Analysis Overview
SHA256
ea5e0d5f12deeb25573cc7fcade7327945d5e4778c1569e189dc483e96583cbc
Threat Level: Known bad
The file fijewh.zip was found to be: Known bad.
Malicious Activity Summary
Socelars
Pony family
Mimikatz
Pony,Fareit
Socelars family
Socelars payload
Fabookie family
Fabookie
Detect Fabookie payload
Mimikatz family
Detected Nirsoft tools
mimikatz is an open source tool to dump credentials on Windows
Unsecured Credentials: Credentials In Files
VMProtect packed file
Reads user/profile data of web browsers
Checks computer location settings
Reads data files stored by FTP clients
Executes dropped EXE
Accesses Microsoft Outlook profiles
Checks installed software on the system
Looks up external IP address via web service
Accesses Microsoft Outlook accounts
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
UPX packed file
System Network Configuration Discovery: Internet Connection Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
NSIS installer
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Runs ping.exe
Checks processor information in registry
Uses Task Scheduler COM API
outlook_win_path
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 20:43
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 20:43
Reported
2024-11-09 20:46
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
154s
Command Line
Signatures
Detect Fabookie payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Fabookie
Fabookie family
Mimikatz
Mimikatz family
Pony family
Pony,Fareit
Socelars
Socelars family
Socelars payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detected Nirsoft tools
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
mimikatz is an open source tool to dump credentials on Windows
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RarSFX2\whhw.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\is-7S25V.tmp\Setup.tmp | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\is-3PEJ9.tmp\Setup.tmp | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\fijewh\412433\Lonelyscreen.1.2.9.keygen.by.Paradox.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RarSFX1\keygen-pr.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RarSFX1\keygen-step-4.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RarSFX5\whhw.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\fijewh\412433\Lonelyscreen.1.2.9.keygen.by.Paradox.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\fijewh\412433\Lonelyscreen.1.2.9.keygen.by.Paradox.exe | N/A |
Executes dropped EXE
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kissq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kissq.exe" | C:\Users\Admin\AppData\Local\Temp\RarSFX2\hjjgaa.exe | N/A |
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4040 set thread context of 2420 | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX5\id6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\fijewh\LonelyScreen\LonelyScreen.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX2\searzar\searzar.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX1\keygen-step-4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-7S25V.tmp\Setup.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX1\keygen-step-3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX5\Setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX5\hjjgaa.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\fijewh\412433\Lonelyscreen.1.2.9.keygen.by.Paradox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\fijewh\412433\Lonelyscreen.1.2.9.keygen.by.Paradox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX2\hjjgaa.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX4\key.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-3PEJ9.tmp\Setup.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX2\searzar\searzar.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\fijewh\412433\Lonelyscreen.1.2.9.keygen.by.Paradox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX2\whhw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX2\id6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX6\setup.upx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX5\whhw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX3\setup.upx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX1\keygen-pr.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-7S25V.tmp\Setup.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-7S25V.tmp\Setup.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-3PEJ9.tmp\Setup.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-3PEJ9.tmp\Setup.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\fijewh\LonelyScreen\LonelyScreen.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\fijewh\LonelyScreen\LonelyScreen.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\fijewh\LonelyScreen\LonelyScreen.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\fijewh\LonelyScreen\LonelyScreen.