hxxps://sourceforge[.]net/projects/viraltool/

Analysis

max time kernel
487s
max time network
643s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
07-03-2024 06:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://sourceforge.net/projects/viraltool/

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Executes dropped EXE 2 IoCs

pid	Process
6252	Viral Tool.exe
5480	Viral Tool.exe

Loads dropped DLL 8 IoCs

pid	Process
4892	ViralToolSetup.exe
7104	regsvr32.exe
7144	regsvr32.exe
6252	Viral Tool.exe
6252	Viral Tool.exe
10700	ViralToolSetup.exe
5480	Viral Tool.exe
5480	Viral Tool.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	Viral Tool.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	Viral Tool.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\MSCOMCTL32.OCX	ViralToolSetup.exe
File created	C:\Windows\SysWOW64\comdlg32.ocx	ViralToolSetup.exe

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Viral Tool\Viral Tool.exe	ViralToolSetup.exe
File created	C:\Program Files (x86)\Viral Tool\Read Me.rtf	ViralToolSetup.exe
File created	C:\Program Files (x86)\Viral Tool\License.rtf	ViralToolSetup.exe
File opened for modification	C:\Program Files (x86)\Viral Tool\Viral Tool.url	ViralToolSetup.exe
File created	C:\Program Files (x86)\Viral Tool\uninst.exe	ViralToolSetup.exe
File opened for modification	C:\Program Files (x86)\Viral Tool\Read Me.rtf	WINWORD.EXE
File created	C:\Program Files (x86)\Viral Tool\~$ead Me.rtf	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe

Checks processor information in registry 2 TTPs 11 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies Internet Explorer settings 1 TTPs 35 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\AlternateCLSID = "{8F0F480A-4366-4737-8265-2AD6FDAC8C31}"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\Compatibility Flags = "1024"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2C247F26-8591-11D1-B16A-00C0F0283628}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1EFB6596-857C-11D1-B16A-00C0F0283628}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C27CCE3F-8596-11D1-B16A-00C0F0283628}\ = "ListView Sort Property Page Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C74190B8-8589-11D1-B16A-00C0F0283628}\ProxyStubClsid32	regsvr32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\NodeSlot = "4"	Viral Tool.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.ProgCtrl\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C74190B7-8589-11D1-B16A-00C0F0283628}\TypeLib\ = "{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.TreeCtrl\CurVer	regsvr32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8E3867A4-8586-11D1-B16A-00C0F0283628}\TypeLib\Version = "2.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD9DA665-8594-11D1-B16A-00C0F0283628}	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C74190B4-8589-11D1-B16A-00C0F0283628}\TypeLib\Version = "2.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8F0F480A-4366-4737-8265-2AD6FDAC8C31}\ToolboxBitmap32	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	Viral Tool.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8E3867A3-8586-11D1-B16A-00C0F0283628}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\HELPDIR	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Viral Tool.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C247F23-8591-11D1-B16A-00C0F0283628}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C27CCE3C-8596-11D1-B16A-00C0F0283628}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1904519900-954640453-4250331663-1000\{E471621E-DB21-4C2E-83B0-4620A50F0FB6}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66833FE6-8583-11D1-B16A-00C0F0283628}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\ = "Microsoft Common Dialog Control, version 6.0 (SP6)"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{35053A21-8589-11D1-B16A-00C0F0283628}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8F0F480A-4366-4737-8265-2AD6FDAC8C31}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352}	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Viral Tool.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BDD1F04B-858B-11D1-B16A-00C0F0283628}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1EFB6594-857C-11D1-B16A-00C0F0283628}\ = "ITabStrip"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F08DF952-8592-11D1-B16A-00C0F0283628}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DD9DA666-8594-11D1-B16A-00C0F0283628}\MiscStatus\1\ = "131473"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1EFB6597-857C-11D1-B16A-00C0F0283628}\TypeLib\Version = "2.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{35053A21-8589-11D1-B16A-00C0F0283628}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C247F23-8591-11D1-B16A-00C0F0283628}\MiscStatus\1\ = "165265"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C27CCE3C-8596-11D1-B16A-00C0F0283628}\ = "Slider General Property Page Object"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C74190B5-8589-11D1-B16A-00C0F0283628}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	Viral Tool.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1EFB6596-857C-11D1-B16A-00C0F0283628}\Implemented Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.ProgCtrl\CurVer\ = "MSComctlLib.ProgCtrl.2"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{66833FE9-8583-11D1-B16A-00C0F0283628}\TypeLib\Version = "2.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD9DA662-8594-11D1-B16A-00C0F0283628}\TypeLib\ = "{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C27CCE3A-8596-11D1-B16A-00C0F0283628}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F08DF952-8592-11D1-B16A-00C0F0283628}\TypeLib\ = "{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BDD1F049-858B-11D1-B16A-00C0F0283628}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Viral Tool.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDD1F04E-858B-11D1-B16A-00C0F0283628}\TypeLib\Version = "2.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0 = 980031000000000067580736110050524f4752417e320000800009000400efbe874fdb49675807362e000000c304000000000100000000000000000056000000000038b7b400500072006f006700720061006d002000460069006c0065007300200028007800380036002900000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003700000018000000	Viral Tool.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F08DF954-8592-11D1-B16A-00C0F0283628}\MiscStatus	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDD1F050-858B-11D1-B16A-00C0F0283628}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\ViralToolSetup.zip:Zone.Identifier	firefox.exe

Suspicious behavior: AddClipboardFormatListener 4 IoCs

pid	Process
6992	WINWORD.EXE
6992	WINWORD.EXE
9208	explorer.exe
6832	explorer.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
2160	taskmgr.exe
2160	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
5480	Viral Tool.exe
7248	explorer.exe
6832	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3828	firefox.exe
Token: SeDebugPrivilege	3828	firefox.exe
Token: SeDebugPrivilege	3828	firefox.exe
Token: SeDebugPrivilege	5016	taskmgr.exe
Token: SeSystemProfilePrivilege	5016	taskmgr.exe
Token: SeCreateGlobalPrivilege	5016	taskmgr.exe
Token: 33	5016	taskmgr.exe
Token: SeIncBasePriorityPrivilege	5016	taskmgr.exe
Token: SeDebugPrivilege	3380	taskmgr.exe
Token: SeSystemProfilePrivilege	3380	taskmgr.exe
Token: SeCreateGlobalPrivilege	3380	taskmgr.exe
Token: SeShutdownPrivilege	7828	explorer.exe
Token: SeCreatePagefilePrivilege	7828	explorer.exe
Token: SeShutdownPrivilege	7828	explorer.exe
Token: SeCreatePagefilePrivilege	7828	explorer.exe
Token: SeShutdownPrivilege	7828	explorer.exe
Token: SeCreatePagefilePrivilege	7828	explorer.exe
Token: SeShutdownPrivilege	7828	explorer.exe
Token: SeCreatePagefilePrivilege	7828	explorer.exe
Token: SeShutdownPrivilege	7828	explorer.exe
Token: SeCreatePagefilePrivilege	7828	explorer.exe
Token: SeShutdownPrivilege	7828	explorer.exe
Token: SeCreatePagefilePrivilege	7828	explorer.exe
Token: SeShutdownPrivilege	7828	explorer.exe
Token: SeCreatePagefilePrivilege	7828	explorer.exe
Token: SeShutdownPrivilege	7828	explorer.exe
Token: SeCreatePagefilePrivilege	7828	explorer.exe
Token: SeShutdownPrivilege	7828	explorer.exe
Token: SeCreatePagefilePrivilege	7828	explorer.exe
Token: SeShutdownPrivilege	7828	explorer.exe
Token: SeCreatePagefilePrivilege	7828	explorer.exe
Token: SeShutdownPrivilege	7828	explorer.exe
Token: SeCreatePagefilePrivilege	7828	explorer.exe
Token: SeShutdownPrivilege	7828	explorer.exe
Token: SeCreatePagefilePrivilege	7828	explorer.exe
Token: SeShutdownPrivilege	7828	explorer.exe
Token: SeCreatePagefilePrivilege	7828	explorer.exe
Token: SeShutdownPrivilege	7828	explorer.exe
Token: SeCreatePagefilePrivilege	7828	explorer.exe
Token: SeShutdownPrivilege	7828	explorer.exe
Token: SeCreatePagefilePrivilege	7828	explorer.exe
Token: 33	3380	taskmgr.exe
Token: SeIncBasePriorityPrivilege	3380	taskmgr.exe
Token: SeShutdownPrivilege	6612	explorer.exe
Token: SeCreatePagefilePrivilege	6612	explorer.exe
Token: SeShutdownPrivilege	6612	explorer.exe
Token: SeCreatePagefilePrivilege	6612	explorer.exe
Token: SeShutdownPrivilege	6612	explorer.exe
Token: SeCreatePagefilePrivilege	6612	explorer.exe
Token: SeShutdownPrivilege	6612	explorer.exe
Token: SeCreatePagefilePrivilege	6612	explorer.exe
Token: SeShutdownPrivilege	6612	explorer.exe
Token: SeCreatePagefilePrivilege	6612	explorer.exe
Token: SeShutdownPrivilege	6612	explorer.exe
Token: SeCreatePagefilePrivilege	6612	explorer.exe
Token: SeShutdownPrivilege	6612	explorer.exe
Token: SeCreatePagefilePrivilege	6612	explorer.exe
Token: SeShutdownPrivilege	6612	explorer.exe
Token: SeCreatePagefilePrivilege	6612	explorer.exe
Token: SeShutdownPrivilege	6612	explorer.exe
Token: SeCreatePagefilePrivilege	6612	explorer.exe
Token: SeShutdownPrivilege	6612	explorer.exe
Token: SeCreatePagefilePrivilege	6612	explorer.exe
Token: SeShutdownPrivilege	6612	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3828	firefox.exe
3828	firefox.exe
3828	firefox.exe
3828	firefox.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
6252	Viral Tool.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3828	firefox.exe
3828	firefox.exe
3828	firefox.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
5016	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe
3380	taskmgr.exe

