Malware Analysis Report

2024-10-18 22:30

Sample ID 240922-nbfqcawgrm
Target Ultimate Tweaks.exe
SHA256 30091faafd62ea7ba9868db2ee575dab98fd126a78d39590f57ea7b38b20d966
Tags
discovery zloader execution
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral31

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral21

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral20

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral26

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral29

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral23

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral27

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral22

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral24

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral19

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral32

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral25

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral30

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral28

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

30091faafd62ea7ba9868db2ee575dab98fd126a78d39590f57ea7b38b20d966

Threat Level: Known bad

The file Ultimate Tweaks.exe was found to be: Known bad.

Malicious Activity Summary

discovery zloader execution

Zloader family

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Program crash

Unsigned PE

Enumerates physical storage devices

Command and Scripting Interpreter: PowerShell

System Location Discovery: System Language Discovery

Suspicious use of SendNotifyMessage

Suspicious behavior: GetForegroundWindowSpam

Uses Task Scheduler COM API

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Checks processor information in registry

Modifies registry class

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-22 11:14

Signatures

Zloader family

zloader

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-09-22 11:13

Reported

2024-09-22 11:23

Platform

win10v2004-20240802-en

Max time kernel

148s

Max time network

304s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1560 wrote to memory of 3776 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1560 wrote to memory of 3776 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1560 wrote to memory of 3776 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3776 -ip 3776

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3776 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 233.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 44.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 18.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-22 11:13

Reported

2024-09-22 11:23

Platform

win7-20240903-en

Max time kernel

120s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe"

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe

"C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nsdB146.tmp\System.dll

MD5 0d7ad4f45dc6f5aa87f606d0331c6901
SHA1 48df0911f0484cbe2a8cdd5362140b63c41ee457
SHA256 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
SHA512 c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

\Users\Admin\AppData\Local\Temp\nsdB146.tmp\UAC.dll

MD5 adb29e6b186daa765dc750128649b63d
SHA1 160cbdc4cb0ac2c142d361df138c537aa7e708c9
SHA256 2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08
SHA512 b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

\Users\Admin\AppData\Local\Temp\nsdB146.tmp\StdUtils.dll

MD5 c6a6e03f77c313b267498515488c5740
SHA1 3d49fc2784b9450962ed6b82b46e9c3c957d7c15
SHA256 b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e
SHA512 9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

Analysis: behavioral4

Detonation Overview

Submitted

2024-09-22 11:13

Reported

2024-09-22 11:23

Platform

win10v2004-20240802-en

Max time kernel

92s

Max time network

212s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2064 wrote to memory of 3268 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2064 wrote to memory of 3268 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2064 wrote to memory of 3268 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3268 -ip 3268

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3268 -s 628

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 233.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 121.170.16.2.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-09-22 11:13

Reported

2024-09-22 11:23

Platform

win7-20240903-en

Max time kernel

299s

Max time network

305s

Command Line

"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html"

Signatures

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A bitbucket.org N/A N/A
N/A bitbucket.org N/A N/A
N/A bitbucket.org N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3044 wrote to memory of 3056 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3044 wrote to memory of 3056 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3044 wrote to memory of 3056 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3044 wrote to memory of 3056 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3044 wrote to memory of 3056 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3044 wrote to memory of 3056 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3044 wrote to memory of 3056 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3044 wrote to memory of 3056 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3044 wrote to memory of 3056 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3044 wrote to memory of 3056 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3044 wrote to memory of 3056 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3044 wrote to memory of 3056 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3056 wrote to memory of 1044 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3056 wrote to memory of 1044 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3056 wrote to memory of 1044 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3056 wrote to memory of 2664 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3056 wrote to memory of 2664 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3056 wrote to memory of 2664 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3056 wrote to memory of 2664 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3056 wrote to memory of 2664 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3056 wrote to memory of 2664 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3056 wrote to memory of 2664 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3056 wrote to memory of 2664 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3056 wrote to memory of 2664 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3056 wrote to memory of 2664 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3056 wrote to memory of 2664 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3056 wrote to memory of 2664 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3056 wrote to memory of 2664 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3056 wrote to memory of 2664 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3056 wrote to memory of 2664 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3056 wrote to memory of 2664 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3056 wrote to memory of 2664 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3056 wrote to memory of 2664 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3056 wrote to memory of 2664 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3056 wrote to memory of 2664 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3056 wrote to memory of 2664 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3056 wrote to memory of 2664 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3056 wrote to memory of 2664 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3056 wrote to memory of 2664 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3056 wrote to memory of 2664 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3056 wrote to memory of 2664 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3056 wrote to memory of 2664 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3056 wrote to memory of 2664 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3056 wrote to memory of 2664 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3056 wrote to memory of 2664 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3056 wrote to memory of 2664 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3056 wrote to memory of 2664 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3056 wrote to memory of 2664 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3056 wrote to memory of 2664 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3056 wrote to memory of 2664 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3056 wrote to memory of 2664 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3056 wrote to memory of 2664 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3056 wrote to memory of 2664 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3056 wrote to memory of 2664 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3056 wrote to memory of 2664 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3056 wrote to memory of 2664 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3056 wrote to memory of 2664 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3056 wrote to memory of 2664 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3056 wrote to memory of 2664 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3056 wrote to memory of 988 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3056 wrote to memory of 988 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3056 wrote to memory of 988 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3056 wrote to memory of 988 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3056 wrote to memory of 988 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3056.0.1524721661\1655230473" -parentBuildID 20221007134813 -prefsHandle 1268 -prefMapHandle 1264 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {18660dc3-cd3d-421a-ac36-37422378fc75} 3056 "\\.\pipe\gecko-crash-server-pipe.3056" 1360 114faf58 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3056.1.1951607172\1803665560" -parentBuildID 20221007134813 -prefsHandle 1520 -prefMapHandle 1516 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0915e6f2-a11d-409f-a638-6cbd0a58a2e6} 3056 "\\.\pipe\gecko-crash-server-pipe.3056" 1532 43fce58 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3056.2.1935527947\132802561" -childID 1 -isForBrowser -prefsHandle 1920 -prefMapHandle 1916 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 840 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a071a723-85f9-4143-9fc3-e669ec1306a3} 3056 "\\.\pipe\gecko-crash-server-pipe.3056" 2072 19e93e58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3056.3.1312907345\874953504" -childID 2 -isForBrowser -prefsHandle 2460 -prefMapHandle 2456 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 840 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b83d2829-81e6-47ee-a72c-d9fffbac2372} 3056 "\\.\pipe\gecko-crash-server-pipe.3056" 2472 d67e58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3056.4.1178387559\1355602747" -childID 3 -isForBrowser -prefsHandle 3696 -prefMapHandle 3692 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 840 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8e2f0151-82e2-4f79-874d-2bba799b2b80} 3056 "\\.\pipe\gecko-crash-server-pipe.3056" 3708 1e4c5a58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3056.5.435353387\1462990345" -childID 4 -isForBrowser -prefsHandle 3816 -prefMapHandle 3820 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 840 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b1f80900-d89a-4767-9461-6bdc2e29d069} 3056 "\\.\pipe\gecko-crash-server-pipe.3056" 3804 1e4c7558 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3056.6.183093485\257716420" -childID 5 -isForBrowser -prefsHandle 3980 -prefMapHandle 3984 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 840 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d79a61ec-7f36-494c-a97c-731e2f830ac3} 3056 "\\.\pipe\gecko-crash-server-pipe.3056" 3968 1e4c6f58 tab

Network

Country Destination Domain Proto
N/A 127.0.0.1:49204 tcp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 getpocket.cdn.mozilla.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 34.120.5.221:443 getpocket.cdn.mozilla.net tcp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
N/A 127.0.0.1:49212 tcp
US 8.8.8.8:53 source.chromium.org udp
US 8.8.8.8:53 www.kurims.kyoto-u.ac.jp udp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 source.chromium.org udp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 source.chromium.org udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 8.8.8.8:53 aomedia.googlesource.com udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 8.8.8.8:53 aomedia.googlesource.com udp
US 8.8.8.8:53 chromium.googlesource.com udp
US 8.8.8.8:53 aomedia.googlesource.com udp
US 8.8.8.8:53 chromium.googlesource.com udp
US 8.8.8.8:53 source.android.com udp
US 8.8.8.8:53 chromium.googlesource.com udp
US 8.8.8.8:53 www3.l.google.com udp
US 8.8.8.8:53 developer.android.com udp
US 8.8.8.8:53 www3.l.google.com udp
US 8.8.8.8:53 www3.l.google.com udp
US 8.8.8.8:53 ci.android.com udp
US 8.8.8.8:53 android.googlesource.com udp
US 8.8.8.8:53 ci.android.com udp
US 8.8.8.8:53 android.googlesource.com udp
US 8.8.8.8:53 ci.android.com udp
US 8.8.8.8:53 android.googlesource.com udp
US 8.8.8.8:53 www.mojohaus.org udp
US 8.8.8.8:53 developers.google.com udp
US 8.8.8.8:53 mojohaus.github.io udp
US 8.8.8.8:53 developers.google.com udp
US 8.8.8.8:53 mojohaus.github.io udp
US 8.8.8.8:53 developers.google.com udp
US 8.8.8.8:53 beto-core.googlesource.com udp
US 8.8.8.8:53 tsuru.kurims.kyoto-u.ac.jp udp
US 8.8.8.8:53 software.blackmagicdesign.com udp
US 8.8.8.8:53 beto-core.googlesource.com udp
US 8.8.8.8:53 software.blackmagicdesign.com udp
US 8.8.8.8:53 beto-core.googlesource.com udp
US 8.8.8.8:53 software.blackmagicdesign.com udp
US 8.8.8.8:53 www.chromium.org udp
US 8.8.8.8:53 boringssl.googlesource.com udp
US 8.8.8.8:53 www.chromium.org udp
US 8.8.8.8:53 boringssl.googlesource.com udp
US 8.8.8.8:53 www.chromium.org udp
US 8.8.8.8:53 boringssl.googlesource.com udp
US 8.8.8.8:53 www.daemonology.net udp
US 8.8.8.8:53 sigslot.sourceforge.net udp
US 8.8.8.8:53 projects.sourceforge.net.cdn.cloudflare.net udp
US 8.8.8.8:53 www.daemonology.net udp
US 8.8.8.8:53 projects.sourceforge.net.cdn.cloudflare.net udp
US 8.8.8.8:53 www.daemonology.net udp
US 8.8.8.8:53 checkerframework.org udp
US 8.8.8.8:53 code.google.com udp
US 8.8.8.8:53 checkerframework.org udp
US 8.8.8.8:53 code.l.google.com udp
US 8.8.8.8:53 code.l.google.com udp
US 8.8.8.8:53 checkerframework.org udp
US 8.8.8.8:53 pypi.python.org udp
US 8.8.8.8:53 crashpad.chromium.org udp
US 8.8.8.8:53 dualstack.python.map.fastly.net udp
US 8.8.8.8:53 ghs.googlehosted.com udp
US 8.8.8.8:53 dualstack.python.map.fastly.net udp
US 8.8.8.8:53 ghs.googlehosted.com udp
US 8.8.8.8:53 www.npmjs.com udp
US 8.8.8.8:53 www.npmjs.com udp
US 8.8.8.8:53 www.opensource.apple.com udp
US 8.8.8.8:53 tsuru.kurims.kyoto-u.ac.jp udp
US 8.8.8.8:53 www.npmjs.com udp
US 8.8.8.8:53 world-gen.g.aaplimg.com udp
US 8.8.8.8:53 code.videolan.org udp
US 8.8.8.8:53 world-gen.g.aaplimg.com udp
US 8.8.8.8:53 code.videolan.org udp
US 8.8.8.8:53 dawn.googlesource.com udp
US 8.8.8.8:53 code.videolan.org udp
US 8.8.8.8:53 dawn.googlesource.com udp
US 8.8.8.8:53 easylist.to udp
US 8.8.8.8:53 dawn.googlesource.com udp
US 8.8.8.8:53 easylist.to udp
US 8.8.8.8:53 gitlab.com udp
US 8.8.8.8:53 easylist.to udp
US 8.8.8.8:53 gitlab.com udp
US 8.8.8.8:53 www.netlib.org udp
US 8.8.8.8:53 gitlab.com udp
US 8.8.8.8:53 ffmpeg.org udp
US 8.8.8.8:53 ffmpeg.org udp
US 8.8.8.8:53 ffmpeg.org udp
US 8.8.8.8:53 netlib.org udp
US 8.8.8.8:53 findbugs.sourceforge.net udp
US 8.8.8.8:53 firebase.google.com udp
US 8.8.8.8:53 www.flotcharts.org udp
US 8.8.8.8:53 firebase.google.com udp
US 8.8.8.8:53 www.flotcharts.org udp
US 8.8.8.8:53 firebase.google.com udp
US 8.8.8.8:53 www.flotcharts.org udp
US 8.8.8.8:53 www.freetype.org udp
US 8.8.8.8:53 netlib.org udp
US 8.8.8.8:53 fuchsia.googlesource.com udp
US 8.8.8.8:53 www.freetype.org udp
US 8.8.8.8:53 www.freetype.org udp
US 8.8.8.8:53 fuchsia.googlesource.com udp
US 8.8.8.8:53 fusejs.io udp
US 8.8.8.8:53 fuchsia.googlesource.com udp
US 8.8.8.8:53 fusejs.io udp
US 8.8.8.8:53 sourceware.org udp
US 8.8.8.8:53 www.gnu.org udp
US 8.8.8.8:53 www.gnu.org udp
US 8.8.8.8:53 sourceware.org udp
US 8.8.8.8:53 fusejs.io udp
US 8.8.8.8:53 www.gnu.org udp
US 8.8.8.8:53 sourceware.org udp
US 8.8.8.8:53 pki.goog udp
US 8.8.8.8:53 cloud.google.com udp
US 8.8.8.8:53 pki.goog udp
US 8.8.8.8:53 cloud.google.com udp
US 8.8.8.8:53 pki.goog udp
US 8.8.8.8:53 harfbuzz.org udp
US 8.8.8.8:53 cloud.google.com udp
US 8.8.8.8:53 hunspell.sourceforge.net udp
US 8.8.8.8:53 harfbuzz.org udp
US 8.8.8.8:53 bgoffice.sourceforge.net udp
US 8.8.8.8:53 www.ijg.org udp
US 8.8.8.8:53 harfbuzz.org udp
US 8.8.8.8:53 www.ijg.org udp
US 8.8.8.8:53 developer.mozilla.org udp
US 8.8.8.8:53 jinja.palletsprojects.com udp
US 8.8.8.8:53 www.ijg.org udp
US 8.8.8.8:53 mdn.prod.mdn.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 readthedocs.io udp
US 8.8.8.8:53 www.khronos.org udp
US 8.8.8.8:53 mdn.prod.mdn.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 readthedocs.io udp
US 8.8.8.8:53 www.khronos.org udp
US 8.8.8.8:53 registry.khronos.org udp
US 8.8.8.8:53 kotlinlang.org udp
US 8.8.8.8:53 www.khronos.org udp
US 8.8.8.8:53 registry.khronos.org udp
US 8.8.8.8:53 kotlinlang.org udp
US 8.8.8.8:53 brltty.app udp
US 8.8.8.8:53 kotlinlang.org udp
US 8.8.8.8:53 registry.khronos.org udp
US 8.8.8.8:53 brltty.app udp
US 8.8.8.8:53 libcxx.llvm.org udp
US 8.8.8.8:53 libcxxabi.llvm.org udp
US 8.8.8.8:53 brltty.app udp
US 8.8.8.8:53 gitlab.freedesktop.org udp
US 8.8.8.8:53 gitlab.freedesktop.org udp
US 8.8.8.8:53 gitlab.freedesktop.org udp
US 8.8.8.8:53 libevent.org udp
US 8.8.8.8:53 libevent.org udp
US 8.8.8.8:53 lists.llvm.org udp
US 8.8.8.8:53 lists.llvm.org udp
US 8.8.8.8:53 libevent.org udp
US 8.8.8.8:53 lists.llvm.org udp
US 8.8.8.8:53 lists.llvm.org udp
US 8.8.8.8:53 libpng.org udp
US 8.8.8.8:53 libpng.org udp
US 8.8.8.8:53 libpng.org udp
US 8.8.8.8:53 git.gnome.org udp
US 8.8.8.8:53 ocp-ingress.fastly.gnome.org udp
US 8.8.8.8:53 ocp-ingress.fastly.gnome.org udp
US 8.8.8.8:53 www.freedesktop.org udp
US 8.8.8.8:53 libusb.info udp
US 8.8.8.8:53 xmlsoft.org udp
US 8.8.8.8:53 annarchy.freedesktop.org udp
US 8.8.8.8:53 xmlsoft.org udp
US 8.8.8.8:53 annarchy.freedesktop.org udp
US 8.8.8.8:53 libusb.info udp
US 8.8.8.8:53 xmlsoft.org udp
US 8.8.8.8:53 lit.dev udp
US 8.8.8.8:53 libusb.info udp
US 8.8.8.8:53 reviews.llvm.org udp
US 8.8.8.8:53 lit.dev udp
US 8.8.8.8:53 www.7-zip.org udp
US 8.8.8.8:53 reviews.llvm.org udp
US 8.8.8.8:53 lit.dev udp
US 8.8.8.8:53 www.7-zip.org udp
US 8.8.8.8:53 reviews.llvm.org udp
US 8.8.8.8:53 www.7-zip.org udp
US 8.8.8.8:53 www.mesa3d.org udp
US 8.8.8.8:53 dxr.mozilla.org udp
US 8.8.8.8:53 searchfox.org udp
US 8.8.8.8:53 prod.refractr.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 searchfox.org udp
US 8.8.8.8:53 prod.refractr.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 searchfox.org udp
US 8.8.8.8:53 www.mozilla.org udp
US 8.8.8.8:53 cgit.freedesktop.org udp
US 8.8.8.8:53 cristal.univ-lille.fr udp
US 8.8.8.8:53 www.mozorg.moz.works udp
US 8.8.8.8:53 molly.freedesktop.org udp
US 8.8.8.8:53 proxy-inst.lifl.fr udp
US 8.8.8.8:53 www.mozorg.moz.works udp
US 8.8.8.8:53 www.openh264.org udp
US 8.8.8.8:53 proxy-inst.lifl.fr udp
US 8.8.8.8:53 gitlab.xiph.org udp
US 8.8.8.8:53 cisco.github.io udp
US 8.8.8.8:53 molly.freedesktop.org udp
US 8.8.8.8:53 cisco.github.io udp
US 8.8.8.8:53 pdfium.googlesource.com udp
US 8.8.8.8:53 pdfium.googlesource.com udp
US 8.8.8.8:53 gitlab.xiph.org udp
US 8.8.8.8:53 pdfium.googlesource.com udp
US 8.8.8.8:53 azillionmonkeys.com udp
US 8.8.8.8:53 bitbucket.org udp
US 8.8.8.8:53 bitbucket.org udp
US 8.8.8.8:53 gitlab.xiph.org udp
US 8.8.8.8:53 bitbucket.org udp
US 8.8.8.8:53 azillionmonkeys.com udp
US 8.8.8.8:53 www.polymer-project.org udp
US 8.8.8.8:53 ghs.google.com udp
US 8.8.8.8:53 polymer-library.polymer-project.org udp
US 8.8.8.8:53 ghs.google.com udp
US 8.8.8.8:53 pypi.org udp
US 8.8.8.8:53 quiche.googlesource.com udp
US 8.8.8.8:53 redux.js.org udp
US 8.8.8.8:53 pypi.org udp
US 8.8.8.8:53 quiche.googlesource.com udp
US 8.8.8.8:53 redux-docs.netlify.app udp
US 8.8.8.8:53 pypi.org udp
US 8.8.8.8:53 quiche.googlesource.com udp
US 8.8.8.8:53 redux-docs.netlify.app udp
US 8.8.8.8:53 opensource.perlig.de udp
US 8.8.8.8:53 sizzlejs.com udp
US 8.8.8.8:53 skia.org udp
US 8.8.8.8:53 sizzlejs.com udp
US 8.8.8.8:53 perlig.de udp
US 8.8.8.8:53 skia.org udp
US 8.8.8.8:53 sizzlejs.com udp
US 8.8.8.8:53 skia.org udp
US 8.8.8.8:53 perlig.de udp
US 8.8.8.8:53 google.github.io udp
US 8.8.8.8:53 www.pertinentdetail.org udp
US 8.8.8.8:53 google.github.io udp
US 8.8.8.8:53 sqlite.org udp
US 8.8.8.8:53 google.github.io udp
US 8.8.8.8:53 gpaas9.dc2.gandi.net udp
US 8.8.8.8:53 sqlite.org udp
US 8.8.8.8:53 gpaas9.dc2.gandi.net udp
US 8.8.8.8:53 www.strongtalk.org udp
US 8.8.8.8:53 sqlite.org udp
US 8.8.8.8:53 www.strongtalk.org udp
US 8.8.8.8:53 www.suitable.com udp
US 8.8.8.8:53 swiftshader.googlesource.com udp
US 8.8.8.8:53 www.strongtalk.org udp
US 8.8.8.8:53 www.suitable.com udp
US 8.8.8.8:53 swiftshader.googlesource.com udp
US 8.8.8.8:53 source.corp.google.com udp
US 8.8.8.8:53 www.suitable.com udp
US 8.8.8.8:53 swiftshader.googlesource.com udp
US 8.8.8.8:53 uberproxy.l.google.com udp
US 8.8.8.8:53 www.linux-usb.org udp
US 8.8.8.8:53 cldr.unicode.org udp
US 8.8.8.8:53 uberproxy.l.google.com udp
US 8.8.8.8:53 vhost.sourceforge.net udp
US 8.8.8.8:53 cldr.pages.dev udp
US 8.8.8.8:53 hg.mozilla.org udp
US 8.8.8.8:53 vhost.sourceforge.net udp
US 8.8.8.8:53 cldr.pages.dev udp
US 8.8.8.8:53 hg.public.mdc1.mozilla.com udp
US 8.8.8.8:53 git.linuxtv.org udp
US 8.8.8.8:53 hg.public.mdc1.mozilla.com udp
US 8.8.8.8:53 www.linuxtv.org udp
US 8.8.8.8:53 v8.dev udp
US 8.8.8.8:53 valgrind.org udp
US 8.8.8.8:53 www.linuxtv.org udp
US 8.8.8.8:53 v8.dev udp
US 8.8.8.8:53 webkit.org udp
US 8.8.8.8:53 v8.dev udp
US 8.8.8.8:53 www.webrtc.org udp
US 8.8.8.8:53 webkit.org udp
US 8.8.8.8:53 valgrind.org udp
US 8.8.8.8:53 webkit.org udp
US 8.8.8.8:53 opensource.apple.com udp
US 8.8.8.8:53 sourceforge.net udp
US 8.8.8.8:53 valgrind.org udp
US 8.8.8.8:53 tukaani.org udp
US 8.8.8.8:53 sourceforge.net udp
US 8.8.8.8:53 zlib.net udp
US 8.8.8.8:53 zlib.net udp
US 8.8.8.8:53 zlib.net udp
US 8.8.8.8:53 tukaani.org udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 ciscobinary.openh264.org udp
GB 88.221.134.155:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 142.250.178.14:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 142.250.178.14:443 redirector.gvt1.com udp
US 8.8.8.8:53 r1---sn-5oxmp55u-8pxe.gvt1.com udp
AT 144.208.213.44:443 r1---sn-5oxmp55u-8pxe.gvt1.com tcp
US 8.8.8.8:53 r1.sn-5oxmp55u-8pxe.gvt1.com udp
US 8.8.8.8:53 r1.sn-5oxmp55u-8pxe.gvt1.com udp
AT 144.208.213.44:443 r1.sn-5oxmp55u-8pxe.gvt1.com udp
US 8.8.8.8:53 firefox-settings-attachments.cdn.mozilla.net udp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp