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-7S25V.tmp\Setup.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-3PEJ9.tmp\Setup.tmp | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\fijewh\LonelyScreen\LonelyScreen.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\fijewh\LonelyScreen\LonelyScreen.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\fijewh\LonelyScreen\LonelyScreen.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\fijewh\LonelyScreen\LonelyScreen.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\fijewh\LonelyScreen\LonelyScreen.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX2\id6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX2\id6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX5\id6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX5\id6.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe | N/A |
Processes
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\fijewh.zip"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\fijewh\412433\" -spe -an -ai#7zMap15012:84:7zEvent25387
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\fijewh\LonelyScreen\" -spe -an -ai#7zMap27052:96:7zEvent5481
C:\Users\Admin\Desktop\fijewh\LonelyScreen\LonelyScreen.exe
"C:\Users\Admin\Desktop\fijewh\LonelyScreen\LonelyScreen.exe"
C:\Users\Admin\Desktop\fijewh\412433\Lonelyscreen.1.2.9.keygen.by.Paradox.exe
"C:\Users\Admin\Desktop\fijewh\412433\Lonelyscreen.1.2.9.keygen.by.Paradox.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
keygen-pr.exe -p83fsase3Ge
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe
keygen-step-3.exe
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
keygen-step-4.exe
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"
C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX2\whhw.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\whhw.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe -txt -scanlocal -file:potato.dat
C:\Users\Admin\AppData\Local\Temp\RarSFX3\setup.upx.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX3\setup.upx.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX3\setup.upx.exe"
C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
C:\Users\Admin\AppData\Local\Temp\RarSFX2\id6.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\id6.exe"
C:\Users\Admin\Desktop\fijewh\412433\Lonelyscreen.1.2.9.keygen.by.Paradox.exe
"C:\Users\Admin\Desktop\fijewh\412433\Lonelyscreen.1.2.9.keygen.by.Paradox.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"
C:\Users\Admin\AppData\Local\Temp\is-7S25V.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-7S25V.tmp\Setup.tmp" /SL5="$20324,1223153,733696,C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX2\searzar\searzar.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\searzar\searzar.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX2\hjjgaa.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\hjjgaa.exe"
C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fjgha23_fa.txt
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX1\keygen.bat" "
C:\Users\Admin\AppData\Local\Temp\RarSFX1\keygen-pr.exe
keygen-pr.exe -p83fsase3Ge
C:\Users\Admin\AppData\Local\Temp\RarSFX1\keygen-step-3.exe
keygen-step-3.exe
C:\Users\Admin\AppData\Local\Temp\RarSFX1\keygen-step-4.exe
keygen-step-4.exe
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX1\keygen-step-3.exe"
C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
C:\Users\Admin\AppData\Local\Temp\RarSFX4\key.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX4\key.exe"
C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fjgha23_fa.txt
C:\Users\Admin\AppData\Local\Temp\RarSFX4\key.exe
C:\Users\Admin\AppData\Local\Temp\RarSFX4\key.exe -txt -scanlocal -file:potato.dat
C:\Users\Admin\AppData\Local\Temp\RarSFX5\whhw.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX5\whhw.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX6\setup.upx.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX6\setup.upx.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX6\setup.upx.exe"
C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
C:\Users\Admin\AppData\Local\Temp\RarSFX5\id6.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX5\id6.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
C:\Users\Admin\AppData\Local\Temp\RarSFX5\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX5\Setup.exe"
C:\Users\Admin\AppData\Local\Temp\is-3PEJ9.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-3PEJ9.tmp\Setup.tmp" /SL5="$50350,1223153,733696,C:\Users\Admin\AppData\Local\Temp\RarSFX5\Setup.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX2\searzar\searzar.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\searzar\searzar.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX5\hjjgaa.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX5\hjjgaa.exe"
C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fjgha23_fa.txt