Suspicious use of SetWindowsHookEx 58 IoCs

pid	Process
3828	firefox.exe
3828	firefox.exe
3828	firefox.exe
3828	firefox.exe
6252	Viral Tool.exe
6992	WINWORD.EXE
6992	WINWORD.EXE
6992	WINWORD.EXE
6992	WINWORD.EXE
6252	Viral Tool.exe
5480	Viral Tool.exe
5480	Viral Tool.exe
5480	Viral Tool.exe
2484	StartMenuExperienceHost.exe
4176	StartMenuExperienceHost.exe
6900	SearchApp.exe
4568	StartMenuExperienceHost.exe
7864	SearchApp.exe
5480	Viral Tool.exe
6288	StartMenuExperienceHost.exe
4564	StartMenuExperienceHost.exe
8988	SearchApp.exe
9208	explorer.exe
9208	explorer.exe
9816	StartMenuExperienceHost.exe
9504	SearchApp.exe
5480	Viral Tool.exe
10712	StartMenuExperienceHost.exe
3520	SearchApp.exe
6776	StartMenuExperienceHost.exe
1688	StartMenuExperienceHost.exe
7156	SearchApp.exe
2172	StartMenuExperienceHost.exe
4820	SearchApp.exe
2412	SearchApp.exe
5856	SearchApp.exe
6832	explorer.exe
6832	explorer.exe
8488	SearchApp.exe
6832	explorer.exe
6832	explorer.exe
7540	SearchApp.exe
6832	explorer.exe
6832	explorer.exe
6832	explorer.exe
6832	explorer.exe
5884	SearchApp.exe
6832	explorer.exe
6832	explorer.exe
6832	explorer.exe
6832	explorer.exe
6832	explorer.exe
6832	explorer.exe
5480	Viral Tool.exe
5480	Viral Tool.exe
5480	Viral Tool.exe
5480	Viral Tool.exe
5480	Viral Tool.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3608 wrote to memory of 3828	3608	firefox.exe	94
PID 3608 wrote to memory of 3828	3608	firefox.exe	94
PID 3608 wrote to memory of 3828	3608	firefox.exe	94
PID 3608 wrote to memory of 3828	3608	firefox.exe	94
PID 3608 wrote to memory of 3828	3608	firefox.exe	94
PID 3608 wrote to memory of 3828	3608	firefox.exe	94
PID 3608 wrote to memory of 3828	3608	firefox.exe	94
PID 3608 wrote to memory of 3828	3608	firefox.exe	94
PID 3608 wrote to memory of 3828	3608	firefox.exe	94
PID 3608 wrote to memory of 3828	3608	firefox.exe	94
PID 3608 wrote to memory of 3828	3608	firefox.exe	94
PID 3828 wrote to memory of 1320	3828	firefox.exe	95
PID 3828 wrote to memory of 1320	3828	firefox.exe	95
PID 3828 wrote to memory of 1856	3828	firefox.exe	96
PID 3828 wrote to memory of 1856	3828	firefox.exe	96
PID 3828 wrote to memory of 1856	3828	firefox.exe	96
PID 3828 wrote to memory of 1856	3828	firefox.exe	96
PID 3828 wrote to memory of 1856	3828	firefox.exe	96
PID 3828 wrote to memory of 1856	3828	firefox.exe	96
PID 3828 wrote to memory of 1856	3828	firefox.exe	96
PID 3828 wrote to memory of 1856	3828	firefox.exe	96
PID 3828 wrote to memory of 1856	3828	firefox.exe	96
PID 3828 wrote to memory of 1856	3828	firefox.exe	96
PID 3828 wrote to memory of 1856	3828	firefox.exe	96
PID 3828 wrote to memory of 1856	3828	firefox.exe	96
PID 3828 wrote to memory of 1856	3828	firefox.exe	96
PID 3828 wrote to memory of 1856	3828	firefox.exe	96
PID 3828 wrote to memory of 1856	3828	firefox.exe	96
PID 3828 wrote to memory of 1856	3828	firefox.exe	96
PID 3828 wrote to memory of 1856	3828	firefox.exe	96
PID 3828 wrote to memory of 1856	3828	firefox.exe	96
PID 3828 wrote to memory of 1856	3828	firefox.exe	96
PID 3828 wrote to memory of 1856	3828	firefox.exe	96
PID 3828 wrote to memory of 1856	3828	firefox.exe	96
PID 3828 wrote to memory of 1856	3828	firefox.exe	96
PID 3828 wrote to memory of 1856	3828	firefox.exe	96
PID 3828 wrote to memory of 1856	3828	firefox.exe	96
PID 3828 wrote to memory of 1856	3828	firefox.exe	96
PID 3828 wrote to memory of 1856	3828	firefox.exe	96
PID 3828 wrote to memory of 1856	3828	firefox.exe	96
PID 3828 wrote to memory of 1856	3828	firefox.exe	96
PID 3828 wrote to memory of 1856	3828	firefox.exe	96
PID 3828 wrote to memory of 1856	3828	firefox.exe	96
PID 3828 wrote to memory of 1856	3828	firefox.exe	96
PID 3828 wrote to memory of 1856	3828	firefox.exe	96
PID 3828 wrote to memory of 1856	3828	firefox.exe	96
PID 3828 wrote to memory of 1856	3828	firefox.exe	96
PID 3828 wrote to memory of 1856	3828	firefox.exe	96
PID 3828 wrote to memory of 1856	3828	firefox.exe	96
PID 3828 wrote to memory of 1856	3828	firefox.exe	96
PID 3828 wrote to memory of 1856	3828	firefox.exe	96
PID 3828 wrote to memory of 1856	3828	firefox.exe	96
PID 3828 wrote to memory of 1856	3828	firefox.exe	96
PID 3828 wrote to memory of 1856	3828	firefox.exe	96
PID 3828 wrote to memory of 1856	3828	firefox.exe	96
PID 3828 wrote to memory of 1856	3828	firefox.exe	96
PID 3828 wrote to memory of 1856	3828	firefox.exe	96
PID 3828 wrote to memory of 1856	3828	firefox.exe	96
PID 3828 wrote to memory of 1856	3828	firefox.exe	96
PID 3828 wrote to memory of 1856	3828	firefox.exe	96
PID 3828 wrote to memory of 1856	3828	firefox.exe	96
PID 3828 wrote to memory of 3820	3828	firefox.exe	97
PID 3828 wrote to memory of 3820	3828	firefox.exe	97
PID 3828 wrote to memory of 3820	3828	firefox.exe	97

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://sourceforge.net/projects/viraltool/"
1⤵
- Suspicious use of WriteProcessMemory
PID:3608
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://sourceforge.net/projects/viraltool/
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3828
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3828.0.105382711\156508850" -parentBuildID 20221007134813 -prefsHandle 1904 -prefMapHandle 1896 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {44fc902d-403f-41e1-889e-514c08248ac4} 3828 "\\.\pipe\gecko-crash-server-pipe.3828" 1984 294535e2758 gpu
    3⤵
    PID:1320
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3828.1.1897772234\724875741" -parentBuildID 20221007134813 -prefsHandle 2436 -prefMapHandle 2432 -prefsLen 21565 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {51dfc7a6-0105-4595-8e18-a42185ca302a} 3828 "\\.\pipe\gecko-crash-server-pipe.3828" 2448 294469f6258 socket
    3⤵
    - Checks processor information in registry
    PID:1856
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3828.2.107665070\1738876546" -childID 1 -isForBrowser -prefsHandle 3148 -prefMapHandle 2952 -prefsLen 21603 -prefMapSize 233444 -jsInitHandle 1084 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {97f0ad4d-d87e-454f-b9a0-8add9dbf7804} 3828 "\\.\pipe\gecko-crash-server-pipe.3828" 2940 2945356c258 tab
    3⤵
    PID:3820
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3828.3.683216660\255337835" -childID 2 -isForBrowser -prefsHandle 3636 -prefMapHandle 3632 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1084 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3dea0289-da7c-4687-b9c6-85cfa8f978fa} 3828 "\\.\pipe\gecko-crash-server-pipe.3828" 3648 29446961c58 tab
    3⤵
    PID:1124
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3828.4.2098292802\1836713492" -childID 3 -isForBrowser -prefsHandle 4976 -prefMapHandle 4972 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1084 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {725a86ed-2c64-4ac4-bcf6-604b1f7ef249} 3828 "\\.\pipe\gecko-crash-server-pipe.3828" 4964 29459d68958 tab
    3⤵
    PID:3804
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3828.5.1059703777\71734341" -childID 4 -isForBrowser -prefsHandle 5124 -prefMapHandle 5128 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1084 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a6177658-b177-476f-bb25-86869d896cde} 3828 "\\.\pipe\gecko-crash-server-pipe.3828" 5016 2945a21f558 tab
    3⤵
    PID:3040
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3828.6.1141315090\1068885077" -childID 5 -isForBrowser -prefsHandle 5332 -prefMapHandle 5100 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1084 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d445f0e9-0f52-4d50-8dbe-1fabb8624012} 3828 "\\.\pipe\gecko-crash-server-pipe.3828" 4992 2945a321f58 tab
    3⤵
    PID:1688
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3828.7.138316432\266892662" -childID 6 -isForBrowser -prefsHandle 6036 -prefMapHandle 5844 -prefsLen 26381 -prefMapSize 233444 -jsInitHandle 1084 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {01a3a578-ddca-4c6e-84aa-366b035ad3b7} 3828 "\\.\pipe\gecko-crash-server-pipe.3828" 6044 2945a530358 tab
    3⤵
    PID:5780
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3828.8.4181881\1578926035" -childID 7 -isForBrowser -prefsHandle 5400 -prefMapHandle 5000 -prefsLen 26381 -prefMapSize 233444 -jsInitHandle 1084 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c729cacf-97eb-49da-8392-f2c99e94d239} 3828 "\\.\pipe\gecko-crash-server-pipe.3828" 5520 2945b72ce58 tab
    3⤵
    PID:5284
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3828.9.935972563\802383140" -childID 8 -isForBrowser -prefsHandle 6216 -prefMapHandle 6220 -prefsLen 26381 -prefMapSize 233444 -jsInitHandle 1084 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {26adee5a-4d4c-46db-a5b2-121b3c173e8c} 3828 "\\.\pipe\gecko-crash-server-pipe.3828" 6208 2945b7e3558 tab
    3⤵
    PID:5456
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3828.10.804953278\601792255" -childID 9 -isForBrowser -prefsHandle 4456 -prefMapHandle 10300 -prefsLen 26381 -prefMapSize 233444 -jsInitHandle 1084 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b6e08f0a-1587-4e83-acef-aa16708c32a6} 3828 "\\.\pipe\gecko-crash-server-pipe.3828" 4984 29454977258 tab
    3⤵
    PID:6932
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3828.11.226327237\1559738316" -childID 10 -isForBrowser -prefsHandle 6796 -prefMapHandle 6792 -prefsLen 26381 -prefMapSize 233444 -jsInitHandle 1084 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e5a2211c-1e4a-4840-b190-d5966d429ee6} 3828 "\\.\pipe\gecko-crash-server-pipe.3828" 6804 2945b895058 tab
    3⤵
    PID:6940
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3828.12.53703850\826682111" -childID 11 -isForBrowser -prefsHandle 6656 -prefMapHandle 4964 -prefsLen 26381 -prefMapSize 233444 -jsInitHandle 1084 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a5da8574-cb95-43cb-b161-e8eaf3957193} 3828 "\\.\pipe\gecko-crash-server-pipe.3828" 6596 2945b8b7e58 tab
    3⤵
    PID:5908

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5200

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4040 --field-trial-handle=2256,i,6057863739127169200,6895476048812676039,262144 --variations-seed-version /prefetch:8
1⤵
PID:5372

C:\Users\Admin\Downloads\ViralToolSetup\ViralToolSetup.exe
"C:\Users\Admin\Downloads\ViralToolSetup\ViralToolSetup.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
PID:4892
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32.exe /s "C:\Windows\system32\MSCOMCTL32.ocx"
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:7104
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32.exe /s "C:\Windows\system32\comdlg32.ocx"
  2⤵
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Modifies registry class
  PID:7144
- C:\Program Files (x86)\Viral Tool\Viral Tool.exe
  "C:\Program Files (x86)\Viral Tool\Viral Tool.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:6252
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Program Files (x86)\Viral Tool\Read Me.rtf" /o ""
  2⤵
  - Drops file in Program Files directory
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:6992