Files

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.default-release\datareporting\glean\pending_pings\6026dbb0-e2f4-436d-9da0-59e7119d838a

MD5 785ad43c5a49459a9b869a70b931924f
SHA1 88052c38a9bbef5de5b5a93115bc55d135ffd6ab
SHA256 18336fbc871bcf5b745c620f04c1cacde43e261a29347883652c46f2b383a562
SHA512 159573e4def1d60cf1e30be2ee1a10bc5384c7a40b074c1661b29b3592d3298cf3b430c3cee22e5846fe7a65c062a6f131c8447a7de7a9db102e52584cd42604

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.default-release\datareporting\glean\pending_pings\9db2de9e-efea-4bb5-abd1-8c30dee23d05

MD5 27e7ec903b71b61a7f4265f02c487ba3
SHA1 3e37449543d77e44f5970f89f01a566ba0589dff
SHA256 84fd158c5bc739dd34f09820879f632282e7c265ad419591cac8e2caa56671d5
SHA512 dd2404fb2c92c22009f06ba8feca517006efdd7de4f604c9303840c2adfe894d46cf941978b748e3d1938f0f83e986ae87061af74dee8432c122cf2a79608cbf

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.default-release\datareporting\glean\db\data.safe.bin

MD5 4b57e4591688fc4bb325d4d10d1504b5
SHA1 f5340cf5f52bdff1aaf46936421661f6f57b026a
SHA256 9bafd61bc8d3539dc79f4e87cefa4270eda470c03c1a913de9f85a47a80883a1
SHA512 76b9a8618d08f9013d2de74fce696543673862f70c46ad58584ebfe912f4978227ba2804edfd67f2c17537ea6937493cf9d808a07746ac59965f615cb88fcafb

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\o97f221x.default-release\activity-stream.discovery_stream.json.tmp

MD5 39067d086916d30296dc6d7cb9284e18
SHA1 010e49fc3e1eed5858f6bdb7cc08e40a1831697d
SHA256 5038312292f96953da0f3937e799dd935212952d916319a6e8df47bf6e940583
SHA512 17bcb225c3e9b3f838e55551a9e8756777691dd23b2a25e68100c48e244cc49fae80723bbfdffdbeafd4168a01ca6a0e1e392b697c2b19fb1e80b58e8505c6a8

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.default-release\prefs-1.js

MD5 8582978afe8f8bc56cb42cf44a2b6bd4
SHA1 7d2fd7cdaea771aff448b27a3d2c032e9f5967a7
SHA256 748361011b5f2afcc5221b9e3569946c361bcb242e93ea0590d01e0a1d719266
SHA512 3469cda0e253e7006de006370592af801504f958b2bf8afd817aa5c82b8ef9f19e37a2f56dd1cd25a5a2e4dfbcfff17320d719c64e68107d5257cd31378d7f6d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.default-release\sessionstore-backups\recovery.jsonlz4

MD5 cf0dee9090c2e9cc8d03a24bb7b61044
SHA1 c96b5059eca5a715f656127a5d0a2bff7de7dcc6
SHA256 643b8208914de7146b196789fc33852ede7fd1790b629cb7d19f8c04284e1fb7
SHA512 067d427148de9c79dc777aa8897bf5a320e92366b15972e61877689ac9956d7a1bb10b884258b2b98e35f44048d2722243059333145c0a38a44ad29343fa6fb4

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.default-release\prefs-1.js

MD5 9193a96039abc1a3c1e6784a1f6dc57f
SHA1 8e1516b0f93b0eea5bc5a3325872f7c7f8f9f7e4
SHA256 251d912f20dfbe45cf187204aeb43df919809d1db3878a80242926d213cc080c
SHA512 296ef4b3fe1452d07727d56a82a77e44f29e942eff453fe84fe9483a821b9d4379e12e1bcc7d7642833cc6309746eaf2912590c6dd815b069c759dbcf98d05ea

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 85430baed3398695717b0263807cf97c
SHA1 fffbee923cea216f50fce5d54219a188a5100f41
SHA256 a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA512 06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

MD5 fe3355639648c417e8307c6d051e3e37
SHA1 f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA256 1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA512 8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

MD5 3d33cdc0b3d281e67dd52e14435dd04f
SHA1 4db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256 f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512 a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\o97f221x.default-release\cache2\entries\22386449CA13D8975B935875780066C6EF52CE37

MD5 3a5bc078368893d99a75e8604e795b76
SHA1 55e0c545d262e72d52dbd7fd207d89551a4b8855
SHA256 392e9017b101ea5c8a7c0ae0504b979e10b4cc4f3a83225e5f7942bf0450f2ad
SHA512 a9f04c316bfff5db2e5657a5a04045faa8943ffffe1beaa2f62c43312a580ce0f70c4b020d69c8bf08571ed9b62be4a8f9aa6b3e2dbf44e728c0fd3ce6a249b2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.default-release\prefs-1.js

MD5 4d39be5941ae61d2be7d64cd4f466f32
SHA1 f5b52b9027e0fc8abff7968c4020591267229c22
SHA256 b1be273bbcb64c00c9eef618d76d0dfe1797a66b4d491d8ae6b8cc8990c1b902
SHA512 06ee39a2d2fcbcaa6a05e67c294002b3fed07938449554ffdbf2a315b692620f7977a1db4ebb286b66a6745addf1fa22c75b77847fcb83295de4a7b8cc386af6

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\o97f221x.default-release\cache2\entries\F8CBD54DDA10F4286A41EC6A537240712D6C2308

MD5 7fb24694efd1773f8674a3987c3ee334
SHA1 2046214d60c87b8f9f700773abe251403ecc6d34
SHA256 114e05ecd9318dcd961f8f7364d1297ce240da091d765392b6ce5ed5d69e74ae
SHA512 2ab02e80e709bb4dea9cba455bf214d12a1469a2194256c0e62b773bf1285db2865e6d2c1c0da17d2c67ed90f02b72642ad33ae2f199d244aa750305e9907979

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.default-release\sessionstore-backups\recovery.jsonlz4

MD5 0fef2ccfdbb5853b3844b402f6396a64
SHA1 8b815912bf12e274070a35935f088367170f32ca
SHA256 f4dba43ca64daed4f66002377ff78b9ed89e7a8150615f9d81aa45372506e807
SHA512 a0044e4aafe4d0b685f52fa595607f22a2ef7a6d058984ebcda6dbc5238033f374690059a99ba728418927911440338de7f72908f6b30c7d7c5fa501e22d35b5

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 a01c5ecd6108350ae23d2cddf0e77c17
SHA1 c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256 345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512 b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

MD5 8be33af717bb1b67fbd61c3f4b807e9e
SHA1 7cf17656d174d951957ff36810e874a134dd49e0
SHA256 e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA512 6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

MD5 49ddb419d96dceb9069018535fb2e2fc
SHA1 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA256 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA512 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

MD5 937326fead5fd401f6cca9118bd9ade9
SHA1 4526a57d4ae14ed29b37632c72aef3c408189d91
SHA256 68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512 b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

MD5 688bed3676d2104e7f17ae1cd2c59404
SHA1 952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA256 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA512 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

MD5 33bf7b0439480effb9fb212efce87b13
SHA1 cee50f2745edc6dc291887b6075ca64d716f495a
SHA256 8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512 d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 002db66f446c9b7e7a8d8c476a8bbb8c
SHA1 4b9c1d0fbbba504c282308418471170ed670e88e
SHA256 2e291b21010f2feb9cb5a4d0e3f89c7b6fa9b4849b9ae3879314080ab7dafd3d
SHA512 8a89d3ca6e4eb4c83808ef4415b3bab0030a68d155530ccd3d7122a9447c99896bedc175f6b42f54676ebec9e4589febff44f458abbabfe0a52a9744a9c81e00

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.default-release\prefs-1.js

MD5 ef3feb143890e2aba71f625159affe4b
SHA1 aa3ef280b56c781ce15dab91d9c08196aff06ebb
SHA256 caf04b00c1a928ae5c95fb1f14d769b6054008d2c8185ae948a31f63ce80c70f
SHA512 16b7f191da8275deb40bf0d4393bba4e4c29a13807c1f56a543507408bdbd1ffe564a24f6f324c567113846771b9d6b30c682312c6299340b67ae63c5ea245a1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.default-release\broadcast-listeners.json

MD5 a98adaa87f7a685d763056f62c912f25
SHA1 4ae2276f8a24d3c9a548f172c457dc13b6587541
SHA256 d5ec427912ef64d736c2e1b45e5aafd435e533caba045eebc7be8a8049fbc430
SHA512 abd54aa204034f011045f2cf2205a1498b063bd7fafd953675d328de938de759963ccab59122a54485af6ed3b77952eb7c426c65967c89a731b6e98feddc348f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.default-release\sessionCheckpoints.json

MD5 c4ab2ee59ca41b6d6a6ea911f35bdc00
SHA1 5942cd6505fc8a9daba403b082067e1cdefdfbc4
SHA256 00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2
SHA512 71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.default-release\targeting.snapshot.json

MD5 b957568ab8169d03a477dc5ce99bd5f5
SHA1 bfd0c99c1ecc3f04ca686dbf0d9dcd094b858d16
SHA256 8f5e55a214462aa3b51268819abca9fc0d98f47c4a2440c59dcc1277b84d2c56
SHA512 098ad2c2bf7ab63557de1b43c54af448616e6d6d3e9fb891dc1e3c808b95413cabbf3e203264e5288efa340d843c4981907a5d625f6349bcb03a50e17d94cb4f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.default-release\bookmarkbackups\bookmarks-2024-09-22_11_JQcC4sfBNmv2Tr5WUD8P6g==.jsonlz4

MD5 c0b5b3ec984df12a18ec7dae769eb631
SHA1 2a03310190be5e1da31f5400a9994296aaae790b
SHA256 b3f23595c219b38e59ac956c6f9e465a505dbddc13ecded283d0d4b34dadec95
SHA512 0cf7849ec9d5fd64e0c03bde88f5ccb831facfea0abd90ca2feed4255a246e9154d98c1f3c8cae5d200161747af98dc00e325aa6c3b376a360ec63a953dc1620

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

MD5 0c4db7c61f0c4e8898044ab9b1ed63ba
SHA1 29172b54adf5093c121db275e313589e3acb5a02
SHA256 f51a0081ebbdc04a0a0a4516a83883fce92e367ed8a0b4b30675bfa479c0acf4
SHA512 d1c4e18e4662fe99671b7f919ed102ecef030f6cc541086f9d8f8b5074cdf5f253104a6d14f6744985ebe5a9f70e25f65eab0ac372d0a6f88b307c90055758f5

Analysis: behavioral18

Detonation Overview

Submitted

2024-09-22 11:13

Reported

2024-09-22 11:23

Platform

win7-20240903-en

Max time kernel

120s

Max time network

130s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libEGL.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libEGL.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-09-22 11:13

Reported

2024-09-22 11:23

Platform

win10v2004-20240802-en

Max time kernel

89s

Max time network

192s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libGLESv2.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libGLESv2.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 35.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-22 11:13

Reported

2024-09-22 11:23

Platform

win10v2004-20240802-en

Max time kernel

148s

Max time network

301s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe"

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe

"C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 213.143.182.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nskA019.tmp\System.dll

MD5 0d7ad4f45dc6f5aa87f606d0331c6901
SHA1 48df0911f0484cbe2a8cdd5362140b63c41ee457
SHA256 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
SHA512 c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

C:\Users\Admin\AppData\Local\Temp\nskA019.tmp\UAC.dll

MD5 adb29e6b186daa765dc750128649b63d
SHA1 160cbdc4cb0ac2c142d361df138c537aa7e708c9
SHA256 2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08
SHA512 b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

C:\Users\Admin\AppData\Local\Temp\nskA019.tmp\StdUtils.dll

MD5 c6a6e03f77c313b267498515488c5740
SHA1 3d49fc2784b9450962ed6b82b46e9c3c957d7c15
SHA256 b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e
SHA512 9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

Analysis: behavioral6

Detonation Overview

Submitted

2024-09-22 11:13

Reported

2024-09-22 11:23

Platform

win10v2004-20240802-en

Max time kernel

300s

Max time network

204s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3976 wrote to memory of 3876 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3976 wrote to memory of 3876 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3976 wrote to memory of 3876 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3876 -ip 3876

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3876 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 233.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp
N/A 20.42.65.91:443 tcp

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-09-22 11:13

Reported

2024-09-22 11:23

Platform

win7-20240708-en

Max time kernel

121s

Max time network

128s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libGLESv2.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2028 wrote to memory of 592 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2028 wrote to memory of 592 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2028 wrote to memory of 592 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libGLESv2.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2028 -s 88

Network

N/A

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-09-22 11:13

Reported

2024-09-22 11:23

Platform

win7-20240708-en

Max time kernel

120s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\vulkan-1.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2372 wrote to memory of 2160 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2372 wrote to memory of 2160 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2372 wrote to memory of 2160 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\vulkan-1.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2372 -s 88

Network

N/A

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-09-22 11:13

Reported

2024-09-22 11:23

Platform

win10v2004-20240802-en

Max time kernel

148s

Max time network

302s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1868 wrote to memory of 832 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1868 wrote to memory of 832 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1868 wrote to memory of 832 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 832 -ip 832

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 832 -s 636

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 66.229.138.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-09-22 11:13

Reported

2024-09-22 11:23

Platform

win7-20240903-en

Max time kernel

122s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1344 -s 224

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-09-22 11:13

Reported

2024-09-22 11:23

Platform

win10v2004-20240802-en

Max time kernel

148s

Max time network

310s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2312 wrote to memory of 1180 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2312 wrote to memory of 1180 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2312 wrote to memory of 1180 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 1180 -ip 1180

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1180 -s 624

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 35.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 31.73.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-09-22 11:13

Reported

2024-09-22 11:23

Platform

win10v2004-20240802-en

Max time kernel

90s

Max time network

206s

Command Line

"C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe

"C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 233.143.123.92.in-addr.arpa udp

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-09-22 11:13

Reported

2024-09-22 11:23

Platform

win10v2004-20240802-en

Max time kernel

90s

Max time network

209s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\vulkan-1.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\vulkan-1.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 233.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-09-22 11:13

Reported

2024-09-22 11:23

Platform

win7-20240704-en

Max time kernel

119s

Max time network

130s

Command Line

"C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe

"C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe"

Network

N/A

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-09-22 11:13

Reported

2024-09-22 11:23

Platform

win7-20240903-en

Max time kernel

122s

Max time network

130s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\vk_swiftshader.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2196 wrote to memory of 2720 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2196 wrote to memory of 2720 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2196 wrote to memory of 2720 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\vk_swiftshader.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2196 -s 80

Network

N/A

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-09-22 11:13

Reported

2024-09-22 11:23

Platform

win10v2004-20240802-en

Max time kernel

77s

Max time network

306s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\ultimate-tweaks-updater\pending\Ultimate-Tweaks-Setup-1.0.2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\ultimate-tweaks-updater\pending\Ultimate-Tweaks-Setup-1.0.2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\ultimate-tweaks-updater\pending\Ultimate-Tweaks-Setup-1.0.2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\ultimate-tweaks-updater\pending\Ultimate-Tweaks-Setup-1.0.2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\ultimate-tweaks-updater\pending\Ultimate-Tweaks-Setup-1.0.2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\ultimate-tweaks-updater\pending\Ultimate-Tweaks-Setup-1.0.2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\ultimate-tweaks-updater\pending\Ultimate-Tweaks-Setup-1.0.2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\ultimate-tweaks-updater\pending\Ultimate-Tweaks-Setup-1.0.2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\ultimate-tweaks-updater\pending\Ultimate-Tweaks-Setup-1.0.2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe N/A