C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fjgha23_fa.txt
C:\Program Files\Mozilla Firefox\private_browsing.exe
"C:\Program Files\Mozilla Firefox\private_browsing.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -private-window
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -private-window
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1936 -parentBuildID 20240401114208 -prefsHandle 1964 -prefMapHandle 1956 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e8abe7d5-13c3-4bac-9f56-227d06b88662} 1772 "\\.\pipe\gecko-crash-server-pipe.1772" gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2460 -parentBuildID 20240401114208 -prefsHandle 2452 -prefMapHandle 2448 -prefsLen 23716 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e6ece4a4-7077-4fbc-869f-cfeae8d24ef2} 1772 "\\.\pipe\gecko-crash-server-pipe.1772" socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3060 -childID 1 -isForBrowser -prefsHandle 3052 -prefMapHandle 3048 -prefsLen 24665 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {12a4bd5e-acb3-4d69-a37a-763465a18bce} 1772 "\\.\pipe\gecko-crash-server-pipe.1772" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4032 -childID 2 -isForBrowser -prefsHandle 4148 -prefMapHandle 4144 -prefsLen 29014 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {31597b1b-210c-4118-a5f2-ab00e2c6dbf5} 1772 "\\.\pipe\gecko-crash-server-pipe.1772" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4940 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4724 -prefMapHandle 4776 -prefsLen 29070 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f3647019-e360-4e3f-a7d6-ad999848fa49} 1772 "\\.\pipe\gecko-crash-server-pipe.1772" utility
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5348 -childID 3 -isForBrowser -prefsHandle 5360 -prefMapHandle 5356 -prefsLen 27023 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dce6d464-e880-4c3a-97cd-9ff74be9ce8f} 1772 "\\.\pipe\gecko-crash-server-pipe.1772" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5328 -childID 4 -isForBrowser -prefsHandle 5484 -prefMapHandle 5488 -prefsLen 27023 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d92de53a-3634-429a-98a0-dbb93ad89497} 1772 "\\.\pipe\gecko-crash-server-pipe.1772" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5316 -childID 5 -isForBrowser -prefsHandle 5672 -prefMapHandle 5680 -prefsLen 27023 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4ab7cccd-9b09-41be-84bd-466c015f80d3} 1772 "\\.\pipe\gecko-crash-server-pipe.1772" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1304 -childID 6 -isForBrowser -prefsHandle 6132 -prefMapHandle 2364 -prefsLen 27104 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a9bc8a26-bc91-4611-a12a-0997b6d262b9} 1772 "\\.\pipe\gecko-crash-server-pipe.1772" tab
C:\Users\Admin\Desktop\fijewh\412433\Lonelyscreen.1.2.9.keygen.by.Paradox.exe
"C:\Users\Admin\Desktop\fijewh\412433\Lonelyscreen.1.2.9.keygen.by.Paradox.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX7\keygen.bat" "
C:\Users\Admin\AppData\Local\Temp\RarSFX7\keygen-pr.exe
keygen-pr.exe -p83fsase3Ge
C:\Users\Admin\AppData\Local\Temp\RarSFX7\keygen-step-3.exe
keygen-step-3.exe
C:\Users\Admin\AppData\Local\Temp\RarSFX7\keygen-step-4.exe
keygen-step-4.exe
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX7\keygen-step-3.exe"
C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
C:\Users\Admin\AppData\Local\Temp\RarSFX8\key.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX8\key.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX8\key.exe
C:\Users\Admin\AppData\Local\Temp\RarSFX8\key.exe -txt -scanlocal -file:potato.dat
C:\Users\Admin\AppData\Local\Temp\RarSFX9\whhw.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX9\whhw.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.208.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | oldhorse.info | udp |
| US | 8.8.8.8:53 | freekzvideo.cloud | udp |
| US | 8.8.8.8:53 | www.ipcode.pw | udp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.187.227:80 | c.pki.goog | tcp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | www.nicekkk.pw | udp |
| US | 8.8.8.8:53 | 161.74.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.facebook.com | udp |
| GB | 163.70.151.35:443 | www.facebook.com | tcp |
| US | 8.8.8.8:53 | 35.151.70.163.in-addr.arpa | udp |
| US | 8.8.8.8:53 | by4s6fngn.2ihsfa.com | udp |
| US | 13.248.169.48:80 | by4s6fngn.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | by4s6fngn.2ihsfa.com | tcp |
| US | 8.8.8.8:53 | 48.169.248.13.in-addr.arpa | udp |
| US | 13.248.169.48:80 | by4s6fngn.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | by4s6fngn.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | by4s6fngn.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | by4s6fngn.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | by4s6fngn.2ihsfa.com | tcp |