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:6580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\meow.cmd" "
1⤵
PID:5928
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4332
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4788
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2852
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3536
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3932
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5764
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5284
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6388
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2464
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6408
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3376
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3300
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3476
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3380
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5556
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5640
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4460
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6044
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6040
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3616
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5776
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4032
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6712
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6720
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1900
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4668
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6976
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4112
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3940
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1612
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1784
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6908
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5384
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1620
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6624
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6168
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6824
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6832
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4240
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6332
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6060
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7104
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5548
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6880
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3584
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2400
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2556
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5540
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2876
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1892
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2392
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7112
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6224
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5156
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2204
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1192
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5840
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5004
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5772
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6032
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1876
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5980
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5824
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6780
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7172
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7196
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7220
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7252
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7368
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7388
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7416
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7444
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7480
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7592
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7612
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7636
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7668
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7812
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7828
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7844
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7884
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7920
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7988
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8020
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8048
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8128
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7192
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8044
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8140
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8380
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8396
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8416
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8424
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8500
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8600
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8616
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8624
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8632
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8640
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8648
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8656
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8664
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8672
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8680
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8688
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8696
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8704
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8712
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8720
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8728
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8736
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8744
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8752
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8760
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8768
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8776
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8784
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8792
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8800
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8808
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8816
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8824
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8832
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8840
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8848
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8856
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8864
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8872
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8880
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8892
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8900
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8908
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8916
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8924
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8932
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8940
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8948
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10036
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10052
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10060
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10068
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10076
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10084
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10092
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10220
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9028
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10256
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10272

C:\Users\Admin\Downloads\ViralToolSetup\ViralToolSetup.exe
"C:\Users\Admin\Downloads\ViralToolSetup\ViralToolSetup.exe"
1⤵
- Loads dropped DLL
PID:10700

C:\Program Files (x86)\Viral Tool\Viral Tool.exe
"C:\Program Files (x86)\Viral Tool\Viral Tool.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\test.cmd" "
1⤵
PID:8504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.facebook.com/
  2⤵
  PID:8904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.facebook.com/
  2⤵
  PID:6840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.facebook.com/
  2⤵
  PID:7484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.facebook.com/
  2⤵
  PID:5144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.facebook.com/
  2⤵
  PID:5392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.facebook.com/
  2⤵
  PID:1192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.facebook.com/
  2⤵
  PID:7908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.facebook.com/
  2⤵
  PID:11088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.facebook.com/
  2⤵
  PID:7352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.facebook.com/
  2⤵
  PID:5264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.facebook.com/
  2⤵
  PID:7568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.facebook.com/
  2⤵
  PID:5456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.facebook.com/
  2⤵
  PID:9692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.facebook.com/
  2⤵
  PID:7432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.facebook.com/
  2⤵
  PID:5764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.facebook.com/
  2⤵
  PID:7160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.facebook.com/
  2⤵
  PID:2692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.facebook.com/
  2⤵
  PID:7604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.facebook.com/
  2⤵
  PID:6916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.facebook.com/
  2⤵
  PID:8408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.facebook.com/
  2⤵
  PID:6796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.facebook.com/
  2⤵
  PID:1876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.facebook.com/
  2⤵
  PID:5644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.facebook.com/
  2⤵
  PID:5724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.facebook.com/
  2⤵
  PID:5424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.facebook.com/
  2⤵
  PID:1840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.facebook.com/
  2⤵
  PID:5168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.facebook.com/
  2⤵
  PID:6844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.facebook.com/
  2⤵
  PID:2032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.facebook.com/
  2⤵
  PID:6324

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=4464 --field-trial-handle=2256,i,6057863739127169200,6895476048812676039,262144 --variations-seed-version /prefetch:1
1⤵
PID:7992

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --mojo-platform-channel-handle=5348 --field-trial-handle=2256,i,6057863739127169200,6895476048812676039,262144 --variations-seed-version /prefetch:1
1⤵
PID:7640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=4920 --field-trial-handle=2256,i,6057863739127169200,6895476048812676039,262144 --variations-seed-version /prefetch:1
1⤵
PID:2172

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --mojo-platform-channel-handle=4636 --field-trial-handle=2256,i,6057863739127169200,6895476048812676039,262144 --variations-seed-version /prefetch:1
1⤵
PID:8332

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5736 --field-trial-handle=2256,i,6057863739127169200,6895476048812676039,262144 --variations-seed-version /prefetch:8
1⤵
PID:6816

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --mojo-platform-channel-handle=5892 --field-trial-handle=2256,i,6057863739127169200,6895476048812676039,262144 --variations-seed-version /prefetch:1
1⤵
PID:5992

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --mojo-platform-channel-handle=5784 --field-trial-handle=2256,i,6057863739127169200,6895476048812676039,262144 --variations-seed-version /prefetch:1
1⤵
PID:6380

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --mojo-platform-channel-handle=6212 --field-trial-handle=2256,i,6057863739127169200,6895476048812676039,262144 --variations-seed-version /prefetch:1
1⤵
PID:11100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --mojo-platform-channel-handle=6360 --field-trial-handle=2256,i,6057863739127169200,6895476048812676039,262144 --variations-seed-version /prefetch:1
1⤵
PID:7112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --mojo-platform-channel-handle=6532 --field-trial-handle=2256,i,6057863739127169200,6895476048812676039,262144 --variations-seed-version /prefetch:1
1⤵
PID:6880

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --mojo-platform-channel-handle=6696 --field-trial-handle=2256,i,6057863739127169200,6895476048812676039,262144 --variations-seed-version /prefetch:1
1⤵
PID:11084

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --mojo-platform-channel-handle=6820 --field-trial-handle=2256,i,6057863739127169200,6895476048812676039,262144 --variations-seed-version /prefetch:1
1⤵
PID:5348

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --mojo-platform-channel-handle=6972 --field-trial-handle=2256,i,6057863739127169200,6895476048812676039,262144 --variations-seed-version /prefetch:1
1⤵
PID:5248

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --mojo-platform-channel-handle=7184 --field-trial-handle=2256,i,6057863739127169200,6895476048812676039,262144 --variations-seed-version /prefetch:1
1⤵
PID:8196

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --mojo-platform-channel-handle=7324 --field-trial-handle=2256,i,6057863739127169200,6895476048812676039,262144 --variations-seed-version /prefetch:1
1⤵
PID:7300

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --mojo-platform-channel-handle=7504 --field-trial-handle=2256,i,6057863739127169200,6895476048812676039,262144 --variations-seed-version /prefetch:1
1⤵
PID:1320

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --mojo-platform-channel-handle=6684 --field-trial-handle=2256,i,6057863739127169200,6895476048812676039,262144 --variations-seed-version /prefetch:1
1⤵
PID:1952

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --mojo-platform-channel-handle=7712 --field-trial-handle=2256,i,6057863739127169200,6895476048812676039,262144 --variations-seed-version /prefetch:1
1⤵
PID:4036

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --mojo-platform-channel-handle=7784 --field-trial-handle=2256,i,6057863739127169200,6895476048812676039,262144 --variations-seed-version /prefetch:1
1⤵
PID:7644

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --mojo-platform-channel-handle=8036 --field-trial-handle=2256,i,6057863739127169200,6895476048812676039,262144 --variations-seed-version /prefetch:1
1⤵
PID:6152

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --mojo-platform-channel-handle=8052 --field-trial-handle=2256,i,6057863739127169200,6895476048812676039,262144 --variations-seed-version /prefetch:1
1⤵
PID:6252

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --mojo-platform-channel-handle=8308 --field-trial-handle=2256,i,6057863739127169200,6895476048812676039,262144 --variations-seed-version /prefetch:1
1⤵
PID:6228

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --mojo-platform-channel-handle=8424 --field-trial-handle=2256,i,6057863739127169200,6895476048812676039,262144 --variations-seed-version /prefetch:1
1⤵
PID:6188

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --mojo-platform-channel-handle=8588 --field-trial-handle=2256,i,6057863739127169200,6895476048812676039,262144 --variations-seed-version /prefetch:1
1⤵
PID:7592

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=42 --mojo-platform-channel-handle=8732 --field-trial-handle=2256,i,6057863739127169200,6895476048812676039,262144 --variations-seed-version /prefetch:1
1⤵
PID:8020

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=43 --mojo-platform-channel-handle=8788 --field-trial-handle=2256,i,6057863739127169200,6895476048812676039,262144 --variations-seed-version /prefetch:1
1⤵
PID:4332

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=44 --mojo-platform-channel-handle=9044 --field-trial-handle=2256,i,6057863739127169200,6895476048812676039,262144 --variations-seed-version /prefetch:1
1⤵
PID:1140

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=45 --mojo-platform-channel-handle=9112 --field-trial-handle=2256,i,6057863739127169200,6895476048812676039,262144 --variations-seed-version /prefetch:1
1⤵
PID:8548

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=46 --mojo-platform-channel-handle=6232 --field-trial-handle=2256,i,6057863739127169200,6895476048812676039,262144 --variations-seed-version /prefetch:1
1⤵
PID:6516

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=47 --mojo-platform-channel-handle=9460 --field-trial-handle=2256,i,6057863739127169200,6895476048812676039,262144 --variations-seed-version /prefetch:1
1⤵
PID:6476

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=48 --mojo-platform-channel-handle=9600 --field-trial-handle=2256,i,6057863739127169200,6895476048812676039,262144 --variations-seed-version /prefetch:1
1⤵
PID:5028

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=49 --mojo-platform-channel-handle=9824 --field-trial-handle=2256,i,6057863739127169200,6895476048812676039,262144 --variations-seed-version /prefetch:1
1⤵
PID:3224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=50 --mojo-platform-channel-handle=9932 --field-trial-handle=2256,i,6057863739127169200,6895476048812676039,262144 --variations-seed-version /prefetch:1
1⤵
PID:8088

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=51 --mojo-platform-channel-handle=6520 --field-trial-handle=2256,i,6057863739127169200,6895476048812676039,262144 --variations-seed-version /prefetch:1
1⤵
PID:8016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=52 --mojo-platform-channel-handle=10208 --field-trial-handle=2256,i,6057863739127169200,6895476048812676039,262144 --variations-seed-version /prefetch:1
1⤵
PID:8532

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=53 --mojo-platform-channel-handle=10352 --field-trial-handle=2256,i,6057863739127169200,6895476048812676039,262144 --variations-seed-version /prefetch:1
1⤵
PID:3584

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=54 --mojo-platform-channel-handle=10512 --field-trial-handle=2256,i,6057863739127169200,6895476048812676039,262144 --variations-seed-version /prefetch:1
1⤵
PID:6036

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=55 --mojo-platform-channel-handle=7436 --field-trial-handle=2256,i,6057863739127169200,6895476048812676039,262144 --variations-seed-version /prefetch:1
1⤵
PID:5832

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=56 --mojo-platform-channel-handle=10744 --field-trial-handle=2256,i,6057863739127169200,6895476048812676039,262144 --variations-seed-version /prefetch:1
1⤵
PID:8116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=57 --mojo-platform-channel-handle=7788 --field-trial-handle=2256,i,6057863739127169200,6895476048812676039,262144 --variations-seed-version /prefetch:1
1⤵
PID:8076

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=58 --mojo-platform-channel-handle=10904 --field-trial-handle=2256,i,6057863739127169200,6895476048812676039,262144 --variations-seed-version /prefetch:1
1⤵
PID:8168

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=59 --mojo-platform-channel-handle=11180 --field-trial-handle=2256,i,6057863739127169200,6895476048812676039,262144 --variations-seed-version /prefetch:1
1⤵
PID:2636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=60 --mojo-platform-channel-handle=11364 --field-trial-handle=2256,i,6057863739127169200,6895476048812676039,262144 --variations-seed-version /prefetch:1
1⤵
PID:6164

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=61 --mojo-platform-channel-handle=11476 --field-trial-handle=2256,i,6057863739127169200,6895476048812676039,262144 --variations-seed-version /prefetch:1
1⤵
PID:7576