Checks installed software on the system

discovery

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\ultimate-tweaks-updater\pending\Ultimate-Tweaks-Setup-1.0.2.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2 C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2 C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\ultimate-tweaks-updater\pending\Ultimate-Tweaks-Setup-1.0.2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\ultimate-tweaks-updater\pending\Ultimate-Tweaks-Setup-1.0.2.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4936 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
PID 4936 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
PID 4936 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
PID 4936 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
PID 4936 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
PID 4936 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
PID 4936 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
PID 4936 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
PID 4936 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
PID 4936 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
PID 4936 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
PID 4936 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
PID 4936 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
PID 4936 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
PID 4936 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
PID 4936 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
PID 4936 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
PID 4936 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
PID 4936 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
PID 4936 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
PID 4936 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
PID 4936 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
PID 4936 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
PID 4936 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
PID 4936 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
PID 4936 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
PID 4936 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
PID 4936 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
PID 4936 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
PID 4936 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
PID 4936 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
PID 4936 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
PID 4936 wrote to memory of 5028 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
PID 4936 wrote to memory of 5028 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe
PID 5028 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Windows\system32\cmd.exe
PID 5028 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Windows\system32\cmd.exe
PID 2448 wrote to memory of 3160 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2448 wrote to memory of 3160 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 5028 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5028 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5028 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5028 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5028 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5028 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5028 wrote to memory of 3672 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5028 wrote to memory of 3672 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5028 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5028 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5028 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5028 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5028 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5028 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5028 wrote to memory of 1880 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5028 wrote to memory of 1880 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5028 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5028 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5028 wrote to memory of 3640 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5028 wrote to memory of 3640 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5028 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5028 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5028 wrote to memory of 4124 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5028 wrote to memory of 4124 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5028 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5028 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe

"C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe"

C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe

"C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Ultimate Tweaks" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1700 --field-trial-handle=1704,i,4163772060346678251,18004069619306332356,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:2

C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe

"C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Ultimate Tweaks" --mojo-platform-channel-handle=2068 --field-trial-handle=1704,i,4163772060346678251,18004069619306332356,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:3

C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe

"C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Ultimate Tweaks" --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2404 --field-trial-handle=1704,i,4163772060346678251,18004069619306332356,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "chcp"

C:\Windows\system32\chcp.com

chcp

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Users\Admin\AppData\Local\ultimate-tweaks-updater\pending\Ultimate-Tweaks-Setup-1.0.2.exe

C:\Users\Admin\AppData\Local\ultimate-tweaks-updater\pending\Ultimate-Tweaks-Setup-1.0.2.exe --updated /S --force-run

C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe

"C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe" --updated

C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe

"C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Ultimate Tweaks" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1744 --field-trial-handle=1748,i,5187955094878870905,6876468273860451291,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:2

C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe

"C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Ultimate Tweaks" --mojo-platform-channel-handle=2152 --field-trial-handle=1748,i,5187955094878870905,6876468273860451291,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:3

C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe

"C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Ultimate Tweaks" --app-path="C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\resources\app.asar" --no-sandbox --no-zygote --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2436 --field-trial-handle=1748,i,5187955094878870905,6876468273860451291,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "chcp"

C:\Windows\system32\chcp.com

chcp

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe

"C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Ultimate Tweaks" --app-path="C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3636 --field-trial-handle=1748,i,5187955094878870905,6876468273860451291,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe

"C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Ultimate Tweaks" --app-path="C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3560 --field-trial-handle=1748,i,5187955094878870905,6876468273860451291,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:1

C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe

"C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Ultimate Tweaks" --app-path="C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3544 --field-trial-handle=1748,i,5187955094878870905,6876468273860451291,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe

"C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\Ultimate Tweaks.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\Ultimate Tweaks" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAABEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=3036 --field-trial-handle=1748,i,5187955094878870905,6876468273860451291,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:8

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

Network

Country Destination Domain Proto
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 0.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 cdnjs.cloudflare.com udp
US 8.8.8.8:53 cdnjs.cloudflare.com udp
US 104.17.25.14:443 cdnjs.cloudflare.com udp
US 104.17.25.14:443 cdnjs.cloudflare.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 14.25.17.104.in-addr.arpa udp
US 8.8.8.8:53 42.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 35.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.111.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:443 dns.google tcp
US 8.8.4.4:443 dns.google tcp
US 8.8.4.4:443 dns.google tcp
US 8.8.8.8:53 4.4.8.8.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 226.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.109.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 googleads.g.doubleclick.net udp
US 8.8.8.8:53 googleads.g.doubleclick.net udp
GB 142.250.178.2:443 googleads.g.doubleclick.net udp
GB 142.250.178.2:443 googleads.g.doubleclick.net tcp
GB 142.250.178.2:443 googleads.g.doubleclick.net tcp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.4.4:443 dns.google udp
US 8.8.4.4:443 dns.google tcp
US 8.8.4.4:443 dns.google tcp
US 8.8.8.8:443 dns.google tcp
US 8.8.8.8:53 133.109.199.185.in-addr.arpa udp
US 8.8.8.8:53 2.178.250.142.in-addr.arpa udp
PL 142.250.203.193:443 tcp
US 8.8.8.8:53 193.203.250.142.in-addr.arpa udp
PL 142.250.203.193:443 udp
PL 142.250.203.132:443 udp
PL 142.250.203.132:443 tcp
US 8.8.8.8:53 132.203.250.142.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ie54expa.srg.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1904-73-0x000002DAF85E0000-0x000002DAF8602000-memory.dmp

memory/4396-87-0x000001F3FFC60000-0x000001F3FFCA4000-memory.dmp

memory/4396-88-0x000001F3FFD30000-0x000001F3FFDA6000-memory.dmp

memory/1904-93-0x000002DAF8B40000-0x000002DAF8B6A000-memory.dmp

memory/1904-94-0x000002DAF8B40000-0x000002DAF8B64000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 5c3cc3c6ae2c1e0b92b502859ce79d0c
SHA1 bde46d0f91ad780ce5cba924f8d9f4c175c5b83d
SHA256 5a48860ad5bdf15d7a241aa16124163ec48adc0f0af758e43561ac07e4f163b2
SHA512 269b79931df92c30741c9a42a013cb24935887272ed8077653f0b6525793da52c5004c70329d8e0e7b2776fc1aba6e32da5dadf237ae42f7398fdf35a930663e

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 28c65370f12e84b734af87ad491ea257
SHA1 402d3a8203115f1365d48fa72daf0a56e14d8a08
SHA256 4ea873fb3d77a2f8eefae82c943f621f16723516e181bde133568f8f0c91290c
SHA512 56eb34162b0a39da4aaf66aad35ef355a7709982b5060792e3b4849c36650725176e927815537ec58e7ddf0fb1763066b203d6b7f9d1b3dd2c8bc091c0c850cc

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 a5a1b31e397f430cb02cf453dfce8683
SHA1 f48cf81689101c975afa31b198ab4881eddf175f
SHA256 9984ba6d46e89df8c5368627ae7b74c8500b4b5bf13333b3a07879114af9d766
SHA512 6fdde225377b54034d6630b85deac9d4e8ac864a6dbf8e2987a1b1a1073ad7f1951bb4dd20f0cd979e837fc89bb5c5ba3c7d5240ee4c3d6cb7215b77f223e217

C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Preferences

MD5 58127c59cb9e1da127904c341d15372b
SHA1 62445484661d8036ce9788baeaba31d204e9a5fc
SHA256 be4b8924ab38e8acf350e6e3b9f1f63a1a94952d8002759acd6946c4d5d0b5de
SHA512 8d1815b277a93ad590ff79b6f52c576cf920c38c4353c24193f707d66884c942f39ff3989530055d2fade540ade243b41b6eb03cd0cc361c3b5d514cca28b50a

C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Preferences~RFe57ff11.TMP

MD5 d11dedf80b85d8d9be3fec6bb292f64b
SHA1 aab8783454819cd66ddf7871e887abdba138aef3
SHA256 8029940de92ae596278912bbbd6387d65f4e849d3c136287a1233f525d189c67
SHA512 6b7ec1ca5189124e0d136f561ca7f12a4653633e2d9452d290e658dfe545acf6600cc9496794757a43f95c91705e9549ef681d4cc9e035738b03a18bdc2e25f0

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 52cf61a9bb0d93f700229e25917abeab
SHA1 3d65feda1cc831deedcfbb4f0e0c419334074c78
SHA256 467b2f924bb4a941aff22c0237845b2c3634883afaccd3f7a26ae5be1c9b2011
SHA512 5053b8196d794e02eceed5145a565ce5c800b56f7e522fa1a8a2781b5308ceec9f84e0179957797676d36bad7adf4270e78079f97d3bae549486a920f0ba0a33

memory/1372-186-0x000001CA70750000-0x000001CA70798000-memory.dmp

memory/4572-190-0x000002366A530000-0x000002366A578000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 6c7d4ef75182eef3d7e16a08f3923e90
SHA1 7221407d0f4f750badb78db1c809dff40fbf1aec
SHA256 b7c81efa60b8b53b856a64f1559b3b321a34a63b7092292f2f5b2edd14cd95bb
SHA512 f9dd85517e38a492905ef8043290e50283887a8a1158ae850534560b2460bfdacf5ec861b0e28842da6403299ed4c9cb61fe3b63255bc7b0a28ad933a672adda

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 69e22225031fc5de2b61c687c5ac3ff4
SHA1 6ea095b9bee851360fa52e66fd355b71b81e3316
SHA256 bc1330e459b7cb8d67348360e2d10acb924b2c61610f0abdaea5e93f5e1a5f6f
SHA512 71ac77c2f757dc60adeb625338dfe750c19c1605abd70ccd719f78844798e895cf00ff32a6e60d449e2bb21321ada2cd411ab3b54dfb264a562fdacbb9813f97

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 dbcc5931119265f81da4cbe935fed23e
SHA1 2fde7154a30dfe860e530e448a1b874fa637f54e
SHA256 c2a8768d7f86101f819839efb11bfdfd3ba926c86bdf69f722abd2389d0c241f
SHA512 a2cff95c0142f602c780029a37a8f397143ed127878756583a53bdebd09f69b53b6b9ea173bac1167501cce3469cb66cb7a08c8a9e683cca3e3924771b64adba

C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\logs\main.log

MD5 5f572c5fe5de8d5bf2830bb5b4efdb3b
SHA1 72fcc4fcca850b65412dbbad31418f5b3ff8e505
SHA256 bd76edc49bb99e93f0117b0da130a624ddfbe148b84efb782545598fdd56b96e
SHA512 c8edf57b7faaa8abc4d1cf476e44c57104dd00cf53927eb790251e75fafa7af28e175a160f35d59b82b346a31944563e0806092a78e0d1c5bc3625266e49460e

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 226d1d095ab536821b3eefbcb1917a5f
SHA1 bb11271bdd1dd72ba354e7f3b4e49a46e3a7b0eb
SHA256 dbd5726584b89405d7aa8a62c5b5185e9dfd188e34d667cab6e571246dd20bc6
SHA512 94329c05c47e599b3a34b2e82dd810d73fe8379e607d002ee6861595a7c1d995b9aa77fd91a01352d39b219cd0f27262156b63674cbf159df1723bd00492364b

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 63623648d7e06c651f88de5a432dc377
SHA1 d96ad320cdee769c5d70112fac9c4ccce8bb1007
SHA256 bdd34b2db04c9c5037d46cc366557256235e12b28c0134733624564fba65a848
SHA512 166b3aec9ac364eeaa69ac25d93f018d16866349cf5ea1374aae3641621fc251ea3e1829b684962fb0182f689e30188a18a644290cb231248621e8dd511144e4

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 503fd450544748dca3522886a2c89e54
SHA1 254be2b970ba926e12de2518caf50bdb36567add
SHA256 da4d4a955f643af10c310a471a6bc37c098d9d9d77fb9045d9ba32d9a6bba932
SHA512 4dcc7412e0a55f8b521d4897819acf4175fc69eaed2425107c3b3a7aa6373e2cec1b1732164469d90f9fcba190c365c3ab1e767b19aa4035d9deae9f1437a334

C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Session Storage\MANIFEST-000001

MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\DawnCache\data_3

MD5 41876349cb12d6db992f1309f22df3f0
SHA1 5cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256 e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512 e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Session Storage\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\DawnCache\data_0

MD5 cf89d16bb9107c631daabf0c0ee58efb
SHA1 3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b
SHA256 d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e
SHA512 8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\DawnCache\data_2

MD5 0962291d6d367570bee5454721c17e11
SHA1 59d10a893ef321a706a9255176761366115bedcb
SHA256 ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512 f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Network\Network Persistent State

MD5 91a01b44439a757883d0d22a10677b95
SHA1 1307586d7f818aea82699b41b03e824b6d5d5cd3
SHA256 2263d4f467a687036f340e36924af0f2908941f2ea6991f6b106dcde08268c70
SHA512 6b7880978e3bf659f5e78e2299623b29b7915aaaccb7f604da4b966d0baf2a9132c2e1048ab24ca7bd4b8335d114b3ba23e03158f8f9683a274397188a8bca38

C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Network\Network Persistent State~RFe587421.TMP

MD5 2800881c775077e1c4b6e06bf4676de4
SHA1 2873631068c8b3b9495638c865915be822442c8b
SHA256 226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974
SHA512 e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

C:\Users\Admin\AppData\Local\Temp\nsp7636.tmp\System.dll

MD5 0d7ad4f45dc6f5aa87f606d0331c6901
SHA1 48df0911f0484cbe2a8cdd5362140b63c41ee457
SHA256 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
SHA512 c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

C:\Users\Admin\AppData\Local\Temp\nsp7636.tmp\UAC.dll

MD5 adb29e6b186daa765dc750128649b63d
SHA1 160cbdc4cb0ac2c142d361df138c537aa7e708c9
SHA256 2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08
SHA512 b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

C:\Users\Admin\AppData\Local\Temp\nsp7636.tmp\StdUtils.dll

MD5 c6a6e03f77c313b267498515488c5740
SHA1 3d49fc2784b9450962ed6b82b46e9c3c957d7c15
SHA256 b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e
SHA512 9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

C:\Users\Admin\AppData\Local\Temp\nsp7636.tmp\nsExec.dll

MD5 ec0504e6b8a11d5aad43b296beeb84b2
SHA1 91b5ce085130c8c7194d66b2439ec9e1c206497c
SHA256 5d9ceb1ce5f35aea5f9e5a0c0edeeec04dfefe0c77890c80c70e98209b58b962
SHA512 3f918f1b47e8a919cbe51eb17dc30acc8cfc18e743a1bae5b787d0db7d26038dc1210be98bf5ba3be8d6ed896dbbd7ac3d13e66454a98b2a38c7e69dad30bb57

C:\Users\Admin\AppData\Local\Temp\nsp7636.tmp\nsis7z.dll

MD5 80e44ce4895304c6a3a831310fbf8cd0
SHA1 36bd49ae21c460be5753a904b4501f1abca53508
SHA256 b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592
SHA512 c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

C:\Users\Admin\AppData\Local\Programs\Ultimate Tweaks\chrome_100_percent.pak

MD5 b1bccf31fa5710207026d373edd96161
SHA1 ae7bb0c083aea838df1d78d61b54fb76c9a1182e
SHA256 49aff5690cb9b0f54f831351aa0f64416ba180a0c4891a859fa7294e81e9c8e3
SHA512 134a13ad86f8bd20a1d2350236269fd39c306389a600556a82025d5e0d5adaab0709d59e9b7ee96e8e2d25b6df49fefea27cdccefe5fba9687abf92a9a941d91

C:\Users\Admin\AppData\Local\Temp\nsp7636.tmp\7z-out\ffmpeg.dll

MD5 bf09deeeb497aeddaf6194e695776b8b
SHA1 e7d8719d6d0664b8746581b88eb03a486f588844
SHA256 450d5e6a11dc31dc6e1a7af472cd08b7e7a78976b1f0aa1c62055a0a720f5080
SHA512 38d3cac922634df85ddfd8d070b38cf4973bba8f37d3246453377f30165cc4377b4e67c4e0bca0ffe3c3fa0e024b23a31ec009e16d0ab3042593b5a6e164669f

C:\Users\Admin\AppData\Local\Temp\nsp7636.tmp\7z-out\d3dcompiler_47.dll

MD5 2191e768cc2e19009dad20dc999135a3
SHA1 f49a46ba0e954e657aaed1c9019a53d194272b6a
SHA256 7353f25dc5cf84d09894e3e0461cef0e56799adbc617fce37620ca67240b547d
SHA512 5adcb00162f284c16ec78016d301fc11559dd0a781ffbeff822db22efbed168b11d7e5586ea82388e9503b0c7d3740cf2a08e243877f5319202491c8a641c970

C:\Users\Admin\AppData\Local\Temp\nsp7636.tmp\7z-out\chrome_200_percent.pak

MD5 e02160c24b8077b36ff06dc05a9df057
SHA1 fc722e071ce9caf52ad9a463c90fc2319aa6c790
SHA256 4d5b51f720f7d3146e131c54a6f75e4e826c61b2ff15c8955f6d6dd15bedf106
SHA512 1bf873b89b571974537b685cdb739f8ed148f710f6f24f0f362f8b6bb605996fcfec1501411f2cb2df374d5fdaf6e2daaada8cea68051e3c10a67030ea25929e

C:\Users\Admin\AppData\Local\Temp\nsp7636.tmp\7z-out\icudtl.dat

MD5 e0f1ad85c0933ecce2e003a2c59ae726
SHA1 a8539fc5a233558edfa264a34f7af6187c3f0d4f
SHA256 f5170aa2b388d23bebf98784dd488a9bcb741470384a6a9a8d7a2638d768defb
SHA512 714ed5ae44dfa4812081b8de42401197c235a4fa05206597f4c7b4170dd37e8360cc75d176399b735c9aec200f5b7d5c81c07b9ab58cbca8dc08861c6814fb28

C:\Users\Admin\AppData\Local\Temp\nsp7636.tmp\7z-out\libEGL.dll

MD5 3a5cbf0ce848ec30a2f8fe1760564515
SHA1 31bf9312cd1beaedaa91766e5cde13406d6ea219
SHA256 afef052c621f72ba986d917a9e090d23a13f4ab6bc09f158eeb73fd671b94219
SHA512 bd5713e1d22145b4cc52f4e46b464f443aad6f783a5793268e7d9dca969f27b70e706eecd54cb01be1c94256e6a95864c6b7e50027cef7fa870cdb16820ad602

C:\Users\Admin\AppData\Local\Temp\nsp7636.tmp\7z-out\libGLESv2.dll

MD5 c783045e4b7f00c847678d43a77367f7
SHA1 7f9192ce0b23ac93561aeec9d9c38daa3136c146
SHA256 3a39137dcee6cb6663ae9cca424b6b05cf56c0ad7e32fb72cb94549ea9dbcae8
SHA512 64e6d4fc84f1217ceef05a22ad63a6618ffdc470b1faf4ad9e2d7bab59e9285527b9c5fd7ea4be673a08b9466434e3c098e839bf6955597e3d8aa0e80589f4a3