| US | 8.8.8.8:53 | cxcs.microsoft.net | udp |
| GB | 23.213.251.133:443 | cxcs.microsoft.net | tcp |
| GB | 92.123.128.194:443 | www.bing.com | tcp |
| US | 13.248.169.48:80 | by4s6fngn.2ihsfa.com | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | freekzvideo.cloud | udp |
| US | 8.8.8.8:53 | 133.251.213.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.128.123.92.in-addr.arpa | udp |
| US | 13.248.169.48:80 | by4s6fngn.2ihsfa.com | tcp |
| US | 8.8.8.8:53 | www.ipcode.pw | udp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | www.nicekkk.pw | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 13.248.169.48:80 | by4s6fngn.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | by4s6fngn.2ihsfa.com | tcp |
| US | 8.8.8.8:53 | www.facebook.com | udp |
| GB | 163.70.151.35:443 | www.facebook.com | tcp |
| US | 13.248.169.48:80 | by4s6fngn.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | by4s6fngn.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | by4s6fngn.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | by4s6fngn.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | by4s6fngn.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | by4s6fngn.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | by4s6fngn.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | by4s6fngn.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | by4s6fngn.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | by4s6fngn.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | by4s6fngn.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | by4s6fngn.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | by4s6fngn.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | by4s6fngn.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | by4s6fngn.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | by4s6fngn.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | by4s6fngn.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | by4s6fngn.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | by4s6fngn.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | by4s6fngn.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | by4s6fngn.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | by4s6fngn.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | by4s6fngn.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | by4s6fngn.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | by4s6fngn.2ihsfa.com | tcp |
| US | 8.8.8.8:53 | spocs.getpocket.com | udp |
| US | 8.8.8.8:53 | firefox-api-proxy.cdn.mozilla.net | udp |
| US | 13.248.169.48:80 | by4s6fngn.2ihsfa.com | tcp |
| US | 34.149.97.1:443 | firefox-api-proxy.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.ads.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | support.mozilla.org | udp |
| US | 8.8.8.8:53 | prod.ads.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net | udp |
| N/A | 127.0.0.1:58507 | tcp | |
| US | 8.8.8.8:53 | us-west1.prod.sumo.prod.webservices.mozgcp.net | udp |
| US | 34.149.97.1:443 | firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | us-west1.prod.sumo.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | 1.97.149.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | firefox-settings-attachments.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 34.117.121.53:443 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | tcp |
| US | 8.8.8.8:53 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 34.117.121.53:443 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | tcp |
| US | 13.248.169.48:80 | by4s6fngn.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | by4s6fngn.2ihsfa.com | tcp |
| US | 8.8.8.8:53 | 65.204.21.100.in-addr.arpa | udp |
| N/A | 127.0.0.1:58516 | tcp | |
| US | 13.248.169.48:80 | by4s6fngn.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | by4s6fngn.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | by4s6fngn.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | by4s6fngn.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | by4s6fngn.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | by4s6fngn.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | by4s6fngn.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | by4s6fngn.2ihsfa.com | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.180.4:443 | www.google.com | tcp |
| GB | 142.250.180.4:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | 4.180.250.142.in-addr.arpa | udp |
| GB | 142.250.180.4:443 | www.google.com | udp |
| US | 13.248.169.48:80 | by4s6fngn.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | by4s6fngn.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | by4s6fngn.2ihsfa.com | tcp |
| US | 8.8.8.8:53 | 35.200.250.142.in-addr.arpa | udp |
