hxxp://github[.]com/TheDarkMythos/windows-malware

Resubmissions

27-06-2024 16:53

240627-vd7eeasgpq 8

27-06-2024 16:46

240627-t9xz6ssfjn 8

Analysis

max time kernel
142s
max time network
387s
platform
windows10-2004_x64
resource
win10v2004-20240611-de
resource tags

arch:x64arch:x86image:win10v2004-20240611-delocale:de-deos:windows10-2004-x64systemwindows
submitted
27-06-2024 16:46

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

http://github.com/TheDarkMythos/windows-malware

Score

8^/10

discovery exploit persistence privilege_escalation

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 14 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

Processes:

INSTALLER.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeINSTALLER.exeexplorer.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\software\WOW6432Node\microsoft\Active Setup\Installed Components	INSTALLER.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\MACHINE\software\WOW6432Node\microsoft\Active Setup\Installed Components	INSTALLER.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Downloads MZ/PE file
Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010
Possible privilege escalation attempt 2 IoCs
exploit

Processes:

takeown.exeicacls.exe

pid process

5364 takeown.exe
5380 icacls.exe
Executes dropped EXE 5 IoCs

Processes:

Bonzify.exeINSTALLER.exeAgentSvr.exeINSTALLER.exeAgentSvr.exe

pid process

5188 Bonzify.exe
4840 INSTALLER.exe
4056 AgentSvr.exe
4316 INSTALLER.exe
5352 AgentSvr.exe

pid	process
5364	takeown.exe
5380	icacls.exe

pid	process
5188	Bonzify.exe
4840	INSTALLER.exe
4056	AgentSvr.exe
4316	INSTALLER.exe
5352	AgentSvr.exe

Loads dropped DLL 16 IoCs

Processes:

INSTALLER.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeINSTALLER.exeregsvr32.exeregsvr32.exeBonzify.exeAgentSvr.exe

pid	process
4840	INSTALLER.exe
5460	regsvr32.exe
2624	regsvr32.exe
5492	regsvr32.exe
4252	regsvr32.exe
5532	regsvr32.exe
5552	regsvr32.exe
3064	regsvr32.exe
4316	INSTALLER.exe
6076	regsvr32.exe
6076	regsvr32.exe
4628	regsvr32.exe
5188	Bonzify.exe
5352	AgentSvr.exe
5352	AgentSvr.exe
5352	AgentSvr.exe

Modifies file permissions 1 TTPs 2 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exetakeown.exe

pid process

5380 icacls.exe
5364 takeown.exe

pid	process
5380	icacls.exe
5364	takeown.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

INSTALLER.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tv_enua = "RunDll32 advpack.dll,LaunchINFSection C:\\Windows\\INF\\tv_enua.inf, RemoveCabinet"	INSTALLER.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

explorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exe

description	ioc	process
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service
T1102

Processes:

flow ioc

104 raw.githubusercontent.com
105 raw.githubusercontent.com
106 raw.githubusercontent.com
107 raw.githubusercontent.com

flow	ioc
104	raw.githubusercontent.com
105	raw.githubusercontent.com
106	raw.githubusercontent.com
107	raw.githubusercontent.com

Drops file in System32 directory 3 IoCs

Processes:

INSTALLER.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\SET80B9.tmp	INSTALLER.exe
File created	C:\Windows\SysWOW64\SET80B9.tmp	INSTALLER.exe
File opened for modification	C:\Windows\SysWOW64\msvcp50.dll	INSTALLER.exe

Drops file in Windows directory 64 IoCs

Processes:

INSTALLER.exeINSTALLER.exeexplorer.exe

description	ioc	process
File created	C:\Windows\msagent\SET7E48.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\AgentAnm.dll	INSTALLER.exe
File opened for modification	C:\Windows\INF\SET7E5B.tmp	INSTALLER.exe
File created	C:\Windows\msagent\intl\SET7E6D.tmp	INSTALLER.exe
File opened for modification	C:\Windows\lhsp\tv\tv_enua.dll	INSTALLER.exe
File opened for modification	C:\Windows\fonts\SET80B7.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\AgentSvr.exe	INSTALLER.exe
File opened for modification	C:\Windows\msagent\SET7E48.tmp	INSTALLER.exe
File opened for modification	C:\Windows\INF\compositebus.PNF	explorer.exe
File opened for modification	C:\Windows\INF\rdpbus.PNF	explorer.exe
File created	C:\Windows\fonts\SET80B7.tmp	INSTALLER.exe
File opened for modification	C:\Windows\INF\volmgr.PNF	explorer.exe
File opened for modification	C:\Windows\INF\pci.PNF	explorer.exe
File opened for modification	C:\Windows\msagent\AgentDPv.dll	INSTALLER.exe
File opened for modification	C:\Windows\help\SET7E5D.tmp	INSTALLER.exe
File opened for modification	C:\Windows\fonts\andmoipa.ttf	INSTALLER.exe
File created	C:\Windows\INF\SET80B8.tmp	INSTALLER.exe
File opened for modification	C:\Windows\INF\volume.PNF	explorer.exe
File opened for modification	C:\Windows\msagent\SET7E59.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\AgtCtl15.tlb	INSTALLER.exe
File created	C:\Windows\msagent\SET7E5C.tmp	INSTALLER.exe
File opened for modification	C:\Windows\lhsp\help\SET80A7.tmp	INSTALLER.exe
File opened for modification	C:\Windows\INF\vdrvroot.PNF	explorer.exe
File created	C:\Windows\msagent\SET7E45.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\SET7E46.tmp	INSTALLER.exe
File opened for modification	C:\Windows\INF\msmouse.PNF	explorer.exe
File opened for modification	C:\Windows\msagent\AgentDp2.dll	INSTALLER.exe
File opened for modification	C:\Windows\msagent\AgentPsh.dll	INSTALLER.exe
File created	C:\Windows\msagent\SET7E46.tmp	INSTALLER.exe
File created	C:\Windows\help\SET7E5D.tmp	INSTALLER.exe
File opened for modification	C:\Windows\INF\input.PNF	explorer.exe
File opened for modification	C:\Windows\INF\umbus.PNF	explorer.exe
File opened for modification	C:\Windows\msagent\SET7E44.tmp	INSTALLER.exe
File created	C:\Windows\msagent\SET7E44.tmp	INSTALLER.exe
File opened for modification	C:\Windows\lhsp\help\tv_enua.hlp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\SET7E5C.tmp	INSTALLER.exe
File created	C:\Windows\msagent\SET7E6E.tmp	INSTALLER.exe
File opened for modification	C:\Windows\lhsp\tv\tvenuax.dll	INSTALLER.exe
File opened for modification	C:\Windows\INF\monitor.PNF	explorer.exe
File opened for modification	C:\Windows\INF\hdaudbus.PNF	explorer.exe
File created	C:\Windows\INF\SET7E5B.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\mslwvtts.dll	INSTALLER.exe
File opened for modification	C:\Windows\lhsp\tv\SET80A6.tmp	INSTALLER.exe
File created	C:\Windows\lhsp\tv\SET80A6.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\SET7E43.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\intl\SET7E6D.tmp	INSTALLER.exe
File opened for modification	C:\Windows\INF\cdrom.PNF	explorer.exe
File opened for modification	C:\Windows\INF\acpi.PNF	explorer.exe
File opened for modification	C:\Windows\INF\hdaudio.PNF	explorer.exe
File opened for modification	C:\Windows\INF\vhdmp.PNF	explorer.exe
File opened for modification	C:\Windows\msagent\AgentMPx.dll	INSTALLER.exe
File created	C:\Windows\lhsp\tv\SET8095.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\SET7E5A.tmp	INSTALLER.exe
File opened for modification	C:\Windows\help\Agt0409.hlp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\intl\Agt0409.dll	INSTALLER.exe
File opened for modification	C:\Windows\lhsp\tv\SET8095.tmp	INSTALLER.exe
File opened for modification	C:\Windows\INF\tv_enua.inf	INSTALLER.exe
File opened for modification	C:\Windows\INF\mssmbios.PNF	explorer.exe
File opened for modification	C:\Windows\msagent\AgentCtl.dll	INSTALLER.exe
File opened for modification	C:\Windows\msagent\SET7E47.tmp	INSTALLER.exe
File opened for modification	C:\Windows\INF\mshdc.PNF	explorer.exe
File opened for modification	C:\Windows\INF\swenum.PNF	explorer.exe
File opened for modification	C:\Windows\msagent\SET7E45.tmp	INSTALLER.exe
File created	C:\Windows\msagent\SET7E5A.tmp	INSTALLER.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3240 6840 WerFault.exe taskkill.exe
5936 4064 WerFault.exe 000.exe

pid	pid_target	process	target process
3240	6840	WerFault.exe	taskkill.exe
5936	4064	WerFault.exe	000.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

explorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe

Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

6728 taskkill.exe
5328 taskkill.exe
6840 taskkill.exe

pid	process
6728	taskkill.exe
5328	taskkill.exe
6840	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 18 IoCs

adware spyware

Modify Registry

T1112

Processes:

SearchApp.exeexplorer.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 64 IoCs

Processes:

AgentSvr.exeSearchApp.exeregsvr32.exeregsvr32.exeSearchApp.exeexplorer.exeexplorer.exeexplorer.exeregsvr32.exeexplorer.exeSearchApp.exeregsvr32.exeStartMenuExperienceHost.exeregsvr32.exeexplorer.exeStartMenuExperienceHost.exeSearchApp.exeSearchApp.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A7B93C89-7B81-11D0-AC5F-00C04FD97575}\TypeLib\Version = "2.0"	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A7B93CA0-7B81-11D0-AC5F-00C04FD97575}\ = "IAgentAudioOutputPropertiesEx"	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A7B93CA0-7B81-11D0-AC5F-00C04FD97575}\TypeLib\Version = "2.0"	AgentSvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D7A6D440-8872-11D1-9EC6-00C04FD7081F}	AgentSvr.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5BE8BD2-7DE6-11D0-91FE-00C04FD701A5}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D45FD301-5C6E-11D1-9EC1-00C04FD7081F}\ = "Microsoft Agent Flat File Provider 2.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D45FD2FC-5C6E-11D1-9EC1-00C04FD7081F}\ProgID	AgentSvr.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A7B93C8B-7B81-11D0-AC5F-00C04FD97575}\ProxyStubClsid32	AgentSvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B0913410-3B44-11D1-ACBA-00C04FD97575}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C4ABF875-8100-11D0-AC63-00C04FD97575}\TypeLib\Version = "2.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5BE8BD1-7DE6-11D0-91FE-00C04FD701A5}\TypeLib\ = "{F5BE8BC2-7DE6-11D0-91FE-00C04FD701A5}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F5BE8BC2-7DE6-11D0-91FE-00C04FD701A5}\1.5\0\win32\ = "C:\\Windows\\msagent\\AgtCtl15.tlb"	AgentSvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B0913412-3B44-11D1-ACBA-00C04FD97575}\TypeLib	AgentSvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A7B93C89-7B81-11D0-AC5F-00C04FD97575}	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B0913410-3B44-11D1-ACBA-00C04FD97575}\TypeLib\Version = "2.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A7B93C85-7B81-11D0-AC5F-00C04FD97575}\TypeLib\ = "{A7B93C73-7B81-11D0-AC5F-00C04FD97575}"	AgentSvr.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A7B93C8B-7B81-11D0-AC5F-00C04FD97575}\TypeLib\Version = "2.0"	AgentSvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A7B93C8D-7B81-11D0-AC5F-00C04FD97575}\ProxyStubClsid32	AgentSvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D6589123-FC70-11D0-AC94-00C04FD97575}\2.0	AgentSvr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6D0ECB23-9968-11D0-AC6E-00C04FD97575}\TypeLib	AgentSvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D6589121-FC70-11D0-AC94-00C04FD97575}	AgentSvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B8F2846E-CE36-11D0-AC83-00C04FD97575}\MiscStatus\1	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D45FD31D-5C6E-11D1-9EC1-00C04FD7081F}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Agent.Server.2\CLSID\ = "{D45FD2FC-5C6E-11D1-9EC1-00C04FD7081F}"	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A7B93C8B-7B81-11D0-AC5F-00C04FD97575}\TypeLib\ = "{A7B93C73-7B81-11D0-AC5F-00C04FD97575}"	AgentSvr.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D45FD31B-5C6E-11D1-9EC1-00C04FD7081F}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A7B93C87-7B81-11D0-AC5F-00C04FD97575}\TypeLib\Version = "2.0"	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A7B93C80-7B81-11D0-AC5F-00C04FD97575}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	AgentSvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{08C75162-3C9C-11D1-91FE-00C04FD701A5}	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D6589123-FC70-11D0-AC94-00C04FD97575}\2.0\0\win32\ = "C:\\Windows\\msagent\\AgentSvr.exe\\2"	AgentSvr.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5BE8BD9-7DE6-11D0-91FE-00C04FD701A5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C4ABF875-8100-11D0-AC63-00C04FD97575}\ = "IAgentCtlUserInput"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.acs\ = "Agent.Character2.2"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D45FD31B-5C6E-11D1-9EC1-00C04FD7081F}\Version	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB64DF2F-88E4-11D0-9E87-00C04FD7081F}\ = "Microsoft Agent DocFile Provider 1.5"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{822DB1C0-8879-11D1-9EC6-00C04FD7081F}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5BE8BD4-7DE6-11D0-91FE-00C04FD701A5}\TypeLib\ = "{F5BE8BC2-7DE6-11D0-91FE-00C04FD701A5}"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A7B93C8F-7B81-11D0-AC5F-00C04FD97575}\TypeLib	AgentSvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{08C75162-3C9C-11D1-91FE-00C04FD701A5}\TypeLib\Version = "2.0"	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D45FD301-5C6E-11D1-9EC1-00C04FD7081F}\InprocServer32\ = "C:\\Windows\\msagent\\AgentDP2.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Agent.Server\ = "Microsoft Agent Server 2.0"	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A7B93C80-7B81-11D0-AC5F-00C04FD97575}\TypeLib\Version = "2.0"	AgentSvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D45FD300-5C6E-11D1-9EC1-00C04FD7081F}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DE8EF600-2F82-11D1-ACAC-00C04FD97575}\ = "IAgentCtlCharacterEx"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.acf	regsvr32.exe

NTFS ADS 2 IoCs

Processes:

firefox.exe

description ioc process

File created C:\Users\Admin\Downloads\000.exe:Zone.Identifier firefox.exe
File created C:\Users\Admin\Downloads\Bonzify.exe:Zone.Identifier firefox.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Bonzify.exe

pid process

5188 Bonzify.exe
5188 Bonzify.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

4852 explorer.exe

description	ioc	process
File created	C:\Users\Admin\Downloads\000.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Bonzify.exe:Zone.Identifier	firefox.exe

pid	process
5188	Bonzify.exe
5188	Bonzify.exe

pid	process
4852	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

firefox.exetaskkill.exeAgentSvr.exeAUDIODG.EXEexplorer.exeexplorer.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	3544	firefox.exe
Token: SeDebugPrivilege	3544	firefox.exe
Token: SeDebugPrivilege	5328	taskkill.exe
Token: 33	5352	AgentSvr.exe
Token: SeIncBasePriorityPrivilege	5352	AgentSvr.exe
Token: 33	5328	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5328	AUDIODG.EXE
Token: SeShutdownPrivilege	536	explorer.exe
Token: SeCreatePagefilePrivilege	536	explorer.exe
Token: SeShutdownPrivilege	536	explorer.exe
Token: SeCreatePagefilePrivilege	536	explorer.exe
Token: SeShutdownPrivilege	536	explorer.exe
Token: SeCreatePagefilePrivilege	536	explorer.exe
Token: SeShutdownPrivilege	536	explorer.exe
Token: SeCreatePagefilePrivilege	536	explorer.exe
Token: SeShutdownPrivilege	536	explorer.exe
Token: SeCreatePagefilePrivilege	536	explorer.exe
Token: SeShutdownPrivilege	536	explorer.exe
Token: SeCreatePagefilePrivilege	536	explorer.exe
Token: SeShutdownPrivilege	536	explorer.exe
Token: SeCreatePagefilePrivilege	536	explorer.exe
Token: SeShutdownPrivilege	536	explorer.exe
Token: SeCreatePagefilePrivilege	536	explorer.exe
Token: SeShutdownPrivilege	536	explorer.exe
Token: SeCreatePagefilePrivilege	536	explorer.exe
Token: SeShutdownPrivilege	5404	explorer.exe
Token: SeCreatePagefilePrivilege	5404	explorer.exe
Token: SeShutdownPrivilege	5404	explorer.exe
Token: SeCreatePagefilePrivilege	5404	explorer.exe
Token: SeShutdownPrivilege	5404	explorer.exe
Token: SeCreatePagefilePrivilege	5404	explorer.exe
Token: SeShutdownPrivilege	5404	explorer.exe
Token: SeCreatePagefilePrivilege	5404	explorer.exe
Token: SeShutdownPrivilege	5404	explorer.exe
Token: SeCreatePagefilePrivilege	5404	explorer.exe
Token: SeShutdownPrivilege	5404	explorer.exe
Token: SeCreatePagefilePrivilege	5404	explorer.exe
Token: SeShutdownPrivilege	5404	explorer.exe
Token: SeCreatePagefilePrivilege	5404	explorer.exe
Token: SeShutdownPrivilege	5404	explorer.exe
Token: SeCreatePagefilePrivilege	5404	explorer.exe
Token: SeShutdownPrivilege	5404	explorer.exe
Token: SeCreatePagefilePrivilege	5404	explorer.exe
Token: SeShutdownPrivilege	4212	explorer.exe
Token: SeCreatePagefilePrivilege	4212	explorer.exe
Token: SeShutdownPrivilege	4212	explorer.exe
Token: SeCreatePagefilePrivilege	4212	explorer.exe
Token: SeShutdownPrivilege	4212	explorer.exe
Token: SeCreatePagefilePrivilege	4212	explorer.exe
Token: SeShutdownPrivilege	4212	explorer.exe
Token: SeCreatePagefilePrivilege	4212	explorer.exe
Token: SeShutdownPrivilege	4212	explorer.exe
Token: SeCreatePagefilePrivilege	4212	explorer.exe
Token: SeShutdownPrivilege	4212	explorer.exe
Token: SeCreatePagefilePrivilege	4212	explorer.exe
Token: SeShutdownPrivilege	4212	explorer.exe
Token: SeCreatePagefilePrivilege	4212	explorer.exe
Token: SeShutdownPrivilege	4212	explorer.exe
Token: SeCreatePagefilePrivilege	4212	explorer.exe
Token: SeShutdownPrivilege	4212	explorer.exe
Token: SeCreatePagefilePrivilege	4212	explorer.exe
Token: SeShutdownPrivilege	4212	explorer.exe
Token: SeCreatePagefilePrivilege	4212	explorer.exe
Token: SeShutdownPrivilege	4212	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

firefox.exeAgentSvr.exeexplorer.exeexplorer.exeexplorer.exe

pid	process
3544	firefox.exe
3544	firefox.exe
3544	firefox.exe
3544	firefox.exe
5352	AgentSvr.exe
5352	AgentSvr.exe
536	explorer.exe
536	explorer.exe
536	explorer.exe
536	explorer.exe
536	explorer.exe
536	explorer.exe
536	explorer.exe
536	explorer.exe
536	explorer.exe
536	explorer.exe
536	explorer.exe
536	explorer.exe
536	explorer.exe
536	explorer.exe
536	explorer.exe
536	explorer.exe
536	explorer.exe
5404	explorer.exe
5404	explorer.exe
5404	explorer.exe
5404	explorer.exe
5404	explorer.exe
5404	explorer.exe
5404	explorer.exe
5404	explorer.exe
5404	explorer.exe
5404	explorer.exe
5404	explorer.exe
5404	explorer.exe
5404	explorer.exe
5404	explorer.exe
5404	explorer.exe
5404	explorer.exe
4212	explorer.exe
4212	explorer.exe
4212	explorer.exe
4212	explorer.exe
4212	explorer.exe
4212	explorer.exe
4212	explorer.exe
4212	explorer.exe
4212	explorer.exe
4212	explorer.exe
4212	explorer.exe
4212	explorer.exe
4212	explorer.exe
4212	explorer.exe
4212	explorer.exe
4212	explorer.exe
4212	explorer.exe
4212	explorer.exe
4212	explorer.exe
4212	explorer.exe
4212	explorer.exe
4212	explorer.exe
4212	explorer.exe
4212	explorer.exe
4212	explorer.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

firefox.exeAgentSvr.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exe

pid	process
3544	firefox.exe
3544	firefox.exe
3544	firefox.exe
5352	AgentSvr.exe
5352	AgentSvr.exe
536	explorer.exe
536	explorer.exe
536	explorer.exe
536	explorer.exe
536	explorer.exe
536	explorer.exe
536	explorer.exe
536	explorer.exe
536	explorer.exe
536	explorer.exe
536	explorer.exe
5404	explorer.exe
5404	explorer.exe
5404	explorer.exe
5404	explorer.exe
5404	explorer.exe
5404	explorer.exe
5404	explorer.exe
5404	explorer.exe
5404	explorer.exe
5404	explorer.exe
5404	explorer.exe
4212	explorer.exe
4212	explorer.exe
4212	explorer.exe
4212	explorer.exe
4212	explorer.exe
4212	explorer.exe
4212	explorer.exe
4212	explorer.exe
4212	explorer.exe
4212	explorer.exe
4212	explorer.exe
4212	explorer.exe
4212	explorer.exe
4212	explorer.exe
4212	explorer.exe
4212	explorer.exe
5352	AgentSvr.exe
4212	explorer.exe
4212	explorer.exe
4212	explorer.exe
4212	explorer.exe
4212	explorer.exe
4212	explorer.exe
4212	explorer.exe
4212	explorer.exe
5408	explorer.exe
5408	explorer.exe
5408	explorer.exe
5408	explorer.exe
5408	explorer.exe
5408	explorer.exe
5408	explorer.exe
5408	explorer.exe
5408	explorer.exe
5408	explorer.exe
5408	explorer.exe
5408	explorer.exe