C:\Users\Admin\AppData\Local\Temp\nsp7636.tmp\7z-out\LICENSE.electron.txt

MD5 4d42118d35941e0f664dddbd83f633c5
SHA1 2b21ec5f20fe961d15f2b58efb1368e66d202e5c
SHA256 5154e165bd6c2cc0cfbcd8916498c7abab0497923bafcd5cb07673fe8480087d
SHA512 3ffbba2e4cd689f362378f6b0f6060571f57e228d3755bdd308283be6cbbef8c2e84beb5fcf73e0c3c81cd944d01ee3fcf141733c4d8b3b0162e543e0b9f3e63

C:\Users\Admin\AppData\Local\Temp\nsp7636.tmp\7z-out\LICENSES.chromium.html

MD5 bd0ced1bc275f592b03bafac4b301a93
SHA1 68776b7d9139588c71fbc51fe15243c9835acb67
SHA256 ad35e72893910d6f6ed20f4916457417af05b94ab5204c435c35f66a058d156b
SHA512 5052ae32dae0705cc29ea170bcc5210b48e4af91d4ecec380cb4a57ce1c56bc1d834fc2d96e2a0f5f640fcac8cafe4a4fdd0542f26ca430d76aa8b9212ba77aa

C:\Users\Admin\AppData\Local\Temp\nsp7636.tmp\7z-out\snapshot_blob.bin

MD5 cadef56f5fb216b1fbf7ada1f894ea6d
SHA1 373d2a4266be5c8fbf61d4363ec47ddeb2d79253
SHA256 0976145cc8c02f3e64ddbf51dc983bdbb456be7fcf3ce54608e218981671ac12
SHA512 9c90e8943f9ef6d644fe0fbe55ab25ed371739d17da8cf973893a2e41ebfa0a92bcf1761e72da032f9f3d1c6f1080c62f856aa07a3cbb609c9e8c186f92216b6

C:\Users\Admin\AppData\Local\Temp\nsp7636.tmp\7z-out\resources.pak

MD5 67bb5e75ceb8ced4c98cf0454933cb45
SHA1 c2b1c8c8d753318bc5ec18762c27512a5eb9f9cd
SHA256 5d63acd4034f7771ca346d138d7478014abf1f3f4386d07fc025dbc2c2bc0bff
SHA512 fd213d59ebc625f6f8b20cc8fde1a22132ce827b81deaddb9ca7993fe0d9616de17e089def338d23c4b6bbd7d3a931ee73aa329325eaa17f8145a58fe11d8c38

C:\Users\Admin\AppData\Local\Temp\nsp7636.tmp\7z-out\v8_context_snapshot.bin

MD5 81870fb2f641c8b845e9c6d1a632f0b7
SHA1 fcd47d8d1232c189a1c4087bb03a015ce14c25ba
SHA256 875515af4e7254458c17a98bed087fc609d45fbc8ebf60663e112c37204f6840
SHA512 7748c8fb6f356aa45023a56245c43c5171d0413617fb1ac6c75650be75bbe94bd5528e9aa83cd9df9a08af65540a76ab59bc866e5dcf0fa7284122f290bd45d3

C:\Users\Admin\AppData\Local\Temp\nsp7636.tmp\7z-out\vk_swiftshader.dll

MD5 0a071201e4dd76996e273c81533bfa74
SHA1 5c92c634027692c344a8e74eab8b4d5c3e049497
SHA256 08e34bc25653f9357a4ccf62966d698b7cc6265dc668046a28403ae5786132ee
SHA512 b5de6548c5c743b6f119183fa06aaf67dcd4cdbc3542378ff87916b670ace1e2f4270f6dcaa4caabd01460c638bd02b565267e7bd9617ca92d72187d374bb7d6

C:\Users\Admin\AppData\Local\Temp\nsp7636.tmp\7z-out\vulkan-1.dll

MD5 a6588e66186ccf486eede8e9223f0d41
SHA1 777a5c4028c7675ee1fc4e265a825b35d5099577
SHA256 419488597ea255ec61f028aeecd36572d072dfe49b7ab716cd2c0a8e186f24e6
SHA512 ba8b9577f47ac5b9503aab8d4cca6059c7208bf0eb37999f4fbef0c2cf03032a9359559a0221f332c6cd66c38366fb0e1f1d32173f282afd639fabea8fc9400e

C:\Users\Admin\AppData\Local\Temp\nsp7636.tmp\7z-out\vk_swiftshader_icd.json

MD5 8642dd3a87e2de6e991fae08458e302b
SHA1 9c06735c31cec00600fd763a92f8112d085bd12a
SHA256 32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9
SHA512 f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f

C:\Users\Admin\AppData\Local\Temp\nsp7636.tmp\7z-out\locales\ar.pak

MD5 7608398c66cd0b55396f7250b3c8747c
SHA1 7e8417dfc7055fb9ecbe7cfc97a8aba0bd5a0e13
SHA256 3bb407fa588fb801ab241e8dda018461b54010a38648c3acc1e3550c0dfbd75a
SHA512 5dd757e4f114782eab9ab8cadbfe3179ded594285b3d0f7f6fa5ca50d80d866e7c8ff6a1f44deba8bdf09c04106de635c1da22597c008023b1fdf1cc747b6f1c

C:\Users\Admin\AppData\Local\Temp\nsp7636.tmp\7z-out\locales\el.pak

MD5 35ba1b364ecfff6486daed2a33cc6431
SHA1 b894b392d400fde4d35bc3b4edc130853cda340b
SHA256 c0434492be64b08f9ad00bc7cff65314822406dfb0c591fea0df6af9b6fc89c5
SHA512 5f5d2cf1d5c8158c62fe310338bfb1c9683ea2f43726c9f02fe6d2c29482e3211fd3d61a30dc0cf738549dc7047dfce0dbac36b9d22dfffb558f118fdbb3d856

C:\Users\Admin\AppData\Local\Temp\nsp7636.tmp\7z-out\locales\en-GB.pak

MD5 a44922cb4cd8816b9ce3d018dba9e6a0
SHA1 2ed3a8bd4a11bb89d3699f583372ad7aecc46ddd
SHA256 e0df967ffdf872f0a9589a0d74d68a742fa9b956add7a6736b82aebd9e8f02d3
SHA512 461b04a170c562382f6c1022f881db9f6928a36c962a2e3aeabee62dd4c46e08b59ef33a2d1d26af21dcc47d00b0c51e10b43f14dcd627f84104ab4f31a9e526

C:\Users\Admin\AppData\Local\Temp\nsp7636.tmp\7z-out\locales\en-US.pak

MD5 731c45f9f23957acc11b43d775758aaa
SHA1 12e66417a2dc0c5211ed67f026208ef02fcb40af
SHA256 02b97817b6eebd7caeaaff750f6462abc68911c398ddf0571b7900ff9b4ea9a2
SHA512 1a008df585ef76d9cf4459fc3e617b8d4397e7078c77852712fc7cf4f304081bc5195243437e64074016b05a8cd671db93666042e59b959595ba854ceb330a81

C:\Users\Admin\AppData\Local\Temp\nsp7636.tmp\7z-out\locales\de.pak

MD5 5a252c49719970b8fb33fbc8ec98971a
SHA1 931834866af36a9e25582a1f631a8cbc965a8e84
SHA256 d5746f48800efbff7db9d1bb8d6e5a5102eb7d79ae136e0485fd427be1ca63a1
SHA512 d4e6ab68d0b1a564b886c8bbe60e7bf67c3f71e6fc70ed5bfbb63a974f72afce62e03559f29f46a424908c256e990ff6cebeab8fddfbd79f6deca997cf7117cd

C:\Users\Admin\AppData\Local\Temp\nsp7636.tmp\7z-out\locales\da.pak

MD5 c54edb2260d2b907049cdd4772d5313b
SHA1 a12f623e6310b667a9c38b4c9143920d08564377
SHA256 318a9ec9e9fbe35d5d8cb9b719ecfbe1ecba9d8f246876c949c082107b439ddb
SHA512 4eef045080fecaf55bf2cca7d72d039b7d7a7b28021b649becee320a3a8c0753f4e0e5f869a188813e746bad05fd08c726b5c25f40ef9555967fafd93f7f6989

C:\Users\Admin\AppData\Local\Temp\nsp7636.tmp\7z-out\locales\cs.pak

MD5 926b4d7f540ce0b1912e5fb6383dabb7
SHA1 a7adbc83ef38092a90d964d61359a6caa1253090
SHA256 2964edcdcb27b2edf73515615501d8af28ad94b5dd31d2794f2624808c74de38
SHA512 bf6160e46eebf16d6b6f05d330068fa226118457ff03277b59ed4e1a6d2d28b212155cae2f48c34adfa81d20ff71e4206f25052257559f4768323b342dd16278

C:\Users\Admin\AppData\Local\Temp\nsp7636.tmp\7z-out\locales\ca.pak

MD5 bd846046383d64073da6eb192f5cddb1
SHA1 6dd4bfb982101ecafc14eb35834caa1fe5b1e3f5
SHA256 1dca9a7fcd850aecd48288999b436ff7e70cd4a96f47b40319759a800fb8eefa
SHA512 521ddf6e8fb444b911212501825392562af14cfb5b31a80707fdeffb13c8afb04852b0e3f7e3363a1c3a37c5c35bb1cbe84b458e14e30b5e8d8cb00a6a349ce0

C:\Users\Admin\AppData\Local\Temp\nsp7636.tmp\7z-out\locales\bn.pak

MD5 d179d38e8b9f7e60a943e2fc9f9471ad
SHA1 8d109081959d194c82b89fb25a514a65233435a7
SHA256 a45279ccc13390e0d93cfe1e33a7f276a5d9e97f6aefa6b6e14ecc4289703bda
SHA512 fa6f3e45f40e1e48f191e4a65f5d15dabd7058af4537eea3e34998dc67dd250b00e52d1f07b10a73a67a15aada4523e50f40160d98a5f37ef4684a30ff338468

C:\Users\Admin\AppData\Local\Temp\nsp7636.tmp\7z-out\locales\bg.pak

MD5 c80a2008d9f61c182430a728a6e059af
SHA1 2f2aa33573156d9939e3fc81f8d81de4aac21e61
SHA256 5947f567ce1f4ab945dc6dab1599422d412f4417b9097905150d669122e43f7d
SHA512 016ce835b6bac4d5b38d72c0b3adf4d6b4e0ac04677d70c53e5938acd28b12220d2878bca7875471d008b779ea6ab4972a9875b44304e867d0bb5e4318c0edc3

C:\Users\Admin\AppData\Local\Temp\nsp7636.tmp\7z-out\locales\am.pak

MD5 92ffe73f193d41c5a90303955b2da67f
SHA1 1d4136d8bb752da2834ebf0f4f62de56efefd78f
SHA256 325dd137903fc0d9e5010a62a314d9c6984ff82afbdff2254f7c48bd03dda06a
SHA512 6c4f0aac10276ab84ec4e63ec9ad0e20a1b3ce9d2368ec966cc6471600c3d28df8f9e501b4843bafa5bcf2aab57242559ba430d58853180ea653afbc8f468e67

C:\Users\Admin\AppData\Local\Temp\nsp7636.tmp\7z-out\locales\af.pak

MD5 9554e414159d76754147d7e185056094
SHA1 e0fb0c95cef8e8d1ebeb11a6e2ea03b9067d799e
SHA256 f402c0d8494c9a2fceedcd7845ddf43b62e7d01ddb1d9c8e132efea83b724824
SHA512 9e8b41f69605d7bd426243e49b0f22347b211f7d13038ee6350d86d06cc7274bb2ef1918e27548802a5437903a653d86fce85338fa97f8c9642c0e74ed59ae88

C:\Users\Admin\AppData\Local\Temp\nsp7636.tmp\7z-out\locales\et.pak

MD5 97918bb7b36900705b1a53b7851db6b3
SHA1 f8cca656478c6e15baa8f344dda2704087f54776
SHA256 8021814965878c4913d1f9f9d226da49cc2a37746d976f3b84aad7fe096fd14f
SHA512 6daa8f56c231cfd7dfc17bb5d5c56afca9490f953f22c92365a1f88e995c3a1705de98a725177001bb449070c860fd1c843ee0a499c6dd8321f2e6f4cf914da9

C:\Users\Admin\AppData\Local\Temp\nsp7636.tmp\7z-out\locales\fa.pak

MD5 04f629bc5fa6d761f1d7b5dc28a6b97e
SHA1 d80f74a2b6508bae49b8344809062b48dc2b2dc5
SHA256 9b5334e4883a716c5616c859889aacd7b179b30ac65e5657198eb4e877700f81
SHA512 ea412096170ae29b33f3d54f17fb9f2f5a41035df56e2af9596ec7c15422277943c5c651df6b3a232aca4e979946732bec496da03b3e47e0d4629675751a4c67

C:\Users\Admin\AppData\Local\Temp\nsp7636.tmp\7z-out\locales\he.pak

MD5 c47322869b458a1cd231f3dc385f80fb
SHA1 4155444dcb69c5b64711139cadb32a6df95ce3ae
SHA256 9e5544340da0e0aa28298e68765716a3960a28e50d86146b5324fd70fd756b41
SHA512 ca4664a9acbdd5896c6a0921e09d99f1a7ce3d7a80338c1a4310ad499a5a2cbb60ca074a02fcff128789da0a4cf82d3869f83836ae3ae3171085e58d6155fb73

C:\Users\Admin\AppData\Local\Temp\nsp7636.tmp\7z-out\locales\it.pak

MD5 cfb2ddc4caafd038db00c1e7378d316e
SHA1 2573f32a41735efde916f0a73b415ca689c0dd36
SHA256 9395bf9a547561df6cd20d8e076452369cb72184f215448d1acd802dccf3a47d
SHA512 8a02ca980a8de8af8b179d610ff25557f81f67bfb5a9f82511641ec87b378a2ab7214d5ec681797acba1a865bd726cb9c5f609647ae6ee71a393b7e16fc06f8e

C:\Users\Admin\AppData\Local\Temp\nsp7636.tmp\7z-out\locales\ja.pak

MD5 d84e12cecf6e4355933ed68816f090f6
SHA1 eb35ef52f341442dd887d43a52af7f02926d5288
SHA256 8de18410e38f4036367113bd4ed253a4957709d87e0aeb11134742bc89e16d62
SHA512 9dbe703493acb7b48ee1dbc4458ce0b9d757419e3fbf01379bc8dcbd22cc30a99348f7cb96840c19e873d6d97bb4d1a3baa4fcd6e0d332480273020a6e13a375

C:\Users\Admin\AppData\Local\Temp\nsp7636.tmp\7z-out\locales\id.pak

MD5 260d34aaada70c9d491bfbedcf5ca8d1
SHA1 5fa83a3e53e6aa9eede9fa34a84eb55ee8493314
SHA256 64a8a25717ffae1855114d84b02223ad5b3963c1c6a21c826636146726d0a8a2
SHA512 a19ec6fae22689a8f851c1a782eb748ee9f38dfad89f05291c01a6070b24a8a02fac4bb4a441421f411966e8bc08e996900871d498efa307ac1793191710ebd2

C:\Users\Admin\AppData\Local\Temp\nsp7636.tmp\7z-out\locales\hu.pak

MD5 f55e37076460b2e8b5ed0f414618d256
SHA1 b313287de6197f1bf9f9770e3d2c99e70c4d8179
SHA256 61854ab102bc57a7ad7b85a4fa008c3f071306838ba1a0491f68c19153decd49
SHA512 e8121a064a3209878f24c33e9c20c810c56aa15476909de1ce076c80ef635e69a60ac655b7714a116951de5b99bb690827edafddcd5e6b00ee6310807d78ce58

C:\Users\Admin\AppData\Local\Temp\nsp7636.tmp\7z-out\locales\ko.pak

MD5 c21dde26f43530135ef37323b00dc1fd
SHA1 a118e9713b155bd2999f04c3075f2e1bb05bffaa
SHA256 ff88b56be0614232947bfb07e6beb88327a18ebec98cece17caa9b7cd8e6dd24
SHA512 0db144f03992c41c3703719e985183a6ec988265e5a629d09bf683d9b208656d605565d6b5597cead909c814f25ce200739e65b1327172afe10d395a5018206c

C:\Users\Admin\AppData\Local\Temp\nsp7636.tmp\7z-out\locales\kn.pak

MD5 a4cce1cfe646eb2c268493603dcb358b
SHA1 aa19ee1cdf8776d07bf35614ff063aed5a798ef8
SHA256 01250aec7310bb59e0e847382325f940ea2cdab00369c1c7efe2f340d01ff806
SHA512 cecb7794a288e879324e74e7522bee61a43072ab58a289b686f1d48d98fe9a0d29a5505b8c891fe411b823c3d8366d6c1cffbcc1deffa6c7d3a04339a769dbc7

C:\Users\Admin\AppData\Local\Temp\nsp7636.tmp\7z-out\locales\hr.pak

MD5 2f7462a076c14f2c2733a41dcc5ecf1b
SHA1 c453dbf62d1cfe85adb64ae374b6a79cff2ef97f
SHA256 6dcc7d5d771475874471b78ee84db0230341f8634f4b38a9cb90c37226d70b00
SHA512 f1df750b779c908547a38b49bae0ed8734fe37cd96d3502186926e6cbd657c248c528cf9944353dfd26695ab384f17f22f0bec251e65a20906da4d67852cc516

C:\Users\Admin\AppData\Local\Temp\nsp7636.tmp\7z-out\locales\hi.pak

MD5 6d3ce5a6049eda31ecbc55a9d3abb163
SHA1 100afed265c77a20f6636a0ab48c8a723e30b087
SHA256 8dae029a489f1bd7530650a9cb1be1f03741e1d7018503feb3c78759da8af531
SHA512 3668952ea707da9ee8fd3753c04d5dfbed97685b76dcc75dcf8d6a3699a832c3ff0db9cd40810f6ea9364f2b7aff4b1cd68980c74b59808fcb4900a36d933bba

C:\Users\Admin\AppData\Local\Temp\nsp7636.tmp\7z-out\locales\gu.pak

MD5 ba34657d3f5ebe61b36a807c4a053d72
SHA1 163875c4ef39e3473d9d5aec4b6273f34a90a02d
SHA256 8c762963cca8eef2cbd39bd7bcd8b809f3b57a75353e687743894add9c19440f
SHA512 cb1c4adc59c3e99f819645ae84e3e6b601b340e05ae2182c0b1568bbbcd3eabf7bf09ef34e5d0757530997d0734dc52dd744b8b0edbb3702a3c06e29ba7f0c4e

C:\Users\Admin\AppData\Local\Temp\nsp7636.tmp\7z-out\locales\fr.pak

MD5 6708a286a0529ba7bed9840d53035be8
SHA1 af289ed518d9d90c75b69a870615e3f475c5d0e4
SHA256 7169684ff44f342b98648839b8963916f7323115dead332c2471baed6264b80e
SHA512 b329798fd85eac1505d0af5cb827ba11a5850eb926be39b414c40b5fdb56432db5f3dbc45237510bd4d1174c1cd62f623c6cc8ab10eb0ca51dea5d5487f0b0fd

C:\Users\Admin\AppData\Local\Temp\nsp7636.tmp\7z-out\locales\fil.pak

MD5 89a63085d14b1b80f259e166e6ffe56d
SHA1 d1326c879a6ad203489226f7c5be08c897be71ac
SHA256 00b8cfe6131499a8a67a51dd8560a965a2abb863d52635dd3931df0479c3f5ee
SHA512 ab48fc4bc604648b4cc010a530fbcc5138b9d0a0f09398d2a69b6219799a43a052722c47dba96c9d001b4f6ddd491683c0a871c19ac2abc12843e68f9d4c2cf4