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=62 --mojo-platform-channel-handle=9632 --field-trial-handle=2256,i,6057863739127169200,6895476048812676039,262144 --variations-seed-version /prefetch:1
1⤵
PID:6060

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=63 --mojo-platform-channel-handle=11800 --field-trial-handle=2256,i,6057863739127169200,6895476048812676039,262144 --variations-seed-version /prefetch:1
1⤵
PID:7684

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=64 --mojo-platform-channel-handle=11608 --field-trial-handle=2256,i,6057863739127169200,6895476048812676039,262144 --variations-seed-version /prefetch:1
1⤵
PID:8136

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=65 --mojo-platform-channel-handle=12104 --field-trial-handle=2256,i,6057863739127169200,6895476048812676039,262144 --variations-seed-version /prefetch:1
1⤵
PID:5884

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=66 --mojo-platform-channel-handle=8592 --field-trial-handle=2256,i,6057863739127169200,6895476048812676039,262144 --variations-seed-version /prefetch:1
1⤵
PID:2364

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=67 --mojo-platform-channel-handle=12360 --field-trial-handle=2256,i,6057863739127169200,6895476048812676039,262144 --variations-seed-version /prefetch:1
1⤵
PID:6452

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=68 --mojo-platform-channel-handle=12496 --field-trial-handle=2256,i,6057863739127169200,6895476048812676039,262144 --variations-seed-version /prefetch:1
1⤵
PID:3352

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=69 --mojo-platform-channel-handle=12660 --field-trial-handle=2256,i,6057863739127169200,6895476048812676039,262144 --variations-seed-version /prefetch:1
1⤵
PID:1472

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=70 --mojo-platform-channel-handle=12776 --field-trial-handle=2256,i,6057863739127169200,6895476048812676039,262144 --variations-seed-version /prefetch:1
1⤵
PID:6320

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=71 --mojo-platform-channel-handle=12956 --field-trial-handle=2256,i,6057863739127169200,6895476048812676039,262144 --variations-seed-version /prefetch:1
1⤵
PID:7460

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=72 --mojo-platform-channel-handle=13080 --field-trial-handle=2256,i,6057863739127169200,6895476048812676039,262144 --variations-seed-version /prefetch:1
1⤵
PID:6744

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=73 --mojo-platform-channel-handle=13268 --field-trial-handle=2256,i,6057863739127169200,6895476048812676039,262144 --variations-seed-version /prefetch:1
1⤵
PID:6612