| US | 13.248.169.48:80 | by4s6fngn.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | by4s6fngn.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | by4s6fngn.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | by4s6fngn.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | by4s6fngn.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | by4s6fngn.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | by4s6fngn.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | by4s6fngn.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | by4s6fngn.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | by4s6fngn.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | by4s6fngn.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | by4s6fngn.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | by4s6fngn.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | by4s6fngn.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | by4s6fngn.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | by4s6fngn.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | by4s6fngn.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | by4s6fngn.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | by4s6fngn.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | by4s6fngn.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | by4s6fngn.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | by4s6fngn.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | by4s6fngn.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | by4s6fngn.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | by4s6fngn.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | by4s6fngn.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | by4s6fngn.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | by4s6fngn.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | by4s6fngn.2ihsfa.com | tcp |
Files
C:\Users\Admin\Desktop\fijewh\412433.zip
| MD5 | a803f82431678efa91e202dfc4e59dfa |
| SHA1 | aac1594ee4bc7d91b640c2d5b66c64e7b7671cc3 |
| SHA256 | 6b2816073c1bd747fe54b0e1876ef261a93af763bc4e8754d389d265afda1b04 |
| SHA512 | 4f2965a6f7edbd23d4aa317b66fc4aa2bf46e5a0905cd48fa63920c7e859f46aba0bc3759fcde66c523e4b615a367e789857349d6d8a029e5ffe746cbaa01053 |
C:\Users\Admin\Desktop\fijewh\LonelyScreen.zip
| MD5 | 34cbb7645c079ba403250edea20ad34e |
| SHA1 | feebf5bd2332cd26ae6bc3770725987da19befba |
| SHA256 | 4fc6b36e62dd4619193a22c3aa43dd905895d5bd2c8aa8ebf5098958dbef988e |
| SHA512 | 80d64d20a119d1bbf83c8a417216e6171eb8c786cb7f0d03ab5da41ae76f57486c1ac5fed01a0751ae19be8dfd661e25c3ac4da9873c840ed06c4e1f4ae30367 |
C:\Users\Admin\Desktop\fijewh\412433\Lonelyscreen.1.2.9.keygen.by.Paradox.exe
| MD5 | 48c356e14b98fb905a36164e28277ae5 |
| SHA1 | d7630bd683af02de03aebc8314862c512acd5656 |
| SHA256 | b2f43148c08f4fe2a0902873813fd7bbb9b513920089939c220826097480396c |
| SHA512 | 278ae5723544691844aae917938c7ab835f5da9c01c59472497112ca9f5d326a2586fa0bc79fbd0d907aab972b3f855c0087656c5e10504adc760b756ada221b |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat
| MD5 | 362a98ff358cee4c06aedf4c8e6f8770 |
| SHA1 | 376b001129e2e64ecee89e27a343195f50c196a3 |
| SHA256 | c02a8b5cd85868da0523b58370bc5b6f8c24fa5ac8e59d874f8ba1c21f4ef158 |
| SHA512 | d60822a56650f91b3e108b9053558ca3367ce008b3972707e68986c874a856137efce7578def798248cea0852b664f429581e66c3ef67bb0e338e91501c76ab9 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
| MD5 | 65b49b106ec0f6cf61e7dc04c0a7eb74 |
| SHA1 | a1f4784377c53151167965e0ff225f5085ebd43b |
| SHA256 | 862a8cf0e5561c848145a1a1f464acf77f92a3b15cc43722a7208701f60a2fcd |
| SHA512 | e9030cd609f42fb616e5bac3a5203ae46bbae9ec95682432a367f8805cdaa3e30c18a732ceddb0545ac653d543348a6728866149d2822752c80948066bfdf3da |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe
| MD5 | 20f5a9440a46acd791f3e14a51168709 |
| SHA1 | 6228ed232ea25299e4ec54654bed013d8022c6ee |
| SHA256 | 838b3a60041cef51e5e5ef385c9753d3526fcb0429c322374bb14d08512683a3 |
| SHA512 | f847f68789c9d02b14fadb6f0f6d402d2aaf6f866a56a1837d100c17eb1006f47b0f2a2f9e68e106fd420d0279e542679816182b2c9181be87b83ae4e20bc812 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
| MD5 | 5152124e9780ce8fdaffdb2ecf01f147 |
| SHA1 | fd5c673082d3c82f84cdc9ef9aa3ebf167588170 |
| SHA256 | 70d612145ca07e3f272a8c4ca5f5bdc1c2e52fe5833c537d9d1d437e746c7c65 |
| SHA512 | 087790afa61f8d384185b5febeaca93a836d6ec9159282a328f47810a2c2cf6fde2c8bf27817748501cc37e3beacf618fb330b4d7e5f2d3d447b021e84da51bc |
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
| MD5 | 51ef03c9257f2dd9b93bfdd74e96c017 |
| SHA1 | 3baa7bee4b4b7d3ace13409d69dc7bcd0399ac34 |
| SHA256 | 82a022b29bda763ef9f2ce01c82c82e199182d1d0243cca9811eccc1d993cecf |
| SHA512 | 2c97e5d08c9be89ca45153511e0976abfabf41e25d4187dcb7586ba125b6d8d763b99e79043ac1504203c26c7ab47a9246d9a0235b469f6c611703d4e2ae00e1 |
C:\Users\Admin\AppData\Local\Temp\RarSFX1\JOzWR.dat
| MD5 | 12476321a502e943933e60cfb4429970 |
| SHA1 | c71d293b84d03153a1bd13c560fca0f8857a95a7 |
| SHA256 | 14a0fbd7eab461e49ee161ac3bd9ad8055086dbe56848dbaba9ec2034b3dea29 |