C:\Users\Admin\AppData\Local\Temp\nsp7636.tmp\7z-out\locales\fi.pak

MD5 3acdfec7edd4d3eb473f0deb32713c14
SHA1 41fdd4af5f9fa78f4f81d3996ecafd69587f05ef
SHA256 4bf099ac8a76449bf597caf005790f5c02efd533b9a329c5fdc460d38f77607e
SHA512 b167caf1e5ff38b0c80f891715866a7754e9bf3f1479aa1faa3cf3e8ae7fe9b71a87109239750f71855330b6d20704b43e814f188672aa52a5dc6912297f1997

C:\Users\Admin\AppData\Local\Temp\nsp7636.tmp\7z-out\locales\es.pak

MD5 f6f452e9fe45b56b489b2e99c99848d7
SHA1 c64384626ea966d3a24dfd4d6c2f42c1cc082d2f
SHA256 54f85551269c8b5f3985a09d313fdc04c4595e5058163cf147ede049b8faa605
SHA512 f3c50308531f9654ff394cbdfdcc6029c60dc6659fe60e0326b4855a31f3eedc86f3df82a96a9e7691d12c7a69079c4abe2722f599aae29f48b291fb5a39a3a1

C:\Users\Admin\AppData\Local\Temp\nsp7636.tmp\7z-out\locales\es-419.pak

MD5 763f8c8ce092a3d64bbebddf4169e108
SHA1 89f2834c1b4e3f84870af29650bda6fe360350f5
SHA256 0c816f00b15d59809d30b6611aa455ea1bf8b022d2f887137f1c9d7a5600d5d9
SHA512 8401cec52e80a5136543473b317f0e2d920008c83b9667605cd0deb9fa5f933deeda0aa475b436520001c6a7c91118a4d9b11e28a9f4b31271662780e678dc06

C:\Users\Admin\AppData\Local\Temp\nsp7636.tmp\7z-out\locales\lt.pak

MD5 93a0a8181e8c251a2375645a552293d6
SHA1 57faf2e9f965a49d5294cf9759b9b50d87c2ad1d
SHA256 f87b2baacdde69b2b24dc7859d47bad0844cf4d275072812aaf4eedb10318450
SHA512 51e1ff74442cfd51fd2fe218755335ed99e4850c8266425b8d55aa0abde2712ab765ff909d6ee620268ade9d7b51a93be659d6a52143da2abf4ec309bbe9f2fc

C:\Users\Admin\AppData\Local\Temp\nsp7636.tmp\7z-out\locales\nb.pak

MD5 c2c49ebaebc448cfeb7933ce2cbd6ca6
SHA1 c3efca0fee40a3daf7d69768d7659de60b3e2c4f
SHA256 67d997fff8a24eaa030eadede7f5345fff5e954e96bc8f36d399839bed998774
SHA512 c500bc1097ed9077742c5708bd55dc4215c45f751522131b8203d7ae802d278ffc3a9ef607325bbea5b650d594dde0d74e7fa4502e1a0f905534c32fa1521bba

C:\Users\Admin\AppData\Local\Temp\nsp7636.tmp\7z-out\locales\ms.pak

MD5 578dcc1aef901d00a57f2698a6e15826
SHA1 4dca370c3b22f9f54a62d31166a84848336a8fea
SHA256 e5e77421c5fca5b1eaef96fbf33c345c63119015986163cb43d65075df6265d0
SHA512 073aecedf4132faef7e896e6840bb6297e866a06fd65a7490f0a61179013f27b6592a4fb2be91cb5e139c77f6db7695bf60e5788154e51c9ab7889f6e7040a33

C:\Users\Admin\AppData\Local\Temp\nsp7636.tmp\7z-out\locales\mr.pak

MD5 fcaca3a4264563461b42b16d8fde4b02
SHA1 af37d4e73588d4a6d3d52f2dba67414393c9b168
SHA256 362df1aa112a0a521617c0496087b3547a242eb79a5416b8414c5798f31e187d
SHA512 9114dc4e7da2affdcee5c86b1f1f78e47279c31d0f76c8deb1eac545e0268b9592463bbe1a4b433ff4fcab1ad4a596655b775608515bf7455fda550d3bf47b8a

C:\Users\Admin\AppData\Local\Temp\nsp7636.tmp\7z-out\locales\ml.pak

MD5 70c0c80fdfc006be0ff502e0e6115b2b
SHA1 43f96be4652ecbd22677b18ffe2260b79bcca19c
SHA256 878e268428ec7aa51105c921740931c545d4ba6a274b367c52675c90741d23bf
SHA512 c463c5d91b3cae6b2c70ef6b7e3758bacecbe76088d813e2632bde7939c1fb28bad3cccf914a14861b8611a490ea74ef2d8d10e7336b203d12cee9904e8f9423

C:\Users\Admin\AppData\Local\Temp\nsp7636.tmp\7z-out\locales\lv.pak

MD5 07405dc51eddde72e367737c093c20db
SHA1 c66b8eccf167060c43b3c53631fc0c95b3afe05d
SHA256 dbc860a35ad08e4f502b8784ca1548110d3c7334478f6c392db42f52cb3074f2
SHA512 98f276fc137d6592cdbc1c804dd59983e290409bf7908137627ab114ab485e332f568d28c60a35d1dcb3d9753c2d1740065c654396af5f56f0dd5e1dfcffcf71

C:\Users\Admin\AppData\Local\Temp\nsp7636.tmp\7z-out\locales\pt-BR.pak

MD5 f18cae95b8bb6760d370b435235c5629
SHA1 eb62bc4249ea8e5688c67aa65bfa2b628fd5e1d8
SHA256 952234ef1d2792204f4e65cc814e9fc6dc007610668ceffb980c74fc0167ba0b
SHA512 218e9e4e59c875fe7931f16e6df877f67b8466a5e8a5565a1cab0f091b40b0652eefcf205536f5f4b8697966aa201092c26249142dcd8b40e055529e23ef7819

C:\Users\Admin\AppData\Local\Temp\nsp7636.tmp\7z-out\locales\pl.pak

MD5 ab94060826404cc09d5fed31f63cec05
SHA1 20d1cea9d2e60b9bbd4fddb38a652856a3561008
SHA256 03258ecf731487231cc7eab8f6cb96e92b7ede4cc5b63c3def6ba08e0f16da10
SHA512 a9ec28912bdd2b8b1e1b3fc4d5c76139253ee4ada8f0d562ecd611d7366b0cdc97c379c5ae93c9db69eb045d8834cd0e1e0ba84813ac0071b5a2bf6cea81173e

C:\Users\Admin\AppData\Local\Temp\nsp7636.tmp\7z-out\locales\nl.pak

MD5 9229e4ded3219c948747a4dc9a6a5e32
SHA1 9147b2f2ac3837588aa3b71eb4a255d29cab0e74
SHA256 d88b02d74e01b9350d3ac9c48fe08333ca9c68e3e3824d64fae86c5b8b531feb
SHA512 8a81cefd9fa718b18de87555cb2d5c8e87ed14921fd3a0247b47988a1f3896d63b16dbf86fbf103097c73181473c37393c0f4e9e0a07d95d847aebcad526e8e8

C:\Users\Admin\AppData\Local\Temp\nsp7636.tmp\7z-out\locales\sl.pak

MD5 299acf51d74b95ae4272730c437763aa
SHA1 8a0ff73f37d830b6677e514371a5825631aa455d
SHA256 26e29cd70c4143d7e9fb65e86e02c9173997f2fc062633a5edb2b7df55942157
SHA512 d7d298a4eb476a3cd4411261058f6f9409d0dddb3756cdc1e27e64280efc8b84fe40afbd92c754d56f58ea333623b0481766320b5969f5dd71f0c2a93be8ff77

C:\Users\Admin\AppData\Local\Temp\nsp7636.tmp\7z-out\locales\sw.pak

MD5 e2958cf2ab6cc74551c8360e6cc34333
SHA1 806aa1129f228ee48744cfa55d061149b37522b0
SHA256 51482431411be2d89bfc026b9acf9ce1a0fb971376468a47829a15392b47178a
SHA512 1f5f306b7233279800d18fa461f4c94ecad809b2bb7c292fce16abcac2e963f7567a86e43a3c950fc86bc73b4fef8451389fc57ac6750fe7546afad8ae00f589

C:\Users\Admin\AppData\Local\Temp\nsp7636.tmp\7z-out\locales\ta.pak

MD5 474a2016df48f886e91fb9fd331d9bf9
SHA1 2548525143292d7d150f5014b44ef294ba7c4189
SHA256 75638ac7fdb226c0840d5c2edf763bae35afa1f47e89199d9724ff46c003a2c2
SHA512 a4c2c2c046420c77948a0479cbd2be3aa11c1b347eb508d020231eece5cf0c2cba8d4f6a0e9f875dece4a16413157fd9e9f1cf09e1746335eb11e8f8590cd013

C:\Users\Admin\AppData\Local\Temp\nsp7636.tmp\7z-out\locales\sv.pak

MD5 eb39645ebed4f980ab12585feae2f4b5
SHA1 fc7c471b93f59bef13f7bb4669e683385a8b9dec
SHA256 ca34ee1c147358b5e32b5829acc0c355708925dc8df91c21d8e495c7485fa5c7
SHA512 5fb25d7dfca3483967a5262d2c62b5d37a192f5a7a19dcf6722a9a8753e299e567bf7f26171859c374c8d035bb521fb4eddc4821aebf9ceea1253c63e1595c60

C:\Users\Admin\AppData\Local\Temp\nsp7636.tmp\7z-out\locales\sr.pak

MD5 02bdb4d99bd466eed5fed3445560d52d
SHA1 c24e1895145b3066840be0d349f5e866e46e2a39
SHA256 ac09005a83d4ac8f61855c7e301e48a753d2f3558a04cdb94f23b539e2086e54
SHA512 fac7bcefe31f41b6e37f215f271b33ab21dad281c1b0bdaf28769c99e31bccca625f213fcfd7c0047b3e2104a8f51b2ebc5fb374b32f58ae22c4130e315aee1e

C:\Users\Admin\AppData\Local\Temp\nsp7636.tmp\7z-out\locales\sk.pak

MD5 e9bb6352cdd0f1c2fdd543a48ba076fe
SHA1 50053620d7be5566bb3ee588feda1a4daa207672
SHA256 441155d63257beaac9e2998afa1a9e65957286ed1cd9e0670072a63e24ff3f8b
SHA512 c1f87c7976159c8ff3e28185adcabf93d47ace0dc9b95fbaa4d1e5ed9ea8257263276880486a4c17a68a5869e6ec640eaf81f5ae6c4481e351e73e7b4dd9dd9e

C:\Users\Admin\AppData\Local\Temp\nsp7636.tmp\7z-out\locales\ru.pak

MD5 a0072d84d1bcb2fa7bbe7ae4e06151ba
SHA1 b9227c6cd4ff9f6db6a8edf694c444beccd369f6
SHA256 8c169d6995d97feae8b8ec947be27697ca0ff731b593fff36163e4f31969a6fd
SHA512 fad335e81a24427f2b0a2853733da94c9839139a7982796bf742eacba306ecd9998914bcac49b925d5bb18953091a4dcc62ea6a628fff125c086099cfd33e3b5

C:\Users\Admin\AppData\Local\Temp\nsp7636.tmp\7z-out\locales\ro.pak

MD5 36f8327b36f2c6c003f864895968af2f
SHA1 248d88aa9fe46cbcd013ea7d7270f8483215c073
SHA256 6343589863bdd2ae81ec9c33e335048fd8792d2c2e8872f91f7a325a1f0d97ac
SHA512 bb03b5af3ddf676dadb35d5b94f40ae1c95cba2e7175c87d128c319e0055dd91f412883daace89fa33a17b9761f1cd7bccdf261b16ffadd6e10da594445c2c8d

C:\Users\Admin\AppData\Local\Temp\nsp7636.tmp\7z-out\locales\pt-PT.pak

MD5 4aa908b531adedb0ee795704ab72e248
SHA1 2ea9f4a7e561e70b06b675b3fe35ccb0f2a12fca
SHA256 72ca754dcb34c54b72087ab7fd5a4a3fa03e09cd1ced906d99d6525c7a19ee9c
SHA512 7d4a1add737136acfc7ed7848b0ee54646d5c8aa3a54addd7cf0340ebf42b58f6ce2eff56a2ba94125475e7b64989d06fedfc8b1ee41ece63b18b1f95686ad08

C:\Users\Admin\AppData\Local\Temp\nsp7636.tmp\7z-out\locales\tr.pak

MD5 4727af70df9094888ba46f3a62eff264
SHA1 d2ead301efab607d040c69c238a06d3b4d080717
SHA256 026fc65ed90fe356ce2b5e2b459a4487512d89e48f0ff8b044d6739ef51c1658
SHA512 5bb8dd6ad100581a7e0cb87b57e054ab23551c263144f7ffebf729b2280a1bd95e92eba9c64b80e2f77ce59c3c4315ba2b5253ac83dbb540828e7a59a70e74ac

C:\Users\Admin\AppData\Local\Temp\nsp7636.tmp\7z-out\locales\zh-CN.pak

MD5 156894db535f0fbe193d66c0afb4b112
SHA1 e347caa3c41ea7461c217c029dbca54567fbe27c
SHA256 cc5a411d3bf0ddfba9e5041dfeeaed70265ba949f7b7ccba0170b88e3e14ceb0
SHA512 e81a0968598536e91c17a1998682cb5fff42bd3199c41b64e2d76827c96b187e8f86182843c061735dad2b7cd5e32750e473c1a5f9c82bcc0dcc30f1bdb8b806

C:\Users\Admin\AppData\Local\Temp\nsp7636.tmp\7z-out\locales\vi.pak

MD5 593d33203c539d027c5b5bcc13bb38c9
SHA1 2f6288bc43ddf31e49a733af97e3e9e2fb8a2940
SHA256 d435c4c7154c24982185842a09cacd343cea77a5eb7fb859c4d38973cf240a42
SHA512 7c41c74f7220270da242562b93db8db053c0a7b08fdc1864d063706caccbc6926f288ae6bff1de43af656af67fcf2d8ad57f53d791bbc47a3b29a6a0856a68e5

C:\Users\Admin\AppData\Local\Temp\nsp7636.tmp\7z-out\locales\ur.pak

MD5 305d39b5de5a1935d786da4bfc736dc5
SHA1 8dd952fea4dae937b9f87d229638cd22ca197a8c
SHA256 b551a93a300ab78ee6da5087ea417584c4fd3941fbac99c84c9c58be2c88a7e8
SHA512 d75ef12a56c2dbde5c7a1967297270f7d717a366776f6b2a316784f033c71fcb9d25dabc857398e8459d8ac40aae1bae59e82f551e00e9b96bfbea00a54fcde5

C:\Users\Admin\AppData\Local\Temp\nsp7636.tmp\7z-out\locales\uk.pak

MD5 7f8d31b43f7319164bc0f6453bbaf007
SHA1 4be254da0ccb13040489403cc2d8015f448292da
SHA256 e33b1a611feca93d105dee7c867521b5fbf27da38532ea3ca0aec61bec7f6108
SHA512 9569bd24aa5d2f9b0a13784f5f3d98e636f72177c7ff7a14c7d390f1d5f0b39ffab512276f70e4d2df0d37fba94a2c2322a840ba303a4cde33ccb20f7980395f

C:\Users\Admin\AppData\Local\Temp\nsp7636.tmp\7z-out\locales\zh-TW.pak

MD5 337bba163068f2dd7ff107ea929c8473
SHA1 536ec5756f229696dd6f875180778afcee1966fb
SHA256 58753d4313ed7f548df16a9cd9aa1f0e30cebee675a76b8359ed23fc95825574
SHA512 000b98249d7b0e4c7e463bafdf827e3dc5afac447750320d6344c984f4ad41cab5795861920525f03dcaeea5aa3615684101b08bbc103d3ba01065676c8bd64f

C:\Users\Admin\AppData\Local\Temp\nsp7636.tmp\7z-out\resources\app-update.yml

MD5 b0e31c54422860c9390a2e456d8f4624
SHA1 1b73cc7e00cbcae94a3ed921fbd055a393dedc0c
SHA256 897dac554968a2c49044a5e601cfcaf7c24d41599a58c03e91c62bd664b60ecf
SHA512 561cff0a281e073b0b2e3bc139a18b44ee1e2ab147d99ff007d5deae48c0c4c847bee4e14ad2e36abb27f7d9240f95aee7fcc9987246c717ba48666f550cc121

C:\Users\Admin\AppData\Local\Temp\nsp7636.tmp\7z-out\locales\th.pak

MD5 7512a162ea0b65dd9477ac8c190136b9
SHA1 ae5fbce9516882a0d58da9ebee3c767c7ba4c305
SHA256 d01ecd4edecf1809d5c2133366df2502a4621e88d894817e80b913f3a0926fa4
SHA512 425fd803cd3ed9589df5d04bb8ca4b62af0e573301d31c48a1a05bf3b707a0672e1a033965946223e5873a98eb3c9d52bcdcc1296a08cb4971d0b1b6d2e95eb7

C:\Users\Admin\AppData\Local\Temp\nsp7636.tmp\7z-out\locales\te.pak

MD5 1f20952c1a61fa6e42a7f055de8986ea
SHA1 301ec89ca80695865d884927c4c07c6777fb321e
SHA256 caeba6c853a0ee12a802fb9f610a95c676071414c1d8407d18b05f2fe8ce6bb7
SHA512 c43f5316dff21cd08f86e0d3d7c407449cdc751ff466683dff9a51e3a07bda203e8e22064bf240726e6e389b661d6dc2bf5ed5dc42750539990379e513228d53

C:\Users\Admin\AppData\Local\Temp\nsp7636.tmp\7z-out\resources\elevate.exe

MD5 792b92c8ad13c46f27c7ced0810694df
SHA1 d8d449b92de20a57df722df46435ba4553ecc802
SHA256 9b1fbf0c11c520ae714af8aa9af12cfd48503eedecd7398d8992ee94d1b4dc37
SHA512 6c247254dc18ed81213a978cce2e321d6692848c64307097d2c43432a42f4f4f6d3cf22fb92610dfa8b7b16a5f1d94e9017cf64f88f2d08e79c0fe71a9121e40

C:\Users\Admin\AppData\Local\Temp\nsp7636.tmp\7z-out\resources\app.asar

MD5 04261cff6d42b7dac2b2429df634387e
SHA1 bd26ae0ef0c42a898f7a04a5bd8bcc7291ee11c7
SHA256 e0abebd549f6705666f056ac69cfa9989ffc9ea19eb86a562ac99ccacd8bee45
SHA512 0163f376c24cad9e2f189a60eec22f34ebc2526109fc9574a0c0986177e01179218507cf55e60c39a64d1b410f6e2cd2432b9523f6ac3aff7696106e6f482f13

C:\Users\Admin\AppData\Local\Temp\nsp7636.tmp\WinShell.dll

MD5 1cc7c37b7e0c8cd8bf04b6cc283e1e56
SHA1 0b9519763be6625bd5abce175dcc59c96d100d4c
SHA256 9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6
SHA512 7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Local State

MD5 1a60d8c264b4bd388376d09065521303
SHA1 57b41a3d63e5b1e22b1b8eb1033074709586d202
SHA256 01b909a8d5d647ff0783d1af060aa9294af976bd7497cc6d3a3a0301d0bf9a4d
SHA512 0b9e50cac1c94f67ba4b22f834d31cfb3ba777b59f2d498d907ea14c600ddc1c60b6a0ab551bd33f7bb911fcee429e1a756809257f13494f3c4c4a03f852ca26

C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Network\Trust Tokens-journal

