General Info

URL

https://github.com/ytisf/theZoo/blob/master/malware/Binaries/Ransomware.Cryptowall/Ransomware.Cryptowall.zip?raw=true

Full analysis
https://app.any.run/tasks/f92e8d6d-894f-424a-a98e-20ae2a1e5455
Verdict
Malicious activity
Analysis date
14/01/2022, 21:11:19
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:

evasion

trojan

ransomware

cryptowall

Indicators:

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
300 seconds
Additional time used
240 seconds
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 11.0.9600.19596 KB4534251
  • Adobe Acrobat Reader DC (20.013.20064)
  • Adobe Flash Player 32 ActiveX (32.0.0.453)
  • Adobe Flash Player 32 NPAPI (32.0.0.453)
  • Adobe Flash Player 32 PPAPI (32.0.0.453)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.74)
  • FileZilla Client 3.51.0 (3.51.0)
  • Google Chrome (86.0.4240.198)
  • Google Update Helper (1.3.36.31)
  • Java 8 Update 271 (8.0.2710.9)
  • Java Auto Updater (2.8.271.9)
  • Microsoft .NET Framework 4.5.2 (4.5.51209)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
  • Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (German) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
  • Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
  • Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
  • Mozilla Firefox 83.0 (x86 en-US) (83.0)
  • Mozilla Maintenance Service (83.0.0.7621)
  • Notepad++ (32-bit x86) (7.9.1)
  • Opera 12.15 (12.15.1748)
  • QGA (2.14.33)
  • Skype version 8.29 (8.29)
  • VLC media player (3.0.11)
  • WinRAR 5.91 (32-bit) (5.91.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Hyphenation Parent Package English
  • IE Spelling Parent Package English
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • InternetExplorer Package TopLevel
  • KB2479943
  • KB2491683
  • KB2506212
  • KB2506928
  • KB2532531
  • KB2533552
  • KB2533623
  • KB2534111
  • KB2545698
  • KB2547666
  • KB2552343
  • KB2560656
  • KB2564958
  • KB2574819
  • KB2579686
  • KB2585542
  • KB2604115
  • KB2620704
  • KB2621440
  • KB2631813
  • KB2639308
  • KB2640148
  • KB2653956
  • KB2654428
  • KB2656356
  • KB2660075
  • KB2667402
  • KB2676562
  • KB2685811
  • KB2685813
  • KB2685939
  • KB2690533
  • KB2698365
  • KB2705219
  • KB2719857
  • KB2726535
  • KB2727528
  • KB2729094
  • KB2729452
  • KB2731771
  • KB2732059
  • KB2736422
  • KB2742599
  • KB2750841
  • KB2758857
  • KB2761217
  • KB2770660
  • KB2773072
  • KB2786081
  • KB2789645
  • KB2799926
  • KB2800095
  • KB2807986
  • KB2808679
  • KB2813347
  • KB2813430
  • KB2820331
  • KB2834140
  • KB2836942
  • KB2836943
  • KB2840631
  • KB2843630
  • KB2847927
  • KB2852386
  • KB2853952
  • KB2857650
  • KB2861698
  • KB2862152
  • KB2862330
  • KB2862335
  • KB2864202
  • KB2868038
  • KB2871997
  • KB2872035
  • KB2884256
  • KB2891804
  • KB2893294
  • KB2893519
  • KB2894844
  • KB2900986
  • KB2908783
  • KB2911501
  • KB2912390
  • KB2918077
  • KB2919469
  • KB2923545
  • KB2931356
  • KB2937610
  • KB2943357
  • KB2952664
  • KB2968294
  • KB2970228
  • KB2972100
  • KB2972211
  • KB2973112
  • KB2973201
  • KB2977292
  • KB2978120
  • KB2978742
  • KB2984972
  • KB2984976
  • KB2984976 SP1
  • KB2985461
  • KB2991963
  • KB2992611
  • KB2999226
  • KB3004375
  • KB3006121
  • KB3006137
  • KB3010788
  • KB3011780
  • KB3013531
  • KB3019978
  • KB3020370
  • KB3020388
  • KB3021674
  • KB3021917
  • KB3022777
  • KB3023215
  • KB3030377
  • KB3031432
  • KB3035126
  • KB3037574
  • KB3042058
  • KB3045685
  • KB3046017
  • KB3046269
  • KB3054476
  • KB3055642
  • KB3059317
  • KB3060716
  • KB3061518
  • KB3067903
  • KB3068708
  • KB3071756
  • KB3072305
  • KB3074543
  • KB3075226
  • KB3078667
  • KB3080149
  • KB3086255
  • KB3092601
  • KB3093513
  • KB3097989
  • KB3101722
  • KB3102429
  • KB3102810
  • KB3107998
  • KB3108371
  • KB3108664
  • KB3109103
  • KB3109560
  • KB3110329
  • KB3115858
  • KB3118401
  • KB3122648
  • KB3123479
  • KB3126587
  • KB3127220
  • KB3133977
  • KB3137061
  • KB3138378
  • KB3138612
  • KB3138910
  • KB3139398
  • KB3139914
  • KB3140245
  • KB3147071
  • KB3150220
  • KB3150513
  • KB3155178
  • KB3156016
  • KB3159398
  • KB3161102
  • KB3161949
  • KB3170735
  • KB3172605
  • KB3179573
  • KB3184143
  • KB3185319
  • KB4019990
  • KB4040980
  • KB4474419
  • KB4490628
  • KB4524752
  • KB4532945
  • KB4536952
  • KB4567409
  • KB958488
  • KB976902
  • KB982018
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • Package 21 for KB2984976
  • Package 38 for KB2984976
  • Package 45 for KB2984976
  • Package 59 for KB2984976
  • Package 7 for KB2984976
  • Package 76 for KB2984976
  • PlatformUpdate Win7 SRV08R2 Package TopLevel
  • ProfessionalEdition
  • RDP BlueIP Package TopLevel
  • RDP WinIP Package TopLevel
  • RollupFix
  • UltimateEdition
  • WUClient SelfUpdate ActiveX
  • WUClient SelfUpdate Aux TopLevel
  • WUClient SelfUpdate Core TopLevel
  • WinMan WinIP Package TopLevel

Behavior activities

MALICIOUS SUSPICIOUS INFO
Application was dropped or rewritten from another process
  • cryptowall.bin.exe (PID: 1632)
  • cryptowall.bin.exe (PID: 2896)
Writes to a start menu file
  • explorer.exe (PID: 3232)
Drops executable file immediately after starts
  • explorer.exe (PID: 3232)
Changes the autorun value in the registry
  • explorer.exe (PID: 3232)
Uses SVCHOST.EXE for hidden code execution
  • explorer.exe (PID: 3232)
Starts BCDEDIT.EXE to disable recovery
  • explorer.exe (PID: 3232)
Deletes shadow copies
  • explorer.exe (PID: 3232)
CRYPTOWALL was detected
  • svchost.exe (PID: 508)
Connects to CnC server
  • svchost.exe (PID: 508)
Executable content was dropped or overwritten
  • WinRAR.exe (PID: 3036)
  • explorer.exe (PID: 3232)
Checks supported languages
  • WinRAR.exe (PID: 3036)
  • cryptowall.bin.exe (PID: 2896)
  • cryptowall.bin.exe (PID: 1632)
Reads the computer name
  • WinRAR.exe (PID: 3036)
Creates files in the user directory
  • explorer.exe (PID: 3232)
Application launched itself
  • cryptowall.bin.exe (PID: 1632)
Checks for external IP
  • svchost.exe (PID: 508)
Starts Microsoft Office Application
  • WINWORD.EXE (PID: 3132)
Checks supported languages
  • firefox.exe (PID: 880)
  • firefox.exe (PID: 3904)
  • firefox.exe (PID: 2808)
  • firefox.exe (PID: 868)
  • firefox.exe (PID: 2404)
  • firefox.exe (PID: 3424)
  • firefox.exe (PID: 3872)
  • explorer.exe (PID: 3232)
  • vssadmin.exe (PID: 3644)
  • svchost.exe (PID: 508)
  • bcdedit.exe (PID: 3696)
  • bcdedit.exe (PID: 3536)
  • WINWORD.EXE (PID: 3132)
  • CLVIEW.EXE (PID: 3980)
Reads the computer name
  • firefox.exe (PID: 3904)
  • firefox.exe (PID: 868)
  • firefox.exe (PID: 3424)
  • firefox.exe (PID: 2404)
  • firefox.exe (PID: 2808)
  • firefox.exe (PID: 3872)
  • explorer.exe (PID: 3232)
  • vssadmin.exe (PID: 3644)
  • svchost.exe (PID: 508)
  • CLVIEW.EXE (PID: 3980)
  • WINWORD.EXE (PID: 3132)
Application launched itself
  • firefox.exe (PID: 880)
  • firefox.exe (PID: 3904)
Reads CPU info
  • firefox.exe (PID: 3904)
Creates files in the program directory
  • firefox.exe (PID: 3904)
Reads the date of Windows installation
  • firefox.exe (PID: 3904)
Checks Windows Trust Settings
  • firefox.exe (PID: 3904)
  • svchost.exe (PID: 508)
Creates files in the user directory
  • firefox.exe (PID: 3904)
  • WINWORD.EXE (PID: 3132)
Manual execution by user
  • WinRAR.exe (PID: 3036)
  • cryptowall.bin.exe (PID: 1632)
  • WINWORD.EXE (PID: 3132)
Reads settings of System Certificates
  • svchost.exe (PID: 508)
Reads Microsoft Office registry keys
  • CLVIEW.EXE (PID: 3980)
  • WINWORD.EXE (PID: 3132)
Reads internet explorer settings
  • CLVIEW.EXE (PID: 3980)
Reads Microsoft Outlook installation path
  • CLVIEW.EXE (PID: 3980)


Processes

Total processes
62
Monitored processes
17
Malicious processes
2
Suspicious processes
0

Behavior graph

Process nodes in the graph, in start order ("no specs" means no indicators were attached to that process):

  • start
  • firefox.exe (no specs)
  • firefox.exe
  • firefox.exe (no specs)
  • firefox.exe (no specs)
  • firefox.exe (no specs)
  • firefox.exe (no specs)
  • firefox.exe (no specs)
  • winrar.exe
  • cryptowall.bin.exe (no specs)
  • cryptowall.bin.exe (no specs)
  • explorer.exe
  • #CRYPTOWALL svchost.exe
  • vssadmin.exe (no specs)
  • bcdedit.exe (no specs)
  • bcdedit.exe (no specs)
  • winword.exe (no specs)
  • clview.exe (no specs)
Specs description
Program did not start
Integrity level elevation
Task contains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has suspicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information

PID
880
CMD
"C:\Program Files\Mozilla Firefox\firefox.exe" "https://github.com/ytisf/theZoo/blob/master/malware/Binaries/Ransomware.Cryptowall/Ransomware.Cryptowall.zip?raw=true"
Path
C:\Program Files\Mozilla Firefox\firefox.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Mozilla Corporation
Description
Firefox
Version
83.0
Modules
Image
c:\windows\system32\kernelbase.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\advapi32.dll
c:\program files\mozilla firefox\api-ms-win-crt-time-l1-1-0.dll
c:\windows\system32\kernel32.dll
c:\program files\mozilla firefox\ucrtbase.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\dbghelp.dll
c:\program files\mozilla firefox\vcruntime140.dll
c:\program files\mozilla firefox\mozglue.dll
c:\program files\mozilla firefox\api-ms-win-core-file-l1-2-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-string-l1-1-0.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\program files\mozilla firefox\firefox.exe
c:\program files\mozilla firefox\api-ms-win-crt-convert-l1-1-0.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\program files\mozilla firefox\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\sechost.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\program files\mozilla firefox\api-ms-win-crt-runtime-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-core-localization-l1-2-0.dll
c:\program files\mozilla firefox\api-ms-win-core-processthreads-l1-1-1.dll
c:\program files\mozilla firefox\api-ms-win-crt-environment-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-core-timezone-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-heap-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-utility-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-filesystem-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-core-file-l2-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-stdio-l1-1-0.dll
c:\windows\system32\lpk.dll
c:\program files\mozilla firefox\api-ms-win-crt-locale-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-math-l1-1-0.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll

PID
3904
CMD
"C:\Program Files\Mozilla Firefox\firefox.exe" https://github.com/ytisf/theZoo/blob/master/malware/Binaries/Ransomware.Cryptowall/Ransomware.Cryptowall.zip?raw=true
Path
C:\Program Files\Mozilla Firefox\firefox.exe
Indicators
Parent process
firefox.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Mozilla Corporation
Description
Firefox
Version
83.0
Modules
Image
c:\windows\system32\ntdll.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\wshtcpip.dll
c:\program files\mozilla firefox\api-ms-win-crt-locale-l1-1-0.dll
c:\windows\system32\shell32.dll
c:\windows\system32\version.dll
c:\program files\mozilla firefox\api-ms-win-core-timezone-l1-1-0.dll
c:\windows\system32\wintrust.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\program files\mozilla firefox\api-ms-win-core-processthreads-l1-1-1.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\dbghelp.dll
c:\program files\mozilla firefox\api-ms-win-core-localization-l1-2-0.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\psapi.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\npmproxy.dll
c:\windows\system32\ntdsapi.dll
c:\program files\mozilla firefox\api-ms-win-crt-heap-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-environment-l1-1-0.dll
c:\program files\mozilla firefox\vcruntime140.dll
c:\program files\mozilla firefox\api-ms-win-crt-string-l1-1-0.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\wshqos.dll
c:\windows\system32\advapi32.dll
c:\program files\mozilla firefox\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\winnsi.dll
c:\program files\mozilla firefox\api-ms-win-core-file-l2-1-0.dll
c:\program files\mozilla firefox\lgpllibs.dll
c:\windows\system32\avrt.dll
c:\windows\system32\userenv.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\program files\mozilla firefox\nss3.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\rpcrtremote.dll
c:\program files\mozilla firefox\api-ms-win-crt-filesystem-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-multibyte-l1-1-0.dll
c:\windows\system32\winmm.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\dhcpcsvc.dll
c:\program files\mozilla firefox\d3dcompiler_47.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\nlaapi.dll
c:\program files\mozilla firefox\ucrtbase.dll
c:\windows\system32\netprofm.dll
c:\program files\mozilla firefox\api-ms-win-core-file-l1-2-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-utility-l1-1-0.dll
c:\windows\system32\lpk.dll
c:\program files\mozilla firefox\xul.dll
c:\windows\system32\profapi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\program files\mozilla firefox\api-ms-win-crt-time-l1-1-0.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\dxgi.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\devobj.dll
c:\windows\system32\dwrite.dll
c:\windows\system32\pnrpnsp.dll
c:\program files\mozilla firefox\api-ms-win-crt-runtime-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-stdio-l1-1-0.dll
c:\windows\system32\ole32.dll
c:\windows\system32\kbdus.dll
c:\windows\system32\wbemcomn2.dll
c:\program files\mozilla firefox\api-ms-win-crt-convert-l1-1-0.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\wship6.dll
c:\windows\system32\user32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\napinsp.dll
c:\windows\system32\wbem\fastprox.dll
c:\program files\mozilla firefox\api-ms-win-crt-math-l1-1-0.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\d3d11.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\winrnr.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\winsta.dll
c:\windows\system32\d2d1.dll
c:\windows\system32\wpc.dll
c:\windows\system32\audioses.dll
c:\windows\system32\samlib.dll
c:\windows\system32\mscms.dll
c:\windows\system32\propsys.dll
c:\windows\system32\samcli.dll
c:\windows\system32\wevtapi.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\netutils.dll
c:\windows\system32\mmdevapi.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l2-1-0.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\program files\mozilla firefox\freebl3.dll
c:\windows\system32\secur32.dll
c:\windows\system32\msimg32.dll
c:\program files\mozilla firefox\nssckbi.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\webio.dll
c:\program files\mozilla firefox\softokn3.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\wininet.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\dui70.dll
c:\windows\system32\duser.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\actxprxy.dll
c:\program files\winrar\winrar.exe
c:\windows\system32\cscapi.dll
c:\windows\system32\imageres.dll
c:\windows\system32\srvcli.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\slc.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\wshext.dll
c:\windows\system32\msisip.dll
c:\windows\system32\windowspowershell\v1.0\pwrshsip.dll
c:\windows\system32\urlmon.dll
c:\program files\internet explorer\ieproxy.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\sxs.dll

PID
2404
CMD
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3904.0.499002023\258823247" -parentBuildID 20201112153044 -prefsHandle 1144 -prefMapHandle 1136 -prefsLen 1 -prefMapSize 238726 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3904 "\\.\pipe\gecko-crash-server-pipe.3904" 1216 gpu
Path
C:\Program Files\Mozilla Firefox\firefox.exe
Indicators
No indicators
Parent process
firefox.exe
User
admin
Integrity Level
MEDIUM
Exit code
1
Version:
Company
Mozilla Corporation
Description
Firefox
Version
83.0
Modules
Image
c:\program files\mozilla firefox\api-ms-win-crt-runtime-l1-1-0.dll
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\crypt32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\version.dll
c:\windows\system32\sechost.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\api-ms-win-crt-heap-l1-1-0.dll
c:\program files\mozilla firefox\xul.dll
c:\program files\mozilla firefox\api-ms-win-crt-convert-l1-1-0.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ole32.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\mf.dll
c:\windows\system32\atl.dll
c:\windows\system32\ksuser.dll
c:\windows\system32\msasn1.dll
c:\program files\mozilla firefox\api-ms-win-core-processthreads-l1-1-1.dll
c:\program files\mozilla firefox\api-ms-win-core-file-l1-2-0.dll
c:\program files\mozilla firefox\api-ms-win-core-file-l2-1-0.dll
c:\program files\mozilla firefox\api-ms-win-core-synch-l1-2-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-utility-l1-1-0.dll
c:\windows\system32\usp10.dll
c:\windows\system32\d3d11.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\dbghelp.dll
c:\program files\mozilla firefox\api-ms-win-crt-locale-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-time-l1-1-0.dll
c:\windows\system32\lpk.dll
c:\program files\mozilla firefox\nss3.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\wship6.dll
c:\windows\system32\wshqos.dll
c:\windows\system32\user32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\evr.dll
c:\program files\mozilla firefox\api-ms-win-crt-multibyte-l1-1-0.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\rpcrt4.dll
c:\program files\mozilla firefox\api-ms-win-crt-environment-l1-1-0.dll
c:\windows\system32\wsock32.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\program files\mozilla firefox\api-ms-win-core-timezone-l1-1-0.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dhcpcsvc.dll
c:\program files\mozilla firefox\api-ms-win-crt-stdio-l1-1-0.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\mfplat.dll
c:\windows\system32\dxgi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\avrt.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\program files\mozilla firefox\ucrtbase.dll
c:\program files\mozilla firefox\api-ms-win-core-localization-l1-2-0.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\dwmapi.dll
c:\program files\mozilla firefox\api-ms-win-crt-filesystem-l1-1-0.dll
c:\windows\system32\winmm.dll
c:\windows\system32\nsi.dll
c:\program files\mozilla firefox\d3dcompiler_47.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\dxva2.dll
c:\program files\mozilla firefox\vcruntime140.dll
c:\program files\mozilla firefox\api-ms-win-crt-string-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-math-l1-1-0.dll
c:\windows\system32\ws2_32.dll
c:\program files\mozilla firefox\lgpllibs.dll
c:\windows\system32\devobj.dll

PID
868
CMD
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3904.6.2122202073\9987182" -childID 1 -isForBrowser -prefsHandle 3004 -prefMapHandle 3000 -prefsLen 245 -prefMapSize 238726 -parentBuildID 20201112153044 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3904 "\\.\pipe\gecko-crash-server-pipe.3904" 3016 tab
Path
C:\Program Files\Mozilla Firefox\firefox.exe
Indicators
No indicators
Parent process
firefox.exe
User
admin
Integrity Level
LOW
Exit code
0
Version:
Company
Mozilla Corporation
Description
Firefox
Version
83.0
Modules
Image
c:\windows\system32\wintrust.dll
c:\windows\system32\kernel32.dll
c:\program files\mozilla firefox\nss3.dll
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\msasn1.dll
c:\windows\system32\dxgi.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\api-ms-win-core-localization-l1-2-0.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\sechost.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\crypt32.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ntdll.dll
c:\program files\mozilla firefox\api-ms-win-core-synch-l1-2-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-math-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-convert-l1-1-0.dll
c:\windows\system32\ole32.dll
c:\windows\system32\d3d11.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ws2_32.dll
c:\program files\mozilla firefox\lgpllibs.dll
c:\program files\mozilla firefox\api-ms-win-crt-environment-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-multibyte-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-string-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-stdio-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-locale-l1-1-0.dll
c:\program files\mozilla firefox\xul.dll
c:\program files\mozilla firefox\vcruntime140.dll
c:\program files\mozilla firefox\api-ms-win-core-timezone-l1-1-0.dll
c:\windows\system32\winmm.dll
c:\windows\system32\user32.dll
c:\program files\mozilla firefox\api-ms-win-crt-heap-l1-1-0.dll
c:\windows\system32\rpcrt4.dll
c:\program files\mozilla firefox\api-ms-win-core-file-l1-2-0.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\avrt.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\program files\mozilla firefox\api-ms-win-core-processthreads-l1-1-1.dll
c:\program files\mozilla firefox\ucrtbase.dll
c:\program files\mozilla firefox\api-ms-win-crt-filesystem-l1-1-0.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\program files\mozilla firefox\api-ms-win-core-file-l2-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-utility-l1-1-0.dll
c:\windows\system32\nsi.dll
c:\windows\system32\iphlpapi.dll
c:\program files\mozilla firefox\api-ms-win-crt-time-l1-1-0.dll
c:\windows\system32\imm32.dll
c:\program files\mozilla firefox\api-ms-win-crt-runtime-l1-1-0.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\wtsapi32.dll
c:\program files\mozilla firefox\d3dcompiler_47.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\wshqos.dll
c:\windows\system32\napinsp.dll
c:\windows\system32\winrnr.dll
c:\windows\system32\netutils.dll
c:\windows\system32\dwrite.dll
c:\windows\system32\wpc.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\userenv.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\devobj.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\samcli.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\profapi.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\wship6.dll
c:\windows\system32\pnrpnsp.dll
c:\windows\system32\wevtapi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\samlib.dll
c:\windows\system32\sspicli.dll

PID
3424
CMD
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3904.13.843543187\270927113" -childID 2 -isForBrowser -prefsHandle 2212 -prefMapHandle 2232 -prefsLen 6644 -prefMapSize 238726 -parentBuildID 20201112153044 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3904 "\\.\pipe\gecko-crash-server-pipe.3904" 2168 tab
Path
C:\Program Files\Mozilla Firefox\firefox.exe
Indicators
No indicators
Parent process
firefox.exe
User
admin
Integrity Level
LOW
Exit code
0
Version:
Company
Mozilla Corporation
Description
Firefox
Version
83.0
Modules
Image
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\program files\mozilla firefox\api-ms-win-crt-string-l1-1-0.dll
c:\windows\system32\kernel32.dll
c:\program files\mozilla firefox\api-ms-win-crt-math-l1-1-0.dll
c:\windows\system32\shell32.dll
c:\windows\system32\wintrust.dll
c:\program files\mozilla firefox\api-ms-win-core-file-l1-2-0.dll
c:\program files\mozilla firefox\api-ms-win-core-synch-l1-2-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-filesystem-l1-1-0.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\pnrpnsp.dll
c:\windows\system32\wship6.dll
c:\windows\system32\dwrite.dll
c:\windows\system32\wpc.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\version.dll
c:\program files\mozilla firefox\api-ms-win-crt-stdio-l1-1-0.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\samlib.dll
c:\windows\system32\dbghelp.dll
c:\program files\mozilla firefox\api-ms-win-crt-multibyte-l1-1-0.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\program files\mozilla firefox\api-ms-win-crt-locale-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-convert-l1-1-0.dll
c:\windows\system32\msctf.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\wshqos.dll
c:\program files\mozilla firefox\vcruntime140.dll
c:\program files\mozilla firefox\ucrtbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\profapi.dll
c:\program files\mozilla firefox\api-ms-win-core-processthreads-l1-1-1.dll
c:\program files\mozilla firefox\api-ms-win-crt-heap-l1-1-0.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\winrnr.dll
c:\program files\mozilla firefox\nss3.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\program files\mozilla firefox\api-ms-win-crt-runtime-l1-1-0.dll
c:\windows\system32\winmm.dll
c:\program files\mozilla firefox\api-ms-win-core-localization-l1-2-0.dll
c:\windows\system32\lpk.dll
c:\program files\mozilla firefox\lgpllibs.dll
c:\windows\system32\nsi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\devobj.dll
c:\windows\system32\rpcrt4.dll
c:\program files\mozilla firefox\api-ms-win-core-file-l2-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-environment-l1-1-0.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\d3d11.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\avrt.dll
c:\program files\mozilla firefox\d3dcompiler_47.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\samcli.dll
c:\windows\system32\napinsp.dll
c:\windows\system32\wevtapi.dll
c:\windows\system32\netutils.dll
c:\program files\mozilla firefox\api-ms-win-crt-time-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-core-timezone-l1-1-0.dll
c:\windows\system32\userenv.dll
c:\program files\mozilla firefox\api-ms-win-crt-utility-l1-1-0.dll
c:\program files\mozilla firefox\xul.dll
c:\windows\system32\dxgi.dll
c:\windows\system32\dnsapi.dll
c:\program files\mozilla firefox\freebl3.dll
c:\program files\mozilla firefox\softokn3.dll

PID
2808
CMD
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3904.20.1615068559\870576500" -childID 3 -isForBrowser -prefsHandle 3480 -prefMapHandle 3472 -prefsLen 7399 -prefMapSize 238726 -parentBuildID 20201112153044 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3904 "\\.\pipe\gecko-crash-server-pipe.3904" 3512 tab
Path
C:\Program Files\Mozilla Firefox\firefox.exe
Indicators
No indicators
Parent process
firefox.exe
User
admin
Integrity Level
LOW
Exit code
0
Version:
Company
Mozilla Corporation
Description
Firefox
Version
83.0
Modules
Image
c:\program files\mozilla firefox\api-ms-win-core-timezone-l1-1-0.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ole32.dll
c:\program files\mozilla firefox\api-ms-win-crt-runtime-l1-1-0.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\api-ms-win-core-file-l1-2-0.dll
c:\program files\mozilla firefox\api-ms-win-core-localization-l1-2-0.dll
c:\windows\system32\imm32.dll
c:\windows\system32\rpcrt4.dll
c:\program files\mozilla firefox\api-ms-win-crt-multibyte-l1-1-0.dll
c:\windows\system32\dxgi.dll
c:\windows\system32\iphlpapi.dll
c:\program files\mozilla firefox\api-ms-win-crt-convert-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-stdio-l1-1-0.dll
c:\windows\system32\lpk.dll
c:\windows\system32\nsi.dll
c:\windows\system32\avrt.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\devobj.dll
c:\windows\system32\sechost.dll
c:\program files\mozilla firefox\api-ms-win-crt-math-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-utility-l1-1-0.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\d3d11.dll
c:\windows\system32\msctf.dll
c:\program files\mozilla firefox\api-ms-win-core-processthreads-l1-1-1.dll
c:\windows\system32\user32.dll
c:\windows\system32\ws2_32.dll
c:\program files\mozilla firefox\d3dcompiler_47.dll
c:\windows\system32\wldap32.dll
c:\program files\mozilla firefox\api-ms-win-crt-heap-l1-1-0.dll
c:\program files\mozilla firefox\lgpllibs.dll
c:\windows\system32\profapi.dll
c:\windows\system32\gdi32.dll
c:\program files\mozilla firefox\api-ms-win-crt-filesystem-l1-1-0.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\winnsi.dll
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\msasn1.dll
c:\program files\mozilla firefox\vcruntime140.dll
c:\program files\mozilla firefox\api-ms-win-core-synch-l1-2-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-time-l1-1-0.dll
c:\program files\mozilla firefox\nss3.dll
c:\windows\system32\usp10.dll
c:\program files\mozilla firefox\xul.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\version.dll
c:\program files\mozilla firefox\api-ms-win-crt-string-l1-1-0.dll
c:\windows\system32\shell32.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\shlwapi.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\advapi32.dll
c:\program files\mozilla firefox\ucrtbase.dll
c:\program files\mozilla firefox\api-ms-win-core-file-l2-1-0.dll
c:\windows\system32\ntdll.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\program files\mozilla firefox\api-ms-win-crt-locale-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-environment-l1-1-0.dll
c:\windows\system32\winmm.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\napinsp.dll
c:\windows\system32\samlib.dll
c:\windows\system32\wship6.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\wshqos.dll
c:\windows\system32\winrnr.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\pnrpnsp.dll
c:\windows\system32\dwrite.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\wpc.dll
c:\program files\mozilla firefox\softokn3.dll
c:\windows\system32\samcli.dll
c:\program files\mozilla firefox\freebl3.dll
c:\windows\system32\wevtapi.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\netutils.dll
c:\windows\system32\sspicli.dll

PID
3872
CMD
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3904.27.604004350\685509159" -childID 4 -isForBrowser -prefsHandle 3780 -prefMapHandle 1692 -prefsLen 7638 -prefMapSize 238726 -parentBuildID 20201112153044 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3904 "\\.\pipe\gecko-crash-server-pipe.3904" 3792 tab
Path
C:\Program Files\Mozilla Firefox\firefox.exe
Indicators
No indicators
Parent process
firefox.exe
User
admin
Integrity Level
LOW
Exit code
0
Version:
Company
Mozilla Corporation
Description
Firefox
Version
83.0
Modules
Image
c:\windows\system32\version.dll
c:\windows\system32\kernel32.dll
c:\program files\mozilla firefox\api-ms-win-crt-string-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-heap-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-math-l1-1-0.dll
c:\windows\system32\nsi.dll
c:\windows\system32\d3d11.dll
c:\windows\system32\napinsp.dll
c:\program files\mozilla firefox\api-ms-win-core-file-l1-2-0.dll
c:\program files\mozilla firefox\api-ms-win-core-synch-l1-2-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-locale-l1-1-0.dll
c:\windows\system32\devobj.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\wship6.dll
c:\windows\system32\wshqos.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\program files\mozilla firefox\api-ms-win-crt-convert-l1-1-0.dll
c:\windows\system32\setupapi.dll
c:\program files\mozilla firefox\api-ms-win-crt-time-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\dwrite.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\wintrust.dll
c:\program files\mozilla firefox\lgpllibs.dll
c:\program files\mozilla firefox\xul.dll
c:\windows\system32\ole32.dll
c:\program files\mozilla firefox\d3dcompiler_47.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\program files\mozilla firefox\api-ms-win-core-localization-l1-2-0.dll
c:\program files\mozilla firefox\api-ms-win-core-timezone-l1-1-0.dll
c:\windows\system32\winmm.dll
c:\windows\system32\dxgi.dll
c:\windows\system32\pnrpnsp.dll
c:\program files\mozilla firefox\nss3.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\mswsock.dll
c:\program files\mozilla firefox\api-ms-win-crt-environment-l1-1-0.dll
c:\windows\system32\dbghelp.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\windows\system32\shell32.dll
c:\program files\mozilla firefox\api-ms-win-core-processthreads-l1-1-1.dll
c:\program files\mozilla firefox\ucrtbase.dll
c:\program files\mozilla firefox\api-ms-win-core-file-l2-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-stdio-l1-1-0.dll
c:\windows\system32\msctf.dll
c:\windows\system32\profapi.dll
c:\windows\system32\usp10.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\userenv.dll
c:\windows\system32\winrnr.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\wshtcpip.dll
c:\program files\mozilla firefox\api-ms-win-crt-runtime-l1-1-0.dll
c:\program files\mozilla firefox\vcruntime140.dll
c:\program files\mozilla firefox\api-ms-win-crt-utility-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-multibyte-l1-1-0.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\avrt.dll
c:\windows\system32\msasn1.dll
c:\program files\mozilla firefox\api-ms-win-crt-filesystem-l1-1-0.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\ntmarta.dll
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\imm32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\sspicli.dll

PID
3036
CMD
"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Ransomware.Cryptowall.zip"
Path
C:\Program Files\WinRAR\WinRAR.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Alexander Roshal
Description
WinRAR archiver
Version
5.91.0
Modules
Image
c:\windows\system32\sechost.dll
c:\windows\system32\user32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\setupapi.dll
c:\program files\winrar\winrar.exe
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\usp10.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\msctf.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msimg32.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.24542_none_5c0717c7a00ddc6d\gdiplus.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\imageres.dll
c:\windows\system32\profapi.dll
c:\windows\system32\riched20.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\slc.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\secur32.dll
c:\windows\system32\samlib.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\samcli.dll
c:\windows\system32\mpr.dll
c:\windows\system32\wmasf.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\cscui.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\davhlpr.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\wmvcore.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\portabledeviceapi.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\ehstorapi.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\ntshrui.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\drprov.dll
c:\windows\system32\audiodev.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\netutils.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\winsta.dll
c:\windows\system32\winmm.dll
c:\windows\system32\duser.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\dui70.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\cryptsp.dll

PID
1632
CMD
"C:\Users\admin\Desktop\cryptowall.bin.exe"
Path
C:\Users\admin\Desktop\cryptowall.bin.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\windows\system32\dbghelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\ntdll.dll
c:\users\admin\desktop\cryptowall.bin.exe
c:\windows\system32\advapi32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\imm32.dll
c:\windows\system32\apphelp.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msctf.dll
c:\windows\system32\sechost.dll
c:\windows\system32\shell32.dll

PID
2896
CMD
"C:\Users\admin\Desktop\cryptowall.bin.exe"
Path
C:\Users\admin\Desktop\cryptowall.bin.exe
Indicators
No indicators
Parent process
cryptowall.bin.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\windows\system32\kernelbase.dll
c:\users\admin\desktop\cryptowall.bin.exe
c:\windows\system32\rsaenh.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\ole32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\wininet.dll
c:\windows\system32\profapi.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\sechost.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\version.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\user32.dll

PID
3232
CMD
"C:\Windows\explorer.exe"
Path
C:\Windows\explorer.exe
Indicators
Parent process
cryptowall.bin.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Explorer
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\powrprof.dll
c:\windows\explorer.exe
c:\windows\system32\advapi32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.24542_none_5c0717c7a00ddc6d\gdiplus.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\version.dll
c:\windows\system32\lpk.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\userenv.dll
c:\windows\system32\shell32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\devobj.dll
c:\windows\system32\wininet.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\profapi.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\secur32.dll
c:\windows\system32\propsys.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\slc.dll
c:\windows\system32\nsi.dll
c:\windows\system32\bcdedit.exe
c:\windows\system32\apphelp.dll
c:\windows\system32\vssadmin.exe

PID
508
CMD
-k netsvcs
Path
C:\Windows\system32\svchost.exe
Indicators
Parent process
explorer.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Host Process for Windows Services
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l2-1-0.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\shell32.dll
c:\windows\system32\wshqos.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\webio.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\netprofm.dll
c:\windows\system32\lpk.dll
c:\windows\system32\imm32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\secur32.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\wship6.dll
c:\windows\system32\clbcatq.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\userenv.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\svchost.exe
c:\windows\system32\oleaut32.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\npmproxy.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\sechost.dll
c:\windows\system32\usp10.dll
c:\windows\system32\wininet.dll
c:\windows\system32\version.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\profapi.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\credssp.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\schannel.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\cryptnet.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\pnrpnsp.dll
c:\windows\system32\napinsp.dll
c:\windows\system32\winrnr.dll

PID
3644
CMD
vssadmin.exe Delete Shadows /All /Quiet
Path
C:\Windows\system32\vssadmin.exe
Indicators
No indicators
Parent process
explorer.exe
User
admin
Integrity Level
MEDIUM
Exit code
2
Version:
Company
Microsoft Corporation
Description
Command Line Interface for Microsoft® Volume Shadow Copy Service
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\cryptsp.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ole32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\user32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\atl.dll
c:\windows\system32\lpk.dll
c:\windows\system32\vssapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\vssadmin.exe
c:\windows\system32\msctf.dll
c:\windows\system32\sechost.dll
c:\windows\system32\vsstrace.dll
c:\windows\system32\imm32.dll

PID
3696
CMD
bcdedit /set {default} recoveryenabled No
Path
C:\Windows\system32\bcdedit.exe
Indicators
No indicators
Parent process
explorer.exe
User
admin
Integrity Level
MEDIUM
Exit code
1
Version:
Company
Microsoft Corporation
Description
Boot Configuration Data Editor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\ntdll.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\bcdedit.exe
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

PID
3536
CMD
bcdedit /set {default} bootstatuspolicy ignoreallfailures
Path
C:\Windows\system32\bcdedit.exe
Indicators
No indicators
Parent process
explorer.exe
User
admin
Integrity Level
MEDIUM
Exit code
1
Version:
Company
Microsoft Corporation
Description
Boot Configuration Data Editor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\msvcrt.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcdedit.exe
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll

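The records above show the chain a detection engineer cares about: cryptowall.bin.exe (PID 1632) re-executes itself (PID 2896), that copy spawns explorer.exe (PID 3232), and explorer.exe then launches svchost.exe -k netsvcs, vssadmin.exe Delete Shadows /All /Quiet, bcdedit /set {default} recoveryenabled No and bcdedit /set {default} bootstatuspolicy ignoreallfailures. Note that vssadmin and both bcdedit instances ran at MEDIUM integrity and returned non-zero exit codes (2, 1, 1), which is consistent with them failing for lack of elevation; a rule that keys on success rather than on the attempt would therefore miss this sample. The following is an added example, not part of the ANY.RUN report or of any tool it names: a small Python triage routine that runs these rules over process-creation records. The records are constructed in a Sysmon Event ID 1-like shape with the PIDs, images, parent images and command lines taken from the report; the ppid links (the report shows parent image names, not parent PIDs), the two benign records, the explorer/svchost parent allowlists and the extra `wmic shadowcopy delete` pattern are assumptions that go beyond what the page shows.

```python
"""Triage process-creation records for the CryptoWall recovery-inhibition chain.

Added example, not part of the ANY.RUN report. Records are constructed in a
Sysmon Event ID 1-like shape; ppid links, the benign records, the parent
allowlists and the wmic pattern are assumptions (see the lead-in).
"""
import re
from typing import Dict, List, Optional, Tuple


def _ev(pid: int, ppid: Optional[int], image: str, cmdline: str) -> Dict:
    return {"pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline}


SAMPLE_EVENTS: List[Dict] = [
    # From the report: the dropped binary re-executes itself, spawns explorer.exe,
    # and explorer.exe launches the recovery-inhibiting commands (ppid links assumed).
    _ev(1632, None, r"C:\Users\admin\Desktop\cryptowall.bin.exe", r'"C:\Users\admin\Desktop\cryptowall.bin.exe"'),
    _ev(2896, 1632, r"C:\Users\admin\Desktop\cryptowall.bin.exe", r'"C:\Users\admin\Desktop\cryptowall.bin.exe"'),
    _ev(3232, 2896, r"C:\Windows\explorer.exe", r'"C:\Windows\explorer.exe"'),
    _ev(508, 3232, r"C:\Windows\system32\svchost.exe", "-k netsvcs"),
    _ev(3644, 3232, r"C:\Windows\system32\vssadmin.exe", "vssadmin.exe Delete Shadows /All /Quiet"),
    _ev(3696, 3232, r"C:\Windows\system32\bcdedit.exe", "bcdedit /set {default} recoveryenabled No"),
    _ev(3536, 3232, r"C:\Windows\system32\bcdedit.exe", "bcdedit /set {default} bootstatuspolicy ignoreallfailures"),
    # Constructed benign noise: a logon-launched shell and a read-only vssadmin query.
    _ev(1800, None, r"C:\Windows\system32\userinit.exe", "userinit.exe"),
    _ev(1900, 1800, r"C:\Windows\explorer.exe", r"C:\Windows\Explorer.EXE"),
    _ev(2500, 1900, r"C:\Windows\system32\vssadmin.exe", "vssadmin list shadows"),
]

# vssadmin "Delete Shadows" is what the report shows; "wmic shadowcopy delete" is an
# assumed common variant added for generality.
SHADOW_DELETE = re.compile(r"\bdelete\s+shadows\b|\bshadowcopy\s+delete\b", re.I)
BCD_TAMPER = re.compile(r"\brecoveryenabled\s+no\b|\bbootstatuspolicy\s+ignoreallfailures\b", re.I)
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(desktop|downloads|appdata)\\", re.I)
# Assumed allowlists: on Windows 7 userinit.exe starts the shell, and svchost.exe is
# normally a child of services.exe, never of explorer.exe.
EXPLORER_PARENTS = {"userinit.exe", "winlogon.exe", "explorer.exe"}
SVCHOST_PARENTS = {"services.exe"}


def basename(path: Optional[str]) -> str:
    return path.rsplit("\\", 1)[-1].lower() if path else ""


def ancestry(by_pid: Dict[int, Dict], pid: int, limit: int = 16) -> List[Dict]:
    """Walk ppid links upward; stops at an unknown parent, a cycle, or `limit` hops."""
    chain, seen, cur = [], set(), by_pid.get(pid)
    while cur is not None and cur["pid"] not in seen and len(chain) < limit:
        seen.add(cur["pid"])
        chain.append(cur)
        cur = by_pid.get(cur["ppid"]) if cur["ppid"] is not None else None
    return chain


def evaluate(event: Dict, by_pid: Dict[int, Dict]) -> List[Tuple[str, str]]:
    """Per-event rules returning (rule_name, severity). They match the attempt, not
    its outcome: in the report vssadmin and bcdedit ran at MEDIUM integrity and
    exited non-zero, so a rule gated on success would have missed them."""
    img, cmd = basename(event["image"]), event.get("cmdline", "")
    parent = by_pid.get(event["ppid"]) if event["ppid"] is not None else None
    pimg = basename(parent["image"]) if parent else ""
    hits: List[Tuple[str, str]] = []
    if img in ("vssadmin.exe", "wmic.exe") and SHADOW_DELETE.search(cmd):
        hits.append(("shadow_copy_deletion", "high"))
    if img == "bcdedit.exe" and BCD_TAMPER.search(cmd):
        hits.append(("boot_recovery_disabled", "high"))
    if img == "explorer.exe" and parent and pimg not in EXPLORER_PARENTS:
        hits.append(("explorer_unexpected_parent", "medium"))
    if img == "svchost.exe" and parent and pimg not in SVCHOST_PARENTS:
        hits.append(("svchost_unexpected_parent", "medium"))
    if parent and pimg == img and USER_WRITABLE.search(event["image"]):
        hits.append(("self_spawn_from_user_path", "low"))
    return hits


def triage(events: List[Dict]) -> Dict:
    """Run every rule over every event and tie each hit back to its process ancestry."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        for rule, sev in evaluate(e, by_pid):
            chain = ancestry(by_pid, e["pid"])
            findings.append({
                "pid": e["pid"], "rule": rule, "severity": sev,
                "chain": [basename(a["image"]) for a in chain],
                # A recovery-inhibiting command whose ancestry leads back to a binary
                # in a user-writable path is the strongest signal in this report.
                "user_path_ancestor": any(USER_WRITABLE.search(a["image"]) for a in chain),
            })
    inhibit = any(f["severity"] == "high" and f["user_path_ancestor"] for f in findings)
    verdict = "ransomware_recovery_inhibition" if inhibit else ("review" if findings else "no_findings")
    return {"verdict": verdict, "findings": findings}


if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    print(result["verdict"])
    for f in result["findings"]:
        print(f"{f['severity']:6} {f['rule']:28} pid={f['pid']:<5} {' <- '.join(f['chain'])}")
```

On the sample, the three high-severity hits (vssadmin and both bcdedit commands) all trace back through explorer.exe to cryptowall.bin.exe on the Desktop, the explorer.exe and svchost.exe parent anomalies fire as medium, and the benign userinit-launched shell and `vssadmin list shadows` produce nothing. In a real pipeline the same rules would be fed from Sysmon or EDR process-creation telemetry rather than the embedded list.
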
PID
3132
CMD
"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\universitystatement.rtf"
Path
C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft Word
Version
14.0.6024.1000
Modules
Image
c:\program files\microsoft office\office14\wwlib.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\oleaut32.dll
c:\program files\microsoft office\office14\oart.dll
c:\windows\system32\apphelp.dll
c:\program files\microsoft office\office14\winword.exe
c:\windows\system32\lpk.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\sechost.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msi.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\program files\common files\microsoft shared\office14\mso.dll
c:\program files\microsoft office\office14\gfx.dll
c:\program files\common files\microsoft shared\office14\msores.dll
c:\program files\microsoft office\office14\1033\wwintl.dll
c:\windows\system32\uxtheme.dll
c:\program files\common files\microsoft shared\office14\1033\msointl.dll
c:\program files\common files\microsoft shared\office14\riched20.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppc.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\msxml6.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\program files\common files\microsoft shared\office14\cultures\office.odf
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\version.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\winspool.drv
c:\windows\system32\dwmapi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\devobj.dll
c:\program files\common files\microsoft shared\office14\msptls.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\program files\microsoft office\office14\genko.dll
c:\windows\system32\wininet.dll
c:\windows\system32\userenv.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\sxs.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\secur32.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\program files\common files\microsoft shared\office14\usp10.dll
c:\windows\system32\fontsub.dll
c:\windows\system32\spool\drivers\w32x86\3\sendtoonenoteui.dll
c:\windows\system32\spool\drivers\w32x86\3\mxdwdrv.dll
c:\windows\system32\spool\drivers\w32x86\3\unidrvui.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
c:\windows\system32\prntvpt.dll
c:\windows\system32\msxml3.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.24542_none_5c0717c7a00ddc6d\gdiplus.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\slc.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\srvcli.dll
c:\program files\common files\microsoft shared\vba\vba7\vbe7.dll
c:\program files\common files\microsoft shared\vba\vba7\1033\vbe7intl.dll
c:\program files\microsoft office\office14\clview.exe
c:\program files\microsoft office\office14\msproof7.dll
c:\program files\microsoft office\office14\proof\1033\msgr3en.dll
c:\program files\common files\microsoft shared\proof\mslid.dll
c:\program files\microsoft office\office14\gkword.dll
c:\windows\system32\netutils.dll
c:\program files\common files\system\ado\msadox.dll
c:\windows\system32\oleacc.dll

PID
3980
CMD
"C:\Program Files\Microsoft Office\Office14\CLVIEW.EXE" "WINWORD" "Microsoft Word"
Path
C:\Program Files\Microsoft Office\Office14\CLVIEW.EXE
Indicators
No indicators
Parent process
WINWORD.EXE
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft Office Help Viewer
Version
14.0.6015.1000
Modules
Image
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\user32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\oleaut32.dll
c:\program files\microsoft office\office14\clview.exe
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\usp10.dll
c:\windows\system32\version.dll
c:\windows\system32\msi.dll
c:\windows\system32\lpk.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\program files\common files\microsoft shared\office14\mso.dll
c:\program files\microsoft office\office14\msocf.dll
c:\windows\system32\sechost.dll
c:\windows\system32\userenv.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\shell32.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\profapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ole32.dll
c:\windows\system32\advapi32.dll
c:\program files\common files\microsoft shared\office14\cultures\office.odf
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\wininet.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msxml6.dll
c:\windows\system32\davhlpr.dll
c:\windows\system32\davclnt.dll
c:\program files\common files\microsoft shared\office14\1033\msointl.dll
c:\program files\common files\microsoft shared\office14\msores.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.24542_none_5c0717c7a00ddc6d\gdiplus.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\dwmapi.dll
c:\program files\common files\microsoft shared\help\hxds.dll
c:\windows\system32\winspool.drv
c:\program files\common files\microsoft shared\help\msitss55.dll
c:\windows\system32\mpr.dll
c:\program files\microsoft office\office14\1033\clvwintl.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
c:\windows\system32\secur32.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l2-1-0.dll
c:\windows\system32\uxtheme.dll
c:\program files\common files\microsoft shared\office14\msoxmlmf.dll
c:\windows\system32\webio.dll
c:\windows\system32\d2d1.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\msimtf.dll
c:\windows\system32\devobj.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\d3d11.dll
c:\windows\system32\d3d10warp.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\dwrite.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\dxgi.dll
c:\program files\microsoft office\office14\msostyle.dll
c:\program files\common files\microsoft shared\office14\riched20.dll
c:\windows\system32\mlang.dll
c:\windows\system32\propsys.dll
c:\windows\system32\msxml3.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\winmm.dll
c:\windows\system32\jscript9.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\mssprxy.dll
c:\program files\filezilla ftp client\fzshellext.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\slc.dll
c:\program files\common files\system\ado\msadox.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\netutils.dll

Registry activity

Total events
18392
Read events
0
Write events
320
Delete events
61

Modification events

PID
Process
Operation
Key
Name
Value
880
firefox.exe
write
HKEY_CURRENT_USER\Software\Mozilla\Firefox\Launcher
C:\Program Files\Mozilla Firefox\firefox.exe|Launcher
CABCBA075D010000
3904
firefox.exe
write
HKEY_CURRENT_USER\Software\Mozilla\Firefox\Launcher
C:\Program Files\Mozilla Firefox\firefox.exe|Browser
EDC4BA075D010000
3904
firefox.exe
write
HKEY_CURRENT_USER\Software\Mozilla\Firefox\Default Browser Agent
C:\Program Files\Mozilla Firefox|DisableTelemetry
1
3904
firefox.exe
write
HKEY_CURRENT_USER\Software\Mozilla\Firefox\DllPrefetchExperiment
C:\Program Files\Mozilla Firefox\firefox.exe
0
3904
firefox.exe
write
HKEY_CURRENT_USER\Software\Mozilla\Firefox\Default Browser Agent
C:\Program Files\Mozilla Firefox|ServicesSettingsServer
https://firefox.settings.services.mozilla.com/v1
3904
firefox.exe
write
HKEY_CURRENT_USER\Software\Mozilla\Firefox\Launcher
C:\Program Files\Mozilla Firefox\firefox.exe|Telemetry
0
3904
firefox.exe
write
HKEY_CURRENT_USER\Software\Mozilla\Firefox\Default Browser Agent
C:\Program Files\Mozilla Firefox|DisableDefaultBrowserAgent
0
3904
firefox.exe
write
HKEY_CURRENT_USER\Software\Mozilla\Firefox\Default Browser Agent
C:\Program Files\Mozilla Firefox|SecurityContentSignatureRootHash
97:E8:BA:9C:F1:2F:B3:DE:53:CC:42:A4:E6:57:7E:D6:4D:F4:93:C2:47:B4:14:FE:A0:36:81:8D:38:23:56:0E
3904
firefox.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
460000003B010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A80164000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
3904
firefox.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E
LanguageList
en-US
3904
firefox.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
3904
firefox.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
C:\Program Files\WinRAR\WinRAR.exe
WinRAR archiver
3904
firefox.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
0
3904
firefox.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
ProxyBypass
1
3904
firefox.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
1
3904
firefox.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
IntranetName
1
3904
firefox.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-36-3e-ff
WpadDecisionReason
1
3904
firefox.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-36-3e-ff
WpadDecision
0
3904
firefox.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{362E934C-743B-4588-8259-D2482DB771A8}
WpadNetworkName
Network 4
3904
firefox.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{362E934C-743B-4588-8259-D2482DB771A8}
WpadDecisionReason
1
3904
firefox.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{362E934C-743B-4588-8259-D2482DB771A8}
WpadDecision
0
3904
firefox.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{362E934C-743B-4588-8259-D2482DB771A8}
WpadDecisionTime
1DFFAB4C8B09D801
3904
firefox.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-36-3e-ff
WpadDecisionTime
1DFFAB4C8B09D801
3036
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
ShellExtIcon
3036
WinRAR.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E
LanguageList
en-US
3036
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
ShellExtBMP
3036
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
2
C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip
3036
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
1
C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
3036
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
name
120
3036
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
mtime
100
3036
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
type
120
3036
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
size
80
3036
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
0
C:\Users\admin\AppData\Local\Temp\Ransomware.Cryptowall.zip
3036
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface
ShowPassword
0
3036
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
crc
70
3036
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout
Band56_1
38000000730100000500000000000000D4D0C8000000000000000000000000007401030000000000160000002A0000000000000002000000
3036
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\General
LastFolder
C:\Users\admin\AppData\Local\Temp
3036
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout
Band56_0
38000000730100000402000000000000D4D0C800000000000000000000000000700103000000000039000000B40200000000000001000000
3036
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
psize
80
3036
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
size
80
3036
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
name
120
3036
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin
Placement
2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF56000000BD00000016040000B2020000
3036
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout
Band56_2
38000000730100000400000000000000D4D0C800000000000000000000000000780103000000000016000000640000000000000003000000
3036
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
mtime
100
3036
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
type
120
3232
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
*6695237
C:\Users\admin\AppData\Roaming\46695237.exe
3232
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
4669523
C:\46695237\46695237.exe
3232
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
*669523
C:\46695237\46695237.exe
3232
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
46695237
C:\Users\admin\AppData\Roaming\46695237.exe
508
svchost.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
0
508
svchost.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
IntranetName
1
508
svchost.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-36-3e-ff
WpadDecision
0
508
svchost.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
CachePrefix
508
svchost.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{362E934C-743B-4588-8259-D2482DB771A8}
WpadDecision
0
508
svchost.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
ProxyBypass
1
508
svchost.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-36-3e-ff
WpadDecisionTime
C812345C8B09D801
508
svchost.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
CachePrefix
Cookie:
508
svchost.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-36-3e-ff
WpadDetectedUrl
508
svchost.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
1
508
svchost.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{362E934C-743B-4588-8259-D2482DB771A8}
WpadDecisionReason
1
508
svchost.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{362E934C-743B-4588-8259-D2482DB771A8}
WpadDecisionTime
C812345C8B09D801
508
svchost.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-36-3e-ff
WpadDecisionReason
1
508
svchost.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{362E934C-743B-4588-8259-D2482DB771A8}
WpadNetworkName
Network 4
508
svchost.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
460000003C010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A864A5000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
508
svchost.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
CachePrefix
Visited:
508
svchost.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-36-3e-ff
WpadDecisionTime
1DFFAB4C8B09D801
508
svchost.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
508
svchost.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E
LanguageList
en-US
3132
WINWORD.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
(default)
3132
WINWORD.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency
(default)
3132
WINWORD.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\DocumentRecovery\172740
(default)
3132
WINWORD.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\DocumentRecovery
(default)
3132
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
w;
777F3B003C0C0000010000000000000000000000
3132
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1040
Off
3132
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
3082
Off
3132
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1041
Off
3132
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1049
Off
3132
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1036
On
3132
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1049
On
3132
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10021400000000000F01FEC\Usage
StemmerFiles_1042
3132
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
ProductFiles
3132
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1055
Off
3132
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1046
On
3132
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
3082
On
3132
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
WORDFiles
3132
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1041
On
3132
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1042
On
3132
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word
MTTT
3C0C000012E920C78B09D80100000000
3132
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1033
Off
3132
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1046
Off
3132
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1042
Off
3132
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1055
On
3132
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1031
On
3132
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1033
On
3132
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1036
Off
3132
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1031
Off
3132
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1040
On
3132
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
a ;
61203B003C0C000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
3132
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
} ;
7D203B003C0C000002000000000000008E00000001000000500000003200000063003A005C00700072006F006700720061007E0031005C006D006900630072006F0073007E0031005C006F0066006600690063006500310034005C00670065006E006B006F002E0064006C006C0000006D006900630072006F0073006F0066007400200077006F00720064002000D0C6E0ACC0C9200094CD00AC200030AEA5B20000
3132
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
ProxyBypass
1
3132
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
1
3132
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
IntranetName
1
3132
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
0
3132
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
g!;
67213B003C0C000006000000010000006E000000020000005E0000000400000063003A005C00750073006500720073005C00610064006D0069006E005C006400650073006B0074006F0070005C0075006E0069007600650072007300690074007900730074006100740065006D0065006E0074002E00720074006600000000000000
3132
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Item 3
[F00000000][T01D5410467DC1B80][O00000000]*C:\Users\admin\Desktop\hilaw.rtf
3132
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Place MRU
Item 1
[F00000000][T01D8098BC7CA2ED0][O00000000]*C:\Users\admin\Desktop\
3132
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Place MRU
Item 3
[F00000000][T01D56F98784E7EE0][O00000000]*C:\Users\admin\Downloads\
3132
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Item 6
[F00000000][T01D55791F2DF0D00][O00000000]*C:\Users\admin\Documents\canoneither.rtf
3132
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Item 8
[F00000000][T01D6DEEB8B0C4000][O00000000]*C:\Users\admin\Documents\publishingcommittee.rtf
3132
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Item 5
[F00000000][T01D4F9328C06D180][O00000000]*C:\Users\admin\Desktop\originalcompany.rtf
3132
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Max Display
25
3132
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Place MRU
Item 2
[F00000000][T01D56F995041B2E0][O00000000]*C:\Users\admin\Documents\
3132
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Item 1
[F00000000][T01D8098BC7CA2ED0][O00000000]*C:\Users\admin\Desktop\universitystatement.rtf
3132
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Item 4
[F00000000][T01D301515BE64700][O00000000]*C:\Users\admin\Desktop\offersreplies.rtf
3132
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Item 7
[F00000000][T01D317DEE6C97200][O00000000]*C:\Users\admin\Documents\isafter.rtf
3132
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Place MRU
Max Display
25
3132
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Item 2
[F00000000][T01D588D643AF8A80][O00000000]*C:\Users\admin\Desktop\titlem.rtf
3132
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\DocumentRecovery\172740
172740
040000003C0C00002E00000043003A005C00550073006500720073005C00610064006D0069006E005C004400650073006B0074006F0070005C0075006E0069007600650072007300690074007900730074006100740065006D0065006E0074002E007200740066001700000075006E0069007600650072007300690074007900730074006100740065006D0065006E0074002E0072007400660000000000010000000000000000FC731FF975D201402717004027170000000000DB040000000000000000000000000000000000000000000000000000FFFFFFFF0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000FFFFFFFF
3132
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
~#;
7E233B003C0C000002000000000000008E00000001000000500000003200000063003A005C00700072006F006700720061007E0031005C006D006900630072006F0073007E0031005C006F0066006600690063006500310034005C00670065006E006B006F002E0064006C006C0000006D006900630072006F0073006F0066007400200077006F00720064002000D0C6E0ACC0C9200094CD00AC200030AEA5B20000
3132
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
n#;
6E233B003C0C000002000000000000008E00000001000000500000003200000063003A005C00700072006F006700720061007E0031005C006D006900630072006F0073007E0031005C006F0066006600690063006500310034005C00670065006E006B006F002E0064006C006C0000006D006900630072006F0073006F0066007400200077006F00720064002000D0C6E0ACC0C9200094CD00AC200030AEA5B20000
3132
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
?#;
3F233B003C0C000002000000000000008E00000001000000500000003200000063003A005C00700072006F006700720061007E0031005C006D006900630072006F0073007E0031005C006F0066006600690063006500310034005C00670065006E006B006F002E0064006C006C0000006D006900630072006F0073006F0066007400200077006F00720064002000D0C6E0ACC0C9200094CD00AC200030AEA5B20000
PID | Process | Operation | Key | Name | Value
3132 | WINWORD.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems | 9$; | 39243B003C0C000002000000000000008E00000001000000500000003200000063003A005C00700072006F006700720061007E0031005C006D006900630072006F0073007E0031005C006F0066006600690063006500310034005C00670065006E006B006F002E0064006C006C0000006D006900630072006F0073006F0066007400200077006F00720064002000D0C6E0ACC0C9200094CD00AC200030AEA5B20000
3132 | WINWORD.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems | h$; | 68243B003C0C000002000000000000008E00000001000000500000003200000063003A005C00700072006F006700720061007E0031005C006D006900630072006F0073007E0031005C006F0066006600690063006500310034005C00670065006E006B006F002E0064006C006C0000006D006900630072006F0073006F0066007400200077006F00720064002000D0C6E0ACC0C9200094CD00AC200030AEA5B20000
3132 | WINWORD.EXE | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage | VBAFiles |
3132 | WINWORD.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Licensing | 019C826E445A4649A5B00BF08FCC4EEE | 01000000270000007B39303134303030302D303033442D303030302D303030302D3030303030303046463143457D005A0000004F00660066006900630065002000310034002C0020004F0066006600690063006500500072006F00660065007300730069006F006E0061006C002D00520065007400610069006C002000650064006900740069006F006E000000
3132 | WINWORD.EXE | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100A0C00000000000F01FEC\Usage | SpellingAndGrammarFiles_3082 |
3132 | WINWORD.EXE | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10022400000000000F01FEC\Usage | SpellingAndGrammarFilesExp2_1058 |
3132 | WINWORD.EXE | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10010400000000000F01FEC\Usage | SpellingAndGrammarFilesExp1_1025 |
3132 | WINWORD.EXE | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10065400000000000F01FEC\Usage | SpellingAndGrammarFilesExp2_1110 |
3132 | WINWORD.EXE | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100C0400000000000F01FEC\Usage | SpellingAndGrammarFiles_1036 |
3132 | WINWORD.EXE | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\Usage | SpellingAndGrammarFiles_1033 |
3132 | WINWORD.EXE | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10091400000000000F01FEC\Usage | SpellingAndGrammarFilesExp1_1049 |
3132 | WINWORD.EXE | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10030400000000000F01FEC\Usage | SpellingAndGrammarFilesExp2_1027 |
3132 | WINWORD.EXE | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10061400000000000F01FEC\Usage | SpellingAndGrammarFilesExp1_1046 |
3132 | WINWORD.EXE | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10021400000000000F01FEC\Usage | SpellingAndGrammarFilesExp6_1042 |
3132 | WINWORD.EXE | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100F1400000000000F01FEC\Usage | SpellingAndGrammarFilesExp1_1055 |
3132 | WINWORD.EXE | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10001400000000000F01FEC\Usage | SpellingAndGrammarFilesExp1_1040 |
3132 | WINWORD.EXE | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100D2400000000000F01FEC\Usage | SpellingAndGrammarFilesExp2_1069 |
3132 | WINWORD.EXE | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10031400000000000F01FEC\Usage | SpellingAndGrammarFilesExp1_1043 |
3132 | WINWORD.EXE | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10070400000000000F01FEC\Usage | SpellingAndGrammarFiles_1031 |
3132 | WINWORD.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Data | Settings |
3132 | WINWORD.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Toolbars\Settings | Microsoft Word | 0101000000000000000006000000
3132 | WINWORD.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word | MTTA | 164
3132 | WINWORD.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Options | ZoomApp | 0
3132 | WINWORD.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word | MTTF | 164
3980 | CLVIEW.EXE | delete key | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\CLView\Resiliency\StartupItems | (default) |
3980 | CLVIEW.EXE | delete key | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\CLView\Resiliency | (default) |
3980 | CLVIEW.EXE | delete key | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\HelpViewer\MessageMap\1:WINWORD | (default) |
3980 | CLVIEW.EXE | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400000000000F01FEC\Usage | ClviewFilesIntl_1033 |
3980 | CLVIEW.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\HelpViewer | CLViewMTTT | 8C0F0000423070C98B09D80100000000
3980 | CLVIEW.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\CLView\Resiliency\StartupItems | k~< | 6B7E3C008C0F0000010000000000000000000000
3980 | CLVIEW.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | 3082 | Off
3980 | CLVIEW.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | 1041 | On
3980 | CLVIEW.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | 1031 | Off
3980 | CLVIEW.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | 1046 | Off
3980 | CLVIEW.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | 1042 | On
3980 | CLVIEW.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | 3082 | On
3980 | CLVIEW.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | 1040 | Off
3980 | CLVIEW.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | 1046 | On
3980 | CLVIEW.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | 1033 | Off
3980 | CLVIEW.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | 1055 | Off
3980 | CLVIEW.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | 1036 | Off
3980 | CLVIEW.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | 1036 | On
3980 | CLVIEW.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | 1049 | Off
3980 | CLVIEW.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | 1041 | Off
3980 | CLVIEW.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | 1042 | Off
3980 | CLVIEW.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | 1031 | On
3980 | CLVIEW.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | 1055 | On
3980 | CLVIEW.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | 1040 | On
3980 | CLVIEW.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | 1033 | On
3980 | CLVIEW.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | 1049 | On
3980 | CLVIEW.EXE | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage | ProductFiles |
3980 | CLVIEW.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | CachePrefix | Cookie:
3980 | CLVIEW.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | IntranetName | 1
3980 | CLVIEW.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content | CachePrefix |
3980 | CLVIEW.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 0
3980 | CLVIEW.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 1
3980 | CLVIEW.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | ProxyBypass | 1
3980 | CLVIEW.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | CachePrefix | Visited:
3980 | CLVIEW.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\HelpViewer\MessageMap\1:WINWORD | (default) | D2010600
3980 | CLVIEW.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\HelpViewer\Applications\WINWORD | Left | 427
3980 | CLVIEW.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\HelpViewer\Applications\WINWORD | Width | 425
3980 | CLVIEW.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\HelpViewer\Applications\WINWORD | Top | 58
3980 | CLVIEW.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\HelpViewer\Applications\WINWORD | Height | 575
3980 | CLVIEW.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\HelpViewer | CLViewMTTA | 3
3980 | CLVIEW.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\HelpViewer | CLViewMTTF | 3

Files activity

Executable files
4
Suspicious files
173
Text files
110
Unknown types
32

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
3232 | explorer.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\46695237.exe | executable | 47363b94cee907e2b8926c1be61150c7 | 45317968759d3e37282ceb75149f627d648534c5b4685f6da3966d8f6fca662d
3232 | explorer.exe | C:\Users\admin\AppData\Roaming\46695237.exe | executable | 47363b94cee907e2b8926c1be61150c7 | 45317968759d3e37282ceb75149f627d648534c5b4685f6da3966d8f6fca662d
3232 | explorer.exe | C:\46695237\46695237.exe | executable | 47363b94cee907e2b8926c1be61150c7 | 45317968759d3e37282ceb75149f627d648534c5b4685f6da3966d8f6fca662d
3036 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb3036.35218\cryptowall.bin | executable | 47363b94cee907e2b8926c1be61150c7 | 45317968759d3e37282ceb75149f627d648534c5b4685f6da3966d8f6fca662d
3132 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{AF2A3AF2-0A28-4A6C-9510-4C9A5E675ECA}.tmp | binary | 34625924c24fcd33857e1f8c83f34086 | 7e79927fc4c0a3b0e15e2648711cf61dc0dcd5b6679cfd5b9d88498d4e590c51
3980 | CLVIEW.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\MsOfficeHelp14\MOH3356.tmp\BROWSE0.WINWORD.xml | xml | c6b250833c801ff8337ab2ccaaf23408 | 0c4e4c2aac391920fcc5c10c222b448dd2d419dc79b56fec3a923f47b14b39f9
3132 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{D39EA45C-88D0-444B-832A-607683D857EA}.tmp | dbf | 914ff99c60aac282483fa3699238eca8 | 1af0042f94d79da4475a1b666688345c035bdbe12b9731e7db8e040bbfc1f454
3132 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{1620E1D5-A650-4A5D-8CB2-B39D4A1636AD}.tmp | smt | 5d4d94ee7e06bbb0af9584119797b23a | 4826c0d860af884d3343ca6460b0006a7a2ce7dbccc4d743208585d997cc5fd1
3980 | CLVIEW.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\back[1].gif | image | 5cf4fe788eab2fe10b0dbfd8fa99d9df | 21f6f9e91fffa6a49ee14d778c71ca9e96dbd8ae73d8974947ed2c1242e4c38c
3980 | CLVIEW.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\back2[1].gif | image | 3e0b845d2f15589538b84fa5f3eeca9f | 25a8c6f761aef8378b470f420035b03362ba4d6761264969d506d8db288b9fd8
3980 | CLVIEW.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\MsOfficeHelp14\MOH3356.tmp\back2.gif | image | 3e0b845d2f15589538b84fa5f3eeca9f | 25a8c6f761aef8378b470f420035b03362ba4d6761264969d506d8db288b9fd8
3980 | CLVIEW.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\MsOfficeHelp14\MOH3356.tmp\bulletl.gif | image | 9f9dd2eec107ffbafbcb68a305909024 | 1aeeb99732bd228eba7090192d57ab9ec437f61caf2dda53412f1b53ffd8992a
3980 | CLVIEW.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\MsOfficeHelp14\MOH3356.tmp\errexcl.gif | image | 9455f749e6a5eecc8a69067f91f9066f | ef8dcfc6cadabb2eeed276034ae253f3be651ab73bd8bc9039300ea16cc73e62
3980 | CLVIEW.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\MsOfficeHelp14\MOH3356.tmp\back.gif | image | 5cf4fe788eab2fe10b0dbfd8fa99d9df | 21f6f9e91fffa6a49ee14d778c71ca9e96dbd8ae73d8974947ed2c1242e4c38c
3980 | CLVIEW.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\bulletl[1].gif | image | 9f9dd2eec107ffbafbcb68a305909024 | 1aeeb99732bd228eba7090192d57ab9ec437f61caf2dda53412f1b53ffd8992a
3980 | CLVIEW.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\help[1].gif | image | fca4caf9ca84107ca5bb207e4abfed0c | 88451b88037c920e3c79b61d835687fca63c9a07fc44644fe5068b20d91b7f2a
3980 | CLVIEW.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\MsOfficeHelp14\MOH3356.tmp\help.gif | image | fca4caf9ca84107ca5bb207e4abfed0c | 88451b88037c920e3c79b61d835687fca63c9a07fc44644fe5068b20d91b7f2a
3980 | CLVIEW.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\errexcl[1].gif | image | 9455f749e6a5eecc8a69067f91f9066f | ef8dcfc6cadabb2eeed276034ae253f3be651ab73bd8bc9039300ea16cc73e62
3980 | CLVIEW.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\MsOfficeHelp14\MOH3356.tmp\helpid.xsl | xml | d80d85131913452aa40de729acfe41d1 | 19f8d955ff19b356d55be12d7c71dfc8b5105302472f8fba7ccb158b13af339a
3980 | CLVIEW.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\MsOfficeHelp14\MOH3356.tmp\next.gif | image | 1dbc173789364e0c18a646d67bfb4a3c | 1c48ab0770ad29146b5305f18eb3207d18faf62368ea4f18238dfe205f6ace23
3980 | CLVIEW.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\MsOfficeHelp14\MOH3356.tmp\logo.gif | image | fb0dcad6d2967876a6176446726210d9 | 4f8b829ab7d1b65f9533c50e95f277283b604f1924d4deaac6ad10906788ab0c
3980 | CLVIEW.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\message[1].xsl | xml | 3cd6a3b27d59d49440d1be68af38e14c | 8b847a3c27a450ffa78f23fc152d0040efd60e0b873887c2217fd51670c8ce08
3980 | CLVIEW.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\logo[1].gif | image | fb0dcad6d2967876a6176446726210d9 | 4f8b829ab7d1b65f9533c50e95f277283b604f1924d4deaac6ad10906788ab0c
3980 | CLVIEW.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\helpid[1].xsl | xml | d80d85131913452aa40de729acfe41d1 | 19f8d955ff19b356d55be12d7c71dfc8b5105302472f8fba7ccb158b13af339a
3980 | CLVIEW.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\MsOfficeHelp14\MOH3356.tmp\message.xsl | xml | 3cd6a3b27d59d49440d1be68af38e14c | 8b847a3c27a450ffa78f23fc152d0040efd60e0b873887c2217fd51670c8ce08
3980 | CLVIEW.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\MsOfficeHelp14\MOH3356.tmp\content.css | text | 7ed65d8078c0dccac3e54bea090394ce | 889bce80f4b3f32389cd76c9073ac682db2ef7f5d2981cdbb85c72154a04a844
3980 | CLVIEW.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\MsOfficeHelp14\MOH3356.tmp\next2.gif | image | 1a586c9b5fe5a58a3d6c86a63e64baef | acca99d3ac329e36c2f8a9c19cf3e3b4594f6d86b6385eb1a376af73b24b8eb7
3980 | CLVIEW.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\next[1].gif | image | 1dbc173789364e0c18a646d67bfb4a3c | 1c48ab0770ad29146b5305f18eb3207d18faf62368ea4f18238dfe205f6ace23
3980 | CLVIEW.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\next2[1].gif | image | 1a586c9b5fe5a58a3d6c86a63e64baef | acca99d3ac329e36c2f8a9c19cf3e3b4594f6d86b6385eb1a376af73b24b8eb7
3980 | CLVIEW.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\online[1].gif | image | 03313506c488bd93bae4bf9078fdc69e | 94395510c9c773cf366874d4bcb8a2b8e347192e02cce9cc8b498c39e8d8e581
3980 | CLVIEW.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\MsOfficeHelp14\MOH3356.tmp\ont.css | text | 10e040bce37fdb924886805eb78faef6 | 197478a22616fea54e6f20323facc28084ee7a3495bb2fe0669ebc3a6948c7aa
3980 | CLVIEW.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\MsOfficeHelp14\MOH3356.tmp\Office12.js | text | 5ef7364647d148ca222e947d70ecc341 | eb0f0a1184f9437b9a1cb1dfa14d8d28d343f7c2cd2b2ce4bd818373ea3ad7e4
3980 | CLVIEW.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\MsOfficeHelp14\MOH3356.tmp\online.gif | image | 03313506c488bd93bae4bf9078fdc69e | 94395510c9c773cf366874d4bcb8a2b8e347192e02cce9cc8b498c39e8d8e581
3980 | CLVIEW.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\MsOfficeHelp14\MOH3356.tmp\tbgradient.gif | image | e577f384f3be48606eb24de490ef7470 | dce6c88acc7db94066218d591568e2c01f5460ae3d749fe0ea2f5cb18b508e39
3980 | CLVIEW.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\tbgradient[1].gif | image | e577f384f3be48606eb24de490ef7470 | dce6c88acc7db94066218d591568e2c01f5460ae3d749fe0ea2f5cb18b508e39
3980 | CLVIEW.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\MsOfficeHelp14\MOH3356.tmp\script.js | text | e72eebc1eb449513d28447f352406330 | e78f14923030e2e817fab024e72482d72aa14f3dcaef66f3a2c6825d6a29b305
3980 | CLVIEW.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\ont[1].css | text | 10e040bce37fdb924886805eb78faef6 | 197478a22616fea54e6f20323facc28084ee7a3495bb2fe0669ebc3a6948c7aa
3980 | CLVIEW.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\content[1].css | text | 7ed65d8078c0dccac3e54bea090394ce | 889bce80f4b3f32389cd76c9073ac682db2ef7f5d2981cdbb85c72154a04a844
3980 | CLVIEW.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\toc[1].xsl | xml | 26de67342be3c52d20d0c152fae1f843 | 5e65cb6e32a25b91b80b19317d93d76ce5222b565f8f495a01149e82a90beef7
3980 | CLVIEW.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\MsOfficeHelp14\MOH3356.tmp\toc.xsl | xml | 26de67342be3c52d20d0c152fae1f843 | 5e65cb6e32a25b91b80b19317d93d76ce5222b565f8f495a01149e82a90beef7
3980 | CLVIEW.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\MsOfficeHelp14\MOH3356.tmp\contentHXS.css | text | 3dd88748d642732883bd0f9009262482 | 93658d8161827e3b7c6839986fb1e051da7a00a93de0bb5942b490973f5bec8a
3980 | CLVIEW.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\search[1].xsl | xml | 94574c45fb7908aa78702728d51ca4b3 | 13a507594749624c1db987ed7148b5a8ae75666b0a54ef9eaf875597e44e2265
3980 | CLVIEW.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\MsOfficeHelp14\MOH3356.tmp\search.xsl | xml | 94574c45fb7908aa78702728d51ca4b3 | 13a507594749624c1db987ed7148b5a8ae75666b0a54ef9eaf875597e44e2265
3980 | CLVIEW.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\Office12[1].js | text | 5ef7364647d148ca222e947d70ecc341 | eb0f0a1184f9437b9a1cb1dfa14d8d28d343f7c2cd2b2ce4bd818373ea3ad7e4
3980 | CLVIEW.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\script[1].js | text | e72eebc1eb449513d28447f352406330 | e78f14923030e2e817fab024e72482d72aa14f3dcaef66f3a2c6825d6a29b305
3980 | CLVIEW.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\contentHXS[1].css | text | 3dd88748d642732883bd0f9009262482 | 93658d8161827e3b7c6839986fb1e051da7a00a93de0bb5942b490973f5bec8a
3980 | CLVIEW.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\clvtitlebg[1].gif | image | e99ebd19aca961126a7991dffff33f31 | 6d34432f68e973af539c5afcb87194ad2acbdf3cc4bc6f20458954662ff3ca03
3980 | CLVIEW.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\MsOfficeHelp14\MOH3356.tmp\clvtitlebg.gif | image | e99ebd19aca961126a7991dffff33f31 | 6d34432f68e973af539c5afcb87194ad2acbdf3cc4bc6f20458954662ff3ca03
3980 | CLVIEW.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\MsOfficeHelp14\MOH3356.tmp\clvgraybg.gif | image | 1c2755961e32314ce6208921a25bca9b | 39dbf2623931b0e690531baace75d890108ee81f6c95a872b0b1f9b27f3e8196
3980 | CLVIEW.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\MsOfficeHelp14\MOH3356.tmp\clvImagePaneMedia.jpg | image | 98da261f629b05e637a715445ac87f3e | 322ddbf086a222d8c13c862ec9891a7d4eb45f03b5dc8baa5f6b65923b350c19
3980 | CLVIEW.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\MsOfficeHelp14\MOH3356.tmp\offlineclientviewer.xml | xml | 6602f1daef541d6eee3f2fe07e9fdc2a | 37e4710d6a762194b9b6aa9b053bff5df90c05bb675002944510c725f428c661
3980 | CLVIEW.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\cvglobal[1].xsl | xml | 048efa38358f297327024f7f90928ee5 | 9004e1b028764e0e482fb273c16649d3282be74e9212e6332be10b294eca3312
3980 | CLVIEW.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\offlineclientviewer[1].xsl | xml | 6173d86d395f0ea99aff338f8be58421 | d37c79c15a8c782eacbf4e7fca1646af7c42cfb235f198f68ce69df353f06a9b
3980 | CLVIEW.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\MsOfficeHelp14\MOH3356.tmp\cvglobalstrings.xml | xml | 3548b520874395a9cbce22d15e9068d8 | 31f2fa759ed6862569f7c68aed874053ebcfb4e27c74476a0fd3aa1e3af818d6
3980 | CLVIEW.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\MsOfficeHelp14\MOH3356.tmp\cvglobal.xsl | xml | 048efa38358f297327024f7f90928ee5 | 9004e1b028764e0e482fb273c16649d3282be74e9212e6332be10b294eca3312
3980 | CLVIEW.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\MsOfficeHelp14\MOH3356.tmp\clvbluebg.gif | image | 97d012557e39e76fdcc67f1b193b83d5 | 8d0fee06920d3cec3a073496d49b6bfd99bb6b22d748221f64e742935aba89cb
3980 | CLVIEW.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\clvgraybg[1].gif | image | 1c2755961e32314ce6208921a25bca9b | 39dbf2623931b0e690531baace75d890108ee81f6c95a872b0b1f9b27f3e8196
3980 | CLVIEW.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\offlineclientviewer[1].xml | xml | 6602f1daef541d6eee3f2fe07e9fdc2a | 37e4710d6a762194b9b6aa9b053bff5df90c05bb675002944510c725f428c661
3980 | CLVIEW.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\cvglobalstrings[1].xml | xml | 3548b520874395a9cbce22d15e9068d8 | 31f2fa759ed6862569f7c68aed874053ebcfb4e27c74476a0fd3aa1e3af818d6
3980 | CLVIEW.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\clvbluebg[1].gif | image | 97d012557e39e76fdcc67f1b193b83d5 | 8d0fee06920d3cec3a073496d49b6bfd99bb6b22d748221f64e742935aba89cb
3980 | CLVIEW.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\MsOfficeHelp14\MOH3356.tmp\offlineclientviewer.xsl | xml | 6173d86d395f0ea99aff338f8be58421 | d37c79c15a8c782eacbf4e7fca1646af7c42cfb235f198f68ce69df353f06a9b
3980 | CLVIEW.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\clvImagePaneMedia[1].jpg | image | 98da261f629b05e637a715445ac87f3e | 322ddbf086a222d8c13c862ec9891a7d4eb45f03b5dc8baa5f6b65923b350c19
3980 | CLVIEW.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\MsOfficeHelp14\MOH3356.tmp\bullet.png | image | 647b27d7825531915bf109b8e2338fa0 | f23974592a4f5f7742471a13330c6b9b648c05cf8b38c4fd270c03ec2c876712
3980 | CLVIEW.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\bullet[1].png | image | 647b27d7825531915bf109b8e2338fa0 | f23974592a4f5f7742471a13330c6b9b648c05cf8b38c4fd270c03ec2c876712
3980 | CLVIEW.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\MsOfficeHelp14\MOH3356.tmp\clv14titlebarbg.png | image | e1528816607c20d004f081ce0caa4de4 | 74a2750233670cf7a18201903dea1d9d2db38e1a31fee7f04f96467abc34ab28
3980 | CLVIEW.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\page-rsd[1].png | image | 4ee71d30a4448209806d492e0500f015 | 49c3884026013ec0096c2233b3c5669491cb9e986ad3e61717bd8cb06e9a6a64
3980 | CLVIEW.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\page-lsd[1].png | image | 59cb6dd93db7b9bf6b2839b2204189e4 | 0014b20aaf60f6e8289ed2048df986e3130c64f3aa63ebbe08978b7814263be1
3980 | CLVIEW.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\page-lsh[1].png | image | 097c14cc1ae33c7b834179534136438d | d4909df5bf7dfe0cea1f83caacff9135549e7c18c669f7b275cfe56c42062ef7
3980 | CLVIEW.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\MsOfficeHelp14\MOH3356.tmp\page-lsd.png | image | 59cb6dd93db7b9bf6b2839b2204189e4 | 0014b20aaf60f6e8289ed2048df986e3130c64f3aa63ebbe08978b7814263be1
3980 | CLVIEW.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\clv14titlebarbg[1].png | image | e1528816607c20d004f081ce0caa4de4 | 74a2750233670cf7a18201903dea1d9d2db38e1a31fee7f04f96467abc34ab28
3980 | CLVIEW.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\MsOfficeHelp14\MOH3356.tmp\page-rsd.png | image | 4ee71d30a4448209806d492e0500f015 | 49c3884026013ec0096c2233b3c5669491cb9e986ad3e61717bd8cb06e9a6a64
3980 | CLVIEW.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\MsOfficeHelp14\MOH3356.tmp\LOCALHELP.TXT | text | 75a4845736220763a3b0e11b0e435ee1 | 7a54a17f7c898525312c52ba0472a829348dbbb9cf71a6da65f30675b67c4008
3980 | CLVIEW.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\MsOfficeHelp14\MOH3356.tmp\page-lsh.png | image | 097c14cc1ae33c7b834179534136438d | d4909df5bf7dfe0cea1f83caacff9135549e7c18c669f7b275cfe56c42062ef7
3980 | CLVIEW.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\MsOfficeHelp14\MOH3356.tmp\page-rsh.png | image | a6426d2e1904574838be4f3b7e1ee900 | 2869275993df28609bb2148ef4debad1b483a82d23170bb1015e68ca772679f7
3980 | CLVIEW.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\ontrtl[1].css | text | 40ffa4ddfb84e269b6e1df260a101346 | 8bf6ad48b445bf9badec45e765e10ed98eec74f6f70f23c8e34b5b290459ace4
3980 | CLVIEW.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\ClientViewerSettings[1].xml | xml | 88fbdbf0b8ed30038abb141e26ad42b6 | 63a2227b104139265e9d2f43e5e4c8c61aabcd92ffee838fbbe18e987e911c68
3980 | CLVIEW.EXE | C:\Users\admin\AppData\Local\Temp\IMT3343.tmp | binary | d2c8a91c6cfa65d102d18daa01b329a6 | 88dbf0342a5e9552610f858cec705aa2fae47c02d865aa42045e5676e96cc04b
3980 | CLVIEW.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\MsOfficeHelp14\MOH3356.tmp\ontrtl.css | text | 40ffa4ddfb84e269b6e1df260a101346 | 8bf6ad48b445bf9badec45e765e10ed98eec74f6f70f23c8e34b5b290459ace4
3980 | CLVIEW.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\LOCALHELP[1].TXT | text | 75a4845736220763a3b0e11b0e435ee1 | 7a54a17f7c898525312c52ba0472a829348dbbb9cf71a6da65f30675b67c4008
3980 | CLVIEW.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\page-rsh[1].png | image | a6426d2e1904574838be4f3b7e1ee900 | 2869275993df28609bb2148ef4debad1b483a82d23170bb1015e68ca772679f7
3980 | CLVIEW.EXE | C:\Users\admin\AppData\Local\Temp\IMT3355.tmp | binary | 21c8f635048e241ccd9553b65ab0c0d6 | 68b10f90cf097df4f9307e6c0665e126daaf1dc0188730c250c3cfeb5c3d93d2
3980 | CLVIEW.EXE | C:\Users\admin\AppData\Local\Microsoft Help\MS.WINWORD.14.1033_1033_MValidator.Lck | text | b485167c5b0e59d47009a16f90fe2659 | db44b8db4f05d720ef1a57abadeed0c164d47b17416c7dd7d136d8f10fba91c9
3980 | CLVIEW.EXE | C:\Users\admin\AppData\Local\Temp\IMT3354.tmp | binary | e8daf3fddf971584bbcf09aa7ef9db63 | 5f21467ea3ebe75db7c6ed42ef2203de523e481467f049ce70602b4968f6a69c
3980 | CLVIEW.EXE | C:\Users\admin\AppData\Local\Temp\IMT3341.tmp | binary | b7df64b4bdb508d01eb61872e771f5e4 | ed437c5090346d7d984ccb6ddd602a59245de5565719c7b338907bdab71318d9
3980 | CLVIEW.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\MsOfficeHelp14\MOH3356.tmp\ClientViewerSettings.xml | xml | 88fbdbf0b8ed30038abb141e26ad42b6 | 63a2227b104139265e9d2f43e5e4c8c61aabcd92ffee838fbbe18e987e911c68
3980 | CLVIEW.EXE | C:\Users\admin\AppData\Local\Temp\IMT333F.tmp | binary | e187e0d7dafe0cfcf7991382765d13b0 | 437df79cdf5127a052bcf459faf16d99784c850344470551aca1d870b9c206fc
3980 | CLVIEW.EXE | C:\Users\admin\AppData\Local\Temp\IMT3340.tmp | binary | d088686475dd5691892cb587efb53b77 | e490db90666d039e63370f960fb695c831474a70bf90af0ec12fa17d992912c2
3980 | CLVIEW.EXE | C:\Users\admin\AppData\Local\Temp\IMT3344.tmp | binary | 78154ebf041950eb52e605af3b03863a | 9aae50b35c3fa1790a5d9012be8f2012fa4637bcc7553535da52610fb008d76c
3980 | CLVIEW.EXE | C:\Users\admin\AppData\Local\Microsoft Help\MS.WINWORD.14.1033_1033_MValidator.HxD | binary | dfce5bf1d74008ce31ac5055a88a8ab6 | e35a9b9562d7583e0b63887547681e651256193faba40d0e527684ed28999927
3980 | CLVIEW.EXE | C:\Users\admin\AppData\Local\Temp\IMT332C.tmp | binary | 453fdb783008b8e22e87ff071a71860c | 58b421a26f4af76da1282fd12de11f60c37e3edd2067c4308be874de0d750f12
3980 | CLVIEW.EXE | C:\Users\admin\AppData\Local\Temp\IMT3317.tmp | binary | 4bd1eb83bb26a0192fe6465187600f4a | 375732431d8ab7b81ad6ba6f53fbb291bba95614171a52b4ba281b628a69e061
3980 | CLVIEW.EXE | C:\Users\admin\AppData\Local\Temp\IMT333D.tmp | binary | 7e8b24eecb300b45b19f534eff40ad54 | daa96ddb007d4387e35263890f76f3ce91ee276d6ae85b0bbf1d9bcb97fcf85b
3980 | CLVIEW.EXE | C:\Users\admin\AppData\Local\Temp\IMT333E.tmp | binary | 244a447b9438a40d8f83e1d975d44ce8 | 903c9f354180fe84a34e8a68492a58eaafe67310a8a3557e3080d4c85e36be6e
3980 | CLVIEW.EXE | C:\Users\admin\AppData\Local\Temp\IMT3342.tmp | binary | a581aa98f1d5e35d26eaa3c02cdba788 | 128116fbbc70ae26ddd8608d45394a306ac180b2940113df63ce69ef46e06eed
3980 | CLVIEW.EXE | C:\Users\admin\AppData\Local\Microsoft Help\MS.WINWORD.14.1033_1033_MKWD_K.HxW | binary | ac9da98e6ad7dcd051d8d58129e2ffba | a1ed34fb8b0406a7bf52acb87062dac03f851abafa0cf2e189510812e8a3c97e
3980 | CLVIEW.EXE | C:\Users\admin\AppData\Local\Temp\IMT332B.tmp | binary | 4be2aedda24e0539c95564b48ca9d8ba | e4d153f74ac21d4212a83fe030ee7a407b5fdfe2d3a8145f3e826532bd796893
3980 | CLVIEW.EXE | C:\Users\admin\AppData\Local\Temp\IMT3328.tmp | binary | a3aa898fc8f45b5ac2ce22a259b8a2da | de7c898ce562a155f6bd4489a96b8a8c6eba27d6a58983bd95c813d462b6aa98
3980 | CLVIEW.EXE | C:\Users\admin\AppData\Local\Temp\IMT3329.tmp | binary | 5dd0a38ba50a5c7561e641657e3c2c62 | 6324534378a2d1efc9b72a6de4cf4aa67dd3ac05f00c5ef79e0026ed1b621f9d
3980 | CLVIEW.EXE | C:\Users\admin\AppData\Local\Temp\IMT3302.tmp | binary | 453fdb783008b8e22e87ff071a71860c | 58b421a26f4af76da1282fd12de11f60c37e3edd2067c4308be874de0d750f12
3980 | CLVIEW.EXE | C:\Users\admin\AppData\Local\Temp\IMT3318.tmp | binary | 49e95551499c77d4f195296861492d17 | fba926816e0c58e636dd60da4b3277fbfab6620e276560ec225838b5c32700de
3980 | CLVIEW.EXE | C:\Users\admin\AppData\Local\Temp\IMT3313.tmp | binary | 7e8b24eecb300b45b19f534eff40ad54 | daa96ddb007d4387e35263890f76f3ce91ee276d6ae85b0bbf1d9bcb97fcf85b
3980 | CLVIEW.EXE | C:\Users\admin\AppData\Local\Temp\IMT332A.tmp | binary | 73e5f16aa352d7188e7266c6c20eaaf1 | 57408d0184c465a18379caaf84030c6835b480bc644804f5670a02b985e84a0c
3980 | CLVIEW.EXE | C:\Users\admin\AppData\Local\Temp\IMT3316.tmp | binary | d088686475dd5691892cb587efb53b77 | e490db90666d039e63370f960fb695c831474a70bf90af0ec12fa17d992912c2
3980 | CLVIEW.EXE | C:\Users\admin\AppData\Local\Temp\IMT3314.tmp | binary | 244a447b9438a40d8f83e1d975d44ce8 | 903c9f354180fe84a34e8a68492a58eaafe67310a8a3557e3080d4c85e36be6e
3980 | CLVIEW.EXE | C:\Users\admin\AppData\Local\Temp\IMT3315.tmp | binary | e187e0d7dafe0cfcf7991382765d13b0 | 437df79cdf5127a052bcf459faf16d99784c850344470551aca1d870b9c206fc
3980 | CLVIEW.EXE | C:\Users\admin\AppData\Local\Microsoft Help\MS.WINWORD.14.1033_1033_MKWD_F.HxW | binary | 894f3a43b2fc4d37c6d51dd83b00ccdc | 0b9d33d197428051b1380011487af3f72f35d844ea3674d549ad6305c98f42f0
3980 | CLVIEW.EXE | C:\Users\admin\AppData\Local\Temp\IMT3300.tmp | binary | 73e5f16aa352d7188e7266c6c20eaaf1 | 57408d0184c465a18379caaf84030c6835b480bc644804f5670a02b985e84a0c
3980 | CLVIEW.EXE | C:\Users\admin\AppData\Local\Temp\IMT3301.tmp | binary | 4be2aedda24e0539c95564b48ca9d8ba | e4d153f74ac21d4212a83fe030ee7a407b5fdfe2d3a8145f3e826532bd796893
3980 | CLVIEW.EXE | C:\Users\admin\AppData\Local\Temp\IMT32FF.tmp | binary | 4602a04016a7c85a82bd26892db13114 | e47cf986c12c819b7ecf9799338b16f1e91fd26419a26a3c07a939606d0b8e0d
3980 | CLVIEW.EXE | C:\Users\admin\AppData\Local\Temp\IMT32EE.tmp | binary | e8daf3fddf971584bbcf09aa7ef9db63 | 5f21467ea3ebe75db7c6ed42ef2203de523e481467f049ce70602b4968f6a69c
3980 | CLVIEW.EXE | C:\Users\admin\AppData\Local\Temp\IMT32ED.tmp | binary | 87ed3ecc3dfa9a77e0205f7cb604b65e | bcef43ce080b112dc9a5f43531a2df87e584913d1f2571f40681ba87ae5702ed
3980 | CLVIEW.EXE | C:\Users\admin\AppData\Local\Temp\IMT32D6.tmp | binary | 73e5f16aa352d7188e7266c6c20eaaf1 | 57408d0184c465a18379caaf84030c6835b480bc644804f5670a02b985e84a0c
3980 | CLVIEW.EXE | C:\Users\admin\AppData\Local\Temp\IMT32EC.tmp | binary | 4bd1eb83bb26a0192fe6465187600f4a | 375732431d8ab7b81ad6ba6f53fbb291bba95614171a52b4ba281b628a69e061
3980 | CLVIEW.EXE | C:\Users\admin\AppData\Local\Temp\IMT32EB.tmp | binary | d088686475dd5691892cb587efb53b77 | e490db90666d039e63370f960fb695c831474a70bf90af0ec12fa17d992912c2
3980 | CLVIEW.EXE | C:\Users\admin\AppData\Local\Temp\IMT32C2.tmp | binary | c8c857de0806922bd007f137445ed0a4 | 22f336326f06abf312a6c723a7c1103cc49232ea5d244ad858cca8052c5e4234
3980
CLVIEW.EXE
C:\Users\admin\AppData\Local\Temp\IMT32D8.tmp
binary
MD5: 453fdb783008b8e22e87ff071a71860c
SHA256: 58b421a26f4af76da1282fd12de11f60c37e3edd2067c4308be874de0d750f12
3980
CLVIEW.EXE
C:\Users\admin\AppData\Local\Temp\IMT32D7.tmp
binary
MD5: 4be2aedda24e0539c95564b48ca9d8ba
SHA256: e4d153f74ac21d4212a83fe030ee7a407b5fdfe2d3a8145f3e826532bd796893
3980
CLVIEW.EXE
C:\Users\admin\AppData\Local\Temp\IMT32C3.tmp
binary
MD5: 8bf2147c1c4d9ffd3a8c2f24956a4385
SHA256: 5a924a7366eaad685eef564b1f47f711b6e901d5637862a4e494fe9b3cd05564
3980
CLVIEW.EXE
C:\Users\admin\AppData\Local\Temp\IMT32B1.tmp
binary
MD5: 244f5bf7c311b71baca300bfb020d6ea
SHA256: c48ff4e04c4f6fba75600635fd7c57076fcf278f35c784fe12fda0cf8f8b6af8
3980
CLVIEW.EXE
C:\Users\admin\AppData\Local\Temp\IMT32C5.tmp
binary
MD5: 0f8819de57077b637a620d75682f9172
SHA256: 1c6d8a86f133b054e44a947cbc844998e93484659da566bb347a634342ce739b
3980
CLVIEW.EXE
C:\Users\admin\AppData\Local\Temp\IMT32DA.tmp
binary
MD5: 244a447b9438a40d8f83e1d975d44ce8
SHA256: 903c9f354180fe84a34e8a68492a58eaafe67310a8a3557e3080d4c85e36be6e
3980
CLVIEW.EXE
C:\Users\admin\AppData\Local\Temp\IMT32D9.tmp
binary
MD5: 7e8b24eecb300b45b19f534eff40ad54
SHA256: daa96ddb007d4387e35263890f76f3ce91ee276d6ae85b0bbf1d9bcb97fcf85b
3980
CLVIEW.EXE
C:\Users\admin\AppData\Local\Temp\IMT32C4.tmp
binary
MD5: 1ad9b1d504a5e2394fb569536abbc434
SHA256: 811a1614024eb0055ab662347e059d506f80678aa75617e24decce4e959cadaa
3980
CLVIEW.EXE
C:\Users\admin\AppData\Local\Microsoft Help\MS.WINWORD.14.1033_1033_MTOC_WINWORD_COL.HxH
binary
MD5: 8385baff789342d38d126a431a0ff3bf
SHA256: 1010270c0294c610971d829795e4b90a11cb173001147b7ff88d74bc098faaa5
3980
CLVIEW.EXE
C:\Users\admin\AppData\Local\Temp\IMT32EA.tmp
binary
MD5: e187e0d7dafe0cfcf7991382765d13b0
SHA256: 437df79cdf5127a052bcf459faf16d99784c850344470551aca1d870b9c206fc
3132
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\CVR2357.tmp.cvr
––
MD5:  ––
SHA256:  ––
3980
CLVIEW.EXE
C:\Users\admin\AppData\Local\Temp\IMT32B0.tmp
binary
MD5: 4bd1eb83bb26a0192fe6465187600f4a
SHA256: 375732431d8ab7b81ad6ba6f53fbb291bba95614171a52b4ba281b628a69e061
3980
CLVIEW.EXE
C:\Users\admin\AppData\Local\Temp\IMT329B.tmp
binary
MD5: 4be2aedda24e0539c95564b48ca9d8ba
SHA256: e4d153f74ac21d4212a83fe030ee7a407b5fdfe2d3a8145f3e826532bd796893
3980
CLVIEW.EXE
C:\Users\admin\AppData\Local\Temp\IMT32AF.tmp
binary
MD5: d088686475dd5691892cb587efb53b77
SHA256: e490db90666d039e63370f960fb695c831474a70bf90af0ec12fa17d992912c2
3980
CLVIEW.EXE
C:\Users\admin\AppData\Local\Temp\IMT32AB.tmp
binary
MD5: 453fdb783008b8e22e87ff071a71860c
SHA256: 58b421a26f4af76da1282fd12de11f60c37e3edd2067c4308be874de0d750f12
3980
CLVIEW.EXE
C:\Users\admin\AppData\Local\Temp\IMT32AC.tmp
binary
MD5: 7e8b24eecb300b45b19f534eff40ad54
SHA256: daa96ddb007d4387e35263890f76f3ce91ee276d6ae85b0bbf1d9bcb97fcf85b
3980
CLVIEW.EXE
C:\Users\admin\AppData\Local\Temp\IMT32AD.tmp
binary
MD5: 244a447b9438a40d8f83e1d975d44ce8
SHA256: 903c9f354180fe84a34e8a68492a58eaafe67310a8a3557e3080d4c85e36be6e
3980
CLVIEW.EXE
C:\Users\admin\AppData\Local\Temp\IMT329A.tmp
binary
MD5: 73e5f16aa352d7188e7266c6c20eaaf1
SHA256: 57408d0184c465a18379caaf84030c6835b480bc644804f5670a02b985e84a0c
3980
CLVIEW.EXE
C:\Users\admin\AppData\Local\Temp\IMT32AE.tmp
binary
MD5: e187e0d7dafe0cfcf7991382765d13b0
SHA256: 437df79cdf5127a052bcf459faf16d99784c850344470551aca1d870b9c206fc
3132
WINWORD.EXE
C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\universitystatement.rtf.LNK
lnk
MD5: 84828bb61c1dfcc79704417d70f3bd40
SHA256: 322ece759c26e5930b8c60ab4b2318489ad440bc9c5a680d5fab79cb9b992b01
3132
WINWORD.EXE
C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
ini
MD5: f15c03fedfa72d1087397980e0b3a607
SHA256: cd34a876a7da82d90e7c8c2347d3b280a99a15f3fa8dfc498991043d740c67b9
3132
WINWORD.EXE
C:\Users\admin\Desktop\~$iversitystatement.rtf
pgc
MD5: 7f244b315f8e241959e259a35de9d35a
SHA256: 635093f486dbb11d16b2bfc9f12f6092b7a3e96da1155beda6912711c8eb85c1
3132
WINWORD.EXE
C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
pgc
MD5: 9a29dee7cd423c1399787c33614f2c85
SHA256: 14c6ee236c4f9a5b9c45b24707e53d8dde24d6d614669dcc015f71e87464db79
508
svchost.exe
C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\19CB7CB85F3C1BAA0B50740305CB83A0_E82339634BA2CD03EAD3AF4785D65A60
binary
MD5: a4beeacba3d6e60f08e0f93592af0ad1
SHA256: 7f94e87c838165c69126406986045f159aca088d6ed0ad6ba2686d2261f50820
508
svchost.exe
C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
der
MD5: 2663bed1f902bed00647b84fabbf8dea
SHA256: 7a3c6a8be401f6de91999c00919ea0f3bdcf80d06eb0e8a15d801f8f9a465de9
508
svchost.exe
C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
binary
MD5: 6525493572225de26e12c136e17fe6fc
SHA256: 7b193530e80cd34f660ff84b69dcc82a197b0e9db96aafa9ad103a294a2fca76
508
svchost.exe
C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\19CB7CB85F3C1BAA0B50740305CB83A0_E82339634BA2CD03EAD3AF4785D65A60
der
MD5: 7d03c2314ddee15e692c6f06352d507b
SHA256: 99a72ed97cec95f4bfac988b4def745b0d68e84ba3bb9732d4499c6bccfde2ce
508
svchost.exe
C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_45E3C223BCF135987E4038FB6B0DBA13
der
MD5: 34615e035f22e0f62abb877ef4e65b52
SHA256: 77da562e421b1004406ebda1a1e2576b3b04d6d6e62bbdff40b8c67e0a3c6486
508
svchost.exe
C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_45E3C223BCF135987E4038FB6B0DBA13
binary
MD5: a97f6ad564002c391aa0015f8282f15d
SHA256: 5031a0d8e51aa4bfd8a1138b2de395930a002be6da820d99681b11da94df3237
508
svchost.exe
C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
binary
MD5: 23a656e0c0c2aaa354f58bd239121f77
SHA256: 9a350adda863cb063026addb53716bbcc5640d5cc34a33fb6ac0d8f497ed3d53
508
svchost.exe
C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
compressed
MD5: f7dcb24540769805e5bb30d193944dce
SHA256: 6b88c6ac55bbd6fea0ebe5a760d1ad2cfce251c59d0151a1400701cb927e36ea
3904
firefox.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\datareporting\archived\2022-01\1642194713162.01ffefed-a065-48d7-a375-8b17bd8399e7.main.jsonlz4
jsonlz4
MD5: d71b851d61edff5a3497f9cccb048057
SHA256: 7caa0b1d4f98b06739da0052b6369aee8e84fcf7c114e6fada61c91ec24f504d
3904
firefox.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\datareporting\archived\2022-01\1642194713162.01ffefed-a065-48d7-a375-8b17bd8399e7.main.jsonlz4.tmp
jsonlz4
MD5: d71b851d61edff5a3497f9cccb048057
SHA256: 7caa0b1d4f98b06739da0052b6369aee8e84fcf7c114e6fada61c91ec24f504d
3904
firefox.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\datareporting\aborted-session-ping
text
MD5: a0cf249a2656c08c0950831deb4bc1ea
SHA256: 3079db0968ce1ca1303f63b69d1c461502862e8a7265d9f3f3fe0f858a4fb78b
3904
firefox.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\datareporting\archived\2022-01\1642194713162.7eb68eed-3bef-4604-9845-4cb3f4efefd3.event.jsonlz4.tmp
jsonlz4
MD5: 00313a6744cffd7e632373c3777472f9
SHA256: 7efa3b7344f6f9fb3b847f158bea5be6aa437e09b0abcbfcec4beea8d40f2b09
3904
firefox.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\datareporting\archived\2022-01\1642194713162.7eb68eed-3bef-4604-9845-4cb3f4efefd3.event.jsonlz4
jsonlz4
MD5: 00313a6744cffd7e632373c3777472f9
SHA256: 7efa3b7344f6f9fb3b847f158bea5be6aa437e09b0abcbfcec4beea8d40f2b09
3904
firefox.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\places.sqlite
––
MD5:  ––
SHA256:  ––
3904
firefox.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\datareporting\aborted-session-ping.tmp
text
MD5: a0cf249a2656c08c0950831deb4bc1ea
SHA256: 3079db0968ce1ca1303f63b69d1c461502862e8a7265d9f3f3fe0f858a4fb78b
3904
firefox.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\datareporting\session-state.json
binary
MD5: 46e1c057b25e31ca62ea8d2569a5eebc
SHA256: 6e282a1f091d2d884bbffd729d114720e60b79c55e6f9dea0c45fe7af2b8440b
3904
firefox.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\datareporting\session-state.json.tmp
binary
MD5: 46e1c057b25e31ca62ea8d2569a5eebc
SHA256: 6e282a1f091d2d884bbffd729d114720e60b79c55e6f9dea0c45fe7af2b8440b
3904
firefox.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-wal
binary
MD5: c6a6145dc08faf45de8ceda3066a36d4
SHA256: c1f0c44ccf6281859d5399f892c7e71a144150eb0abc205da42271908391223a
3904
firefox.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite
sqlite
MD5: 0c61f48e3582e8bfc96296abb05afcb4
SHA256: 91c134af9987520a536f5fec0f5b7b26963ff4bd91e68a21741b539d4c642098
3904
firefox.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cookies.sqlite
sqlite
MD5: af5141d860a1cee0802de1b7ae36c51c
SHA256: a80bed32ab70d2033b38a87b3983725cda27bdef739d5e713afb8409483f2196
3904
firefox.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cookies.sqlite-shm
binary
MD5: 4974ea4c64f2a5281af72cc7d85f003f
SHA256: 129479a9a9479e619ea863774e81b8f39ac4fc9e12bf6ce123b38d522a656bcc
3904
firefox.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\webappsstore.sqlite-shm
binary
MD5: b7c14ec6110fa820ca6b65f5aec85911
SHA256: fd4c9fda9cd3f9ae7c962b0ddf37232294d55580e1aa165aa06129b8549389eb
3904
firefox.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\xulstore.json.tmp
binary
MD5: b35a798338c2335edf7bc42654562094
SHA256: 14c0a45c4ddae9f8247f60dbeca09b2fd7a9e516e7b6a1d10ec90fc475fe4bbb
3904
firefox.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\favicons.sqlite-shm
binary
MD5: b7c14ec6110fa820ca6b65f5aec85911
SHA256: fd4c9fda9cd3f9ae7c962b0ddf37232294d55580e1aa165aa06129b8549389eb
3904
firefox.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shm
binary
MD5: 1c797e5da57e2cc02021262fcb20040f
SHA256: b316d3cacd54b35ee7ad3531fb984e70c811eb723938b67cddd8455c9d301ad3
3904
firefox.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cookies.sqlite-wal
sqlite-wal
MD5: 4565b00853ce7e49f58c2127077a778d
SHA256: d74642072109d4b83b82c57e253d72100e58633a739ce65cff027fa530ade00e
3904
firefox.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\xulstore.json
binary
MD5: b35a798338c2335edf7bc42654562094
SHA256: 14c0a45c4ddae9f8247f60dbeca09b2fd7a9e516e7b6a1d10ec90fc475fe4bbb
3904
firefox.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\places.sqlite-shm
binary
MD5: aef8f66f98d8518dfb572cbe8b7a148b
SHA256: 0b161c804637e72b084bd850489d059140ce05dca8ddbe060ea6c62b807f7c0a
3904
firefox.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\sessionCheckpoints.json.tmp
binary
MD5: 948a7403e323297c6bb8a5c791b42866
SHA256: 2fca1f29b73dd5b4159fa1eb16e69276482f5224ba7d2219a547039129a51f0e
3904
firefox.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\protections.sqlite
sqlite
MD5: ab6932ff3cd41882d7d1f3933a7bfe4d
SHA256: fad412d51d25447605a54611f2cd2b3c3dd4ac188f6f3da8533f496ac8717fb9
3904
firefox.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\SiteSecurityServiceState.txt
text
MD5: 5e73c6e7bd658a695f08301988bb4950
SHA256: 261635fc5d211d8a05c64113678bec237865e35286f2c874211270b9a2da9bd5
3904
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\startupCache.4.little
binary
MD5: 5ac8e11091dd130d88c06878550a5af8
SHA256: 109a020c83d45fb676688488d064f53580d96bb836ce19ba11409011be8e09dd
3904
firefox.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\sessionCheckpoints.json
binary
MD5: 948a7403e323297c6bb8a5c791b42866
SHA256: 2fca1f29b73dd5b4159fa1eb16e69276482f5224ba7d2219a547039129a51f0e
3904
firefox.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs.js
text
MD5: 5e28c75ed8a17919fb13b448eb79b7bb
SHA256: 1e7be6e6fc14059d96312aae1a531eddb872340f9abb6ece21573c96d92a5b23
3904
firefox.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs-1.js
text
MD5: 5e28c75ed8a17919fb13b448eb79b7bb
SHA256: 1e7be6e6fc14059d96312aae1a531eddb872340f9abb6ece21573c96d92a5b23
3904
firefox.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\protections.sqlite-journal
binary
MD5: 32287eb2227a0f4b58cb85686754e6d7
SHA256: d5c94ab2f48db3c30b37b45b3dd8d8e18ea9fdadb069d48683984a15b6c2bf7d
3904
firefox.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\sessionstore.jsonlz4
jsonlz4
MD5: 01042a236ad9c099fa3e74d391d53cf3
SHA256: a235cca43c11b8f3adc3a507ad0532f71ad10c0c7a42d2cb3dc232e436993add
3904
firefox.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\sessionstore.jsonlz4.tmp
jsonlz4
MD5: 01042a236ad9c099fa3e74d391d53cf3
SHA256: a235cca43c11b8f3adc3a507ad0532f71ad10c0c7a42d2cb3dc232e436993add
3904
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\base-cryptomining-track-digest256.vlpset
binary
MD5: 7d532b89a987d92def1d7aabbaad62ab
SHA256: 7cb574be3e783d6876740dbca525d868677307a52dddd67ac84665ccfaae895e
3904
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\social-tracking-protection-facebook-digest256.sbstore
binary
MD5: 58fbc7f7687cc8798aea35b7066eb198
SHA256: 3a2035ad8446c71242daa9eaf3818b87f673d0429e4f5334621905b47a1c3df5
3904
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\block-flashsubdoc-digest256.sbstore
binary
MD5: b9556d03aff392142ad5691d2f867310
SHA256: cfd3909b41c1ee3cbcb8b7d2b1378065e7d3b543fff1f2fb7a4f25c5ff41722c
3904
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\social-tracking-protection-linkedin-digest256.vlpset
binary
MD5: 3303aa4bcb02d27f1a8b6aff30c1dd9c
SHA256: 6f33ccfcf9767b612657242c2819c325cfdf17b8d92224db588a886f7ec2d26e
3904
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\social-tracking-protection-twitter-digest256.sbstore
binary
MD5: 373411cebf6e3bcb89d8bfa632409bf1
SHA256: c1d5b95b18ff02514bda0ec7865d9468c3a89e5c3ba2ebd3d4284fd8fcd463d4
3904
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\social-tracking-protection-linkedin-digest256.sbstore
binary
MD5: 3b11b562807fef504fe671ded4d0e8ce
SHA256: 9bf05adc119cdd219347572787a9b7e18308c4465a8f440c34c697b2f5cd479f
3904
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\social-tracking-protection-twitter-digest256.vlpset
binary
MD5: 35d8fd43d868d7bba7041362eb8101b3
SHA256: 104c2467e4f7bc7cac0ce0e456d5abd8c192c2c8c44f7c9a38412a59abdd1772
3904
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\social-tracking-protection-facebook-digest256.vlpset
binary
MD5: 86b1acdbf1fc7201d0eb7c85ee75f5af
SHA256: a0f4c83316cd66525f663cd72a2dc8bd1b2aa2e40d599b8b6f334d61c5d03098
3904
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\block-flashsubdoc-digest256.vlpset
binary
MD5: 40165280ff1345b5241ec2a9d1da2af0
SHA256: f80bdd5341d8b1ee946e344e258ef2d35c3c0bb6b13eb7b3e6a77467dfa8b97f
3904
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\base-fingerprinting-track-digest256.sbstore
binary
MD5: daa7abdb5ed1dbf8877f4028092e32f6
SHA256: b8f20b14ad5291b4528df859129b301f367a9885f417f9807821d5a386352530
3904
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\base-cryptomining-track-digest256.sbstore
binary
MD5: d6c5c2e242df3ec5ff8e17dd8ee15f73
SHA256: f0c6512e42f2732b3aa401f9ab4df84c0a89c9755968b158796706a48b9f492a
3904
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\except-flashsubdoc-digest256.sbstore
binary
MD5: 22698b4cf784dbbae2d583f00491d43d
SHA256: 3849563088ae0677d61702a1310fde26de5ddd846d53037222d3efe012197bf5
3904
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\except-flashsubdoc-digest256.vlpset
binary
MD5: 0c0d67875bd75a0227c02dd8529ba01a
SHA256: 614be0169ec36e67223eb9645a98da66dbfde5dfbb89bb064f428aaeabdd9d97
3904
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\base-fingerprinting-track-digest256.vlpset
binary
MD5: fa7667eeed0b53973506278ece958e62
SHA256: 0d55a21e6694fce19f366f9e5351a02d215d378541dbc38df68645b63b56d8bf
3904
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\except-flash-digest256.sbstore
binary
MD5: d5d6b4d59b4ae4e2de4b40d0da083571
SHA256: 000e3a78c72a210ca3b5417a3cdd294fbce2a31661601c9d594c75cf2800571c
3904
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\allow-flashallow-digest256.vlpset
binary
MD5: de0d88480c24350c59e1e9a3583de0d1
SHA256: 01ba9f0b913e04ed10bd7166796483dd4f72005f249d6ee68b12117be4b5d3c7
3904
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\google-trackwhite-digest256.vlpset
binary
MD5: e54e5b84194eee15e64d2a03f1136bb7
SHA256: 07707b589be3dba3bb0bdac67760a2b180ea3531e9d7976b73e4c1d8df9dbb1e
3904
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\except-flash-digest256.vlpset
binary
MD5: c2994d388f8780c87d35c352d9582985
SHA256: 7ed09f7d2bd632f70077a4ae4f2bd2f3fb654b03cd72652f51678b0c7d027f25
3904
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\block-flash-digest256.sbstore
binary
MD5: 9f6b331aa1e070dcfeed473e76ce56c3
SHA256: 7dbbea2dd387eeb85e1f56e02fc9989acde570cd43bfef2c2a827093ba87da6d
3904
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\except-flashallow-digest256.sbstore
binary
MD5: dd0458514c9a922b45da6a8bebe47320
SHA256: d27d5b27030f4725249377951beb89e84a90a0e8241f0d5fd80ea59c1606e761
3904
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\allow-flashallow-digest256.sbstore
binary
MD5: dd0458514c9a922b45da6a8bebe47320
SHA256: d27d5b27030f4725249377951beb89e84a90a0e8241f0d5fd80ea59c1606e761
3904
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\google4\goog-phish-proto.vlpset
––
MD5:  ––
SHA256:  ––
3904
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\except-flashallow-digest256.vlpset
binary
MD5: 7194b6bff691a056852a51e2e06ce8fe
SHA256: cbe2dc6abfe25bead60f4dfaf419fc0f441ff8a8dd4a2febf5553be1cbd90c49
3904
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\block-flash-digest256.vlpset
binary
MD5: 130b9ac2beec5ada274561105d81ae36
SHA256: 7d99fec08182a5b95d18d1569edaa2c60c2aafbd15a56d8882f22f3b395e6460
3904
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\social-track-digest256.sbstore
binary
MD5: 59d2d3a9ff42621ae974078bcaabd9bc
SHA256: 7371e8534c31c4bff73e340413d77c988593a0e559418b0f2a5b34b9c82dddd2
3904
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\ads-track-digest256.vlpset
binary
MD5: 38f55098ab1772e8a7b90a05cb33cfae
SHA256: fd44a8121e20cf102d8fd79d6ee45d55ccb0d92893907091bb7587ed3b274244
3904
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\google-trackwhite-digest256.sbstore
binary
MD5: fec9bc354a7ee92c6feefe63e6b0fa26
SHA256: 258ef8e6994a09ffb54bd0d5afec97c13c31f2eefb7fe90a2a4c487c87817519
3904
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\mozstd-trackwhite-digest256.sbstore
binary
MD5: 92a93e4c81027f5788873296c6e2875b
SHA256: 4358b8f0af157cf2ef36a3a8bd152a528d32cfe98a2e0ae66207dbdb1d943efa
3904
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\social-track-digest256.vlpset
binary
MD5: e1edde17e24b61c5b26d7b76ba039463
SHA256: c2c4612b7b9545751f37b302ee345abd0f22170c7cc2497320897b385d508b7f
3904
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\analytics-track-digest256.sbstore
binary
MD5: ae706abfaecfd90d67e5c965091e004e
SHA256: 13cbf8a5389a33a562e6dd10660f68e8964313536a109aa80acfd8838bf45e73
3904
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\ads-track-digest256.sbstore
binary
MD5: a03e51212ad01cfe7eb3a87c8ce51744
SHA256: 2328a7569ab3d1e0c8638282e09860c82db28edd1c1be75caad91fc7015e966c
3904
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\mozstd-trackwhite-digest256.vlpset
binary
MD5: c8663695a49bb5fb5a301d1a7233db6c
SHA256: 498d10d381ed91be12cff65292813bcccd676176bcf614534ab7ba0e5536306e
3904
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\analytics-track-digest256.vlpset
binary
MD5: 1e1c0442f3fe16b185d5db74f0e91fce
SHA256: 43acc2d047c7988e9073ecf32ac619de0d080c45b061d441d1d671d305bb4f08
3904
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\content-track-digest256.vlpset
binary
MD5: 897401403f6a9bbc2727bf8acfa8bbaf
SHA256: 75157865105c44c1220c337aeff723e7b2e4aef506ce7db00e2621d5ceaf45b8
3904
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\mozplugin-block-digest256.vlpset
binary
MD5: fcc9c2c9b611a3264b68ebe180eb4248
SHA256: 6ecd378a537eefe350b45cfa353741383f407d99d776bf23155a7825dc5dd2bc
3904
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\content-track-digest256.sbstore
binary
MD5: 2be5027a476efb5fe011ae8257e6b428
SHA256: 26d0ef7103dbc0516add2da8029ca43567b98bda1ef8d8e4cda42f09aa9a4b36
3904
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\mozplugin-block-digest256.sbstore
binary
MD5: 519beb1b01fc355bb388f1f75be997fd
SHA256: ffe2d3077b81ae6f51b220c1c661b276c823fa67dad1d64fc5f17249fc54bdc0
3904
firefox.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal
––
MD5:  ––
SHA256:  ––
3904
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\google4\goog-malware-proto.metadata
binary
MD5: 65403d282dbaa3490c8df41c724176df
SHA256: ff7d57882044d38158c6d7ee570c7fefd092722a8adffb56040de0a37bf6cf47
3904
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\google4\goog-unwanted-proto.metadata
binary
MD5: 4ad6310cd7e11ab05505d86dba9cb04e
SHA256: 42e34f509617dc95087021123f11e0ec2b10e170b22b10e9f9b09cc502ef889d
3904
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\google4\goog-phish-proto.metadata
binary
MD5: f68417a49e51386ee49cef397a3bc4bd
SHA256: dbd9426e2340cc5524eb963b12f1608c1761dd60f4b5cb53d0bcb435612a7667
3904
firefox.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm
binary
MD5: 061e09479343d1e751ce34eb9f6c82f0
SHA256: 01a1c4a51aec963defed0dacb7a4377dee2f47891bb4ffbeb5c4d237fbfe2528
3904
firefox.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\2918063365piupsah.sqlite-wal
––
MD5:  ––
SHA256:  ––
3904
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\google4\goog-phish-proto-1.vlpset
––
MD5:  ––
SHA256:  ––
3904
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\google4\goog-badbinurl-proto.metadata
binary
MD5: e955d6961f441526736f793258b6b309
SHA256: 0fcf255af3e197272986fe94471008a9c89d0e93f7011f78453246b22bdd00f1
3904
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\google4\goog-downloadwhite-proto.metadata
binary
MD5: dc6938568b6dd7673ad033919fcbfab6
SHA256: 86f423e55f67ed58a2ead5dde02f589074f76d57919f075e52edf364616ff028
3904
firefox.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shm
binary
MD5: 709932582087d562e80d4b8d1fb40f54
SHA256: 6da74c1649d313af098397d774784eacc29a3bb8664d400005da560fbb9b3a09
3904
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\scriptCache.bin
––
MD5:  ––
SHA256:  ––
3904
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\scriptCache-new.bin
––
MD5:  ––
SHA256:  ––
3904
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\google4\goog-badbinurl-proto-1.vlpset
binary
MD5: b77ba6ff031432682c04744977c82188
SHA256: 75ba7ad2967d59d6cb17c1c434bf019e664686b14e08afb0d28d68d183423dba
3904
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\google4\goog-downloadwhite-proto-1.vlpset
binary
MD5: b0272f5cf9f56f11c856155dc5f40be1
SHA256: 74ab81a1929a8806d559a13140947f076caba52bf882364c416ef4d8e9b155f4
3904
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\google4\goog-unwanted-proto.vlpset
binary
MD5: 667c29ee5d360a46dcb89b13c9fb1802
SHA256: aef6e561b71f3511baa5133dac8df5a1f0ee821868f9b71c70d6c42d1371e15a
3904
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\google4\goog-malware-proto-1.vlpset
binary
MD5: f39cbb6f2eda75910a1e9fb89baecc22
SHA256: b8fa8e362434ec772f804afeb021fdf35546e8f06f397766e03b66e59c1a1363
3904
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\google4\goog-downloadwhite-proto.vlpset
binary
MD5: b0272f5cf9f56f11c856155dc5f40be1
SHA256: 74ab81a1929a8806d559a13140947f076caba52bf882364c416ef4d8e9b155f4
3904
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\google4\goog-badbinurl-proto.vlpset
binary
MD5: b77ba6ff031432682c04744977c82188
SHA256: 75ba7ad2967d59d6cb17c1c434bf019e664686b14e08afb0d28d68d183423dba
3904
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\google4\goog-unwanted-proto-1.vlpset
binary
MD5: 667c29ee5d360a46dcb89b13c9fb1802
SHA256: aef6e561b71f3511baa5133dac8df5a1f0ee821868f9b71c70d6c42d1371e15a
3904
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\google4\goog-malware-proto.vlpset
binary
MD5: f39cbb6f2eda75910a1e9fb89baecc22
SHA256: b8fa8e362434ec772f804afeb021fdf35546e8f06f397766e03b66e59c1a1363
3904
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\scriptCache-child.bin
binary
MD5: 4e388086be2c26be16cbe6e9e65d3d65
SHA256: bb214dc2220d62b0a428af7a02246b7ce1886e95d334918220e0ebc0ed3b6e6a
3904
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\scriptCache-child-new.bin
binary
MD5: 4e388086be2c26be16cbe6e9e65d3d65
SHA256: bb214dc2220d62b0a428af7a02246b7ce1886e95d334918220e0ebc0ed3b6e6a
3904
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\urlCache-new.bin
binary
MD5: a479565837a356457a8cf6ce1cd85390
SHA256: 9ca6b458344f3fa7f7ccc8330b84caea762e21d9cd93e56dd873d87852518fcd
3904
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\urlCache.bin
binary
MD5: a479565837a356457a8cf6ce1cd85390
SHA256: 9ca6b458344f3fa7f7ccc8330b84caea762e21d9cd93e56dd873d87852518fcd
3904
firefox.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\broadcast-listeners.json
binary
MD5: 9496f48bef11babdd49ccf2a72ac3b16
SHA256: df14636b6aae0ca3af230cb811871616b34270443cd3676969457e4ed57804b8
3904
firefox.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\broadcast-listeners.json.tmp
binary
MD5: 9496f48bef11babdd49ccf2a72ac3b16
SHA256: df14636b6aae0ca3af230cb811871616b34270443cd3676969457e4ed57804b8
3904
firefox.exe
C:\Users\admin\AppData\Local\Temp\Ransomware.Cryptowall.zip
compressed
MD5: 8710ea46c2db18965a3f13c5fb7c5be8
SHA256: 60d574055ae164cc32df9e5c9402deefa9d07e5034328d7b41457d35b7312a0e
3904
firefox.exe
C:\Users\admin\AppData\Local\Temp\mz_etilqs_ZtCUeDDseOvVzBR
mpg
MD5: f54ff81e5cf2c65040d87f6916b6a02b
SHA256: 75977f4cb220f7a783fd47fd911325490b60ffbeb206948125a9dcd923691433
3904
firefox.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\sessionstore-backups\recovery.jsonlz4.tmp
jsonlz4
MD5: 638dc0288e101eea1b77ea9fd6d9afe2
SHA256: d1b7165071ddc3661874fc853f0e196d09c9efcc702935336d3a0aebe52d351a
3904
firefox.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
––
MD5:  ––
SHA256:  ––
3904
firefox.exe
C:\Users\admin\AppData\Local\Temp\mz_etilqs_H6Hxn8Y6ITgHg3s
binary
MD5: 93c067d89ccbcd8c65e67a2eafb15a45
SHA256: 8dc061012cd392a4537c6f90ace019eb5f2cae8fad35ec298a3694da671cd63e
3904
firefox.exe
C:\Users\admin\AppData\Local\Temp\mz_etilqs_Ny4dmd1nTiZBjlr
binary
MD5: 4803116892e82c8f8dad2c5b2b42d918
SHA256: d7a0e5a9a5db316af92c0716cc782d213ef3866e422e5a8748f74019139b4669
3904
firefox.exe
C:\Users\admin\AppData\Local\Temp\mz_etilqs_rNaShhaN2sEmh6I
binary
MD5: 73e91b090a6f4af28b392ff9449a04fb
SHA256: 3ef36e586c64bf7da67b9951641ac542c415cb02a5ee8b0b60863d38e1389870
3904
firefox.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\addonStartup.json.lz4
jsonlz4
MD5: 01dae35763819ee4c2bd72553b33c337
SHA256: 674e499ccf7e955deffeb21b94c092de0a8ea1dd308c426dcf04bc84dbdfa377
3904
firefox.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.files\1
binary
MD5: b4ddf33e1dc200be3ffe7ba3a6fd9f3c
SHA256: d148685ce5590081b04dc0014a8f5b074ae16e65c5728afcfde5757896a37550
3904
firefox.exe
C:\Users\admin\AppData\Local\Temp\zS20FTwf.zip.part
compressed
MD5: 8710ea46c2db18965a3f13c5fb7c5be8
SHA256: 60d574055ae164cc32df9e5c9402deefa9d07e5034328d7b41457d35b7312a0e
3904
firefox.exe
C:\Users\admin\AppData\Local\Temp\mz_etilqs_vWEWpOj8kWLhnb4
binary
MD5: 18dc4fdc637b03efff1363a76856eb6a
SHA256: 27decefe2067660e93dcdb19f9d1d58f051c4cd715bb3b749f213620df2fecd2
3904
firefox.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\sessionstore-backups\recovery.jsonlz4
jsonlz4
MD5: 638dc0288e101eea1b77ea9fd6d9afe2
SHA256: d1b7165071ddc3661874fc853f0e196d09c9efcc702935336d3a0aebe52d351a
3904
firefox.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\addonStartup.json.lz4.tmp
jsonlz4
MD5: 01dae35763819ee4c2bd72553b33c337
SHA256: 674e499ccf7e955deffeb21b94c092de0a8ea1dd308c426dcf04bc84dbdfa377
3904
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\settings\main\ms-language-packs\asrouter.ftl.tmp
text
MD5: 3625f1dda6d119478ad89d13950c9aca
SHA256: cb40f6a8d58901d612a86690a41d4e273f24936fc926e98f82c0918cbef4fc64
3904
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\settings\main\ms-language-packs\asrouter.ftl
text
MD5: 3625f1dda6d119478ad89d13950c9aca
SHA256: cb40f6a8d58901d612a86690a41d4e273f24936fc926e98f82c0918cbef4fc64
3904
firefox.exe
C:\Users\admin\AppData\Local\Temp\mz_etilqs_ahQS2zA6bNtVyNq
binary
MD5: 5d3b0936fbcd5c9e6c4701bb7a4ca153
SHA256: 5a3c3617f4448f0b9bb62d0cd21406d3656748211d3a7b911bb2b2f927b85007
3904
firefox.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\places.sqlite-wal
sqlite-wal
MD5: 539ff2080730e4e5f41876a3cacabd2b
SHA256: ed3c85e8c4c1a750ca863e93d66757c90db9d424a3420717d1b67b82c2d9ad3e
3904
firefox.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shm
binary
MD5: b7c14ec6110fa820ca6b65f5aec85911
SHA256: fd4c9fda9cd3f9ae7c962b0ddf37232294d55580e1aa165aa06129b8549389eb
3904
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\scriptCache-current.bin
––
MD5:  ––
SHA256:  ––
3904
firefox.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-shm
binary
MD5: b7c14ec6110fa820ca6b65f5aec85911
SHA256: fd4c9fda9cd3f9ae7c962b0ddf37232294d55580e1aa165aa06129b8549389eb
3904
firefox.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shm
binary
MD5: b7c14ec6110fa820ca6b65f5aec85911
SHA256: fd4c9fda9cd3f9ae7c962b0ddf37232294d55580e1aa165aa06129b8549389eb
3904
firefox.exe
C:\Users\admin\AppData\Local\Temp\mz_etilqs_hYpRifUULnavPMG
binary
MD5: 33ea878f52612bc48470bd6a19770b4d
SHA256: cb7fb6ca811dc7872f2feddfa43cad4eb87bb7dc20e1ca98f53cca0555bae88e
3904
firefox.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\search.json.mozlz4
jsonlz4
MD5: b17f8d93b0c43d6b72dc03752c20a2d9
SHA256: ada0f70d374223fb63c2f19471fab45d986a681e2485692e63f00f5071f19d76
3904
firefox.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\search.json.mozlz4.tmp
jsonlz4
MD5: b17f8d93b0c43d6b72dc03752c20a2d9
SHA256: ada0f70d374223fb63c2f19471fab45d986a681e2485692e63f00f5071f19d76
3904
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\urlCache-current.bin
binary
MD5: 994a33896bb41a278a315d0d796422b6
SHA256: 54ec50a20fff8cc016710e49437cf6a11d3fe5ee7b28c185e4a9aafee2908b63

Find more information about the static content and download it in the full report

Network activity

HTTP(S) requests
21
TCP/UDP connections
62
DNS requests
70
Threats
19

HTTP requests

PID Process Method HTTP Code IP URL CN Type Size Reputation
3904 firefox.exe POST 200 93.184.220.29:80 http://ocsp.digicert.com/ US
binary
der
shared
3904 firefox.exe POST 200 93.184.220.29:80 http://ocsp.digicert.com/ US
binary
der
shared
3904 firefox.exe POST 200 93.184.220.29:80 http://ocsp.digicert.com/ US
binary
der
shared
3904 firefox.exe GET 200 34.107.221.82:80 http://detectportal.firefox.com/success.txt US
text
shared
3904 firefox.exe POST 200 142.250.185.195:80 http://ocsp.pki.goog/gts1c3 US
binary
der
shared
3904 firefox.exe GET 200 34.107.221.82:80 http://detectportal.firefox.com/success.txt?ipv4 US
text
shared
3904 firefox.exe POST 200 142.250.185.195:80 http://ocsp.pki.goog/gts1c3 US
binary
der
shared
3904 firefox.exe POST 200 93.184.220.29:80 http://ocsp.digicert.com/ US
binary
der
shared
508 svchost.exe GET 308 188.165.164.184:80 http://ip-addr.es/ FR
html
shared
508 svchost.exe GET 302 34.117.59.81:80 http://myexternalip.com/raw US
text
shared
508 svchost.exe GET 200 8.253.204.249:80 http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?983ea9d901c8d362 US
compressed
whitelisted
508 svchost.exe GET 200 142.250.185.195:80 http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIAjrICMzZli2TN25s%3D US
der
shared
508 svchost.exe GET 200 142.250.185.195:80 http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D US
der
shared
508 svchost.exe GET 200 142.250.185.195:80 http://ocsp.pki.goog/gts1d4/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBSMBFDqU0NJQdZdEGU3bkhj0FoRrQQUJeIYDrJXkZQq5dRdhpCD3lOzuJICEQDiOJGRlIYAiAoAAAABKkNX US
der
shared
508 svchost.exe POST –– 94.247.31.19:8080 http://proxy1-1-1.i2p/3w4hxy7uoq0lv7 ES
text
––
––
malicious
508 svchost.exe POST –– 94.247.31.19:8080 http://proxy2-2-2.i2p/3w4hxy7uoq0lv7 ES
text
––
––
malicious
508 svchost.exe GET 308 188.165.164.184:80 http://ip-addr.es/ FR
html
shared
508 svchost.exe GET 302 34.117.59.81:80 http://myexternalip.com/raw US
text
shared
508 svchost.exe GET –– 184.106.112.172:80 http://curlmyip.com/ US
––
––
malicious
508 svchost.exe POST –– 94.247.31.19:8080 http://proxy1-1-1.i2p/wtobdk0a3e1izo ES
text
––
––
malicious
508 svchost.exe POST –– 94.247.31.19:8080 http://proxy2-2-2.i2p/wtobdk0a3e1izo ES
text
––
––
malicious

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID Process IP ASN CN Reputation
3904 firefox.exe 35.163.137.0:443 Amazon.com, Inc. US unknown
3904 firefox.exe 140.82.121.4:443 US malicious
3904 firefox.exe 44.239.15.106:443 University of California, San Diego US unknown
3904 firefox.exe 13.32.121.113:443 Amazon.com, Inc. US unknown
3904 firefox.exe 13.32.121.84:443 Amazon.com, Inc. US unknown
3904 firefox.exe 13.32.121.7:443 Amazon.com, Inc. US unknown
3904 firefox.exe 142.250.185.195:80 Google Inc. US whitelisted
3904 firefox.exe 142.250.74.202:443 Google Inc. US whitelisted
3904 firefox.exe 185.199.108.133:443 GitHub, Inc. NL malicious
3904 firefox.exe 13.32.121.15:443 Amazon.com, Inc. US suspicious
3904 firefox.exe 34.107.221.82:80 US whitelisted
3904 firefox.exe 142.250.185.110:443 Google Inc. US whitelisted
3904 firefox.exe 52.89.81.52:443 Amazon.com, Inc. US unknown
3904 firefox.exe 93.184.220.29:80 MCI Communications Services, Inc. d/b/a Verizon Business US whitelisted
3904 firefox.exe 18.66.97.89:443 Massachusetts Institute of Technology US suspicious
3904 firefox.exe 13.32.121.96:443 Amazon.com, Inc. US unknown
508 svchost.exe 8.253.204.249:80 Global Crossing US suspicious
508 svchost.exe 142.250.185.195:80 Google Inc. US whitelisted
508 svchost.exe 94.247.28.156:8081 ELB Multimedia SARL FR suspicious
508 svchost.exe 188.165.164.184:80 OVH SAS FR suspicious
508 svchost.exe 34.117.59.81:80 US malicious
508 svchost.exe 34.117.59.81:443 US malicious
508 svchost.exe 184.106.112.172:80 Rackspace Ltd. US suspicious
508 svchost.exe 94.247.31.19:8080 ELB Multimedia SARL ES malicious

DNS requests

Domain | IP(s) | Reputation
prod.detectportal.prod.cloudops.mozgcp.net | 2600:1901:0:38d7::, 34.107.221.82 | shared
github.com | 140.82.121.4 | shared
locprod2-elb-us-west-2.prod.mozaws.net | 52.89.115.53, 52.11.104.45, 52.26.7.9, 52.42.77.140, 35.163.35.154, 35.163.137.0 | shared
location.services.mozilla.com | 35.163.137.0, 35.163.35.154, 52.42.77.140, 52.26.7.9, 52.11.104.45, 52.89.115.53 | shared
cs9.wac.phicdn.net | 93.184.220.29 | shared
firefox.settings.services.mozilla.com | 13.32.121.7, 13.32.121.6, 13.32.121.96, 13.32.121.70 | shared
ocsp.digicert.com | 93.184.220.29 | shared
safebrowsing.googleapis.com | 142.250.74.202, 2a00:1450:4001:811::200a | shared
autopush.prod.mozaws.net | 44.239.15.106 | whitelisted
push.services.mozilla.com | 44.239.15.106 | shared
raw.githubusercontent.com | 185.199.108.133, 185.199.111.133, 185.199.110.133, 185.199.109.133 | shared
content-signature-2.cdn.mozilla.net | 13.32.121.113, 13.32.121.118, 13.32.121.107, 13.32.121.127 | shared
d2nxq2uap88usk.cloudfront.net | 2600:9000:236e:1a00:a:da5e:7900:93a1, 2600:9000:236e:c800:a:da5e:7900:93a1, 2600:9000:236e:2600:a:da5e:7900:93a1, 2600:9000:236e:2400:a:da5e:7900:93a1, 2600:9000:236e:5600:a:da5e:7900:93a1, 2600:9000:236e:ea00:a:da5e:7900:93a1, 2600:9000:236e:7000:a:da5e:7900:93a1, 2600:9000:2240:6600:a:da5e:7900:93a1, 13.32.121.127, 13.32.121.107, 13.32.121.118, 13.32.121.113 | shared
firefox-settings-attachments.cdn.mozilla.net | 13.32.121.84, 13.32.121.5, 13.32.121.102, 13.32.121.24 | shared
fennec-catalog-cdn.prod.mozaws.net | 13.32.121.24, 13.32.121.102, 13.32.121.5, 13.32.121.84 | shared
snippets.cdn.mozilla.net | 13.32.121.15, 13.32.121.49, 13.32.121.112, 13.32.121.85 | shared
d228z91au11ukj.cloudfront.net | 13.32.121.85, 13.32.121.112, 13.32.121.49, 13.32.121.15 | whitelisted
ipv4only.arpa | 192.0.0.170, 192.0.0.171 | whitelisted
example.org | 93.184.216.34 | shared
detectportal.firefox.com | 34.107.221.82 | shared
ocsp.pki.goog | 142.250.185.195 | shared
pki-goog.l.google.com | 2a00:1450:4001:812::2003, 142.250.185.195 | whitelisted
www.facebook.com | 157.240.27.35 | shared
www.ebay.de | 2.18.234.244 | shared
star-mini.c10r.facebook.com | 157.240.27.35, 2a03:2880:f107:83:face:b00c:0:25de | whitelisted
www.youtube.com | 216.58.212.174, 142.250.186.46, 142.250.186.78, 142.250.186.110, 142.250.186.142, 142.250.186.174, 142.250.184.206, 142.250.184.238, 216.58.212.142, 142.250.185.78, 142.250.185.110, 142.250.185.142, 142.250.185.174, 142.250.185.206, 142.250.185.238, 172.217.18.110 | shared
e11847.a.akamaiedge.net | 2.18.234.244 | whitelisted
youtube-ui.l.google.com | 2a00:1450:4001:802::200e, 2a00:1450:4001:827::200e, 2a00:1450:4001:828::200e, 2a00:1450:4001:829::200e, 172.217.18.110, 142.250.185.238, 142.250.185.206, 142.250.185.174, 142.250.185.142, 142.250.185.110, 142.250.185.78, 216.58.212.142, 142.250.184.238, 142.250.184.206, 142.250.186.174, 142.250.186.142, 142.250.186.110, 142.250.186.78, 142.250.186.46, 216.58.212.174 | whitelisted
www.wikipedia.org | 91.198.174.192 | shared
www.reddit.com | 151.101.1.140, 151.101.65.140, 151.101.129.140, 151.101.193.140 | whitelisted
dyna.wikimedia.org | 91.198.174.192, 2620:0:862:ed1a::1 | shared
reddit.map.fastly.net | 151.101.193.140, 151.101.129.140, 151.101.65.140, 151.101.1.140 | whitelisted
sb-ssl.google.com | 142.250.185.110 | whitelisted
sb-ssl.l.google.com | 2a00:1450:4001:80f::200e, 142.250.185.110 | whitelisted
shavar.services.mozilla.com | 52.89.81.52, 34.213.195.39, 34.211.175.209, 34.216.66.163, 54.190.2.244, 34.217.152.155 | shared
shavar.prod.mozaws.net | 34.217.152.155, 54.190.2.244, 34.216.66.163, 34.211.175.209, 34.213.195.39, 52.89.81.52 | shared
d1zkz3k4cclnv6.cloudfront.net | 18.66.97.19, 18.66.97.122, 18.66.97.117, 18.66.97.89 | shared
tracking-protection.cdn.mozilla.net | 18.66.97.89, 18.66.97.117, 18.66.97.122, 18.66.97.19 | shared
ip-addr.es | 188.165.164.184 | shared
myexternalip.com | 34.117.59.81 | shared
ctldl.windowsupdate.com | 8.253.204.249, 67.27.158.254, 67.27.234.126, 8.253.204.120, 8.253.95.249 | whitelisted
curlmyip.com | 184.106.112.172 | malicious

Threats

PID Process Class Message
3904 firefox.exe Potentially Bad Traffic ET INFO Terse Request for .txt - Likely Hostile
3904 firefox.exe Potentially Bad Traffic ET INFO Terse Request for .txt - Likely Hostile
508 svchost.exe A Network Trojan was detected ET POLICY Possible IP Check ip-addr.es
508 svchost.exe Potential Corporate Privacy Violation ET POLICY External IP Check myexternalip.com
508 svchost.exe Potential Corporate Privacy Violation ET POLICY IP Check Domain (myexternalip .com in TLS SNI)
508 svchost.exe A Network Trojan was detected ET TROJAN CryptoWall Check-in
508 svchost.exe A Network Trojan was detected ET TROJAN CryptoWall CryptoWall 3.0 Check-in
508 svchost.exe A Network Trojan was detected ET TROJAN CryptoWall Check-in
508 svchost.exe A Network Trojan was detected ET TROJAN CryptoWall CryptoWall 3.0 Check-in
508 svchost.exe A Network Trojan was detected ET POLICY Possible IP Check ip-addr.es
508 svchost.exe Potential Corporate Privacy Violation ET POLICY External IP Check myexternalip.com
508 svchost.exe Potential Corporate Privacy Violation ET POLICY IP Check Domain (myexternalip .com in TLS SNI)
508 svchost.exe A Network Trojan was detected ET POLICY Possible IP Check curlmyip.com
508 svchost.exe A Network Trojan was detected ET TROJAN CryptoWall Check-in
508 svchost.exe A Network Trojan was detected ET TROJAN CryptoWall CryptoWall 3.0 Check-in
508 svchost.exe A Network Trojan was detected ET TROJAN CryptoWall Check-in
508 svchost.exe A Network Trojan was detected ET TROJAN CryptoWall CryptoWall 3.0 Check-in

2 ETPRO signatures available at the full report

Debug output strings

No debug info.