Suspicious use of SetWindowsHookEx 35 IoCs

Processes:

firefox.exeBonzify.exeINSTALLER.exeAgentSvr.exeINSTALLER.exeAgentSvr.exeStartMenuExperienceHost.exeSearchApp.exeStartMenuExperienceHost.exeStartMenuExperienceHost.exeSearchApp.exeStartMenuExperienceHost.exeSearchApp.exeStartMenuExperienceHost.exeSearchApp.exeexplorer.exeStartMenuExperienceHost.exeStartMenuExperienceHost.exeSearchApp.exeStartMenuExperienceHost.exeStartMenuExperienceHost.exeSearchApp.exeStartMenuExperienceHost.exeSearchApp.exeStartMenuExperienceHost.exeSearchApp.exeStartMenuExperienceHost.exeSearchApp.exe

pid	process
3544	firefox.exe
3544	firefox.exe
3544	firefox.exe
3544	firefox.exe
3544	firefox.exe
3544	firefox.exe
3544	firefox.exe
5188	Bonzify.exe
4840	INSTALLER.exe
4056	AgentSvr.exe
4316	INSTALLER.exe
5352	AgentSvr.exe
5220	StartMenuExperienceHost.exe
6052	SearchApp.exe
3980	StartMenuExperienceHost.exe
6132	StartMenuExperienceHost.exe
5760	SearchApp.exe
5924	StartMenuExperienceHost.exe
1700	SearchApp.exe
5356	StartMenuExperienceHost.exe
5468	SearchApp.exe
5164	explorer.exe
5164	explorer.exe
5232	StartMenuExperienceHost.exe
3144	StartMenuExperienceHost.exe
5128	SearchApp.exe
5404	StartMenuExperienceHost.exe
3704	StartMenuExperienceHost.exe
1208	SearchApp.exe
5296	StartMenuExperienceHost.exe
372	SearchApp.exe
544	StartMenuExperienceHost.exe
4684	SearchApp.exe
6000	StartMenuExperienceHost.exe
5712	SearchApp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 3844 wrote to memory of 3544	3844	firefox.exe	firefox.exe
PID 3844 wrote to memory of 3544	3844	firefox.exe	firefox.exe
PID 3844 wrote to memory of 3544	3844	firefox.exe	firefox.exe
PID 3844 wrote to memory of 3544	3844	firefox.exe	firefox.exe
PID 3844 wrote to memory of 3544	3844	firefox.exe	firefox.exe
PID 3844 wrote to memory of 3544	3844	firefox.exe	firefox.exe
PID 3844 wrote to memory of 3544	3844	firefox.exe	firefox.exe
PID 3844 wrote to memory of 3544	3844	firefox.exe	firefox.exe
PID 3844 wrote to memory of 3544	3844	firefox.exe	firefox.exe
PID 3844 wrote to memory of 3544	3844	firefox.exe	firefox.exe
PID 3844 wrote to memory of 3544	3844	firefox.exe	firefox.exe
PID 3544 wrote to memory of 2112	3544	firefox.exe	firefox.exe
PID 3544 wrote to memory of 2112	3544	firefox.exe	firefox.exe
PID 3544 wrote to memory of 2112	3544	firefox.exe	firefox.exe
PID 3544 wrote to memory of 2112	3544	firefox.exe	firefox.exe
PID 3544 wrote to memory of 2112	3544	firefox.exe	firefox.exe
PID 3544 wrote to memory of 2112	3544	firefox.exe	firefox.exe
PID 3544 wrote to memory of 2112	3544	firefox.exe	firefox.exe
PID 3544 wrote to memory of 2112	3544	firefox.exe	firefox.exe
PID 3544 wrote to memory of 2112	3544	firefox.exe	firefox.exe
PID 3544 wrote to memory of 2112	3544	firefox.exe	firefox.exe
PID 3544 wrote to memory of 2112	3544	firefox.exe	firefox.exe
PID 3544 wrote to memory of 2112	3544	firefox.exe	firefox.exe
PID 3544 wrote to memory of 2112	3544	firefox.exe	firefox.exe
PID 3544 wrote to memory of 2112	3544	firefox.exe	firefox.exe
PID 3544 wrote to memory of 2112	3544	firefox.exe	firefox.exe
PID 3544 wrote to memory of 2112	3544	firefox.exe	firefox.exe
PID 3544 wrote to memory of 2112	3544	firefox.exe	firefox.exe
PID 3544 wrote to memory of 2112	3544	firefox.exe	firefox.exe
PID 3544 wrote to memory of 2112	3544	firefox.exe	firefox.exe
PID 3544 wrote to memory of 2112	3544	firefox.exe	firefox.exe
PID 3544 wrote to memory of 2112	3544	firefox.exe	firefox.exe
PID 3544 wrote to memory of 2112	3544	firefox.exe	firefox.exe
PID 3544 wrote to memory of 2112	3544	firefox.exe	firefox.exe
PID 3544 wrote to memory of 2112	3544	firefox.exe	firefox.exe
PID 3544 wrote to memory of 2112	3544	firefox.exe	firefox.exe
PID 3544 wrote to memory of 2112	3544	firefox.exe	firefox.exe
PID 3544 wrote to memory of 2112	3544	firefox.exe	firefox.exe
PID 3544 wrote to memory of 2112	3544	firefox.exe	firefox.exe
PID 3544 wrote to memory of 2112	3544	firefox.exe	firefox.exe
PID 3544 wrote to memory of 2112	3544	firefox.exe	firefox.exe
PID 3544 wrote to memory of 2112	3544	firefox.exe	firefox.exe
PID 3544 wrote to memory of 2112	3544	firefox.exe	firefox.exe
PID 3544 wrote to memory of 2112	3544	firefox.exe	firefox.exe
PID 3544 wrote to memory of 2112	3544	firefox.exe	firefox.exe
PID 3544 wrote to memory of 2112	3544	firefox.exe	firefox.exe
PID 3544 wrote to memory of 2112	3544	firefox.exe	firefox.exe
PID 3544 wrote to memory of 2112	3544	firefox.exe	firefox.exe
PID 3544 wrote to memory of 2112	3544	firefox.exe	firefox.exe
PID 3544 wrote to memory of 2112	3544	firefox.exe	firefox.exe
PID 3544 wrote to memory of 2112	3544	firefox.exe	firefox.exe
PID 3544 wrote to memory of 2112	3544	firefox.exe	firefox.exe
PID 3544 wrote to memory of 2112	3544	firefox.exe	firefox.exe
PID 3544 wrote to memory of 2112	3544	firefox.exe	firefox.exe
PID 3544 wrote to memory of 4472	3544	firefox.exe	firefox.exe
PID 3544 wrote to memory of 4472	3544	firefox.exe	firefox.exe
PID 3544 wrote to memory of 4472	3544	firefox.exe	firefox.exe
PID 3544 wrote to memory of 4472	3544	firefox.exe	firefox.exe
PID 3544 wrote to memory of 4472	3544	firefox.exe	firefox.exe
PID 3544 wrote to memory of 4472	3544	firefox.exe	firefox.exe
PID 3544 wrote to memory of 4472	3544	firefox.exe	firefox.exe
PID 3544 wrote to memory of 4472	3544	firefox.exe	firefox.exe
PID 3544 wrote to memory of 4472	3544	firefox.exe	firefox.exe
PID 3544 wrote to memory of 4472	3544	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "http://github.com/TheDarkMythos/windows-malware"
1⤵
- Suspicious use of WriteProcessMemory
PID:3844

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url http://github.com/TheDarkMythos/windows-malware
2⤵
- Checks processor information in registry
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3544

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3544.0.1467642598\1172179236" -parentBuildID 20230214051806 -prefsHandle 1752 -prefMapHandle 1744 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f6d243c5-a13f-413e-ad24-89ddb37aa6d3} 3544 "\\.\pipe\gecko-crash-server-pipe.3544" 1844 208eb404758 gpu
3⤵
PID:2112

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3544.1.490535423\1104128737" -parentBuildID 20230214051806 -prefsHandle 2480 -prefMapHandle 2476 -prefsLen 22927 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a5af665c-3662-4d3a-8975-7163d3faaa1b} 3544 "\\.\pipe\gecko-crash-server-pipe.3544" 2492 208de886958 socket
3⤵
PID:4472

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3544.2.708342463\1990236870" -childID 1 -isForBrowser -prefsHandle 3220 -prefMapHandle 3216 -prefsLen 22965 -prefMapSize 235121 -jsInitHandle 900 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6db870be-24c7-4d82-87b2-e55fe5173bdd} 3544 "\\.\pipe\gecko-crash-server-pipe.3544" 3232 208de877e58 tab
3⤵
PID:5084

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3544.3.930527400\1254538319" -childID 2 -isForBrowser -prefsHandle 3012 -prefMapHandle 3008 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 900 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1162acbe-65ac-4e62-bb0d-4ebdf1348d92} 3544 "\\.\pipe\gecko-crash-server-pipe.3544" 2988 208efef1258 tab
3⤵
PID:1944

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3544.4.1570247434\1514203048" -childID 3 -isForBrowser -prefsHandle 5124 -prefMapHandle 4940 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 900 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b42b6abb-b6fd-41ee-aa4f-63cef45ee0ff} 3544 "\\.\pipe\gecko-crash-server-pipe.3544" 5152 208f19bbe58 tab
3⤵
PID:4608

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3544.5.43369879\345690921" -childID 4 -isForBrowser -prefsHandle 5140 -prefMapHandle 5136 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 900 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4d7f57b4-e94d-4ab0-8551-9a5c9435bece} 3544 "\\.\pipe\gecko-crash-server-pipe.3544" 5168 208f19bac58 tab
3⤵
PID:4552

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3544.6.1487762433\1021934070" -childID 5 -isForBrowser -prefsHandle 5556 -prefMapHandle 5552 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 900 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6f5f6656-a3b3-4a28-95b5-170e44495ac8} 3544 "\\.\pipe\gecko-crash-server-pipe.3544" 5168 208f1a37a58 tab
3⤵
PID:1552

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3544.7.1874656650\1028985395" -childID 6 -isForBrowser -prefsHandle 4940 -prefMapHandle 5568 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 900 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0af7e729-9730-4e81-b08d-7db2e378007b} 3544 "\\.\pipe\gecko-crash-server-pipe.3544" 5292 208f2b8fb58 tab
3⤵
PID:400

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5112

C:\Users\Admin\Downloads\Bonzify.exe
"C:\Users\Admin\Downloads\Bonzify.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5188

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\KillAgent.bat"
2⤵
PID:5296

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im AgentSvr.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5328

C:\Windows\SysWOW64\takeown.exe
takeown /r /d y /f C:\Windows\MsAgent
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5364

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\MsAgent /c /t /grant "everyone":(f)
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5380

C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe
INSTALLER.exe /q
2⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:4840

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Windows\msagent\AgentCtl.dll"
3⤵
- Loads dropped DLL
- Modifies registry class
PID:5460

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Windows\msagent\AgentDPv.dll"
3⤵
- Loads dropped DLL
- Modifies registry class
PID:2624

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Windows\msagent\mslwvtts.dll"
3⤵
- Loads dropped DLL
PID:5492

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Windows\msagent\AgentDP2.dll"
3⤵
- Loads dropped DLL
- Modifies registry class
PID:4252

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Windows\msagent\AgentMPx.dll"
3⤵
- Loads dropped DLL
- Modifies registry class
PID:5532

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Windows\msagent\AgentSR.dll"
3⤵
- Loads dropped DLL
PID:5552

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Windows\msagent\AgentPsh.dll"
3⤵
- Loads dropped DLL
PID:3064

C:\Windows\msagent\AgentSvr.exe
"C:\Windows\msagent\AgentSvr.exe" /regserver
3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4056