| SHA512 | f222de8febc705146394fd389e6cece95b077a0629e18eab91c49b139bf5b686435e28a6ada4a0dbb951fd24ec3db692e7a5584d57ffd0e851739e595f2bbfdc |
C:\Users\Admin\AppData\Local\Temp\RarSFX2\whhw.exe
| MD5 | 2fb5455dab77dd4d793aafa3df21b013 |
| SHA1 | 453ef895e9edc4b22cddd9d4881afa19295ad2c0 |
| SHA256 | 160785406249aae0e5f2bd62dd5daf64a15ce9bbb36c57a6f8f5c1ddb6390d9b |
| SHA512 | 2e5d7eb6a881b8e7d8309dd2cbe8c57c06c2acc2e2a50004717a9354b372a694d511bd197730d8528b4d4fc446134fa95fc0ae496feab33c854e14e9c8574c0f |
memory/2420-83-0x0000000000400000-0x0000000000983000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX3\setup.upx.exe
| MD5 | 7d72db8aaceccd5cab82e0f618ce9d81 |
| SHA1 | c690d1e3a90499ce1b63ee9388dfaec786751e1e |
| SHA256 | a8374f4efacd0d4ace4f78a781baf7a1e0913edaceb8feddcb82d07b68a1bcab |
| SHA512 | 88ff9256d7bfe8d724e42f59be08e51e70244d546ac8ef6466864d2466e52aac5d84acb0ea552168701e5e1d1eceee0696a0e3a40de2d83ab720e0e69de0d6d2 |
memory/2420-93-0x0000000000400000-0x0000000000983000-memory.dmp
memory/2420-95-0x0000000000400000-0x0000000000983000-memory.dmp
memory/3736-99-0x0000000000400000-0x0000000000531000-memory.dmp
memory/3736-100-0x0000000000400000-0x0000000000531000-memory.dmp
memory/2420-101-0x0000000000400000-0x0000000000983000-memory.dmp
memory/2420-102-0x0000000000400000-0x0000000000983000-memory.dmp
memory/2420-103-0x0000000000400000-0x0000000000983000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX2\id6.exe
| MD5 | d9ec2bce43693cd8c042abda75cc2f82 |
| SHA1 | fb270d5ccecdd9f18b01438b371e1caf72548fb4 |
| SHA256 | 61271188de7b7dc646c38eb9aff1e5582b7d8981f19af2c8684ca12902bc3454 |
| SHA512 | d5bb890b4e344e090023bc100778fe557b8972a3640b3c2a5528523c44de26b5524523dbad3ba1bf05b1a3154f5c5d6f98411f2866e66368794427d0ca2127c9 |
memory/2420-116-0x0000000000400000-0x0000000000983000-memory.dmp
memory/2420-117-0x0000000000400000-0x0000000000983000-memory.dmp
memory/2420-118-0x0000000000400000-0x0000000000983000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX1\potato.dat
| MD5 | 0bdd93df3b5ee96569a2f22f9d617b8e |
| SHA1 | 7f8704c83cf599bb2e739698766f05089f70a5e2 |
| SHA256 | c1d3be98c494f08e6de80f6e38ab94368cd33b199700ee5bd62e9d6d15063d1b |
| SHA512 | 483714eff806aec59033e326b887a9f1cd7256cf49e88ca873a014fe95d564b0b29d18bab47f788be09d6bfe520f14e09c8c682d3275825c4145f833c72a7a9d |
C:\Users\Admin\Desktop\fijewh\412433\Lonelyscreen.1.2.9.keygen.by.Paradox.zip
| MD5 | 5aaa5c6788ccdc89c2d393ae139a1479 |
| SHA1 | d176526637cabd9af128ae485363731c73016b97 |
| SHA256 | 47e2d401491fa349aff65afd36809607588a13555a4353b32fc37ba812ce553f |
| SHA512 | 88fd03792c8e3c3c89f5ad82a99ed5a90175969b7c90bb82c57887d49c2781b2b0aa7954e3e252fbfa46440de17d44f88cdaeffec79c311bf7525067da7d8651 |
memory/3392-126-0x0000000010000000-0x00000000100E3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe
| MD5 | e818a2384a90a03d8314cc4cf1cad1e0 |
| SHA1 | a28e0df0e8853596db4508925e9b93f4b8e2e902 |
| SHA256 | 0585a29ddcdb6a4f0d23d4d09304768877ef1ae500c9664af9c21a6aff9d330c |
| SHA512 | e96d9fe81aff387b7ce844552fba43f20d3833cf75078855d6fa3d15b58a5486b7cec71d7499d82165425dd3ac25a624aa918251cff6044b4df3cfe096a02569 |
memory/3968-143-0x0000000000400000-0x00000000004C1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-7S25V.tmp\Setup.tmp
| MD5 | 2f7b6979529e98725c226681b9431206 |
| SHA1 | 12a2e01e39f79997b1fd71f33da78c672b37b590 |
| SHA256 | 22241dd602bb54f1d16db7723c5033d1bd88b2b8218b7e36eaeef746ad0c9823 |
| SHA512 | 34d380be583b27f39b8aeb93f9944370cbe9857699976535fff230e43883d4c497216ddf3d5501d9daf436aefb8f57b8d88a7e6933e2f243defb45aa476851b1 |
C:\Users\Admin\AppData\Local\Temp\RarSFX2\searzar\searzar.exe
| MD5 | 5af346c85e6a347401ebd8798035df35 |
| SHA1 | 036e6513eccaee195ba637e85683744a8dce09c0 |
| SHA256 | e7129b9545ead3dc009bcf40b5368eac467705889478cfac339cfa129631b87d |
| SHA512 | 117338b32f8610facf930748b4d916bb9cc90dba1c72f2059e52219726d19f8dc6314c46505e80e492104ac7b4e5222419036c8ceb9477da12fc9ce32fbdda77 |
memory/1516-165-0x0000000000400000-0x000000000052B000-memory.dmp
memory/1516-175-0x0000000000400000-0x000000000052B000-memory.dmp
memory/440-177-0x0000000000400000-0x000000000067C000-memory.dmp
memory/3968-178-0x0000000000400000-0x00000000004C1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX2\hjjgaa.exe
| MD5 | 7016ff8fcb9d9451139d7a7541512597 |
| SHA1 | bf20fea9aa80a94531c4c3af8549b3e32bcada77 |
| SHA256 | 97d21bc11812933a88c45cec4bef20e346952fc4a4144c93b19a205d20420a57 |
| SHA512 | b1ceab00b09c6feb716658e19b3021a8fe2d79ff06888b94376652907931aa67a451bb775ed0fc53fbd661f8b3ecaf98b8304604c1341df4ef21e9feac035e99 |
memory/4512-186-0x00000000007E0000-0x0000000000E50000-memory.dmp
memory/3540-193-0x0000000000400000-0x000000000045B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe
| MD5 | 7fee8223d6e4f82d6cd115a28f0b6d58 |
| SHA1 | 1b89c25f25253df23426bd9ff6c9208f1202f58b |
| SHA256 | a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59 |
| SHA512 | 3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4 |