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\ba3350d2a3374b0dad6ed6de3ef9b745 /t 4044 /p 2436
1⤵
PID:9084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\test.cmd" "
1⤵
PID:10832
- C:\Windows\system32\msg.exe
  msg * Oops!
  2⤵
  PID:10680
- C:\Windows\system32\msg.exe
  msg * You
  2⤵
  PID:8668
- C:\Windows\system32\msg.exe
  msg * Are
  2⤵
  PID:8856
- C:\Windows\system32\msg.exe
  msg * Hacked
  2⤵
  PID:10860
- C:\Windows\system32\msg.exe
  msg * Oops!
  2⤵
  PID:10516
- C:\Windows\system32\msg.exe
  msg * You
  2⤵
  PID:10660
- C:\Windows\system32\msg.exe
  msg * Are
  2⤵
  PID:10992
- C:\Windows\system32\msg.exe
  msg * Hacked
  2⤵
  PID:11108
- C:\Windows\system32\msg.exe
  msg * Oops!
  2⤵
  PID:11004
- C:\Windows\system32\msg.exe
  msg * You
  2⤵
  PID:10476
- C:\Windows\system32\msg.exe
  msg * Are
  2⤵
  PID:8848
- C:\Windows\system32\msg.exe
  msg * Hacked
  2⤵
  PID:10472
- C:\Windows\system32\msg.exe
  msg * Oops!
  2⤵
  PID:9880
- C:\Windows\system32\msg.exe
  msg * You
  2⤵
  PID:9168
- C:\Windows\system32\msg.exe
  msg * Are
  2⤵
  PID:5892
- C:\Windows\system32\msg.exe
  msg * Hacked
  2⤵
  PID:10112
- C:\Windows\system32\msg.exe
  msg * Oops!
  2⤵
  PID:8760
- C:\Windows\system32\msg.exe
  msg * You
  2⤵
  PID:9416
- C:\Windows\system32\msg.exe
  msg * Are
  2⤵
  PID:9276
- C:\Windows\system32\msg.exe
  msg * Hacked
  2⤵
  PID:10400
- C:\Windows\system32\msg.exe
  msg * Oops!
  2⤵
  PID:8296
- C:\Windows\system32\msg.exe
  msg * You
  2⤵
  PID:9124
- C:\Windows\system32\msg.exe
  msg * Are
  2⤵
  PID:6968
- C:\Windows\system32\msg.exe
  msg * Hacked
  2⤵
  PID:9632
- C:\Windows\system32\msg.exe
  msg * Oops!
  2⤵
  PID:10236
- C:\Windows\system32\msg.exe
  msg * You
  2⤵
  PID:9372
- C:\Windows\system32\msg.exe
  msg * Are
  2⤵
  PID:11012
- C:\Windows\system32\msg.exe
  msg * Hacked
  2⤵
  PID:10780
- C:\Windows\system32\msg.exe
  msg * Oops!
  2⤵
  PID:9196
- C:\Windows\system32\msg.exe
  msg * You
  2⤵
  PID:9284
- C:\Windows\system32\msg.exe
  msg * Are
  2⤵
  PID:628
- C:\Windows\system32\msg.exe
  msg * Hacked
  2⤵
  PID:9104
- C:\Windows\system32\msg.exe
  msg * Oops!
  2⤵
  PID:4564
- C:\Windows\system32\msg.exe
  msg * You
  2⤵
  PID:10312
- C:\Windows\system32\msg.exe
  msg * Are
  2⤵
  PID:9720
- C:\Windows\system32\msg.exe
  msg * Hacked
  2⤵
  PID:7780
- C:\Windows\system32\msg.exe
  msg * Oops!
  2⤵
  PID:10128
- C:\Windows\system32\msg.exe
  msg * You
  2⤵
  PID:9448
- C:\Windows\system32\msg.exe
  msg * Are
  2⤵
  PID:11248
- C:\Windows\system32\msg.exe
  msg * Hacked
  2⤵
  PID:9224
- C:\Windows\system32\msg.exe
  msg * Oops!
  2⤵
  PID:8988
- C:\Windows\system32\msg.exe
  msg * You
  2⤵
  PID:9376
- C:\Windows\system32\msg.exe
  msg * Are
  2⤵
  PID:7376
- C:\Windows\system32\msg.exe
  msg * Hacked
  2⤵
  PID:10252
- C:\Windows\system32\msg.exe
  msg * Oops!
  2⤵
  PID:11000
- C:\Windows\system32\msg.exe
  msg * You
  2⤵
  PID:11228
- C:\Windows\system32\msg.exe
  msg * Are
  2⤵
  PID:9248
- C:\Windows\system32\msg.exe
  msg * Hacked
  2⤵
  PID:9660
- C:\Windows\system32\msg.exe
  msg * Oops!
  2⤵
  PID:5620
- C:\Windows\system32\msg.exe
  msg * You
  2⤵
  PID:8632
- C:\Windows\system32\msg.exe
  msg * Are
  2⤵
  PID:5056
- C:\Windows\system32\msg.exe
  msg * Hacked
  2⤵
  PID:8696
- C:\Windows\system32\msg.exe
  msg * Oops!
  2⤵
  PID:9912
- C:\Windows\system32\msg.exe
  msg * You
  2⤵
  PID:9408
- C:\Windows\system32\msg.exe
  msg * Are
  2⤵
  PID:11208
- C:\Windows\system32\msg.exe
  msg * Hacked
  2⤵
  PID:9032
- C:\Windows\system32\msg.exe
  msg * Oops!
  2⤵
  PID:11204
- C:\Windows\system32\msg.exe
  msg * You
  2⤵
  PID:9380
- C:\Windows\system32\msg.exe
  msg * Are
  2⤵
  PID:10124
- C:\Windows\system32\msg.exe
  msg * Hacked
  2⤵
  PID:9600
- C:\Windows\system32\msg.exe
  msg * Oops!
  2⤵
  PID:5496
- C:\Windows\system32\msg.exe
  msg * You
  2⤵
  PID:9028
- C:\Windows\system32\msg.exe
  msg * Are
  2⤵
  PID:8664
- C:\Windows\system32\msg.exe
  msg * Hacked
  2⤵
  PID:9856
- C:\Windows\system32\msg.exe
  msg * Oops!
  2⤵
  PID:9980
- C:\Windows\system32\msg.exe
  msg * You
  2⤵
  PID:8672
- C:\Windows\system32\msg.exe
  msg * Are
  2⤵
  PID:10052
- C:\Windows\system32\msg.exe
  msg * Hacked
  2⤵
  PID:9792
- C:\Windows\system32\msg.exe
  msg * Oops!
  2⤵
  PID:9400
- C:\Windows\system32\msg.exe
  msg * You
  2⤵
  PID:10168
- C:\Windows\system32\msg.exe
  msg * Are
  2⤵
  PID:11240
- C:\Windows\system32\msg.exe
  msg * Hacked
  2⤵
  PID:11192
- C:\Windows\system32\msg.exe
  msg * Oops!
  2⤵
  PID:8880
- C:\Windows\system32\msg.exe
  msg * You
  2⤵
  PID:9452
- C:\Windows\system32\msg.exe
  msg * Are
  2⤵
  PID:9120
- C:\Windows\system32\msg.exe
  msg * Hacked
  2⤵
  PID:9804
- C:\Windows\system32\msg.exe
  msg * Oops!
  2⤵
  PID:9956
- C:\Windows\system32\msg.exe
  msg * You
  2⤵
  PID:10300
- C:\Windows\system32\msg.exe
  msg * Are
  2⤵
  PID:8460
- C:\Windows\system32\msg.exe
  msg * Hacked
  2⤵
  PID:3988
- C:\Windows\system32\msg.exe
  msg * Oops!
  2⤵
  PID:9364
- C:\Windows\system32\msg.exe
  msg * You
  2⤵
  PID:9940
- C:\Windows\system32\msg.exe
  msg * Are
  2⤵
  PID:5420
- C:\Windows\system32\msg.exe
  msg * Hacked
  2⤵
  PID:10384
- C:\Windows\system32\msg.exe
  msg * Oops!
  2⤵
  PID:9240
- C:\Windows\system32\msg.exe
  msg * You
  2⤵
  PID:9752
- C:\Windows\system32\msg.exe
  msg * Are
  2⤵
  PID:9436
- C:\Windows\system32\msg.exe
  msg * Hacked
  2⤵
  PID:9076
- C:\Windows\system32\msg.exe
  msg * Oops!
  2⤵
  PID:9732
- C:\Windows\system32\msg.exe
  msg * You
  2⤵
  PID:9540
- C:\Windows\system32\msg.exe
  msg * Are
  2⤵
  PID:9288
- C:\Windows\system32\msg.exe
  msg * Hacked
  2⤵
  PID:9780
- C:\Windows\system32\msg.exe
  msg * Oops!
  2⤵
  PID:10332
- C:\Windows\system32\msg.exe
  msg * You
  2⤵
  PID:10280
- C:\Windows\system32\msg.exe
  msg * Are
  2⤵
  PID:10104
- C:\Windows\system32\msg.exe
  msg * Hacked
  2⤵
  PID:8840
- C:\Windows\system32\msg.exe
  msg * Oops!
  2⤵
  PID:10316
- C:\Windows\system32\msg.exe
  msg * You
  2⤵
  PID:10000
- C:\Windows\system32\msg.exe
  msg * Are
  2⤵
  PID:9132
- C:\Windows\system32\msg.exe
  msg * Hacked
  2⤵
  PID:9272
- C:\Windows\system32\msg.exe
  msg * Oops!
  2⤵
  PID:9820
- C:\Windows\system32\msg.exe
  msg * You
  2⤵
  PID:9384
- C:\Windows\system32\msg.exe
  msg * Are
  2⤵
  PID:9016
- C:\Windows\system32\msg.exe
  msg * Hacked
  2⤵
  PID:9008
- C:\Windows\system32\msg.exe
  msg * Oops!
  2⤵
  PID:9712
- C:\Windows\system32\msg.exe
  msg * You
  2⤵
  PID:9504
- C:\Windows\system32\msg.exe
  msg * Are
  2⤵
  PID:9176
- C:\Windows\system32\msg.exe
  msg * Hacked
  2⤵
  PID:9920
- C:\Windows\system32\msg.exe
  msg * Oops!
  2⤵
  PID:10144
- C:\Windows\system32\msg.exe
  msg * You
  2⤵
  PID:10148
- C:\Windows\system32\msg.exe
  msg * Are
  2⤵
  PID:9328
- C:\Windows\system32\msg.exe
  msg * Hacked
  2⤵
  PID:1604
- C:\Windows\system32\msg.exe
  msg * Oops!
  2⤵
  PID:468
- C:\Windows\system32\msg.exe
  msg * You
  2⤵
  PID:6924
- C:\Windows\system32\msg.exe
  msg * Are
  2⤵
  PID:7796
- C:\Windows\system32\msg.exe
  msg * Hacked
  2⤵
  PID:7852
- C:\Windows\system32\msg.exe
  msg * Oops!
  2⤵
  PID:8288
- C:\Windows\system32\msg.exe
  msg * You
  2⤵
  PID:3540
- C:\Windows\system32\msg.exe
  msg * Are
  2⤵
  PID:4440
- C:\Windows\system32\msg.exe
  msg * Hacked
  2⤵
  PID:5876
- C:\Windows\system32\msg.exe
  msg * Oops!
  2⤵
  PID:6932
- C:\Windows\system32\msg.exe
  msg * You
  2⤵
  PID:6028
- C:\Windows\system32\msg.exe
  msg * Are
  2⤵
  PID:7052
- C:\Windows\system32\msg.exe
  msg * Hacked
  2⤵
  PID:5564
- C:\Windows\system32\msg.exe
  msg * Oops!
  2⤵
  PID:4264
- C:\Windows\system32\msg.exe
  msg * You
  2⤵
  PID:3924
- C:\Windows\system32\msg.exe
  msg * Are
  2⤵
  PID:6940
- C:\Windows\system32\msg.exe
  msg * Hacked
  2⤵
  PID:10736
- C:\Windows\system32\msg.exe
  msg * Oops!
  2⤵
  PID:3660
- C:\Windows\system32\msg.exe
  msg * You
  2⤵
  PID:10756
- C:\Windows\system32\msg.exe
  msg * Are
  2⤵
  PID:7000
- C:\Windows\system32\msg.exe
  msg * Hacked
  2⤵
  PID:3056
- C:\Windows\system32\msg.exe
  msg * Oops!
  2⤵
  PID:10880
- C:\Windows\system32\msg.exe
  msg * You
  2⤵
  PID:8584
- C:\Windows\system32\msg.exe
  msg * Are
  2⤵
  PID:6232
- C:\Windows\system32\msg.exe
  msg * Hacked
  2⤵
  PID:4316
- C:\Windows\system32\msg.exe
  msg * Oops!
  2⤵
  PID:8252
- C:\Windows\system32\msg.exe
  msg * You
  2⤵
  PID:10968
- C:\Windows\system32\msg.exe
  msg * Are
  2⤵
  PID:7632
- C:\Windows\system32\msg.exe
  msg * Hacked
  2⤵
  PID:7824
- C:\Windows\system32\msg.exe
  msg * Oops!
  2⤵
  PID:10924
- C:\Windows\system32\msg.exe
  msg * You
  2⤵
  PID:8264
- C:\Windows\system32\msg.exe
  msg * Are
  2⤵
  PID:8300
- C:\Windows\system32\msg.exe
  msg * Hacked
  2⤵
  PID:7072
- C:\Windows\system32\msg.exe
  msg * Oops!
  2⤵
  PID:900
- C:\Windows\system32\msg.exe
  msg * You
  2⤵
  PID:10972
- C:\Windows\system32\msg.exe
  msg * Are
  2⤵
  PID:5256
- C:\Windows\system32\msg.exe
  msg * Hacked
  2⤵
  PID:4244
- C:\Windows\system32\msg.exe
  msg * Oops!
  2⤵
  PID:6852
- C:\Windows\system32\msg.exe
  msg * You
  2⤵
  PID:1164
- C:\Windows\system32\msg.exe
  msg * Are
  2⤵
  PID:10364
- C:\Windows\system32\msg.exe
  msg * Hacked
  2⤵
  PID:6304
- C:\Windows\system32\msg.exe
  msg * Oops!
  2⤵
  PID:4312
- C:\Windows\system32\msg.exe
  msg * You
  2⤵
  PID:3328
- C:\Windows\system32\msg.exe
  msg * Are
  2⤵
  PID:3688
- C:\Windows\system32\msg.exe
  msg * Hacked
  2⤵
  PID:10712
- C:\Windows\system32\msg.exe
  msg * Oops!
  2⤵
  PID:6424
- C:\Windows\system32\msg.exe
  msg * You
  2⤵
  PID:5544
- C:\Windows\system32\msg.exe
  msg * Are
  2⤵
  PID:6996
- C:\Windows\system32\msg.exe
  msg * Hacked
  2⤵
  PID:5900
- C:\Windows\system32\msg.exe
  msg * Oops!
  2⤵
  PID:452
- C:\Windows\system32\msg.exe
  msg * You
  2⤵
  PID:1088
- C:\Windows\system32\msg.exe
  msg * Are
  2⤵
  PID:5676
- C:\Windows\system32\msg.exe
  msg * Hacked
  2⤵
  PID:832
- C:\Windows\system32\msg.exe
  msg * Oops!
  2⤵
  PID:3520
- C:\Windows\system32\msg.exe
  msg * You
  2⤵
  PID:5204
- C:\Windows\system32\msg.exe
  msg * Are
  2⤵
  PID:6468
- C:\Windows\system32\msg.exe
  msg * Hacked
  2⤵
  PID:3796
- C:\Windows\system32\msg.exe
  msg * Oops!
  2⤵
  PID:8628
- C:\Windows\system32\msg.exe
  msg * You
  2⤵
  PID:7848
- C:\Windows\system32\msg.exe
  msg * Are
  2⤵
  PID:6840
- C:\Windows\system32\msg.exe
  msg * Hacked
  2⤵
  PID:5296
- C:\Windows\system32\msg.exe
  msg * Oops!
  2⤵
  PID:4876
- C:\Windows\system32\msg.exe
  msg * You
  2⤵
  PID:8232
- C:\Windows\system32\msg.exe
  msg * Are
  2⤵
  PID:7956
- C:\Windows\system32\msg.exe
  msg * Hacked
  2⤵
  PID:11088
- C:\Windows\system32\msg.exe
  msg * Oops!
  2⤵
  PID:6132
- C:\Windows\system32\msg.exe
  msg * You
  2⤵
  PID:5264
- C:\Windows\system32\msg.exe
  msg * Are
  2⤵
  PID:7392
- C:\Windows\system32\msg.exe
  msg * Hacked
  2⤵
  PID:400
- C:\Windows\system32\msg.exe
  msg * Oops!
  2⤵
  PID:5888
- C:\Windows\system32\msg.exe
  msg * You
  2⤵
  PID:6700
- C:\Windows\system32\msg.exe
  msg * Are
  2⤵
  PID:2920
- C:\Windows\system32\msg.exe
  msg * Hacked
  2⤵
  PID:6560
- C:\Windows\system32\msg.exe
  msg * Oops!
  2⤵
  PID:2852
- C:\Windows\system32\msg.exe
  msg * You
  2⤵
  PID:2676
- C:\Windows\system32\msg.exe
  msg * Are
  2⤵
  PID:2692
- C:\Windows\system32\msg.exe
  msg * Hacked
  2⤵
  PID:7604
- C:\Windows\system32\msg.exe
  msg * Oops!
  2⤵
  PID:8576
- C:\Windows\system32\msg.exe
  msg * You
  2⤵
  PID:5772
- C:\Windows\system32\msg.exe
  msg * Are
  2⤵
  PID:1876
- C:\Windows\system32\msg.exe
  msg * Hacked
  2⤵
  PID:5712
- C:\Windows\system32\msg.exe
  msg * Oops!
  2⤵
  PID:4404
- C:\Windows\system32\msg.exe
  msg * You
  2⤵
  PID:8188
- C:\Windows\system32\msg.exe
  msg * Are
  2⤵
  PID:7464
- C:\Windows\system32\msg.exe
  msg * Hacked
  2⤵
  PID:5064
- C:\Windows\system32\msg.exe
  msg * Oops!
  2⤵
  PID:6584
- C:\Windows\system32\msg.exe
  msg * You
  2⤵
  PID:5656
- C:\Windows\system32\msg.exe
  msg * Are
  2⤵
  PID:5748
- C:\Windows\system32\msg.exe
  msg * Hacked
  2⤵
  PID:8420
- C:\Windows\system32\msg.exe
  msg * Oops!
  2⤵
  PID:3548
- C:\Windows\system32\msg.exe
  msg * You
  2⤵
  PID:5984
- C:\Windows\system32\msg.exe
  msg * Are
  2⤵
  PID:5324
- C:\Windows\system32\msg.exe
  msg * Hacked
  2⤵
  PID:7332
- C:\Windows\system32\msg.exe
  msg * Oops!
  2⤵
  PID:2660
- C:\Windows\system32\msg.exe
  msg * You
  2⤵
  PID:2152
- C:\Windows\system32\msg.exe
  msg * Are
  2⤵
  PID:4788
- C:\Windows\system32\msg.exe
  msg * Hacked
  2⤵
  PID:7832
- C:\Windows\system32\msg.exe
  msg * Oops!
  2⤵
  PID:6264
- C:\Windows\system32\msg.exe
  msg * You
  2⤵
  PID:7624
- C:\Windows\system32\msg.exe
  msg * Are
  2⤵
  PID:1196
- C:\Windows\system32\msg.exe
  msg * Hacked
  2⤵
  PID:808
- C:\Windows\system32\msg.exe
  msg * Oops!
  2⤵
  PID:1280
- C:\Windows\system32\msg.exe
  msg * You
  2⤵
  PID:2812
- C:\Windows\system32\msg.exe
  msg * Are
  2⤵
  PID:3076
- C:\Windows\system32\msg.exe
  msg * Hacked
  2⤵
  PID:6104
- C:\Windows\system32\msg.exe
  msg * Oops!
  2⤵
  PID:5172
- C:\Windows\system32\msg.exe
  msg * You
  2⤵
  PID:5932
- C:\Windows\system32\msg.exe
  msg * Are
  2⤵
  PID:2980
- C:\Windows\system32\msg.exe
  msg * Hacked
  2⤵
  PID:4448
- C:\Windows\system32\msg.exe
  msg * Oops!
  2⤵
  PID:5684
- C:\Windows\system32\msg.exe
  msg * You
  2⤵
  PID:6244
- C:\Windows\system32\msg.exe
  msg * Are
  2⤵
  PID:1208
- C:\Windows\system32\msg.exe
  msg * Hacked
  2⤵
  PID:3812
- C:\Windows\system32\msg.exe
  msg * Oops!
  2⤵
  PID:3376
- C:\Windows\system32\msg.exe
  msg * You
  2⤵
  PID:11044
- C:\Windows\system32\msg.exe
  msg * Are
  2⤵
  PID:9500
- C:\Windows\system32\msg.exe
  msg * Hacked
  2⤵
  PID:11092
- C:\Windows\system32\msg.exe
  msg * Oops!
  2⤵
  PID:7840
- C:\Windows\system32\msg.exe
  msg * You
  2⤵
  PID:2052
- C:\Windows\system32\msg.exe
  msg * Are
  2⤵
  PID:392
- C:\Windows\system32\msg.exe
  msg * Hacked
  2⤵
  PID:4452

