Malware Analysis Report

2024-11-30 19:28

Sample ID 240925-rkbdrstama
Target hel.txt
SHA256 e6a7cd09db490104366798d6ea71a3f1f8df01d59394e36ef6e1a8ecb8facf1d
Tags
agilenet defense_evasion discovery evasion persistence ransomware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e6a7cd09db490104366798d6ea71a3f1f8df01d59394e36ef6e1a8ecb8facf1d

Threat Level: Known bad

The file hel.txt was found to be: Known bad.

Malicious Activity Summary

agilenet defense_evasion discovery evasion persistence ransomware trojan

UAC bypass

Disables Task Manager via registry modification

Downloads MZ/PE file

Uses the VBS compiler for execution

Obfuscated with Agile.Net obfuscator

Drops startup file

Executes dropped EXE

Loads dropped DLL

Modifies WinLogon

Enumerates connected drives

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Sets desktop wallpaper using registry

Suspicious use of SetThreadContext

Drops file in Windows directory

Subvert Trust Controls: Mark-of-the-Web Bypass

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Opens file in notepad (likely ransom note)

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Modifies Internet Explorer settings

Suspicious use of AdjustPrivilegeToken

NTFS ADS

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious use of SetWindowsHookEx

Kills process with taskkill

Modifies registry class

Suspicious use of FindShellTrayWindow

Suspicious behavior: GetForegroundWindowSpam

System policy modification

Checks processor information in registry

Modifies Control Panel

Suspicious behavior: MapViewOfSection

Suspicious behavior: AddClipboardFormatListener

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-25 14:14

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-25 14:14

Reported

2024-09-25 14:23

Platform

win10-20240404-en

Max time kernel

487s

Max time network

508s

Command Line

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\hel.txt

Signatures

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\system32\wscript.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\system32\wscript.exe N/A

Disables Task Manager via registry modification

evasion

Downloads MZ/PE file

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rTErod.url C:\Users\Admin\Desktop\Ransomware.Unnamed_0.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rTErod.url C:\Users\Admin\Desktop\Ransomware.Unnamed_0.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rTErod.url C:\Users\Admin\Desktop\Ransomware.Unnamed_0.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6247.tmp\eulascr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8D9D.tmp\eulascr.exe N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\~~CB = "cb.exe" C:\Users\Admin\Downloads\ColorBug.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\J: C:\Users\Admin\Downloads\000(3).exe N/A
File opened (read-only) \??\N: C:\Users\Admin\Downloads\000(3).exe N/A
File opened (read-only) \??\O: C:\Users\Admin\Downloads\000(3).exe N/A
File opened (read-only) \??\T: C:\Users\Admin\Downloads\000(3).exe N/A
File opened (read-only) \??\W: C:\Users\Admin\Downloads\000(3).exe N/A
File opened (read-only) \??\X: C:\Users\Admin\Downloads\000(3).exe N/A
File opened (read-only) \??\I: C:\Users\Admin\Downloads\000(3).exe N/A
File opened (read-only) \??\G: C:\Users\Admin\Downloads\000(3).exe N/A
File opened (read-only) \??\H: C:\Users\Admin\Downloads\000(3).exe N/A
File opened (read-only) \??\L: C:\Users\Admin\Downloads\000(3).exe N/A
File opened (read-only) \??\M: C:\Users\Admin\Downloads\000(3).exe N/A
File opened (read-only) \??\S: C:\Users\Admin\Downloads\000(3).exe N/A
File opened (read-only) \??\U: C:\Users\Admin\Downloads\000(3).exe N/A
File opened (read-only) \??\B: C:\Users\Admin\Downloads\000(3).exe N/A
File opened (read-only) \??\E: C:\Users\Admin\Downloads\000(3).exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\Downloads\000(3).exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\Downloads\000(3).exe N/A
File opened (read-only) \??\A: C:\Users\Admin\Downloads\000(3).exe N/A
File opened (read-only) \??\P: C:\Users\Admin\Downloads\000(3).exe N/A
File opened (read-only) \??\R: C:\Users\Admin\Downloads\000(3).exe N/A
File opened (read-only) \??\V: C:\Users\Admin\Downloads\000(3).exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\Downloads\000(3).exe N/A
File opened (read-only) \??\K: C:\Users\Admin\Downloads\000(3).exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoRestartShell = "0" C:\Users\Admin\Downloads\000(3).exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper C:\Users\Admin\Downloads\000(3).exe N/A
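Editor's note and added example (this is the editor's code, not part of the sandbox report or of any tool named in it). The rows above are flattened four-column records (Description, Indicator, Process, Target), and the registry writes are the ones a host check should act on: ConsentPromptBehaviorAdmin = 0 makes UAC elevate administrators without any prompt; a value under ...\CurrentVersion\Run is a logon autostart entry; AutoRestartShell = 0 stops Winlogon from relaunching the shell if it exits; a Wallpaper write by the same process that changes file-class icons is how a ransom note gets displayed. Note that the submitted file itself is only opened in NOTEPAD.EXE (see Command Line above); every registry write in these tables is attributed to other executables in Downloads or on the Desktop. The script parses rows copied verbatim from this page, normalises the kernel-style key paths (\REGISTRY\MACHINE to HKLM, the user SID to a placeholder, and the WOW6432Node redirection node stripped, since the Run value written by ColorBug.exe landed in the 32-bit view and a host check must look in both views), and matches them against a small rule table. The ATT&CK technique IDs and the DisableTaskMgr rule are the editor's additions: the report's own MITRE ATT&CK section is empty, and it prints no row for the Task Manager behaviour it names in the summary.

```python
"""Parse the registry indicator rows above and flag the ones a host
check should act on.  Editor's added example: this is not code from
the sandbox report or from any tool named in it."""
import re
from dataclasses import dataclass
from typing import Optional

# Rows copied verbatim from the tables above (UAC bypass, Run key,
# WinLogon, wallpaper, plus the txtfile icon row, which matches no rule).
REPORT_ROWS = r"""
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\~~CB = "cb.exe" C:\Users\Admin\Downloads\ColorBug.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoRestartShell = "0" C:\Users\Admin\Downloads\000(3).exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper C:\Users\Admin\Downloads\000(3).exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\icon.ico" C:\Users\Admin\Downloads\000(3).exe N/A
"""

# Flattened row: "Set value (<type>) <key>[ = <value>] <process> N/A".
# Keys and values may contain spaces, so the key is matched lazily and
# the process column is anchored on its "C:\" prefix and the trailing N/A.
ROW_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) '
    r'(?P<key>\\REGISTRY\\.+?)'
    r'(?: = (?P<value>.+?))? '
    r'(?P<process>C:\\.+?) N/A$'
)
SID_RE = re.compile(r'^\\REGISTRY\\USER\\S-1-5-21-\d+-\d+-\d+-\d+(_Classes)?')


def normalize_key(raw_key: str) -> str:
    """Kernel path -> the hive names a host check uses.  The user SID becomes
    a placeholder and the WOW6432Node redirection node is dropped, so a Run
    value written by a 32-bit process compares equal to the 64-bit path."""
    key = SID_RE.sub(r'HKU\\<SID>\1', raw_key)
    key = key.replace('\\REGISTRY\\MACHINE', 'HKLM', 1)
    key = key.replace('\\SOFTWARE\\WOW6432Node\\', '\\SOFTWARE\\', 1)
    return key.rstrip('\\')


@dataclass(frozen=True)
class Rule:
    pattern: re.Pattern      # searched against the normalised key
    value: Optional[str]     # None: any value written is reportable
    technique: str           # editor's ATT&CK mapping; the report's section is empty
    meaning: str


RULES = [
    Rule(re.compile(r'\\Policies\\System\\ConsentPromptBehaviorAdmin$', re.I), '0',
         'T1548.002', 'UAC elevates administrators without prompting'),
    # Named in the summary above but no row is printed; standard key, editor's rule.
    Rule(re.compile(r'\\Policies\\System\\DisableTaskMgr$', re.I), '1',
         'T1562.001', 'Task Manager disabled by policy'),
    Rule(re.compile(r'\\CurrentVersion\\Run\\[^\\]+$', re.I), None,
         'T1547.001', 'autostart value under the Run key'),
    Rule(re.compile(r'\\Winlogon\\AutoRestartShell$', re.I), '0',
         'T1112', 'Winlogon will not relaunch the shell if it exits'),
    Rule(re.compile(r'\\Control Panel\\Desktop\\Wallpaper$', re.I), None,
         'T1491.001', 'wallpaper replaced, typically to show the ransom note'),
]


@dataclass(frozen=True)
class Finding:
    technique: str
    process: str
    key: str
    value: Optional[str]
    meaning: str


def parse_row(line: str) -> Optional[tuple[str, str, Optional[str], str]]:
    """Return (type, normalised key, unquoted value or None, process), or None
    for rows that are not registry writes."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    value = m['value']
    if value is not None and len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return m['type'], normalize_key(m['key']), value, m['process']


def triage(rows: str) -> list[Finding]:
    """Match every parsed registry write against RULES."""
    findings = []
    for line in rows.splitlines():
        parsed = parse_row(line)
        if parsed is None:
            continue
        _vtype, key, value, process = parsed
        for rule in RULES:
            if rule.pattern.search(key) and (rule.value is None or rule.value == value):
                findings.append(Finding(rule.technique, process, key, value, rule.meaning))
    return findings


if __name__ == '__main__':
    for f in triage(REPORT_ROWS):
        print(f'{f.technique}  {f.process}\n    {f.key} = {f.value!r}  [{f.meaning}]')
```

Run as-is it reports four findings, one per rule hit, and silently skips the txtfile\DefaultIcon row, which is the behaviour wanted from a triage filter: it should surface the writes that change the machine's trust or startup state, not every registry event the sandbox logged.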

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rescache\_merged\3720402701\1568373884.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
File opened for modification C:\Windows\Debug\ESE.TXT C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
File created C:\Windows\rescache\_merged\3720402701\1568373884.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
File created C:\Windows\rescache\_merged\3720402701\1568373884.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A

Subvert Trust Controls: Mark-of-the-Web Bypass

defense_evasion
Description Indicator Process Target
File created C:\Users\Admin\Downloads\LoveYou.exe:Zone.Identifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
File created C:\Users\Admin\Downloads\MrsMajor3.0(1).exe:Zone.Identifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
File created C:\Users\Admin\Downloads\Mabezat.exe:Zone.Identifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
File created C:\Users\Admin\Downloads\ColorBug.exe:Zone.Identifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
File created C:\Users\Admin\Downloads\000.exe:Zone.Identifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
File created C:\Users\Admin\Downloads\000(1).exe:Zone.Identifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
File created C:\Users\Admin\Downloads\000(2).exe:Zone.Identifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
File created C:\Users\Admin\Downloads\000(3).exe:Zone.Identifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
File created C:\Users\Admin\Downloads\IconDance.exe:Zone.Identifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
File created C:\Users\Admin\Downloads\MrsMajor3.0.exe:Zone.Identifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
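Added example (editor's code, not the report's). Three file-event patterns in the tables above deserve different handling. The .url dropped in the Startup folder by Ransomware.Unnamed_0.exe is a logon autostart. 000(3).exe opening \??\A: through \??\Z: (every letter except C, D and F) is the sweep a ransomware family uses to find additional volumes. The Zone.Identifier rows, however, show firefox.exe creating the stream on each download, which is Mark-of-the-Web being applied: the rows under the "Mark-of-the-Web Bypass" signature record the mark being written, not removed, so a useful check treats browser creation of that stream as informational and fires on a non-browser process touching it. The script below parses rows copied from this page, rebuilds the 23 drive rows from the letters listed above rather than repeating them, and aggregates drive-root opens per process before deciding. The severity labels, the browser list and the sweep threshold are the editor's choices.

```python
"""Triage of the file-event rows above: Startup-folder drop, drive-letter
sweep and Zone.Identifier streams.  Editor's added example, not code
from the sandbox report."""
import re
from collections import defaultdict

# Letters in the order the "Enumerates connected drives" table prints them.
DRIVE_LETTERS = 'J N O T W X I G H L M S U B E Q Y A P R V Z K'.split()

# Rows copied from the tables above; the 23 drive rows are rebuilt from
# DRIVE_LETTERS instead of being repeated.
REPORT_ROWS = '\n'.join(
    [
        r'File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rTErod.url C:\Users\Admin\Desktop\Ransomware.Unnamed_0.exe N/A',
        r'File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rTErod.url C:\Users\Admin\Desktop\Ransomware.Unnamed_0.exe N/A',
        r'File created C:\Users\Admin\Downloads\LoveYou.exe:Zone.Identifier C:\Program Files\Mozilla Firefox\firefox.exe N/A',
        r'File created C:\Users\Admin\Downloads\000(3).exe:Zone.Identifier C:\Program Files\Mozilla Firefox\firefox.exe N/A',
    ]
    + [rf'File opened (read-only) \??\{letter}: C:\Users\Admin\Downloads\000(3).exe N/A'
       for letter in DRIVE_LETTERS]
)

# Flattened row: "<action> <path> <process> N/A"; both paths may contain
# spaces, so the path is matched lazily up to the process's "C:\" prefix.
FILE_RE = re.compile(
    r'^(?P<action>File created|File opened for modification|File opened \(read-only\)) '
    r'(?P<path>.+?) (?P<process>C:\\.+?) N/A$'
)
DRIVE_ROOT_RE = re.compile(r'^\\\?\?\\(?P<letter>[A-Z]):$')          # \??\X:
STARTUP_RE = re.compile(r'\\Start Menu\\Programs\\Startup\\', re.I)
ZONE_ID_RE = re.compile(r':Zone\.Identifier$', re.I)

# Editor's choices: processes expected to write the mark on a download, and
# how many distinct roots one process may open before it counts as a sweep.
BROWSERS = {'firefox.exe', 'chrome.exe', 'msedge.exe', 'microsoftedgecp.exe', 'iexplore.exe'}
DRIVE_SWEEP_THRESHOLD = 8


def parse_file_rows(rows: str) -> list[tuple[str, str, str]]:
    """Return (action, path, process) for every row the pattern recognises."""
    events = []
    for line in rows.splitlines():
        m = FILE_RE.match(line.strip())
        if m:
            events.append((m['action'], m['path'], m['process']))
    return events


def probed_drives(events) -> dict[str, set[str]]:
    """Distinct drive roots opened, keyed by process."""
    drives = defaultdict(set)
    for _action, path, process in events:
        m = DRIVE_ROOT_RE.match(path)
        if m:
            drives[process].add(m['letter'])
    return drives


def triage_files(rows: str) -> list[tuple[str, str, str]]:
    """Return (severity, process, message) triples."""
    events = parse_file_rows(rows)
    findings = []
    for action, path, process in events:
        if DRIVE_ROOT_RE.match(path):
            continue                                    # aggregated below
        exe = process.rsplit('\\', 1)[-1].lower()
        if STARTUP_RE.search(path):
            findings.append(('high', process, f'{action}: logon autostart file {path}'))
        elif ZONE_ID_RE.search(path):
            if action == 'File created' and exe in BROWSERS:
                # The stream being written is the mark being applied, not removed.
                findings.append(('info', process, f'Mark-of-the-Web applied to download {path}'))
            else:
                findings.append(('high', process,
                                 f'{action} on Zone.Identifier by non-browser: {path}'))
    for process, letters in probed_drives(events).items():
        if len(letters) >= DRIVE_SWEEP_THRESHOLD:
            findings.append(('medium', process,
                             f'probed {len(letters)} drive roots: {"".join(sorted(letters))}'))
    return findings


if __name__ == '__main__':
    for severity, process, message in triage_files(REPORT_ROWS):
        print(f'[{severity:6}] {process}: {message}')
```

On the rows from this page the output is two high findings for the Startup-folder .url, two informational entries for the browser-applied marks, and one medium finding for 000(3).exe probing 23 drive roots. A "File opened for modification" on a Zone.Identifier stream by anything outside the browser list would come out as high, which is the event the signature name describes and which this run does not contain.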

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\Ransomware.Unnamed_0.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\Common Files\Microsoft Shared\ClickToRun\mavinject32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\ColorBug.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\Ransomware.Unnamed_0.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\LoveYou.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\IconDance.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\000(3).exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\Common Files\Microsoft Shared\ClickToRun\mavinject32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\Ransomware.Unnamed_0.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\Mabezat.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Wbem\WMIC.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Colors\WindowFrame = "205 222 160" C:\Users\Admin\Downloads\ColorBug.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Colors\TitleText = "17 103 16" C:\Users\Admin\Downloads\ColorBug.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Colors\Scrollbar = "122 212 155" C:\Users\Admin\Downloads\ColorBug.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Colors C:\Users\Admin\Downloads\ColorBug.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Colors\AppWorkspace = "212 191 35" C:\Users\Admin\Downloads\ColorBug.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Colors\ButtonFace = "45 21 101" C:\Users\Admin\Downloads\ColorBug.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Colors\Scrollbar = "38 165 82" C:\Users\Admin\Downloads\ColorBug.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Colors\TitleText = "137 217 121" C:\Users\Admin\Downloads\ColorBug.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Colors\Hilight = "182 149 72" C:\Users\Admin\Downloads\ColorBug.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Colors\MenuText = "63 162 243" C:\Users\Admin\Downloads\ColorBug.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Colors\InactiveBorder = "233 101 98" C:\Users\Admin\Downloads\ColorBug.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Colors\Hilight = "201 66 172" C:\Users\Admin\Downloads\ColorBug.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Colors\InactiveTitle = "145 251 15" C:\Users\Admin\Downloads\ColorBug.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Colors\MenuText = "158 11 122" C:\Users\Admin\Downloads\ColorBug.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Colors C:\Users\Admin\Downloads\ColorBug.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Colors\Hilight = "179 68 220" C:\Users\Admin\Downloads\ColorBug.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Colors\ActiveBorder = "177 231 61" C:\Users\Admin\Downloads\ColorBug.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Colors\ActiveTitle = "127 148 109" C:\Users\Admin\Downloads\ColorBug.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Colors\InactiveTitle = "149 199 3" C:\Users\Admin\Downloads\ColorBug.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Colors\ActiveBorder = "179 156 215" C:\Users\Admin\Downloads\ColorBug.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Colors\ActiveTitle = "39 249 78" C:\Users\Admin\Downloads\ColorBug.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Colors\Window = "173 228 100" C:\Users\Admin\Downloads\ColorBug.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Colors\GrayText = "230 250 54" C:\Users\Admin\Downloads\ColorBug.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Colors\TitleText = "63 25 116" C:\Users\Admin\Downloads\ColorBug.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Colors\ButtonFace = "255 177 108" C:\Users\Admin\Downloads\ColorBug.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Colors\Window = "223 250 131" C:\Users\Admin\Downloads\ColorBug.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Colors\WindowFrame = "38 226 4" C:\Users\Admin\Downloads\ColorBug.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Colors\HilightText = "19 168 167" C:\Users\Admin\Downloads\ColorBug.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Colors\ButtonShadow = "198 187 198" C:\Users\Admin\Downloads\ColorBug.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Colors\Background = "183 48 22" C:\Users\Admin\Downloads\ColorBug.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Colors\WindowText = "34 47 89" C:\Users\Admin\Downloads\ColorBug.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Colors\ButtonShadow = "98 94 89" C:\Users\Admin\Downloads\ColorBug.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Colors\WindowFrame = "167 136 185" C:\Users\Admin\Downloads\ColorBug.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Colors\MenuText = "223 9 120" C:\Users\Admin\Downloads\ColorBug.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Colors\InactiveTitleText = "178 23 156" C:\Users\Admin\Downloads\ColorBug.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Colors\MenuText = "136 164 149" C:\Users\Admin\Downloads\ColorBug.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Colors\Background = "95 48 13" C:\Users\Admin\Downloads\ColorBug.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Colors\InactiveBorder = "101 140 130" C:\Users\Admin\Downloads\ColorBug.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Colors\ButtonText = "82 2 65" C:\Users\Admin\Downloads\ColorBug.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Colors\ButtonShadow = "35 242 125" C:\Users\Admin\Downloads\ColorBug.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Colors\Menu = "236 63 120" C:\Users\Admin\Downloads\ColorBug.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Colors\Scrollbar = "121 137 59" C:\Users\Admin\Downloads\ColorBug.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Colors\Menu = "98 69 211" C:\Users\Admin\Downloads\ColorBug.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Colors\ActiveBorder = "23 133 43" C:\Users\Admin\Downloads\ColorBug.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Colors\InactiveTitleText = "16 168 27" C:\Users\Admin\Downloads\ColorBug.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Colors\Background = "245 98 116" C:\Users\Admin\Downloads\ColorBug.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Colors\Menu = "54 200 51" C:\Users\Admin\Downloads\ColorBug.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Colors\AppWorkspace = "238 37 58" C:\Users\Admin\Downloads\ColorBug.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Colors\ActiveTitle = "138 134 164" C:\Users\Admin\Downloads\ColorBug.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Colors\GrayText = "176 241 50" C:\Users\Admin\Downloads\ColorBug.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Colors\InactiveBorder = "219 88 206" C:\Users\Admin\Downloads\ColorBug.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Colors\AppWorkspace = "53 16 154" C:\Users\Admin\Downloads\ColorBug.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Colors\Window = "183 114 67" C:\Users\Admin\Downloads\ColorBug.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Colors C:\Users\Admin\Downloads\ColorBug.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Colors\Menu = "149 112 179" C:\Users\Admin\Downloads\ColorBug.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Colors\WindowText = "148 150 172" C:\Users\Admin\Downloads\ColorBug.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Colors\AppWorkspace = "16 220 224" C:\Users\Admin\Downloads\ColorBug.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Colors\GrayText = "128 23 152" C:\Users\Admin\Downloads\ColorBug.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Colors\HilightText = "122 219 30" C:\Users\Admin\Downloads\ColorBug.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Colors\ButtonShadow = "46 240 243" C:\Users\Admin\Downloads\ColorBug.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Colors C:\Users\Admin\Downloads\ColorBug.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Colors\Hilight = "21 14 217" C:\Users\Admin\Downloads\ColorBug.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Colors\InactiveTitleText = "233 173 55" C:\Users\Admin\Downloads\ColorBug.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Colors\ButtonText = "220 234 150" C:\Users\Admin\Downloads\ColorBug.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\system32\browser_broker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\icon.ico" C:\Users\Admin\Downloads\000(3).exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Explorer\Main\OperationalData = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Explorer C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Explorer\Main\OperationalData = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VendorId = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\CIPolicyState = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Explorer\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{A8A88C49-5EB2-4990-A1A2-08760 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Explorer C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Extensible Cache C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content\CacheLimit = "256000" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DeviceId = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\LowMic C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionHigh = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\CIStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\SyncIEFirstTimeFullScan = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = b957efec550fdb01 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DXFeatureLevel = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\ACGStatus\ACGPolicyState = "8" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\CIStatus\CIPolicyState = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 992e08ed550fdb01 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\History C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Explorer\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\ACGPolicyState = "6" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies\CacheLimit = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies\CacheLimit = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionHigh = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\DynamicCodePolicy = 00000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{15894823-F081-4B4D-A98B-E768A0C343DB} = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-SubSysId = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\SignaturePolicy = 06000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 056ce2ec550fdb01 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A

NTFS ADS

Description Indicator Process Target
File created C:\Users\Admin\Downloads\Ransomware.Rex.zip:Zone.Identifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
File created C:\Users\Admin\Downloads\Ransomware.Jigsaw.zip:Zone.Identifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
File created C:\Users\Admin\Downloads\000(2).exe:Zone.Identifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
File created C:\Users\Admin\Downloads\000(3).exe:Zone.Identifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
File created C:\Users\Admin\Downloads\Mabezat.exe:Zone.Identifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
File created C:\Users\Admin\Downloads\IconDance.exe:Zone.Identifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
File created C:\Users\Admin\Downloads\MrsMajor3.0(1).exe:Zone.Identifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
File created C:\Users\Admin\Downloads\Ransomware.Locky.zip:Zone.Identifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
File created C:\Users\Admin\Downloads\MrsMajor3.0.exe:Zone.Identifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
File created C:\Users\Admin\Downloads\000.exe:Zone.Identifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
File created C:\Users\Admin\Downloads\000(1).exe:Zone.Identifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
File created C:\Users\Admin\Downloads\Ransomware.Vipasana.zip:Zone.Identifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
File created C:\Users\Admin\Downloads\Ransomware.Unnamed_0.zip:Zone.Identifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
File created C:\Users\Admin\Downloads\ColorBug.exe:Zone.Identifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
File created C:\Users\Admin\Downloads\LoveYou.exe:Zone.Identifier C:\Program Files\Mozilla Firefox\firefox.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\Ransomware.Unnamed_0.exe N/A
N/A N/A C:\Users\Admin\Desktop\Ransomware.Unnamed_0.exe N/A
N/A N/A C:\Users\Admin\Desktop\Ransomware.Unnamed_0.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Users\Admin\Desktop\Ransomware.Unnamed_0.exe N/A
N/A N/A C:\Users\Admin\Desktop\Ransomware.Unnamed_0.exe N/A
N/A N/A C:\Users\Admin\Desktop\Ransomware.Unnamed_0.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Users\Admin\Desktop\Ransomware.Unnamed_0.exe N/A
N/A N/A C:\Users\Admin\Desktop\Ransomware.Unnamed_0.exe N/A
N/A N/A C:\Users\Admin\Desktop\Ransomware.Unnamed_0.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6247.tmp\eulascr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6247.tmp\eulascr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8D9D.tmp\eulascr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8D9D.tmp\eulascr.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\Ransomware.Unnamed_0.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\Ransomware.Unnamed_0.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\Ransomware.Unnamed_0.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6247.tmp\eulascr.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8D9D.tmp\eulascr.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\Downloads\000(3).exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\Downloads\000(3).exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\Downloads\000(3).exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\Downloads\000(3).exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\Downloads\000(3).exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\Downloads\000(3).exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3128 wrote to memory of 3656 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3128 wrote to memory of 3656 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3128 wrote to memory of 3656 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3128 wrote to memory of 3656 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3128 wrote to memory of 3656 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3128 wrote to memory of 3656 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3128 wrote to memory of 3656 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3128 wrote to memory of 3656 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3128 wrote to memory of 3656 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3128 wrote to memory of 3656 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3128 wrote to memory of 3656 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3656 wrote to memory of 4632 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3656 wrote to memory of 4632 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3656 wrote to memory of 164 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3656 wrote to memory of 164 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3656 wrote to memory of 164 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3656 wrote to memory of 164 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3656 wrote to memory of 164 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3656 wrote to memory of 164 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3656 wrote to memory of 164 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3656 wrote to memory of 164 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3656 wrote to memory of 164 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3656 wrote to memory of 164 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3656 wrote to memory of 164 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3656 wrote to memory of 164 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3656 wrote to memory of 164 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3656 wrote to memory of 164 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3656 wrote to memory of 164 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3656 wrote to memory of 164 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3656 wrote to memory of 164 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3656 wrote to memory of 164 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3656 wrote to memory of 164 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3656 wrote to memory of 164 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3656 wrote to memory of 164 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3656 wrote to memory of 164 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3656 wrote to memory of 164 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3656 wrote to memory of 164 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3656 wrote to memory of 164 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3656 wrote to memory of 164 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3656 wrote to memory of 164 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3656 wrote to memory of 164 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3656 wrote to memory of 164 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3656 wrote to memory of 164 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3656 wrote to memory of 164 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3656 wrote to memory of 164 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3656 wrote to memory of 164 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3656 wrote to memory of 164 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3656 wrote to memory of 164 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3656 wrote to memory of 164 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3656 wrote to memory of 164 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3656 wrote to memory of 164 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3656 wrote to memory of 164 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3656 wrote to memory of 164 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3656 wrote to memory of 164 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3656 wrote to memory of 164 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3656 wrote to memory of 164 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3656 wrote to memory of 164 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3656 wrote to memory of 164 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3656 wrote to memory of 164 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3656 wrote to memory of 164 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3656 wrote to memory of 164 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3656 wrote to memory of 3404 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3656 wrote to memory of 3404 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3656 wrote to memory of 3404 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\system32\wscript.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\system32\wscript.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\system32\wscript.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\hel.txt

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3656.0.1808139295\1331247991" -parentBuildID 20221007134813 -prefsHandle 1684 -prefMapHandle 1676 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {98dccd61-4c3a-492f-8dcb-540cb3e5989d} 3656 "\\.\pipe\gecko-crash-server-pipe.3656" 1764 1bdec282858 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3656.1.1234221948\928381580" -parentBuildID 20221007134813 -prefsHandle 2108 -prefMapHandle 2104 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4f5a58b6-bc7c-42ea-ac2d-e5c7b0416e5e} 3656 "\\.\pipe\gecko-crash-server-pipe.3656" 2120 1bdeac3c858 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3656.2.1010205302\605552336" -childID 1 -isForBrowser -prefsHandle 2776 -prefMapHandle 2908 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1300 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9a41fa00-3575-4828-bd73-b0c7b8c43507} 3656 "\\.\pipe\gecko-crash-server-pipe.3656" 2884 1bdef397e58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3656.3.556907743\526650223" -childID 2 -isForBrowser -prefsHandle 3396 -prefMapHandle 3392 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1300 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b9055c1e-99de-4437-9e9f-d59b51b3d533} 3656 "\\.\pipe\gecko-crash-server-pipe.3656" 3424 1bded867b58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3656.4.1097376904\610790540" -childID 3 -isForBrowser -prefsHandle 4208 -prefMapHandle 4204 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1300 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c2fcddda-2506-44af-a31f-67364bf46e97} 3656 "\\.\pipe\gecko-crash-server-pipe.3656" 4236 1bdf10ba658 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3656.5.1513251466\1045295914" -childID 4 -isForBrowser -prefsHandle 4880 -prefMapHandle 4896 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1300 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5e938a05-e59d-4908-80a3-28574e781105} 3656 "\\.\pipe\gecko-crash-server-pipe.3656" 4884 1bdf1812a58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3656.6.2084794574\1818868147" -childID 5 -isForBrowser -prefsHandle 4852 -prefMapHandle 4848 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1300 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {166f963e-6641-45a5-a423-c805bbabd692} 3656 "\\.\pipe\gecko-crash-server-pipe.3656" 4860 1bdf1e44258 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3656.7.2071932064\320052859" -childID 6 -isForBrowser -prefsHandle 5224 -prefMapHandle 5228 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1300 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {444b9cb1-aadc-45f3-909d-cf3433ecfd49} 3656 "\\.\pipe\gecko-crash-server-pipe.3656" 5216 1bdf1e45d58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3656.8.1193077842\386342268" -childID 7 -isForBrowser -prefsHandle 5600 -prefMapHandle 5744 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1300 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {08f6a782-bb9f-46b5-b120-4da17183eb3a} 3656 "\\.\pipe\gecko-crash-server-pipe.3656" 5756 1bdf2f7e558 tab

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Desktop\Locky"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\Desktop\Locky

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3656.9.1876803711\923716231" -childID 8 -isForBrowser -prefsHandle 5656 -prefMapHandle 5604 -prefsLen 26808 -prefMapSize 233444 -jsInitHandle 1300 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {824202b0-7124-4af4-9fb1-a059198b3ab2} 3656 "\\.\pipe\gecko-crash-server-pipe.3656" 4584 1bdf1687858 tab

C:\Users\Admin\Desktop\Ransomware.Unnamed_0.exe

"C:\Users\Admin\Desktop\Ransomware.Unnamed_0.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\a0vtjxzp\a0vtjxzp.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2CB3.tmp" "c:\Users\Admin\AppData\Local\Temp\a0vtjxzp\CSC46A25D285E6C408199F5F814FD1168CF.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"

C:\Windows\notepad.exe

"C:\Windows\notepad.exe" -c "C:\Users\Admin\AppData\Local\JesYXqkYNx\cfg"

C:\Users\Admin\Desktop\Ransomware.Unnamed_0.exe

"C:\Users\Admin\Desktop\Ransomware.Unnamed_0.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nnz4w4rg\nnz4w4rg.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES54EC.tmp" "c:\Users\Admin\AppData\Local\Temp\nnz4w4rg\CSC71CCFC2293344A01B6C965FE5CC24046.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"

C:\Windows\notepad.exe

"C:\Windows\notepad.exe" -c "C:\Users\Admin\AppData\Local\JesYXqkYNx\cfg"

C:\Program Files\Microsoft Office\root\Client\AppVLP.exe

"C:\Program Files\Microsoft Office\root\Client\AppVLP.exe" "C:\Program Files (x86)\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE"

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE

"C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE"

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\mavinject32.exe

"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\mavinject32.exe" 5284 "C:\Program Files\Microsoft Office\root\Client\AppVIsvSubsystems32.dll" 1

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\mavinject32.exe

"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\mavinject32.exe" 5284 "C:\Program Files\Microsoft Office\root\Client\AppVIsvSubsystems32.dll" 1

C:\Users\Admin\Desktop\Ransomware.Unnamed_0.exe

"C:\Users\Admin\Desktop\Ransomware.Unnamed_0.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ocwz4hsv\ocwz4hsv.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8E5B.tmp" "c:\Users\Admin\AppData\Local\Temp\ocwz4hsv\CSCB25914F9833F46E68BF6811562C1980.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"

C:\Windows\notepad.exe

"C:\Windows\notepad.exe" -c "C:\Users\Admin\AppData\Local\JesYXqkYNx\cfg"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3656.10.904348234\1811439643" -childID 9 -isForBrowser -prefsHandle 6420 -prefMapHandle 4204 -prefsLen 26817 -prefMapSize 233444 -jsInitHandle 1300 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a47eb468-61dc-4d7e-ae44-3662bf25c0ca} 3656 "\\.\pipe\gecko-crash-server-pipe.3656" 6428 1bdf2f80c58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3656.11.922136868\973846663" -childID 10 -isForBrowser -prefsHandle 6808 -prefMapHandle 5384 -prefsLen 26817 -prefMapSize 233444 -jsInitHandle 1300 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {102f5201-dfa4-451d-b6c4-6e067f69c288} 3656 "\\.\pipe\gecko-crash-server-pipe.3656" 6820 1bdf25f1358 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3656.12.664585188\96505803" -childID 11 -isForBrowser -prefsHandle 5432 -prefMapHandle 5376 -prefsLen 26817 -prefMapSize 233444 -jsInitHandle 1300 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b819086b-8def-45d7-882e-945dbacb6a68} 3656 "\\.\pipe\gecko-crash-server-pipe.3656" 5468 1bdf6a04158 tab

C:\Users\Admin\Downloads\Mabezat.exe

"C:\Users\Admin\Downloads\Mabezat.exe"

C:\Users\Admin\Downloads\ColorBug.exe

"C:\Users\Admin\Downloads\ColorBug.exe"

C:\Users\Admin\Downloads\ColorBug.exe

"C:\Users\Admin\Downloads\ColorBug.exe"

C:\Users\Admin\Downloads\ColorBug.exe

"C:\Users\Admin\Downloads\ColorBug.exe"

C:\Users\Admin\Downloads\Mabezat.exe

"C:\Users\Admin\Downloads\Mabezat.exe"

C:\Users\Admin\Downloads\ColorBug.exe

"C:\Users\Admin\Downloads\ColorBug.exe"

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca

C:\Windows\system32\browser_broker.exe

C:\Windows\system32\browser_broker.exe -Embedding

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Users\Admin\Downloads\LoveYou.exe

"C:\Users\Admin\Downloads\LoveYou.exe"

C:\Users\Admin\Downloads\IconDance.exe

"C:\Users\Admin\Downloads\IconDance.exe"

C:\Users\Admin\Downloads\MrsMajor3.0.exe

"C:\Users\Admin\Downloads\MrsMajor3.0.exe"

C:\Windows\system32\wscript.exe

"C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\6247.tmp\6248.tmp\6249.vbs //Nologo

C:\Users\Admin\AppData\Local\Temp\6247.tmp\eulascr.exe

"C:\Users\Admin\AppData\Local\Temp\6247.tmp\eulascr.exe"

C:\Users\Admin\Downloads\MrsMajor3.0(1).exe

"C:\Users\Admin\Downloads\MrsMajor3.0(1).exe"

C:\Windows\system32\wscript.exe

"C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\8D9D.tmp\8D9E.tmp\8D9F.vbs //Nologo

C:\Users\Admin\AppData\Local\Temp\8D9D.tmp\eulascr.exe

"C:\Users\Admin\AppData\Local\Temp\8D9D.tmp\eulascr.exe"

C:\Program Files\VideoLAN\VLC\vlc.exe

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\SearchExport.mpv2"

C:\Users\Admin\Downloads\000(3).exe

"C:\Users\Admin\Downloads\000(3).exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\windl.bat""

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im explorer.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im taskmgr.exe

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic useraccount where name='Admin' set FullName='UR NEXT'

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic useraccount where name='Admin' rename 'UR NEXT'

C:\Windows\SysWOW64\shutdown.exe

shutdown /f /r /t 0

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x0 /state0:0xa3a85055 /state1:0x41c64e6d

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding

Network

Country Destination Domain Proto
US 20.231.121.79:80 tcp
N/A 127.0.0.1:49756 tcp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 166.188.117.34.in-addr.arpa udp
US 8.8.8.8:53 86.161.69.54.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 github.com udp
N/A 127.0.0.1:49764 tcp
US 8.8.8.8:53 github.githubassets.com udp
US 185.199.111.154:443 github.githubassets.com tcp
US 185.199.111.154:443 github.githubassets.com tcp
US 185.199.111.154:443 github.githubassets.com tcp
US 185.199.111.154:443 github.githubassets.com tcp
US 185.199.111.154:443 github.githubassets.com tcp
US 185.199.111.154:443 github.githubassets.com tcp
US 8.8.8.8:53 github.githubassets.com udp
US 8.8.8.8:53 github.githubassets.com udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 154.111.199.185.in-addr.arpa udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 8.8.8.8:53 133.110.199.185.in-addr.arpa udp
US 8.8.8.8:53 collector.github.com udp
US 140.82.114.21:443 collector.github.com tcp
US 8.8.8.8:53 glb-db52c2cf8be544.github.com udp
US 8.8.8.8:53 api.github.com udp
US 140.82.114.21:443 collector.github.com tcp
US 8.8.8.8:53 glb-db52c2cf8be544.github.com udp
GB 20.26.156.210:443 api.github.com tcp
US 8.8.8.8:53 api.github.com udp
US 8.8.8.8:53 avatars.githubusercontent.com udp
US 8.8.8.8:53 api.github.com udp
US 185.199.111.133:443 avatars.githubusercontent.com tcp
US 8.8.8.8:53 avatars.githubusercontent.com udp
US 8.8.8.8:53 avatars.githubusercontent.com udp
US 8.8.8.8:53 21.114.82.140.in-addr.arpa udp
US 8.8.8.8:53 210.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 collector.github.com udp
US 8.8.8.8:53 glb-db52c2cf8be544.github.com udp
US 8.8.8.8:53 glb-db52c2cf8be544.github.com udp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 glb-db52c2cf8be544.github.com udp
US 8.8.8.8:53 api.github.com udp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 glb-db52c2cf8be544.github.com udp
US 8.8.8.8:53 api.github.com udp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 api.github.com udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 4.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 api.github.com udp
GB 20.26.156.210:443 api.github.com tcp
US 8.8.8.8:53 api.github.com udp
US 8.8.8.8:53 collector.github.com udp
US 8.8.8.8:53 glb-db52c2cf8be544.github.com udp
US 8.8.8.8:53 glb-db52c2cf8be544.github.com udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
GB 92.123.128.134:443 www.bing.com tcp
US 8.8.8.8:53 e86303.dscx.akamaiedge.net udp
US 8.8.8.8:53 e86303.dscx.akamaiedge.net udp
GB 92.123.128.134:443 e86303.dscx.akamaiedge.net udp
GB 92.123.128.134:443 e86303.dscx.akamaiedge.net tcp
GB 92.123.128.134:443 e86303.dscx.akamaiedge.net udp
US 8.8.8.8:53 134.128.123.92.in-addr.arpa udp
US 8.8.8.8:53 r.bing.com udp
GB 92.123.128.138:443 r.bing.com tcp
GB 92.123.128.138:443 r.bing.com tcp
GB 92.123.128.138:443 r.bing.com udp
US 8.8.8.8:53 th.bing.com udp
GB 92.123.128.176:443 th.bing.com tcp
GB 92.123.128.176:443 th.bing.com tcp
GB 92.123.128.176:443 th.bing.com tcp
GB 92.123.128.176:443 th.bing.com tcp
GB 92.123.128.176:443 th.bing.com tcp
GB 92.123.128.176:443 th.bing.com tcp
US 8.8.8.8:53 138.128.123.92.in-addr.arpa udp
GB 92.123.128.176:443 th.bing.com udp
US 8.8.8.8:53 176.128.123.92.in-addr.arpa udp
US 8.8.8.8:53 login.microsoftonline.com udp
NL 40.126.32.68:443 login.microsoftonline.com tcp
US 8.8.8.8:53 www.tm.ak.prd.aadg.trafficmanager.net udp
US 8.8.8.8:53 www.tm.ak.prd.aadg.trafficmanager.net udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 services.bingapis.com udp
US 13.107.5.80:443 services.bingapis.com tcp
US 13.107.5.80:443 services.bingapis.com tcp
US 8.8.8.8:53 e-0001.e-msedge.net udp
US 8.8.8.8:53 e-0001.e-msedge.net udp
US 8.8.8.8:53 80.5.107.13.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 www.tm.v4.a.prd.aadg.akadns.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 ax-0001.ax-msedge.net udp
US 8.8.8.8:53 www.tm.v4.a.prd.aadg.akadns.net udp
US 8.8.8.8:53 ax-0001.ax-msedge.net udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 dual-a-0001.a-msedge.net udp
US 8.8.8.8:53 dual-a-0001.a-msedge.net udp
US 8.8.8.8:53 200.21.107.13.in-addr.arpa udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 github.githubassets.com udp
US 185.199.111.154:443 github.githubassets.com tcp
US 8.8.8.8:53 collector.github.com udp
US 8.8.8.8:53 glb-db52c2cf8be544.github.com udp
US 8.8.8.8:53 glb-db52c2cf8be544.github.com udp
GB 20.26.156.210:443 api.github.com tcp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 api.github.com udp
US 8.8.8.8:53 api.github.com udp
US 8.8.8.8:53 api.github.com udp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 collector.github.com udp
US 8.8.8.8:53 glb-db52c2cf8be544.github.com udp
US 8.8.8.8:53 glb-db52c2cf8be544.github.com udp
GB 20.26.156.210:443 api.github.com tcp
US 8.8.8.8:53 api.github.com udp
US 8.8.8.8:53 api.github.com udp
US 8.8.8.8:53 api.github.com udp
US 8.8.8.8:53 glb-db52c2cf8be544.github.com udp
US 8.8.8.8:53 glb-db52c2cf8be544.github.com udp
US 8.8.8.8:53 collector.github.com udp
US 8.8.8.8:53 glb-db52c2cf8be544.github.com udp
US 8.8.8.8:53 glb-db52c2cf8be544.github.com udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 collector.github.com udp
US 8.8.8.8:53 glb-db52c2cf8be544.github.com udp
US 8.8.8.8:53 glb-db52c2cf8be544.github.com udp
US 8.8.8.8:53 api.github.com udp
US 8.8.8.8:53 api.github.com udp
GB 20.26.156.210:443 api.github.com tcp
US 8.8.8.8:53 api.github.com udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 collector.github.com udp
US 8.8.8.8:53 glb-db52c2cf8be544.github.com udp
US 8.8.8.8:53 glb-db52c2cf8be544.github.com udp
US 185.199.110.133:443 avatars.githubusercontent.com tcp

Files

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\datareporting\glean\pending_pings\8c30cee8-b8c0-46e9-a2ce-c4a60665fc12

MD5 33aadc9c89d7a1e139c4942fd9933e81
SHA1 1766421a16df592a80be31115f0ea0de196c079d
SHA256 35043311fe17fcb6ed54cbc05d12c042c9c442481d73fc4c9ee924d94bd414e0
SHA512 72206a57240f36c10a6c644b8b487c11e67b4ba8ac2191cbae464ea5d426df53c765da1be37fff0aa0daa1299226d6e655b494452e58b28099b09b88c594df27

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\datareporting\glean\pending_pings\84a688ae-e913-4817-8418-c33b79d362a0

MD5 76302a731f41a3e29ce9eef1d18d44bc
SHA1 7f42f810366f604390406bd7b62f97d3d4d757a2
SHA256 2c4f6879b464062553939d8054c3ad87b086e97d8813c37ecc0193d445ee6005
SHA512 9106a545c1b2771418348be71f9ed1767324d014b1858fe9bf8f7d09bb3e3f4d2d7897937bdaad739fbfcb78390211990940e5131ed0271fccf224e30d23fe95

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\datareporting\glean\db\data.safe.bin

MD5 820f680cfad41de3d9ea588fcb734a1f
SHA1 20a81efa1c9bc82e7401c6f4b7e64f70aaf19efd
SHA256 29eea48513b2980f974942735574b07d8750ab82e6fb24f131d1c0cac92379eb
SHA512 73008aecf964624521d53507086249308599f57f26d13218d6a2d058030352cffdc2a7c81ffca7ee84297b3a371241e10d8203257f8fc93a6261e3fcc777cfb6

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 731c0e733fe1e3123d366af7c8e578ae
SHA1 9756304ea773dd9cd96e5996dc79de2ed6a9ae9c
SHA256 8f426b4be5e3440fa14d37480f018b7dc3d1a547b0e91c2fbfc6e31d9054a359
SHA512 d29e0f2356a3226f64692b390c122d4d70f09f677d9f5d086f2babaeba6574d670171edb24ff52f928871ec489680f57910e21fac1ca8ec08783a07d21b1f427

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\prefs-1.js

MD5 909263193957915b126d447a4747a54a
SHA1 47504b96095543ad72e7586bf38c998582a8b894
SHA256 7035b2da0acec30da504e82c6aacf039bd87e21c94d6a9f4d3e10324a9b1208c
SHA512 f41acc3ba846e5fe97219f10756004ef0cbc364e55013eea2166307b144f7ec1ad277eb5e9e465b12ca549fc3fc019f20f954b063002cd6408212eabfda40ea0

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\je1358xf.default-release\cache2\doomed\2139

MD5 24ea9fe28b463088779634238de2a2f3
SHA1 9828f8d99dfdc19183ff791fa58d9f5516321903
SHA256 8dcfac1989c67265b89283d64caaf887264d5c0827a0c0706b64734fb163c47c
SHA512 152fb95578efb3bac31fe97ac50f9d74122341251e67ffcfbbc9085b43205b0a27301c8dad67dfa4701ddd17c3eb157524635f0edc763adc5d9c60bf3d73a011

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4

MD5 2182844c1c13b37302a153539d49b776
SHA1 5d3f3011378b00efaddfa4c27f1825b965c7410e
SHA256 82d4e8df1ff38d4c2cdb6acbda3f73c1342fd1613ce2b54c424d4effd831aaa4
SHA512 441169bb13428b4f4489eb3d0789d90af85961f7de250df6de32c1f795a530e9fcbbda651a030964896185433d93fba1f4d975e8397a4d528cdde9b3652c8a99

C:\Users\Admin\Downloads\LxTajpNw.zip.part

MD5 b265305541dce2a140da7802442fbac4
SHA1 63d0b780954a2bc96b3a77d9a2b3369d865bf1fd
SHA256 0537fa38b88755f39df1cd774b907ec759dacab2388dc0109f4db9f0e9d191a0
SHA512 af65384f814633fe1cde8bf4a3a1a8f083c7f5f0b7f105d47f3324cd2a8c9184ccf13cb3e43b47473d52f39f4151e7a9da1e9a16868da50abb74fcbc47724282

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4

MD5 28b69a6e1624fdb0ee1d216712b34224
SHA1 0a3d24050b0533de73a144d5d003498c708eeabc
SHA256 28613cf309ed122c0c0e9b4496a64129d1014c589fdc06032fd55ee47ee5ea2b
SHA512 d2764a02c5687b6888beee51b1eff9f3c69aa601caa31352456ce77775a63e6e818e30319df4c203498c77b596a5b78caf66f56f39277b5091f0258b7b9dac88

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\prefs-1.js

MD5 f59e3f765d87c47ec05ecaead425e703
SHA1 43a681e30dbcad8b1c38de311d7ad95c41f1184d
SHA256 6b2e69dc231debc319646a269d65d31a26f478c4a178e1222b52a15921d680ac
SHA512 51814aa4384e1dd8379bfaa31d9a313f523e40dc37aaf0f6ef24cd237887ce0e31e653a6951a4f301d8a7cf765c91498936dc2a639c01d9423d279f31d55531c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4

MD5 8ba6a06a425b347807814f0e5ba65b5e
SHA1 f4494a392fd56613c777623d166b55f90110f842
SHA256 9930cdd714dd0025ae322e391b60219905064f063269427df71dacfe5c9081c7
SHA512 bdf136b0a2c461ca39f2723c4890f7f7e6c21b6068807d0e2a777e2e582a03a28648b466ac07541b3849598882051f21775c5c3cb036a5d4235f0be1362297a7

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\je1358xf.default-release\cache2\doomed\2356

MD5 24736ec1fd123f1067e44b78c8cc8f60
SHA1 d2f89460aa5c8048b752e58ae883c26b0de5e5c1
SHA256 85f27015de938e07a35aee46f6441dba9b2f5ee0d65f04f1a70f142d36699f72
SHA512 a68851140ff230da926bddb4721db54ce56482c31b44e3eafdb05edfacbbbf489416d691ad2bbd9bd0b0b5cde9e660a9155c0172e556588ab2e55e1955adea07

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\je1358xf.default-release\cache2\doomed\11479

MD5 9253f847f462c06c132cde1bbdb967a0
SHA1 7db6384dddcf1db3bd3a4d0cf13d730c49b580f3
SHA256 caf80c7db0f5337ad2f75daf8f071a5bdda023aea17311e477e4750de4e8a28d
SHA512 1c61e3224645705404d5bf4be719ddc4c605b5557435d4bf49601e8ee5d117ad279f089d066533bc6fba4725db4721c3c0dfe11660013837ad0f9e0c9368e608

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\je1358xf.default-release\cache2\doomed\24205

MD5 4cad2d89bacb6d4c97ce8510cce89a3f
SHA1 7b11a5dd56a93c3b65494adbf53f5ec427ae343d
SHA256 90912cee14fd0e805eb771005174b76b0cd7b9f646fcbc0ce5a9f0a898213191
SHA512 30d768fbd70a653441a68dcba201bd75a1c29d59d2cb907406b3d9eee5f471e576756fb2ceda3a18f4549fbb4eb01d7c28ec012dcda967c01f33923ae161044e

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\je1358xf.default-release\cache2\entries\F1DD23AEBAACEC3C0BCE9D576D6904F3233FD8CE

MD5 5a85694e8abc6e686efe776de00e0e7f
SHA1 ce963e2723f792c5f3cc9512d202248debe1d4ee
SHA256 9027389df5f65fd8992d64cc8a028e0fd0a6db060522a13e788e0362781dc6f2
SHA512 0eecabce4b4556c78e960b7702a467738a4fd68aa69e4e36817985cf896ac4be9353c1e205df2f86da1420140e08b36da8b874d794302b0a20af58ed990daad3

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\je1358xf.default-release\cache2\entries\E6C22A3DFCD18E3C6145370266896FF76AE3F7EC

MD5 52d3d59fb47b654fbad078200bc946f4
SHA1 df3f4ef2de317744ea056d85831615bd08ef73a8
SHA256 0b722bc61cc9cbb5cb890ed757f0158ce1ed996fc06d13b531addefface3953d
SHA512 d27533a3ae635fc74b1166250f09b3a360f1eef214513e778079f3f95d1b8b8df5c628fceb3979e785b053515c7c999eef4c1fd3ed51d25ef0add5b513d26b29

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\je1358xf.default-release\cache2\entries\966A0DA48F5B8311964BBDCAF442DFEFDEEB76BE

MD5 33b847952f1729537f41a21b189faade
SHA1 ff313702c17fef4fa396ce98e9de474a3cf0896f
SHA256 cad76818b8e562965983da3e56231276e07eeaaa5395f2adb8163fef6afbf7e6
SHA512 fca1ad845a6393e0cd08addd535f223b358cdfb8d63713f4d41bb2145e056eb2d172ca7f74378d15e2e9eb3fee1f35381a74fd4722caa1acda0949449b964698

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4

MD5 bed5b89068a83c4385759a5697fd02d1
SHA1 a0ae708861ecb1b8db69b593bd5838e128c88d93
SHA256 8a2c8ac1d963a2ef9e207e9985ded8ad704d0e4aa9dd7c81f7b59ee0ae33c0ef
SHA512 a04dfe525de0fc0bd8d16193b53abe2a01b7a752f28231e54ea1c43d09eb0700190d0149b7fa72385836aba3af4c14a44e79661512146eb5925ee62dde9c09b1

C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

MD5 50188823168525455c273c07d8457b87
SHA1 0d549631690ea297c25b2a4e133cacb8a87b97c6
SHA256 32856e998ff1a8b89e30c9658721595d403ff0eece70dc803a36d1939e429f8d
SHA512 b1a58ebcc48142fa4f79c600ea70921f883f2f23185a3a60059cb2238ed1a06049e701ccdab6e4ea0662d2d98a73f477f791aa1eec1e046b74dc1ce0a9680f70

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\je1358xf.default-release\cache2\entries\D16479E925AF122292501EFEF9D2A14A47D3245A

MD5 25e54a3f3c1fd7e349fbd95adb9b3b9f
SHA1 4b827c03f8709f0efe115f929c99006da0fd655a
SHA256 895012896c35f848769f39e686baa48dc8e2c036df3b9f59a4a5fc6d7d90f959
SHA512 09af678f3fe8990a8c969f7b3dd03161814322525c1a4dccd05f5417be3c34dec132d81ab4cfab4f26abac67955cb0a3db0d409fb9589c7258d1d395c0eaa7cb

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\je1358xf.default-release\cache2\entries\4686DB80E616EA6E21005148EB9C309F02D66895

MD5 113a3f3128044caea63150e6e73a30fd
SHA1 5b822781960c7ed7238ebdca345e2a23f389a541
SHA256 1e432ebebdf4f4b78de594c6ad2fb3857edfd0e7ce4efaf9508c165e51a29160
SHA512 a3807c810e62c1c1fd644e87b4493558090a74d8643ec9eef99504f4e36a8a12deb8c270ea6fc2cc4f52842642f093071e4c76fb2e2aa2940093e131be3f6fa0

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\je1358xf.default-release\cache2\entries\920AC39E296723B718EF4658CE4D27B77449EAF4

MD5 ad73b9ea3e43a3feca5098e11475de16
SHA1 14bdd4adbdd9d5c34a8c562ae705d59a3ef96c92
SHA256 a0a3dd69a8f5ab6253a762308c5f3d3c85bf0970030fdc40bd0bbd4d4edeed18
SHA512 92e71cfd490d10a89dfbfcdb6e5295a876ee73ae6980b2618bccbfa4730468e4373b3bbc88abac0657364bb3ed06eb79be2f304c0348ca2996e4d217017442fa

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\je1358xf.default-release\cache2\entries\58D9C8D20AC64380008A7BD763F507B049E5338D

MD5 b8b5955bc9d4b7015ba3bfe0d9b09af1
SHA1 23e90c45e0ee707776d582ab067ed86de1095393
SHA256 6f97689ba3b49b1bd9f7e8d1b7312210c9abc72429604f3b2d32eb81f28c8387
SHA512 af89114a749d37c24fd8c7cecba490b0a5da95e8ec00aa05e88d813da944563eabfb42cfc6f459a60f0a2f1bf199d46f5086ce846f1eda21779734a46ca4f88b

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\je1358xf.default-release\cache2\entries\FA3992A2602013AB45FD90493DD6F037011CEC3E

MD5 3ca126d2729d9ff5f354de80018f3027
SHA1 a872235b2fb6eb63d8ab57a73361bee0d7414cbc
SHA256 211b3e431fad9eba1c1ae3fc4ca556cf3676bc8b0908f9bb538aa18cdd428bc0
SHA512 1cb102cc8badf113466bdb4bf22d377b4710ae9664d567a35eaa52ca7301ccc9068c52c5dd4fcaaeb136b9f4e8cea4e280b470185299e17c3a0c5beccc97a437

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\je1358xf.default-release\cache2\doomed\8744

MD5 73262c248ff888d6948e8e38c5d78a18
SHA1 5384b273a35b3a0abbc51cb157470120122ca685
SHA256 33acd49b6cda778f6aa0985af8062c15ed5e6f8176b0b82f7bb551270a416fe4
SHA512 b15f1095c9e65e352c5f80a01c010976101e14fed828627384eac66997eba5246b6a1042c769e4cceac7b3b2af9683d71592b86e43c5e0978586922fbc720b71

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\je1358xf.default-release\cache2\doomed\11673

MD5 52d1eff0d5d01f3a4d05bbf74bee1eb8
SHA1 cb89fec0f7e681ccebd5f90bd7e2b48a4f652cb3
SHA256 ff8ef002c065b267f4b86bb6aa25dbfb91ac3c00b104c50adcf5f6be6c892825
SHA512 1b5e94ba8193ac2a18b065c99c8fa69be4eec90714033325b4d95d6959929859a07163f4289a67807c9a8b5e017be8aba395a835905e0bb4e8c05de5505e7ad6

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4

MD5 829a9a4a8c1b9cabf160d321f584a3a8
SHA1 0eca5fce5ca80785d8f0866f500d24c92ea42230
SHA256 0dc0c712355632aca5888c6e2f4ae29f42941f28aee2e92a6750d35d1a376994
SHA512 3a1b1bc2bef0adbe9a4be4fb15b814d1e57b0db2ed28687149e6336f7ca92908121f2860f3861772edba7722f8118a8f7749546923515c6747841fa7afecdb45

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\je1358xf.default-release\cache2\entries\4412D919A32B54AB53754B2E68861EB10099D124

MD5 c52295c3f9f13f49110038a2d7a1808e
SHA1 650afe294e5f8130c3b91fe62ad1bd655a3e56f8
SHA256 b400045957df91737a328e8bcc35230ff4d09f73883e9fea30d1ea8ab870252c
SHA512 8744192d14442f917d63e7558c07b9a4fdf27f2ddd2b0c85979f2eba70c6f17b8a5d066a7b169deaa36c112de0056511b49b80d3afcd20a62d404701aefab887

C:\Users\Admin\Downloads\M6QVED7j.zip.part

MD5 8d2c4c192772985776bacfd77f7bc4d9
SHA1 3b923b911d443e321e551f26c9588b16a994d52e
SHA256 1733b199a7063443c167e3caeae7dda2315f590341ea2152a9b132e1ad8e94a8
SHA512 6c24f2fe498cf38e3f3d66b62915e6fbc8c2746a1d4c3c3de270f994b02e1369b9540099c12d150712574ececbe63c8c9f28877d8aa4557fbbb7890d5a0de6c1

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\je1358xf.default-release\cache2\entries\851540802DCF1E2CD3F49794131C039431DBC489

MD5 6d01326b7608fe31852d490c380c05d5
SHA1 213cbc79ca60dbfb9406aaee9a5dee393d9f69d3
SHA256 af3d2835f0b475810ee13e9587091e0e2f5b93eaa8029b1ebe3e95c72eb4bedb
SHA512 8a3be196273332ef1b69e027ab4d44ec82e020cb4b7ce0f47e410e80ec6a4e9c53c55e3e6c67e5a03e96f3e034a2aafb9b3c5a9508bbd6f56ae741b64bb6ceae

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\je1358xf.default-release\cache2\entries\A5D107697D4860D4E45EC4244FA58968FB2A23F7

MD5 23ce7599929079bdda0371561bc568e7
SHA1 82651237c0c7c3f1bbd16ade043d534ad725418c
SHA256 cf7c53341b8f4ee982390918827caf21a6dc522f6eb419b163bf10e3eda97373
SHA512 68c111d16ef8cdb37a49641b9f0383f043fe3cb01e8cd677fd57cc33c5971c197a745f421aec003e25ee670a190abf121cf28d177e07d17cd152d0baa9498fda

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\je1358xf.default-release\cache2\entries\CAADCDAC80B542AFFFAC671000EB25784EC2DB2A

MD5 0169bd7347405e22466d430d918714de
SHA1 f2da6ec3515145cbffea1b8fc4a8585b90d14fe2
SHA256 ba882b8cb88bab574c67043a507344ba6cb89fbd5090e82aad08c68a4fef4687
SHA512 295eedd91693d55cf523ca983e7b7ac4c384619601a2e1fdae18e52f853aade8cbafef4efce00c82994c29390330bc0ff4a3a1bbb39dc5b8d68b0eae742e31ad

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\je1358xf.default-release\cache2\entries\6CEE2727CF2F7831FFE7912B9B073F4BA25A9DE5

MD5 400df368690526cf82bbd37c35a59d84
SHA1 1ad75598673d5062856eeb338b2f1bc9cc1a943c
SHA256 f8618081d65f7d47e137694e347517581663ec62baf946fcc061218f4a30a883
SHA512 46a77cadd917db2fecdde6b410a7c7363b26a7f87d9943cde5a79c93b3a50bc32abce27925f5c3bcc3d0b2027d6ca5ded2474166e4188f3dc7bb05669df35efa

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4

MD5 b5c3e0e7d0fd02e0deef59d2ce2ae370
SHA1 b9de77336cb6f0a051865674cb72d4473817dfdb
SHA256 919060f1080de3ca1a29d647c2e8b18cec5ce6ef179600e426f812d132a84895
SHA512 fe4f619a7df9eae6b17ec159e185ba9af57fbd52dcda7e4b78ce5a0ab48efbe73f693aaf0b65233d12276fbc5450a9343bfd14a9d62015c3c6cc7dbee85b9df5

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\je1358xf.default-release\cache2\doomed\5193

MD5 cb18cb7f670987fd0ded210fb4fdf082
SHA1 0a56151258c3cf12238747d835b2be5ae2fffdfa
SHA256 176ec737aeac9be8d3d1c23b6bb1682aabdf8890174cbcf572b147cad7505cbe
SHA512 68942d5017e519a5d27177a21ec46bc449ada364a82eb55e013d989a34e5535b960be25776a15bd73506450a054c8be97a5ff698a5bcc4a1d9393891e261553c

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\je1358xf.default-release\cache2\entries\5C2A2B940E0EC346270C250EBD62F95402CF3D0B

MD5 150ea3491a2d3df33b36871267a914d2
SHA1 01ff7839291583667960542db9754274c7577eac
SHA256 5acfd6a1794b8bf525326cbc4dc020a4dcacab395295ae5188c04c594ba59c66
SHA512 4e40f0cbca58ff856544455c032bf1a0c2f4ea628c3930f0005e47a7af47ad045c07ee3f8080dee592d572a7c04c44d30447162f2a2456f27c60eab66cc6462e

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\je1358xf.default-release\cache2\entries\D28BD3D2AD841735B092E987962FE62DA2CD29E4

MD5 51590fe24f89d64f529bb367e3f3a8a4
SHA1 a31b75068cb0475ae5fcd69178dfa4e030af0556
SHA256 ef3ccd0033f78b87200a56946e18fb2c4372142479fe7b047e21a9b0c0301a6e
SHA512 01857939e05c358903565da06fcbc940e358ab6fff84b8821e68aaaa644b6b6bce386f46f872f94b8c96e0573044d89487c4f7d3a9c4bd1bfdc6fdae08ec8bfb

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\storage\default\https+++github.com\ls\usage

MD5 a0724df43b7d8f5f08db3179c6ef1352
SHA1 c249517bdffeecfdbce50c92663bec4004207d1a
SHA256 fb8125881b2e30b18f90dedf681af9431e23d990c03a86059457bb86d68d6414
SHA512 63a43f8463994a2c9fccd4ec0010f386e423a5194681262b7c4f71c346be9041d1aed159a0f53ad00a53b464c5918038f528377f564b5a79b0b783cbf0026677

C:\Users\Admin\Downloads\WGR2Fn5p.zip.part

MD5 abc651b27b067fb13cb11e00d33e5226
SHA1 1869459025fcf845b90912236af43a5d8d0f14dd
SHA256 690339e6d19da0b5c63406d68484a4984736f6c7159235afd9eeb2ae00cafc36
SHA512 4b85ae9001b9d1f11d57b6b2565ab0d468c3b8be469cad231e1203c4f6858af98d8e739b03fb849c2f3ec7b493781e88d32e7b7567c4b61cc1189daeea285bbf

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4

MD5 5650b5a8f617b0a820648e898df397df
SHA1 2d1eb9491c3771318833667db736587ae80216d8
SHA256 0ed4103574793e5eca9711cc1ec760d97b027c771b3f50e2209e4bdb565d596d
SHA512 c35e1ab9022ff8e79db2d6da2ea908116e1da95cf8116fdd6612eb20ed537a2562fa86ed79573643d74cbd4377050f0690ee0632a473403410dda32e32dffb3e

memory/4056-726-0x00000000000F0000-0x00000000001D8000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\a0vtjxzp\a0vtjxzp.cmdline

MD5 83abadcd8a6faf2f8da3c4c3ded0b53b
SHA1 3358c2a0691275a5876f82436d76d315607dca68
SHA256 1dac8fcbbbf72b75b03db1e80cf534ab2c73dc2e7f4e2a93c4ff6d96a844da8c
SHA512 99bc645b9d265ed0a76ca2cfec61bd742686d30c3d0b0424c0e1ef283c59c04b7159eeb4637f80d682955b7eb68b71d914cc56136100327476ef97b5c509b222

\??\c:\Users\Admin\AppData\Local\Temp\a0vtjxzp\a0vtjxzp.0.cs

MD5 be0c48fc5057a467514eec58f1b1264b
SHA1 6d656174c6c9ab1e4c3d75cc9270a2aa4079183b
SHA256 8685fc1ef0ff239f59289b26d9aa7134998f4cc4a15b22c9a8922c071bb32639
SHA512 157df2d4ef94906418ea32be5feedc28aac61787033e7473f0eab8e22d32a2a83ddbb5c43c16b0d5f83c8c27f167e1fcf2967df35bdbafca75327dc35ed443f1

\??\c:\Users\Admin\AppData\Local\Temp\a0vtjxzp\CSC46A25D285E6C408199F5F814FD1168CF.TMP

MD5 b18238457e3b85c53bc6f4d128b7d156
SHA1 2160099d8a93d05f8eabf36f6a99fd40f3ed4e9f
SHA256 19743595f2a0a992e5f913729e5253e25a9e6a314a04ab37f2ee05ff50acff19
SHA512 187d177fa7ef0b89934088de8e5217bc7f2f366aadafa150dced7b230eb6ff65c7d47aec51387c234600f65d2e9f556fd9cdcfc52a203f7109b7026fb6029f2a

C:\Users\Admin\AppData\Local\Temp\RES2CB3.tmp

MD5 307bd9d7e417edd5e8312aada929bd92
SHA1 ce41388652e29fc2b59d6086b5b99e128d198968
SHA256 a05778f5edb6a36232367da021e4118a56c9e6ebf89882268587f7b70e184de0
SHA512 b287f6601e1124c42aae6bcbeaa80c46969082aee5c2c68aabd244bcd9ede80a29baaa5dc62b9249fae1fba0b14bc4ecdee0ec5e8fd1f23293ef2f6af75d0f77

C:\Users\Admin\AppData\Local\Temp\a0vtjxzp\a0vtjxzp.pdb

MD5 04a242b7def92171d66458477e613693
SHA1 e3ad1a9e7cd96db70ec910975407a2f577d60c55
SHA256 f57126d811467675727a62e5957e69455f8ba89d5ffecd6d5047d3892465cb64
SHA512 a26a0b2c5e15779fd412196ce5044c93583da4da4a34421b309a1ce6a209e5e58ba06ca483afe23e9b67729ca40ce42a816ffe8ca8bf595f2f108f8c8464fe25

C:\Users\Admin\AppData\Local\Temp\a0vtjxzp\a0vtjxzp.dll

MD5 4adee72db1c56fdf04ba0033cacb5d05
SHA1 9b3cb3b84a2af400f6ff93e81a399d24ef36d3a8
SHA256 48c0510d372dc306079427c0ed304f43e53c1045cf48fcb199cedf5637e4731e
SHA512 2c585fe314bf018d7da2c63f1ebbdd9075919104e5a98c445be21391153e40062b439ecc6e735f7512bd8e87255491ff42f1d36e3d7c5f8b0d776008cb01bcad

memory/4056-741-0x0000000004940000-0x000000000494A000-memory.dmp

memory/4056-743-0x0000000004A00000-0x0000000004A92000-memory.dmp

memory/4056-744-0x0000000004F20000-0x0000000004FF6000-memory.dmp

memory/4056-745-0x0000000004FF0000-0x0000000004FFC000-memory.dmp

memory/4056-748-0x0000000004C70000-0x0000000004D39000-memory.dmp

memory/4056-749-0x0000000005110000-0x00000000051AC000-memory.dmp

memory/1368-750-0x0000000000400000-0x00000000004C9000-memory.dmp

memory/1368-752-0x0000000000400000-0x00000000004C9000-memory.dmp

memory/1368-755-0x0000000000400000-0x00000000004C9000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4

MD5 8b9771f8e28eacc5a164fe1d69c0522f
SHA1 97058cb32313b5f004fb9184f4b055da737581d8
SHA256 06a2a8637f73cee13902092a3ab0c8c8fd64084f382b32a059bcb904d7b4462b
SHA512 93cb8fb962727d48d8cc8a10b9fe7c0fa1226eca62ad4719bd5ce722d4c41548e64c0759e89f5fe5f73a004db6374402d84055e58b30b720d1c93b18ac0f18a6

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Ransomware.Unnamed_0.exe.log

MD5 490705bcedf5640060c84ef04ce8571f
SHA1 d754f63c4d4cab1d5a3125785ae22f83ede4ade7
SHA256 0f9fb39b915e7d09766243da0a7fb51fd5903d046b558bfd06f17523cbc51cb8
SHA512 e8308d44432ce336b18b41dd10067845c7dc4c6abb1a97a8b36620ac45eca62d2735900e3c7dcced919e9b7449535d6a12d3a963909ac7f669d91ffdf08592e1

\??\c:\Users\Admin\AppData\Local\Temp\nnz4w4rg\nnz4w4rg.cmdline

MD5 98efa6b8f8a529ef070573a83eb9e820
SHA1 270a4850fd4d6efd7f4bb82baa75a318c7e8a52e
SHA256 baf9874e9cd44fff550de22645f5765fa3b09ad35d1d56d6f4595aff1efb771c
SHA512 746aa3a04c8d84bbebeb200632756610de78e8180cfb9db34061c20778833ef696966bc2070ee21a4ca7832f26ca7973f647b11b4bf61e5ad9711e44de48a6bf

\??\c:\Users\Admin\AppData\Local\Temp\nnz4w4rg\CSC71CCFC2293344A01B6C965FE5CC24046.TMP

MD5 d9557a4e309726849b6885b0c5cec232
SHA1 3ac8d44e34c28a87e223b1430d71667c1d6e6f00
SHA256 f09d7030dbe0eb4cb8cac49b7b68989dc7b75a2208bcfb5d37cce8ebaec265d0
SHA512 89dc360cd1a5bd77391dff7851f7a17e81f3c359c97c3eed019e6ac041df73fa2c74dc7a2e2512d4234d30a8680aee1f349f8c234c86c96a569cc4c12b5ca1f2

C:\Users\Admin\AppData\Local\Temp\RES54EC.tmp

MD5 4fe32fa3435ecc8104fe302c7009a877
SHA1 1783f964943afd6dbe04fa1fb75c7030c0f83a2c
SHA256 c88c1b1ca11811db0830de243479547f6b65a6649f9acf9d2a88441c19c40a55
SHA512 e7ee9ad893ea3c4d854bc619a08355030ac4632eb7321c80b4fbc595f522132acccdf94b19fc2b0558ed12b66fc6a4899d94b4cb54a4a9a59e811363530d0d75

C:\Users\Admin\AppData\Local\Temp\nnz4w4rg\nnz4w4rg.pdb

MD5 b129511ff38cea50cae8400d5389ae7b
SHA1 ebab550a94ee2753f7fa4c4e3d76f6654dfef3c7
SHA256 5bab55a427af3bf95a42658bece54f98c93648e9a201f072f39b9b3bbae089e7
SHA512 47100adda99a6e486957339cb5dafa2747ad87ffda065e45c01f68e0a75573ab39f79a37c5e2b84105ffe285e825c8fdfe05363766f04c8c23ce3a25bedd94c4

memory/3520-780-0x0000000001260000-0x000000000126A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nnz4w4rg\nnz4w4rg.dll

MD5 1afc90f195c2621f9239da55958678d8
SHA1 9369244cae6d73d73be0e4702b7dea1f48ad3ff7
SHA256 6cda6a8f5b1fd8c3271672663e97eb5ddd3bb5c2b950f37f58330e0ea3a13a82
SHA512 fc8f36188a7ea503bd9de1607a6d7a679f69944d00b6e49e5d5d2ae73bbe60b9cad42534eb6f13baf317cd71038aa7184dcf70e781a466356d73813ce87639c5

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rTErod.url

MD5 9603b6e118964288bcb3dfe2c5609dde
SHA1 204f614dc5fbd692b55ec8056cd4d063d96f38ae
SHA256 11bbb92e7c2aff55aa4d1a6cff600fd1fd3d8ee4219b689a4f7c24de75a70f01
SHA512 fd1b6d4995c99831d7a90954c0593788c073fd5490adf86d0f13edb4fa9cfb6bc4aa425f37aa7d59e93c2b3de655887af098fc70d7b4387f7548e77d5467ee2b

C:\Users\Admin\AppData\Local\JesYXqkYNx\cfg

MD5 560e63ad721ff461b61a43cfc54ef909
SHA1 9829fdeea6877667280bbcc9f9a8252d6338fddb
SHA256 0c5fc323873fbe693c1ff860282f035ad447050f8ec37ff2e662d087a949dfc9
SHA512 d2bfd22ec8c2ec9e69d0954ba241999e8e58e3be2abc5601e630593462c31c1a3cb628c45b0fe480ab97e0e06b4572980a7ea979c33d56a5ce1c176842cb7fb6

memory/4072-790-0x0000000000400000-0x00000000004C9000-memory.dmp

C:\Users\Admin\AppData\Local\JesYXqkYNx\cfgi

MD5 e00a3c7526b6953ebd8aae3a22d9a6f8
SHA1 61252c6ab7b0b5580538f3999a650c07db6581d0
SHA256 ec7e7fbb31e509612cdc456346c7e02ae07b8a5018c0f6309b494b05437ce1ff
SHA512 8afdd52415d94e1249ff2639eec240a87c29bef08a9ae93e71503315060ae46ed3f4c2ab8598d1dac0b54d7b103b52d3ad361913e99d9945ea04b977f0d290f7

memory/4072-785-0x0000000000400000-0x00000000004C9000-memory.dmp

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\je1358xf.default-release\jumpListCache\mzp5WKIhjSljr2N1l92zCQ==.ico

MD5 6b120367fa9e50d6f91f30601ee58bb3
SHA1 9a32726e2496f78ef54f91954836b31b9a0faa50
SHA256 92c62d192e956e966fd01a0c1f721d241b9b6f256b308a2be06187a7b925f9e0
SHA512 c8d55a2c10a2ef484dedded911b8f3c2f5ecb996be6f6f425c5bd4b4f53eb620a2baccd48bac1915a81da9a792971d95ff36c3f216075d93e5fd7a462ecd784f

memory/5244-806-0x00007FFE01F20000-0x00007FFE01F30000-memory.dmp

memory/5244-805-0x00007FFE01F20000-0x00007FFE01F30000-memory.dmp

memory/5244-804-0x00007FFE01F20000-0x00007FFE01F30000-memory.dmp

memory/5244-803-0x00007FFE01F20000-0x00007FFE01F30000-memory.dmp

memory/5244-810-0x00007FFE01F20000-0x00007FFE01F30000-memory.dmp

memory/5244-809-0x00007FFE01F20000-0x00007FFE01F30000-memory.dmp

memory/5244-808-0x00007FFE01F20000-0x00007FFE01F30000-memory.dmp

memory/5244-807-0x00007FFE01F20000-0x00007FFE01F30000-memory.dmp

memory/5284-811-0x000000006F7A0000-0x000000006F7B0000-memory.dmp

memory/5284-812-0x000000006F7A0000-0x000000006F7B0000-memory.dmp

memory/5284-814-0x000000006F7A0000-0x000000006F7B0000-memory.dmp

memory/5284-813-0x000000006F7A0000-0x000000006F7B0000-memory.dmp

memory/5284-815-0x0000000000680000-0x00000000006B0000-memory.dmp

memory/5284-816-0x00000000053A0000-0x000000000589E000-memory.dmp

memory/5284-817-0x0000000002870000-0x000000000287A000-memory.dmp

memory/5284-823-0x0000000007A40000-0x0000000007BB1000-memory.dmp

memory/5284-822-0x000000006F7A0000-0x000000006F7B0000-memory.dmp

memory/5284-821-0x000000006F7A0000-0x000000006F7B0000-memory.dmp

memory/5284-820-0x000000006F7A0000-0x000000006F7B0000-memory.dmp

memory/5284-819-0x000000006F7A0000-0x000000006F7B0000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\ocwz4hsv\ocwz4hsv.cmdline

MD5 17e0707debad6c202730a5cdece7712b
SHA1 03fc3038ba76c639415fa344a39938c37fd0dd13
SHA256 8e96effaeb91d35e6563096143f39a43f4f58a4613e193fa8718de43886f5a08
SHA512 551cffce586bcf7e2f2d3abd1b5ca9cde13a094074ab9844bc5e142321f62a98d9ebab3c2be74267bbd1fb3ccb493079c258830b508212e6ca16de2c9004d864

\??\c:\Users\Admin\AppData\Local\Temp\ocwz4hsv\CSCB25914F9833F46E68BF6811562C1980.TMP

MD5 7ad08892232af68d86ee88719cf2acbb
SHA1 b24d02c4b3fa11b0f4906b1d171da0633c7be1b8
SHA256 49c1ccc80efebdf39a90efc5467177fc421ea32caacec9a6b287d99d5f10e385
SHA512 6d4b4007f87f1ec97aa9b163a5e5344047194c08b6088cc2a35015fd55fdfdf124617426f61d377c8121019069e5116fa9c4b6406514b7ebe62ec54fef5741f5

C:\Users\Admin\AppData\Local\Temp\RES8E5B.tmp

MD5 d3aebd5edf3e61683301724c2bb07d90
SHA1 70cb19c8f98349b9169826dbad56b2beae9d686f
SHA256 0883780d90f9cfe2a1a52674319bcc5ed80b9f1406248f8fc3668dd9a22cf133
SHA512 39a8c8a7a96a5dae6b7d3cec9106f84c31a088e05a3de6fc07c1b6db7c8f4adbb35f3c7949a7f98f921050aa09e4d3e1ee4f366c007cbe7ac0aae08a44fa3d1c

C:\Users\Admin\AppData\Local\Temp\ocwz4hsv\ocwz4hsv.pdb

MD5 f8ed1fc77dc8ba947594edd078aa7841
SHA1 8993f01b8684f661f30b860fcc5c9312bc3e7b1d
SHA256 711434fc463d6fd10579440c9bdca5918f397b1a8ea195c54217e1fd602a621d
SHA512 e50c7780c005b53510c8b626a3775335b869add918fde2bb757a6e7e09c999524784ffef1234ff267718dd9ea2bde039d18bb2a7ea92e6984118365fd04b8eff

memory/5516-838-0x00000000010D0000-0x00000000010DA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ocwz4hsv\ocwz4hsv.dll

MD5 14de988197ca9a2ab88feb9faa6a5c3e
SHA1 5429032a7c1b8c83d79d4fa2e2b92a887f7192eb
SHA256 9da6509306bcf96e453ba3b697ba7561411bc2c479dacf0f020d3ed98ddb6329
SHA512 95b130109c974b5329cfd3da6c63aa2ffce35db1bad47a7172f1ca9f502daba048081ab728e49ca417a0dca05b3e074be856bfca622239e1c9a7d765ff8425ef

memory/5680-848-0x0000000000400000-0x00000000004C9000-memory.dmp

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\je1358xf.default-release\cache2\entries\DBB1D200AAA5C0E8FECF3BF2C49AAADAD31FFE96

MD5 2f1dd343299fa76b837e298548688ba3
SHA1 3fce40b6191cea14f69054d862132f99e944e0d8
SHA256 1ebe8925b194be5989a005b2e876f3e663ce80e3277ea4f71eb0b71cceb91204
SHA512 24f4bd84ac7cefa2de709c2121c0a2f97676a871bb2e60240e2dd0b84455a9975e3a53f11729ebc82226827dc99ede7864817fd49deac6d21502d6ded7abdd8c

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\je1358xf.default-release\cache2\entries\2492994A253B970917AF5CDF605580B1C2DC16A0

MD5 82b50a0fe2f0aaeb8312ad944b8cf3c1
SHA1 147f5eb354bc4ba68ea80a5569344913cc47e527
SHA256 1ae55a458fa57e81d3fa1eab496d06499288719e4fa6bb0c385c64823261f3bb
SHA512 660a2e31b7efa2ccde0b3822ba76b69e4622d8e91d8990d06e4d0afaf6715dc15289defc2ab4a8ccf3ff1c88dd7ef0c9499ef3aff1077da70e358747d0cbb798

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\je1358xf.default-release\cache2\entries\A6C74BC2260EAFF823C7AED38BBA607C962CCB55

MD5 b71328fdfad50f11b3103e45f45c3d1d
SHA1 643006c3d0a67bc1c6ffae1a6c116e0abe4dbcf3
SHA256 0c3c109a6d130b093fbae605e9f746cdf8f1c67241e991a818f3e6ba41842157
SHA512 09aff982666c23aa12e3e638c5c7c2903447a04fd250675e494bbfa30ffc810d9793b8102e2ad7a36fecfbfe1a4cce8ff6730481cc2e8f41728a528d33e42093

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\je1358xf.default-release\cache2\entries\3E7E9068A2591650CBF7FC97D887AE5BC841BA21

MD5 195ed866a499c60232550f13a8bc3979
SHA1 847a3bb979eeb169b1487c120ec713809c790919
SHA256 3bc50e59d2d0489abcbf13063aa5bdd93b503e1f4356f25df797c9575f7fcbfb
SHA512 c6cca5833e9265e63b95ddf90c4ea150336a3c52397802a78665ba61dc4f4356b1fbb36686933fcb8e9edcedfa4ad9eebc2b81c316783b9e092f6492feedf1c3

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\je1358xf.default-release\cache2\doomed\23076

MD5 fe01d76ab91d005277d077a8f5256952
SHA1 eef9d0cf1b95bcb4e6e50b663220425f17b38eef
SHA256 44ff35f856fd6bdb2858d3ee07270d4b2c1773a45142bbbc7c47304e27661868
SHA512 77a75cb16dfd3a6e65922884862a705962c34f1e0288abaddeebf3e753a6a157a1dbcfca941bef1db35a07d3c57bcc217f0aa54455466459d855e9c23212e2ce

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4

MD5 c3625ec97f5df939d929acae7aebdc05
SHA1 7554e128a25be1fb23aa36aa0da9817c09f45cd8
SHA256 38d0b69b98e02d54756220880783a581f2df41ee22e96faf8db6fe9dfc171300
SHA512 040ac8187e0439f3c407db9fad7bef2b4c2e6df1153984c611f9533278a3d5ceb30ba93200e49be3eb86b499cc0f70572676ad0ec1759b641965ac073a00b5cb

C:\Users\Admin\Downloads\aX2M8h4O.zip.part

MD5 3ad6374a3558149d09d74e6af72344e3
SHA1 e7be9f22578027fc0b6ddb94c09b245ee8ce1620
SHA256 86a391fe7a237f4f17846c53d71e45820411d1a9a6e0c16f22a11ebc491ff9ff
SHA512 21c21b36be200a195bfa648e228c64e52262b06d19d294446b8a544ff1d81f81eb2af74ddbdebc59915168db5dba76d0f0585e83471801d9ee37e59af0620720

C:\Users\Admin\Downloads\Ransomware.Jigsaw.zip:Zone.Identifier

MD5 dce5191790621b5e424478ca69c47f55
SHA1 ae356a67d337afa5933e3e679e84854deeace048
SHA256 86a3e68762720abe870d1396794850220935115d3ccc8bb134ffa521244e3ef8
SHA512 a669e10b173fce667d5b369d230d5b1e89e366b05ba4e65919a7e67545dd0b1eca8bcb927f67b12fe47cbe22b0c54c54f1e03beed06379240b05b7b990c5a641

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4

MD5 a825fd69b8b339a40c768f79a7ba69ed
SHA1 f56a3fbabe1c96ab448c2ab05c911ebb09832083
SHA256 03b456aecf60fe8a6af576bbe1e473196ecffb8263d94e7b58c9a05232566726
SHA512 7383a11c63cca892190a5d79b0ce7ab18c533b0bce48c19d4f5c0be5f511ea5c8a7f01276700b50534e99ef50c1dee970035cdcd4e547c28ebb891b48c2259d4

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4

MD5 d52659e6f9a64e88fd75b56b16c13829
SHA1 9d48f38ef617f14ea335d41f55ea12df9936ddd7
SHA256 956209275717e4a810e76164a01f9a0d94c3bd063741d1edde6276457fa0c4c4
SHA512 ccbcef6ef96bdf47ff1c0a69c3bb435483f5b22d22e7e04b35d57b6d9fc2944b5e08d1c313d395a70e0c4d73ba60eed2552cf66c4550c58c766e289bc8af4175

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\je1358xf.default-release\cache2\entries\41EC50669FDC2584229785DF61A01D6345DCF71D

MD5 d349b5f9fd222ff314d2fbb52d24cb8f
SHA1 ef655965cf1a8d0bd895298f43473236be574022
SHA256 faefcbfe787f763b4cc6b38caf595d291b224d6cdba49a29f6760c0ec9bd9088
SHA512 ba798c151c75211ec0d847b01c07633423b9adfa22d1c04b69522ba1f5bdcde5f7e4e8a9ce0fdf6a0f9e2f5021b383d27275a7824b79ee94c072b9b10369f900

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\je1358xf.default-release\cache2\entries\AF53CFF42FEF0E7B1D062270D59DF12108CAF066

MD5 1416225c819133a5e92a73f44eeb5ad6
SHA1 8a56c6e8d79ef328eb4ddebc7cf463dc8c3cfbcb
SHA256 0b01a9dce1c70aa474d93d8498628c597dc2d42cb42012da4008e165b3202b50
SHA512 9ea58edea84e2b3f47aca9f0d0fc6b91ac8e5d87ad2bd4b5465405be5e285988c2467c553a05e9935e4af7d8741895d319bafc8d5f38b208e860031115975978

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\je1358xf.default-release\cache2\entries\EA726DCDA5B8B23EC1701AEA8E27C4CDBC1142CD

MD5 3dbd06a5f78b6c806f834421f92cb106
SHA1 6d1ea447aa321b5ea3482e1dc13b5fa22aa7ee4b
SHA256 21e75ee1457b092293a92183f73e9638c29e78540f688d55186f08a8b8066fba
SHA512 6832c6bab9e3a88866b6525d92c649bb4ac7668f6783f6e380fc38cb4e3f05c57b2271aa3b027ab52af87acf0174d2c017df2d44aa5bea5ad9cef07da127da79

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4

MD5 0525055122dce6bc32d40e1cef20a238
SHA1 eeabc0e0ee58f9a29445979e82ca726ead154399
SHA256 bc7e07452c35d6641178da44f4dea47058f15a6806ad63768b6d61e8e7f15d6f
SHA512 0016aef03f87c5488cdc367b5dbfd7ee5e5578035ae21041f98721b6381d066ac90663c94f02869b5c8ffc74d6e0be47175c9644e9841b99c0ea6a81386128f8

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\je1358xf.default-release\cache2\entries\38FC69FFB85075959FA78D7D99B2EEE5C0CCE72E

MD5 02003e399c53d92399698d533fe1db1b
SHA1 11e0c4ad466a58d0bcdb84a49c7698419714634f
SHA256 c8833f2346eed4100338ac8a947c8978cb6dc680bc519a67a96d46c929bdffc6
SHA512 d165a7a09f126dd23968fa627defd4ef363fcd5aaa4e8c9c9fb397485d1aebcb4ec8617f24b29b0c97acfe0cd5f4b140ea4b01d65224e46b4f8c14bc83868dfb

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\je1358xf.default-release\cache2\entries\9AE10A08F52D1E85DABBD45B3126CFDD00D06804

MD5 40605ec6a69b012ebea9ffb0e6f3aa75
SHA1 87f7569a91ede978d66979ac0130f7e72da45013
SHA256 7c13cbfd2261f4ebfefea8ba953ac14c37d3f30dbf9395afde6b07ae31a9ec21
SHA512 ee63044b275662d204a62dee9d68dd5ba88b8b494a5b1a841c1421b12dafbf289f78d90e24bbe4bd2d501f492a3ae466baaef5ec31359b5de70ecb901abec385

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\je1358xf.default-release\cache2\entries\EADD8AD0D19BD56212728537973592A5A83C9F56

MD5 0e35e0fecd7b17228b75aaa2ee1037d3
SHA1 dee4913aa5014dfdecd421e159c687c7c7503411
SHA256 77075a476b7aa985b21abcc4870c8e0f6ba08c7fca5911c226c70a29b332f9a0
SHA512 3ed4e992531703573a85e670d4bf5763affe82176c1959f9d3b582c6218f7f314c0ff8db921dba6faf1cf9be392122febd7662891578d767f89b9a8f5805ced6

C:\Users\Admin\Downloads\Mabezat.exe

MD5 de8d08a3018dfe8fd04ed525d30bb612
SHA1 a65d97c20e777d04fb4f3c465b82e8c456edba24
SHA256 2ae0c4a5f1fedf964e2f8a486bf0ee5d1816aac30c889458a9ac113d13b50ceb
SHA512 cc4bbf71024732addda3a30a511ce33ce41cbed2d507dfc7391e8367ddf9a5c4906a57bf8310e3f6535646f6d365835c7e49b95584d1114faf2738dcb1eb451a

memory/664-1570-0x0000000001000000-0x0000000001026000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4

MD5 6e3d9d94bd94b29473dc134e533a3527
SHA1 18168fca3547326a3f4e100377ec93cbc4fb5d95
SHA256 ebdf6e1127174879b55500c3e2ee1ebbb99b2b40c30f6248716b3e1d53c6a167
SHA512 befd7d20eed1d212b07d677ce12a77c32908a004b256d9688fc9a64dedd06b42240bf81f69e6c90962058f1032d5affb43dde2a7a08da410fce111222dc6ce2a

memory/664-1582-0x0000000001000000-0x0000000001026000-memory.dmp

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\je1358xf.default-release\cache2\doomed\1432

MD5 027b484442b27cbf343fdb8101687b72
SHA1 ae8cfed99710a7b0c51267efc7f6105ea8641bf4
SHA256 22b3b471ee5f750c7c1e5ac02c0bc34ec366d1f7b64cfe0979ca832690766830
SHA512 76777c5fe4deba96469cde948ac841c095ed9a354d607ac02b595757db83cc68263c016b52ded98325bea4439eb99bea6d3384346d2f20f611c4b2b9d414b3ed

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

MD5 0f057cc7b1bc01334951fc83b4fae99a
SHA1 f7f7bf0eda1854946400c2378475a5b1f90ec26e
SHA256 aa528d23533c9d6da88bd4d056b4e3f5ba2068df4b51cffe372203db29266d82
SHA512 122171171c3c1f539dc60a2f42d30420a0ad232513b9b4113e546fae4dd4935d769d3cdaf9a5025ff498edd99da5404f363cd20ccd56626d5a87483a462c88c1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4

MD5 1deb4e0f8f05222d137e71187765b80f
SHA1 c8eb99ee5d7b2964d78b64898173c11acab80ecb
SHA256 f08155fc6987c31718eeed29c28a567331dbe45f1ce2cb9d2e3d00203b21d166
SHA512 4b0eea0b95d7ba85866c7b6fba598313c87a3dc4bf71ad542fb957983d5b5cde96b3e7fe6cd8e07f1d6f42360be8bd40de32304d23188175ff82185d62c072c9

C:\Users\Admin\Downloads\ColorBug.exe

MD5 6536b10e5a713803d034c607d2de19e3
SHA1 a6000c05f565a36d2250bdab2ce78f505ca624b7
SHA256 775ba68597507cf3c24663f5016d257446abeb66627f20f8f832c0860cad84de
SHA512 61727cf0b150aad6965b4f118f33fd43600fb23dde5f0a3e780cc9998dfcc038b7542bfae9043ce28fb08d613c2a91ff9166f28a2a449d0e3253adc2cb110018

memory/2960-1706-0x0000000000400000-0x0000000000414000-memory.dmp

memory/5552-1716-0x0000000000400000-0x0000000000414000-memory.dmp

memory/5672-1718-0x0000000000400000-0x0000000000414000-memory.dmp

memory/5796-1720-0x0000000001000000-0x0000000001026000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4

MD5 6fb55599a3d98ae766f7d7b346837e9b
SHA1 7f2bb79b85c4f5d976fe31eebba3074103c6f762
SHA256 b6829a14cf55a9227de001fea503586d82e5a753ab2cd3c047b19c57ebd19466
SHA512 6be1305108199a3fe7c7713099245e95388ceda1fa203c07477bd98094c55ef1cb5a26df32c37a8e664a0fdbf84fba06d457d264f9f1323f46275e500ab2b381

memory/5816-1730-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\datareporting\glean\pending_pings\98860fb2-edae-47a4-9cdb-5c16a3c70779

MD5 51a6242993ae5614827c0524c291d41b
SHA1 3d2791507c0b9d815da353f7c5964ef5e7a1bbf3
SHA256 42b8f79bacf643142958c382f4b8320e99a4d611584d50a57e2120b5bacf233a
SHA512 b9812676263233556aa096348a6895fa1317eec3b5edf49115ff9852a515e0bee218c89255f21dad52b67e01b3e7afb2cfa15932dba92ea0eaa8b71a2fa885f9

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\datareporting\glean\pending_pings\77fc68f5-bf0d-4bff-acf0-a8dd6eab4bcd

MD5 06e3bd8b281ae12ad03472b3d7676016
SHA1 0bb7f6a25aa7cef5281a8bdd63968cc2a22341cc
SHA256 6bbbebadb557c384b522635bebcbb28bc8842e566cb0a05a645d21709c55ddab
SHA512 d81aecb442136f608050e1fa21c0d4140e1cc6eece9d7dd8ddce090aabc9d280239253ca3521592463554f11a78eab20703b7fe35e92017772f1fa023d8394c0

memory/6104-1752-0x000002271DC20000-0x000002271DC30000-memory.dmp

memory/6104-1768-0x000002271DD20000-0x000002271DD30000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\Temp\~DF73CF4BCCF5AE4211.TMP

MD5 2ed6988530c52e757222b9f26b003aa6
SHA1 7c7b97b0601ea749c09a027c8f1d2189d92be65a
SHA256 c09f9ebc1c2ccd3de13d866ca9802834993729303331bee0dd9586dae9f6d2fd
SHA512 ce1f47de580edd1672eca44b51f0a5f81e3aa17fe9cda158a9eab527522269f33589869a095832a73fe828e50e97a88eed563f483982a4265b61a3d073acb375

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\je1358xf.default-release\cache2\doomed\11518

MD5 e59b6cd344ff74a75b7e9a610eee1b58
SHA1 cf52cb97984f4f611bc12c0ba1f5dcf8a1302c62
SHA256 9327a90354deac384c47a370d288e409b3b38e317a7153f45cca2305e6611bf9
SHA512 6b3728e9080e5d4701d0db83b7011fd5efd8f0b201bfbf5882f8ed20cfe16ff37a3f4cd684ec7c52599b972292f27ae794febfd3e92bc57f332d164dff73e3f6

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\je1358xf.default-release\cache2\entries\C6C531D84EAE96E728D75C90CB88801441C3392E

MD5 d248bfd79a68183a4ce6811b9ffdc312
SHA1 16a81665b5c1387a45e99fc9548499a9db4f0f40
SHA256 83dc3d19b6b87cbf39af8988f106fcd7d4f4e57aad4e16378f56b4f86e35caf1
SHA512 bee3a8c90b067863c97cb468954be5ee093919d9fcbfbc0fa15117f6525267ced15757b9a12a788ee6915ca032aa2456e3b953564562660f1a4f2db74e015ef7

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\je1358xf.default-release\cache2\doomed\8051

MD5 1934fa56664825541881ff2771d38c61
SHA1 621833a8c4323b082bc19c92e481bbfb5476b42a
SHA256 19d78a2a6e4002ebd5e165ea400206a1e98aa661b6ba4eebf92a58de1e806b8f
SHA512 a71c8dff9722a3f3846cee0068cb5e9beaa30c2960ac47cdd70c007c2622fc4d544e4473d358e3a70b25aa6de4d47a850e0ef089cf2a84b81ecfe4c3f02e4137

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\je1358xf.default-release\cache2\doomed\17175

MD5 f70848b73976a8578d98a75d2ae2da46
SHA1 accba916f469a6f9ab1d38915df3099aff6e9988