memory/3540-197-0x0000000000400000-0x000000000045B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX1\user32.dll
| MD5 | 634fbe95ea4ef2e799b3d117dd9ec52e |
| SHA1 | 09533551abefbc922b87d1c2553329abd328c387 |
| SHA256 | 1ba4bc4f000dd9263307357ffa42d83eb01f59bf28aec16ef2eb74e24683412e |
| SHA512 | 7d3857623c2d6806ed56e436fba2aa72ee57978ed8261894c3d7bb97a9f747d87866ca1dfaa2bc21ea22de1544fe7daf223565b7f16d894d02219ea9a690b7cf |
C:\Users\Admin\AppData\Local\Temp\fjgha23_fa.txt
| MD5 | b7161c0845a64ff6d7345b67ff97f3b0 |
| SHA1 | d223f855da541fe8e4c1d5c50cb26da0a1deb5fc |
| SHA256 | fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66 |
| SHA512 | 98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data1
| MD5 | a182561a527f929489bf4b8f74f65cd7 |
| SHA1 | 8cd6866594759711ea1836e86a5b7ca64ee8911f |
| SHA256 | 42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914 |
| SHA512 | 9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558 |
C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe
| MD5 | 4d4c98eca32b14aeb074db34cd0881e4 |
| SHA1 | 92f213d609bba05d41d6941652a88c44936663a4 |
| SHA256 | 4182172a01bdfc08c5cf7e8652f7d9d81858345a770e2b6b507840e4c1c7764f |
| SHA512 | 959da8bbf6084e802ed366de8d240382b8a5ab2f18bc58881f42ecb7a8ed082d0e078b3ad18dbf90ac0a14cd491b5ac8b00cf1f0a266bdb7ebb8d95c5c71cacf |
memory/3692-285-0x0000000000400000-0x0000000000531000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\fjgha23_fa.txt
| MD5 | c7be3c661dc1ae8c3c5cee7c5463b8b7 |
| SHA1 | 6bc151f7473448fc7ae464443be9e6ca0343bbd3 |
| SHA256 | ffbc54f9854804b7a5b12dda41be1af202b4ee0f39be12ec57e2ab0860d3e1bb |
| SHA512 | 096861535dcfe6dd7420b2139f5b79d46baac47e7aab86d0bdcf3dd9403d34b7da4d98d62aae5e03a8c4ea6536d1581750d944078eb2d30643ae392741f4cd7b |
memory/4348-300-0x0000000010000000-0x00000000100E3000-memory.dmp
memory/4448-314-0x0000000000400000-0x00000000004C1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX2\searzar\unins000.dat
| MD5 | ee8ec729ed8d9c47837b12eefe91e699 |
| SHA1 | eb5aca5d1ab3924850714f920ff799348b38a09a |
| SHA256 | 921bb19943f8eb02ef6ef5836fb42509b94c2e08f957457e4623bfdce1566745 |
| SHA512 | 187107c6e8481b8af967da57cfb8d7388989b60211527ab4847430edb01765749e4ae3c57329d41d9583d7cc35c81567234599a48051a1bc3eb7b1669656e6f2 |
C:\Users\Admin\AppData\Local\Temp\RarSFX2\searzar\unins000.exe
| MD5 | 37942174e71daee7d2c01d854fb0f099 |
| SHA1 | 828efb5608816121a21291e384c8cf95967214af |
| SHA256 | 8c841a5c438dc26b0249081c0ecc1e2d0a6f25392084b26a0362e0a88b52a37f |
| SHA512 | c0f724ff4c827943b6ef30a66929875c7e7fd9a16d3004da892c8172c3e983754bdc04807019ba5bce430e2ca785d01114ec4f00c014edc4d8f66acf6bf42174 |
memory/396-336-0x0000000000400000-0x000000000052B000-memory.dmp
memory/2180-337-0x0000000000400000-0x000000000067C000-memory.dmp
memory/4448-338-0x0000000000400000-0x00000000004C1000-memory.dmp
memory/3864-344-0x0000000000F70000-0x00000000015E0000-memory.dmp
memory/396-351-0x0000000000400000-0x000000000052B000-memory.dmp
memory/4012-354-0x0000000000400000-0x000000000045B000-memory.dmp
memory/4012-357-0x0000000000400000-0x000000000045B000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\pending_pings\6e592166-d6da-41c5-affe-6bb8ce6609a9
| MD5 | c7a895997138b293aca452110a961dd4 |
| SHA1 | 99156ca9682a2c29d26d77a069c3ea324dc7014c |
| SHA256 | 5a322d97f1edc59f433c4e24148cba2756ff5161e1a5add050853ee7c8ea0b18 |
| SHA512 | 0cbd7351c509839de35f5041252e0e2c3e5f1023e577f02cc1170768a6cb52c9130f75d16520b967a28526e173ce508026e79217c8442986ea9ce143968ab9d2 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\pending_pings\a34d9b6b-e9fb-407c-83b2-66f988fd7eea
| MD5 | a867e6365033fb80ccd0967b657205fd |
| SHA1 | 4a298f4a67b9a06f75cb8b9df54514f34b674b10 |
| SHA256 | 92cceade0c6935e4148c8e639e450773f29d03e05bcc206ef73cb40875ed34bf |
| SHA512 | 3201afe111b0d4e3dd78339b0016f52318f9ce4d2f2c258ba53f0d28d34cee28696db380fb26e4bdc34ee1244e3950aa15dba9539ba5a55d58412d632ce6af87 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\pending_pings\c4ddfc07-c826-47c8-adef-6734159ca801
| MD5 | a4ee991a6bb43261a26273d69674f44d |
| SHA1 | ed4e1e9b664e988d0b0d584ef129a3d0d90a9c97 |
| SHA256 | f5d77df364c9d1975b42df24e3d0c713de84aa1e127c0501d98354df14290ea0 |
| SHA512 | 78b8d534c744e573c92f96955f7f3c07811b6ed149527a6789a8859d626ae571431f7c1645b0d1b3f41a5e81dbb5f980b291d911c5eef7de181049ba0faf0316 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\db\data.safe.tmp
| MD5 | e7c07b62c73089e7921181a87b7f1755 |
| SHA1 | cb989207fa7c2727123b377d57c953836c28c8f2 |
| SHA256 | 58c8c7ff07cb54c6f6c568cba1048367a00502ff40f9a06070a0e7976dbf3a97 |
| SHA512 | 63870100ed91d8c2d028af450b25774a986000f34c81b8a335688b9516d19936c83948e8fd2f1dae41f8111bc747a899c2f41b01abb4a1ee03f0d19127769fe4 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g9per00b.default-release\activity-stream.discovery_stream.json
| MD5 | 0fdc1f287a6756d42c95bedd953a5b16 |