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Code Cache\wasm\index

MD5 54cb446f628b2ea4a5bce5769910512e
SHA1 c27ca848427fe87f5cf4d0e0e3cd57151b0d820d
SHA256 fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d
SHA512 8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Network\Trust Tokens

MD5 7289d4bdfbd73ed571278f95cb4c1939
SHA1 7c911f54243d9777a34666f4526a49c7e7aea244
SHA256 2d4ccf8ac8ae4f5c6ec8e0566210ff56585b6ba0290501a1a11ed9b23bfc226e
SHA512 6e7d48e18b0317449807c4ac2c377b3cccf5bd6121077d51152d7e188ba1ea3cf62372b7611036938986dd0c84465dbd747fe8580e3a699f8470229a6d57a749

C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Network\TransportSecurity

MD5 d2bc41fae11192d93df9a87ada0f7d11
SHA1 69860828d0e94ae3f9b86779cb01ac2b5a6da271
SHA256 cd0ebfc9ec2d99e0268a512c6aff45772fb9245e0d2682ca165abbe927d289e5
SHA512 73ecb6b90aeeee6b96ddcee87d424e9e7fb48596dac3dd7ebdc15c230574d230f6c1861d4534d210a423e154caae5917b29796a27bf21824fc40879c00f8eaeb

C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Network\Cookies

MD5 a603e09d617fea7517059b4924b1df93
SHA1 31d66e1496e0229c6a312f8be05da3f813b3fa9e
SHA256 ccd15f9c7a997ae2b5320ea856c7efc54b5055254d41a443d21a60c39c565cb7
SHA512 eadb844a84f8a660c578a2f8e65ebcb9e0b9ab67422be957f35492ff870825a4b363f96fd1c546eaacfd518f6812fcf57268ef03c149e5b1a7af145c7100e2cc

C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Shared Dictionary\db

MD5 71ccdda9f3186c8e729bb559f93bb992
SHA1 3712c11bb21b8e2a74bb879d47b2819ed1ac14a8
SHA256 79b107307408e5ad9a145c87533316174fd13f4ad943497d079522fbe325b3b1
SHA512 19f8134fcd1211964111b07884b52878b1649644b6ec623bb586df1a9b7dabc7f8c8a755d2a52c908b563bdd968135f4f703cc35103696e40d0ab0020c8dc4bd

C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Shared Dictionary\cache\index-dir\the-real-index

MD5 92917a927384361303902f97a6a9ac71
SHA1 944c59acc33239426506a0812b54c4f4d1b1cb1d
SHA256 9bc50ecb8598db2c38e3df7c1363f3db50ea12ca2c1eabe29e0bacc1705a3468
SHA512 7bb3dbae8122f1988ea5705aab40f0d435710f33362c392bb594b06f76ca91af20b9532bded8dceda82b1866983d8d543f10b73ef74311091e5b7f7311136276

C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Cache\Cache_Data\index

MD5 25f5ff5146bddce4b456d1a5b90aed58
SHA1 5962ab9d4bf1303f957cbb02c5af5b2454cd3cca
SHA256 c277a256c08226f34d01973c99b2023d75fb68bd197c0334b1a18d4016589cd3
SHA512 594f4f0a69d4a2cda339df2ab36a256246acceafb227b3b725ca64c62a4334deca6a786360317b6ed9213545bf4ab8bef3883bd845e4e927d7eb0bb6a2cb8a32

C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Cache\Cache_Data\f_000001

MD5 057478083c1d55ea0c2182b24f6dd72f
SHA1 caf557cd276a76992084efc4c8857b66791a6b7f
SHA256 bb2f90081933c0f2475883ca2c5cfee94e96d7314a09433fffc42e37f4cffd3b
SHA512 98ff4416db333e5a5a8f8f299c393dd1a50f574a2c1c601a0724a8ea7fb652f6ec0ba2267390327185ebea55f5c5049ab486d88b4c5fc1585a6a975238507a15

C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Cache\Cache_Data\data_3

MD5 6ccf4c8c68aba99ab8413bb44aba14c2
SHA1 ab13634b1f2bb1ba2e90f127008207bc4dbc0ca1
SHA256 fc9c6072300da7994d561747aced727463f43fba287ddc361b950abaf4310419
SHA512 63dfe5bc54e4b3785a979e77094ac8755c0b04ba1d48001fa7f8a2edba65dbcfdfab63d232adf542effd62e1ccae568098ed9828080e28ed50a711415ad3b50b

C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Cache\Cache_Data\data_2

MD5 8251265bcd9e7c145bfc2a579f7eefa3
SHA1 a3be9866da8624df4d32f4682fd0e8ff3e33728a
SHA256 22627a4d15b0687e4e6731f45e0869e3306fd69f2bb0e4e70a231ca6baa492a8
SHA512 c8902999322b427e31928cab813cdfc8adcd08a78cbc2bbf3c2e5f7475c91a1d565dd31f321680a3aa79b63ad5994a360551f16efcb0079e32301794a6180fa3

C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Cache\Cache_Data\data_1

MD5 ce8766dc10115e337727490e5fa8e4f0
SHA1 b9082fd9f05ae00725ba0fd6a970587d0b040d27
SHA256 6c1df66ea9f55fd8efa88f2012d3c8cc29b821eecc3fe65f6ef1159cc76a43be
SHA512 64b7ef21d17cd4e17c83632f770a8e50ebb50a719bd951de60a5aedd46d0ea93691366f1de6fd90a63f9be5e2033e411cfa966efaced57319478ed8ad8730a30

C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Cache\Cache_Data\data_0

MD5 5051109320b13cb92029615254f382f2
SHA1 848a60a2b215e0d539b9b8e98cf1735da13ac382
SHA256 a5edaa9f8b9129cc66c914f5ede381dd61f8d9bad7df25210dbaeba5f8c04ef6
SHA512 a0a9f83b412cbd9fc8e44ca1c106a8caafad3bf6ee4ef0027ece1f35f70c225432234a1f0f5594eff0ab2512635887c4503c30edd19f70f34167416ad880bf28

C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Local Storage\leveldb\LOG

MD5 7f027f73b98a887de5712c1d6572f80c
SHA1 3fe6a44f8498341ee1a7452ebbf9a6caeb269e7a
SHA256 28af4ae10f5eda9ee4cb41d2fb0adc155c66eba8187dda8ad6b122de3978327d
SHA512 d26e69b5336be874d8001632858e3dd3865ce811ec4bc494d9af68929cf370d76214ebf70422e7d4474a0d7c4d6f80c1ee18099eda504ae45b7021b438610b0e

memory/3412-1298-0x00007FFD0C310000-0x00007FFD0C311000-memory.dmp

memory/3412-1297-0x00007FFD0B270000-0x00007FFD0B271000-memory.dmp

C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Network\Network Persistent State

MD5 b63d48c8a7961fcfaf2586058d40ea5b
SHA1 ce4a3076bbeb7eba1203b4a1d98650dcd4870a4a
SHA256 d1b7f59368fc156ae51d6f07081be890f997360815ede2262ef9d52cf2291ec1
SHA512 ed382c0ebe6faafe918af8662673228e22e00db343ce5a10a895e2aa3fa00c36a94b8733279afc05c4949d533773b190e0d27a696d77a0cee8ee9780526e7464

C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Network\TransportSecurity

MD5 c03370db0a56e1cb99860200a70923af
SHA1 5873a9a737c5f94c819aa448d0d14a74403b6a10
SHA256 e148c6fb6e9596cbdaf59560716bd5c788605e2c45da0dc14ab4c138cacccad6
SHA512 3ebe428d790c1bffd47988d60110223f24f83fab86129e1cac7738d83c1d957346ea60f3843d0597ed0efe7e750de915bba980a6f1fe74a7e1d351539d0336ee

C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Network\TransportSecurity

MD5 5d0b2c2a85eb4b2c1e06886ca20eae12
SHA1 3efca9f7fa746bf637e5206bc64939de339eccfe
SHA256 0e7609260b6e778838139050fa7bdd91a010b0b612488fa858a07544814c024a
SHA512 04ff0538562ce02738da14e03244ca38465f01db3c9fe86e66d00620a22b1f516a1115b20ef0cff0c897738109dbbe143cd7a87b8c537aa52110098537d91389

C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Code Cache\js\index-dir\the-real-index

MD5 485958adb2ca8df1f49cedad523cd0c7
SHA1 b691dfc5bddfebfbd09677f36564b9286d87f483
SHA256 c6b9f8e93f14fcf6b3cd8ebb1cafa3487f5d4374fab11f3d469a4666e4501601
SHA512 5d72438cc82e3ecaa05a1a312e7aaf62a0c58ed810679374ae8a69af7c7e8de4fa87897b8c2c8da17b3ccbcd9df204509b7f57015346bca5098c192b66909364

C:\Users\Admin\AppData\Roaming\Ultimate Tweaks\Network\Network Persistent State

MD5 2ecc4359e1278fdbc0e6a934771c1159
SHA1 1d10112f704aaffcb966c25bc69739fb9981e94b
SHA256 f40e48a11f403cc56c4d46650b48bd191722eba34872b7c3639514d76c121b4f
SHA512 dfa6b1864e71255ae8cd25193f4b371f1a2bf753e1aa5312276a3c57cfa4b7b4e7f665b3d1700ee0ff895a75121e8e0a503307431ab10b1fa7f821a01e046efe

memory/5260-1909-0x0000015A12D40000-0x0000015A12D41000-memory.dmp

memory/5260-1908-0x0000015A12D40000-0x0000015A12D41000-memory.dmp

memory/5260-1910-0x0000015A12D40000-0x0000015A12D41000-memory.dmp

memory/5260-1920-0x0000015A12D40000-0x0000015A12D41000-memory.dmp

memory/5260-1919-0x0000015A12D40000-0x0000015A12D41000-memory.dmp

memory/5260-1918-0x0000015A12D40000-0x0000015A12D41000-memory.dmp

memory/5260-1917-0x0000015A12D40000-0x0000015A12D41000-memory.dmp

memory/5260-1916-0x0000015A12D40000-0x0000015A12D41000-memory.dmp

memory/5260-1915-0x0000015A12D40000-0x0000015A12D41000-memory.dmp

memory/5260-1914-0x0000015A12D40000-0x0000015A12D41000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted

2024-09-22 11:13

Reported

2024-09-22 11:23

Platform

win7-20240903-en

Max time kernel

122s

Max time network

132s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ffmpeg.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ffmpeg.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-09-22 11:13

Reported

2024-09-22 11:23

Platform

win10v2004-20240802-en

Max time kernel

90s

Max time network

212s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libEGL.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libEGL.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 233.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-09-22 11:13

Reported

2024-09-22 11:23

Platform

win7-20240704-en

Max time kernel

117s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1832 -s 220

Network

N/A

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-09-22 11:13

Reported

2024-09-22 11:23

Platform

win7-20240903-en

Max time kernel

240s

Max time network

252s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2504 -s 224

Network

N/A

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-09-22 11:13

Reported

2024-09-22 11:23

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

302s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2348 wrote to memory of 2196 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2348 wrote to memory of 2196 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2348 wrote to memory of 2196 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2196 -ip 2196

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 59.170.16.2.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
IE 52.111.236.23:443 tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 213.143.182.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-09-22 11:13

Reported

2024-09-22 11:23

Platform

win7-20240903-en

Max time kernel

122s

Max time network

134s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis7z.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis7z.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis7z.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2928 -s 224

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-09-22 11:13

Reported

2024-09-22 11:23

Platform

win7-20240903-en

Max time kernel

118s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2764 -s 220

Network

N/A

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-09-22 11:13

Reported

2024-09-22 11:23

Platform

win10v2004-20240802-en

Max time kernel

242s

Max time network

311s

Command Line

"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html"

Signatures

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A bitbucket.org N/A N/A
N/A bitbucket.org N/A N/A
N/A bitbucket.org N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2216 wrote to memory of 1740 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2216 wrote to memory of 1740 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2216 wrote to memory of 1740 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2216 wrote to memory of 1740 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2216 wrote to memory of 1740 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2216 wrote to memory of 1740 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2216 wrote to memory of 1740 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2216 wrote to memory of 1740 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2216 wrote to memory of 1740 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2216 wrote to memory of 1740 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2216 wrote to memory of 1740 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1740 wrote to memory of 2248 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1740 wrote to memory of 2248 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1740 wrote to memory of 2248 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1740 wrote to memory of 2248 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1740 wrote to memory of 2248 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1740 wrote to memory of 2248 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1740 wrote to memory of 2248 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1740 wrote to memory of 2248 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1740 wrote to memory of 2248 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1740 wrote to memory of 2248 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1740 wrote to memory of 2248 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1740 wrote to memory of 2248 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1740 wrote to memory of 2248 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1740 wrote to memory of 2248 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1740 wrote to memory of 2248 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1740 wrote to memory of 2248 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1740 wrote to memory of 2248 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1740 wrote to memory of 2248 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1740 wrote to memory of 2248 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1740 wrote to memory of 2248 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1740 wrote to memory of 2248 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1740 wrote to memory of 2248 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1740 wrote to memory of 2248 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1740 wrote to memory of 2248 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1740 wrote to memory of 2248 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1740 wrote to memory of 2248 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1740 wrote to memory of 2248 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1740 wrote to memory of 2248 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1740 wrote to memory of 2248 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1740 wrote to memory of 2248 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1740 wrote to memory of 2248 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1740 wrote to memory of 2248 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1740 wrote to memory of 2248 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1740 wrote to memory of 2248 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1740 wrote to memory of 2248 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1740 wrote to memory of 2248 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1740 wrote to memory of 2248 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1740 wrote to memory of 2248 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1740 wrote to memory of 2248 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1740 wrote to memory of 2248 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1740 wrote to memory of 2248 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1740 wrote to memory of 2248 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1740 wrote to memory of 2248 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1740 wrote to memory of 2248 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1740 wrote to memory of 2248 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1740 wrote to memory of 3508 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1740 wrote to memory of 3508 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1740 wrote to memory of 3508 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1740 wrote to memory of 3508 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1740 wrote to memory of 3508 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1740 wrote to memory of 3508 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1740 wrote to memory of 3508 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1740 wrote to memory of 3508 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1996 -parentBuildID 20240401114208 -prefsHandle 1924 -prefMapHandle 1916 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c2a98660-48de-4eb8-808e-ca36003ac319} 1740 "\\.\pipe\gecko-crash-server-pipe.1740" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2432 -parentBuildID 20240401114208 -prefsHandle 2408 -prefMapHandle 2404 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1d9a56b8-6c5c-4efd-915e-7137e3a416c5} 1740 "\\.\pipe\gecko-crash-server-pipe.1740" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3008 -childID 1 -isForBrowser -prefsHandle 3112 -prefMapHandle 3056 -prefsLen 24741 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {717dfb25-3f73-4680-bde8-597fce2c87fe} 1740 "\\.\pipe\gecko-crash-server-pipe.1740" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3448 -childID 2 -isForBrowser -prefsHandle 3528 -prefMapHandle 2792 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f64ab4e3-f0a7-4890-93d9-03e68c5da086} 1740 "\\.\pipe\gecko-crash-server-pipe.1740" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1092 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4676 -prefMapHandle 2564 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {446eb857-b91f-45cc-82d3-a72078d3885a} 1740 "\\.\pipe\gecko-crash-server-pipe.1740" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5064 -childID 3 -isForBrowser -prefsHandle 5048 -prefMapHandle 5056 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a42a7e5b-12eb-49a1-b26c-ccbd48f0e142} 1740 "\\.\pipe\gecko-crash-server-pipe.1740" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5192 -childID 4 -isForBrowser -prefsHandle 5176 -prefMapHandle 5180 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b71e5ad9-5dac-4c6c-ad47-ab5eb0952eb5} 1740 "\\.\pipe\gecko-crash-server-pipe.1740" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5388 -childID 5 -isForBrowser -prefsHandle 5184 -prefMapHandle 5092 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {24d14b8d-3427-4dc0-9e48-704b519fea1f} 1740 "\\.\pipe\gecko-crash-server-pipe.1740" tab