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3380

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:7828

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:2484

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:6612

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4176

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:6900

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:1120

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4568

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:7864

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
PID:3804

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:6288

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:9208

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4564

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:8988

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
PID:9000

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:9816

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:9504

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
PID:10920

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:10712

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3520

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
PID:5984

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:6776

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Suspicious behavior: GetForegroundWindowSpam
PID:7248

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1688

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:7156

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:6832
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\test.cmd" "
  2⤵
  PID:8440
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\test.cmd" "
  2⤵
  PID:8788
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\test.cmd" "
  2⤵
  PID:10548
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\test.cmd" "
  2⤵
  PID:7528
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /4
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2160
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\test.cmd" "
  2⤵
  PID:3360
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_SZ /d 1 /f
    3⤵
    PID:10732
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /4
  2⤵
  PID:9832
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\test.cmd" "
  2⤵
  PID:9564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\test.cmd" "
  2⤵
  PID:5724
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:7700
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:9692
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:2588

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:2172

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4820

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2412

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:5856

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:8488

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:11152

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:7540

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5884

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x414 0x4c0
1⤵
PID:8664

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4020

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:10720

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:5572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Viral Tool\Read Me.rtf

Filesize
2KB

MD5
5261da54f4b32c16cba473336476c284

SHA1
008703f1f78557c2f84f0f3eadd14d6b242db0fd

SHA256
9fb0458fd02ad9d8a67f17b11e563c4ee533ad30577ea7b1ac23475097bd6a94

SHA512
18b3740b65df6ea0c71d3dbf6d03aa6c9bda0f254e94c1620eda767995301103b2e35ef105909cd88fe78b5d1aaf0f1552c0e191d723b341ee0bb51c02aaec8d

Download Submit
C:\Program Files (x86)\Viral Tool\Viral Tool.exe

Filesize
320KB

MD5
90d6061903e5b071c471b376148ca34f

SHA1
8ad3fe6001e01320ec303ef17abfd21b745dbdda

SHA256
14b8845b076ba2b366bee013ac1565527eee301d8398873c399bfafa952fa04c

SHA512
4da2d0f4c3d5cddeebb6664a2f85d7f99960b6d4167b3528d6e6071e5b56c71837332d8c1af7b1663b65934e460696ad9a7f3c09bbbee3e2c1b4a60ade8e4dde

Download Submit
C:\Program Files (x86)\Viral Tool\Viral Tool.url

Filesize
69B

MD5
0268142fdb4fcc0b5bc767b9612ad7ac

SHA1
7dadf66dabc8af83933d1c04fc5fe884880e5ef9

SHA256
b2baea8d98bfd81dbef577f5a15be39161b7cef1c4ddb1755d7021bea2ea9cbc

SHA512
88c5cf1a82636c2b01ea39cebbc77974737d0ada667dc4044c09e5bba1ddcab47a43b1eeed3e0de974befb00028ead37186878cceb3e3d1b6a2fbbb642dd860b

Download Submit
C:\USERS\ADMIN\DESKTOP\TEST.CMD

Filesize
91B

MD5
4c152b02f13d3707e4bc8598b2094211

SHA1
4e955b5d9ae437faa4e1afc678aa99f7f8ab7870

SHA256
c8f6f7df6c325a1b77e116ce9ee34b21402bf7d29a7e7d1fc623d0a89be15713

SHA512
ca80f6d2f08bbb319ec3541822e66921463a54a4910cb34ef87c85ccb0174756d6ad1ddb1eb90665a18bc3878a5191ac39530b35e4790c951bc04228968ad7ea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53

Filesize
471B

MD5
70c9176eb809c80a24e7cf3446a14750

SHA1
f6faaf97bae3d356741bab6a1a0c8bf798fff4d9

SHA256
ebc53c56d083b2e9bcdb5c87c474d5364bdabfe9a5d9c63a352ff087efc51c55

SHA512
ffba525f8becbd3f4e0596dc4503f178b51344a181cd086a9cd5394aea5e244825c0b4882ab0e9c50685be89730bf2d88e1e2f18e63e1db2fc016950ceca1060

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53

Filesize
412B

MD5
2bdfdd07244f9c435bc44237047308d0

SHA1
ffa625a2387e2abc4b07ecdc7f04db2549ddec4e

SHA256
3ba71d2d9c7ce647e47fd40cb722e86622ab1f657d4af09f67478372cae11b43

SHA512
ec18998c269e399926068ffee56d658dca7aa3eb85e56aca202f9ccfb9b2b070ea38c7abf9b08bf9cf5e5820871bc5782a272187cc15ccdaaaa502f66af4a5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
d2fb266b97caff2086bf0fa74eddb6b2

SHA1
2f0061ce9c51b5b4fbab76b37fc6a540be7f805d

SHA256
b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a

SHA512
c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
944B

MD5
6bd369f7c74a28194c991ed1404da30f

SHA1
0f8e3f8ab822c9374409fe399b6bfe5d68cbd643

SHA256
878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d

SHA512
8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db

Filesize
28KB

MD5
ef96a44ea3ccae6200ecfc6276da45a9

SHA1
0fa0fe7898d09f3048ca399113050f9c2ddb08e6

SHA256
f635e9786999d984aa550dfc01b5b6f2dcc280264e96d7d7a88bcdc58fcefc59

SHA512
57c41c5a4bdc9e9cf7c74e59cf9f9546b6c1516775d588f1b09c0c4ca82c4ea2695ec905ff1639d58500629691a008fb29921dbf6181a9cb9ca38817deca2a9f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\f97d9gc7.default-release\cache2\doomed\13891

Filesize
10KB

MD5
490cf22c4c5e4d1832e726017f0cde02

SHA1
cfc1ef542bd0cc4adfe557dbc30c6b966fd1009b

SHA256
dce811395885f4e24d38627694f6b953a798d585366969c978db3dfb383ffeb1

SHA512
500637b9abe8fe3fadb7415b38875f857a902a4099db017cab4d22f9ff0424e13dfc8f0da665d7c90a38f1f402df8b403f7f773854a0127bc135e04799b836cd

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\f97d9gc7.default-release\cache2\doomed\13914

Filesize
14KB

MD5
67b7d2f3e98e7fe9f19e37b1b5a0ce2b

SHA1
c0ed95755244bf690d3bae0935d2a60dceba87c3

SHA256
c0ea55d0ca928d7d0759b606f4e4ad17f811f4ddcc9a248f36759283439332d1

SHA512
737bb0f01756cefd3ff18b30fef4fd3b82c0c0bbbdd67fa6326592bacda2a06566cc5ee76bba10664f35e5cdf72b816a207af48cdbb9371ecaf8e9d61c5cf133

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\f97d9gc7.default-release\cache2\doomed\25011

Filesize
7KB

MD5
4e1cae3d9a53e5f3e0081f8bb3b46c83

SHA1
1412fe52df54d59c4be6e94ca71096a0a26f0c01

SHA256
0b6eee1f3d795fc99ff36677dc27926272f759d91365334a2226c27bdbbd5a2a

SHA512
9d2728dc0f4e896a3bfd6f2316fecac8b618e269fe956b7d41adefeec16bac855cb51def7142a4d7566cf4486c12dc9f5dbf2373ed5ea9cf9404f35ce5f51dee

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\f97d9gc7.default-release\cache2\doomed\29870

Filesize
21KB

MD5
f9cd94f66428d8f7b68ca433a1260821

SHA1
991f25ceddf8a062ac62c989fead46c1e1c44fc0

SHA256
e6b6d2becec05a19542bf3ae7eb5a4e0ea33a9f7f0cf185afccd9b57c592c63c

SHA512
045fdab0e26321d5c5a8140083883262e90ffb7e6ab7e7473d54acbffd0a3a272113c7cb7f02c72453690592cc0f292625e22229a034ce9c47b864bc5f8f800a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\f97d9gc7.default-release\cache2\doomed\32025

Filesize
9KB

MD5
9f0cbfc8d74b3fe6843e4ff644a9ea90

SHA1
5b531fa52d6eb4fa6e0f501dc811cb7769c52a26

SHA256
f3bc37781c14f4b802653b0beb2c21357f4d1d034f6ed67ab693ecfd0fe51d5f

SHA512
dc473851f2553ef06dc77df477ecae95f8be3f3deec0199a40b75da0dae803c9279d593fbe22de382595b74d48e1cc5ef75332afa7988491fa2ba1427fd25ca7

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\f97d9gc7.default-release\cache2\doomed\828

Filesize
8KB

MD5
f75920c7b6cce5fdf6cafb7d0a178c0a

SHA1
67dc4f76ace6b184e254f3aa49d193fcd0f4dbce

SHA256
16148a8d0af098aeb442f7fee0bab90cf814ebb66d3bc02b6fb0228ebf44287b

SHA512
56f2580472cd3d65459f3e0d950b7f4a2b072be3651156f6bb48b3bf04bbc4e37766e00001990e9f32944ee3c10ab19f2769423bae57419080584054870e2291

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Windows_ControlPanel

Filesize
36KB

MD5
fb5f8866e1f4c9c1c7f4d377934ff4b2

SHA1
d0a329e387fb7bcba205364938417a67dbb4118a

SHA256
1649ec9493be27f76ae7304927d383f8a53dd3e41ea1678bacaff33120ea4170

SHA512
0fbe2843dfeab7373cde0643b20c073fdc2fcbefc5ae581fd1656c253dfa94e8bba4d348e95cc40d1e872456ecca894b462860aeac8b92cedb11a7cad634798c

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\https___java_com_help

Filesize
36KB

MD5
8aaad0f4eb7d3c65f81c6e6b496ba889

SHA1
231237a501b9433c292991e4ec200b25c1589050

SHA256
813c66ce7dec4cff9c55fb6f809eab909421e37f69ff30e4acaa502365a32bd1

SHA512
1a83ce732dc47853bf6e8f4249054f41b0dea8505cda73433b37dfa16114f27bfed3b4b3ba580aa9d53c3dcc8d48bf571a45f7c0468e6a0f2a227a7e59e17d62

