Malware Analysis Report

2024-11-30 02:17

Sample ID 241103-rxqdfswjas
Target boobee.txt
SHA256 35dcb543ce32c17153d4401abc5da15d8c8db7b16d72c6e6dfe993eabcc87f86
Tags
rhadamanthys defense_evasion discovery persistence stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Threat Level: Known bad

The file boobee.txt was found to be: Known bad.

Malicious Activity Summary

rhadamanthys defense_evasion discovery persistence stealer

Rhadamanthys family

Rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess

Drops file in Drivers directory

Downloads MZ/PE file

Sets service image path in registry

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Legitimate hosting services abused for malware hosting/C2

Checks installed software on the system

Probable phishing domain

Suspicious use of SetThreadContext

Drops file in Windows directory

Subvert Trust Controls: Mark-of-the-Web Bypass

Drops file in Program Files directory

Program crash

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Browser Information Discovery

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Checks SCSI registry key(s)

Modifies registry class

Opens file in notepad (likely ransom note)

Suspicious use of SetWindowsHookEx

Modifies system certificate store

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Checks processor information in registry

Suspicious use of WriteProcessMemory

NTFS ADS

Suspicious behavior: LoadsDriver

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-03 14:34

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-03 14:34

Reported

2024-11-03 14:54

Platform

win10ltsc2021-20241023-en

Max time kernel

1200s

Max time network

1153s

Command Line

sihost.exe

Signatures

Rhadamanthys

stealer rhadamanthys

Rhadamanthys family

rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess

Description | Indicator | Process | Target
PID 868 created 2676 | N/A | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | C:\Windows\system32\sihost.exe
PID 1720 created 2676 | N/A | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | C:\Windows\system32\sihost.exe
PID 224 created 2676 | N/A | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | C:\Windows\system32\sihost.exe
PID 5776 created 2676 | N/A | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | C:\Windows\system32\sihost.exe
PID 4964 created 2676 | N/A | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | C:\Windows\system32\sihost.exe
PID 5072 created 2676 | N/A | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | C:\Windows\system32\sihost.exe
PID 2212 created 2676 | N/A | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | C:\Windows\system32\sihost.exe
PID 896 created 2676 | N/A | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | C:\Windows\system32\sihost.exe
PID 3252 created 2676 | N/A | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | C:\Windows\system32\sihost.exe
PID 6124 created 2676 | N/A | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | C:\Windows\system32\sihost.exe
PID 5284 created 2676 | N/A | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | C:\Windows\system32\sihost.exe
PID 1740 created 2676 | N/A | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | C:\Windows\system32\sihost.exe
PID 1516 created 2676 | N/A | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | C:\Windows\system32\sihost.exe
PID 4732 created 2676 | N/A | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | C:\Windows\system32\sihost.exe
PID 5028 created 2676 | N/A | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | C:\Windows\system32\sihost.exe
PID 5916 created 2676 | N/A | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | C:\Windows\system32\sihost.exe
PID 4228 created 2676 | N/A | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | C:\Windows\system32\sihost.exe

Downloads MZ/PE file

Drops file in Drivers directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\system32\Drivers\PROCMON24.SYS | C:\Users\Admin\AppData\Local\Temp\Procmon64.exe | N/A
File created | C:\Windows\system32\Drivers\PROCMON24.SYS | C:\Users\Admin\AppData\Local\Temp\Procmon64.exe | N/A
File opened for modification | C:\Windows\system32\Drivers\PROCMON24.SYS | C:\Users\Admin\Desktop\Procmon64.exe | N/A
File created | C:\Windows\system32\Drivers\PROCMON24.SYS | C:\Users\Admin\Desktop\Procmon64.exe | N/A

Sets service image path in registry

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PROCMON24\ImagePath = "\\??\\C:\\Windows\\system32\\Drivers\\PROCMON24.SYS" | C:\Users\Admin\AppData\Local\Temp\Procmon64.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PROCMON24\ImagePath = "\\??\\C:\\Windows\\system32\\Drivers\\PROCMON24.SYS" | C:\Users\Admin\Desktop\Procmon64.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\Procmon.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\Desktop\2 Video Missha example promouting full hd 1080 view colloboration niv.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\1 Video Missha example promouting full hd 1080 view colloboration niv.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\1 Video Missha example promouting full hd 1080 view colloboration niv.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\2 Video Missha example promouting full hd 1080 view colloboration niv.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\1 Video Missha example promouting full hd 1080 view colloboration niv.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\2 Video Missha example promouting full hd 1080 view colloboration niv.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\Procmon.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Procmon64.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\Procmon64.exe | N/A
N/A | N/A | C:\Users\Admin\Downloads\processhacker-2.39-setup.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-JQUAK.tmp\processhacker-2.39-setup.tmp | N/A
N/A | N/A | C:\Program Files\Process Hacker 2\ProcessHacker.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\1 Video Missha example promouting full hd 1080 view colloboration niv.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\2 Video Missha example promouting full hd 1080 view colloboration niv.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\1 Video Missha example promouting full hd 1080 view colloboration niv.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\2 Video Missha example promouting full hd 1080 view colloboration niv.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\2 Video Missha example promouting full hd 1080 view colloboration niv.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\1 Video Missha example promouting full hd 1080 view colloboration niv.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\1 Video Missha example promouting full hd 1080 view colloboration niv.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\2 Video Missha example promouting full hd 1080 view colloboration niv.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\1 Video Missha example promouting full hd 1080 view colloboration niv.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\2 Video Missha example promouting full hd 1080 view colloboration niv.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\1 Video Missha example promouting full hd 1080 view colloboration niv.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\2 Video Missha example promouting full hd 1080 view colloboration niv.exe | N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | raw.githubusercontent.com | N/A | N/A
N/A | raw.githubusercontent.com | N/A | N/A
N/A | raw.githubusercontent.com | N/A | N/A
N/A | raw.githubusercontent.com | N/A | N/A
N/A | camo.githubusercontent.com | N/A | N/A
N/A | camo.githubusercontent.com | N/A | N/A
N/A | camo.githubusercontent.com | N/A | N/A
N/A | camo.githubusercontent.com | N/A | N/A

Probable phishing domain

Description | Indicator | Process | Target
HTTP URL | https://sourceforge.net/cdn-cgi/challenge-platform/h/b/orchestrate/chl_page/v1?ray=8dcd282cf82a94ab | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 5504 set thread context of 868 | N/A | C:\Users\Admin\Desktop\2 Video Missha example promouting full hd 1080 view colloboration niv.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
PID 1716 set thread context of 1720 | N/A | C:\Users\Admin\Desktop\1 Video Missha example promouting full hd 1080 view colloboration niv.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
PID 2244 set thread context of 224 | N/A | C:\Users\Admin\Desktop\1 Video Missha example promouting full hd 1080 view colloboration niv.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
PID 5124 set thread context of 5776 | N/A | C:\Users\Admin\Desktop\2 Video Missha example promouting full hd 1080 view colloboration niv.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
PID 5456 set thread context of 4964 | N/A | C:\Users\Admin\Desktop\1 Video Missha example promouting full hd 1080 view colloboration niv.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
PID 5100 set thread context of 5072 | N/A | C:\Users\Admin\Desktop\2 Video Missha example promouting full hd 1080 view colloboration niv.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
PID 4928 set thread context of 2212 | N/A | C:\Users\Admin\Desktop\1 Video Missha example promouting full hd 1080 view colloboration niv.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
PID 444 set thread context of 896 | N/A | C:\Users\Admin\Desktop\2 Video Missha example promouting full hd 1080 view colloboration niv.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
PID 712 set thread context of 3252 | N/A | C:\Users\Admin\Desktop\1 Video Missha example promouting full hd 1080 view colloboration niv.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
PID 5944 set thread context of 6124 | N/A | C:\Users\Admin\Desktop\2 Video Missha example promouting full hd 1080 view colloboration niv.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
PID 5344 set thread context of 5284 | N/A | C:\Users\Admin\Desktop\2 Video Missha example promouting full hd 1080 view colloboration niv.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
PID 3876 set thread context of 1740 | N/A | C:\Users\Admin\Desktop\1 Video Missha example promouting full hd 1080 view colloboration niv.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
PID 1556 set thread context of 1516 | N/A | C:\Users\Admin\Desktop\1 Video Missha example promouting full hd 1080 view colloboration niv.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
PID 836 set thread context of 4732 | N/A | C:\Users\Admin\Desktop\2 Video Missha example promouting full hd 1080 view colloboration niv.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
PID 1456 set thread context of 5028 | N/A | C:\Users\Admin\Desktop\1 Video Missha example promouting full hd 1080 view colloboration niv.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
PID 5756 set thread context of 5916 | N/A | C:\Users\Admin\Desktop\2 Video Missha example promouting full hd 1080 view colloboration niv.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
PID 5936 set thread context of 4228 | N/A | C:\Users\Admin\Desktop\1 Video Missha example promouting full hd 1080 view colloboration niv.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Process Hacker 2\is-DPLLP.tmp | C:\Users\Admin\AppData\Local\Temp\is-JQUAK.tmp\processhacker-2.39-setup.tmp | N/A
File created | C:\Program Files\Process Hacker 2\plugins\is-DQ8LR.tmp | C:\Users\Admin\AppData\Local\Temp\is-JQUAK.tmp\processhacker-2.39-setup.tmp | N/A
File created | C:\Program Files\Process Hacker 2\plugins\is-5V3H8.tmp | C:\Users\Admin\AppData\Local\Temp\is-JQUAK.tmp\processhacker-2.39-setup.tmp | N/A
File opened for modification | C:\Program Files\Process Hacker 2\plugins\DotNetTools.dll | C:\Users\Admin\AppData\Local\Temp\is-JQUAK.tmp\processhacker-2.39-setup.tmp | N/A
File opened for modification | C:\Program Files\Process Hacker 2\plugins\ExtendedTools.dll | C:\Users\Admin\AppData\Local\Temp\is-JQUAK.tmp\processhacker-2.39-setup.tmp | N/A
File created | C:\Program Files\Process Hacker 2\is-8NFIO.tmp | C:\Users\Admin\AppData\Local\Temp\is-JQUAK.tmp\processhacker-2.39-setup.tmp | N/A
File created | C:\Program Files\Process Hacker 2\x86\plugins\is-DF8D6.tmp | C:\Users\Admin\AppData\Local\Temp\is-JQUAK.tmp\processhacker-2.39-setup.tmp | N/A
File opened for modification | C:\Program Files\Process Hacker 2\plugins\ExtendedNotifications.dll | C:\Users\Admin\AppData\Local\Temp\is-JQUAK.tmp\processhacker-2.39-setup.tmp | N/A
File opened for modification | C:\Program Files\Process Hacker 2\plugins\HardwareDevices.dll | C:\Users\Admin\AppData\Local\Temp\is-JQUAK.tmp\processhacker-2.39-setup.tmp | N/A
File created | C:\Program Files\Process Hacker 2\is-4ROS5.tmp | C:\Users\Admin\AppData\Local\Temp\is-JQUAK.tmp\processhacker-2.39-setup.tmp | N/A
File created | C:\Program Files\Process Hacker 2\plugins\is-VR85G.tmp | C:\Users\Admin\AppData\Local\Temp\is-JQUAK.tmp\processhacker-2.39-setup.tmp | N/A
File created | C:\Program Files\Process Hacker 2\is-GMF3E.tmp | C:\Users\Admin\AppData\Local\Temp\is-JQUAK.tmp\processhacker-2.39-setup.tmp | N/A
File created | C:\Program Files\Process Hacker 2\x86\is-FAF1L.tmp | C:\Users\Admin\AppData\Local\Temp\is-JQUAK.tmp\processhacker-2.39-setup.tmp | N/A
File created | C:\Program Files\Process Hacker 2\plugins\is-QLO2B.tmp | C:\Users\Admin\AppData\Local\Temp\is-JQUAK.tmp\processhacker-2.39-setup.tmp | N/A
File created | C:\Program Files\Process Hacker 2\is-GJDM2.tmp | C:\Users\Admin\AppData\Local\Temp\is-JQUAK.tmp\processhacker-2.39-setup.tmp | N/A
File created | C:\Program Files\Process Hacker 2\plugins\is-EP98K.tmp | C:\Users\Admin\AppData\Local\Temp\is-JQUAK.tmp\processhacker-2.39-setup.tmp | N/A
File created | C:\Program Files\Process Hacker 2\plugins\is-CNNSS.tmp | C:\Users\Admin\AppData\Local\Temp\is-JQUAK.tmp\processhacker-2.39-setup.tmp | N/A
File created | C:\Program Files\Process Hacker 2\is-KDU1I.tmp | C:\Users\Admin\AppData\Local\Temp\is-JQUAK.tmp\processhacker-2.39-setup.tmp | N/A
File opened for modification | C:\Program Files\Process Hacker 2\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-JQUAK.tmp\processhacker-2.39-setup.tmp | N/A
File opened for modification | C:\Program Files\Process Hacker 2\ProcessHacker.exe | C:\Users\Admin\AppData\Local\Temp\is-JQUAK.tmp\processhacker-2.39-setup.tmp | N/A
File opened for modification | C:\Program Files\Process Hacker 2\peview.exe | C:\Users\Admin\AppData\Local\Temp\is-JQUAK.tmp\processhacker-2.39-setup.tmp | N/A
File opened for modification | C:\Program Files\Process Hacker 2\plugins\WindowExplorer.dll | C:\Users\Admin\AppData\Local\Temp\is-JQUAK.tmp\processhacker-2.39-setup.tmp | N/A
File created | C:\Program Files\Process Hacker 2\is-949FG.tmp | C:\Users\Admin\AppData\Local\Temp\is-JQUAK.tmp\processhacker-2.39-setup.tmp | N/A
File created | C:\Program Files\Process Hacker 2\plugins\is-R6I3C.tmp | C:\Users\Admin\AppData\Local\Temp\is-JQUAK.tmp\processhacker-2.39-setup.tmp | N/A
File opened for modification | C:\Program Files\Process Hacker 2\plugins\NetworkTools.dll | C:\Users\Admin\AppData\Local\Temp\is-JQUAK.tmp\processhacker-2.39-setup.tmp | N/A
File opened for modification | C:\Program Files\Process Hacker 2\plugins\UserNotes.dll | C:\Users\Admin\AppData\Local\Temp\is-JQUAK.tmp\processhacker-2.39-setup.tmp | N/A
File created | C:\Program Files\Process Hacker 2\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-JQUAK.tmp\processhacker-2.39-setup.tmp | N/A
File created | C:\Program Files\Process Hacker 2\is-SLJFH.tmp | C:\Users\Admin\AppData\Local\Temp\is-JQUAK.tmp\processhacker-2.39-setup.tmp | N/A
File created | C:\Program Files\Process Hacker 2\is-IO5TG.tmp | C:\Users\Admin\AppData\Local\Temp\is-JQUAK.tmp\processhacker-2.39-setup.tmp | N/A
File created | C:\Program Files\Process Hacker 2\plugins\is-DODU0.tmp | C:\Users\Admin\AppData\Local\Temp\is-JQUAK.tmp\processhacker-2.39-setup.tmp | N/A
File created | C:\Program Files\Process Hacker 2\plugins\is-TD8RC.tmp | C:\Users\Admin\AppData\Local\Temp\is-JQUAK.tmp\processhacker-2.39-setup.tmp | N/A
File opened for modification | C:\Program Files\Process Hacker 2\x86\plugins\DotNetTools.dll | C:\Users\Admin\AppData\Local\Temp\is-JQUAK.tmp\processhacker-2.39-setup.tmp | N/A
File opened for modification | C:\Program Files\Process Hacker 2\x86\ProcessHacker.exe | C:\Users\Admin\AppData\Local\Temp\is-JQUAK.tmp\processhacker-2.39-setup.tmp | N/A
File opened for modification | C:\Program Files\Process Hacker 2\plugins\Updater.dll | C:\Users\Admin\AppData\Local\Temp\is-JQUAK.tmp\processhacker-2.39-setup.tmp | N/A
File created | C:\Program Files\Process Hacker 2\plugins\is-N29EF.tmp | C:\Users\Admin\AppData\Local\Temp\is-JQUAK.tmp\processhacker-2.39-setup.tmp | N/A
File created | C:\Program Files\Process Hacker 2\plugins\is-4PGJF.tmp | C:\Users\Admin\AppData\Local\Temp\is-JQUAK.tmp\processhacker-2.39-setup.tmp | N/A
File opened for modification | C:\Program Files\Process Hacker 2\plugins\OnlineChecks.dll | C:\Users\Admin\AppData\Local\Temp\is-JQUAK.tmp\processhacker-2.39-setup.tmp | N/A
File opened for modification | C:\Program Files\Process Hacker 2\plugins\SbieSupport.dll | C:\Users\Admin\AppData\Local\Temp\is-JQUAK.tmp\processhacker-2.39-setup.tmp | N/A
File created | C:\Program Files\Process Hacker 2\plugins\is-TL3UB.tmp | C:\Users\Admin\AppData\Local\Temp\is-JQUAK.tmp\processhacker-2.39-setup.tmp | N/A
File opened for modification | C:\Program Files\Process Hacker 2\plugins\ExtendedServices.dll | C:\Users\Admin\AppData\Local\Temp\is-JQUAK.tmp\processhacker-2.39-setup.tmp | N/A
File opened for modification | C:\Program Files\Process Hacker 2\plugins\ToolStatus.dll | C:\Users\Admin\AppData\Local\Temp\is-JQUAK.tmp\processhacker-2.39-setup.tmp | N/A
File created | C:\Program Files\Process Hacker 2\is-ROKOK.tmp | C:\Users\Admin\AppData\Local\Temp\is-JQUAK.tmp\processhacker-2.39-setup.tmp | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Windows\system32\mspaint.exe | N/A

Subvert Trust Controls: Mark-of-the-Web Bypass

defense_evasion
Description | Indicator | Process | Target
File created | C:\Users\Admin\Downloads\processhacker-2.39-setup.exe:Zone.Identifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\dialer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\dialer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\dialer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-JQUAK.tmp\processhacker-2.39-setup.tmp | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\dialer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\dialer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\dialer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\Procmon.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\dialer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\dialer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\dialer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\dialer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\processhacker-2.39-setup.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\dialer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\dialer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\dialer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\dialer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\dialer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\dialer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\dialer.exe | N/A

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Process Hacker 2\ProcessHacker.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Process Hacker 2\ProcessHacker.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\ProcMon.Logfile.1\DefaultIcon | C:\Users\Admin\Desktop\Procmon64.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\ProcMon.Logfile.1\DefaultIcon\ = "\"C:\\Users\\Admin\\Desktop\\Procmon64.exe\",0" | C:\Users\Admin\Desktop\Procmon64.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\ProcMon.Logfile.1\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\Procmon64.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\ProcMon.Logfile.1\ = "ProcMon Log File" | C:\Users\Admin\Desktop\Procmon64.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\ProcMon.Logfile.1\shell\open\command\ = "\"C:\\Users\\Admin\\Desktop\\Procmon64.exe\" /OpenLog \"%1\"" | C:\Users\Admin\Desktop\Procmon64.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\ProcMon.Logfile.1\shell\open\command | C:\Users\Admin\AppData\Local\Temp\Procmon64.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\ProcMon.Logfile.1\shell | C:\Users\Admin\AppData\Local\Temp\Procmon64.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\ProcMon.Logfile.1\shell\open | C:\Users\Admin\AppData\Local\Temp\Procmon64.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\ProcMon.Logfile.1 | C:\Users\Admin\Desktop\Procmon64.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\.PML | C:\Users\Admin\AppData\Local\Temp\Procmon64.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\ProcMon.Logfile.1 | C:\Users\Admin\AppData\Local\Temp\Procmon64.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\ProcMon.Logfile.1\ = "ProcMon Log File" | C:\Users\Admin\AppData\Local\Temp\Procmon64.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\.PML\ = "ProcMon.Logfile.1" | C:\Users\Admin\AppData\Local\Temp\Procmon64.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\ProcMon.Logfile.1\DefaultIcon\ = "\"C:\\Users\\Admin\\Desktop\\Procmon.exe\",0" | C:\Users\Admin\AppData\Local\Temp\Procmon64.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\.PML | C:\Users\Admin\Desktop\Procmon64.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\.PML\ = "ProcMon.Logfile.1" | C:\Users\Admin\Desktop\Procmon64.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\ProcMon.Logfile.1\shell\open\command | C:\Users\Admin\Desktop\Procmon64.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\Desktop\Procmon.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\ProcMon.Logfile.1\shell\open\command\ = "\"C:\\Users\\Admin\\Desktop\\Procmon.exe\" /OpenLog \"%1\"" | C:\Users\Admin\AppData\Local\Temp\Procmon64.exe | N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
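
The Blob above is the serialized-property format CryptoAPI uses for registry certificate stores, and the store it lands in, AuthRoot, is the cache that Windows' automatic root update fills when a certificate chain needs a public root that is not yet present on the machine. The thumbprint in the key name, 5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25, is the DigiCert High Assurance EV Root CA, and the DER inside the blob carries that subject, so this row is the OS caching a well-known root (the kind of write that follows building a signed binary's chain), not a rogue root being planted. A planted root would normally show up under ...\SystemCertificates\Root\Certificates or with a subject outside Microsoft's root program. The script below is an added example, not part of the sandbox report: it decodes that blob (pasted verbatim from the row above, split at property and DER boundaries), checks that SHA-1 of the embedded certificate equals both the key name and the stored hash property, and extracts serial and subject so the same check can be run on any Certificates\<thumbprint>\Blob write. Function names and the shortened property names are my own; the numeric property IDs are from wincrypt.h, and the DER walker is deliberately minimal (single-valued RDNs, no extension parsing).

```python
r"""Decode a SystemCertificates\...\Certificates\<thumbprint>\Blob registry value and check the
embedded certificate against the key name.  Added example, not part of the sandbox report."""
import hashlib

# CERT_*_PROP_ID values from wincrypt.h that occur in this blob; 32 (CERT_CERT_PROP_ID) is the DER.
PROP_NAMES = {3: "SHA1_HASH", 4: "MD5_HASH", 9: "ENHKEY_USAGE", 11: "FRIENDLY_NAME",
              15: "SIGNATURE_HASH", 20: "KEY_IDENTIFIER", 25: "SUBJECT_PUBLIC_KEY_MD5_HASH",
              29: "SUBJECT_NAME_MD5_HASH", 32: "CERT", 83: "ROOT_PROGRAM_CERT_POLICIES",
              98: "AUTH_ROOT_SHA256_HASH"}

KEY_THUMBPRINT = "5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25"   # last component of the registry key
# The Blob value from the table above, whitespace inserted at property and DER boundaries only.
BLOB_HEX = "".join("""
04000000 01000000 10000000 d474de575c39b2d39c8583c5c065498a 0f000000 01000000 14000000 e35ef08d884f0a0ade2f75e96301ce6230f213a8
53000000 01000000 40000000 303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0
09000000 01000000 34000000 303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308
62000000 01000000 20000000 7431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf 14000000 01000000 14000000 b13ec36903f8bf4701d498261a0802ef63642bc3
0b000000 01000000 12000000 440069006700690043006500720074000000 1d000000 01000000 10000000 8f76b981d528ad4770088245e2031b63
03000000 01000000 14000000 5fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25 19000000 01000000 10000000 ba4f3972e7aed9dccdc210db59da13c9
20000000 01000000 c9030000 308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500
306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341
301e170d3036313131303030303030305a170d3331313131303030303030305a
306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341
30820122300d06092a864886f70d01010105000382010f003082010a0282010100
c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f7
4aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8d
b3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c5
5db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb
0203010001 a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3
300d06092a864886f70d0101050500 0382010100
1c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5
219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b
318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4
ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a
""".split())


def parse_cert_blob(blob: bytes) -> dict:
    """Registry store element: repeated {DWORD propid, DWORD 1, DWORD cb, cb bytes of data}."""
    props, pos = {}, 0
    while pos + 12 <= len(blob):
        propid, flag, size = (int.from_bytes(blob[i:i + 4], "little") for i in (pos, pos + 4, pos + 8))
        if flag != 1 or pos + 12 + size > len(blob):
            raise ValueError(f"malformed property {propid} at offset {pos}")
        props[propid] = blob[pos + 12:pos + 12 + size]
        pos += 12 + size
    if pos != len(blob):
        raise ValueError(f"{len(blob) - pos} trailing bytes after last property")
    return props


def _tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value; return (tag, value, offset after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _name_attrs(name: bytes) -> list:
    """X.501 Name (SEQUENCE OF SET OF {OID, value}) -> [(oid_hex, text)]; single-valued RDNs assumed."""
    attrs, pos = [], 0
    while pos < len(name):
        _, rdn, pos = _tlv(name, pos)
        _, atv, _ = _tlv(rdn, 0)
        _, oid, p = _tlv(atv, 0)
        attrs.append((oid.hex(), _tlv(atv, p)[1].decode("latin-1")))
    return attrs


def tbs_fields(der: bytes) -> dict:
    """Serial, issuer and subject of a DER X.509 certificate (just enough ASN.1 for this)."""
    _, tbs, _ = _tlv(_tlv(der, 0)[1], 0)
    tag, serial, pos = _tlv(tbs, 0)
    if tag == 0xA0:                         # explicit [0] version precedes the serial
        _, serial, pos = _tlv(tbs, pos)
    _, _sigalg, pos = _tlv(tbs, pos)
    _, issuer, pos = _tlv(tbs, pos)
    _, _validity, pos = _tlv(tbs, pos)
    subject = _tlv(tbs, pos)[1]
    return {"serial": serial.hex(), "issuer": _name_attrs(issuer), "subject": _name_attrs(subject)}


def audit_blob(key_thumbprint: str, blob_hex: str) -> dict:
    """Does the certificate stored under <key_thumbprint> really hash to that thumbprint?"""
    props = parse_cert_blob(bytes.fromhex(blob_hex))
    der, fields = props[32], tbs_fields(props[32])
    sha1 = hashlib.sha1(der).hexdigest().upper()
    return {
        "prop_ids": sorted(props),
        "friendly_name": props[11].decode("utf-16-le").rstrip("\0"),
        "serial": fields["serial"],
        "subject_cn": dict(fields["subject"]).get("550403"),          # OID 2.5.4.3 = commonName
        "self_signed": fields["issuer"] == fields["subject"],
        "key_name_matches_sha1": sha1 == key_thumbprint.upper(),
        "stored_sha1_matches": props[3].hex().upper() == sha1,
        "stored_sha256_matches": props.get(98, b"").hex() == hashlib.sha256(der).hexdigest(),
    }


if __name__ == "__main__":
    result = audit_blob(KEY_THUMBPRINT, BLOB_HEX)
    result["prop_ids"] = [PROP_NAMES.get(p, p) for p in result["prop_ids"]]
    for key, value in result.items():
        print(f"{key:>22}: {value}")
```

Running it against the row above reports subject_cn "DigiCert High Assurance EV Root CA", a self-signed certificate, and all three hash checks true. The useful failure mode is the opposite case: a blob whose computed SHA-1 does not match its key name, or whose subject is unfamiliar, is worth pulling out of the sandbox and chasing, because the key name is what a casual registry diff will show and it is trivially forgeable.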

NTFS ADS

Description Indicator Process Target
File created C:\Users\Admin\Downloads\Misha Video.rar:Zone.Identifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
File created C:\Users\Admin\Downloads\ProcessMonitor.zip:Zone.Identifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
File created C:\Users\Admin\Downloads\processhacker-2.39-setup.exe:Zone.Identifier C:\Program Files\Mozilla Firefox\firefox.exe N/A

Opens file in notepad (likely ransom note)

ransomware

Note: the NOTEPAD.EXE command line recorded under Processes is notepad opening the submitted sample itself (C:\Users\Admin\AppData\Local\Temp\boobee.txt), so this tag reflects the .txt that was detonated rather than a note dropped by the payload; the signature list carries no file-encryption activity and the family verdict is Rhadamanthys, a stealer.
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\mspaint.exe N/A
N/A N/A C:\Windows\system32\mspaint.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe N/A
N/A N/A C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe N/A
N/A N/A C:\Windows\SysWOW64\dialer.exe N/A
N/A N/A C:\Windows\SysWOW64\dialer.exe N/A
N/A N/A C:\Windows\SysWOW64\dialer.exe N/A
N/A N/A C:\Windows\SysWOW64\dialer.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Procmon64.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Procmon64.exe N/A
N/A N/A C:\Users\Admin\Desktop\Procmon64.exe N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: 33 (SeIncreaseWorkingSetPrivilege) N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: 35 (SeCreateSymbolicLinkPrivilege) N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: 35 (SeCreateSymbolicLinkPrivilege) N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\2 Video Missha example promouting full hd 1080 view colloboration niv.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\1 Video Missha example promouting full hd 1080 view colloboration niv.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\1 Video Missha example promouting full hd 1080 view colloboration niv.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\2 Video Missha example promouting full hd 1080 view colloboration niv.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\1 Video Missha example promouting full hd 1080 view colloboration niv.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\2 Video Missha example promouting full hd 1080 view colloboration niv.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: 35 (SeCreateSymbolicLinkPrivilege) N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Procmon64.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Procmon64.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\Procmon64.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\Desktop\Procmon64.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\is-JQUAK.tmp\processhacker-2.39-setup.tmp N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\is-JQUAK.tmp\processhacker-2.39-setup.tmp N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\is-JQUAK.tmp\processhacker-2.39-setup.tmp N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\is-JQUAK.tmp\processhacker-2.39-setup.tmp N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\is-JQUAK.tmp\processhacker-2.39-setup.tmp N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\is-JQUAK.tmp\processhacker-2.39-setup.tmp N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\is-JQUAK.tmp\processhacker-2.39-setup.tmp N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\is-JQUAK.tmp\processhacker-2.39-setup.tmp N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\is-JQUAK.tmp\processhacker-2.39-setup.tmp N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\is-JQUAK.tmp\processhacker-2.39-setup.tmp N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\is-JQUAK.tmp\processhacker-2.39-setup.tmp N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\is-JQUAK.tmp\processhacker-2.39-setup.tmp N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\is-JQUAK.tmp\processhacker-2.39-setup.tmp N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\is-JQUAK.tmp\processhacker-2.39-setup.tmp N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\is-JQUAK.tmp\processhacker-2.39-setup.tmp N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\is-JQUAK.tmp\processhacker-2.39-setup.tmp N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\is-JQUAK.tmp\processhacker-2.39-setup.tmp N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\is-JQUAK.tmp\processhacker-2.39-setup.tmp N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\is-JQUAK.tmp\processhacker-2.39-setup.tmp N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\is-JQUAK.tmp\processhacker-2.39-setup.tmp N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\is-JQUAK.tmp\processhacker-2.39-setup.tmp N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\is-JQUAK.tmp\processhacker-2.39-setup.tmp N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\is-JQUAK.tmp\processhacker-2.39-setup.tmp N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\is-JQUAK.tmp\processhacker-2.39-setup.tmp N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\is-JQUAK.tmp\processhacker-2.39-setup.tmp N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\7-Zip\7zG.exe N/A
N/A N/A C:\Program Files\7-Zip\7zG.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 928 wrote to memory of 1680 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 928 wrote to memory of 1680 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 928 wrote to memory of 1680 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 928 wrote to memory of 1680 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 928 wrote to memory of 1680 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 928 wrote to memory of 1680 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 928 wrote to memory of 1680 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 928 wrote to memory of 1680 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 928 wrote to memory of 1680 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 928 wrote to memory of 1680 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 928 wrote to memory of 1680 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1680 wrote to memory of 1048 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1680 wrote to memory of 1048 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1680 wrote to memory of 1048 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1680 wrote to memory of 1048 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1680 wrote to memory of 1048 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1680 wrote to memory of 1048 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1680 wrote to memory of 1048 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1680 wrote to memory of 1048 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1680 wrote to memory of 1048 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1680 wrote to memory of 1048 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1680 wrote to memory of 1048 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1680 wrote to memory of 1048 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1680 wrote to memory of 1048 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1680 wrote to memory of 1048 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1680 wrote to memory of 1048 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1680 wrote to memory of 1048 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1680 wrote to memory of 1048 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1680 wrote to memory of 1048 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1680 wrote to memory of 1048 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1680 wrote to memory of 1048 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1680 wrote to memory of 1048 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1680 wrote to memory of 1048 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1680 wrote to memory of 1048 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1680 wrote to memory of 1048 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1680 wrote to memory of 1048 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1680 wrote to memory of 1048 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1680 wrote to memory of 1048 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1680 wrote to memory of 1048 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1680 wrote to memory of 1048 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1680 wrote to memory of 1048 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1680 wrote to memory of 1048 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1680 wrote to memory of 1048 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1680 wrote to memory of 1048 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1680 wrote to memory of 1048 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1680 wrote to memory of 1048 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1680 wrote to memory of 1048 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1680 wrote to memory of 1048 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1680 wrote to memory of 1048 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1680 wrote to memory of 1048 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1680 wrote to memory of 1048 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1680 wrote to memory of 1048 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1680 wrote to memory of 1048 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1680 wrote to memory of 1048 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1680 wrote to memory of 1048 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1680 wrote to memory of 1048 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1680 wrote to memory of 4388 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1680 wrote to memory of 4388 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1680 wrote to memory of 4388 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1680 wrote to memory of 4388 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1680 wrote to memory of 4388 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1680 wrote to memory of 4388 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1680 wrote to memory of 4388 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1680 wrote to memory of 4388 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
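
Every row in this table is firefox.exe writing into another firefox.exe, in the chain 928 -> 1680 -> {1048, 4388}, and 1680 is the parent named in every -contentproc command line under Processes; that is consistent with Firefox's launcher/parent/child process model, not with injection into a foreign image. The script below is an added example, not part of the report: it parses rows in this table's format, collapses them to one entry per writer/target pair with a count, rebuilds the writer chain, and flags only writes whose target image differs from the writer's. The sample input repeats the three pairs above with their row counts (11, 45 and 8) and adds one constructed row (PIDs 5000/5100 and the dropper path are invented) so the filter has something to catch.

```python
"""Collapse a sandbox 'Suspicious use of WriteProcessMemory' table into per-pair counts and flag
cross-image writes.  Added example, not part of the report."""
import re
from collections import Counter, defaultdict
from pathlib import PureWindowsPath

# One table row: "PID <src> wrote to memory of <dst> N/A <writer image> <target image>".
# Both images end in .exe; the first non-greedy group stops at the first ".exe" followed by a space.
ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+?\.exe) (.+?\.exe)$", re.IGNORECASE)

FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"


def _row(src, dst, writer_image, target_image):
    return f"PID {src} wrote to memory of {dst} N/A {writer_image} {target_image}"


# The three writer/target pairs from the table above with their row counts (11, 45, 8), plus
# one constructed row (PIDs 5000/5100 and the dropper path are invented) for the filter to catch.
SAMPLE_ROWS = "\n".join(
    ["Description Indicator Process Target"]
    + [_row(928, 1680, FIREFOX, FIREFOX)] * 11
    + [_row(1680, 1048, FIREFOX, FIREFOX)] * 45
    + [_row(1680, 4388, FIREFOX, FIREFOX)] * 8
    + [_row(5000, 5100, r"C:\Users\Admin\AppData\Local\Temp\dropper.exe", r"C:\Windows\SysWOW64\dialer.exe")]
)


def parse_rows(text: str) -> list:
    """Return (writer pid, target pid, writer image, target image) for every row that parses."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:                                   # the header and blank lines do not match
            src, dst, wimg, timg = m.groups()
            rows.append((int(src), int(dst), wimg, timg))
    return rows


def summarize(rows) -> Counter:
    """How many times each writer/target pair appears."""
    return Counter(rows)


def writer_tree(rows) -> dict:
    """writer pid -> sorted target pids, to see the chain (928 -> 1680 -> 1048, 4388 above)."""
    tree = defaultdict(set)
    for src, dst, _, _ in rows:
        tree[src].add(dst)
    return {k: sorted(v) for k, v in tree.items()}


def cross_image_writes(rows) -> list:
    """Pairs whose target image is not the writer's own image.  A browser parent writing into
    its own children is expected process-bootstrap traffic; a different image on the target
    side is the shape process injection takes and is what deserves analyst time."""
    hits = []
    for (src, dst, wimg, timg), n in summarize(rows).items():
        if PureWindowsPath(wimg).name.lower() != PureWindowsPath(timg).name.lower():
            hits.append({"writer": src, "target": dst, "writer_image": wimg,
                         "target_image": timg, "writes": n})
    return hits


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_ROWS)
    print(writer_tree(rows))
    for hit in cross_image_writes(rows):
        print("cross-image write:", hit)
```

The same-image rule is a noise filter, not a verdict: a payload that runs from a copy of a legitimate binary, or that injects into a child it spawned from the same image, will pass it, so the per-pair counts and the writer tree are kept alongside the hits rather than discarded.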

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\boobee.txt

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1972 -parentBuildID 20240401114208 -prefsHandle 1888 -prefMapHandle 1880 -prefsLen 23681 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {97743326-3ae3-4086-b239-8672e3e11a69} 1680 "\\.\pipe\gecko-crash-server-pipe.1680" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2364 -parentBuildID 20240401114208 -prefsHandle 2356 -prefMapHandle 2344 -prefsLen 23717 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aa99851f-588f-4057-a009-449194cb5879} 1680 "\\.\pipe\gecko-crash-server-pipe.1680" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3288 -childID 1 -isForBrowser -prefsHandle 3240 -prefMapHandle 3236 -prefsLen 23858 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9a9f0be9-e5c9-4157-a4c7-19c8df1d5052} 1680 "\\.\pipe\gecko-crash-server-pipe.1680" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3968 -childID 2 -isForBrowser -prefsHandle 3960 -prefMapHandle 3944 -prefsLen 29091 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {45501ca5-4a1e-401b-b817-915efc2e8041} 1680 "\\.\pipe\gecko-crash-server-pipe.1680" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4860 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4828 -prefMapHandle 4852 -prefsLen 29091 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f8764989-a056-48cb-94da-9be20702cf82} 1680 "\\.\pipe\gecko-crash-server-pipe.1680" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5352 -childID 3 -isForBrowser -prefsHandle 5376 -prefMapHandle 5344 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ac34c5f2-a3a4-431a-9935-845bff043b32} 1680 "\\.\pipe\gecko-crash-server-pipe.1680" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5512 -childID 4 -isForBrowser -prefsHandle 5520 -prefMapHandle 5524 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1592ed22-a3ab-4b85-b8c6-867119072d7b} 1680 "\\.\pipe\gecko-crash-server-pipe.1680" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5704 -childID 5 -isForBrowser -prefsHandle 5712 -prefMapHandle 5716 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {79aaada9-1f41-4853-9965-f37d7cd32d7f} 1680 "\\.\pipe\gecko-crash-server-pipe.1680" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6236 -childID 6 -isForBrowser -prefsHandle 6220 -prefMapHandle 6224 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c65a60fa-3931-441b-9473-f5ff160b8dbc} 1680 "\\.\pipe\gecko-crash-server-pipe.1680" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2720 -childID 7 -isForBrowser -prefsHandle 4500 -prefMapHandle 3528 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {da860103-5366-4e5a-bcae-3e43259be624} 1680 "\\.\pipe\gecko-crash-server-pipe.1680" tab

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x4f8 0x458

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap6703:80:7zEvent28020

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\info.txt

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\MacOS\instructions.txt

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap17092:80:7zEvent13002

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3540 -childID 8 -isForBrowser -prefsHandle 6464 -prefMapHandle 3532 -prefsLen 28038 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5d044258-2763-4354-bcf7-a6b83e827b29} 1680 "\\.\pipe\gecko-crash-server-pipe.1680" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6196 -childID 9 -isForBrowser -prefsHandle 6464 -prefMapHandle 5748 -prefsLen 28038 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {605397ae-01f0-41ad-ac4d-9bd32267dfbe} 1680 "\\.\pipe\gecko-crash-server-pipe.1680" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5556 -childID 10 -isForBrowser -prefsHandle 5216 -prefMapHandle 4608 -prefsLen 28038 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d88eed5e-4035-4455-bc45-a4c337135352} 1680 "\\.\pipe\gecko-crash-server-pipe.1680" tab

C:\Windows\system32\mspaint.exe

"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\logo.png"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4860 -childID 11 -isForBrowser -prefsHandle 5344 -prefMapHandle 6732 -prefsLen 28038 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b5ebb07c-9224-4c88-8d72-1d007795207e} 1680 "\\.\pipe\gecko-crash-server-pipe.1680" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7388 -childID 12 -isForBrowser -prefsHandle 6748 -prefMapHandle 6504 -prefsLen 28038 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ccfb2077-38af-4b95-b7ff-9cfe539708c4} 1680 "\\.\pipe\gecko-crash-server-pipe.1680" tab

C:\Users\Admin\Desktop\2 Video Missha example promouting full hd 1080 view colloboration niv.exe

"C:\Users\Admin\Desktop\2 Video Missha example promouting full hd 1080 view colloboration niv.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7600 -childID 13 -isForBrowser -prefsHandle 7340 -prefMapHandle 6976 -prefsLen 28038 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {561ae058-d0b2-4190-99b8-638425508245} 1680 "\\.\pipe\gecko-crash-server-pipe.1680" tab

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /7

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

C:\Windows\SysWOW64\dialer.exe

"C:\Windows\system32\dialer.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 868 -ip 868

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 868 -s 544

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 868 -ip 868

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 868 -s 552

C:\Users\Admin\Desktop\1 Video Missha example promouting full hd 1080 view colloboration niv.exe

"C:\Users\Admin\Desktop\1 Video Missha example promouting full hd 1080 view colloboration niv.exe"

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

C:\Windows\SysWOW64\dialer.exe

"C:\Windows\system32\dialer.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1720 -ip 1720

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 508

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1720 -ip 1720

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 504

C:\Users\Admin\Desktop\1 Video Missha example promouting full hd 1080 view colloboration niv.exe

"C:\Users\Admin\Desktop\1 Video Missha example promouting full hd 1080 view colloboration niv.exe"

C:\Users\Admin\Desktop\2 Video Missha example promouting full hd 1080 view colloboration niv.exe

"C:\Users\Admin\Desktop\2 Video Missha example promouting full hd 1080 view colloboration niv.exe"

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

C:\Windows\SysWOW64\dialer.exe

"C:\Windows\system32\dialer.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 224 -ip 224

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 224 -s 484

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 224 -ip 224

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 224 -s 476

C:\Users\Admin\Desktop\1 Video Missha example promouting full hd 1080 view colloboration niv.exe

"C:\Users\Admin\Desktop\1 Video Missha example promouting full hd 1080 view colloboration niv.exe"

C:\Users\Admin\Desktop\2 Video Missha example promouting full hd 1080 view colloboration niv.exe

"C:\Users\Admin\Desktop\2 Video Missha example promouting full hd 1080 view colloboration niv.exe"

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

C:\Windows\SysWOW64\dialer.exe

"C:\Windows\system32\dialer.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 5776 -ip 5776

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5776 -s 484

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5776 -ip 5776

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5776 -s 476

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

C:\Windows\SysWOW64\dialer.exe

"C:\Windows\system32\dialer.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4964 -ip 4964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 512

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4964 -ip 4964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 532

C:\Windows\SysWOW64\dialer.exe

"C:\Windows\system32\dialer.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 5072 -ip 5072

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5072 -s 480

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 5072 -ip 5072

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5072 -s 476

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3708 -childID 14 -isForBrowser -prefsHandle 5912 -prefMapHandle 7076 -prefsLen 28038 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ec401e99-ef7e-441d-9b0d-9d9df5933ac5} 1680 "\\.\pipe\gecko-crash-server-pipe.1680" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7512 -childID 15 -isForBrowser -prefsHandle 7516 -prefMapHandle 4860 -prefsLen 28038 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7c56cec5-dd09-422a-9aca-dd45ae7d67ef} 1680 "\\.\pipe\gecko-crash-server-pipe.1680" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4504 -childID 16 -isForBrowser -prefsHandle 2720 -prefMapHandle 7280 -prefsLen 28038 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {957b393a-3a04-46bb-86b3-1c68d5e4973b} 1680 "\\.\pipe\gecko-crash-server-pipe.1680" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5220 -childID 17 -isForBrowser -prefsHandle 5556 -prefMapHandle 7152 -prefsLen 28038 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f985afd6-e34b-4d52-9197-ef06ee36a9e7} 1680 "\\.\pipe\gecko-crash-server-pipe.1680" tab

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap11512:86:7zEvent31275

C:\Users\Admin\Desktop\Procmon.exe

"C:\Users\Admin\Desktop\Procmon.exe"

C:\Users\Admin\AppData\Local\Temp\Procmon64.exe

"C:\Users\Admin\AppData\Local\Temp\Procmon64.exe" /originalpath "C:\Users\Admin\Desktop\Procmon.exe"

C:\Users\Admin\Desktop\Procmon64.exe

"C:\Users\Admin\Desktop\Procmon64.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7368 -childID 18 -isForBrowser -prefsHandle 5376 -prefMapHandle 7264 -prefsLen 28038 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {30cfe69b-76a6-4327-b41d-c2d33c8e88cd} 1680 "\\.\pipe\gecko-crash-server-pipe.1680" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7216 -childID 19 -isForBrowser -prefsHandle 4672 -prefMapHandle 6592 -prefsLen 28038 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3229e9c5-ef52-4666-86ef-2f9c14f0a95f} 1680 "\\.\pipe\gecko-crash-server-pipe.1680" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7340 -childID 20 -isForBrowser -prefsHandle 6592 -prefMapHandle 7064 -prefsLen 28038 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cd076b55-fbc6-494c-932d-83558a4df83e} 1680 "\\.\pipe\gecko-crash-server-pipe.1680" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7740 -childID 21 -isForBrowser -prefsHandle 7660 -prefMapHandle 7668 -prefsLen 28038 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5a47ea70-88ba-4fce-9c4f-46197295d5fb} 1680 "\\.\pipe\gecko-crash-server-pipe.1680" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2588 -childID 22 -isForBrowser -prefsHandle 5568 -prefMapHandle 6820 -prefsLen 28038 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a8e4db0a-5897-48e5-8dd3-5fe4763435da} 1680 "\\.\pipe\gecko-crash-server-pipe.1680" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7120 -childID 23 -isForBrowser -prefsHandle 7080 -prefMapHandle 5268 -prefsLen 28038 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2bf8c7d4-d645-4201-a990-456c84e1646e} 1680 "\\.\pipe\gecko-crash-server-pipe.1680" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8556 -childID 24 -isForBrowser -prefsHandle 8596 -prefMapHandle 8580 -prefsLen 28038 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {561d18bf-fb24-4850-97a9-e1026a67c1f5} 1680 "\\.\pipe\gecko-crash-server-pipe.1680" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8708 -childID 25 -isForBrowser -prefsHandle 8524 -prefMapHandle 8516 -prefsLen 28038 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cc25f9be-fb24-4736-8aea-f26bf4601f88} 1680 "\\.\pipe\gecko-crash-server-pipe.1680" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8344 -childID 26 -isForBrowser -prefsHandle 8532 -prefMapHandle 7204 -prefsLen 28038 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b93f6bd7-43b9-4516-8b25-cf98663a3173} 1680 "\\.\pipe\gecko-crash-server-pipe.1680" tab

C:\Users\Admin\Downloads\processhacker-2.39-setup.exe

"C:\Users\Admin\Downloads\processhacker-2.39-setup.exe"

C:\Users\Admin\AppData\Local\Temp\is-JQUAK.tmp\processhacker-2.39-setup.tmp

"C:\Users\Admin\AppData\Local\Temp\is-JQUAK.tmp\processhacker-2.39-setup.tmp" /SL5="$504B0,1874675,150016,C:\Users\Admin\Downloads\processhacker-2.39-setup.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8544 -childID 27 -isForBrowser -prefsHandle 8612 -prefMapHandle 7256 -prefsLen 28038 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {eb4ade47-2cfe-4ff3-a29b-1f3c465e453f} 1680 "\\.\pipe\gecko-crash-server-pipe.1680" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7144 -childID 28 -isForBrowser -prefsHandle 8856 -prefMapHandle 5280 -prefsLen 28038 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b2a079bf-d0c6-42da-a57d-0ec856ab6d5d} 1680 "\\.\pipe\gecko-crash-server-pipe.1680" tab

C:\Program Files\Process Hacker 2\ProcessHacker.exe

"C:\Program Files\Process Hacker 2\ProcessHacker.exe"

C:\Users\Admin\Desktop\1 Video Missha example promouting full hd 1080 view colloboration niv.exe

"C:\Users\Admin\Desktop\1 Video Missha example promouting full hd 1080 view colloboration niv.exe"

C:\Users\Admin\Desktop\2 Video Missha example promouting full hd 1080 view colloboration niv.exe

"C:\Users\Admin\Desktop\2 Video Missha example promouting full hd 1080 view colloboration niv.exe"

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

C:\Windows\SysWOW64\dialer.exe

"C:\Windows\system32\dialer.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2212 -ip 2212

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2212 -s 484

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2212 -ip 2212

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2212 -s 460

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

C:\Windows\SysWOW64\dialer.exe

"C:\Windows\system32\dialer.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 896 -ip 896

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 896 -s 512

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 896 -ip 896

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 896 -s 520

C:\Users\Admin\Desktop\1 Video Missha example promouting full hd 1080 view colloboration niv.exe

"C:\Users\Admin\Desktop\1 Video Missha example promouting full hd 1080 view colloboration niv.exe"

C:\Users\Admin\Desktop\2 Video Missha example promouting full hd 1080 view colloboration niv.exe

"C:\Users\Admin\Desktop\2 Video Missha example promouting full hd 1080 view colloboration niv.exe"

C:\Users\Admin\Desktop\2 Video Missha example promouting full hd 1080 view colloboration niv.exe

"C:\Users\Admin\Desktop\2 Video Missha example promouting full hd 1080 view colloboration niv.exe"

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

C:\Windows\SysWOW64\dialer.exe

"C:\Windows\system32\dialer.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3252 -ip 3252

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3252 -s 484

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3252 -ip 3252

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3252 -s 476

C:\Windows\SysWOW64\dialer.exe

"C:\Windows\system32\dialer.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 6124 -ip 6124

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6124 -s 476

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 6124 -ip 6124

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6124 -s 480

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

C:\Windows\SysWOW64\dialer.exe

"C:\Windows\system32\dialer.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 5284 -ip 5284

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5284 -s 484

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 5284 -ip 5284

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5284 -s 508

C:\Users\Admin\Desktop\1 Video Missha example promouting full hd 1080 view colloboration niv.exe

"C:\Users\Admin\Desktop\1 Video Missha example promouting full hd 1080 view colloboration niv.exe"

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

C:\Windows\SysWOW64\dialer.exe

"C:\Windows\system32\dialer.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1740 -ip 1740

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1740 -s 480

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1740 -ip 1740

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1740 -s 456

C:\Users\Admin\Desktop\1 Video Missha example promouting full hd 1080 view colloboration niv.exe

"C:\Users\Admin\Desktop\1 Video Missha example promouting full hd 1080 view colloboration niv.exe"

C:\Users\Admin\Desktop\2 Video Missha example promouting full hd 1080 view colloboration niv.exe

"C:\Users\Admin\Desktop\2 Video Missha example promouting full hd 1080 view colloboration niv.exe"

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

C:\Windows\SysWOW64\dialer.exe

"C:\Windows\system32\dialer.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1516 -ip 1516

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 348

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1516 -ip 1516

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 480

C:\Windows\SysWOW64\dialer.exe

"C:\Windows\system32\dialer.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4732 -ip 4732

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4732 -s 480

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4732 -ip 4732

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4732 -s 476

C:\Users\Admin\Desktop\1 Video Missha example promouting full hd 1080 view colloboration niv.exe

"C:\Users\Admin\Desktop\1 Video Missha example promouting full hd 1080 view colloboration niv.exe"

C:\Users\Admin\Desktop\2 Video Missha example promouting full hd 1080 view colloboration niv.exe

"C:\Users\Admin\Desktop\2 Video Missha example promouting full hd 1080 view colloboration niv.exe"

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

C:\Windows\SysWOW64\dialer.exe

"C:\Windows\system32\dialer.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 5028 -ip 5028

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 480

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 5028 -ip 5028

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 476

C:\Windows\SysWOW64\dialer.exe

"C:\Windows\system32\dialer.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5916 -ip 5916

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5916 -s 484

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 5916 -ip 5916

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5916 -s 348

C:\Users\Admin\Desktop\1 Video Missha example promouting full hd 1080 view colloboration niv.exe

"C:\Users\Admin\Desktop\1 Video Missha example promouting full hd 1080 view colloboration niv.exe"

C:\Users\Admin\Desktop\2 Video Missha example promouting full hd 1080 view colloboration niv.exe

"C:\Users\Admin\Desktop\2 Video Missha example promouting full hd 1080 view colloboration niv.exe"

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

C:\Windows\SysWOW64\dialer.exe

"C:\Windows\system32\dialer.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 4228 -ip 4228

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4228 -s 208

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4228 -ip 4228

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4228 -s 480
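The flat listing above, read in launch order, repeats one chain many times: one of the two lure executables on the Desktop, then C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe with no arguments, then dialer.exe with no arguments, then WerFault.exe pairs (-pss, then -u) for the same PID. A signed system binary started with an empty command line and then crashing is what a hollowed host process looks like from the outside. The following Python is an added example, not the sandbox's own tooling: it parses a hand-copied subset of this section in the report's own layout (image-path line, then command-line line; blank lines ignored, so the section can be pasted verbatim) and flags that pattern. The set of target binaries and the sample rows are assumptions for the example. It also encodes one caveat a reader might otherwise misread as tampering: an image path of C:\Windows\SysWOW64\dialer.exe against a command line of "C:\Windows\system32\dialer.exe" is WOW64 file-system redirection, which only tells you the parent that issued CreateProcess is 32-bit.

```python
# Added example, not the sandbox's tooling: triage a process listing in the
# report's layout (image-path line, then the command line the parent supplied;
# blank lines ignored) for the hollowed-LOLBin pattern seen above.
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Hand-copied subset of the Processes section (constructed sample input).
SAMPLE_PROCESS_LIST = r"""
C:\Users\Admin\Desktop\1 Video Missha example promouting full hd 1080 view colloboration niv.exe
"C:\Users\Admin\Desktop\1 Video Missha example promouting full hd 1080 view colloboration niv.exe"
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1720 -ip 1720
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 508
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap6703:80:7zEvent28020
"""

# Assumption for this example: signed Windows binaries the stealer launches only
# to overwrite them in memory. Extend from your own telemetry.
HOLLOW_TARGETS = {"bitlockertogo.exe", "dialer.exe"}
WERFAULT_PID = re.compile(r"(?:^|\s)-p\s+(\d+)(?:\s|$)")


@dataclass(frozen=True)
class ProcEvent:
    image: str    # image path as the sandbox resolved it
    cmdline: str  # command line as the parent supplied it


def parse_process_list(text: str) -> list[ProcEvent]:
    """Pair non-blank lines in order: image path, then command line."""
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    if len(lines) % 2:
        raise ValueError("odd line count: image/command-line pairing is broken")
    return [ProcEvent(lines[i], lines[i + 1]) for i in range(0, len(lines), 2)]


def split_cmdline(cmdline: str) -> tuple[str, str]:
    """Windows-style split: a leading quoted token is the executable, otherwise
    it ends at the first space. Returns (exe, argument string)."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end], s[end + 1:].strip()
    exe, _, rest = s.partition(" ")
    return exe, rest.strip()


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def hollow_candidates(events: list[ProcEvent]) -> list[ProcEvent]:
    """Target binaries started with an empty argument string: neither runs
    argument-less in a normal session, and that is the footprint of
    CreateProcess(CREATE_SUSPENDED) followed by SetThreadContext."""
    return [e for e in events
            if basename(e.image) in HOLLOW_TARGETS and split_cmdline(e.cmdline)[1] == ""]


def crash_reports(events: list[ProcEvent]) -> Counter:
    """WerFault invocations per reported PID (-p <pid>); one crash of a host
    process yields a -pss/-u pair, so two entries per PID is one crash."""
    hits: Counter = Counter()
    for e in events:
        m = WERFAULT_PID.search(e.cmdline) if basename(e.image) == "werfault.exe" else None
        if m:
            hits[int(m.group(1))] += 1
    return hits


def wow64_redirected(events: list[ProcEvent]) -> list[ProcEvent]:
    """Image under SysWOW64 while the command line named system32: WOW64
    file-system redirection. Not malicious; it shows the parent is 32-bit."""
    return [e for e in events
            if "\\syswow64\\" in e.image.lower()
            and "\\system32\\" in split_cmdline(e.cmdline)[0].lower()]


def triage(text: str) -> dict:
    events = parse_process_list(text)
    return {
        "hollow_targets": sorted({basename(e.image) for e in hollow_candidates(events)}),
        "crashed_pids": dict(crash_reports(events)),
        "wow64_redirected": sorted({basename(e.image) for e in wow64_redirected(events)}),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_PROCESS_LIST).items():
        print(f"{key}: {value}")
```

Run against the whole section, every hollowed PID in the listing (868, 1720, 224, 5776, 4964, 5072 and the rest) accumulates its -pss/-u entries, which is the quickest way to see how many injection attempts ended in a crash rather than a running payload. The 7-Zip and Notepad rows never trip the hollowing check because they carry arguments and are not in the target set; tune HOLLOW_TARGETS rather than the argument test if your telemetry shows other hosts.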

Network

Country Destination Domain Proto
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 checkappexec.microsoft.com udp
GB 51.11.108.188:443 checkappexec.microsoft.com tcp
US 8.8.8.8:53 188.108.11.51.in-addr.arpa udp
US 8.8.8.8:53 203.197.79.204.in-addr.arpa udp
N/A 127.0.0.1:49786 tcp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net tcp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 firefox-settings-attachments.cdn.mozilla.net udp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 140.230.185.54.in-addr.arpa udp
US 8.8.8.8:53 53.121.117.34.in-addr.arpa udp
N/A 127.0.0.1:49796 tcp
US 8.8.8.8:53 mega.nz udp
LU 31.216.145.5:443 mega.nz tcp
US 8.8.8.8:53 mega.nz udp
US 8.8.8.8:53 mega.nz udp
US 8.8.8.8:53 eu.static.mega.co.nz udp
NL 66.203.127.13:443 eu.static.mega.co.nz tcp
NL 66.203.127.13:443 eu.static.mega.co.nz tcp
US 8.8.8.8:53 eu.static.mega.co.nz udp
US 8.8.8.8:53 eu.static.mega.co.nz udp
US 8.8.8.8:53 13.127.203.66.in-addr.arpa udp
US 8.8.8.8:53 5.145.216.31.in-addr.arpa udp
US 8.8.8.8:53 g.api.mega.co.nz udp
LU 66.203.125.15:443 g.api.mega.co.nz tcp
LU 66.203.125.15:443 g.api.mega.co.nz tcp
US 8.8.8.8:53 lu.api.mega.co.nz udp
US 8.8.8.8:53 lu.api.mega.co.nz udp
US 8.8.8.8:53 15.125.203.66.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
N/A 127.0.0.1:6341 tcp
N/A 127.0.0.1:6341 tcp
N/A 127.0.0.1:6341 tcp
N/A 127.0.0.1:6341 tcp
US 8.8.8.8:53 gfs302n113.userstorage.mega.co.nz udp
US 8.8.8.8:53 gfs208n139.userstorage.mega.co.nz udp
US 8.8.8.8:53 gfs204n146.userstorage.mega.co.nz udp
US 8.8.8.8:53 gfs270n121.userstorage.mega.co.nz udp
US 8.8.8.8:53 gfs214n139.userstorage.mega.co.nz udp
US 8.8.8.8:53 gfs262n333.userstorage.mega.co.nz udp
CA 162.208.16.23:443 gfs302n113.userstorage.mega.co.nz tcp
CA 162.208.16.23:443 gfs302n113.userstorage.mega.co.nz tcp
CA 162.208.16.23:443 gfs302n113.userstorage.mega.co.nz tcp
CA 162.208.16.23:443 gfs302n113.userstorage.mega.co.nz tcp
US 8.8.8.8:53 gfs302n113.userstorage.mega.co.nz udp
NL 185.206.24.74:443 gfs204n146.userstorage.mega.co.nz tcp
NL 185.206.24.74:443 gfs204n146.userstorage.mega.co.nz tcp
NL 185.206.24.74:443 gfs204n146.userstorage.mega.co.nz tcp
NL 185.206.24.74:443 gfs204n146.userstorage.mega.co.nz tcp
US 8.8.8.8:53 gfs204n146.userstorage.mega.co.nz udp
DE 94.24.36.43:443 gfs262n333.userstorage.mega.co.nz tcp
DE 94.24.36.43:443 gfs262n333.userstorage.mega.co.nz tcp
DE 94.24.36.43:443 gfs262n333.userstorage.mega.co.nz tcp
DE 94.24.36.43:443 gfs262n333.userstorage.mega.co.nz tcp
US 8.8.8.8:53 gfs262n333.userstorage.mega.co.nz udp
FR 185.206.26.49:443 gfs208n139.userstorage.mega.co.nz tcp
FR 185.206.26.49:443 gfs208n139.userstorage.mega.co.nz tcp
FR 185.206.26.49:443 gfs208n139.userstorage.mega.co.nz tcp
FR 185.206.26.49:443 gfs208n139.userstorage.mega.co.nz tcp
US 8.8.8.8:53 gfs208n139.userstorage.mega.co.nz udp
LU 89.44.168.181:443 gfs270n121.userstorage.mega.co.nz tcp
LU 89.44.168.181:443 gfs270n121.userstorage.mega.co.nz tcp
LU 89.44.168.181:443 gfs270n121.userstorage.mega.co.nz tcp
LU 89.44.168.181:443 gfs270n121.userstorage.mega.co.nz tcp
ES 185.206.27.49:443 gfs214n139.userstorage.mega.co.nz tcp
ES 185.206.27.49:443 gfs214n139.userstorage.mega.co.nz tcp
ES 185.206.27.49:443 gfs214n139.userstorage.mega.co.nz tcp
ES 185.206.27.49:443 gfs214n139.userstorage.mega.co.nz tcp
US 8.8.8.8:53 gfs270n121.userstorage.mega.co.nz udp
US 8.8.8.8:53 gfs214n139.userstorage.mega.co.nz udp
US 8.8.8.8:53 gfs204n146.userstorage.mega.co.nz udp
US 8.8.8.8:53 gfs262n333.userstorage.mega.co.nz udp
US 8.8.8.8:53 gfs302n113.userstorage.mega.co.nz udp
US 8.8.8.8:53 gfs214n139.userstorage.mega.co.nz udp
US 8.8.8.8:53 gfs270n121.userstorage.mega.co.nz udp
US 8.8.8.8:53 gfs208n139.userstorage.mega.co.nz udp
US 8.8.8.8:53 74.24.206.185.in-addr.arpa udp
US 8.8.8.8:53 181.168.44.89.in-addr.arpa udp
US 8.8.8.8:53 43.36.24.94.in-addr.arpa udp
US 8.8.8.8:53 49.27.206.185.in-addr.arpa udp
US 8.8.8.8:53 49.26.206.185.in-addr.arpa udp
LU 31.216.145.5:443 mega.nz tcp
LU 31.216.145.5:443 mega.nz tcp
LU 31.216.145.5:443 mega.nz tcp
LU 31.216.145.5:443 mega.nz tcp
LU 31.216.145.5:443 mega.nz tcp
US 8.8.8.8:53 23.16.208.162.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 location.services.mozilla.com udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 35.190.72.216:443 prod.classify-client.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 35.190.72.216:443 prod.classify-client.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 216.72.190.35.in-addr.arpa udp
US 8.8.8.8:53 201.181.244.35.in-addr.arpa udp
US 8.8.8.8:53 ciscobinary.openh264.org udp
US 8.8.8.8:53 redirector.gvt1.com udp
DE 23.55.161.185:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
GB 142.250.200.14:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 142.250.200.14:443 redirector.gvt1.com udp
US 8.8.8.8:53 r3.sn-4g5ednd7.gvt1.com udp
DE 74.125.162.104:443 r3.sn-4g5ednd7.gvt1.com tcp
US 8.8.8.8:53 r3.sn-4g5ednd7.gvt1.com udp
US 8.8.8.8:53 14.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 104.162.125.74.in-addr.arpa udp
US 8.8.8.8:53 185.161.55.23.in-addr.arpa udp
DE 74.125.162.104:443 r3.sn-4g5ednd7.gvt1.com udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 6.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.180.4:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.180.4:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.180.4:443 www.google.com udp
US 8.8.8.8:53 4.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 35.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 98.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 csp.withgoogle.com udp
GB 216.58.204.81:443 csp.withgoogle.com tcp
US 8.8.8.8:53 csp.withgoogle.com udp
US 8.8.8.8:53 csp.withgoogle.com udp
US 8.8.8.8:53 ogads-pa.googleapis.com udp
GB 216.58.201.106:443 ogads-pa.googleapis.com tcp
US 8.8.8.8:53 ogads-pa.googleapis.com udp
GB 216.58.201.106:443 ogads-pa.googleapis.com tcp
US 8.8.8.8:53 ogads-pa.googleapis.com udp
GB 216.58.204.81:443 csp.withgoogle.com udp
GB 216.58.201.106:443 ogads-pa.googleapis.com udp
US 8.8.8.8:53 227.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 81.204.58.216.in-addr.arpa udp
US 8.8.8.8:53 106.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 play.google.com udp
GB 172.217.16.238:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 play.google.com udp
GB 172.217.16.238:443 play.google.com udp
US 8.8.8.8:53 consent.google.com udp
GB 172.217.16.238:443 consent.google.com tcp
US 8.8.8.8:53 consent.google.com udp
US 8.8.8.8:53 consent.google.com udp
GB 172.217.16.238:443 consent.google.com udp
US 8.8.8.8:53 www.virustotal.com udp
US 74.125.34.46:443 www.virustotal.com tcp
US 8.8.8.8:53 ghs-svc-https-c46.ghs-ssl.googlehosted.com udp
US 74.125.34.46:443 ghs-svc-https-c46.ghs-ssl.googlehosted.com tcp
US 8.8.8.8:53 ghs-svc-https-c46.ghs-ssl.googlehosted.com udp
US 8.8.8.8:53 46.34.125.74.in-addr.arpa udp
US 8.8.8.8:53 www.recaptcha.net udp
GB 142.250.187.195:443 www.recaptcha.net tcp
US 8.8.8.8:53 www.recaptcha.net udp
US 8.8.8.8:53 www.recaptcha.net udp
GB 142.250.187.195:443 www.recaptcha.net udp
US 8.8.8.8:53 region1.google-analytics.com udp
US 8.8.8.8:53 region1.google-analytics.com udp
US 216.239.34.36:443 region1.google-analytics.com tcp
US 8.8.8.8:53 195.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 200.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 region1.google-analytics.com udp
US 8.8.8.8:53 recaptcha.net udp
US 216.239.34.36:443 region1.google-analytics.com tcp
GB 142.250.200.3:443 recaptcha.net tcp
US 8.8.8.8:53 recaptcha.net udp
US 8.8.8.8:53 recaptcha.net udp
US 216.239.34.36:443 region1.google-analytics.com udp
GB 142.250.200.3:443 recaptcha.net udp
US 8.8.8.8:53 36.34.239.216.in-addr.arpa udp
US 8.8.8.8:53 3.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 10.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 ghs-svc-https-c46.ghs-ssl.googlehosted.com udp
US 8.8.8.8:53 ghs-svc-https-c46.ghs-ssl.googlehosted.com udp
US 8.8.8.8:53 167.57.26.184.in-addr.arpa udp
US 8.8.8.8:53 mega.nz udp
LU 31.216.144.5:443 mega.nz tcp
US 8.8.8.8:53 mega.nz udp
US 8.8.8.8:53 mega.nz udp
US 8.8.8.8:53 eu.static.mega.co.nz udp
LU 66.203.124.37:443 eu.static.mega.co.nz tcp
LU 66.203.124.37:443 eu.static.mega.co.nz tcp
US 8.8.8.8:53 eu.static.mega.co.nz udp
US 8.8.8.8:53 5.144.216.31.in-addr.arpa udp
US 8.8.8.8:53 37.124.203.66.in-addr.arpa udp
US 8.8.8.8:53 g.api.mega.co.nz udp
LU 66.203.125.13:443 g.api.mega.co.nz tcp
LU 66.203.125.13:443 g.api.mega.co.nz tcp
US 8.8.8.8:53 lu.api.mega.co.nz udp
US 8.8.8.8:53 13.125.203.66.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.180.4:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.180.4:443 www.google.com udp
US 8.8.8.8:53 id.google.com udp
GB 142.250.180.3:443 id.google.com tcp
US 8.8.8.8:53 id.google.com udp
US 8.8.8.8:53 id.google.com udp
US 8.8.8.8:53 csp.withgoogle.com udp
US 8.8.8.8:53 csp.withgoogle.com udp
GB 216.58.204.81:443 csp.withgoogle.com udp
US 8.8.8.8:53 ogads-pa.googleapis.com udp
GB 216.58.204.81:443 csp.withgoogle.com tcp
US 8.8.8.8:53 csp.withgoogle.com udp
GB 142.250.180.3:443 id.google.com udp
US 8.8.8.8:53 ogads-pa.googleapis.com udp
GB 216.58.201.106:443 ogads-pa.googleapis.com udp
US 8.8.8.8:53 i.ytimg.com udp
GB 142.250.200.22:443 i.ytimg.com tcp
GB 142.250.200.22:443 i.ytimg.com tcp
US 8.8.8.8:53 i.ytimg.com udp
US 8.8.8.8:53 i.ytimg.com udp
GB 142.250.200.22:443 i.ytimg.com tcp
GB 142.250.200.22:443 i.ytimg.com tcp
US 8.8.8.8:53 2.213.58.216.in-addr.arpa udp
US 8.8.8.8:53 3.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 22.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 play.google.com udp
GB 172.217.16.238:443 play.google.com udp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 ogads-pa.googleapis.com udp
GB 172.217.16.238:443 play.google.com tcp
US 8.8.8.8:53 learn.microsoft.com udp
GB 216.58.201.106:443 ogads-pa.googleapis.com tcp
US 8.8.8.8:53 www.youtube.com udp
GB 2.22.5.214:443 learn.microsoft.com tcp
US 8.8.8.8:53 e13636.dscb.akamaiedge.net udp
GB 2.22.5.214:443 e13636.dscb.akamaiedge.net tcp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 8.8.8.8:53 e13636.dscb.akamaiedge.net udp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 8.8.8.8:53 214.5.22.2.in-addr.arpa udp
US 8.8.8.8:53 wcpstatic.microsoft.com udp
US 8.8.8.8:53 js.monitor.azure.com udp
US 13.107.246.65:443 js.monitor.azure.com tcp
US 8.8.8.8:53 s-part-0037.t-0009.t-msedge.net udp
US 13.107.246.65:443 s-part-0037.t-0009.t-msedge.net tcp
US 8.8.8.8:53 s-part-0037.t-0009.t-msedge.net udp
US 13.107.246.65:443 s-part-0037.t-0009.t-msedge.net tcp
US 8.8.8.8:53 65.246.107.13.in-addr.arpa udp
US 8.8.8.8:53 browser.events.data.microsoft.com udp
US 20.189.173.26:443 browser.events.data.microsoft.com tcp
US 20.189.173.26:443 browser.events.data.microsoft.com tcp
US 8.8.8.8:53 onedscolprdwus19.westus.cloudapp.azure.com udp
US 8.8.8.8:53 onedscolprdwus19.westus.cloudapp.azure.com udp
US 8.8.8.8:53 26.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 browser.events.data.microsoft.com udp
US 8.8.8.8:53 onedscolprdneu12.northeurope.cloudapp.azure.com udp
US 8.8.8.8:53 onedscolprdneu12.northeurope.cloudapp.azure.com udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 github.githubassets.com udp
US 8.8.8.8:53 avatars.githubusercontent.com udp
US 185.199.110.154:443 github.githubassets.com tcp
US 185.199.110.154:443 github.githubassets.com tcp
US 185.199.110.154:443 github.githubassets.com tcp
US 185.199.110.154:443 github.githubassets.com tcp
US 185.199.110.154:443 github.githubassets.com tcp
US 185.199.110.154:443 github.githubassets.com tcp
US 185.199.111.133:443 avatars.githubusercontent.com tcp
US 8.8.8.8:53 avatars.githubusercontent.com udp
US 8.8.8.8:53 github.githubassets.com udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 avatars.githubusercontent.com udp
US 8.8.8.8:53 github.githubassets.com udp
US 8.8.8.8:53 camo.githubusercontent.com udp
US 185.199.111.133:443 camo.githubusercontent.com tcp
US 8.8.8.8:53 camo.githubusercontent.com udp
US 8.8.8.8:53 camo.githubusercontent.com udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 8.8.8.8:53 154.110.199.185.in-addr.arpa udp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
US 8.8.8.8:53 133.109.199.185.in-addr.arpa udp
US 8.8.8.8:53 api.github.com udp
GB 20.26.156.210:443 api.github.com tcp
GB 20.26.156.210:443 api.github.com tcp
GB 20.26.156.210:443 api.github.com tcp
GB 20.26.156.210:443 api.github.com tcp
GB 20.26.156.210:443 api.github.com tcp
GB 20.26.156.210:443 api.github.com tcp
US 8.8.8.8:53 api.github.com udp
US 8.8.8.8:53 api.github.com udp
US 8.8.8.8:53 210.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 onedscolprdneu12.northeurope.cloudapp.azure.com udp
US 8.8.8.8:53 download.sysinternals.com udp
US 152.199.19.160:443 download.sysinternals.com tcp
US 152.199.19.160:443 download.sysinternals.com tcp
US 8.8.8.8:53 cs22.wpc.v0cdn.net udp
US 8.8.8.8:53 onedscolprdneu12.northeurope.cloudapp.azure.com udp
US 8.8.8.8:53 cs22.wpc.v0cdn.net udp
US 8.8.8.8:53 browser.events.data.microsoft.com udp
US 8.8.8.8:53 onedscolprdwus22.westus.cloudapp.azure.com udp
US 8.8.8.8:53 onedscolprdwus22.westus.cloudapp.azure.com udp
US 8.8.8.8:53 browser.events.data.microsoft.com udp
US 8.8.8.8:53 onedscolprdcus06.centralus.cloudapp.azure.com udp
US 8.8.8.8:53 onedscolprdcus06.centralus.cloudapp.azure.com udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.180.4:443 www.google.com tcp
GB 142.250.180.4:443 www.google.com udp
GB 142.250.180.4:443 www.google.com tcp
GB 142.250.180.4:443 www.google.com tcp
US 8.8.8.8:53 id.google.com udp
GB 216.58.204.81:443 csp.withgoogle.com udp
US 8.8.8.8:53 id.google.com udp
GB 142.250.187.195:443 id.google.com udp
GB 142.250.187.195:443 id.google.com tcp
GB 216.58.201.106:443 ogads-pa.googleapis.com udp
GB 216.58.201.106:443 ogads-pa.googleapis.com tcp
GB 142.250.187.195:443 id.google.com tcp
GB 142.250.187.195:443 id.google.com tcp
GB 216.58.201.106:443 ogads-pa.googleapis.com tcp
US 8.8.8.8:53 play.google.com udp
GB 142.250.187.206:443 play.google.com udp
GB 142.250.187.206:443 play.google.com tcp
GB 142.250.187.206:443 play.google.com tcp
US 8.8.8.8:53 processhacker.sourceforge.io udp
US 172.64.150.83:443 processhacker.sourceforge.io tcp
US 8.8.8.8:53 prwebsecure.sourceforge.io.cdn.cloudflare.net udp
US 8.8.8.8:53 83.150.64.172.in-addr.arpa udp
US 172.64.150.83:443 processhacker.sourceforge.io udp
US 8.8.8.8:53 cdnjs.cloudflare.com udp
US 8.8.8.8:53 sourceforge.net udp
US 104.17.25.14:443 cdnjs.cloudflare.com tcp
US 104.17.25.14:443 cdnjs.cloudflare.com tcp
US 104.17.25.14:443 cdnjs.cloudflare.com tcp
US 104.17.25.14:443 cdnjs.cloudflare.com tcp
US 8.8.8.8:53 cdnjs.cloudflare.com udp
US 172.64.150.145:443 sourceforge.net tcp
US 8.8.8.8:53 sourceforge.net udp
US 8.8.8.8:53 cdnjs.cloudflare.com udp
US 8.8.8.8:53 sourceforge.net udp
US 104.17.25.14:443 cdnjs.cloudflare.com udp
US 172.64.150.145:443 sourceforge.net udp
US 104.17.25.14:443 cdnjs.cloudflare.com udp
US 8.8.8.8:53 region1.google-analytics.com udp
US 8.8.8.8:53 region1.google-analytics.com udp
US 216.239.32.36:443 region1.google-analytics.com tcp
US 8.8.8.8:53 region1.google-analytics.com udp
US 8.8.8.8:53 145.150.64.172.in-addr.arpa udp
US 8.8.8.8:53 74.204.58.216.in-addr.arpa udp
US 8.8.8.8:53 36.32.239.216.in-addr.arpa udp
US 216.239.32.36:443 region1.google-analytics.com udp
US 172.64.150.145:443 sourceforge.net tcp
US 172.64.150.145:443 sourceforge.net tcp
US 172.64.150.145:443 sourceforge.net udp
US 8.8.8.8:53 challenges.cloudflare.com udp
US 104.18.94.41:443 challenges.cloudflare.com tcp
US 8.8.8.8:53 challenges.cloudflare.com udp
US 8.8.8.8:53 challenges.cloudflare.com udp
US 104.18.94.41:443 challenges.cloudflare.com udp
US 104.18.94.41:443 challenges.cloudflare.com tcp
US 8.8.8.8:53 41.94.18.104.in-addr.arpa udp
US 8.8.8.8:53 a.fsdn.com udp
US 104.18.40.209:443 a.fsdn.com tcp
US 104.18.40.209:443 a.fsdn.com tcp
US 104.18.40.209:443 a.fsdn.com tcp
US 104.18.40.209:443 a.fsdn.com tcp
US 104.18.40.209:443 a.fsdn.com tcp
US 104.18.40.209:443 a.fsdn.com tcp
US 104.18.40.209:443 a.fsdn.com tcp
US 104.18.40.209:443 a.fsdn.com tcp
US 8.8.8.8:53 a.fsdn.com.cdn.cloudflare.net udp
US 8.8.8.8:53 a.fsdn.com.cdn.cloudflare.net udp
US 104.18.40.209:443 a.fsdn.com.cdn.cloudflare.net udp
US 8.8.8.8:53 d.delivery.consentmanager.net udp
US 8.8.8.8:53 cdn.consentmanager.net udp
DE 87.230.98.76:443 d.delivery.consentmanager.net tcp
US 8.8.8.8:53 d.delivery.consentmanager.net udp
GB 89.187.167.39:443 cdn.consentmanager.net tcp
US 8.8.8.8:53 1376624012.rsc.cdn77.org udp
US 8.8.8.8:53 d.delivery.consentmanager.net udp
US 8.8.8.8:53 c.sf-syn.com udp
US 8.8.8.8:53 1376624012.rsc.cdn77.org udp
US 8.8.8.8:53 c.sf-syn.com udp
US 104.18.33.97:443 c.sf-syn.com tcp
US 8.8.8.8:53 c.sf-syn.com udp
US 104.18.33.97:443 c.sf-syn.com udp
US 8.8.8.8:53 209.40.18.104.in-addr.arpa udp
US 8.8.8.8:53 76.98.230.87.in-addr.arpa udp
US 8.8.8.8:53 39.167.187.89.in-addr.arpa udp
US 8.8.8.8:53 97.33.18.104.in-addr.arpa udp
DE 87.230.98.76:443 d.delivery.consentmanager.net tcp
US 8.8.8.8:53 btloader.com udp
US 8.8.8.8:53 securepubads.g.doubleclick.net udp
US 8.8.8.8:53 analytics.slashdotmedia.com udp
US 8.8.8.8:53 j.6sc.co udp
US 8.8.8.8:53 ml314.com udp
US 216.105.38.9:443 analytics.slashdotmedia.com tcp
US 8.8.8.8:53 analytics.slashdotmedia.com udp
US 8.8.8.8:53 btloader.com udp
US 8.8.8.8:53 securepubads.g.doubleclick.net udp
US 8.8.8.8:53 ml314.com udp
US 8.8.8.8:53 e212585.b.akamaiedge.net udp
US 8.8.8.8:53 analytics.slashdotmedia.com udp
US 8.8.8.8:53 btloader.com udp
US 8.8.8.8:53 securepubads.g.doubleclick.net udp
US 8.8.8.8:53 ml314.com udp
US 8.8.8.8:53 e212585.b.akamaiedge.net udp
US 104.22.74.216:443 btloader.com tcp
GB 142.250.200.34:443 securepubads.g.doubleclick.net tcp
GB 2.16.34.66:443 e212585.b.akamaiedge.net tcp
US 34.117.77.79:443 ml314.com tcp
US 34.117.77.79:443 ml314.com udp
GB 142.250.200.34:443 securepubads.g.doubleclick.net udp
US 8.8.8.8:53 ad-delivery.net udp
US 8.8.8.8:53 ad-delivery.net udp
US 104.26.3.70:443 ad-delivery.net tcp
US 104.26.3.70:443 ad-delivery.net tcp
US 8.8.8.8:53 9.38.105.216.in-addr.arpa udp
US 8.8.8.8:53 216.74.22.104.in-addr.arpa udp
US 8.8.8.8:53 66.34.16.2.in-addr.arpa udp
US 8.8.8.8:53 79.77.117.34.in-addr.arpa udp
US 8.8.8.8:53 34.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 ad-delivery.net udp
US 8.8.8.8:53 dpm.demdex.net udp
US 8.8.8.8:53 idsync.rlcdn.com udp
US 8.8.8.8:53 match.adsrvr.org udp
US 8.8.8.8:53 ib.adnxs.com udp
US 8.8.8.8:53 ps.eyeota.net udp
US 8.8.8.8:53 b.6sc.co udp
US 8.8.8.8:53 c.6sc.co udp
US 8.8.8.8:53 ipv6.6sc.co udp
US 8.8.8.8:53 match.adsrvr.org udp
US 8.8.8.8:53 idsync.rlcdn.com udp
US 8.8.8.8:53 dcs-public-edge-irl1-150041215.eu-west-1.elb.amazonaws.com udp
US 8.8.8.8:53 ib.anycast.adnxs.com udp
GB 2.16.34.66:443 ipv6.6sc.co tcp
GB 2.16.34.152:443 ipv6.6sc.co tcp
US 8.8.8.8:53 e212585.dscb.akamaiedge.net udp
US 8.8.8.8:53 ps.eyeota.net udp
US 8.8.8.8:53 api.btloader.com udp
US 8.8.8.8:53 match.adsrvr.org udp
US 8.8.8.8:53 idsync.rlcdn.com udp
US 8.8.8.8:53 dcs-public-edge-irl1-150041215.eu-west-1.elb.amazonaws.com udp
US 8.8.8.8:53 ib.anycast.adnxs.com udp
US 8.8.8.8:53 e212585.dscb.akamaiedge.net udp
US 8.8.8.8:53 ps.eyeota.net udp
US 130.211.23.194:443 api.btloader.com tcp
US 8.8.8.8:53 api.btloader.com udp
US 8.8.8.8:53 api.btloader.com udp
US 130.211.23.194:443 api.btloader.com udp
IE 54.170.25.213:443 dpm.demdex.net tcp
US 35.244.174.68:443 idsync.rlcdn.com tcp
US 3.33.220.150:443 match.adsrvr.org tcp
NL 185.89.210.180:443 ib.adnxs.com tcp
DE 3.125.70.222:443 ps.eyeota.net tcp
GB 2.16.34.66:443 e212585.dscb.akamaiedge.net tcp
GB 2.16.34.66:443 e212585.dscb.akamaiedge.net tcp
US 35.244.174.68:443 idsync.rlcdn.com udp
US 8.8.8.8:53 90275cf3bf55170aab19e9f67b1aa022.safeframe.googlesyndication.com udp
US 8.8.8.8:53 pagead-googlehosted.l.google.com udp
GB 216.58.213.1:443 pagead-googlehosted.l.google.com tcp
US 8.8.8.8:53 pagead-googlehosted.l.google.com udp
US 8.8.8.8:53 70.3.26.104.in-addr.arpa udp
US 8.8.8.8:53 152.34.16.2.in-addr.arpa udp
US 8.8.8.8:53 194.23.211.130.in-addr.arpa udp
US 8.8.8.8:53 68.174.244.35.in-addr.arpa udp
US 8.8.8.8:53 180.210.89.185.in-addr.arpa udp
US 8.8.8.8:53 150.220.33.3.in-addr.arpa udp
US 8.8.8.8:53 213.25.170.54.in-addr.arpa udp
US 8.8.8.8:53 194.212.58.216.in-addr.arpa udp
US 8.8.8.8:53 1.213.58.216.in-addr.arpa udp
US 8.8.8.8:53 222.70.125.3.in-addr.arpa udp
US 8.8.8.8:53 tpc.googlesyndication.com udp
GB 216.58.213.1:443 pagead-googlehosted.l.google.com udp
GB 172.217.169.33:443 tpc.googlesyndication.com tcp
US 8.8.8.8:53 tpc.googlesyndication.com udp
US 8.8.8.8:53 tpc.googlesyndication.com udp
GB 172.217.169.33:443 tpc.googlesyndication.com udp
GB 142.250.180.4:443 www.google.com tcp
GB 142.250.180.4:443 www.google.com udp
US 8.8.8.8:53 33.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 cdn.ampproject.org udp
GB 142.250.180.1:443 cdn.ampproject.org tcp
GB 142.250.180.1:443 cdn.ampproject.org tcp
US 8.8.8.8:53 cdn-content.ampproject.org udp
GB 142.250.180.1:443 cdn-content.ampproject.org tcp
GB 142.250.180.1:443 cdn-content.ampproject.org tcp
GB 142.250.180.1:443 cdn-content.ampproject.org tcp
US 8.8.8.8:53 cdn-content.ampproject.org udp
GB 142.250.180.1:443 cdn-content.ampproject.org udp
US 8.8.8.8:53 googleads.g.doubleclick.net udp
US 8.8.8.8:53 googleads.g.doubleclick.net udp
GB 142.250.180.1:443 cdn-content.ampproject.org tcp
US 8.8.8.8:53 googleads.g.doubleclick.net udp
US 8.8.8.8:53 1.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 downloads.sourceforge.net udp
US 204.68.111.105:443 downloads.sourceforge.net tcp
US 8.8.8.8:53 downloads.sourceforge.net udp
US 8.8.8.8:53 downloads.sourceforge.net udp
US 8.8.8.8:53 105.111.68.204.in-addr.arpa udp
US 8.8.8.8:53 netix.dl.sourceforge.net udp
BG 87.121.121.2:443 netix.dl.sourceforge.net tcp
US 8.8.8.8:53 netix.dl.sourceforge.net udp
US 8.8.8.8:53 netix.dl.sourceforge.net udp
US 8.8.8.8:53 2.121.121.87.in-addr.arpa udp
US 104.18.40.209:443 a.fsdn.com.cdn.cloudflare.net tcp
DE 87.230.98.76:443 d.delivery.consentmanager.net tcp
US 8.8.8.8:53 d.delivery.consentmanager.net udp
GB 2.16.34.66:443 e212585.dscb.akamaiedge.net tcp
US 8.8.8.8:53 e212585.b.akamaiedge.net udp
US 8.8.8.8:53 snap.licdn.com udp
US 8.8.8.8:53 a1916.dscg2.akamai.net udp
US 8.8.8.8:53 a1916.dscg2.akamai.net udp
DE 2.19.11.122:443 a1916.dscg2.akamai.net tcp
US 8.8.8.8:53 f3b7f027d76f639d27bfaca2f6c15634.safeframe.googlesyndication.com udp
US 8.8.8.8:53 px.ads.linkedin.com udp
GB 216.58.213.1:443 f3b7f027d76f639d27bfaca2f6c15634.safeframe.googlesyndication.com tcp
US 13.107.42.14:443 px.ads.linkedin.com tcp
US 8.8.8.8:53 l-0005.l-msedge.net udp
GB 216.58.213.1:443 f3b7f027d76f639d27bfaca2f6c15634.safeframe.googlesyndication.com udp
US 8.8.8.8:53 l-0005.l-msedge.net udp
US 8.8.8.8:53 122.11.19.2.in-addr.arpa udp
US 8.8.8.8:53 14.42.107.13.in-addr.arpa udp
US 8.8.8.8:53 wj32.org udp
US 162.243.25.33:443 wj32.org tcp
US 8.8.8.8:53 processhacker.sourceforge.net udp
US 172.64.150.145:80 processhacker.sourceforge.net tcp
US 172.64.150.145:443 processhacker.sourceforge.net tcp
US 172.64.150.83:443 processhacker.sourceforge.io tcp
US 8.8.8.8:53 1.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 93.243.107.34.in-addr.arpa udp
US 8.8.8.8:53 1.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 206.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 41.94.18.104.in-addr.arpa udp
US 8.8.8.8:53 209.40.18.104.in-addr.arpa udp
US 8.8.8.8:53 216.74.22.104.in-addr.arpa udp
US 8.8.8.8:53 70.3.26.104.in-addr.arpa udp
US 8.8.8.8:53 194.23.211.130.in-addr.arpa udp
US 8.8.8.8:53 150.220.33.3.in-addr.arpa udp
US 8.8.8.8:53 105.111.68.204.in-addr.arpa udp
US 8.8.8.8:53 1.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 browser.events.data.microsoft.com udp
US 8.8.8.8:53 onedscolprdcus16.centralus.cloudapp.azure.com udp
US 52.182.143.213:443 onedscolprdcus16.centralus.cloudapp.azure.com tcp
US 8.8.8.8:53 onedscolprdcus16.centralus.cloudapp.azure.com udp
US 8.8.8.8:53 226.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 213.143.182.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hohja4eo.default-release\datareporting\glean\pending_pings\85c0e6b7-f943-47bf-b649-fd575499d9bc

MD5 2a67ae2bb066032e72cb37397776d94c
SHA1 d3b68425e25817bed6ae2b78ea889bed9c300730
SHA256 c306b419705cc130174b7eeb4f049007c4b6445c512edc2bd846275dc4b51e0f
SHA512 040f94f36d2d0f38f4ff9efd4cf5d2af8806ec80c60023046c60d2944dfc9f65fc83e8673366a3fa410ee18d65c849f7e48cefade31dba177e3aeec5843bfc8d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hohja4eo.default-release\datareporting\glean\pending_pings\ce3bc226-3450-40f6-a414-96c89ac70256

MD5 c76e3fa036cb67fbc0aa268c6d80a9dd
SHA1 9d37e22eaa27f62d8388387a8502ea8aafcc91c6
SHA256 2149c8c770818464d0e548e506848a567c5aad29b76ac58cd1b7bc89baa59ae7
SHA512 814c0cba40a39a8c838b38f41e9c30a171187649abd2b8a6c2a91a94ac6528f11ab84a80f80ce8e5043975add068fe3de5beacc99f801f4e8f940e3680f2b978

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hohja4eo.default-release\datareporting\glean\pending_pings\2283a9fc-91e5-44cc-be37-a68cd5fe525a

MD5 78784cc8fc72006a31f595c5eb9fd78e
SHA1 0e984b0eff857278aa38a6ac212e4b07897d4bb6
SHA256 910af1b81c189ba2c93fe15743c02e2e579a2a19270d95a230ad5308c45f90eb
SHA512 8eb14ef6d959d908c7217d64084dfd6dae364a3676d93a0c9b2f5472532afbc265c0f983c67dcd8c919322b6158f1323d6d494e5957058578eaf10c07e17e30b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hohja4eo.default-release\datareporting\glean\db\data.safe.tmp

MD5 efcdf94e9d6e1526507ede035f4b831f
SHA1 9f043a45dab9f44c9239a461836381fb22b509f9
SHA256 c96b3c61520129f7a6899c459549df7d86ecaffa2bbd3312729e66ed20fc02cc
SHA512 fecef6bff7ea9823672ebda2203566aa122bbe599c92155fb1d0e97ce181022137b55add2b413aadaa2eeca89d5393041fbbc5de40f6a96cb95b645a596ea862

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hohja4eo.default-release\datareporting\glean\db\data.safe.tmp

MD5 9e3f76f7e13a702d50e9eda039fa2e50
SHA1 0026baf4c7ff5db65fb96a27e1c64f35e797c80e
SHA256 436db702e88362920d2782e97d9c4b7a965daa8945d15f85cb944f674dbaa8b7
SHA512 b48128ef8550b7e12cf09817544ac2429c88415a4f3a87b2cb8d40c6b09c518b40401d77a1ba29cb9f2e0689ae9e48c21c080b7288d997de1bf319cd0e39b035

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hohja4eo.default-release\prefs.js

MD5 a100c407b79b61ba699b3c3b104f21a7
SHA1 f8eab58146953cf180796a76a9b3942e1d8d058d
SHA256 27a39c7f86ca0544cc3c6b796cbaefe62be1553d6f3299c1dcd848f97f7bc089
SHA512 7e4e54c8ee9d4cc7ccf8d52964ae1fe4d00e375bcb02f7d5d828f6e164a2d01cd2bd9a679090e5f685081987b03a8ad841ba532afd190a0b7b4e49fe176f7c00

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hohja4eo.default-release\storage\default\https+++mega.nz\cache\morgue\66\{6881ee85-50d2-43c3-9d99-889a9e61b942}.final

MD5 3efa9abd92666265dd81c4f4311a96f9
SHA1 41b6b716d67b93555e444cd453f3c6e3f8c9522c
SHA256 5066b1841e8877db31312ef3af86f9bc9234c95071119e025764f45241a4e2e7
SHA512 5961950f077501608a0f2975e7f69c483eeacc4eec4ac77fd650cc1131609501f87819f93ed23aa508a90426156abf038a859fac4112d2d4435bbb634027cd6c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hohja4eo.default-release\storage\default\https+++mega.nz\idb\3713173747_s_edmban.sqlite

MD5 2e2b8477ebb5cf5b621aaef5b478b715
SHA1 74c4c008e99d5f7a0f55d071276a7f46ca42f71d
SHA256 ba2e48f74764339ed12d59a9085a46fbddb8fa8a2fa5e73bd91960ff03a42d0c
SHA512 c8c8586137a9d65e7d0d2270e329de463565af16604e49eb1382687343e3361fd44b1b8434fc1123ae03d1aeed7c6dc35e17ed5abe7bf47f5f1009a85a846fc5

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hohja4eo.default-release\sessionstore-backups\recovery.baklz4

MD5 15ded9fc23c75572c2eb4868ce879b33
SHA1 c9390bcd2c7ac0726cfde5402c8b684e25e3893a
SHA256 c9c8ad6169867b82c6b74ace9ebb5e4368124821df34d2223714d75a4fcf6e70
SHA512 9256af202705af7de875e374cbf8726269e690b1c3b9edc95fddfa7ed5cb5161419be0d0b15d9b28f85dbfe17b933f6f72a0fbf1da2e67b4bf7bfd056392d197

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hohja4eo.default-release\prefs-1.js

MD5 83bb31288b16390a60930c6bf7224c61
SHA1 7bf3c54cfa7bb44a02a225114857c54c5eb8ca28
SHA256 c768c52f60a6fa6be780f2d871ccb070302b7e2b5108fafa5fc3478c6dddc4f6
SHA512 f7b1b5ec234d665d07654d262275117be094e9ee0e231fd81fc11d20cdb50b9772483023f8e2518f011a16d44738025761d3edbe829f9b51613055c1cbda7529

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hohja4eo.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hohja4eo.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hohja4eo.default-release\AlternateServices.bin

MD5 86415766758c6867fabd26409f7e1103
SHA1 aaf6baea47b4d1b871e87e375e44506551b2bf8a
SHA256 bb3cdda091f3793c2d12fec034d21cb895ad2e25c9e1b3d9388bd45a38a0986e
SHA512 47ec140766ceb037f0b1615d33b94ecc7b062dc448806aef3cc8122fa688cd5500bc1670def120cec558fff1c8f3e04a221f036fc6e5161f64509988d0cb4e69

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hohja4eo.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hohja4eo.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hohja4eo.default-release\sessionstore-backups\recovery.baklz4

MD5 5fed14c7fbec2d90db31c66457ef1486
SHA1 6a126ac507dd7871d257e60e0873257109a62a09
SHA256 385694655eaccca7b2f8a0b512b2cb558bd4a5d1a4a237fb81ebb660472a0099
SHA512 410d26c30ec88e01aa1dd8bd36d74222602848edcf7f038044c11175c57cf97696b4243d38f2520670b818fc0a4866f9f4a66f1fb97c931b972e067597f5c62d

C:\Users\Admin\Desktop\info.txt

MD5 dbe5d4bc9d3108d88253a132728f66f6
SHA1 c84ce29e50152cbd89b9d94a300274a99b11f09c
SHA256 b78994027dee73ba47f6311cd364bbd320c20d6058ca852ba72dddcec7728354
SHA512 d0459b1ef99bf1433f51df24c907787440b49ea9c33f7d405f822b2b7dc538b08b7a0b1d541f7c93173457bacdf9aaaabf0e9087902568b5bdcb3d05e1d57db4

C:\Users\Admin\Desktop\Contract Missha.html

MD5 91e913aceefadf8cd7b9f0fa2069401e
SHA1 2bc4c5a228f6193de3b0b562bf23ac2d2b4c8aa2
SHA256 52b1906a7dbcea34c0dc900095984d3b00190cbc3e1e5f48e8efc44f23af3fd8
SHA512 b6629887cbfb9cefc30d5158fc01abb47682949ec0a2bb6cfb00ae18a9427a2a507ff54d45c3fef87c9becacaf9bc90cc51b119405fe9acc1a4c4ce1e7fc5d1f

C:\Users\Admin\Desktop\logo.png

MD5 9acefc5b8ae72c8ef5cacde426efde6d
SHA1 9ef3d93c17a9cf3448a432f46ccb93132e8d5bc4
SHA256 ad02285ad9342d05e3efd0dc3eb40267efc89930d6d7f480c7ccbc8f0360ca80
SHA512 358cbd54aade8e0e89280ad76825f7617eabbb6e491b40101269ed27aef70b5fdb838d5051eefa3c59cf4fabe0ee9468164be8a96bda0f7fc7fbe6b5e3e6a7d9

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hohja4eo.default-release\sessionstore-backups\recovery.baklz4

MD5 0f44c9640277abe082de3dc464457565
SHA1 e3f56ece4dce946412c4b2eff7ec0c456b575b9f
SHA256 05e88fdd808294688575806f004a1ff576c5a21c56f121223bc6e4ba95d98846
SHA512 5b715c0cf2e6c35633ebeadfce3f3fc88ba0552773f59d3f38fa51bdf9f6c3af436b53861d21718798dede6aa62d2103e061493837af4390298cbe14f1ba52ee

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hohja4eo.default-release\storage\default\https+++www.virustotal.com\cache\morgue\99\{dd8c65b1-75fc-4378-a9b6-d9be778e0763}.final

MD5 3bd181fab15a3ff79f4ec6203e8c11d8
SHA1 ce265e4838dec0ab068ef5f3db78dbc0dc00a1e0
SHA256 dda66a6bf5e20e27e7738723bb7db889b624066c7b4063b4398c401ec674902b
SHA512 da8824488efa0247f01c7532b52d42f29f2cc27f57b76c505b829c7eab0877ec1b9875f7d3d60e2b135199f2ec19ed829baf7f380337b485658201148700c728

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hohja4eo.default-release\serviceworker-1.txt

MD5 a289d72038983aa2a35a211ff4b39fd7
SHA1 2dfd899ef5c5d659ca57156234c6d95477a77847
SHA256 855b2b58d7cb22b3745cafe6a4a07e04ddb5195df52f41e0a6b122cc4163ac6e
SHA512 df32ea374705c33e124ee7fe3359246bb92c03e350066d9a45877aec199b3acd2874e7613fd1202fe02655ce94bdd33670434bb782ce8e5994a2cb9d99e7a226

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hohja4eo.default-release\serviceworker.txt