C:\Windows\SysWOW64\grpconv.exe
grpconv.exe -o
3⤵
PID:164

C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe
INSTALLER.exe /q
2⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:4316

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s C:\Windows\lhsp\tv\tv_enua.dll
3⤵
- Loads dropped DLL
PID:6076

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s C:\Windows\lhsp\tv\tvenuax.dll
3⤵
- Loads dropped DLL
- Modifies registry class
PID:4628

C:\Windows\SysWOW64\grpconv.exe
grpconv.exe -o
3⤵
PID:6108

C:\Windows\msagent\AgentSvr.exe
C:\Windows\msagent\AgentSvr.exe -Embedding
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:5352

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x30c 0x4f0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5328

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:536

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:5220

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:6052

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5404

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:3980

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4212

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:6132

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5760

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Suspicious use of SendNotifyMessage
PID:5408

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5924

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1700

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5164

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:5356

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5468

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
PID:3488

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:5232

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
PID:2552

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:3144

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5128

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:4128

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:5404

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:3780

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:3704

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1208

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:4852

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:5296

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:372

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:1128

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:544

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4684

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
PID:5916

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:6000

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:5712

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5876

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1700

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5820

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4696

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5468

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4128

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5796

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3780

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4292

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3404

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4260

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2900

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4196

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5948

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5864

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2976

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4752

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5900

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4704

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1896

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1064

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5916

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2556

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5500

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3784

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
2⤵
PID:3404

C:\Users\Admin\Downloads\000.exe
"C:\Users\Admin\Downloads\000.exe"
3⤵
PID:4064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\windl.bat""
4⤵
PID:6936

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im explorer.exe
5⤵
- Kills process with taskkill
PID:6840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6840 -s 660
6⤵
- Program crash
PID:3240

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
5⤵
- Kills process with taskkill
PID:6728

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic useraccount where name='Admin' set FullName='UR NEXT'
5⤵
PID:6520

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic useraccount where name='Admin' rename 'UR NEXT'
5⤵
PID:5612

C:\Windows\SysWOW64\shutdown.exe
shutdown /f /r /t 0
5⤵
PID:6304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4064 -s 4440
4⤵
- Program crash
PID:5936

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5824

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4080

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2540

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4688

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2556

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4296

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5404

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4688

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2740

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2244

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:640

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5740

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:372

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1268

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5092

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2320

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4012

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2116

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1028

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1336

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1916

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1508

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4264

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:6956

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5392

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4808

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:6308

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:6400

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:6940

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4444

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3784

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:868

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5540

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:6592

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:468

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4272

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5276

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1268

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4684

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:6420

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:6656

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:6088

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:6832

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5728

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:6212

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:6424

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:6556

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:7068

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5096

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1896

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4440

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:6592

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:6868

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:6424

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:6824

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:6436

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:6000

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4692

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:6520

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:6776

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4220

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:6736

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:988

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4428

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3800

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4204

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:6804

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:6560

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:6912

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1728

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4688

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:6056

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:552

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4140

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3192

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5460

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:6376

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2540

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3640

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:6064

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4504

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:6132

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:6240

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3204

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:7048

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3992

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1028

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4704

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:6588

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5168

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:7036

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:6248

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5724

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:7048

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5320

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5808

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:6564

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3520

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5240

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:6816

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:6280

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3308

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:6568

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5276

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:6452

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:6668

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5864

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5180

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3032

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4372

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5152

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:7008

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:6652

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:6260

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:7020

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4220

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5456

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4824

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:672

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:6396

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5168

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5732

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:6732

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:6920

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:6892

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4940

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3648

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:6312

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5924

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4692

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 6840 -ip 6840
1⤵
PID:4440

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3776

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3716

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4444

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 4064 -ip 4064
1⤵
PID:7016

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4168

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3d34055 /state1:0x41c64e6d
1⤵
PID:2548

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9
Filesize
471B

MD5
ca2d563291396b433a5eb6ab508eb395

SHA1
d70ebd8b890b20e744fee6628fdc7debbfbe66ba

SHA256
1331b80fc1338b8ad7b3774bb4dd33edd7ca0102066bddbbd6ab7c99f8666732

SHA512
d7d236a0919fef9bb11c196d0e1e865b3d2a98143d70df8104e901ebe4a6abbede80e06350949df2ad6ccfc213e48de9ae939829ae976ea798ec93b36cc1c041

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9
Filesize
420B

MD5
2394ce8994ef110498082742a96ffcfd

SHA1
3f940dc9f99f2de6de8cf5d802dfb5bef9cebec8

SHA256
91c629ad2fc9a861973fc319a375fc03069865d826143e3dd8671a7c6b155a70

SHA512
8539c0e7ec66cb7d6499820f471f028894302e8450b3edca6976343e02bdc0fab2e8b4d9bbf412f32ba3d406bea9f577dac30fc52ce32d9f43c7f07f71ccc6df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
Filesize
896KB

MD5
13a944885c444d8ab454cde2e3c93b28

SHA1
52c687ab6d1018d3c8ffe4ec22ddf240beefc68f

SHA256
66f7a7e3a55fb9caf24558b2b6ae080c4843eb1a8be91364d495462f776063fa

SHA512
b4fc24dbf0739bd1218879b84ab16416c473bf3f53a16d4741000d3b2ac1c6b19e8c54f472e24b50c22a36c3b6ed5c19cc8f746c528919ee95b1bfcef8c60d23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak
Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rfj66zji.default-release\activity-stream.discovery_stream.json.tmp
Filesize
23KB

MD5
e9d9c9cb2b946899f54194e9efc12d43

SHA1
eac9619771bb7a2226f57db20a61528b5d1fa7a9

SHA256
7aa8f77af20f85cad523c8b981b6454eb7f1d004a5557158cd6d13de1d7941f8

SHA512
62f1db4fd710c9761208551ba9066604039e40ab90b2182d276b7914b517d62ae71cbd113ddd5bbfbff404d94e83155dec6232fb299f34a173ed062a0f9f5993

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rfj66zji.default-release\cache2\doomed\23724
Filesize
12KB

MD5
7a5857149219692b6d273565657c96eb

SHA1
c4ae3b03ddbfb9b7a87977626aa9e75431c0b45e

SHA256
7a9c07007929f30df8bd6863b64056369b92d6223e14b342146320b13fa4b23f

SHA512
bf86a4095b178b012f94ff27ad5ef3704618ad7ee5767a88df302dc1c5a16666c9de244087f9a944b6243ee43e1acf53252f76460776a28a198cc1822f0bb144

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rfj66zji.default-release\cache2\doomed\27550
Filesize
12KB

MD5
24283ddbbc58dee5ce46f8bf285178dd

SHA1
00732a89f385d1061db86c4c09b666336270f295

SHA256
07a11b8f28a7b3e7bb8f66b179c82e0f18d83711ee6ba16e09491a1aacd2a732

SHA512
d79d0d729bed459e470da7ce443645f011de1122d0bf4de75cbf37fb5ed10baeb05772a50dc89323340b66a448b8596afc6a7af79b452a76b36de5568b961e37

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rfj66zji.default-release\cache2\doomed\3158
Filesize
9KB

MD5
2fc41f805e0c057690cd2a1a13adee03

SHA1
68a0447c2af1313681f9f3349819e553e2323e1e

SHA256
fb06260fdb9d5f14add6f2bcf593a100aad411f7befea65e4cb6bfbc53589956

SHA512
ab3b4dbc80c80b7cb1ee696671194cffa18c81df86276386860fd1ae26368e6d2c52dbe3b03f727d574b8708cc34e50be09dcc44f5a6675e85e2dc08b095bf6b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rfj66zji.default-release\cache2\entries\2B1DFB3BF62868D7BE390097837204DDA6FC828E
Filesize
33KB

MD5
18fa7a272e805c51e19fa61b9ce1ff4e

SHA1
41d7d1042fd113d2dae1a13c1bac3116b1575f84

SHA256
fd89d3db420930e691fd1987e7751788adf4e683111c8a155cc5b71c86ccbf5f

SHA512
75b88ada4eee3c11b76f82b497f0d949052507dfa6faf75543fe8c110036156631f647df6b888435ffaad339d09d9286e6b97a7c064123ad08df02fade6cd50c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rfj66zji.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A
Filesize
13KB

MD5
c646b436fdd2da800f66b7349de04960

SHA1
fe1c7fc9e2ec0a5811149f087c973692acbdc648

SHA256
7cedf248fe0920e6789d50cdad8ce3f5e53216fc2b054aa3a10a9dfaa8f1c736

SHA512
37a9b1d9bd853824d2309761cc9839c4018b2602704418f1c6d8cf30e75415ee2a544893b10a839a5710a8813b6014fb1f00f774862b19624ae8c8f710ba9746

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rfj66zji.default-release\cache2\entries\9C76ED03235B16036B6081E7D29AFDB1DBD86F69
Filesize
65KB

MD5
141b947f8d665b0fc9d5d3a91def23bd

SHA1
5d401a4feb79c119a0b8ee416370a6f6a8ad250a

SHA256
b4ea184e7176c0528270f117d243892441e43d06f32318e0414ced85f0b1b9b5

SHA512
0c306e773269b9824ee7b66c6c4175cad5733153a5e0941d8110c9847271dc7c25b8dcf918eef730f26949955f6905ac8b3747866c691b6cc7500e1ec73ab50f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rfj66zji.default-release\cache2\entries\9D052D1DC54D0E3995CAC53B82BA9B60130EBB01
Filesize
75KB

MD5
0390d96727a6b2734d99bc6e272f66ee

SHA1
ebe64618bb2a1b2f49f4bb3ed6797f3f49ee3944

SHA256
ace29f55369bd6be9181b44a4c2eb163f79d6115208713e5a08307ebfdde9841

SHA512
19e9990dd343b7e926a0b82e434bb3d686ae619b10ff1598b9e6bbdc2d988702b0d976ede4e86b71cd2540247e0c2697f573c82c1c6a674127bd372683b6f3a3

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rfj66zji.default-release\cache2\entries\D35C09500437DD22D7C72D16F29F6C78D8E3C45D
Filesize
40KB

MD5
ec3d82d3ab84ef8d0e0e891b9eba82a0

SHA1
b91604d2cb476dfe7cbc4e5534c60a697167f909

SHA256
4063e41501d57246a92f1abbc94a11eef6c94dd030fcc947f465212516694c77

SHA512
d60e736fd9fa85d4df26f73939a449d454d45e2c89a5f78b782b98aabf67fffc7bd92eb4004904281def6a76ef39e8bd4d93649ce42d2ebff4e71c8a81f7b122

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rfj66zji.default-release\jumpListCache\5fOT2ZZcWKqSFvKh9EHX7A==.ico
Filesize
25KB

MD5
6b120367fa9e50d6f91f30601ee58bb3

SHA1
9a32726e2496f78ef54f91954836b31b9a0faa50

SHA256
92c62d192e956e966fd01a0c1f721d241b9b6f256b308a2be06187a7b925f9e0

SHA512
c8d55a2c10a2ef484dedded911b8f3c2f5ecb996be6f6f425c5bd4b4f53eb620a2baccd48bac1915a81da9a792971d95ff36c3f216075d93e5fd7a462ecd784f

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\329B0Q5Q\microsoft.windows[1].xml
Filesize
96B