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
N/A 127.0.0.1:49864 tcp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net tcp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 79.70.235.44.in-addr.arpa udp
US 8.8.8.8:53 firefox-settings-attachments.cdn.mozilla.net udp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 53.121.117.34.in-addr.arpa udp
US 8.8.8.8:53 source.chromium.org udp
US 8.8.8.8:53 www.kurims.kyoto-u.ac.jp udp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 8.8.8.8:53 aomedia.googlesource.com udp
US 8.8.8.8:53 chromium.googlesource.com udp
US 8.8.8.8:53 source.android.com udp
US 8.8.8.8:53 developer.android.com udp
US 8.8.8.8:53 ci.android.com udp
US 8.8.8.8:53 android.googlesource.com udp
US 8.8.8.8:53 www.mojohaus.org udp
US 8.8.8.8:53 developers.google.com udp
US 8.8.8.8:53 beto-core.googlesource.com udp
US 8.8.8.8:53 software.blackmagicdesign.com udp
US 8.8.8.8:53 www.chromium.org udp
US 8.8.8.8:53 boringssl.googlesource.com udp
US 8.8.8.8:53 www.daemonology.net udp
US 8.8.8.8:53 sigslot.sourceforge.net udp
US 8.8.8.8:53 checkerframework.org udp
US 8.8.8.8:53 code.google.com udp
US 8.8.8.8:53 pypi.python.org udp
US 8.8.8.8:53 crashpad.chromium.org udp
US 8.8.8.8:53 www.npmjs.com udp
US 8.8.8.8:53 www.opensource.apple.com udp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 projects.sourceforge.net.cdn.cloudflare.net udp
US 8.8.8.8:53 aomedia.googlesource.com udp
US 8.8.8.8:53 www.chromium.org udp
US 8.8.8.8:53 software.blackmagicdesign.com udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 8.8.8.8:53 www3.l.google.com udp
US 8.8.8.8:53 source.chromium.org udp
US 8.8.8.8:53 mojohaus.github.io udp
US 8.8.8.8:53 world-gen.g.aaplimg.com udp
US 8.8.8.8:53 code.l.google.com udp
US 8.8.8.8:53 boringssl.googlesource.com udp
US 8.8.8.8:53 www.daemonology.net udp
US 8.8.8.8:53 android.googlesource.com udp
US 8.8.8.8:53 developers.google.com udp
US 8.8.8.8:53 www.npmjs.com udp
US 8.8.8.8:53 dualstack.python.map.fastly.net udp
US 8.8.8.8:53 chromium.googlesource.com udp
US 8.8.8.8:53 ci.android.com udp
US 8.8.8.8:53 beto-core.googlesource.com udp
US 8.8.8.8:53 ghs.googlehosted.com udp
US 8.8.8.8:53 checkerframework.org udp
US 8.8.8.8:53 software.blackmagicdesign.com udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 8.8.8.8:53 www.chromium.org udp
US 8.8.8.8:53 projects.sourceforge.net.cdn.cloudflare.net udp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 world-gen.g.aaplimg.com udp
US 8.8.8.8:53 source.chromium.org udp
US 8.8.8.8:53 aomedia.googlesource.com udp
US 8.8.8.8:53 www3.l.google.com udp
US 8.8.8.8:53 www.daemonology.net udp
US 8.8.8.8:53 code.l.google.com udp
US 8.8.8.8:53 dualstack.python.map.fastly.net udp
US 8.8.8.8:53 www.npmjs.com udp
US 8.8.8.8:53 mojohaus.github.io udp
US 8.8.8.8:53 chromium.googlesource.com udp
US 8.8.8.8:53 developers.google.com udp
US 8.8.8.8:53 ci.android.com udp
US 8.8.8.8:53 android.googlesource.com udp
US 8.8.8.8:53 ghs.googlehosted.com udp
US 8.8.8.8:53 beto-core.googlesource.com udp
US 8.8.8.8:53 boringssl.googlesource.com udp
US 8.8.8.8:53 code.videolan.org udp
US 8.8.8.8:53 dawn.googlesource.com udp
US 8.8.8.8:53 easylist.to udp
US 8.8.8.8:53 checkerframework.org udp
US 8.8.8.8:53 gitlab.com udp
US 8.8.8.8:53 www.netlib.org udp
US 8.8.8.8:53 ffmpeg.org udp
US 8.8.8.8:53 findbugs.sourceforge.net udp
US 8.8.8.8:53 firebase.google.com udp
US 8.8.8.8:53 www.flotcharts.org udp
US 8.8.8.8:53 www.freetype.org udp
US 8.8.8.8:53 fuchsia.googlesource.com udp
US 8.8.8.8:53 fusejs.io udp
US 8.8.8.8:53 sourceware.org udp
US 8.8.8.8:53 www.gnu.org udp
US 8.8.8.8:53 pki.goog udp
US 8.8.8.8:53 cloud.google.com udp
US 8.8.8.8:53 harfbuzz.org udp
US 8.8.8.8:53 hunspell.sourceforge.net udp
US 8.8.8.8:53 bgoffice.sourceforge.net udp
US 8.8.8.8:53 www.ijg.org udp
US 8.8.8.8:53 developer.mozilla.org udp
US 8.8.8.8:53 jinja.palletsprojects.com udp
US 8.8.8.8:53 dawn.googlesource.com udp
US 8.8.8.8:53 easylist.to udp
US 8.8.8.8:53 gitlab.com udp
US 8.8.8.8:53 pki.goog udp
US 8.8.8.8:53 www.gnu.org udp
US 8.8.8.8:53 www.flotcharts.org udp
US 8.8.8.8:53 sourceware.org udp
US 8.8.8.8:53 code.videolan.org udp
US 8.8.8.8:53 www.freetype.org udp
US 8.8.8.8:53 firebase.google.com udp
US 8.8.8.8:53 www.khronos.org udp
US 8.8.8.8:53 fuchsia.googlesource.com udp
US 8.8.8.8:53 harfbuzz.org udp
US 8.8.8.8:53 mdn.prod.mdn.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 fusejs.io udp
US 8.8.8.8:53 readthedocs.io udp
US 8.8.8.8:53 cloud.google.com udp
US 8.8.8.8:53 registry.khronos.org udp
US 8.8.8.8:53 kotlinlang.org udp
US 8.8.8.8:53 www.khronos.org udp
US 8.8.8.8:53 code.videolan.org udp
US 8.8.8.8:53 www.gnu.org udp
US 8.8.8.8:53 www.flotcharts.org udp
US 8.8.8.8:53 dawn.googlesource.com udp
US 8.8.8.8:53 pki.goog udp
US 8.8.8.8:53 sourceware.org udp
US 8.8.8.8:53 gitlab.com udp
US 8.8.8.8:53 www.ijg.org udp
US 8.8.8.8:53 easylist.to udp
US 8.8.8.8:53 ffmpeg.org udp
US 8.8.8.8:53 brltty.app udp
US 8.8.8.8:53 harfbuzz.org udp
US 8.8.8.8:53 mdn.prod.mdn.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 fuchsia.googlesource.com udp
US 8.8.8.8:53 firebase.google.com udp
US 8.8.8.8:53 www.freetype.org udp
US 8.8.8.8:53 libcxx.llvm.org udp
US 8.8.8.8:53 www.ijg.org udp
US 8.8.8.8:53 brltty.app udp
US 8.8.8.8:53 libcxxabi.llvm.org udp
US 8.8.8.8:53 www.khronos.org udp
US 8.8.8.8:53 kotlinlang.org udp
US 8.8.8.8:53 gitlab.freedesktop.org udp
US 8.8.8.8:53 libevent.org udp
US 8.8.8.8:53 libpng.org udp
US 8.8.8.8:53 git.gnome.org udp
US 8.8.8.8:53 www.freedesktop.org udp
US 8.8.8.8:53 cloud.google.com udp
US 8.8.8.8:53 ffmpeg.org udp
US 8.8.8.8:53 fusejs.io udp
US 8.8.8.8:53 libusb.info udp
US 8.8.8.8:53 readthedocs.io udp
US 8.8.8.8:53 xmlsoft.org udp
US 8.8.8.8:53 lit.dev udp
US 8.8.8.8:53 reviews.llvm.org udp
US 8.8.8.8:53 www.7-zip.org udp
US 8.8.8.8:53 brltty.app udp
US 8.8.8.8:53 registry.khronos.org udp
US 8.8.8.8:53 www.mesa3d.org udp
US 8.8.8.8:53 kotlinlang.org udp
US 8.8.8.8:53 dxr.mozilla.org udp
US 8.8.8.8:53 libpng.org udp
US 8.8.8.8:53 ocp-ingress.fastly.gnome.org udp
US 8.8.8.8:53 gitlab.freedesktop.org udp
US 8.8.8.8:53 searchfox.org udp
US 8.8.8.8:53 libevent.org udp
US 8.8.8.8:53 www.mozilla.org udp
US 8.8.8.8:53 reviews.llvm.org udp
US 8.8.8.8:53 xmlsoft.org udp
US 8.8.8.8:53 registry.khronos.org udp
US 8.8.8.8:53 www.7-zip.org udp
US 8.8.8.8:53 cgit.freedesktop.org udp
US 8.8.8.8:53 lit.dev udp
US 8.8.8.8:53 cristal.univ-lille.fr udp
US 8.8.8.8:53 libusb.info udp
US 8.8.8.8:53 www.openh264.org udp
US 8.8.8.8:53 prod.refractr.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 libpng.org udp
US 8.8.8.8:53 gitlab.xiph.org udp
US 8.8.8.8:53 ocp-ingress.fastly.gnome.org udp
US 8.8.8.8:53 gitlab.freedesktop.org udp
US 8.8.8.8:53 www.azillionmonkeys.com udp
US 8.8.8.8:53 searchfox.org udp
US 8.8.8.8:53 www.mozorg.moz.works udp
US 8.8.8.8:53 reviews.llvm.org udp
US 8.8.8.8:53 xmlsoft.org udp
US 8.8.8.8:53 libevent.org udp
US 8.8.8.8:53 www.7-zip.org udp
US 8.8.8.8:53 molly.freedesktop.org udp
US 8.8.8.8:53 lit.dev udp
US 8.8.8.8:53 pdfium.googlesource.com udp
US 8.8.8.8:53 cisco.github.io udp
US 8.8.8.8:53 gitlab.xiph.org udp
US 8.8.8.8:53 bitbucket.org udp
US 8.8.8.8:53 www.polymer-project.org udp
US 8.8.8.8:53 prod.refractr.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 polymer-library.polymer-project.org udp
US 8.8.8.8:53 pypi.org udp
US 8.8.8.8:53 libusb.info udp
US 8.8.8.8:53 searchfox.org udp
US 8.8.8.8:53 quiche.googlesource.com udp
US 8.8.8.8:53 www.mozorg.moz.works udp
US 8.8.8.8:53 proxy-inst.lifl.fr udp
US 8.8.8.8:53 annarchy.freedesktop.org udp
US 8.8.8.8:53 redux.js.org udp
US 8.8.8.8:53 opensource.perlig.de udp
US 8.8.8.8:53 molly.freedesktop.org udp
US 8.8.8.8:53 bitbucket.org udp
US 8.8.8.8:53 sizzlejs.com udp
US 8.8.8.8:53 pypi.org udp
US 8.8.8.8:53 skia.org udp
US 8.8.8.8:53 pdfium.googlesource.com udp
US 8.8.8.8:53 netlib.org udp
N/A 127.0.0.1:49872 tcp
US 8.8.8.8:53 google.github.io udp
US 8.8.8.8:53 www.pertinentdetail.org udp
US 8.8.8.8:53 sqlite.org udp
US 8.8.8.8:53 proxy-inst.lifl.fr udp
US 8.8.8.8:53 www.strongtalk.org udp
US 8.8.8.8:53 redux-docs.netlify.app udp
US 8.8.8.8:53 pypi.org udp
US 8.8.8.8:53 quiche.googlesource.com udp
US 8.8.8.8:53 annarchy.freedesktop.org udp
US 8.8.8.8:53 azillionmonkeys.com udp
US 8.8.8.8:53 bitbucket.org udp
US 8.8.8.8:53 sizzlejs.com udp
US 8.8.8.8:53 www.suitable.com udp
US 8.8.8.8:53 pdfium.googlesource.com udp
US 8.8.8.8:53 swiftshader.googlesource.com udp
US 8.8.8.8:53 skia.org udp
US 8.8.8.8:53 google.github.io udp
US 8.8.8.8:53 sqlite.org udp
US 8.8.8.8:53 gpaas9.dc2.gandi.net udp
US 8.8.8.8:53 perlig.de udp
US 8.8.8.8:53 www.strongtalk.org udp
US 8.8.8.8:53 source.corp.google.com udp
US 8.8.8.8:53 redux-docs.netlify.app udp
US 8.8.8.8:53 quiche.googlesource.com udp
US 8.8.8.8:53 lists.llvm.org udp
US 8.8.8.8:53 swiftshader.googlesource.com udp
US 8.8.8.8:53 www.linux-usb.org udp
US 8.8.8.8:53 cldr.unicode.org udp
US 8.8.8.8:53 sizzlejs.com udp
US 8.8.8.8:53 hg.mozilla.org udp
US 8.8.8.8:53 www.suitable.com udp
US 8.8.8.8:53 git.linuxtv.org udp
US 8.8.8.8:53 skia.org udp
US 8.8.8.8:53 gitlab.xiph.org udp
US 8.8.8.8:53 sqlite.org udp
US 8.8.8.8:53 google.github.io udp
US 8.8.8.8:53 uberproxy.l.google.com udp
US 8.8.8.8:53 netlib.org udp
US 8.8.8.8:53 v8.dev udp
US 8.8.8.8:53 valgrind.org udp
US 8.8.8.8:53 www.strongtalk.org udp
US 8.8.8.8:53 ghs.google.com udp
US 8.8.8.8:53 lists.llvm.org udp
US 8.8.8.8:53 vhost.sourceforge.net udp
US 8.8.8.8:53 webkit.org udp
US 8.8.8.8:53 hg.public.mdc1.mozilla.com udp
US 8.8.8.8:53 perlig.de udp
US 8.8.8.8:53 cldr.pages.dev udp
US 8.8.8.8:53 www.suitable.com udp
US 8.8.8.8:53 swiftshader.googlesource.com udp
US 8.8.8.8:53 azillionmonkeys.com udp
US 8.8.8.8:53 www.webrtc.org udp
US 8.8.8.8:53 sourceforge.net udp
US 8.8.8.8:53 valgrind.org udp
US 8.8.8.8:53 uberproxy.l.google.com udp
US 8.8.8.8:53 www.linuxtv.org udp
US 8.8.8.8:53 opensource.apple.com udp
US 8.8.8.8:53 tukaani.org udp
US 8.8.8.8:53 vhost.sourceforge.net udp
US 8.8.8.8:53 ghs.google.com udp
US 8.8.8.8:53 v8.dev udp
US 8.8.8.8:53 hg.public.mdc1.mozilla.com udp
US 8.8.8.8:53 webkit.org udp
US 8.8.8.8:53 zlib.net udp
US 8.8.8.8:53 cldr.pages.dev udp
US 8.8.8.8:53 valgrind.org udp
US 8.8.8.8:53 tukaani.org udp
US 8.8.8.8:53 sourceforge.net udp
US 8.8.8.8:53 www.linuxtv.org udp
US 8.8.8.8:53 webkit.org udp
US 8.8.8.8:53 zlib.net udp
US 8.8.8.8:53 tukaani.org udp
US 8.8.8.8:53 sourceforge.net udp
US 8.8.8.8:53 zlib.net udp
US 8.8.8.8:53 tsuru.kurims.kyoto-u.ac.jp udp
US 8.8.8.8:53 tsuru.kurims.kyoto-u.ac.jp udp
US 8.8.8.8:53 v8.dev udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 201.181.244.35.in-addr.arpa udp
US 8.8.8.8:53 ciscobinary.openh264.org udp
GB 88.221.134.155:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 155.134.221.88.in-addr.arpa udp
GB 142.250.178.14:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 142.250.178.14:443 redirector.gvt1.com udp
US 8.8.8.8:53 r1---sn-ntnxax8xo-cxge.gvt1.com udp
DE 185.46.139.12:443 r1---sn-ntnxax8xo-cxge.gvt1.com tcp
US 8.8.8.8:53 r1.sn-ntnxax8xo-cxge.gvt1.com udp
US 8.8.8.8:53 r1.sn-ntnxax8xo-cxge.gvt1.com udp
US 8.8.8.8:53 12.139.46.185.in-addr.arpa udp
DE 185.46.139.12:443 r1.sn-ntnxax8xo-cxge.gvt1.com udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 location.services.mozilla.com udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 35.190.72.216:443 location.services.mozilla.com tcp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 35.190.72.216:443 prod.classify-client.prod.webservices.mozgcp.net udp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 216.72.190.35.in-addr.arpa udp
US 8.8.8.8:53 42.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 233.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 18.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp

Files

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\datareporting\glean\pending_pings\2cee1e11-2364-4111-94b2-981c26249e26

MD5 1dc7bbb678f39a8447d5c46ca2999c5c
SHA1 1400d7d46f515a4be1c834bc305714073bda0917
SHA256 c102bde23fd34d91402c84b46e33f465d83e1d6eb063f50aef832c0d88ef0bf1
SHA512 6e1ea5131b43f627c5152bce564153785db1643abae32173d6c023e09ad78e62f86ce4c3913ba5ba8b7800c93cb6c4c544b3a4114268b3ec9e882a7f86e5f852

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\datareporting\glean\pending_pings\d424fca4-ab1b-48c2-99c4-010dfa4a3802

MD5 d0aaac99e3841f6bdf9ea39a7b8cc538
SHA1 559081b32ca50c953393f3076b81b65e18ded4a6
SHA256 4139d0b6a9593448a0109357a3505e5df3d0dbbd8f45e8babb309ed781388d85
SHA512 19de29e887a47c1554d6cdf8567d589bd4a2bd54a8908ce87a9d6d03a1ed0ac52e06a6061b6e6a8863b343be795bdd7a3ccffd8e9499e3b90e92c04a2ba86386

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\datareporting\glean\pending_pings\1be7e7c6-a14b-4d30-8e60-2dea765496c4

MD5 7983423ea7203dd94a53f567348af193
SHA1 be6db253a3dd3a91a1f617b1cc05ffc691b42d4d
SHA256 7983bb6c2b197df9cfa8857435164318fa9caab8ec3a2a8d6add254325f6ff42
SHA512 ad527ecf3fb6fd570a60d212be75c017c73238f745418dfac4493b4c4ffd44def0d24c0f4884242a29be418fb44bc631dd93cf96cc477e01d6e85756a5aa4edd

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\datareporting\glean\db\data.safe.tmp

MD5 8fe923973b2b17568a707b63e6a9f1c2
SHA1 a776c799185fe5094ea34d86f5983be79e1776b4
SHA256 e4522a829d3eef2c86a0281f00a26fc73424e3d59559884283ecd33fda1008dc
SHA512 64a34672b76391c2cd7b566710470416d60684689625e15099a8ada6c7cdbfd4bd2993d366f5bbc11f019f8b98445fff9008909302a644b223e2612ce80d73a0

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\prefs.js

MD5 f342f4ea79f75e5518bf7793b783cef7
SHA1 52b9b7cdb4cb099c01980995fea44ff129b6fda5
SHA256 ac8e72536b3536a866837ede391e00adfed8f483c82456ed08524a73a684ce20
SHA512 35833a414c89217c5fd309dea1cea7edb75fef0e01d232327a6972543917495cae00d9858edeafe799bcb56cf06fdecc82ab46953f1f31488ea4405e5f0f6848

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\datareporting\glean\db\data.safe.tmp

MD5 006647d2c3933d8f2e9e6116b6e51354
SHA1 82d56f95ee2c99fb854ea5be7510ef4f24a3693a
SHA256 49b47b6826ebdab69ec9652ea555f255a99519de81507c4e73eb4dfb16d8c7ff
SHA512 05fc482896f2c98c3843147153c07842b817c1bcc6ff7ce2c0634a9c6305e81ca6a05801c8cf1bbc7796f43c5212647350501bf6213be775184c64c7736e34de

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 86390ffb275fe040c5e581dc50f6c0ab
SHA1 76fa33a898d0ceb822c409ff64ca56958e88389d
SHA256 1dc4b79cd34185f773ca6a410ad0e1437569f1fd04f947c45404c55ea541ab44
SHA512 cc7188f9c9e38ccc5eada34a731c20c14a28f2f28706e1b699455a9dd37278ee660645f9f08a55098c75b10bdddfbe7fd41d281d2c1cd32b580d9f45e3f6af21

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

MD5 c460716b62456449360b23cf5663f275
SHA1 06573a83d88286153066bae7062cc9300e567d92
SHA256 0ec0f16f92d876a9c1140d4c11e2b346a9292984d9a854360e54e99fdcd99cc0
SHA512 476bc3a333aace4c75d9a971ef202d5889561e10d237792ca89f8d379280262ce98cf3d4728460696f8d7ff429a508237764bf4a9ccb59fd615aee07bdcadf30

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\datareporting\glean\db\data.safe.tmp

MD5 2eea8f88c7177de10947055fce340c88
SHA1 3935d9623b353af29b3cd8e576de5a9f5e339fed
SHA256 7840063aea8dd550f43b93345748fd31df57db5a15d987ecb8f662bfe2afdada
SHA512 e7207e62c050136273460a5c17b075a01fae8e5857b2f682749b18cf7557c691a53eb7c7c80090cb742f7e9e9be0c43e39c5b12b6f19d513ffcf09f0e460c81c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\datareporting\glean\db\data.safe.bin

MD5 cb8eee8b61746101730e4057d17dfa05
SHA1 7391ef0df6fa9008ab9a0a1b4b58e777fc8e3767
SHA256 8c6d123708217f36c6ef6127f3d7f0eb4d4295e08281ba1838062b2f179f9d8e
SHA512 a1412f30b7fa3a84e29bca198c51875b2291b2ab2a775796fabcb1160f29dba45b7637ab11c495c485c2a08ab394e5e4c71692a75e9bc2fef5c056e9e2f9a28a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\prefs.js

MD5 6ac1b8fb9ba380ea4cd1101977745175
SHA1 b311ede99651af39e6cbbe43fa6d287d26eede32
SHA256 31a49e888e8c27d95edc4933c692dfa518955b978ce8428cfa80e10144f222c4
SHA512 1afad5511a2c92ecc719e864b3afffc70a21ead8cc458d895e6a2fd00bb1331055f6a5435bd4227947224df885d05fd6c9512f52bb10c525d3a9a6ae5cad485b

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\prefs.js

MD5 2a1ab3f092245c5de039907b2c89795c
SHA1 bf2b4049ca8f9027635f06804398c4e45cc9d633
SHA256 f8ba66b8c4eece4cdeeed89d1e354d13a93d273c19ce54fcf7d6239ec0beff6f
SHA512 5832c371562bfffb2b561c4bd4f0eddc65b428c774f5e575d0e4828cc86822f334fe9d447ed33c1e75e7682c4669abf5575552ddbd6b02b8a3a25ba6bb9742ab

