046da1ccaaa2345637a365e6270d9559e9db065312646eb6355891a46dce70fd442

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\datareporting\glean\pending_pings\8fe67401-6ae4-40a2-91e8-8971861683d3

MD5 b2c95233bf3bdb0ae0478e9f7b4a570e
SHA1 c7b848c3e71e69d714f338de7a57ad7d7d600a41
SHA256 81ee1943b86df63a65711d8cfff35d82718fc8af721a0bc79119ae001264f4e8
SHA512 525c8211ad2cf11b36267573d04628557819210a73150f5636ece46e1cdfa38a70e1b1996b5c180a8984de8bf8dd25cb07271d2433a6da6cc4da32dcbdbb0427

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 df482959db89b2d5a096578667e27242
SHA1 34acafbb14fabe7cc4cf391fb38819db6ff1837f
SHA256 1468d8ddd5c41870393b7c418068b66e53a69f8d0cf230e1f91aae7e14039800
SHA512 960286a77fd47ae9f9e76bb8855cdaa88615f5b613d42b0f162440111b4b1821a479defe48b0646cfd6aedbb1e9e7fcded310076fac934e644d6f5df9189a66a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 f6ce3cac487560b3696e7bf1e065f096
SHA1 71a1b4c7d9fa0ac1080d38b98d6ba70c551311cc
SHA256 ef96daa49b2dcb1b5b4d0c0868af5347dd3d2e723a4517bcfc7b2157e593358e
SHA512 c3e1b495dbdfa421b0abb09f4fd951d9f3668d4e67f1617f213c5e4637ea19cd10317d77b2f600bfaa0bcfaf2fa02c5f180e1c49efa8cd41529b5d899700af6f

C:\Users\Admin\AppData\Local\Temp\TCDEB39.tmp\iso690.xsl

MD5 ff0e07eff1333cdf9fc2523d323dd654
SHA1 77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
SHA256 3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
SHA512 b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\~WRD0000.tmp

MD5 9ec017d4923e3c345510015c8db85717
SHA1 f18c07f317ab1376459502aa4543ee5de3a301bc
SHA256 d35660b87120575d12dedb06bc1823567dcdee14c350d7caddfccb1a501b1be1
SHA512 7488e27cfdd7f9a7c57b1948ed74560bda7044d5747912ca450eb84ab3723de8db74d14e2830b31f763a319105f552800df72865d4cae7ddcb805fa408a16c0c

memory/5088-1988-0x00007FF8D07D0000-0x00007FF8D07E0000-memory.dmp

memory/5088-1987-0x00007FF8D07D0000-0x00007FF8D07E0000-memory.dmp

memory/5088-1986-0x00007FF8D07D0000-0x00007FF8D07E0000-memory.dmp

memory/5088-1985-0x00007FF8D07D0000-0x00007FF8D07E0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\datareporting\glean\db\data.safe.tmp

MD5 d38ff13a9ab6eb2aea33b877580e5637
SHA1 495f167946b62875e8081f82f2d924aa6329dcb5
SHA256 d767430184930d287a48e48e3a326f1b617a7439f87263817235ad8bd96140f8
SHA512 4e5f6941e16514e3c8b8bbdea92f575217c312eecec8cdeee84c14265942223b12613df71e1ca04ff0f18ab0ae84e8356759bc1e81e0d8a04790367fb2381985

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\prefs.js

MD5 6f8b4f532968d31b3929955dd6c5aabb
SHA1 4b91dd70734f8a9f55584b115f7e7af6a657bb3f
SHA256 992d115dfddf117a206f4cf9a932445fd42d48414ee54d04bd07f36a97495c14
SHA512 f46110b6baa2417f54d3fc70701469c27155ca0a0b60d7926f8791562dbb21dd059f245774908420460ae7dec5321e92971156f65eccc6b64fffb30050460b8b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\sessionstore-backups\recovery.baklz4

MD5 e8354d610699daf6a898ac01f48f7523
SHA1 a4b2b8427e1d7b82cb2e10cb6ad5f80b33a47ad6
SHA256 1e0f64dc7a85cbbcec7330c13623def6482afe236f3192479828e750b9509380
SHA512 7e1bdc81f7ab916246065dcbfa2bf46dfa5e36be0c43b57314d6c5c7665677ed104da8acba2a4c4b0cbb05fd5324e41055c00e1f0d704b50c2a2f84e2f36e3c5

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\sessionstore-backups\recovery.baklz4

MD5 a2a919a56967d50f174f18368c5d7fa8
SHA1 418b93e0fa69753dcd03d303bdac4e584a4367dc
SHA256 811b26859d0347759ce75d761937595b77cbbddcb55addb5e6e582f89e618ec2
SHA512 8a69c1ce35e480753b397bf666776e8de4bc05099cc5e869e7035523636c7d99e51cf5a6c5e324f057d4883805839fed13a442cfa72be1220ca9799d165a8245

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\sessionstore-backups\recovery.baklz4

MD5 2955195213bbbe574f61e00fdde51d17
SHA1 93c763547c5523c670a8f82caf4c1fbb6ac5b03d
SHA256 b65d558983d9731327cca0d97283308d86a6b8ccd66ee542d3cbdbc04ba8d019
SHA512 a47da0a9a34ed6709062009a25b6dde730fa2b181a7ac8a34d9dec723ff1762cd32a262a64802ee285b262d8be2cf9bea2fff015cce12b5b91a132aa74a0038e

C:\Users\Admin\Downloads\LoveYou.exe

MD5 31420227141ade98a5a5228bf8e6a97d
SHA1 19329845635ebbc5c4026e111650d3ef42ab05ac
SHA256 1edc8771e2a1a70023fc9ddeb5a6bc950380224b75e8306eb70da8eb80cb5b71
SHA512 cbb18a6667b377eb68395cfd8df52b7d93c4554c3b5ab32c70e73b86e3dedb7949122fe8eea9530cd53944b45a1b699380bf1e9e5254af04d8409c594a52c0e7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\sessionstore-backups\recovery.baklz4

MD5 d45cd055d7878cae5acc7e91cc0ddcbb
SHA1 82fbf5d87bb09127be7507dc6d2501df0fe1f33d
SHA256 fb832cf3931eddb47a6306f6f192269845efc311dc19f1f9c683d497e9038cb9
SHA512 93c043427c3b8c0e1e0b2042d7d9624cd0c762ab5d5604033f926d001a233583652766c8a551b998b8df519f3d8dae1612441c001cde39fc53f780ea31bb7ce3

C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

MD5 ef7b3c31bc127e64627edd8b89b2ae54
SHA1 310d606ec2f130013cc9d2f38a9cc13a2a34794a
SHA256 8b04fda4bee1806587657da6c6147d3e949aa7d11be1eefb8cd6ef0dba76d387
SHA512 a11eadf40024faeb2cc111b8feee1b855701b3b3f3c828d2da0ae93880897c70c15a0ee3aeb91874e5829b1100e0abafec020e0bf1e82f2b8235e9cc3d289be5

memory/5500-2197-0x00000000003B0000-0x00000000009ED000-memory.dmp

memory/5544-2198-0x0000000000A00000-0x0000000000B9C000-memory.dmp

memory/5544-2200-0x0000000000A00000-0x0000000000B9C000-memory.dmp

memory/5544-2199-0x0000000000A00000-0x0000000000B9C000-memory.dmp

memory/4084-2201-0x0000000000CC0000-0x0000000000DB4000-memory.dmp

memory/5544-2209-0x0000000010000000-0x0000000010013000-memory.dmp

memory/5544-2208-0x0000000010000000-0x0000000010013000-memory.dmp

memory/5544-2206-0x0000000010000000-0x0000000010013000-memory.dmp

memory/4084-2205-0x0000000000CC0000-0x0000000000DB4000-memory.dmp

memory/4084-2204-0x0000000000CC0000-0x0000000000DB4000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

MD5 1ef257226c5c59671528367274605322
SHA1 0c169c76f806579c3f204d1e6eb7c1c35d84074d
SHA256 8a38f9007b0c7d5731cc89a4a66efb3a517eb77f1dbd48940017bbd2f84320c9
SHA512 19b9d2350bec709a37275eab12fa10509ade7bcc39b92d7ddb62abfc6c8906dbdb01b2d1ec1bf3d8c3a26351ac3812f9fb4e2053f610bf3b30bfc28a8b3676e3

memory/3560-2230-0x0000000000DC0000-0x0000000000ECC000-memory.dmp

memory/3560-2231-0x0000000000DC0000-0x0000000000ECC000-memory.dmp

memory/3560-2232-0x0000000000DC0000-0x0000000000ECC000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\sessionstore-backups\recovery.baklz4

MD5 27febe232ab0215d28f34770ab3cf433
SHA1 ad91b41d6eef61a808d8dc2575caad08823ebe83
SHA256 a259f8475cc1421e49ab5d50707c5becceb20318bdec06477ce7ae92e0e2568b
SHA512 c7c324a3ef0bc7b52b13da09a33a1c461dfb1e4b03a1b04770f33881179d8b73532636168dee5c103a0f06e423dd716c7484e589fc3cf662680fa98ad7ce0491

memory/5500-2240-0x00000000003B0000-0x00000000009ED000-memory.dmp

memory/5500-2239-0x00000000003B0000-0x00000000009ED000-memory.dmp

memory/1236-2241-0x0000000000E10000-0x0000000000F1C000-memory.dmp

memory/1236-2242-0x0000000000E10000-0x0000000000F1C000-memory.dmp

memory/1236-2243-0x0000000000E10000-0x0000000000F1C000-memory.dmp

memory/3136-2244-0x0000000000CC0000-0x0000000000DCC000-memory.dmp

memory/3136-2245-0x0000000000CC0000-0x0000000000DCC000-memory.dmp

memory/3136-2246-0x0000000000CC0000-0x0000000000DCC000-memory.dmp

memory/5500-2247-0x00000000003B0000-0x00000000009ED000-memory.dmp

memory/6056-2254-0x0000000001110000-0x000000000121C000-memory.dmp

memory/6056-2255-0x0000000001110000-0x000000000121C000-memory.dmp

memory/6056-2256-0x0000000001110000-0x000000000121C000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\sessionstore-backups\recovery.baklz4

MD5 8f912c44dd373882444170aeabbcc40b
SHA1 f088c54a97a2fdd2f42e27f4941aec5c30ec03b6
SHA256 40d75dab05db0459612ebaac0ecb238dfabf828214e42281230b11b499627c96
SHA512 9dc5050e95fea0fbf130422585e5f9c5e8ef84b37888d64ec2d2599a1568835dd67b3a10cdd825be3da86e17dadd50e7195b51a47e78bd06f41cd4ff1dd9cfed

memory/2884-2274-0x0000000000DF0000-0x0000000000EFC000-memory.dmp

memory/2884-2275-0x0000000000DF0000-0x0000000000EFC000-memory.dmp

memory/2884-2276-0x0000000000DF0000-0x0000000000EFC000-memory.dmp

memory/5500-2278-0x00000000003B0000-0x00000000009ED000-memory.dmp

C:\Users\Admin\Downloads\MrsMajor3.0.exe

MD5 35a27d088cd5be278629fae37d464182
SHA1 d5a291fadead1f2a0cf35082012fe6f4bf22a3ab
SHA256 4a75f2db1dbd3c1218bb9994b7e1c690c4edd4e0c1a675de8d2a127611173e69
SHA512 eb0be3026321864bd5bcf53b88dc951711d8c0b4bcbd46800b90ca5116a56dba22452530e29f3ccbbcc43d943bdefc8ed8ca2d31ba2e7e5f0e594f74adba4ab5

C:\Users\Admin\AppData\Local\Temp\D3CD.tmp\D3CE.tmp\D3CF.vbs

MD5 3b8696ecbb737aad2a763c4eaf62c247
SHA1 4a2d7a2d61d3f4c414b4e5d2933cd404b8f126e5
SHA256 ce95f7eea8b303bc23cfd6e41748ad4e7b5e0f0f1d3bdf390eadb1e354915569
SHA512 713d9697b892b9dd892537e8a01eab8d0265ebf64867c8beecf7a744321257c2a5c11d4de18fcb486bb69f199422ce3cab8b6afdbe880481c47b06ba8f335beb

C:\Users\Admin\AppData\Local\Temp\D3CD.tmp\eulascr.exe

MD5 8b1c352450e480d9320fce5e6f2c8713
SHA1 d6bd88bf33de7c5d4e68b233c37cc1540c97bd3a
SHA256 2c343174231b55e463ca044d19d47bd5842793c15954583eb340bfd95628516e
SHA512 2d8e43b1021da08ed1bf5aff110159e6bc10478102c024371302ccfce595e77fd76794658617b5b52f9a50190db250c1ba486d247d9cd69e4732a768edbb4cbc

memory/4744-2317-0x0000000000640000-0x000000000066A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5a530dfd-bc51-4992-a05d-f09d41a331d4\AgileDotNetRT64.dll

MD5 42b2c266e49a3acd346b91e3b0e638c0
SHA1 2bc52134f03fcc51cb4e0f6c7cf70646b4df7dd1
SHA256 adeed015f06efa363d504a18acb671b1db4b20b23664a55c9bc28aef3283ca29
SHA512 770822fd681a1d98afe03f6fbe5f116321b54c8e2989fb07491811fd29fca5b666f1adf4c6900823af1271e342cacc9293e9db307c4eef852d1a253b00347a81

memory/4744-2324-0x00007FF8EA720000-0x00007FF8EA86F000-memory.dmp

memory/5500-2325-0x00000000003B0000-0x00000000009ED000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\sessionstore-backups\recovery.baklz4

MD5 a0fd472db7b7e1c9a0ca2746156074a6
SHA1 312e1badd37f3cfcc27120a77de3de7cbe0dd32c
SHA256 cb98c977722e57d9bcb7c5a8443a254e5c70bc8fdad4efc48f2bd104b1c62746
SHA512 d0994da1a29b2a3cc300a37090d9e8d70ffe7c356ea4456ec8f391f1cfa6bd0897b4b0182e3f02c65ceaaf07bf2fa51ad301f8c5a52aa32c7e86f1093a466c1b

memory/4744-2332-0x000000001B770000-0x000000001B923000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\datareporting\glean\db\data.safe.tmp

MD5 fd54b9cddec0c128ed03287c008da677
SHA1 99bba22d95eb1f91f35837fb968d541ed02f6816
SHA256 397f23dd96094d3ce29141670503573be316aac8eac96a2a8f411ee887766504
SHA512 b65ad356fdf0e8afc07247d017abf69bce13e9c2436e4f09dd3853a039aa642647653721b4d1b8012d17a43b8575285ccde01be29dd4e990e611d056b9ef8521

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\datareporting\glean\pending_pings\0c4c577f-bcf4-4184-8078-2650c457a54a

MD5 61f9947640ee5e679df2e318214f659d
SHA1 c7779b3727609b422deeff2e39c55125cecd7023
SHA256 ea277b7c293a0bdb35582fc463247cf7d66642029183b686ad70f49c51696ba5
SHA512 500e7f408a66189903537c8177d72b2d8863bbca23c2a727345f5c30e15b8d083a7579a8ec68fff2750a976e51e4d41f2a388a56fb70712dc841f2dc456f1da6

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\datareporting\glean\pending_pings\3f8846be-e6c1-421f-851a-b6abc222a3fc

MD5 4065c6bd6127e0135979b8fca9460d9c
SHA1 1a5247ace261332998b8deb773a53d09b9bb75fa
SHA256 a726f79700e82d6d8af9f19393940a8136e1b08ff508e92d4e682328d803abde
SHA512 1e36057d1d5a77f34fdeeb996ce061b1c1b028376d4a52b74e39a47d0b96bac1338b59c24ae89850c56058e678cc4f02ddb00f10a13f5908ed81d48c424f2375

memory/5500-2364-0x00000000003B0000-0x00000000009ED000-memory.dmp

memory/4744-2368-0x000000001B770000-0x000000001B923000-memory.dmp

memory/5500-2378-0x00000000003B0000-0x00000000009ED000-memory.dmp

memory/4744-2386-0x000000001B770000-0x000000001B923000-memory.dmp

C:\Users\Admin\Downloads\PCToaster.exe

MD5 04251a49a240dbf60975ac262fc6aeb7
SHA1 e211ca63af2ab85ffab1e5fbbdf28a4ef8f77de0
SHA256 85a58aa96dccd94316a34608ba996656a22c8158d5156b6e454d9d69e6ff38c3
SHA512 3422a231e1dadb68d3567a99d46791392ecf5883fd3bbc2cae19a595364dac46e4b2712db70b61b488937d906413d39411554034ffd3058389700a93c17568d2

memory/4744-2397-0x000000001B770000-0x000000001B923000-memory.dmp

memory/5500-2408-0x00000000003B0000-0x00000000009ED000-memory.dmp

memory/5356-2415-0x0000000000400000-0x000000000046E000-memory.dmp

C:\Users\Admin\Downloads\scr.txt

MD5 ad1869d6f0b2b809394605d3e73eeb74
SHA1 4bdedd14bfea9f891b98c4cc82c5f82a58df67f6
SHA256 7e9cde40095f2a877375cb30fecd4f64cf328e3ab11baed5242f73cbb94bd394
SHA512 8fe0f269daf94feaa246a644dbeeda52916855f1d2bfd2c6c876c7c9c80b0ceb7e42caf0b64a70bda9a64d4529b885aaa38998a515d6abbe88ad367e72324136

memory/5368-2440-0x0000025454560000-0x0000025454561000-memory.dmp

memory/5368-2444-0x0000025454560000-0x0000025454561000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\sessionstore-backups\recovery.baklz4

MD5 4e2680b46baa7b8a715e586bc2945fe9
SHA1 2f97d860d38f973e682bd3b7d578549bc6245261
SHA256 ea714bde197c585ab2c088228706faaadf26d0249716d6e603d963021ffb255e
SHA512 2b9938eacb110e331d9cd2d9aa7742b010225e657113f02dcb5ceaf373517a6a5b1f72a0ebf3747124bd19214c5170bb8eeede0a1c75c27c95755643df316929

C:\Users\Admin\Downloads\4fiz8jz_.apk.part

MD5 45be5a7857a4fa1c5eadd519e9402e8a
SHA1 36feb0809c1853f9a1f6d587302691abd7ce90e9
SHA256 7d59e24f4bdf28a846d21e2608796f7e91389c4778bec75369d7b05e3f8449a5
SHA512 46c869051e0c97b68f4388b87caecd82bf7362110a34ebb28ddc5fcd6c8a0e339eeaafbfce54d22593e245457fae7ec4c36b49a8556d3327ba7f90a40dd96a73

memory/5500-2475-0x00000000003B0000-0x00000000009ED000-memory.dmp

memory/5500-2477-0x00000000003B0000-0x00000000009ED000-memory.dmp

memory/5500-2481-0x00000000003B0000-0x00000000009ED000-memory.dmp

memory/5368-2484-0x0000025454560000-0x0000025454561000-memory.dmp

memory/5500-2485-0x00000000003B0000-0x00000000009ED000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 9f081a02d8bbd5d800828ed8c769f5d9
SHA1 978d807096b7e7a4962a001b7bba6b2e77ce419a
SHA256 a7645e1b16115e9afec86efa139d35d5fecc6c5c7c59174c9901b4213b1fae0e
SHA512 7f3045f276f5bd8d3c65a23592419c3b98f1311c214c8e54a4dfe09122a08afb08ab7967b49bd413bc748ce6363658640bc87958d5e0a78974680a8f9beadf44

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata

MD5 70627da577bc88f7c8da106344dd8e42
SHA1 ce343397b73cb30afa8a8a809e940b40e08ef6c7
SHA256 d62c7c4ca89179c373164e7271a9beb32ad62cf55ae215619905fbf8c1ff5011
SHA512 988d0a27ec6a7e95ffa4c4ea54e5a826da94a8034a8ddb04dd039c3c59a05fbad251a574efd2f46116f9a790b5967196f82e3fbd685780a56f3a22b5d6efb99a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\b13693dc-63fe-4e33-b462-411fe8af6746.dmp

MD5 644b41c2ec711afd31136b4443dcec33
SHA1 4ff54f527b2c7ddd6713887067f53a77ab30e21b
SHA256 31f6323e40207c8c607a2f41484b36b9e5e160d24a5b9cd4cb1925ea08daaa61
SHA512 b9d498ea9fb1025f9d826e8e560a425c26f7fec657b4a557490cb74e0f5ab2ad66d7bf3a572f86dc2af3920c059e1f0a222ccc1f39bae4508ccfb9f6777afd3a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\sessionstore-backups\recovery.baklz4

MD5 c0bc6fac593b2b60e1fa2039d32109c6
SHA1 3e9ead4cba0f198ea57273a3ebefee404b62c82c
SHA256 929a04ccfbbce67db102f52f70e28e27c75aab81598a7673230f94d2aeceba68
SHA512 3b413d496f53d94b2b8e61e2829df6da738315192aa5eb99763d13621c2c0d8df4c2cc70d80c4d036a366e9fe6dc2b43e7bddb0d2d3ed5c6bcb4f68a518fbe93

memory/5500-2572-0x00000000003B0000-0x00000000009ED000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

MD5 f2c7409f2cc4e52eaddc9c71eedab9a6
SHA1 fd2a26634bbad2bade1c9615376f583f39b6c449
SHA256 ca23928679b33334ab13abf2437166d8e4de618b4afd5a9d08c512bbe13dae8e
SHA512 79823d5c95e9a53914ea2cc66f712279b2570f88136e3fb4fbc3f3a4cf67bc0812172272db982ebae3ec7f6dfdb86c94ab32847673e8b13a36c9b226c92c8f6b

memory/5368-2624-0x0000025454560000-0x0000025454561000-memory.dmp
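A listing this long mixes a handful of dropped payloads (WinNuke.98.exe, LoveYou.exe, MrsMajor3.0.exe, PCToaster.exe, eulascr.exe, D3CF.vbs, AgileDotNetRT64.dll) with hundreds of lines of Firefox profile churn, jump-list files and memory-dump regions. The script below is an added example, not part of this report or of the sandbox's own tooling: it parses the report's path / hash-line / blank-line layout into records, validates each digest's hex length, and applies a triage heuristic so that executables, scripts, partial downloads and alternate data streams surface first. The sample input is constructed from six entries copied verbatim from the listing above (trimmed to MD5 and SHA256). The noise-directory list, the extension sets and the label names are this example's own assumptions, not classifications made by the report.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: six entries copied from the listing above in the report's
# own layout, trimmed to MD5 and SHA256 (the parser accepts all four hash lines).
SAMPLE = r"""
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\prefs.js

MD5 6fdbf85ed922a668d8d583d39d30602d
SHA256 efd6a361bb754ad80e446117c42b1003ddca21b5f3a4ebf6e2b4e92a7ce6ed0b

C:\Users\Admin\Downloads\WinNuke.98.exe

MD5 eb9324121994e5e41f1738b5af8944b1
SHA256 2f1f93ede80502d153e301baf9b7f68e7c7a9344cfa90cfae396aac17e81ce5a

C:\Users\Admin\Downloads\WinNuke.98(1).exe:Zone.Identifier

MD5 dce5191790621b5e424478ca69c47f55
SHA256 86a3e68762720abe870d1396794850220935115d3ccc8bb134ffa521244e3ef8

C:\Users\Admin\Downloads\AodAW_3X.exe.part

MD5 a56d479405b23976f162f3a4a74e48aa
SHA256 17d81134a5957fb758b9d69a90b033477a991c8b0f107d9864dc790ca37e6a23

memory/5500-2197-0x00000000003B0000-0x00000000009ED000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D3CD.tmp\D3CE.tmp\D3CF.vbs

MD5 3b8696ecbb737aad2a763c4eaf62c247
SHA256 ce95f7eea8b303bc23cfd6e41748ad4e7b5e0f0f1d3bdf390eadb1e354915569

C:\Users\Admin\AppData\Local\Temp\5a530dfd-bc51-4992-a05d-f09d41a331d4\AgileDotNetRT64.dll

MD5 42b2c266e49a3acd346b91e3b0e638c0
SHA256 adeed015f06efa363d504a18acb671b1db4b20b23664a55c9bc28aef3283ca29
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

# Assumed heuristic: directories whose churn is browser/shell bookkeeping.
# Only non-executable files there are suppressed; PE files are always kept.
NOISE_DIRS = (r"\mozilla\firefox\profiles", r"\microsoft\windows\recent",
              r"\microsoft\edge\user data\crashpad")
PE_EXT = {".exe", ".dll", ".scr", ".com", ".sys"}
SCRIPT_EXT = {".vbs", ".js", ".ps1", ".bat", ".cmd", ".hta"}


@dataclass
class FileRecord:
    path: str
    hashes: dict = field(default_factory=dict)


@dataclass
class MemoryRegion:
    pid: int
    index: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_listing(text: str):
    """Split the report's file listing into file records and memory regions."""
    files, regions, current = [], [], None
    for line in map(str.strip, text.splitlines()):
        if not line:
            continue
        if m := MEM_RE.match(line):
            regions.append(MemoryRegion(int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)))
            current = None
            continue
        if h := HASH_RE.match(line):
            if current is None:  # excerpt begins mid-entry; its path is above the cut
                current = FileRecord("(path not in excerpt)")
                files.append(current)
            algo, digest = h[1], h[2].lower()
            if len(digest) != HASH_LEN[algo]:  # catches truncated or mangled digests
                raise ValueError(f"{algo} for {current.path} has {len(digest)} hex chars")
            current.hashes[algo] = digest
            continue
        current = FileRecord(line)  # any other non-blank line is a path
        files.append(current)
    return files, regions


def classify(path: str):
    """Triage label for one path, or None when it is routine bookkeeping."""
    low = path.lower()
    name = low.rsplit("\\", 1)[-1]
    base, _, stream = name.partition(":")  # 'x.exe:Zone.Identifier' is an ADS
    ext = "." + base.rsplit(".", 1)[-1] if "." in base else ""
    in_noise = any(d in low for d in NOISE_DIRS)
    if stream:
        return "ads"  # alternate data stream such as Mark-of-the-Web
    if ext in PE_EXT:
        return "pe"  # never suppressed by location
    if ext in SCRIPT_EXT and not in_noise:
        return "script"
    if ext == ".part" and "." + base[:-5].rsplit(".", 1)[-1] in PE_EXT:
        return "partial-download"  # browser writes x.exe.part while fetching x.exe
    return None if in_noise else "other"


def triage(files):
    """Entries worth a look, as (label, path, sha256) triples."""
    out = []
    for rec in files:
        if label := classify(rec.path):
            out.append((label, rec.path, rec.hashes.get("SHA256")))
    return out


def payload_sha256s(files):
    """SHA256 set for a blocklist: executables and scripts only."""
    return {sha for label, _, sha in triage(files) if label in ("pe", "script") and sha}


if __name__ == "__main__":
    recs, regs = parse_listing(SAMPLE)
    for label, path, sha in triage(recs):
        print(f"{label:17} {sha}  {path}")
    for r in regs:
        print(f"pid {r.pid}: 0x{r.start:X}-0x{r.end:X} ({r.size:#x} bytes)")
```

Run against the full Files section, the output drops prefs.js, the sessionstore and glean files and the CustomDestinations entries, while still listing every .exe and .dll, including the GMP plugin DLLs under the Firefox profile, since location never suppresses a PE file; the analyst decides which of those to discard, not the filter. The Zone.Identifier stream next to WinNuke.98(1).exe is reported separately because its presence says how the file arrived (a browser download) rather than what it is.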