| SHA1 | 5cac2a0fc55aa2352625bcdc8aca14a935505b9d |
| SHA256 | 459e3ba8dc3f9bc029cf4c6d7dc97c15c5b60c0f92d3d9620ed03a8fc217e179 |
| SHA512 | 6c186112ff79f1bad1c46ee7e67bb93d435d4420096ae8c450315b78f1aaa59e7923dfa48e61a2ebf29114bc97cac70680676d255b2072c736fb93f961ea0435 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\AlternateServices.bin
| MD5 | 9a20e75b4583cbf9c1018d79ffefc7ef |
| SHA1 | ebb4336dff312e65fd15074088d532ad50b6bd54 |
| SHA256 | 4c0743e51f9236c9ccee5e83b709096f51e06a17cb3bc8eb69d88878641abbf5 |
| SHA512 | 5681ae1020b9aa0cf48472eb842ba7a0e573029e1651d821cc7248a1567f8a825bb44aebfe637a1eec5ec0cfe6d2c4fcde08e72afbb987ddc86e9e00112de78b |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\db\data.safe.tmp
| MD5 | 1b24142087d59fd4049932d3ba089c63 |
| SHA1 | c91440d73716d347f7086ab0de05eb1c0cf22e42 |
| SHA256 | 68e24ba310b9cd999210900204e12c770b56aabb9ca36efb948a37cbe4b2c457 |
| SHA512 | 5b557ba6dd8d6b1cec00bfc47b557484af855c2962fba7a41b9db2f64e0eb6d2807d4112024892fe473fb5547d955d818e8d3b1303e3e6f25635c2fc13b0e4d0 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g9per00b.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl.tmp
| MD5 | f99b4984bd93547ff4ab09d35b9ed6d5 |
| SHA1 | 73bf4d313cb094bb6ead04460da9547106794007 |
| SHA256 | 402571262fd1f6dca336f822ceb0ec2a368a25dfe2f4bfa13b45c983e88b6069 |
| SHA512 | cd0ed84a24d3faae94290aca1b5ef65eef4cfba8a983da9f88ee3268fc611484a72bd44ca0947c0ca8de174619debae4604e15e4b2c364e636424ba1d37e1759 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\prefs.js
| MD5 | 51ce66ae2497d368b8ae047989680616 |
| SHA1 | f55c3629ad9ec0d2a4ed9568708b8ddfbd176a6b |
| SHA256 | 23e5940a4cfafe399c4a9525a00dc50ff39958e69273cf5d9edad7b690344ed9 |
| SHA512 | adbf6dd2a0acdb41b62757d794478373cbe2f28c74cde99bbc08c934dbfe32e1f501c7caa41f96da356bc4ea28efd9e07207026055f192005f721de3fdc1a400 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\AlternateServices.bin
| MD5 | 8b2c4a7dd08f12aed19ec10998b40d32 |
| SHA1 | aaa7214a19d638ed18a9ad03189a7f3aa58730e9 |
| SHA256 | bb2358fc0baa751568d162bed12ca7f34f2b9abe33821396546bc7dbc509b53c |
| SHA512 | 634df8da027274ad7ee955d5285a4dd17dbf413db5e5b21555722c7b1998f8c0f0ab16210d87bafb9a242487f4fa6d96026e3da0faf46ca3efd9f985e18a915b |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\prefs-1.js
| MD5 | e14cdc1591f60563ff1396c644c3d963 |
| SHA1 | a1d89c88e035b8541d4bc80ee9c5f607dacc9ee4 |
| SHA256 | 988f4f655a4cc2d5ef6f61ce369074dd2139c2f86a03b50c68b2d7f1c50b3c00 |
| SHA512 | f17a243fb5eb8bcc6b30e80c531422035347216f61cd199108d66493a129ea515c70e37e394a44ab54284535ab67e8616c0ffe46afa0a9c5ec408342a011699a |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\pending_pings\b35bafc4-52f7-4df2-a06c-dac644858735
| MD5 | dce7201e71cf6fbe3700fcb5dbc3a672 |
| SHA1 | 03b4a2ede47af8f33793926abf1430c40291252e |
| SHA256 | 544357b3f1e2967cd8e5a95e315993cbee324506389e70c1f61552292de82b41 |
| SHA512 | ccaf6ea126a782a1e5b49e8876644ac3b1bb285eeaa2dcc7b951b6e10756d209ff8aefad33564badd6210918965ba544f31793aa160c627dd4451e558f43a6ed |
C:\Users\Admin\AppData\Local\Temp\RarSFX9\Install.exe
| MD5 | 09bea173fb3f7244bfddaa3b110761a8 |
| SHA1 | 5a4a6b0d01643616121cf258c671b22b65c91e1f |
| SHA256 | 674a3e21beb7da6768d1484ffdbddf88a2f7cbebe9355c1e7646e6831795c894 |
| SHA512 | 09cf74fbee32eb13751000868eafb32a0008d469536db9a97ff924191842684de55910b513896d9960e159a06dcd9009631fdac7349ce36735d126c0c6561fb7 |
C:\Users\Admin\AppData\Local\Temp\RarSFX9\lunch.bat
| MD5 | e56df68ac513d0d1bd4e36b6fd24f710 |
| SHA1 | bccae5ce3fae788789115d9963d7dc70598c76db |
| SHA256 | fb2696efa485021c577b6d6966e03e35dc7dd0f3f86825e17328eafd95a3c777 |
| SHA512 | f84e4fed8ee4df08a61c23b5911e13335ca07912ca1011acaafb7bc3756d60a7ff745945663b2f1bc2f267997bfe6ebe5777ca505509f3121e25053e5098b9f4 |
C:\Users\Admin\AppData\Local\Temp\RarSFX9\Full Version.exe
| MD5 | 5eb7d1110a6268092d008d93701a08b5 |
| SHA1 | 6c1d846d8d01ee31f18c3bca5ad0245aa6a056ec |
| SHA256 | b858e24eac464afd49d6bf782557f946b03e5e97431a1987b09b0203b5636c97 |
| SHA512 | 8029b8f196d4030589c8e2ae8de5ff13892ae0619da35f600b028e8ca0c7bb76b9d5c0f623ce97c674d9e6ca5b9e01f6ab6f9b1313d87654797e247eca2fd669 |
C:\Users\Admin\AppData\Local\Temp\RarSFX9\BTRSetp.exe
| MD5 | 6331d170c7c2c06ea9ecf289987a8db2 |
| SHA1 | e938ff9b901d2a51a076688f0a8af8b241433600 |
| SHA256 | b452a777118ad0153b13c0aa7d141c34f9f7c212d082998c071f69ce10f09234 |
| SHA512 | 7ace643fa9e0320c8aeabe57c725868a0ed654130a89e1b799f03de6f19ad0a273c5bafb27ff3afc1dbc438fb37cc304abb188a25a7259e508e70753cf160944 |
C:\Users\Admin\AppData\Local\Temp\RarSFX9\DreamTrips.bat
| MD5 | 7b24665f2db82f311bff238f05eb639a |
| SHA1 | 4001fddab3079c1f50207c6b19e782cfefa059c5 |
| SHA256 | 81c2e1e08984f45a9fcd8a5e54087b5b2160ed553b584bac7ef589c0867e4478 |
| SHA512 | 5cb0ae0a5a5e995adf21975b25b121103e56d6ad2f5bef5759d93e389f00ac62c4a963bdd80aa9e703e285dfe8acc9ca036e03b9b3d445ed516021397467d2a4 |