MD5
0223f9592c8a3d874dd3694eddcee076

SHA1
c8fbd22ad34b843ced6dc2a2deff6fd581040b32

SHA256
bc5594da816931b2e06c63b738ec5f7e851b7a95da5dabc30bcf9260bb265944

SHA512
7713aae208fe63974de42fa0e839fe7cf8a222713014c9022c4907a39bc70428b3898728b72a9a7fdce6e9f438d0fd50a75aa43d043eea0edf65280a4a4022ba

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\https___java_com_
Filesize
36KB

MD5
8aaad0f4eb7d3c65f81c6e6b496ba889

SHA1
231237a501b9433c292991e4ec200b25c1589050

SHA256
813c66ce7dec4cff9c55fb6f809eab909421e37f69ff30e4acaa502365a32bd1

SHA512
1a83ce732dc47853bf6e8f4249054f41b0dea8505cda73433b37dfa16114f27bfed3b4b3ba580aa9d53c3dcc8d48bf571a45f7c0468e6a0f2a227a7e59e17d62

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_WindowsPowerShell_v1_0_powershell_exe
Filesize
36KB

MD5
94b56d65a8b7f7253aeacac345d4b096

SHA1
7e11e248ae804d3647479a4fe5f03835a1eee4bc

SHA256
0f312587a999305794730da6f2198c82a346e64211e2fb054256102ac70315be

SHA512
538cc0c1b4dc66e8a3c6ca9a17ddac128441874248589bcc6c88b64ad7d3b93ff143867d6fad0002cbb4584e951d0e82441c350396e6d59b73207a3ffe0fc055

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{6D809377-6AF0-444B-8957-A3773F02200E}_VideoLAN_VLC_vlc_exe
Filesize
36KB

MD5
8ab0ccfe101f2a223bf9fc11f910ec64

SHA1
86a7cf51b399bb786896fb77f59ee8b4844f5afe

SHA256
8cc15be591c4f70f964d3554be30283f925747d09eb71692bf40b8125e2bb68a

SHA512
b862068ea8bdb828186c2bc693b1e99d622a48a82eea13886090c44e17d132ad1a96bae4a96214d9a8abeb22f7c85f4ef25a000cc1bf977fd43e67bf1064a61e

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133639804783648708.txt
Filesize
75KB

MD5
5bd0cd20579c428246b7c6bbfbcdba4a

SHA1
88fc2cb1bff86cdbb3c50241aad45a8fc2603b08

SHA256
ed8bf87b30f8d2d3ce3016ef1d27f7b4df9ae46b1a042c79b0cd16ae94d062ad

SHA512
ec7623945e836777cfb498bd76019b062f948edbb83b797c6141872fd4d643aec9766820742143ee734b3520da93da2d048697ee9f07ee20e15b09d2ae9f3a60

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\SettingsCache.txt
Filesize
801KB

MD5
f1cf4337c201c880528cfd12111e103c

SHA1
8b1870cc3b0c43c8bfc88fb65d245da58e82651e

SHA256
aa5a3795294bcf13c6482f98209e65d40ba8fe6030e3588cc77e9cab0424d339

SHA512
75cfca0a9b339aaff950597e8aedf0cd3db090cc819816890e7f76abdac89aeb1562ea569aba77b35242563ac30770497e8e30d65efb378a1c97d10314bac5b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe
Filesize
391KB

MD5
66996a076065ebdcdac85ff9637ceae0

SHA1
4a25632b66a9d30239a1a77c7e7ba81bb3aee9ce

SHA256
16ca09ad70561f413376ad72550ae5664c89c6a76c85c872ffe2cb1e7f49e2aa

SHA512
e42050e799cbee5aa4f60d4e2f42aae656ff98af0548308c8d7f0d681474a9da3ad7e89694670449cdfde30ebe2c47006fbdc57cfb6b357c82731aeebc50901c

Download Submit
C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe
Filesize
997KB

MD5
3f8f18c9c732151dcdd8e1d8fe655896

SHA1
222cc49201aa06313d4d35a62c5d494af49d1a56

SHA256
709936902951fb684d0a03a561fb7fd41c5e6f81ecd60d326809db66eb659331

SHA512
398a83f030824011f102dbcf9b25d3ff7527c489df149e9acdb492602941409cf551d16f6f03c01bc6f63a2e94645ed1f36610bdaffc7891299a8d9f89c511f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ADVPACK.DLL
Filesize
73KB

MD5
81e5c8596a7e4e98117f5c5143293020

SHA1
45b7fe0989e2df1b4dfd227f8f3b73b6b7df9081

SHA256
7d126ed85df9705ec4f38bd52a73b621cf64dd87a3e8f9429a569f3f82f74004

SHA512
05b1e9eef13f7c140eb21f6dcb705ee3aaafabe94857aa86252afa4844de231815078a72e63d43725f6074aa5fefe765feb93a6b9cd510ee067291526bb95ec6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGENTANM.DLL
Filesize
40KB

MD5
48c00a7493b28139cbf197ccc8d1f9ed

SHA1
a25243b06d4bb83f66b7cd738e79fccf9a02b33b

SHA256
905cb1a15eccaa9b79926ee7cfe3629a6f1c6b24bdd6cea9ccb9ebc9eaa92ff7

SHA512
c0b0a410ded92adc24c0f347a57d37e7465e50310011a9d636c5224d91fbc5d103920ab5ef86f29168e325b189d2f74659f153595df10eef3a9d348bb595d830

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGENTCTL.DLL
Filesize
160KB

MD5
237e13b95ab37d0141cf0bc585b8db94

SHA1
102c6164c21de1f3e0b7d487dd5dc4c5249e0994

SHA256
d19b6b7c57bcee7239526339e683f62d9c2f9690947d0a446001377f0b56103a

SHA512
9d0a68a806be25d2eeedba8be1acc2542d44ecd8ba4d9d123543d0f7c4732e1e490bad31cad830f788c81395f6b21d5a277c0bed251c9854440a662ac36ac4cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGENTDP2.DLL
Filesize
60KB

MD5
a334bbf5f5a19b3bdb5b7f1703363981

SHA1
6cb50b15c0e7d9401364c0fafeef65774f5d1a2c

SHA256
c33beaba130f8b740dddb9980fe9012f9322ac6e94f36a6aa6086851c51b98de

SHA512
1fa170f643054c0957ed1257c4d7778976c59748670afa877d625aaa006325404bc17c41b47be2906dd3f1e229870d54eb7aba4a412de5adedbd5387e24abf46

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGENTDPV.DLL
Filesize
64KB

MD5
7c5aefb11e797129c9e90f279fbdf71b

SHA1
cb9d9cbfbebb5aed6810a4e424a295c27520576e

SHA256
394a17150b8774e507b8f368c2c248c10fce50fc43184b744e771f0e79ecafed

SHA512
df59a30704d62fa2d598a5824aa04b4b4298f6192a01d93d437b46c4f907c90a1bad357199c51a62beb87cd724a30af55a619baef9ecf2cba032c5290938022a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGENTMPX.DLL
Filesize
60KB

MD5
4fbbaac42cf2ecb83543f262973d07c0

SHA1
ab1b302d7cce10443dfc14a2eba528a0431e1718

SHA256
6550582e41fc53b8a7ccdf9ac603216937c6ff2a28e9538610adb7e67d782ab5

SHA512
4146999b4bec85bcd2774ac242cb50797134e5180a3b3df627106cdfa28f61aeea75a7530094a9b408bc9699572cae8cf998108bde51b57a6690d44f0b34b69e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGENTPSH.DLL
Filesize
36KB

MD5
b4ac608ebf5a8fdefa2d635e83b7c0e8

SHA1
d92a2861d5d1eb67ab434ff2bd0a11029b3bd9a9

SHA256
8414dfe399813b7426c235ba1e625bd2b5635c8140da0d0cfc947f6565fe415f

SHA512
2c42daade24c3ff01c551a223ee183301518357990a9cb2cc2dd7bf411b7059ff8e0bf1d1aee2d268eca58db25902a8048050bdb3cb48ae8be1e4c2631e3d9b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGENTSR.DLL
Filesize
60KB

MD5
9fafb9d0591f2be4c2a846f63d82d301

SHA1
1df97aa4f3722b6695eac457e207a76a6b7457be

SHA256
e78e74c24d468284639faf9dcfdba855f3e4f00b2f26db6b2c491fa51da8916d

SHA512
ac0d97833beec2010f79cb1fbdb370d3a812042957f4643657e15eed714b9117c18339c737d3fd95011f873cda46ae195a5a67ae40ff2a5bcbee54d1007f110a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGENTSVR.EXE
Filesize
268KB

MD5
5c91bf20fe3594b81052d131db798575

SHA1
eab3a7a678528b5b2c60d65b61e475f1b2f45baa

SHA256
e8ce546196b6878a8c34da863a6c8a7e34af18fb9b509d4d36763734efa2d175

SHA512
face50db7025e0eb2e67c4f8ec272413d13491f7438287664593636e3c7e3accaef76c3003a299a1c5873d388b618da9eaede5a675c91f4c1f570b640ac605d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGT0409.DLL
Filesize
28KB

MD5
0cbf0f4c9e54d12d34cd1a772ba799e1

SHA1
40e55eb54394d17d2d11ca0089b84e97c19634a7

SHA256
6b0b57e5b27d901f4f106b236c58d0b2551b384531a8f3dad6c06ed4261424b1

SHA512
bfdb6e8387ffbba3b07869cb3e1c8ca0b2d3336aa474bd19a35e4e3a3a90427e49b4b45c09d8873d9954d0f42b525ed18070b949c6047f4e4cdb096f9c5ae5d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGT0409.HLP
Filesize
8KB

MD5
466d35e6a22924dd846a043bc7dd94b8

SHA1
35e5b7439e3d49cb9dc57e7ef895a3cd8d80fb10

SHA256
e4ccf06706e68621bb69add3dd88fed82d30ad8778a55907d33f6d093ac16801

SHA512
23b64ed68a8f1df4d942b5a08a6b6296ec5499a13bb48536e8426d9795771dbcef253be738bf6dc7158a5815f8dcc65feb92fadf89ea8054544bb54fc83aa247

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGT20.INF
Filesize
2KB

MD5
e4a499b9e1fe33991dbcfb4e926c8821

SHA1
951d4750b05ea6a63951a7667566467d01cb2d42

SHA256
49e6b848f5a708d161f795157333d7e1c7103455a2f47f50895683ef6a1abe4d

SHA512
a291bb986293197a16f75b2473297286525ac5674c08a92c87b5cc1f0f2e62254ea27d626b30898e7857281bdb502f188c365311c99bda5c2dd76da0c82c554a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGTCTL15.TLB
Filesize
28KB

MD5
f1656b80eaae5e5201dcbfbcd3523691

SHA1
6f93d71c210eb59416e31f12e4cc6a0da48de85b

SHA256
3f8adc1e332dd5c252bbcf92bf6079b38a74d360d94979169206db34e6a24cd2

SHA512
e9c216b9725bd419414155cfdd917f998aa41c463bc46a39e0c025aa030bc02a60c28ac00d03643c24472ffe20b8bbb5447c1a55ff07db3a41d6118b647a0003

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGTINST.INF
Filesize
7KB

MD5
b127d9187c6dbb1b948053c7c9a6811f

SHA1
b3073c8cad22c87dd9b8f76b6ffd0c4d0a2010d9

SHA256
bd1295d19d010d4866c9d6d87877913eee69e279d4d089e5756ba285f3424e00

SHA512
88e447dd4db40e852d77016cfd24e09063490456c1426a779d33d8a06124569e26597bb1e46a3a2bbf78d9bffee46402c41f0ceb44970d92c69002880ddc0476