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\cache2\entries\22386449CA13D8975B935875780066C6EF52CE37

MD5 512fe020fc4fb8d0498309017c08cbe8
SHA1 f7c448b43a780177e73bff4db4998cce2ba1e37d
SHA256 421820bc792bc79c834847bbe1ff59aed4cef4f1a5e7026693cb046fa1798029
SHA512 ae1755315ebd58e99f22b223ad899a521872d83049d394b16ada5f09f8afbe431dd98e5b1ab8d5ca8512c228ae57f6271331eeca6dac56ea08b6add0485b9ebf

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\AlternateServices.bin

MD5 4cca0523d83bca189b8424910272c555
SHA1 3adab769d13c506d82e90f28d1d3ba96071926e1
SHA256 fcbaa1291e747e525baef744889ee6903da3ad5e676b3dc748f82c89cc123825
SHA512 ebdbfff7f350c196fabcc9b5d2ee1ff911c2d4e7e2e522609ea679fef67c06159e432c129d9ef68b89b8a69233b8729e036be8f1dc3e9413c08123753d787cd8

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 5464b19379bfc270bd78c292a4cf5250
SHA1 85e364514bbd4606341f32b6d45907677b952ead
SHA256 d4012fbc6a0a7ba10dabadbcd0351905c75739dcc41af81ff6ff6ffb59ca7710
SHA512 1e9103eea89e666300b623987ea87727c6db9e0b72b3325ad922c0ddd8550014f33df89c23a30e4e5ebb0ed7b879df41c43c04ce9a55381618390913fc8c0478

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\prefs-1.js

MD5 37b2a255f1a48dda17040030bfe7996d
SHA1 3fe3e25797032723677df3e656892aaf76742bb4
SHA256 2459588d8eea69aa110abc9471b3dba141f6ef0ff16555970d874e13424f9025
SHA512 d2c9d3ad10aea263844374dfc895dc20db03e8c562f3962f733a895ed4ad4684297e778b450a447fb5788bdefe8170da6406732f2c87cae17b32cde059dcd48b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\sessionstore-backups\recovery.baklz4

MD5 fa2b5f7d961f4364a54d971ef92d9843
SHA1 0894e7f2ecec4a0520a5ac3200be8234b5a518dc
SHA256 f0ddccc3f9e31e3beef87df5910a388fb917c5fa4c3afa8999fd0a4f1a806341
SHA512 694d0d6a01eaa18f25fdd3a594a2d7ef40ede07b94673771fbf1b715c13c12ee44766a0cb759f80da0fffd0bff974e568d9f1031fedb199e2b5e2ae068644d60

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\personality-provider\recipe_attachment.json

MD5 be3d0f91b7957bbbf8a20859fd32d417
SHA1 fbc0380fe1928d6d0c8ab8b0a793a2bba0722d10
SHA256 fc07d42847eeaf69dcbf1b9a16eb48b141c11feb67aa40724be2aee83cb621b7
SHA512 8da24afcf587fbd4f945201702168e7cfc12434440200d00f09ddcd1d1d358a5e01065ac2a411fdf96a530e94db3697e3530578b392873cf874476b5e65d774a

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\personality-provider\nb_model_build_attachment_sports.json

MD5 ce4e75385300f9c03fdd52420e0f822f
SHA1 85c34648c253e4c88161d09dd1e25439b763628c
SHA256 44da98b03350e91e852fe59f0fc05d752fc867a5049ab0363da8bb7b7078ad14
SHA512 d119dc4706bbf3b6369fe72553cfacf1c9b2688e0188a7524b56d3e2ac85582a18bbee66d5594e0fb40767432646c23bf3e282090bd9b4c29f989a374aeae61f

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\personality-provider\nb_model_build_attachment_computers_and_electronics.json

MD5 6ccd943214682ac8c4ec08b7ec6dbcbd
SHA1 18417647f7c76581d79b537a70bf64f614f60fa2
SHA256 ab20b97406b0d9bf4f695e5ec7db4ebad5efb682311e74ca757d45b87ffc106b
SHA512 e57573d6f494df8aa7e8e6a20427a18f6868e19dc853b441b8506998158b23c7a4393b682c83b3513aae5075a21148dd8ca854a11dabcea6a0a0db8f2e6828b8

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\personality-provider\nb_model_build_attachment_science.json

MD5 7a8fd079bb1aeb4710a285ec909c62b9
SHA1 8429335e5866c7c21d752a11f57f76399e5634b6
SHA256 9606ce3988b2d2a4921b58ac454f54e53a9ea8f358326522a8b1dcc751b50b32
SHA512 8fc1546e509b5386c9e1088e0e3a1b81f288ef67f1989f3e83888057e23769907a2b184d624a4e4c44fcd5b88d719bd4cca94dfb33798804a721b8be022ec0c6

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\datareporting\glean\db\data.safe.tmp

MD5 ec07372c62cfb593a434714552305d27
SHA1 73062a9314f013842ba6abcd0011e50cff1081c6
SHA256 3f70becdc0735110b2e8a959a2f5b0b3378289327421f572e9fbb46a3b0c89ec
SHA512 f938aae4de30f2bfec1443a1e7c72656736ad69033a0c6905718727d24328b684c2fa9c1483a86d59f4cfa6ad4c8c2a7398f5f1a99ee1e7c84397430901353bc

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\personality-provider\nb_model_build_attachment_jobs_and_education.json

MD5 2d69892acde24ad6383082243efa3d37
SHA1 d8edc1c15739e34232012bb255872991edb72bc7
SHA256 29080288b2130a67414ecb296a53ddd9f0a4771035e3c1b2112e0ce656a7481a
SHA512 da391152e1fbce1f03607b486c5dea9a298a438e58e440ebb7b871bd5c62d7339b540eed115b4001b9840de1ba3898c6504872ff9094ba4d6a47455051c3f1c5

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\personality-provider\nb_model_build_attachment_real_estate.json

MD5 9899942e9cd28bcb9bf5074800eae2d0
SHA1 15e5071e5ed58001011652befc224aed06ee068f
SHA256 efcf6b2d09e89b8c449ffbcdb5354beaa7178673862ebcdd6593561f2aa7d99a
SHA512 9f7a5fbe6d46c694e8bc9b50e7843e9747ea3229cf4b00b8e95f1a5467bd095d166cbd523b3d9315c62e9603d990b8e56a018ba4a11d30ad607f5281cc42b4cd

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\personality-provider\nb_model_build_attachment_shopping.json

MD5 97d4a0fd003e123df601b5fd205e97f8
SHA1 a802a515d04442b6bde60614e3d515d2983d4c00
SHA256 bfd7e68ddca6696c798412402965a0384df0c8c209931bbadabf88ccb45e3bb6
SHA512 111e8a96bc8e07be2d1480a820fc30797d861a48d80622425af00b009512aacb30a2df9052c53bfbf4ee0800b6e6f5b56daa93d33f30fecb52e2f3850dfa9130

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\personality-provider\nb_model_build_attachment_people_and_society.json

MD5 b1bd26cf5575ebb7ca511a05ea13fbd2
SHA1 e83d7f64b2884ea73357b4a15d25902517e51da8
SHA256 4990a5d17bea15617624c48a0c7c23d16e95f15e2ec9dd1d82ee949567bbaec0
SHA512 edcede39c17b494474859bc1a9bbf18c9f6abd3f46f832086db3bb1337b01d862452d639f89f9470ca302a6fcb84a1686853ebb4b08003cb248615f0834a1e02

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\personality-provider\nb_model_build_attachment_autos_and_vehicles.json

MD5 39b73a66581c5a481a64f4dedf5b4f5c
SHA1 90e4a0883bb3f050dba2fee218450390d46f35e2
SHA256 022f9495f8867fea275ece900cfa7664c68c25073db4748343452dbc0b9eda17
SHA512 cfb697958e020282455ab7fabc6c325447db84ead0100d28b417b6a0e2455c9793fa624c23cb9b92dfea25124f59dcd1d5c1f43bf1703a0ad469106b755a7cdd

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\personality-provider\nb_model_build_attachment_internet_and_telecom.json

MD5 36689de6804ca5af92224681ee9ea137
SHA1 729d590068e9c891939fc17921930630cd4938dd
SHA256 e646d43505c9c4e53dbaa474ef85d650a3f309ccf153d106f328d9b6aeb66d52
SHA512 1c4f4aa02a65a9bbdf83dc5321c24cbe49f57108881616b993e274f5705f0466be2dd3389055a725b79f3317c98bdf9f8d47f86d62ebd151e4c57cc4dca2487c

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\personality-provider\nb_model_build_attachment_pets_and_animals.json

MD5 5b26aca80818dd92509f6a9013c4c662
SHA1 31e322209ba7cc1abd55bbb72a3c15bc2e4a895f
SHA256 dd537bfb1497eb9457c0c8ecbd2846f325e13ddef3988fd293a29e68ab0b2671
SHA512 29038f9f3b9b12259fb42daa93cdefabb9fb32a10f0d20f384a72fe97214eff1864b7fa2674c37224b71309d7d9cea4e36abd24a45a0e65f0c61dc5ca161ec7c

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\personality-provider\nb_model_build_attachment_online_communities.json

MD5 37a74ab20e8447abd6ca918b6b39bb04
SHA1 b50986e6bb542f5eca8b805328be51eaa77e6c39
SHA256 11b6084552e2979b5bc0fd6ffdc61e445d49692c0ae8dffedc07792f8062d13f
SHA512 49c6b96655ba0b5d08425af6815f06237089ec06926f49de1f03bc11db9e579bd125f2b6f3eaf434a2ccf10b262c42af9c35ab27683e8e9f984d5b36ec8f59fd

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\personality-provider\nb_model_build_attachment_books_and_literature.json

MD5 df96946198f092c029fd6880e5e6c6ec
SHA1 9aee90b66b8f9656063f9476ff7b87d2d267dcda
SHA256 df23a5b6f583ec3b4dce2aca8ff53cbdfadfd58c4b7aeb2e397eade5ff75c996
SHA512 43a9fc190f4faadef37e01fa8ad320940553b287ed44a95321997a48312142f110b29c79eed7930477bfb29777a5a9913b42bf22ce6bb3e679dda5af54a125ea

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\personality-provider\nb_model_build_attachment_games.json

MD5 4182a69a05463f9c388527a7db4201de
SHA1 5a0044aed787086c0b79ff0f51368d78c36f76bc
SHA256 35e67835a5cf82144765dfb1095ebc84ac27d08812507ad0a2d562bf68e13e85
SHA512 40023c9f89e0357fae26c33a023609de96b2a0b439318ef944d3d5b335b0877509f90505d119154eaa81e1097ecfb5aa44dd8bb595497cdecfc3ee711a1fe1d5

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\personality-provider\nb_model_build_attachment_beauty_and_fitness.json

MD5 0ed0473b23b5a9e7d1116e8d4d5ca567
SHA1 4eb5e948ac28453c4b90607e223f9e7d901301c4
SHA256 eed46e8fe6ff20f89884b4fc68a81e8d521231440301a01bb89beec8ebad296b
SHA512 464508d7992edfa0dfb61b04cfc5909b7daacf094fc81745de4d03214b207224133e48750a710979445ee1a65bb791bf240a2b935aacaf3987e5c67ff2d8ba9c

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\personality-provider\nb_model_build_attachment_finance.json

MD5 e95c2d2fc654b87e77b0a8a37aaa7fcf
SHA1 b4b00c9554839cab6a50a7ed8cd43d21fdaf35dc
SHA256 384bf5fcc6928200c7ebb1f03f99bf74f6063e78d3cd044374448f879799318e
SHA512 9696998a8d0e3a85982016ff0a22bb8ae1790410f1f6198bb379c0a192579f24c75c25c7648b76b00d25a32ac204178acaccd744ee78846dfc62ebf70bf7b93a

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\personality-provider\nb_model_build_attachment_arts_and_entertainment.json

MD5 6c651609d367b10d1b25ef4c5f2b3318
SHA1 0abcc756ea415abda969cd1e854e7e8ebeb6f2d4
SHA256 960065cc44a09bef89206d28048d3c23719d2f5e9b38cfc718ca864c9e0e91e9
SHA512 3e084452eefe14e58faa9ef0d9fda2d21af2c2ab1071ae23cde60527df8df43f701668ca0aa9d86f56630b0ab0ca8367803c968347880d674ad8217fba5d8915

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\personality-provider\nb_model_build_attachment_law_and_government.json

MD5 80c49b0f2d195f702e5707ba632ae188
SHA1 e65161da245318d1f6fdc001e8b97b4fd0bc50e7
SHA256 257ee9a218a1b7f9c1a6c890f38920eb7e731808e3d9b9fc956f8346c29a3e63
SHA512 972e95de7fe330c61cd22111bd3785999d60e7c02140809122d696a1f1f76f2cd0d63d6d92f657cdec24366d66b681e24f2735a8aabb8bcecec43c74e23fb4f5

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\personality-provider\nb_model_build_attachment_health.json

MD5 11711337d2acc6c6a10e2fb79ac90187
SHA1 5583047c473c8045324519a4a432d06643de055d
SHA256 150f21c4f60856ab5e22891939d68d062542537b42a7ce1f8a8cec9300e7c565
SHA512 c2301ed72f623b22f05333c5ecc5ebf55d8a2d9593167cc453a66d8f42c05ff7c11e2709b6298912038a8ea6175f050bbc6d1fc4381f385f7ad7a952ad1e856b

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\personality-provider\nb_model_build_attachment_business_and_industrial.json

MD5 a92a0fffc831e6c20431b070a7d16d5a
SHA1 da5bbe65f10e5385cbe09db3630ae636413b4e39
SHA256 8410809ebac544389cf27a10e2cbd687b7a68753aa50a42f235ac3fc7b60ce2c
SHA512 31a8602e1972900268651cd074950d16ad989b1f15ff3ebbd8e21e0311a619eef4d7d15cdb029ea8b22cf3b8759fa95b3067b4faaadcb90456944dbc3c9806a9

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\personality-provider\nb_model_build_attachment_food_and_drink.json

MD5 70ba02dedd216430894d29940fc627c2
SHA1 f0c9aa816c6b0e171525a984fd844d3a8cabd505
SHA256 905357002f2eced8bba1be2285a9b83198f60d2f9bb1144b5c119994f2ec6e34
SHA512 3ae60d0bf3c45d28e340d97106790787be2cc80ba579d313b5414084664b86e89879391c99e94b6e33bdc5508ea42a9fd34f48ca9b1e7adfa7b6dd22c783c263

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\personality-provider\nb_model_build_attachment_reference.json

MD5 567eaa19be0963b28b000826e8dd6c77
SHA1 7e4524c36113bbbafee34e38367b919964649583
SHA256 3619daa64036d1f0197cdadf7660e390d4b6e8c1b328ed3b59f828a205a6ea49
SHA512 6766919b06ca209eaed86f99bee20c6dad9cc36520fc84e1c251a668bcfe0afcf720ea6c658268dc3bbaaf602bfdf61eb237c68e08d5252ea6e5d1d2a373b9fe

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\personality-provider\nb_model_build_attachment_home_and_garden.json

MD5 250acc54f92176775d6bdd8412432d9f
SHA1 a6ad9ad7519e5c299d4b4ba458742b1b4d64cb65
SHA256 19edd15ebce419b83469d2ab783c0c1377d72a186d1ff08857a82bca842eea54
SHA512 a52c81062f02c15701f13595f4476f0a07735034fcf177b1a65b001394a816020ee791fed5afae81d51de27630b34a85efa717fe80da733556fdda8739030f49

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\personality-provider\nb_model_build_attachment_blogging_resources_and_services.json

MD5 c82700fcfcd9b5117176362d25f3e6f6
SHA1 a7ad40b40c7e8e5e11878f4702952a4014c5d22a
SHA256 c9f2a779dba0bc886cc1255816bd776bdc2e8a6a8e0f9380495a92bb66862780
SHA512 d38e65ab55cee8fef538ad96448cd0c6b001563714fc7b37c69a424d0661ec6b7d04892cf4b76b13ddbc7d300c115e87e0134d47c3f38ef51617e5367647b217

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\personality-provider\nb_model_build_attachment_hobbies_and_leisure.json

MD5 bb45971231bd3501aba1cd07715e4c95
SHA1 ea5bfd43d60a3d30cda1a31a3a5eb8ea0afa142a
SHA256 47db7797297a2a81d28c551117e27144b58627dbac1b1d52672b630d220f025d
SHA512 74767b1badbd32cacd3f996b8172df9c43656b11fea99f5a51fff38c6c6e2120fae8bdd0dd885234a3f173334054f580164fdf8860c27cbcf5fb29c5bcdc060d

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\personality-provider\nb_model_build_attachment_travel.json

MD5 48139e5ba1c595568f59fe880d6e4e83
SHA1 5e9ea36b9bb109b1ecfc41356cd5c8c9398d4a78
SHA256 4336ac211a822b0a5c3ce5de0d4730665acc351ee1965ea8da1c72477e216dfa
SHA512 57e826f0e1d9b12d11b05d47e2f5ae4f5787537862f26e039918cb14faff4bc854298c0b7de3023e371756a331c0f3ee1aa7cebbbf94ec70cdfc29e00a900ed1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\bookmarkbackups\bookmarks-2024-09-22_11_ur4QAd1T37d7n-N7hRALqw==.jsonlz4

MD5 99a805992ec9e668f077d145f44c7772
SHA1 e12680aa9442d649197b0aa95c7dce714e469c21
SHA256 de60c0ffe55b67100bfbcb3129221cb3f6b427ca3b575d0c1f9f3d634fff054b
SHA512 1a816aded29b43ee6f7c436e71adf8621da746e27626eef7fa7ce3193b4938f8fd17ef464df715c13d6152fdc64dc69c61cb790ce504436b265ffd1fb064d427

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\RYJOAPTDUGR7GQ0LUV5C.temp

MD5 fd0c6b81fc2fd1ea660cce39eeef2ee1
SHA1 a036f85a407768f3fbc7ded75c5a7fc1f96561ae
SHA256 6c5cdce84858ac482f9b85c397d02a16d2a3304651a4904e472e2ed9ac412098
SHA512 52ce55edd2ceae4208856c37d9f3137aa77724935037e3aa0d9fa031c7373ecbc8cb6602d8db568d7abcc74d48c4f321abd52e2a6375379e000aa8af80cff0ae

Analysis: behavioral13

Detonation Overview

Submitted

2024-09-22 11:13

Reported

2024-09-22 11:23

Platform

win7-20240903-en

Max time kernel

122s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe

"C:\Users\Admin\AppData\Local\Temp\Ultimate Tweaks.exe"

Network

N/A

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-09-22 11:13

Reported

2024-09-22 11:23

Platform

win10v2004-20240802-en

Max time kernel

144s

Max time network

306s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\d3dcompiler_47.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\d3dcompiler_47.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 31.73.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-09-22 11:13

Reported

2024-09-22 11:23

Platform

win10v2004-20240802-en

Max time kernel

144s

Max time network

301s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\vk_swiftshader.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\vk_swiftshader.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 121.170.16.2.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 66.229.138.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-09-22 11:13

Reported

2024-09-22 11:23

Platform

win7-20240903-en

Max time kernel

122s

Max time network

129s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 220

Network

N/A

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-09-22 11:13

Reported

2024-09-22 11:23

Platform

win10v2004-20240802-en

Max time kernel

145s

Max time network

306s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ffmpeg.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ffmpeg.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 59.170.16.2.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 9.179.89.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-09-22 11:13

Reported

2024-09-22 11:23

Platform

win7-20240903-en

Max time kernel

120s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 240

Network

N/A

Files

N/A