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133542681989169261.txt

Filesize
76KB

MD5
23b1b0ea6eb9412fc6c84738afa1dd1e

SHA1
051be5589f83af439d02e039d7de3f386f5f25ba

SHA256
54a7a75e9a63ff72b8313f9e672ba61381b7f4741b200e069d28524947572eeb

SHA512
e0e7af2f6d5813cd86b49616ab0c9282e565494c0dfd5a77694ac4309e3f2dfdcca23ef1763f8000afdec287602451532cb04fe6a7ac93dde8f283dd175dbd2f

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\TV3VV50F\microsoft.windows[1].xml

Filesize
97B

MD5
5b984c298841d3dc3a3a0f8a819790bc

SHA1
27ec8f9f31d80734493d88e29e639b7562276867

SHA256
c9bc2d8c025943515a1412a4cb84dd9c184b73031125619bf2cd2d2d2efc2d66

SHA512
884209f3ea5207c6ad508975e139b2a16a6b861152c6861a3c1f1459973c896387e92407230ee1c90a6d4a9a49c52aa18d9d292b281a5b906f219280b7f15a93

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnA03A.tmp\ioSpecial.ini

Filesize
679B

MD5
8c986d4b28ab26ba1c56ddbf44396851

SHA1
c283719a4cc09ab6cdecb327ba184fb484ac5d37

SHA256
6d8557f6b2bbfeb771b6265b719d48ac1e0b030d4bd5605c4263ed596fe4462e

SHA512
410b436567a77808dc85c6b0e97a49ecc3362a4a9f770e844a3792cc24a1ac886e1745ff6e60d44f6c4664dd1fc4b79d80186bbccd530aedc736de6ca0629c13

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnA03A.tmp\modern-wizard.bmp

Filesize
51KB

MD5
9e4cd80a60db6947642677bf31a10906

SHA1
feedc432df18b13ffba2b7478347d885861701fa

SHA256
a7b2f12e01cbea88d4f645f797f2ca6107d76ae13cd1be6dc532b759bfe0d925

SHA512
a02ae76b7a5df03a149a0b9c9efd314b8646b829b930233d0cea8b619b21720b383f92be95838310e7f1c4183d256823a96e48866b65ac7d2141ed4254ae471a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss585D.tmp\InstallOptions.dll

Filesize
14KB

MD5
eee2912bd1ee421cf1f1dfb1cc327d97

SHA1
c5d3741ddb195718c9b17923eb6abfb7a732bdc1

SHA256
e560384c5298ee2123e8340e716b2c4680f51b4d0347995ba3290dbd1130c6c0

SHA512
1808a068386c790d8ad5096d9fededcfa6e5688e3a68f2499418456c9cafd7b837c811298e6570212155b4a3d6038c1749cfcd9d1b86f090f66d1a5301adecb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss585D.tmp\ioSpecial.ini

Filesize
679B

MD5
8a787de96570304fcc52ca1780769f71

SHA1
1813d4d6990681990fbcc42357df8aeda46b6b7a

SHA256
b2178d9303ba8c60e4f05d1b2a9d048a17745a9b7f8965494a9825a237b979fa

SHA512
0248184d1d78eacfaf950035aa5168ad00058beaf7b351f8eba006b33bc76f8ff6a669002d0b3eb77b94de5a551653019d295950a12375508d224386fb516fa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss585D.tmp\ioSpecial.ini

Filesize
738B

MD5
de9c12f272049b282793944bcc347476

SHA1
b72dbe97b66ed517c349a0fb09e3572a23896856

SHA256
782013ea908dba8c3f707f4e2972523991b69199d3d56c088da35e88c25d2d69

SHA512
628462bcc099a937b0453ac9a5e3e14f03862b12fe73741baefb4f366a97b1bb5ece455d04cf4c9cb253f557aeb67ce4caaf726f959c5153a26d9f16c641873a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss585D.tmp\ioSpecial.ini

Filesize
764B

MD5
08391e1c92faf3c1f685697ff7b4d5cd

SHA1
11fdbdddebe7eb6d4b61c73004fc942c5a75de4a

SHA256
eeffdd8c8876ecc98d905116e71bf8b021a8415a5adbaa7d26f183dcbb386df0

SHA512
eab2a80bce500b83b5597890a078a40c4e0888828ed4a2465ff4d427636a37eb8e096be5d96efed9e0163890987e80cee2dd9d278b9e38978a71c52e4b6723bb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
251B

MD5
78822634cfad342229d70ea4dd10d9df

SHA1
c6327d664d9e69762a03c3fe93b32c5f9be5f590

SHA256
3135f6a92f60ed3e119050c03448f24f00901a2c13ece868c624eb9453a78af9

SHA512
84f3faee1f55c0876876b054a9073819ce7de4f3fcc2a325a26af67465ffcb90e67a2601dd0f55acaec211dee9d3d90e5ab759c9e9538440cc11601468e51155

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f97d9gc7.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
b65d36bc7532130c4df19091f88fed5c

SHA1
f48b74f8d2f79a9d131a369eac11c3528a724ae1

SHA256
dfeb5f8330b5b0f05a6d530b18b03042be7d6b36d04b689b4a6e70f59cbf987d

SHA512
8bc4eb8d0fc624f635d0264fd1008c94c21a68c819e6677782e1cd205b2152f4a1b5f04166fdd9dfcdc04a8b783ca8f5a95212d63eb60ae65a8e6c42aba56ae8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f97d9gc7.default-release\datareporting\glean\pending_pings\5522c65f-9484-4058-bcd5-d7f05bb1430e

Filesize
746B

MD5
05b46662620f9b9d9a57817c3e0a967f

SHA1
cb62e6dc6b63a55a698e1c97fd5e1e2c394dc5c4

SHA256
8e87b027d27d44fdef522b49b3b67a2fb7ac7d0948e8ed0305402f6f5c72a1ac

SHA512
864a03c75ef0ade2801d454a350bd470a08dc0201a6c267a2107beea809fda7568526d276161a7b5cae8d0256b833dad68ce1b5229323473324c17a907ff52ea

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f97d9gc7.default-release\datareporting\glean\pending_pings\ce507330-8169-4f23-9772-42d94c4fb588

Filesize
12KB

MD5
a95c49a7575cd4fbd1ec68f6c5371351

SHA1
aad97649a9a81363a2ab82a6a1d98bcbacef7e2a

SHA256
ef9e46da99836fac1dc82babb9caae567aad08a974aa224d3a4367e3c214a240

SHA512
06ed6a945c4d9a3c57d73ea5a5bf411bc4556e6ae5b8e4ea8b062b1b35aef7013b55a1839d9961be778a088b5b8ed49d0b4da9862f4965b4e7049a9dfe1d211f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f97d9gc7.default-release\prefs-1.js

Filesize
6KB

MD5
b6fbc317e98f8715d09f58e2aef2e3c6

SHA1
f93b0de8f417d123c2f68bc9460cb2c9e18fac34

SHA256
0aeaf9e655783784db17d85b36d9967e28ce000450d6a7ead02b6cbefc493fad

SHA512
65e5992040497a13363b9792bdb824949fbf6fe94e5b7b804aa9dfb32895dd4e7c3fc5763643d5e556245744059fd4d13908e3bc525169f5c53bbc3095e52122

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f97d9gc7.default-release\prefs.js

Filesize
6KB

MD5
396c207effbe85d30521323e7fd8b15a

SHA1
3fcdae9c9a2e84938a67ad0af83201c4fcdd45bf

SHA256
80c595bd6dea4d9f3a11ddb1f9d306b3ab469d70cf500048970c010ae1c0c7d8

SHA512
6b0c8f05ded37e325d42eec7be5e55279631fa9376047e8743dae0628e88681224ae376d32b25dadc18961b2a24f13e3d838c1b43f5bc0be20ba5e72ab1c60ff

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f97d9gc7.default-release\prefs.js

Filesize
6KB

MD5
916651c1d4cf7d524a615a880b3184d9

SHA1
07c8ff3cfb774c81521433ac33f2b2b0e8157b2c

SHA256
07f7d764c5416fba40b32a01b6bbc873d4f703b23fc65bac17b40ab1e1451c51

SHA512
30f213530ed68db7fd0c193836221dc0baa168757020f451a2f75f6eca95a3ed290befb8ea1b521bc7731449330a3f3e5bdcfb7eb4c5456c9026a709204268d8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f97d9gc7.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
10KB

MD5
9a3221652826864637886244b6ee7b62

SHA1
01046a0de09505ec724e1fdc236fabd010490a77

SHA256
ef8bc2774934cc0a730102977df728bb96b0f162930f485a95768d27c66f15f2

SHA512
581457e50bd3f74d7138f065d456bc6b04f6a3fb03df491466bc9ae6704350972a50f0f2c148102f8d13222ef60377188a7e5c287e327defa5a534736eeb1f68

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f97d9gc7.default-release\sessionstore.jsonlz4

Filesize
10KB

MD5
41feca56c45da197787ef428e9d423f1

SHA1
74cbbf0878bb7390d11ac05cdf9b169c405dbdd6

SHA256
68430a760c6892cd49e9a4464b40ef0da4f2d058a404317c35690661e97a1a97

SHA512
9fd6bb2d0d72d4d56af5bd27292f7d99b5cae43bfca80813d0ede488011bc037cd7c5a8fbfa2a2844896ed193860016344967b1eff5f628597e100f90a763ebf

Download Submit
C:\Users\Admin\Desktop\Viral Tool.lnk

Filesize
1KB

MD5
6e20c74852ab5d91cf6985dc9af29eed

SHA1
742eeb29e991de4ef30e025602886d4a5ad3968f

SHA256
7815f6687a78b26361f893f6a847a62f35761b05842d2d62d5aadf9a69902648

SHA512
5c1eb7e26a606306932fc5e2527928d4b4f5f876c12fb2e1c32088ece1348187376d44056845e061116fef9c1041dfd79eddd4f203f89e19ac180d342288a3bb

Download Submit
C:\Users\Admin\Desktop\test.cmd

Filesize
74B

MD5
399204dd9f7d379a9326e02d0c16b7fa

SHA1
4ca184b217f28b7e36c40ff1501cd46e61a9ee83

SHA256
80e6c95af8386228a862d4f72a242b9e3656a217029c28d1d63758a1a04dd0b5

SHA512
bc1ddb802b2e433fa78812def92028b849800e31cc3a22cdb437bae0adc4820098bf6bc85b27d772db17cc44b022a5bf62b1da121486a5cb8d8940b30d70cd94

Download Submit
C:\Users\Admin\Desktop\test.cmd

Filesize
91B

MD5
82458cc8757b9454a390e13fdc7f3b7d

SHA1
242a9c3329a3b9b6035f67500a5ae69ad796180e

SHA256
59ad2b6b2b46629682961806234e94a15894b125ea21b2460752896b059986d9

SHA512
541c41cc145fa17ded0c053d16ee239348d86c9d497299c78e15eb16cd88ecc5b677f6169ae34d53e5d135ec16f92890e88c61469f94f03ec6a1c0328b423c4c

Download Submit
C:\Users\Admin\Downloads\ViralToolSetup.wPQotCvV.zip.part

Filesize
31KB

MD5
1d68ed477f590f38a3a1f2c03d5ad48b

SHA1
84218072be356f095c5568b3820766953aab1e11

SHA256
30195c64fa2dfd500506164ca640ca06308128f64afed2a54861013c0937d86e

SHA512
cc6164982a71a28bef6e8b56e7842573063a4f5b51c2c5d29833d4b97ef6624173be8f53adbf10036a2014ca8c52a69ba48bdf6b3f26ba5a55edcf887e4687a9