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MSLWVTTS.DLL
Filesize
52KB

MD5
316999655fef30c52c3854751c663996

SHA1
a7862202c3b075bdeb91c5e04fe5ff71907dae59

SHA256
ea4ca740cd60d2c88280ff8115bf354876478ef27e9e676d8b66601b4e900ba0

SHA512
5555673e9863127749fc240f09cf3fb46e2019b459ad198ba1dc356ba321c41e4295b6b2e2d67079421d7e6d2fb33542b81b0c7dae812fe8e1a87ded044edd44

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Msvcirt.dll
Filesize
76KB

MD5
e7cd26405293ee866fefdd715fc8b5e5

SHA1
6326412d0ea86add8355c76f09dfc5e7942f9c11

SHA256
647f7534aaaedffa93534e4cb9b24bfcf91524828ff0364d88973be58139e255

SHA512
1114c5f275ecebd5be330aa53ba24d2e7d38fc20bb3bdfa1b872288783ea87a7464d2ab032b542989dee6263499e4e93ca378f9a7d2260aebccbba7fe7f53999

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Msvcp50.dll
Filesize
552KB

MD5
497fd4a8f5c4fcdaaac1f761a92a366a

SHA1
81617006e93f8a171b2c47581c1d67fac463dc93

SHA256
91cd76f9fa3b25008decb12c005c194bdf66c8d6526a954de7051bec9aae462a

SHA512
73d11a309d8f1a6624520a0bf56d539cb07adee6d46f2049a86919f5ce3556dc031437f797e3296311fe780a8a11a1a37b4a404de337d009e9ed961f75664a25

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\W95INF16.DLL
Filesize
2KB

MD5
7210d5407a2d2f52e851604666403024

SHA1
242fde2a7c6a3eff245f06813a2e1bdcaa9f16d9

SHA256
337d2fb5252fc532b7bf67476b5979d158ca2ac589e49c6810e2e1afebe296af

SHA512
1755a26fa018429aea00ebcc786bb41b0d6c4d26d56cd3b88d886b0c0773d863094797334e72d770635ed29b98d4c8c7f0ec717a23a22adef705a1ccf46b3f68

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\W95INF32.DLL
Filesize
4KB

MD5
4be7661c89897eaa9b28dae290c3922f

SHA1
4c9d25195093fea7c139167f0c5a40e13f3000f2

SHA256
e5e9f7c8dbd47134815e155ed1c7b261805eda6fddea6fa4ea78e0e4fb4f7fb5

SHA512
2035b0d35a5b72f5ea5d5d0d959e8c36fc7ac37def40fa8653c45a49434cbe5e1c73aaf144cbfbefc5f832e362b63d00fc3157ca8a1627c3c1494c13a308fc7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\andmoipa.ttf
Filesize
29KB

MD5
c3e8aeabd1b692a9a6c5246f8dcaa7c9

SHA1
4567ea5044a3cef9cb803210a70866d83535ed31

SHA256
38ae07eeb7909bda291d302848b8fe5f11849cf0d597f0e5b300bfed465aed4e

SHA512
f74218681bd9d526b68876331b22080f30507898b6a6ebdf173490ca84b696f06f4c97f894cb6052e926b1eee4b28264db1ead28f3bc9f627b4569c1ddcd2d3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tv_enua.dll
Filesize
1.2MB

MD5
ed98e67fa8cc190aad0757cd620e6b77

SHA1
0317b10cdb8ac080ba2919e2c04058f1b6f2f94d

SHA256
e0beb19c3536561f603474e3d5e3c3dff341745d317bc4d1463e2abf182bb18d

SHA512
ec9c3a71ca9324644d4a2d458e9ba86f90deb9137d0a35793e0932c2aa297877ed7f1ab75729fda96690914e047f1336f100b6809cbc7a33baa1391ed588d7f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tv_enua.hlp
Filesize
11KB

MD5
80d09149ca264c93e7d810aac6411d1d

SHA1
96e8ddc1d257097991f9cc9aaf38c77add3d6118

SHA256
382d745e10944b507a8d9c69ae2e4affd4acf045729a19ac143fa8d9613ccb42

SHA512
8813303cd6559e2cc726921838293377e84f9b5902603dac69d93e217ff3153b82b241d51d15808641b5c4fb99613b83912e9deda9d787b4c8ccfbd6afa56bc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tv_enua.inf
Filesize
2KB

MD5
0a250bb34cfa851e3dd1804251c93f25

SHA1
c10e47a593c37dbb7226f65ad490ff65d9c73a34

SHA256
85189df1c141ef5d86c93b1142e65bf03db126d12d24e18b93dd4cc9f3e438ae

SHA512
8e056f4aa718221afab91c4307ff87db611faa51149310d990db296f979842d57c0653cb23d53fea54a69c99c4e5087a2eb37daa794ba62e6f08a8da41255795

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tvenuax.dll
Filesize
40KB

MD5
1587bf2e99abeeae856f33bf98d3512e

SHA1
aa0f2a25fa5fc9edb4124e9aa906a52eb787bea9

SHA256
c9106198ecbd3a9cab8c2feff07f16d6bb1adfa19550148fc96076f0f28a37b0

SHA512
43161c65f2838aa0e8a9be5f3f73d4a6c78ad8605a6503aae16147a73f63fe985b17c17aedc3a4d0010d5216e04800d749b2625182acc84b905c344f0409765a

Download Submit
C:\Users\Admin\AppData\Local\Temp\KillAgent.bat
Filesize
161B

MD5
ea7df060b402326b4305241f21f39736

SHA1
7d58fb4c58e0edb2ddceef4d21581ff9d512fdc2

SHA256
e4edc2cb6317ab19ee1a6327993e9332af35cfbebaff2ac7c3f71d43cfcbe793

SHA512
3147615add5608d0dce7a8b6efbfb19263c51a2e495df72abb67c6db34f5995a27fde55b5af78bbd5a6468b4065942cad4a4d3cb28ab932aad9b0f835aafe4d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-18467
Filesize
6.4MB

MD5
fba93d8d029e85e0cde3759b7903cee2

SHA1
525b1aa549188f4565c75ab69e51f927204ca384

SHA256
66f62408dfce7c4a5718d2759f1d35721ca22077398850277d16e1fca87fe764

SHA512
7c1441b2e804e925eb5a03e97db620117d3ad4f6981dc020e4e7df4bfc4bd6e414fa3b0ce764481a2cef07eebb2baa87407355bfbe88fab96397d82bd441e6a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41
Filesize
6.7MB

MD5
d5671758956b39e048680b6a8275e96a

SHA1
33c341130bf9c93311001a6284692c86fec200ef

SHA256
4a900b344ef765a66f98cf39ac06273d565ca0f5d19f7ea4ca183786155d4a47

SHA512
972e89ed8b7b4d75df0a05c53e71fb5c29edaa173d7289656676b9d2a1ed439be1687beddc6fb1fbf068868c3da9c3d2deb03b55e5ab5e7968858b5efc49fbe7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon
Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
Filesize
15KB

MD5
da937c43448a0a23fa1affa0d130bfcb

SHA1
c48639cb26151c2c9e210e709feb222701af598d

SHA256
9ebdfd6bb9770859d8e388f9de7e6441db70a004e6fcabebb3ecf1e25bf8b82a

SHA512
c5b5c40972203436cf1834ea3306780883613728c4f95c146702abbfcf82616b473e00b6be32fb6d747a9c4aa827c889077c26dd30d2ef823b9728a5866b18e8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
Filesize
16KB

MD5
4b04de576a84b47a2dc6e586267d195a

SHA1
603806b775a8589e1d3472eaea736d74d8ea3a5e

SHA256
386a0c993368dc94125bf2ce3239b000c4c2a5600c8d94a5480a98861ae9b3d0

SHA512
dc2eb44f3bcd70770f4fa604424aa4e4dca4fe39a510027601bcfa90e5990dde393c29d6e5a4b31f5391cacbcb4fcec4409e6fcd4d4d9c1e94d8c06429fbb723

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
Filesize
16KB

MD5
473088ff6db9d22c97dee4224f26686d

SHA1
da58672804f15c9e3c0da29ccfc5b0584016fddf

SHA256
ada72baca06316a68eeb51242b74b06592a99113b4e56a5f3592de7035548b5d

SHA512
bc8bb5b9813b05d4a9837bb4f5dbd05ba2986987cee773b1c26f0066b52354afe743079d9cd23c8b8a47ab39bc767cbed27ee52741d0b5bb4e59f935ebef946b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rfj66zji.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rfj66zji.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rfj66zji.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rfj66zji.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rfj66zji.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rfj66zji.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rfj66zji.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rfj66zji.default-release\prefs-1.js
Filesize
7KB

MD5
df8b73cff93bceccaf8a7865e3554c37

SHA1
0e37746782cd37ea6f7f1a09ddd6303ec33019e7

SHA256
0549c553fa5db6e99ad27ae49570eea129d368ee7cf29bdde2a1eb4b2fe9d64c

SHA512
d01c50c7c1500958a7bcd0d839ecd00631bdff1acf21327787aec09b05b9b01bc1c505356103e23c90b65a26495b65475bbf91aaae602b77333838e14de2ef9e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rfj66zji.default-release\prefs-1.js
Filesize
9KB

MD5
70cd612400e7d66e6b3217f3d5bbe150

SHA1
5d8641a272394ba982c825f7236b63c0238cd4f5

SHA256
cdc7cf467726d27a0e2e31df4382b876536f1e6226d55cc4151312dc6a1388d3

SHA512
65597e6565c28e57ce81e174c104b7ef856ace6963712eb313b2bf3cffadb322181b87c5ad9a41ee2892fb219549bb4cf517f994cf21e98d58ca1d69611fd1e5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rfj66zji.default-release\prefs.js
Filesize
6KB

MD5
6f0fc7a2aec6646765b106cc86a1ec47

SHA1
1ccedb1de13746c14110409d9f33cb39325c6147

SHA256
892aad0850022c6cbb4a693ee1091b2b48e827cae0f8f3320c05f92c29bc5922

SHA512
d66d46d9705daedcbaf669ec7432f232483c516505e499f30775b0184709d44271e1b185571bf63755a6cdd895548fe82cc8f020d446a903d4e1f7aba63918ea

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rfj66zji.default-release\prefs.js
Filesize
7KB

MD5
205c1d93b0b782b5d20536113fdcc532

SHA1
aafa880f3f78cc42662877c4f14eb02f525c7b6c

SHA256
28e043b1f01e42bb29e64998b7bbb85fc00e7383709bcdefe5ebbd1a8dfc5cc0

SHA512
1a9143b93efe01b6ba2f23d8f4b2ef7514b150ae6490a40feb5349298aa7d5d206df7673fc298ddcaa7011285dc29627b994edd007b6a98bc6bd968f126445ee

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rfj66zji.default-release\sessionCheckpoints.json.tmp
Filesize
259B

MD5
700fe59d2eb10b8cd28525fcc46bc0cc

SHA1
339badf0e1eba5332bff317d7cf8a41d5860390d

SHA256
4f5d849bdf4a5eeeb5da8836589e064e31c8e94129d4e55b1c69a6f98fb9f9ea

SHA512
3fa1b3fd4277d5900140e013b1035cb4c72065afcc6b6a8595b43101cfe7d09e75554a877e4a01bb80b0d7a58cdcfe553c4a9ef308c5695c5e77cb0ea99bada4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rfj66zji.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
3KB