Download Submit
C:\Users\Admin\Downloads\meow.cmd

Filesize
77B

MD5
c51101c5ce2db2b89087337028665f5f

SHA1
08d3ccb1dd19501a0b2ba46a4c096f1c2770e34a

SHA256
38dda6b70307ce8c9f96df44d63451d536ae33c77d6d54aa25f30b2e9ed8fec2

SHA512
be3b38f2ebb5b9f711dc72dfe6d173ed61a9c78dfc0a7f78138f00785926bc46c17f9ba6db1eb0afc5bf243d4caae93a916932697fbc59639d8d59ef0b7ac00f

Download Submit
C:\Users\Admin\Downloads\test.cmd

Filesize
89B

MD5
6a52eb7833d1010d0713cec0e3154bc5

SHA1
2cb4711f23e170512cca624bde40d08bff57fc8e

SHA256
1f9b3e3a33fbfc039b19071f32fe046649ddcb644792f007573e7f19bb8a9069

SHA512
152823c3f65d320cb267b3c297d1611ef91a8f0bb146ce05ef741d4835e13fdded49c24445e2cb6eeb9c28e3a37f373e8b652d90d244a9cf61a3444f74cf566e

Download Submit
C:\Users\Admin\Downloads\test.cmd

Filesize
107B

MD5
e21684ffb4ba9bc5fdab8654d35b6fa1

SHA1
db554d802b982b05d670c25c230787835f31fd85

SHA256
5b458ae412da4a17439bc3ccced84b876c678882bcecbf1dcbd71d67528266f9

SHA512
bdb835dca1a8290468f0ac97e6511947f94943a1d4e64d86e435077f13ff83e1cb17db112062719af375126d757e43187531a6bcb9cadb8aebbb76fcdc1b04ab

Download Submit
C:\Windows\SysWOW64\MSCOMCTL32.ocx

Filesize
1.0MB

MD5
714cf24fc19a20ae0dc701b48ded2cf6

SHA1
d904d2fa7639c38ffb6e69f1ef779ca1001b8c18

SHA256
09f126e65d90026c3f659ff41b1287671b8cc1aa16240fc75dae91079a6b9712

SHA512
d375fd9b509e58c43355263753634368fa711f02a2235f31f7fa420d1ff77504d9a29bb70ae31c87671d50bd75d6b459379a1550907fbe5c37c60da835c60bc1

Download Submit
C:\Windows\SysWOW64\comdlg32.ocx

Filesize
152KB

MD5
ac9bd4138ba1cece3c25f62166b0ba70

SHA1
14b8593f4afc6dbd0f5b97d015bf50599d53a6a9

SHA256
00b5af20504fa3440ef3f9670a49963622d1a3557090e349f465746213761cef

SHA512
272d940a8eaff6820027e51b03adef1db66e5d7d909a39f0cf6532f792c9e22d47f18040247caa41c3d9bab44162a668b00a6845c445e58df7d1952b616c168e

Download Submit
memory/1120-936-0x0000000004310000-0x0000000004311000-memory.dmp

Filesize
4KB

Download
memory/2412-1089-0x00000287038A0000-0x00000287038C0000-memory.dmp

Filesize
128KB

Download
memory/2412-1085-0x00000287032D0000-0x00000287032F0000-memory.dmp

Filesize
128KB

Download
memory/2412-1087-0x0000028703290000-0x00000287032B0000-memory.dmp

Filesize
128KB

Download
memory/3380-902-0x0000020B1F090000-0x0000020B1F091000-memory.dmp

Filesize
4KB

Download
memory/3380-903-0x0000020B1F090000-0x0000020B1F091000-memory.dmp

Filesize
4KB

Download
memory/3380-906-0x0000020B1F090000-0x0000020B1F091000-memory.dmp

Filesize
4KB

Download
memory/3380-907-0x0000020B1F090000-0x0000020B1F091000-memory.dmp

Filesize
4KB

Download
memory/3380-905-0x0000020B1F090000-0x0000020B1F091000-memory.dmp

Filesize
4KB

Download
memory/3380-904-0x0000020B1F090000-0x0000020B1F091000-memory.dmp

Filesize
4KB

Download
memory/3380-897-0x0000020B1F090000-0x0000020B1F091000-memory.dmp

Filesize
4KB

Download
memory/3380-896-0x0000020B1F090000-0x0000020B1F091000-memory.dmp

Filesize
4KB

Download
memory/3380-895-0x0000020B1F090000-0x0000020B1F091000-memory.dmp

Filesize
4KB

Download
memory/3520-1017-0x0000016960800000-0x0000016960820000-memory.dmp

Filesize
128KB

Download
memory/3520-1019-0x0000016960C00000-0x0000016960C20000-memory.dmp

Filesize
128KB

Download
memory/3520-1015-0x0000016960840000-0x0000016960860000-memory.dmp

Filesize
128KB

Download
memory/4820-1066-0x000001D4D9B20000-0x000001D4D9B40000-memory.dmp

Filesize
128KB

Download
memory/4820-1064-0x000001D4D9B60000-0x000001D4D9B80000-memory.dmp

Filesize
128KB

Download
memory/4820-1068-0x000001D4D9F20000-0x000001D4D9F40000-memory.dmp

Filesize
128KB

Download
memory/5016-502-0x00000205DC920000-0x00000205DC921000-memory.dmp

Filesize
4KB

Download
memory/5016-496-0x00000205DC920000-0x00000205DC921000-memory.dmp

Filesize
4KB

Download
memory/5016-497-0x00000205DC920000-0x00000205DC921000-memory.dmp

Filesize
4KB

Download
memory/5016-505-0x00000205DC920000-0x00000205DC921000-memory.dmp

Filesize
4KB

Download
memory/5016-501-0x00000205DC920000-0x00000205DC921000-memory.dmp

Filesize
4KB

Download
memory/5016-504-0x00000205DC920000-0x00000205DC921000-memory.dmp

Filesize
4KB

Download
memory/5016-503-0x00000205DC920000-0x00000205DC921000-memory.dmp

Filesize
4KB

Download
memory/5016-495-0x00000205DC920000-0x00000205DC921000-memory.dmp

Filesize
4KB

Download
memory/5016-507-0x00000205DC920000-0x00000205DC921000-memory.dmp

Filesize
4KB

Download
memory/5016-506-0x00000205DC920000-0x00000205DC921000-memory.dmp

Filesize
4KB

Download
memory/5856-1106-0x000002B2EFF70000-0x000002B2EFF90000-memory.dmp

Filesize
128KB

Download
memory/6612-917-0x00000000034D0000-0x00000000034D1000-memory.dmp

Filesize
4KB

Download
memory/6832-1056-0x00000000046F0000-0x00000000046F1000-memory.dmp

Filesize
4KB

Download
memory/6900-926-0x000001AB56DB0000-0x000001AB56DD0000-memory.dmp

Filesize
128KB

Download
memory/6900-924-0x000001AB57100000-0x000001AB57120000-memory.dmp

Filesize
128KB

Download
memory/6900-928-0x000001AB574C0000-0x000001AB574E0000-memory.dmp

Filesize
128KB

Download
memory/6992-748-0x00007FFFA0850000-0x00007FFFA0A45000-memory.dmp

Filesize
2.0MB

Download
memory/6992-795-0x00007FFF608D0000-0x00007FFF608E0000-memory.dmp

Filesize
64KB

Download
memory/6992-743-0x00007FFF608D0000-0x00007FFF608E0000-memory.dmp

Filesize
64KB

Download
memory/6992-746-0x00007FFFA0850000-0x00007FFFA0A45000-memory.dmp

Filesize
2.0MB

Download
memory/6992-751-0x00007FFFA0850000-0x00007FFFA0A45000-memory.dmp

Filesize
2.0MB

Download
memory/6992-753-0x00007FFF5E630000-0x00007FFF5E640000-memory.dmp

Filesize
64KB

Download
memory/6992-754-0x00007FFF5E630000-0x00007FFF5E640000-memory.dmp

Filesize
64KB

Download
memory/6992-750-0x00007FFFA0850000-0x00007FFFA0A45000-memory.dmp

Filesize
2.0MB

Download
memory/6992-749-0x00007FFFA0850000-0x00007FFFA0A45000-memory.dmp

Filesize
2.0MB

Download
memory/6992-792-0x00007FFF608D0000-0x00007FFF608E0000-memory.dmp

Filesize
64KB

Download
memory/6992-794-0x00007FFF608D0000-0x00007FFF608E0000-memory.dmp

Filesize
64KB

Download
memory/6992-747-0x00007FFF608D0000-0x00007FFF608E0000-memory.dmp

Filesize
64KB

Download
memory/6992-793-0x00007FFF608D0000-0x00007FFF608E0000-memory.dmp

Filesize
64KB

Download
memory/6992-796-0x00007FFFA0850000-0x00007FFFA0A45000-memory.dmp

Filesize
2.0MB

Download
memory/6992-741-0x00007FFF608D0000-0x00007FFF608E0000-memory.dmp

Filesize
64KB

Download
memory/6992-742-0x00007FFFA0850000-0x00007FFFA0A45000-memory.dmp

Filesize
2.0MB

Download
memory/6992-752-0x00007FFFA0850000-0x00007FFFA0A45000-memory.dmp

Filesize
2.0MB

Download
memory/6992-744-0x00007FFFA0850000-0x00007FFFA0A45000-memory.dmp

Filesize
2.0MB

Download
memory/6992-740-0x00007FFF608D0000-0x00007FFF608E0000-memory.dmp

Filesize
64KB

Download
memory/6992-745-0x00007FFF608D0000-0x00007FFF608E0000-memory.dmp

Filesize
64KB

Download
memory/7156-1047-0x0000014C00180000-0x0000014C001A0000-memory.dmp

Filesize
128KB

Download
memory/7156-1043-0x000001547FD60000-0x000001547FD80000-memory.dmp

Filesize
128KB

Download
memory/7156-1040-0x000001547FDA0000-0x000001547FDC0000-memory.dmp

Filesize
128KB

Download
memory/7248-1032-0x00000000043D0000-0x00000000043D1000-memory.dmp

Filesize
4KB

Download
memory/7864-947-0x000001E4B8C90000-0x000001E4B8CB0000-memory.dmp

Filesize
128KB

Download
memory/7864-944-0x000001E4B8CD0000-0x000001E4B8CF0000-memory.dmp

Filesize
128KB

Download
memory/7864-950-0x000001E4B90A0000-0x000001E4B90C0000-memory.dmp

Filesize
128KB

Download
memory/8988-974-0x000002479A7E0000-0x000002479A800000-memory.dmp

Filesize
128KB

Download
memory/8988-972-0x000002479A1D0000-0x000002479A1F0000-memory.dmp

Filesize
128KB

Download
memory/8988-969-0x000002479A420000-0x000002479A440000-memory.dmp

Filesize
128KB

Download
memory/9000-985-0x0000000004E20000-0x0000000004E21000-memory.dmp

Filesize
4KB

Download
memory/9208-961-0x00000000049F0000-0x00000000049F1000-memory.dmp

Filesize
4KB

Download
memory/9504-994-0x0000027223800000-0x0000027223820000-memory.dmp

Filesize
128KB

Download
memory/9504-996-0x0000027223C10000-0x0000027223C30000-memory.dmp

Filesize
128KB

Download
memory/9504-992-0x0000027223840000-0x0000027223860000-memory.dmp

Filesize
128KB

Download
memory/10920-1008-0x0000000004390000-0x0000000004391000-memory.dmp

Filesize
4KB

Download