MD5
ca1a38e3704cf45288d9cc11ab856ac1

SHA1
653319590f5dec36d12097531eff16287c3caac3

SHA256
68e69108e3a6d1c60eee28e0e4062526a19026957f31c7c92465d3d9b8804de4

SHA512
4aea06d66c03ce1763d100f4724d8279d79124c19b00e24387c593bd655d9916f51526c394788177a455a6c74f6ac73093caf142d7324e87ea636456217830bd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rfj66zji.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
3KB

MD5
0169c846883711b951183a0a15dce404

SHA1
8d3ae414a7fe972469411c4ac8d19654cc63b980

SHA256
89ab0814f55e3330de2ac5ff3eadde3e43da6cda33e0fdae30c89f148bca69f7

SHA512
58e827ae485f383506b48c02a37d51ba2c83d36564b3b2be50e18db673154477cdfa69b787a35e11f70b6463ab4258bce26b7db12d92557ef485a0aff5705fa1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rfj66zji.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
3KB

MD5
e1472623b69fbdfd258f180e0313cee3

SHA1
d873b71429b5daa4104f007f9c40d1208aebfa03

SHA256
75d30dd36d8261dac49812777caf580ff4ce4601f7a3a5e1fc1d7062095eb508

SHA512
2a5fab35cdb9833f58225586d879c5be69055c5a8ae9a162a3772b921f0643a4b366c807a304866ff58a418b7419d396427408d7736081e5ce9612ec84a93eee

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rfj66zji.default-release\sessionstore.jsonlz4
Filesize
3KB

MD5
4481ffc2efe75580d88029011cd92660

SHA1
73b5479b699862a22816fa849aa15ad4158fcd80

SHA256
ae0c8a462f6a7eb99a806f3808cef180216300d1f25b1975ee5db18793df0a60

SHA512
3844814c2411da7edd56ca4b315d9599eeecd2036a2549d14618a2bb219e912d7ad4a26116c9da671fc6eb23b010c9a43f78bf520f53daccd2c57365f8bfc10e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rfj66zji.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize
824KB

MD5
a4c3eb5e9e2c047ffd6aa88f788d18dc

SHA1
488dfb54e1a6ca28b432ae596b799cf4290d3cbb

SHA256
74b0cf34deb6a5994a39dcd2c1e56137c5385f778b9395043f05ad99ab7d4097

SHA512
01423a2810d691d183433f12926ca2350418d7923e86fb627cf737b7160d9e77fb73bc38e296c100f1281d7eec5e4270f0757f54608363fcc52c42454fdaa51b

Download Submit
C:\Users\Admin\Desktop\UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR N1XT.txt
Filesize
396B

MD5
9037ebf0a18a1c17537832bc73739109

SHA1
1d951dedfa4c172a1aa1aae096cfb576c1fb1d60

SHA256
38c889b5d7bdcb79bbcb55554c520a9ce74b5bfc29c19d1e4cb1419176c99f48

SHA512
4fb5c06089524c6dcd48b6d165cedb488e9efe2d27613289ef8834dbb6c010632d2bd5e3ac75f83b1d8024477ebdf05b9e0809602bbe1780528947c36e4de32f

Download Submit
C:\Windows\INF\acpi.PNF
Filesize
10KB

MD5
f2675bc75d1c9d6c6411454ec14aa858

SHA1
5e6a1b86c75b3441a7fd2928f07571fbcb3620d0

SHA256
a5ae7c88dfb3525ebe0e4ff93bfed0357dd7da183becef6c33b78d3371d3066e

SHA512
652ac9ccbd22b40bc5962c0d5caccf9646cfecb5f92eb73e30965699dd5d5205a01a81f1ba33df71b6e80a80f316d0671a8456b81f59d55744543d410e557bfd

Download Submit
C:\Windows\INF\cdrom.PNF
Filesize
11KB

MD5
8cfacf3295fab7c775c73ad070370d7c

SHA1
94c68770d34b8b7e76a56e5fe1cc133489f7512e

SHA256
9b35d47bee5e29d26c4c9276fcc3ad9e9b15f8f809b7034d39e9222c1a2b344a

SHA512
93b4087befc6fff2edb83ea9085dccf09be23a2c9ee211f99b75ef2fd369a93587bdf593949ef3d4592a89edfee9faf4b573e71132378bd028b98e705eeaa383

Download Submit
C:\Windows\INF\compositebus.PNF
Filesize
7KB

MD5
1f6cb7079e2569c00f8139980c273c09

SHA1
13c102e5bd1ed8276a516bc396cc14791d4255f9

SHA256
ed5b792e9f05ddd68e46a6ea0188c28e6b43b0890894a2d1498261740202ea6d

SHA512
4cc71221c809311bd8971be78ec191ebfa6e33d4bc1e83fedbcde0d6216edac684387b9c2a43713f97c97a8f01a5cf7250003e5b2accd51a798f3f65fd04ed40

Download Submit
C:\Windows\INF\hdaudbus.PNF
Filesize
10KB

MD5
e8916e3b6f7c4412e7e4e545269ac561

SHA1
e624fb03d85cadf20d3f94fe87a1a47b28fd3ff7

SHA256
037684d6f6c6994d45c5dddc52f397aa0ad2ef680c32b0a8bf4d0f0a983b1b46

SHA512
5ff601373ac7cf77cc220238b1a002f5a5ad6f33c79925eba7fc81b846a5bdd79cafc3ec2ab4d16fca9e8fdf729af7abc8327a54b702ecbc5a6372eda5cadb4d

Download Submit
C:\Windows\INF\hdaudio.PNF
Filesize
101KB

MD5
25017f1fc56e9be6d663c7d049973a08

SHA1
2e5875d5a1e8d13ffbfc528a8d7c002c7af21dfd

SHA256
5b944aac8774177fffd371d16b8ed1f14dc8af7757565fca3e3b0433c2bde7e9

SHA512
8fb187023140ad647d67ae3adcbb01b3072f82b4e1fa7c17fa99882ca4ee9ad8518d9535fb8612e14679d991fd304f60e253451f5e76a27b22c2abe5c5c1edb9

Download Submit
C:\Windows\INF\input.PNF
Filesize
150KB

MD5
e11a44f0b96c6c0029d425c6a931012a

SHA1
597810d48d5a28ecfb095f8c597f375d45cc486b

SHA256
dadebc3fb6edd0a50368f44e9f15db94ff3a3042345e933edfe2c004311d2816

SHA512
8512d5d7c0c1ae633d23073f93cfcf8566e45a52a46e84e9c6bf3d01988f582b435e7ac512a606099a03ec5c11699fc7fdca3113e806ab20d6dc26f932eba36d

Download Submit
C:\Windows\INF\keyboard.PNF
Filesize
115KB

MD5
3f0c17fe9b6237ef24b31327f8fb324b

SHA1
79e962d454f8ba8b9e44349bc5f78ddab3e10c7e

SHA256
2c1c510e6e3902b09d98ba9f9d9260760539705ffed7ecc75ea48653fe6fb9a8

SHA512
0a6820853ca8fb025555f9e4e3fa2987509ea49577a1aab316e50b1e88018f4cde12aba1d430dd54c24672edc0a6f6cb0e43f1b59065e894acb91ab75bceb1dd

Download Submit
C:\Windows\INF\monitor.PNF
Filesize
1.1MB

MD5
7153a86a52316dc4d627bdfc127692e9

SHA1
4e34871a17774030e6d6f86c31b3d64cb8413761

SHA256
6510fdf14233c899cbcc4297b9cbe97465bf20d80d2264bec8a63022482a2c7e

SHA512
d5e44382de04929f05eb2a34ae0b0a0d9e56b4b9265276e4f00451ae88dcdf392ab4a7e26558c45d625638667a8f9623a6a1a9ea013e521563d7e3028f20a577

Download Submit
C:\Windows\INF\mshdc.PNF
Filesize
68KB

MD5
bf197e4d644b2398ceca18b673118a7d

SHA1
55c4844c908caf06f85fdc4a190d56f9eca36110

SHA256
5937908b73a9b72eafecb9e6ef2da650177acf91b7b990f157d5962393648508

SHA512
519556e9e437b7402a79f894d6bf9a05bdc36121ba6d224f9a22b4085e3de06cc3c2fd5fc775c9920e90bfed619a429ee8b1aafe676ce865a62656f81439a4da

Download Submit
C:\Windows\INF\msmouse.PNF
Filesize
96KB

MD5
d4ff0d68eb8720c0841ed738161ffe49

SHA1
728f8d8c04aa80544194ffd4a15b35bfbc01f97f

SHA256
ca7e709c1d8c47c634c067561187c1e15b158494376e5e173bd8c16abba90a75

SHA512
fac457e645ef8f57225743aec8c4d74c1fe8e3cb17382c660106ac5688cea73d607e032a1fb51a40212839c9a187d231a99faf9702149be9d0d85c5cc337b61c

Download Submit
C:\Windows\INF\mssmbios.PNF
Filesize
7KB

MD5
ec12d38bb23c6b480c8de3e40b3b2b41

SHA1
f2ef3e8b09011ddd838cd0859ffc37dfb3a95295

SHA256
cd7eb2eaf9363b784a3bfe47c85568a6769889dd03ef308553c3d8c81302ca87

SHA512
5a8c5cacbe2b2b5317243f26e3d418ec1ab2bf328880cbb4525116f7f0d157460d8f5baad4d892dc88a9c3913c8310d3588d0c87bb0626898a586f521549e0b3

Download Submit
C:\Windows\INF\pci.PNF
Filesize
21KB

MD5
0c0da95bb1d408c215d23e91765c37e5

SHA1
f5ebb519981c38368e6a8c1a357955617d064637

SHA256
f115b049c051e01e59c2ccd5a32266e558318fb4a2d0b94852cfd81bbf884f09

SHA512
a0bda7d9c5e8696958bff6080f9f09cb9a3fcd9b143a3aaa3585a6c79236ddbcaa5f0e57613703467b714f88f561b090223568ddf2f81022121b2dfd021a2b57

Download Submit
C:\Windows\INF\rdpbus.PNF
Filesize
7KB

MD5
5f99e935fdeb100ee830b505f20dcd7b

SHA1
c6c6ce347fd49aa141f57fb9a301ec5067f5edab

SHA256
ed1b0901cd253963861c2ff593da7b0a77941587ac868d7140aecf420c29c504

SHA512
019c9dd53b136ac2e1a252008565e2e2674692ff44f70342b7f8aa6e0eac30b1a4d4b8831ad02a55e0322d9c30e825d8176b9294e392275c213451c0157d0795

Download Submit
C:\Windows\INF\spaceport.PNF
Filesize
7KB

MD5
43eca06e49d7fc2e464dde585728acf7

SHA1
5a4ae28deea08756e9a458d4b665ccfb3b0089e9

SHA256
cc86248b9f74db0d93d2c7f480f96c6390d9bf95ac1dcb8911d2b6be2bdd225d

SHA512
c2b2c35dd6dd99ffea0df85dace967bd0772b640152c46b561050c2011ef8214097d4fed107cde3f268637bdfac330a99322d40f63436392257acad76df96ff0

Download Submit
C:\Windows\INF\swenum.PNF
Filesize
7KB

MD5
5b472a89946d2709bec27c763951de62

SHA1
6392d9225bc9f3536d52c497feb39638b585d570

SHA256
ceb09e69d1f5dc4f07a6a69a0fa3cab791131ed3d318750367a48a13b06e1fb0

SHA512
51426dbfead6f6745bf0d4463ffd3cd400a56b9f50d424e320aea597d9bedd5d401f99c25bdc5ea59d412adb16ac5ddbdf3a33e60affbcbad55db9890e14a662

Download Submit
C:\Windows\INF\umbus.PNF
Filesize
9KB

MD5
6f3dc55200afc11a5fca018d1a533424

SHA1
3dfaffcb8e3d4390294a5708955935a6eee9dbb2

SHA256
a262dc0f0bbd6bcae8f52fa0954a41a8aecb52ca00f15a22a47f41afd0ef79cc

SHA512
866eec19c3ccd0e6685d4a69db1cd652f54551decfa10634df9dd6f0dd8e8d23add7f135a972c3d3ec659a71f38f91ff2c41922f5d4a7bf63a64265c97dd893b

Download Submit
C:\Windows\INF\usbport.PNF
Filesize
146KB

MD5
46f55342ecfdc6e8232fdd50990e0d9e

SHA1
5165ca48dc577201c6e1ab9fdfa87744351a6608

SHA256
04ec8e11336e1e8198deca3f5e96080a704b760a2561c70bb898d17d4e90131e

SHA512
854c6ad81d718c1dc4b86ab9d724efe69296f3b78dae0f0b7d4767994336b15e52e4b506b37e75d1205b368f10b717b2803abda16d4190438cfa3f579ab5da57

Download Submit
C:\Windows\INF\vdrvroot.PNF
Filesize
8KB

MD5
87a368aa4783d415a1dbea3f047f566c

SHA1
902bc7f3b0968c83534422ecb4d0ec1049fe4139

SHA256
c76559fd6599b43b05bd28b1e8edc95f137826096f9766d3abc4a6cf9b11673c

SHA512
1db04ae47931f91fd6a8ed5458567663a163d1f1eb1192dd6583fd92afdd75d4ee0be0bbb508ce0d6138b9e0d74e23d37cc8c1af098a7cc2fe21f4b3f733f3ac

Download Submit
C:\Windows\INF\vhdmp.PNF
Filesize
7KB

MD5
10c82f8fdc08d7358192a47ad8fa6952

SHA1
124a270ad4f6f88542d6a3038593f2950a56cfad

SHA256
55e5a9eaaf8e7727231eebb9668f26ae8ba10a24cf53d7048c886c80767b898d

SHA512
d976a177b80e9680c590c7ddb703ce8b60a70d08cb3fddb6b751b02212cb1e445b659f4757c2686d609d0f46da2782c2f85004e72c8614f2d760f809e8c658aa

Download Submit
C:\Windows\INF\volmgr.PNF
Filesize
8KB

MD5
c3b4b1d0478ff48d2b852ac6debb12ef

SHA1
6595f54b5f18b699714ea3af3c80aa8d58355ee0

SHA256
503d09cd3c41cc94dd646c757601909909a98a39ebf20fe8be7c1e06d09276c3

SHA512
ad679173a5dac7b4f18f87d68d6dfda149ebbfeeefb21a24b62f4a02209cb5d44d7e130021a7d65c63d09fe64638c2efb882ff5e747abd57a06fdf0375d801e0

Download Submit
C:\Windows\INF\volume.PNF
Filesize
5KB

MD5
c0f9bde3024493ed084877a08e33a1c9

SHA1
1eaba3c74cdff6a97a6fe0337d078f7692f56210

SHA256
144a191f6f685aa8de1d64503e170472a3e292e7e9780a66ab6c165964703a27

SHA512
3061e4b16e8cfb143cc48f55702fd4d0b668a6aee6521f50999b576a84e25cb9061aba9690726a4a773ccbd70a44ebc9eb4842a454643947f8b67c663b477858

Download Submit
C:\Windows\msagent\chars\Bonzi.acs
Filesize
5.0MB

MD5
1fd2907e2c74c9a908e2af5f948006b5

SHA1
a390e9133bfd0d55ffda07d4714af538b6d50d3d

SHA256
f3d4425238b5f68b4d41ed5be271d2f4118a245baf808a62dc1a9e6e619b2f95

SHA512
8eede3e5e52209b8703706a3e3e63230ba01975348dcdc94ef87f91d7c833a505b177139683ca7a22d8082e72e961e823bc3ad1a84ab9c371f5111f530807171

Download Submit
memory/372-1584-0x000001FA4F200000-0x000001FA4F300000-memory.dmp

Filesize
1024KB

Download
memory/372-1585-0x000001FA4F200000-0x000001FA4F300000-memory.dmp

Filesize
1024KB

Download
memory/372-1588-0x000001FA50370000-0x000001FA50390000-memory.dmp

Filesize
128KB

Download
memory/372-1591-0x000001FA50330000-0x000001FA50350000-memory.dmp

Filesize
128KB

Download
memory/372-1619-0x000001FA50740000-0x000001FA50760000-memory.dmp

Filesize
128KB

Download
memory/1128-1720-0x0000000004930000-0x0000000004931000-memory.dmp

Filesize
4KB

Download
memory/1208-1452-0x0000020FF7BD0000-0x0000020FF7BF0000-memory.dmp

Filesize
128KB

Download
memory/1208-1463-0x0000020FF7FE0000-0x0000020FF8000000-memory.dmp

Filesize
128KB

Download
memory/1208-1443-0x0000020FF7C10000-0x0000020FF7C30000-memory.dmp

Filesize
128KB

Download
memory/1208-1438-0x0000020FF6B00000-0x0000020FF6C00000-memory.dmp

Filesize
1024KB

Download
memory/1700-1063-0x0000026D2DD50000-0x0000026D2DD70000-memory.dmp

Filesize
128KB

Download
memory/1700-1029-0x0000026D2C800000-0x0000026D2C900000-memory.dmp

Filesize
1024KB

Download
memory/1700-1062-0x0000026D2D740000-0x0000026D2D760000-memory.dmp

Filesize
128KB

Download
memory/1700-1034-0x0000026D2D780000-0x0000026D2D7A0000-memory.dmp

Filesize
128KB

Download
memory/2552-1317-0x0000000002D80000-0x0000000002D81000-memory.dmp

Filesize
4KB

Download
memory/3780-1436-0x0000000004DF0000-0x0000000004DF1000-memory.dmp

Filesize
4KB

Download
memory/4064-11671-0x0000000005E90000-0x0000000006434000-memory.dmp

Filesize
5.6MB

Download
memory/4064-11670-0x00000000005A0000-0x0000000000C4E000-memory.dmp

Filesize
6.7MB

Download
memory/4064-11699-0x000000000B7D0000-0x000000000B7DE000-memory.dmp

Filesize
56KB

Download
memory/4064-11698-0x000000000B800000-0x000000000B838000-memory.dmp

Filesize
224KB

Download
memory/4128-2158-0x000001C4E7590000-0x000001C4E75B0000-memory.dmp

Filesize
128KB

Download
memory/4212-882-0x0000000003380000-0x0000000003381000-memory.dmp

Filesize
4KB

Download
memory/4684-1722-0x0000029912B60000-0x0000029912C60000-memory.dmp

Filesize
1024KB

Download
memory/4684-1721-0x0000029912B60000-0x0000029912C60000-memory.dmp

Filesize
1024KB

Download
memory/4684-1750-0x0000029913AB0000-0x0000029913AD0000-memory.dmp

Filesize
128KB

Download
memory/4684-1757-0x00000299140C0000-0x00000299140E0000-memory.dmp

Filesize
128KB

Download
memory/4684-1726-0x0000029913AF0000-0x0000029913B10000-memory.dmp

Filesize
128KB

Download
memory/4684-1723-0x0000029912B60000-0x0000029912C60000-memory.dmp

Filesize
1024KB

Download
memory/4696-2150-0x0000000004600000-0x0000000004601000-memory.dmp

Filesize
4KB

Download
memory/4852-1581-0x0000000004CA0000-0x0000000004CA1000-memory.dmp

Filesize
4KB

Download
memory/5128-1326-0x0000029FE2EE0000-0x0000029FE2F00000-memory.dmp

Filesize
128KB

Download
memory/5128-1324-0x0000029FE28D0000-0x0000029FE28F0000-memory.dmp

Filesize
128KB

Download
memory/5128-1323-0x0000029FE2910000-0x0000029FE2930000-memory.dmp

Filesize
128KB

Download
memory/5128-1318-0x0000029FE1A00000-0x0000029FE1B00000-memory.dmp

Filesize
1024KB

Download
memory/5164-1169-0x00000000031A0000-0x00000000031A1000-memory.dmp

Filesize
4KB

Download
memory/5408-1028-0x0000000004D80000-0x0000000004D81000-memory.dmp

Filesize
4KB

Download
memory/5468-1186-0x000001B01AB40000-0x000001B01AB60000-memory.dmp

Filesize
128KB

Download
memory/5468-1198-0x000001B01AF50000-0x000001B01AF70000-memory.dmp

Filesize
128KB

Download
memory/5468-1176-0x000001B01AB80000-0x000001B01ABA0000-memory.dmp

Filesize
128KB

Download
memory/5468-1171-0x000001B019A00000-0x000001B019B00000-memory.dmp

Filesize
1024KB

Download
memory/5468-1173-0x000001B019A00000-0x000001B019B00000-memory.dmp

Filesize
1024KB

Download
memory/5712-1855-0x000001BA7F700000-0x000001BA7F800000-memory.dmp

Filesize
1024KB

Download
memory/5712-1856-0x000001BA7F700000-0x000001BA7F800000-memory.dmp

Filesize
1024KB

Download
memory/5712-1860-0x000001B2006C0000-0x000001B2006E0000-memory.dmp

Filesize
128KB

Download
memory/5712-1874-0x000001B200680000-0x000001B2006A0000-memory.dmp

Filesize
128KB

Download
memory/5712-1891-0x000001B200A90000-0x000001B200AB0000-memory.dmp

Filesize
128KB

Download
memory/5760-918-0x000001FD2DF00000-0x000001FD2DF20000-memory.dmp

Filesize
128KB

Download
memory/5760-919-0x000001FD2E500000-0x000001FD2E520000-memory.dmp

Filesize
128KB

Download
memory/5760-888-0x000001FD2DF40000-0x000001FD2DF60000-memory.dmp

Filesize
128KB

Download
memory/5760-884-0x000001FD2D000000-0x000001FD2D100000-memory.dmp

Filesize
1024KB

Download
memory/5820-2004-0x000002215E600000-0x000002215E700000-memory.dmp

Filesize
1024KB

Download
memory/5820-2011-0x000002215F300000-0x000002215F320000-memory.dmp

Filesize
128KB

Download
memory/5820-2008-0x000002215F340000-0x000002215F360000-memory.dmp

Filesize
128KB

Download
memory/5820-2024-0x000002215FB20000-0x000002215FB40000-memory.dmp

Filesize
128KB

Download
memory/5876-2002-0x0000000004580000-0x0000000004581000-memory.dmp

Filesize
4KB

Download
memory/5916-1853-0x0000000004110000-0x0000000004111000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads