Analysis Overview
SHA256
f9bb53c79f60d12aff749aac505f9e5fe227e6d4325853ffa8d83f6f02809d6e
Threat Level: Known bad
The file StarStacker.bat was found to be: Known bad.
Malicious Activity Summary
Wannacry
Deletes shadow copies
Blocklisted process makes network request
Modifies Installed Components in the registry
Downloads MZ/PE file
Reads user/profile data of web browsers
Drops startup file
Modifies file permissions
Loads dropped DLL
Executes dropped EXE
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Checks installed software on the system
Sets desktop wallpaper using registry
Drops file in System32 directory
Launches sc.exe
Drops file in Windows directory
Drops file in Program Files directory
Enumerates physical storage devices
Checks SCSI registry key(s)
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates system info in registry
Modifies registry key
Runs ping.exe
NTFS ADS
Uses Volume Shadow Copy service COM API
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of SendNotifyMessage
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-19 16:36
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-19 16:36
Reported
2024-05-19 17:06
Platform
win10v2004-20240426-en
Max time kernel
1789s
Max time network
1765s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\software\WOW6432Node\microsoft\Active Setup\Installed Components | C:\Program Files (x86)\BonziBuddy432\Runtimes\tv_enua.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\WOW6432Node\microsoft\Active Setup\Installed Components | C:\Program Files (x86)\BonziBuddy432\Runtimes\MSAGENT.EXE | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8C40B9E2-12CC-4BB9-ADF8-04FEA9F5F756\dismhost.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\BonziBuddy432\Runtimes\MSAGENT.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\BonziBuddy432\Runtimes\tv_enua.exe | N/A |
| N/A | N/A | C:\Windows\msagent\AgentSvr.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\BonziBuddy432\BonziBDY_4.EXE | N/A |
| N/A | N/A | C:\Windows\msagent\AgentSvr.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\BonziBuddy432\Bonzi's Beach Checkers.exe | N/A |
Loads dropped DLL
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tv_enua = "RunDll32 advpack.dll,LaunchINFSection C:\\Windows\\INF\\tv_enua.inf, RemoveCabinet" | C:\Program Files (x86)\BonziBuddy432\Runtimes\tv_enua.exe | N/A |
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | camo.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\SETE5DA.tmp | C:\Program Files (x86)\BonziBuddy432\Runtimes\tv_enua.exe | N/A |
| File created | C:\Windows\SysWOW64\SETE5DA.tmp | C:\Program Files (x86)\BonziBuddy432\Runtimes\tv_enua.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\msvcp50.dll | C:\Program Files (x86)\BonziBuddy432\Runtimes\tv_enua.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Treasure Chest\cb014.gif | C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe | N/A |
| File opened for modification | C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Treasure Chest\page5.jpg | C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe | N/A |
| File opened for modification | C:\Program Files (x86)\BonziBuddy432\J001.nbd-SR | C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe | N/A |
| File opened for modification | C:\Program Files (x86)\BonziBuddy432\Snd2.wav | C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe | N/A |
| File opened for modification | C:\Program Files (x86)\BonziBuddy432\t3.nbd-SR | C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe | N/A |
| File opened for modification | C:\Program Files (x86)\BonziBuddy432\Options\AutoDirPatcher.vbs | C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe | N/A |
| File opened for modification | C:\Program Files (x86)\BonziBuddy432\Options\bonzibuddys.URL | C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe | N/A |
| File opened for modification | C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Treasure Chest\cb002.gif | C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe | N/A |
| File opened for modification | C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Alpha-net\sp005.gif | C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe | N/A |
| File opened for modification | C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Treasure Chest\Thumbs.db | C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe | N/A |
| File opened for modification | C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Alpha-net\sp003.gif | C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe | N/A |
| File opened for modification | C:\Program Files (x86)\BonziBuddy432\j3.nbd-SR | C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe | N/A |
| File opened for modification | C:\Program Files (x86)\BonziBuddy432\Runtimes\MSAGENT.EXE | C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe | N/A |
| File opened for modification | C:\Program Files (x86)\BonziBuddy432\Runtimes\spchcpl.exe | C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe | N/A |
| File opened for modification | C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Polizoof\book | C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe | N/A |
| File opened for modification | C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Treasure Chest\page13.jpg | C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe | N/A |
| File opened for modification | C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Treasure Chest\page8.jpg | C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe | N/A |
| File opened for modification | C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Internet\page0.jpg | C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe | N/A |
| File opened for modification | C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Internet\page15.jpg | C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe | N/A |
| File created | C:\Program Files (x86)\BonziBuddy432\Uninstall.ini | C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe | N/A |
| File opened for modification | C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Internet\page3.jpg | C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe | N/A |
| File opened for modification | C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Internet\page6.jpg | C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe | N/A |
| File opened for modification | C:\Program Files (x86)\BonziBuddy432\Apps.nbd | C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe | N/A |
| File opened for modification | C:\Program Files (x86)\BonziBuddy432\s1.nbd | C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe | N/A |
| File opened for modification | C:\Program Files (x86)\BonziBuddy432\sstabs2.ocx | C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe | N/A |
| File opened for modification | C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Treasure Chest\page12.jpg | C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe | N/A |
| File opened for modification | C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Treasure Chest\sp001.gif | C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe | N/A |
| File opened for modification | C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Alpha-net\page12.jpg | C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe | N/A |
| File opened for modification | C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Alpha-net\page15.jpg | C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe | N/A |
| File opened for modification | C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Internet\page10.jpg | C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe | N/A |
| File opened for modification | C:\Program Files (x86)\BonziBuddy432\empop3.dll | C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe | N/A |
| File opened for modification | C:\Program Files (x86)\BonziBuddy432\Runtimes\tv_enua.exe | C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe | N/A |
| File opened for modification | C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Polizoof\page2.jpg | C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe | N/A |
| File opened for modification | C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Treasure Chest\cb008.gif | C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe | N/A |
| File opened for modification | C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Treasure Chest\cb015.gif | C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe | N/A |
| File opened for modification | C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Alpha-net\book | C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe | N/A |
| File opened for modification | C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Internet\page7.jpg | C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe | N/A |
| File opened for modification | C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Internet\page9.jpg | C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe | N/A |
| File opened for modification | C:\Program Files (x86)\BonziBuddy432\Options\BonziBuddy.bat | C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe | N/A |
| File opened for modification | C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Polizoof\page1.jpg | C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe | N/A |
| File opened for modification | C:\Program Files (x86)\BonziBuddy432\BonziBDY.vbw | C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe | N/A |
| File opened for modification | C:\Program Files (x86)\BonziBuddy432\CHORD.WAV | C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe | N/A |
| File opened for modification | C:\Program Files (x86)\BonziBuddy432\j3.nbd | C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe | N/A |
| File opened for modification | C:\Program Files (x86)\BonziBuddy432\MSWINSCK.OCX | C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe | N/A |
| File opened for modification | C:\Program Files (x86)\BonziBuddy432\SSCALA32.OCX | C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe | N/A |
| File opened for modification | C:\Program Files (x86)\BonziBuddy432\t3.nbd | C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe | N/A |
| File opened for modification | C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Polizoof\~GLH0046.TMP | C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe | N/A |
| File opened for modification | C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Treasure Chest\page3.jpg | C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe | N/A |
| File opened for modification | C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Alpha-net\sp002.gif | C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe | N/A |
| File opened for modification | C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Internet\page19.jpg | C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe | N/A |
| File opened for modification | C:\Program Files (x86)\BonziBuddy432\BonziBDY_2.EXE | C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe | N/A |
| File opened for modification | C:\Program Files (x86)\BonziBuddy432\Runtimes\Readme.txt | C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe | N/A |
| File opened for modification | C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Polizoof\page11.jpg | C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe | N/A |
| File opened for modification | C:\Program Files (x86)\BonziBuddy432\AUTPRX32.DLL | C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe | N/A |
| File opened for modification | C:\Program Files (x86)\BonziBuddy432\MSAGENTS\Peedy.acs | C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe | N/A |
| File opened for modification | C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Alpha-net\sp001.gif | C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe | N/A |
| File opened for modification | C:\Program Files (x86)\BonziBuddy432\BonziBDY_4.EXE | C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe | N/A |
| File opened for modification | C:\Program Files (x86)\BonziBuddy432\T001.nbd-SR | C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe | N/A |
| File opened for modification | C:\Program Files (x86)\BonziBuddy432\Options\AutoShortcutsMaker.vbs | C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe | N/A |
| File opened for modification | C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Treasure Chest\cb012.gif | C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe | N/A |
| File opened for modification | C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Treasure Chest\page15.jpg | C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe | N/A |
| File opened for modification | C:\Program Files (x86)\BonziBuddy432\Uninstall.exe | C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe | N/A |
| File opened for modification | C:\Program Files (x86)\BonziBuddy432\msvcrt.dll | C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe | N/A |
| File opened for modification | C:\Program Files (x86)\BonziBuddy432\SSCALB32.OCX | C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\lhsp\tv\SETE596.tmp | C:\Program Files (x86)\BonziBuddy432\Runtimes\tv_enua.exe | N/A |
| File created | C:\Windows\msagent\SETEEC4.tmp | C:\Program Files (x86)\BonziBuddy432\Runtimes\MSAGENT.EXE | N/A |
| File opened for modification | C:\Windows\msagent\SETEEF9.tmp | C:\Program Files (x86)\BonziBuddy432\Runtimes\MSAGENT.EXE | N/A |
| File opened for modification | C:\Windows\INF\SETEED6.tmp | C:\Program Files (x86)\BonziBuddy432\Runtimes\MSAGENT.EXE | N/A |
| File created | C:\Windows\lhsp\help\SETE5B8.tmp | C:\Program Files (x86)\BonziBuddy432\Runtimes\tv_enua.exe | N/A |
| File created | C:\Windows\msagent\SETEEA1.tmp | C:\Program Files (x86)\BonziBuddy432\Runtimes\MSAGENT.EXE | N/A |
| File opened for modification | C:\Windows\msagent\AgentPsh.dll | C:\Program Files (x86)\BonziBuddy432\Runtimes\MSAGENT.EXE | N/A |
| File created | C:\Windows\INF\SETE5C9.tmp | C:\Program Files (x86)\BonziBuddy432\Runtimes\tv_enua.exe | N/A |
| File opened for modification | C:\Windows\msagent\SETEEA2.tmp | C:\Program Files (x86)\BonziBuddy432\Runtimes\MSAGENT.EXE | N/A |
| File opened for modification | C:\Windows\help\SETEED8.tmp | C:\Program Files (x86)\BonziBuddy432\Runtimes\MSAGENT.EXE | N/A |
| File created | C:\Windows\fonts\SETE5B9.tmp | C:\Program Files (x86)\BonziBuddy432\Runtimes\tv_enua.exe | N/A |
| File opened for modification | C:\Windows\msagent\AgentAnm.dll | C:\Program Files (x86)\BonziBuddy432\Runtimes\MSAGENT.EXE | N/A |
| File opened for modification | C:\Windows\msagent\intl\Agt0409.dll | C:\Program Files (x86)\BonziBuddy432\Runtimes\MSAGENT.EXE | N/A |
| File opened for modification | C:\Windows\Logs\DISM\dism.log | C:\Users\Admin\AppData\Local\Temp\8C40B9E2-12CC-4BB9-ADF8-04FEA9F5F756\dismhost.exe | N/A |
| File opened for modification | C:\Windows\lhsp\tv\tv_enua.dll | C:\Program Files (x86)\BonziBuddy432\Runtimes\tv_enua.exe | N/A |
| File opened for modification | C:\Windows\lhsp\help\SETE5B8.tmp | C:\Program Files (x86)\BonziBuddy432\Runtimes\tv_enua.exe | N/A |
| File created | C:\Windows\msagent\SETEE8F.tmp | C:\Program Files (x86)\BonziBuddy432\Runtimes\MSAGENT.EXE | N/A |
| File opened for modification | C:\Windows\msagent\SETEE90.tmp | C:\Program Files (x86)\BonziBuddy432\Runtimes\MSAGENT.EXE | N/A |
| File created | C:\Windows\msagent\SETEE90.tmp | C:\Program Files (x86)\BonziBuddy432\Runtimes\MSAGENT.EXE | N/A |
| File opened for modification | C:\Windows\msagent\SETEEC5.tmp | C:\Program Files (x86)\BonziBuddy432\Runtimes\MSAGENT.EXE | N/A |
| File opened for modification | C:\Windows\INF\tv_enua.inf | C:\Program Files (x86)\BonziBuddy432\Runtimes\tv_enua.exe | N/A |
| File opened for modification | C:\Windows\msagent\SETEE8F.tmp | C:\Program Files (x86)\BonziBuddy432\Runtimes\MSAGENT.EXE | N/A |
| File opened for modification | C:\Windows\msagent\SETEEA1.tmp | C:\Program Files (x86)\BonziBuddy432\Runtimes\MSAGENT.EXE | N/A |
| File opened for modification | C:\Windows\msagent\SETEEC4.tmp | C:\Program Files (x86)\BonziBuddy432\Runtimes\MSAGENT.EXE | N/A |
| File opened for modification | C:\Windows\msagent\AgentSR.dll | C:\Program Files (x86)\BonziBuddy432\Runtimes\MSAGENT.EXE | N/A |
| File created | C:\Windows\lhsp\tv\SETE596.tmp | C:\Program Files (x86)\BonziBuddy432\Runtimes\tv_enua.exe | N/A |
| File opened for modification | C:\Windows\lhsp\help\tv_enua.hlp | C:\Program Files (x86)\BonziBuddy432\Runtimes\tv_enua.exe | N/A |
| File opened for modification | C:\Windows\msagent\AgentMPx.dll | C:\Program Files (x86)\BonziBuddy432\Runtimes\MSAGENT.EXE | N/A |
| File opened for modification | C:\Windows\fonts\andmoipa.ttf | C:\Program Files (x86)\BonziBuddy432\Runtimes\tv_enua.exe | N/A |
| File created | C:\Windows\msagent\intl\SETEEE8.tmp | C:\Program Files (x86)\BonziBuddy432\Runtimes\MSAGENT.EXE | N/A |
| File opened for modification | C:\Windows\msagent\chars\Bonzi.acs | C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe | N/A |
| File opened for modification | C:\Windows\lhsp\tv\SETE5A7.tmp | C:\Program Files (x86)\BonziBuddy432\Runtimes\tv_enua.exe | N/A |
| File opened for modification | C:\Windows\lhsp\tv\tvenuax.dll | C:\Program Files (x86)\BonziBuddy432\Runtimes\tv_enua.exe | N/A |
| File opened for modification | C:\Windows\msagent\SETEED7.tmp | C:\Program Files (x86)\BonziBuddy432\Runtimes\MSAGENT.EXE | N/A |
| File opened for modification | C:\Windows\fonts\SETE5B9.tmp | C:\Program Files (x86)\BonziBuddy432\Runtimes\tv_enua.exe | N/A |
| File opened for modification | C:\Windows\msagent\AgentDPv.dll | C:\Program Files (x86)\BonziBuddy432\Runtimes\MSAGENT.EXE | N/A |
| File created | C:\Windows\msagent\SETEEC5.tmp | C:\Program Files (x86)\BonziBuddy432\Runtimes\MSAGENT.EXE | N/A |
| File opened for modification | C:\Windows\msagent\mslwvtts.dll | C:\Program Files (x86)\BonziBuddy432\Runtimes\MSAGENT.EXE | N/A |
| File opened for modification | C:\Windows\msagent\chars\Peedy.acs | C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe | N/A |
| File opened for modification | C:\Windows\msagent\SETEEA3.tmp | C:\Program Files (x86)\BonziBuddy432\Runtimes\MSAGENT.EXE | N/A |
| File opened for modification | C:\Windows\msagent\SETEEC3.tmp | C:\Program Files (x86)\BonziBuddy432\Runtimes\MSAGENT.EXE | N/A |
| File created | C:\Windows\INF\SETEED6.tmp | C:\Program Files (x86)\BonziBuddy432\Runtimes\MSAGENT.EXE | N/A |
| File created | C:\Windows\lhsp\tv\SETE5A7.tmp | C:\Program Files (x86)\BonziBuddy432\Runtimes\tv_enua.exe | N/A |
| File opened for modification | C:\Windows\msagent\AgentCtl.dll | C:\Program Files (x86)\BonziBuddy432\Runtimes\MSAGENT.EXE | N/A |
| File created | C:\Windows\msagent\SETEEC3.tmp | C:\Program Files (x86)\BonziBuddy432\Runtimes\MSAGENT.EXE | N/A |
| File opened for modification | C:\Windows\help\Agt0409.hlp | C:\Program Files (x86)\BonziBuddy432\Runtimes\MSAGENT.EXE | N/A |
| File opened for modification | C:\Windows\msagent\AgtCtl15.tlb | C:\Program Files (x86)\BonziBuddy432\Runtimes\MSAGENT.EXE | N/A |
| File created | C:\Windows\msagent\SETEEA2.tmp | C:\Program Files (x86)\BonziBuddy432\Runtimes\MSAGENT.EXE | N/A |
| File opened for modification | C:\Windows\msagent\AgentSvr.exe | C:\Program Files (x86)\BonziBuddy432\Runtimes\MSAGENT.EXE | N/A |
| File opened for modification | C:\Windows\INF\agtinst.inf | C:\Program Files (x86)\BonziBuddy432\Runtimes\MSAGENT.EXE | N/A |
| File opened for modification | C:\Windows\msagent\intl\SETEEE8.tmp | C:\Program Files (x86)\BonziBuddy432\Runtimes\MSAGENT.EXE | N/A |
| File opened for modification | C:\Windows\INF\SETE5C9.tmp | C:\Program Files (x86)\BonziBuddy432\Runtimes\tv_enua.exe | N/A |
| File opened for modification | C:\Windows\msagent\AgentDp2.dll | C:\Program Files (x86)\BonziBuddy432\Runtimes\MSAGENT.EXE | N/A |
| File created | C:\Windows\msagent\SETEEA3.tmp | C:\Program Files (x86)\BonziBuddy432\Runtimes\MSAGENT.EXE | N/A |
| File created | C:\Windows\msagent\SETEED7.tmp | C:\Program Files (x86)\BonziBuddy432\Runtimes\MSAGENT.EXE | N/A |
| File created | C:\Windows\msagent\SETEEF9.tmp | C:\Program Files (x86)\BonziBuddy432\Runtimes\MSAGENT.EXE | N/A |
| File opened for modification | C:\Windows\Logs\DISM\dism.log | C:\Windows\System32\Dism.exe | N/A |
| File created | C:\Windows\help\SETEED8.tmp | C:\Program Files (x86)\BonziBuddy432\Runtimes\MSAGENT.EXE | N/A |
Launches sc.exe
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\System32\clipup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs | C:\Windows\system32\Clipup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | C:\Windows\system32\Clipup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\system32\Clipup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | C:\Windows\System32\clipup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs | C:\Windows\System32\clipup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | C:\Windows\System32\clipup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\Clipup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | C:\Windows\system32\Clipup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs | C:\Windows\system32\Clipup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\System32\clipup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs | C:\Windows\System32\clipup.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA141FD0-AC7F-11d1-97A3-0060082730FF}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D45FD31B-5C6E-11D1-9EC1-00C04FD7081F}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8E3867A1-8586-11D1-B16A-00C0F0283628} | C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{065E6FD8-1BF9-11D2-BAE8-00104B9E0792}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4} | C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C74190B5-8589-11D1-B16A-00C0F0283628}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A7B93CA0-7B81-11D0-AC5F-00C04FD97575} | C:\Windows\msagent\AgentSvr.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{065E6FE6-1BF9-11D2-BAE8-00104B9E0792} | C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{065E6FE6-1BF9-11D2-BAE8-00104B9E0792}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4} | C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0A45DB49-BD0D-11D2-8D14-00104B9E072A}\TypeLib\ = "{0A45DB48-BD0D-11D2-8D14-00104B9E072A}" | C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D6589123-FC70-11D0-AC94-00C04FD97575} | C:\Windows\msagent\AgentSvr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8DB2224E-D2FA-4B2E-8402-085EA7CC826B}\ = "_CCalendarVBPeriods" | C:\Program Files (x86)\BonziBuddy432\BonziBDY_4.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{53FA8D44-2CDD-11D3-9DD0-D3CD4078982A}\ProgID | C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DCE47F78-8A6C-4C6D-A6F7-8BE4427127C4}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{311CFF50-3889-11CE-9E52-0000C0554C0A}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D6589121-FC70-11D0-AC94-00C04FD97575}\TypeLib | C:\Windows\msagent\AgentSvr.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6549F504-C43A-43F3-B8CD-D077AF0427C8}\ProxyStubClsid | C:\Program Files (x86)\BonziBuddy432\BonziBDY_4.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1EFB6599-857C-11D1-B16A-00C0F0283628}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BDD1F055-858B-11D1-B16A-00C0F0283628}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{35053A22-8589-11D1-B16A-00C0F0283628}\VersionIndependentProgID\ = "MSComctlLib.ProgCtrl" | C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EB61DB30-B032-11D0-A853-0000C02AC6DB}\TypeLib\Version = "2.0" | C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CA478DA0-3920-11D3-9DD0-8067E4A06603}\ = "ISkinPopup" | C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66833FE6-8583-11D1-B16A-00C0F0283628}\ToolboxBitmap32 | C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{920FF31F-CA25-451A-9738-3444FC206BCC}\TypeLib\ = "{972DE6B5-8B09-11D2-B652-A1FD6CC34260}" | C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00E212A2-E66D-11CD-836C-0000C0C14E92} | C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C74190B4-8589-11D1-B16A-00C0F0283628} | C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{53FA8D40-2CDD-11D3-9DD0-D3CD4078982A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66833FE6-8583-11D1-B16A-00C0F0283628}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E91E27A1-C5AE-11D2-8D1B-00104B9E072A}\TypeLib\Version = "2.0" | C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5BE8BF0-7DE6-11D0-91FE-00C04FD701A5}\TypeLib\ = "{F5BE8BC2-7DE6-11D0-91FE-00C04FD701A5}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Agent.Character.2\DefaultIcon\ = "C:\\Windows\\msagent\\AgentDPv.dll,-201" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C74190B8-8589-11D1-B16A-00C0F0283628}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32\ = "C:\\Program Files (x86)\\BonziBuddy432\\MSWINSCK.OCX, 1" | C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2F5A7562-BDC3-41F8-8122-4A54D2C3C50C}\ = "_BonziCHECKERSControl" | C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDD1F051-858B-11D1-B16A-00C0F0283628}\TypeLib | C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5BE8BD2-7DE6-11D0-91FE-00C04FD701A5}\MiscStatus | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5BE8BDD-7DE6-11D0-91FE-00C04FD701A5}\TypeLib\ = "{F5BE8BC2-7DE6-11D0-91FE-00C04FD701A5}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EE11629C-36DF-11D3-9DD0-89D6DBBBA800}\verb | C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{53FA8D40-2CDD-11D3-9DD0-D3CD4078982A}\ = "ISkinButton" | C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EB52CF7B-3917-11CE-80FB-0000C0C14E92}\ProgID\ = "SSCalendar.SSDateComboCtrl.1" | C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5BE8BD4-7DE6-11D0-91FE-00C04FD701A5} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A7B93C87-7B81-11D0-AC5F-00C04FD97575}\TypeLib\Version = "2.0" | C:\Windows\msagent\AgentSvr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6CFC9BA2-FE87-11D2-9DCF-ED29FAFE371D}\ = "SkinItem Class" | C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BonziCHECKERS.BonziCHECKERSControl\Clsid | C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ = "DMSWinsockControlEvents" | C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Threed.SSCommand\CLSID | C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0A45DB4D-BD0D-11D2-8D14-00104B9E072A}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F5BE8BC2-7DE6-11D0-91FE-00C04FD701A5}\1.5\ = "Microsoft Agent Control 1.5" | C:\Windows\msagent\AgentSvr.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66833FED-8583-11D1-B16A-00C0F0283628}\TypeLib | C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C74190B8-8589-11D1-B16A-00C0F0283628}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{065E6FE6-1BF9-11D2-BAE8-00104B9E0792}\Programmable | C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{53FA8D4A-2CDD-11D3-9DD0-D3CD4078982A}\MiscStatus\1 | C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A7B93CA0-7B81-11D0-AC5F-00C04FD97575}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\msagent\AgentSvr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\TypeLib\ = "{48E59290-9880-11CF-9754-00AA00C00908}" | C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{065E6FDC-1BF9-11D2-BAE8-00104B9E0792}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502} | C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{065E6FDE-1BF9-11D2-BAE8-00104B9E0792}\TypeLib | C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F4900F95-055F-11D4-8F9B-00104BA312D6}\TypeLib | C:\Program Files (x86)\BonziBuddy432\BonziBDY_4.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6CFC9BA1-FE87-11D2-9DCF-ED29FAFE371D}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8E3867A1-8586-11D1-B16A-00C0F0283628}\TypeLib\Version = "2.0" | C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F08DF952-8592-11D1-B16A-00C0F0283628}\TypeLib\ = "{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}" | C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{065E6FDF-1BF9-11D2-BAE8-00104B9E0792}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4} | C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5BE8BD2-7DE6-11D0-91FE-00C04FD701A5}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies registry key
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\System32\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\BonziBuddy432\Runtimes\tv_enua.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\BonziBuddy432\Runtimes\MSAGENT.EXE | N/A |
| N/A | N/A | C:\Windows\msagent\AgentSvr.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\BonziBuddy432\BonziBDY_4.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\BonziBuddy432\BonziBDY_4.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\BonziBuddy432\Bonzi's Beach Checkers.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\BonziBuddy432\Bonzi's Beach Checkers.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\StarStacker.bat"
C:\Windows\system32\chcp.com
chcp 65001
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa21d746f8,0x7ffa21d74708,0x7ffa21d74718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,16500626687555477978,3659277950944946870,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2072 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,16500626687555477978,3659277950944946870,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2060,16500626687555477978,3659277950944946870,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2852 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,16500626687555477978,3659277950944946870,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,16500626687555477978,3659277950944946870,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,16500626687555477978,3659277950944946870,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4144 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,16500626687555477978,3659277950944946870,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4680 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,16500626687555477978,3659277950944946870,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4684 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,16500626687555477978,3659277950944946870,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4684 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,16500626687555477978,3659277950944946870,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3184 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,16500626687555477978,3659277950944946870,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5152 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2060,16500626687555477978,3659277950944946870,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3984 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2060,16500626687555477978,3659277950944946870,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5344 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,16500626687555477978,3659277950944946870,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5560 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,16500626687555477978,3659277950944946870,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,16500626687555477978,3659277950944946870,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,16500626687555477978,3659277950944946870,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6200 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2060,16500626687555477978,3659277950944946870,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6220 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,16500626687555477978,3659277950944946870,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6272 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,16500626687555477978,3659277950944946870,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6576 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,16500626687555477978,3659277950944946870,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6564 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,16500626687555477978,3659277950944946870,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6808 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,16500626687555477978,3659277950944946870,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6836 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,16500626687555477978,3659277950944946870,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=7008 /prefetch:2
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2060,16500626687555477978,3659277950944946870,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5528 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,16500626687555477978,3659277950944946870,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,16500626687555477978,3659277950944946870,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5904 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,16500626687555477978,3659277950944946870,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6572 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,16500626687555477978,3659277950944946870,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2812 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,16500626687555477978,3659277950944946870,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4788 /prefetch:1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Windows\Temp\MAS_5835136.cmd" "
C:\Windows\System32\sc.exe
sc query Null
C:\Windows\System32\find.exe
find /i "RUNNING"
C:\Windows\System32\findstr.exe
findstr /v "$" "MAS_5835136.cmd"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ver
C:\Windows\System32\reg.exe
reg query "HKCU\Console" /v ForceV2
C:\Windows\System32\find.exe
find /i "0x0"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c echo prompt $E | cmd
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "
C:\Windows\System32\cmd.exe
cmd
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo "C:\Windows\Temp\MAS_5835136.cmd" "
C:\Windows\System32\find.exe
find /i "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\System32\fltMC.exe
fltmc
C:\Windows\System32\reg.exe
reg query HKCU\Console /v QuickEdit
C:\Windows\System32\find.exe
find /i "0x0"
C:\Windows\System32\reg.exe
reg add HKCU\Console /v QuickEdit /t REG_DWORD /d "0" /f
C:\Windows\System32\cmd.exe
cmd.exe /c ""C:\Windows\Temp\MAS_5835136.cmd" -qedit"
C:\Windows\System32\reg.exe
reg add HKCU\Console /v QuickEdit /t REG_DWORD /d "1" /f
C:\Windows\System32\sc.exe
sc query Null
C:\Windows\System32\find.exe
find /i "RUNNING"
C:\Windows\System32\findstr.exe
findstr /v "$" "MAS_5835136.cmd"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo "-qedit" "
C:\Windows\System32\find.exe
find /i "/"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ver
C:\Windows\System32\reg.exe
reg query "HKCU\Console" /v ForceV2
C:\Windows\System32\find.exe
find /i "0x0"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c echo prompt $E | cmd
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "
C:\Windows\System32\cmd.exe
cmd
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo "C:\Windows\Temp\MAS_5835136.cmd" "
C:\Windows\System32\find.exe
find /i "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\System32\fltMC.exe
fltmc
C:\Windows\System32\reg.exe
reg query HKCU\Console /v QuickEdit
C:\Windows\System32\find.exe
find /i "0x0"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ping -4 -n 1 updatecheck.massgrave.dev
C:\Windows\System32\PING.EXE
ping -4 -n 1 updatecheck.massgrave.dev
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo "127.69.2.6" "
C:\Windows\System32\find.exe
find "127.69"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo "127.69.2.6" "
C:\Windows\System32\find.exe
find "127.69.2.6"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo "-qedit" "
C:\Windows\System32\find.exe
find /i "/S"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo "-qedit" "
C:\Windows\System32\find.exe
find /i "/"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
C:\Windows\System32\reg.exe
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
C:\Windows\System32\mode.com
mode 76, 30
C:\Windows\System32\choice.exe
choice /C:123456780 /N
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,16500626687555477978,3659277950944946870,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6320 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,16500626687555477978,3659277950944946870,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6216 /prefetch:1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ver
C:\Windows\System32\reg.exe
reg query "HKCU\Console" /v ForceV2
C:\Windows\System32\find.exe
find /i "0x0"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c echo prompt $E | cmd
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "
C:\Windows\System32\cmd.exe
cmd
C:\Windows\System32\mode.com
mode 110, 34
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe $ExecutionContext.SessionState.LanguageMode
C:\Windows\System32\find.exe
find /i "Full"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo "Windows 10 Pro" "
C:\Windows\System32\find.exe
find /i "Windows"
C:\Windows\System32\wbem\WMIC.exe
wmic path Win32_ComputerSystem get CreationClassName /value
C:\Windows\System32\find.exe
find /i "computersystem"
C:\Windows\System32\sc.exe
sc start sppsvc
C:\Windows\System32\wbem\WMIC.exe
wmic path SoftwareLicensingProduct where (LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL) get Name /value
C:\Windows\System32\findstr.exe
findstr /i "Windows"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('SLGetWindowsInformationDWORD', 'slc.dll', 'Public, Static', 1, [int], @([String], [int].MakeByRefType()), 1, 3); $Sku = 0; [void]$TypeBuilder.CreateType()::SLGetWindowsInformationDWORD('Kernel-BrandingInfo', [ref]$Sku); $Sku"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('SLGetWindowsInformationDWORD', 'slc.dll', 'Public, Static', 1, [int], @([String], [int].MakeByRefType()), 1, 3); $Sku = 0; [void]$TypeBuilder.CreateType()::SLGetWindowsInformationDWORD('Kernel-BrandingInfo', [ref]$Sku); $Sku
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn 2>nul
C:\Windows\System32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST" 2>nul
C:\Windows\System32\wbem\WMIC.exe
wmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE
C:\Windows\System32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ver
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 1 l.root-servers.net
C:\Windows\System32\PING.EXE
ping -n 1 l.root-servers.net
C:\Windows\System32\reg.exe
reg query "HKCU\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled
C:\Windows\System32\find.exe
find /i "0x0"
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled
C:\Windows\System32\find.exe
find /i "0x0"
C:\Windows\System32\sc.exe
sc start ClipSVC
C:\Windows\System32\sc.exe
sc query ClipSVC
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v DependOnService
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Description
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v DisplayName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ErrorControl
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ImagePath
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ObjectName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Start
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Type
C:\Windows\System32\sc.exe
sc start wlidsvc
C:\Windows\System32\sc.exe
sc query wlidsvc
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v DependOnService
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Description
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v DisplayName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ErrorControl
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ImagePath
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ObjectName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Start
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Type
C:\Windows\System32\sc.exe
sc start sppsvc
C:\Windows\System32\sc.exe
sc query sppsvc
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DependOnService
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Description
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DisplayName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ErrorControl
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ImagePath
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ObjectName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Start
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Type
C:\Windows\System32\sc.exe
sc start KeyIso
C:\Windows\System32\sc.exe
sc query KeyIso
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v DependOnService
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Description
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v DisplayName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ErrorControl
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ImagePath
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ObjectName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Start
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Type
C:\Windows\System32\sc.exe
sc start LicenseManager
C:\Windows\System32\sc.exe
sc query LicenseManager
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v DependOnService
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Description
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v DisplayName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ErrorControl
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ImagePath
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ObjectName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Start
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Type
C:\Windows\System32\sc.exe
sc start Winmgmt
C:\Windows\System32\sc.exe
sc query Winmgmt
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DependOnService
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Description
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DisplayName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ErrorControl
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ImagePath
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ObjectName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Start
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Type
C:\Windows\System32\sc.exe
sc start DoSvc
C:\Windows\System32\sc.exe
sc query DoSvc
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v DependOnService
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v Description
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v DisplayName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v ErrorControl
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v ImagePath
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v ObjectName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v Start
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v Type
C:\Windows\System32\sc.exe
sc start UsoSvc
C:\Windows\System32\sc.exe
sc query UsoSvc
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v DependOnService
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v Description
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v DisplayName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v ErrorControl
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v ImagePath
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v ObjectName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v Start
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v Type
C:\Windows\System32\sc.exe
sc start CryptSvc
C:\Windows\System32\sc.exe
sc query CryptSvc
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v DependOnService
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v Description
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v DisplayName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v ErrorControl
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v ImagePath
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v ObjectName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v Start
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v Type
C:\Windows\System32\sc.exe
sc start BITS
C:\Windows\System32\sc.exe
sc query BITS
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v DependOnService
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v Description
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v DisplayName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v ErrorControl
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v ImagePath
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v ObjectName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v Start
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v Type
C:\Windows\System32\sc.exe
sc start TrustedInstaller
C:\Windows\System32\sc.exe
sc query TrustedInstaller
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v DependOnService
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v Description
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v DisplayName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v ErrorControl
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v ImagePath
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v ObjectName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v Start
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v Type
C:\Windows\System32\sc.exe
sc start wuauserv
C:\Windows\System32\sc.exe
sc query wuauserv
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v DependOnService
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Description
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v DisplayName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ErrorControl
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ImagePath
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ObjectName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Start
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Type
C:\Windows\System32\sc.exe
sc start WaaSMedicSvc
C:\Windows\System32\sc.exe
sc query WaaSMedicSvc
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /v DependOnService
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /v Description
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /v DisplayName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /v ErrorControl
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /v ImagePath
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /v ObjectName
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /v Start
C:\Windows\System32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /v Type
C:\Windows\System32\sc.exe
sc start ClipSVC
C:\Windows\System32\sc.exe
sc start wlidsvc
C:\Windows\System32\sc.exe
sc start sppsvc
C:\Windows\System32\sc.exe
sc start KeyIso
C:\Windows\System32\sc.exe
sc start LicenseManager
C:\Windows\System32\sc.exe
sc start Winmgmt
C:\Windows\System32\sc.exe
sc start DoSvc
C:\Windows\System32\sc.exe
sc start UsoSvc
C:\Windows\System32\sc.exe
sc start CryptSvc
C:\Windows\System32\sc.exe
sc start BITS
C:\Windows\System32\sc.exe
sc start TrustedInstaller
C:\Windows\System32\sc.exe
sc start wuauserv
C:\Windows\System32\sc.exe
sc start WaaSMedicSvc
C:\Windows\System32\sc.exe
sc config DoSvc start= delayed-auto
C:\Windows\System32\sc.exe
sc query ClipSVC
C:\Windows\System32\find.exe
find /i "RUNNING"
C:\Windows\System32\sc.exe
sc start ClipSVC
C:\Windows\System32\sc.exe
sc query wlidsvc
C:\Windows\System32\find.exe
find /i "RUNNING"
C:\Windows\System32\sc.exe
sc start wlidsvc
C:\Windows\System32\sc.exe
sc query sppsvc
C:\Windows\System32\find.exe
find /i "RUNNING"
C:\Windows\System32\sc.exe
sc start sppsvc
C:\Windows\System32\sc.exe
sc query KeyIso
C:\Windows\System32\find.exe
find /i "RUNNING"
C:\Windows\System32\sc.exe
sc start KeyIso
C:\Windows\System32\sc.exe
sc query LicenseManager
C:\Windows\System32\find.exe
find /i "RUNNING"
C:\Windows\System32\sc.exe
sc start LicenseManager
C:\Windows\System32\sc.exe
sc query Winmgmt
C:\Windows\System32\find.exe
find /i "RUNNING"
C:\Windows\System32\sc.exe
sc start Winmgmt
C:\Windows\System32\sc.exe
sc query DoSvc
C:\Windows\System32\find.exe
find /i "RUNNING"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Start-Service DoSvc
C:\Windows\System32\sc.exe
sc query DoSvc
C:\Windows\System32\find.exe
find /i "RUNNING"
C:\Windows\System32\sc.exe
sc start DoSvc
C:\Windows\System32\sc.exe
sc query UsoSvc
C:\Windows\System32\find.exe
find /i "RUNNING"
C:\Windows\System32\sc.exe
sc start UsoSvc
C:\Windows\System32\sc.exe
sc query CryptSvc
C:\Windows\System32\find.exe
find /i "RUNNING"
C:\Windows\System32\sc.exe
sc start CryptSvc
C:\Windows\System32\sc.exe
sc query BITS
C:\Windows\System32\find.exe
find /i "RUNNING"
C:\Windows\System32\sc.exe
sc start BITS
C:\Windows\System32\sc.exe
sc query TrustedInstaller
C:\Windows\System32\find.exe
find /i "RUNNING"
C:\Windows\System32\sc.exe
sc start TrustedInstaller
C:\Windows\System32\sc.exe
sc query wuauserv
C:\Windows\System32\find.exe
find /i "RUNNING"
C:\Windows\System32\sc.exe
sc start wuauserv
C:\Windows\System32\sc.exe
sc query WaaSMedicSvc
C:\Windows\System32\find.exe
find /i "RUNNING"
C:\Windows\System32\sc.exe
sc start WaaSMedicSvc
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinPE" /v InstRoot
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_5835136.cmd') -split ':wpatest\:.*';iex ($f[1]);" 2>nul
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_5835136.cmd') -split ':wpatest\:.*';iex ($f[1]);"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo "7" "
C:\Windows\System32\find.exe
find /i "Error Found"
C:\Windows\System32\Dism.exe
DISM /English /Online /Get-CurrentEdition
C:\Users\Admin\AppData\Local\Temp\8C40B9E2-12CC-4BB9-ADF8-04FEA9F5F756\dismhost.exe
C:\Users\Admin\AppData\Local\Temp\8C40B9E2-12CC-4BB9-ADF8-04FEA9F5F756\dismhost.exe {6F8C2633-B4EC-41CC-86C5-9C9F38AD0E87}
C:\Windows\System32\cmd.exe
cmd /c exit /b 0
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v EditionID 2>nul
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v EditionID
C:\Windows\System32\cscript.exe
cscript //nologo C:\Windows\system32\slmgr.vbs /dlv
C:\Windows\System32\cmd.exe
cmd /c exit /b 0
C:\Windows\System32\wbem\WMIC.exe
wmic path Win32_ComputerSystem get CreationClassName /value
C:\Windows\System32\find.exe
find /i "computersystem"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo "0" "
C:\Windows\System32\findstr.exe
findstr /i "0x800410 0x800440"
C:\Windows\System32\reg.exe
reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\PersistedTSReArmed"
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ClipSVC\Volatile\PersistedSystemState"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm" 2>nul
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm"
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Plugins\Objects\msft:rm/algorithm/hwid/4.0" /f ba02fed39662 /d
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore 2>nul
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE" 2>nul
C:\Windows\System32\wbem\WMIC.exe
wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "$acl = Get-Acl '"C:\Windows\System32\spp\store\2.0"'; if ($acl.Access.Where{ $_.IdentityReference -eq 'NT SERVICE\sppsvc' -and $_.AccessControlType -eq 'Deny' -or $acl.Access.IdentityReference -notcontains 'NT SERVICE\sppsvc'}) {Exit 2}"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "$acl = Get-Acl '"HKLM:\SYSTEM\WPA"'; if ($acl.Access.Where{ $_.IdentityReference -eq 'NT SERVICE\sppsvc' -and $_.AccessControlType -eq 'Deny' -or $acl.Access.IdentityReference -notcontains 'NT SERVICE\sppsvc'}) {Exit 2}"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "$acl = Get-Acl '"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform"'; if ($acl.Access.Where{ $_.IdentityReference -eq 'NT SERVICE\sppsvc' -and $_.AccessControlType -eq 'Deny' -or $acl.Access.IdentityReference -notcontains 'NT SERVICE\sppsvc'}) {Exit 2}"
C:\Windows\System32\reg.exe
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v SettingsPageVisibility
C:\Windows\System32\find.exe
find /i "windowsupdate"
C:\Windows\System32\reg.exe
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdateSysprepInProgress
C:\Windows\System32\reg.exe
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate /s
C:\Windows\System32\findstr.exe
findstr /i "NoAutoUpdate DisableWindowsUpdateAccess"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo: "
C:\Windows\System32\find.exe
find /i "wuauserv"
C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Policies\Microsoft\WindowsStore" /v DisableStoreApps
C:\Windows\System32\find.exe
find /i "0x1"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo "040fa323-92b1-4baf-97a2-5b67feaefddb 0724cb7d-3437-4cb7-93cb-830375d0079d 0ad2ac98-7bb9-4201-8d92-312299201369 1a9a717a-cf13-4ba5-83c3-0fe25fa868d5 221a02da-e2a1-4b75-864c-0a4410a33fdf 291ece0e-9c38-40ca-a9e1-32cc7ec19507 2936d1d2-913a-4542-b54e-ce5a602a2a38 2c293c26-a45a-4a2a-a350-c69a67097529 2de67392-b7a7-462a-b1ca-108dd189f588 2ffd8952-423e-4903-b993-72a1aa44cf82 30a42c86-b7a0-4a34-8c90-ff177cb2acb7 345a5db0-d94f-4e3b-a0c0-7c42f7bc3ebf 3502365a-f88a-4ba4-822a-5769d3073b65 377333b1-8b5d-48d6-9679-1225c872d37c 3df374ef-d444-4494-a5a1-4b0d9fd0e203 3f1afc82-f8ac-4f6c-8005-1d233e606eee 49cd895b-53b2-4dc4-a5f7-b18aa019ad37 4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c 4f3da0d2-271d-4508-ae81-626b60809a38 60b3ec1b-9545-4921-821f-311b129dd6f6 613d217f-7f13-4268-9907-1662339531cd 62f0c100-9c53-4e02-b886-a3528ddfe7f6 6365275e-368d-46ca-a0ef-fc0404119333 721f9237-9341-4453-a661-09e8baa6cca5 73111121-5638-40f6-bc11-f1d7b0d64300 7a802526-4c94-4bd1-ba14-835a1aca2120 7cb546c0-c7d5-44d8-9a5c-69ecdd782b69 82bbc092-bc50-4e16-8e18-b74fc486aec3 8ab9bdd1-1f67-4997-82d9-8878520837d9 8b351c9c-f398-4515-9900-09df49427262 90da7373-1c51-430b-bf26-c97e9c5cdc31 95dca82f-385d-4d39-b85b-5c73fa285d6f a48938aa-62fa-4966-9d44-9f04da3f72f2 b0773a15-df3a-4312-9ad2-83d69648e356 b4bfe195-541e-4e64-ad23-6177f19e395e b68e61d2-68ca-4757-be45-0cc2f3e68eee bd3762d7-270d-4760-8fb3-d829ca45278a c86d5194-4840-4dae-9c1c-0301003a5ab0 d552befb-48cc-4327-8f39-47d2d94f987c d6eadb3b-5ca8-4a6b-986e-35b550756111 df96023b-dcd9-4be2-afa0-c6c871159ebe e0c42288-980c-4788-a014-c080d2e1926e e4db50ea-bda1-4566-b047-0ca50abc6f07 e558417a-5123-4f6f-91e7-385c1c7ca9d4 e7a950a2-e548-4f10-bf16-02ec848e0643 eb6d346f-1c60-4643-b960-40ec31596c45 ec868e65-fadf-4759-b23e-93fe37f2cc29 ef51e000-2659-4f25-8345-3de70a9cf4c4 f7af7d09-40e4-419c-a49b-eae366689ebd fa755fe6-6739-40b9-8d84-6d0ea3b6d1ab fe74f55b-0338-41d6-b267-4a201abe7285 " "
C:\Windows\System32\find.exe
find /i "4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c"
C:\Windows\System32\wbem\WMIC.exe
wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call InstallProductKey ProductKey="VK7JG-NPHTM-C97JM-9MPGT-3V66T"
C:\Windows\System32\cmd.exe
cmd /c exit /b 0
C:\Windows\System32\wbem\WMIC.exe
wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call RefreshLicenseStatus
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKCU\Control Panel\International\Geo" /v Name 2>nul
C:\Windows\System32\reg.exe
reg query "HKCU\Control Panel\International\Geo" /v Name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKCU\Control Panel\International\Geo" /v Nation 2>nul
C:\Windows\System32\reg.exe
reg query "HKCU\Control Panel\International\Geo" /v Nation
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe [convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes("""OSMajorVersion=5;OSMinorVersion=1;OSPlatformId=2;PP=0;Pfn=Microsoft.Windows.48.X19-98841_8wekyb3d8bbwe;PKeyIID=465145217131314304264339481117862266242033457260311819664735280;$([char]0)"""))
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe [convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes("""OSMajorVersion=5;OSMinorVersion=1;OSPlatformId=2;PP=0;Pfn=Microsoft.Windows.48.X19-98841_8wekyb3d8bbwe;PKeyIID=465145217131314304264339481117862266242033457260311819664735280;$([char]0)"""))
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo "TwBTAE0AYQBqAG8AcgBWAGUAcgBzAGkAbwBuAD0ANQA7AE8AUwBNAGkAbgBvAHIAVgBlAHIAcwBpAG8AbgA9ADEAOwBPAFMAUABsAGEAdABmAG8AcgBtAEkAZAA9ADIAOwBQAFAAPQAwADsAUABmAG4APQBNAGkAYwByAG8AcwBvAGYAdAAuAFcAaQBuAGQAbwB3AHMALgA0ADgALgBYADEAOQAtADkAOAA4ADQAMQBfADgAdwBlAGsAeQBiADMAZAA4AGIAYgB3AGUAOwBQAEsAZQB5AEkASQBEAD0ANAA2ADUAMQA0ADUAMgAxADcAMQAzADEAMwAxADQAMwAwADQAMgA2ADQAMwAzADkANAA4ADEAMQAxADcAOAA2ADIAMgA2ADYAMgA0ADIAMAAzADMANAA1ADcAMgA2ADAAMwAxADEAOAAxADkANgA2ADQANwAzADUAMgA4ADAAOwAAAA==" "
C:\Windows\System32\find.exe
find "AAAA"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Restart-Service ClipSVC
C:\Windows\system32\Clipup.exe
"C:\Windows\system32\Clipup.exe" -o
C:\Windows\system32\Clipup.exe
"C:\Windows\system32\Clipup.exe" -o -ppl C:\Windows\TEMP\temC991.tmp
C:\Windows\System32\ClipUp.exe
clipup -v -o
C:\Windows\System32\clipup.exe
clipup -v -o -ppl C:\Users\Admin\AppData\Local\Temp\temCA6C.tmp
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo "Windows 10 Pro" "
C:\Windows\System32\find.exe
find /i "Windows"
C:\Windows\System32\wbem\WMIC.exe
wmic path SoftwareLicensingProduct where "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey<>null" call Activate
C:\Windows\System32\cmd.exe
cmd /c exit /b 0
C:\Windows\System32\wbem\WMIC.exe
wmic path SoftwareLicensingProduct where (LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL) get Name /value
C:\Windows\System32\findstr.exe
findstr /i "Windows"
C:\Windows\System32\mode.com
mode 76, 30
C:\Windows\System32\choice.exe
choice /C:123456780 /N
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,16500626687555477978,3659277950944946870,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,16500626687555477978,3659277950944946870,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6876 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,16500626687555477978,3659277950944946870,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7100 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2060,16500626687555477978,3659277950944946870,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6912 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,16500626687555477978,3659277950944946870,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6012 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,16500626687555477978,3659277950944946870,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4720 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2060,16500626687555477978,3659277950944946870,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5948 /prefetch:8
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\BonziBuddy432\Runtimes\CheckRuntimes.bat" "
C:\Program Files (x86)\BonziBuddy432\Runtimes\MSAGENT.EXE
MSAGENT.EXE
C:\Program Files (x86)\BonziBuddy432\Runtimes\tv_enua.exe
tv_enua.exe
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s C:\Windows\lhsp\tv\tv_enua.dll
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s C:\Windows\lhsp\tv\tvenuax.dll
C:\Windows\SysWOW64\grpconv.exe
grpconv.exe -o
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Windows\msagent\AgentCtl.dll"
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Windows\msagent\AgentDPv.dll"
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Windows\msagent\mslwvtts.dll"
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Windows\msagent\AgentDP2.dll"
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Windows\msagent\AgentMPx.dll"
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Windows\msagent\AgentSR.dll"
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Windows\msagent\AgentPsh.dll"
C:\Windows\msagent\AgentSvr.exe
"C:\Windows\msagent\AgentSvr.exe" /regserver
C:\Windows\SysWOW64\grpconv.exe
grpconv.exe -o
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://bonzibuddy.tk/
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa21d746f8,0x7ffa21d74708,0x7ffa21d74718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,16500626687555477978,3659277950944946870,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6892 /prefetch:1
C:\Program Files (x86)\BonziBuddy432\BonziBDY_4.EXE
"C:\Program Files (x86)\BonziBuddy432\BonziBDY_4.EXE"
C:\Windows\msagent\AgentSvr.exe
C:\Windows\msagent\AgentSvr.exe -Embedding
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2fc 0x504
C:\Program Files (x86)\BonziBuddy432\Bonzi's Beach Checkers.exe
"C:\Program Files (x86)\BonziBuddy432\Bonzi's Beach Checkers.exe"
C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa21d746f8,0x7ffa21d74708,0x7ffa21d74718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,8348230435481082083,18088015786158992587,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,8348230435481082083,18088015786158992587,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,8348230435481082083,18088015786158992587,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2808 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,8348230435481082083,18088015786158992587,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,8348230435481082083,18088015786158992587,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,8348230435481082083,18088015786158992587,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4876 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,8348230435481082083,18088015786158992587,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4932 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,8348230435481082083,18088015786158992587,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5140 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,8348230435481082083,18088015786158992587,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5140 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,8348230435481082083,18088015786158992587,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3576 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2132,8348230435481082083,18088015786158992587,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5364 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2132,8348230435481082083,18088015786158992587,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5416 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,8348230435481082083,18088015786158992587,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,8348230435481082083,18088015786158992587,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5612 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,8348230435481082083,18088015786158992587,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4212 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,8348230435481082083,18088015786158992587,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2296 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,8348230435481082083,18088015786158992587,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2596 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,8348230435481082083,18088015786158992587,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5644 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,8348230435481082083,18088015786158992587,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4184 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,8348230435481082083,18088015786158992587,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3760 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,8348230435481082083,18088015786158992587,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6056 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,8348230435481082083,18088015786158992587,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4836 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,8348230435481082083,18088015786158992587,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,8348230435481082083,18088015786158992587,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5960 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,8348230435481082083,18088015786158992587,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,8348230435481082083,18088015786158992587,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3596 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.112:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 112.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.112:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| NL | 23.62.61.187:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 187.61.62.23.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | th.bing.com | udp |
| US | 8.8.8.8:53 | r.bing.com | udp |
| NL | 23.62.61.161:443 | r.bing.com | tcp |
| NL | 23.62.61.184:443 | r.bing.com | tcp |
| NL | 23.62.61.184:443 | r.bing.com | tcp |
| NL | 23.62.61.161:443 | r.bing.com | tcp |
| US | 8.8.8.8:53 | 161.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 184.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mashable.com | udp |
| US | 8.8.8.8:53 | login.microsoftonline.com | udp |
| NL | 20.190.160.20:443 | login.microsoftonline.com | tcp |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | services.bingapis.com | udp |
| US | 8.8.8.8:53 | bonzibuddy.org | udp |
| US | 198.187.29.31:443 | bonzibuddy.org | tcp |
| US | 198.187.29.31:443 | bonzibuddy.org | tcp |
| US | 13.107.5.80:443 | services.bingapis.com | tcp |
| US | 8.8.8.8:53 | 31.29.187.198.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.5.107.13.in-addr.arpa | udp |
| US | 198.187.29.31:80 | bonzibuddy.org | tcp |
| US | 198.187.29.31:80 | bonzibuddy.org | tcp |
| US | 8.8.8.8:53 | 89.33.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.99:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 99.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | r.bing.com | udp |
| NL | 23.62.61.179:443 | r.bing.com | tcp |
| NL | 23.62.61.179:443 | r.bing.com | tcp |
| NL | 23.62.61.56:443 | r.bing.com | tcp |
| NL | 23.62.61.56:443 | r.bing.com | tcp |
| US | 8.8.8.8:53 | 179.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.56:443 | r.bing.com | tcp |
| NL | 23.62.61.56:443 | r.bing.com | tcp |
| NL | 23.62.61.56:443 | r.bing.com | tcp |
| NL | 23.62.61.56:443 | r.bing.com | tcp |
| NL | 23.62.61.56:443 | r.bing.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | avatars.githubusercontent.com | udp |
| US | 8.8.8.8:53 | github.githubassets.com | udp |
| US | 185.199.111.154:443 | github.githubassets.com | tcp |
| US | 185.199.111.154:443 | github.githubassets.com | tcp |
| US | 185.199.111.154:443 | github.githubassets.com | tcp |
| US | 185.199.111.154:443 | github.githubassets.com | tcp |
| US | 185.199.111.154:443 | github.githubassets.com | tcp |
| US | 185.199.111.154:443 | github.githubassets.com | tcp |
| US | 185.199.110.133:443 | avatars.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | github-cloud.s3.amazonaws.com | udp |
| US | 8.8.8.8:53 | user-images.githubusercontent.com | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 185.199.110.133:443 | user-images.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | user-images.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | user-images.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 154.111.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | collector.github.com | udp |
| US | 185.199.111.154:443 | github.githubassets.com | tcp |
| US | 8.8.8.8:53 | api.github.com | udp |
| US | 140.82.112.22:443 | collector.github.com | tcp |
| US | 140.82.112.22:443 | collector.github.com | tcp |
| GB | 20.26.156.210:443 | api.github.com | tcp |
| US | 8.8.8.8:53 | 210.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.112.82.140.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.72.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | camo.githubusercontent.com | udp |
| US | 8.8.8.8:53 | massgrave.dev | udp |
| US | 104.21.22.3:443 | massgrave.dev | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 3.22.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | updatecheck.massgrave.dev | udp |
| US | 8.8.8.8:53 | l.root-servers.net | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | purchase.mp.microsoft.com | udp |
| NL | 23.62.61.195:443 | purchase.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | 67.32.209.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.github.com | udp |
| GB | 20.26.156.210:443 | api.github.com | tcp |
| US | 198.187.29.31:80 | bonzibuddy.org | tcp |
| US | 198.187.29.31:80 | bonzibuddy.org | tcp |
| US | 198.187.29.31:443 | bonzibuddy.org | tcp |
| US | 8.8.8.8:53 | bonzibuddy.tk | udp |
| US | 172.67.138.185:80 | bonzibuddy.tk | tcp |
| US | 172.67.138.185:80 | bonzibuddy.tk | tcp |
| US | 172.67.138.185:80 | bonzibuddy.tk | tcp |
| US | 172.67.138.185:80 | bonzibuddy.tk | tcp |
| US | 8.8.8.8:53 | code.jquery.com | udp |
| US | 8.8.8.8:53 | www.twitter.com | udp |
| US | 8.8.8.8:53 | www.reddit.com | udp |
| US | 8.8.8.8:53 | 185.138.67.172.in-addr.arpa | udp |
| US | 151.101.66.137:443 | code.jquery.com | tcp |
| US | 8.8.8.8:53 | 74.204.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.201.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 137.66.101.151.in-addr.arpa | udp |
| NL | 23.62.61.171:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | www.bonzi.com | udp |
| US | 52.9.16.169:80 | www.bonzi.com | tcp |
| US | 8.8.8.8:53 | secure.bonzi.com | udp |
| US | 8.8.8.8:53 | 169.16.9.52.in-addr.arpa | udp |
| US | 52.9.16.169:80 | www.bonzi.com | tcp |
| US | 8.8.8.8:53 | secure.bonzi.com | udp |
| US | 8.8.8.8:53 | www.bonzi.com | udp |
| US | 54.153.99.140:80 | www.bonzi.com | tcp |
| US | 8.8.8.8:53 | secure.bonzi.com | udp |
| US | 54.153.99.140:80 | www.bonzi.com | tcp |
| US | 8.8.8.8:53 | 140.99.153.54.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| NL | 23.62.61.90:443 | www.bing.com | tcp |
| NL | 23.62.61.90:443 | www.bing.com | tcp |
| NL | 23.62.61.90:443 | www.bing.com | udp |
| US | 8.8.8.8:53 | th.bing.com | udp |
| US | 8.8.8.8:53 | r.bing.com | udp |
| NL | 23.62.61.129:443 | r.bing.com | tcp |
| NL | 23.62.61.129:443 | r.bing.com | tcp |
| NL | 23.62.61.97:443 | r.bing.com | tcp |
| NL | 23.62.61.97:443 | r.bing.com | tcp |
| US | 8.8.8.8:53 | 90.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 129.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | r.bing.com | udp |
| US | 8.8.8.8:53 | doxbin.com | udp |
| NL | 190.115.31.91:443 | doxbin.com | tcp |
| NL | 190.115.31.91:443 | doxbin.com | tcp |
| US | 8.8.8.8:53 | check.ddos-guard.net | udp |
| RU | 185.129.100.100:443 | check.ddos-guard.net | tcp |
| US | 8.8.8.8:53 | 91.31.115.190.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.100.129.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | netdna.bootstrapcdn.com | udp |
| US | 8.8.8.8:53 | maxcdn.bootstrapcdn.com | udp |
| US | 104.18.11.207:443 | maxcdn.bootstrapcdn.com | tcp |
| US | 104.18.11.207:443 | maxcdn.bootstrapcdn.com | tcp |
| US | 8.8.8.8:53 | 207.11.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cdn.doxbin.com | udp |
| BZ | 186.2.163.191:443 | cdn.doxbin.com | tcp |
| US | 8.8.8.8:53 | cdn.doxbin.net | udp |
| BZ | 186.2.163.176:443 | cdn.doxbin.net | tcp |
| US | 8.8.8.8:53 | 191.163.2.186.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.154.64.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 176.163.2.186.in-addr.arpa | udp |
| US | 104.18.11.207:443 | maxcdn.bootstrapcdn.com | udp |
| US | 104.18.11.207:443 | maxcdn.bootstrapcdn.com | udp |
| US | 8.8.8.8:53 | js.hcaptcha.com | udp |
| US | 104.19.229.21:443 | js.hcaptcha.com | tcp |
| US | 104.18.11.207:443 | maxcdn.bootstrapcdn.com | udp |
| US | 8.8.8.8:53 | newassets.hcaptcha.com | udp |
| US | 104.19.229.21:443 | newassets.hcaptcha.com | udp |
| US | 8.8.8.8:53 | api.hcaptcha.com | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| NL | 23.62.61.129:443 | r.bing.com | udp |
| NL | 23.62.61.97:443 | r.bing.com | udp |
| US | 8.8.8.8:53 | tse2.mm.bing.net | udp |
| US | 172.64.154.167:443 | www2.bing.com | udp |
| US | 8.8.8.8:53 | www.xvideos.com | udp |
| NL | 185.88.181.2:443 | www.xvideos.com | tcp |
| NL | 185.88.181.2:443 | www.xvideos.com | tcp |
| US | 8.8.8.8:53 | static-ss.xvideos-cdn.com | udp |
| NL | 69.55.53.172:443 | static-ss.xvideos-cdn.com | tcp |
| NL | 69.55.53.172:443 | static-ss.xvideos-cdn.com | tcp |
| US | 8.8.8.8:53 | 2.181.88.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.53.55.69.in-addr.arpa | udp |
| NL | 69.55.53.172:443 | static-ss.xvideos-cdn.com | tcp |
| US | 8.8.8.8:53 | cdn77-pic.xvideos-cdn.com | udp |
| US | 8.8.8.8:53 | gcore-pic.xvideos-cdn.com | udp |
| GB | 84.17.50.12:443 | cdn77-pic.xvideos-cdn.com | tcp |
| GB | 84.17.50.12:443 | cdn77-pic.xvideos-cdn.com | tcp |
| GB | 84.17.50.12:443 | cdn77-pic.xvideos-cdn.com | tcp |
| GB | 84.17.50.12:443 | cdn77-pic.xvideos-cdn.com | tcp |
| GB | 84.17.50.12:443 | cdn77-pic.xvideos-cdn.com | tcp |
| GB | 84.17.50.12:443 | cdn77-pic.xvideos-cdn.com | tcp |
| NL | 93.123.17.254:443 | gcore-pic.xvideos-cdn.com | tcp |
| NL | 93.123.17.254:443 | gcore-pic.xvideos-cdn.com | tcp |
| NL | 93.123.17.254:443 | gcore-pic.xvideos-cdn.com | tcp |
| NL | 93.123.17.254:443 | gcore-pic.xvideos-cdn.com | tcp |
| NL | 93.123.17.254:443 | gcore-pic.xvideos-cdn.com | tcp |
| US | 8.8.8.8:53 | a.orbsrv.com | udp |
| GB | 195.181.164.16:443 | a.orbsrv.com | tcp |
| NL | 185.88.181.2:443 | www.xvideos.com | tcp |
| US | 8.8.8.8:53 | 12.50.17.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.164.181.195.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.17.123.93.in-addr.arpa | udp |
| GB | 84.17.50.12:443 | cdn77-pic.xvideos-cdn.com | tcp |
| US | 8.8.8.8:53 | s.orbsrv.com | udp |
| NL | 95.211.229.248:443 | s.orbsrv.com | tcp |
| NL | 95.211.229.248:443 | s.orbsrv.com | tcp |
| NL | 95.211.229.248:443 | s.orbsrv.com | tcp |
| NL | 95.211.229.248:443 | s.orbsrv.com | tcp |
| US | 8.8.8.8:53 | s3t3d2y8.afcdn.net | udp |
| GB | 89.187.167.8:443 | s3t3d2y8.afcdn.net | tcp |
| GB | 89.187.167.8:443 | s3t3d2y8.afcdn.net | tcp |
| GB | 89.187.167.8:443 | s3t3d2y8.afcdn.net | tcp |
| GB | 89.187.167.8:443 | s3t3d2y8.afcdn.net | tcp |
| US | 8.8.8.8:53 | 248.229.211.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.167.187.89.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cdn77-vid.xvideos-cdn.com | udp |
| GB | 89.187.167.27:443 | cdn77-vid.xvideos-cdn.com | tcp |
| US | 8.8.8.8:53 | vast.livejasmin.com | udp |
| LU | 93.93.51.191:443 | vast.livejasmin.com | tcp |
| NL | 95.211.229.248:443 | s.orbsrv.com | tcp |
| NL | 95.211.229.248:443 | s.orbsrv.com | tcp |
| US | 8.8.8.8:53 | s.opoxv.com | udp |
| NL | 95.211.229.247:443 | s.opoxv.com | tcp |
| US | 8.8.8.8:53 | 195.212.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.167.187.89.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 191.51.93.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 247.229.211.95.in-addr.arpa | udp |
| NL | 95.211.229.248:443 | s.orbsrv.com | tcp |
| LU | 93.93.51.191:443 | vast.livejasmin.com | tcp |
| US | 8.8.8.8:53 | galleryn3.vcmdiawe.com | udp |
| LU | 93.93.51.190:443 | galleryn3.vcmdiawe.com | tcp |
| US | 8.8.8.8:53 | 190.51.93.93.in-addr.arpa | udp |
| NL | 185.88.181.2:443 | www.xvideos.com | tcp |
| US | 8.8.8.8:53 | aefd.nelreports.net | udp |
| NL | 104.110.191.150:443 | aefd.nelreports.net | tcp |
| NL | 104.110.191.150:443 | aefd.nelreports.net | udp |
| US | 8.8.8.8:53 | 150.191.110.104.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | f53207a5ca2ef5c7e976cbb3cb26d870 |
| SHA1 | 49a8cc44f53da77bb3dfb36fc7676ed54675db43 |
| SHA256 | 19ab4e3c9da6d9cedda7461efdba9a2085e743513ab89f1dd0fd5a8f9486ad23 |
| SHA512 | be734c7e8afda19f445912aef0d78f9941add29baebd4a812bff27f10a1d78b52aeb11c551468c8644443c86e1a2a6b2e4aead3d7f81d39925e3c20406ac1499 |
\??\pipe\LOCAL\crashpad_4752_GUMSVIEYDAUJUDOK
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | ae54e9db2e89f2c54da8cc0bfcbd26bd |
| SHA1 | a88af6c673609ecbc51a1a60dfbc8577830d2b5d |
| SHA256 | 5009d3c953de63cfd14a7d911156c514e179ff07d2b94382d9caac6040cb72af |
| SHA512 | e3b70e5eb7321b9deca6f6a17424a15b9fd5c4008bd3789bd01099fd13cb2f4a2f37fe4b920fb51c50517745b576c1f94df83efd1a7e75949551163985599998 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 24c0da56d49fc1a20a3fe6ad0211424e |
| SHA1 | ea69c8b5c49567179507992a9bdbece32bf0510a |
| SHA256 | c175f015bb5f8a27b1f5ac14d307f6d8bcee83b48184807951d307eca6bce491 |
| SHA512 | 074175732cd06a23818ce37e2819f7c273c615c0fdecf7d20f9383b3624b2f44091eeb4de000bb435227d4acd79400d10fed84708af049539c0c57b90d71355b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 0bd135be7bd4f10eaf15013df307934f |
| SHA1 | a03ba67a3352e79e47ddaaf23475b2a17ec4d4c0 |
| SHA256 | c20d69613bff26a0b4aaf25782b9a820fe5d7ca5fd2b716fd93033ef1bcf64dd |
| SHA512 | 1699beb8abba60beb1e3a33902f4284beee21ac784808076a6e49ed7e01d6fd6a18c73300bb7571cebd0df1d39dc85bce71b275f1c4ac6ce17a3542a4c768201 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | af48c5747c2acef5d36e169be3b07019 |
| SHA1 | 2d9383562353681b53b96f0e53d3785ae0b40d6a |
| SHA256 | 10453ec2e259f822ed829f1393a6e01b35e7a9b1369d34329b101286f2ab808a |
| SHA512 | b7ed45573320955c2509699b99f68df8504d11166263347934697cd8d1a3cce81810f111e6ca5acebd37f4a8ead8b07f65df2651b31a5ad199d906804360ef49 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 560cc6d280a667aff09b88de023d7329 |
| SHA1 | cc672a66aaf0abb1b0f78a0060e6e5e552f2e91c |
| SHA256 | 6e4433047d722a41b91e2f641adecc3c8df04dbed26e13076731f18a123ef4c2 |
| SHA512 | d8312dd030f6fb8b98c9444587e60cde41898ff1f8968f27cd4eda6cdc0f9aa466727fb92fc297e4bf33db2084a926f9fe4aecaa58a3ebbf8c9fd095dad183ec |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | a79075c05c4e620558240b510b30f3a2 |
| SHA1 | 0f05edf1a8df504d672bdb48cfed20f6ec3b204b |
| SHA256 | 4cd01cc681052787ab8cced0153f450ca2b7ae1202179eee72bb03c4850b51f5 |
| SHA512 | 9dabe36df27c8e75e5e27e00d2d577fe0333c1d470b72994823e5cbbefe79544effde35173f0aad0fc50f760232df3a8731b055025c461888f96b0eb39103453 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | d89b2859c644ef1a1e78814145ce093f |
| SHA1 | 1d263eabcb59d7dc1cf3733b461a6799b9592f1d |
| SHA256 | da8a17364d122c5fa1b62ef578d6fba528909a530232a1f507197fef4c0aa725 |
| SHA512 | e9d02bce53843ac4dd25f5054f4fa02a2cd3efef331ee24608762ac220e8f4531be1f2b6c10062c470f40da3232b58efac7cd72e240f1ec80cac5caa7609c006 |
memory/5944-315-0x0000020659110000-0x0000020659132000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uxgggguc.adr.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/5944-320-0x0000020672750000-0x0000020672794000-memory.dmp
memory/5944-321-0x0000020672820000-0x0000020672896000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 809914229795865b7250f1562cdeb823 |
| SHA1 | cd23d2d008fa32007e7b713dd13291e0c50f8ce0 |
| SHA256 | e753b05d0a1fb96415c6d7570b20188bd44071fc5f9ec4335e856e13ff196c98 |
| SHA512 | 5d5ea830c2483cbf4ce926fbc39a1afe6f141dbabae16c12a32128a61f23de435cd0142fcfa6182995bdc29ec520b31c36c4272ccafacd9b915f5a7f741312ea |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | d33ef4c8bcebbf0636799c41e068d0be |
| SHA1 | f60b2ea08401cadde82f2c8b9f45743e88c68531 |
| SHA256 | cea20c7c819bb69ca7ff273a95c1407cff9f74b3f92ed8a76aa113fbf1a2cf3f |
| SHA512 | cca2b6cc39c4e5cce06f28dcd6b372d2890343d5a01dd25177ec26e0dbb8ceef63dddac985f5042a7152d0a6e59b807c3a712c44badc43bd94653e350fabfd17 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003
| MD5 | aac57f6f587f163486628b8860aa3637 |
| SHA1 | b1b51e14672caae2361f0e2c54b72d1107cfce54 |
| SHA256 | 0cda72f2d9b6f196897f58d5de1fe1b43424ce55701eac625e591a0fd4ce7486 |
| SHA512 | 0622796aab85764434e30cbe78b4e80e129443744dd13bc376f7a124ed04863c86bb1dcd5222bb1814f6599accbd45c9ee2b983da6c461b68670ae59141a6c1a |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004
| MD5 | 2e86a72f4e82614cd4842950d2e0a716 |
| SHA1 | d7b4ee0c9af735d098bff474632fc2c0113e0b9c |
| SHA256 | c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f |
| SHA512 | 7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005
| MD5 | 395699fc7fc3283d3bade75dbffa446e |
| SHA1 | c9474c5a587fbd3a25c0992f1dfe7946e3b7abba |
| SHA256 | a184c8951b524d5a22d7bca69a0d775523e8c095d158f80ac4415d87d17acd1c |
| SHA512 | 70749ca5fc0cc5b9b85d13ecde89ffffbc1af7b36a650be842ff303b0ed0ef49e8d9f3edb91324d42462446b882b2558abff235f42e300226e491432196ba8fa |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002
| MD5 | d6b36c7d4b06f140f860ddc91a4c659c |
| SHA1 | ccf16571637b8d3e4c9423688c5bd06167bfb9e9 |
| SHA256 | 34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92 |
| SHA512 | 2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006
| MD5 | 56d57bc655526551f217536f19195495 |
| SHA1 | 28b430886d1220855a805d78dc5d6414aeee6995 |
| SHA256 | f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4 |
| SHA512 | 7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008
| MD5 | b38fbbd0b5c8e8b4452b33d6f85df7dc |
| SHA1 | 386ba241790252df01a6a028b3238de2f995a559 |
| SHA256 | b18b9eb934a5b3b81b16c66ec3ec8e8fecdb3d43550ce050eb2523aabc08b9cd |
| SHA512 | 546ca9fb302bf28e3a178e798dd6b80c91cba71d0467257b8ed42e4f845aa6ecb858f718aac1e0865b791d4ecf41f1239081847c75c6fb3e9afd242d3704ad16 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007
| MD5 | 2004fddf8dabaf3ab5709db7ffe1437a |
| SHA1 | 5320ba67472de1929e69494496e7f1281f5797eb |
| SHA256 | d32d2c2c4ab40edf9f4258f96e287cbc7bf590637f378dfb783c6dda39c3d401 |
| SHA512 | bcfb4a1d364c4025df386e69e65e20794286a2e5e5b644c2fdccbe52070ea579e06b67682387dcde4dc0cfce9ffa54ce19dc19c76d67ce2ab09ab223c506cf9c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009
| MD5 | 153d9573f0f824b040ac13793d95e406 |
| SHA1 | f8a73c205962012c4fa5b93ccbc77d7b1be3b5d8 |
| SHA256 | c70c12b65715e837682baf0eea8ff99a7531d9036b0b5a9d640def85df92d016 |
| SHA512 | 5e0f64f8d333be4fff5b869952fe18f3189d6af97bfce10aad8acae96153b790108351083f1b80c40d76cebdca35e5d7e0f3371c588a02c74e6ea0055a3d2b20 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\f9ff4037-8f05-4302-bdf8-37f5c931be48.tmp
| MD5 | 151d0bc38cdc1013234edb8747617a9f |
| SHA1 | 59aa6e9150e4584355aa971d02788dcbacbc29b5 |
| SHA256 | b5c896f9c75a91b2d11a747aefae3aca1be5d52fe6994519a5a03fdee2c9ef77 |
| SHA512 | 3e42f68ebe1d419a36c7c5361c269e1baf1b480b112a003817fbfe7a459994f73ba5c9b884a5bfff2a6bff6e751db28dc137da3e99b3df2f1acb02e068cf85ce |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | c45e6371977486a35dec5d022c0201cd |
| SHA1 | 9439e2b8e18bbf0b881231983725c43a75d69318 |
| SHA256 | ac7bfc6a9796d7d5f9c532c9758810f7ae0b2d6c5eb9339ab5c6013ed9206d49 |
| SHA512 | 23d30c495d38aff84955298e05aa88c1ce69d640327e00a9979bd414ffafb0b2bff73e9940ea4c7cbff3e33b6ed4c346a65b423b46cc9d1071395ae6d43e6c80 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5c5972.TMP
| MD5 | abbba93a79694a9c214dd0f1d32322a8 |
| SHA1 | 5769e06293688914be362420dcb64affcccdec4c |
| SHA256 | ab163ca29e29c3dd4b3f2d86c407855745c5c729ef50da9928ce41e1a8834988 |
| SHA512 | 7084b1d1d33edc57eca3cbef578745e3ff1269b730db1c3ef4827b856127930fac8683e872eb729c1d380cf67755557f8a86955077b750f6f97b17aeab44062c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 7c6650b526bc160d856035207eca474f |
| SHA1 | 30bf141f03cac4c88eb26c82bc4d4c4cca133b2a |
| SHA256 | 307c581203fb94b9e3006b1a9c93072720bfceafbb6a0aa5bf04db8d7859db41 |
| SHA512 | cd54d3b0c0ddd8d43c5c39724980f135fc136bf67e2a6a3871095b3a326dfd99e766ce9695588b70d1af6a4c6d54e16e46a59f76a91f7bd3af5c336f76ff8777 |
memory/5944-771-0x0000020672A70000-0x0000020672C32000-memory.dmp
C:\Windows\Temp\MAS_5835136.cmd
| MD5 | a0c3a93b5f499eba3664db16c17bc322 |
| SHA1 | 12b86b1c2afda75da2054782d8547de222f2dc73 |
| SHA256 | 478c59321d88c6f4a483b625fe1c8a2624fd9f2dce585a4b4ed6c75f171f4c9d |
| SHA512 | 453ce37e9f876193e6c3bfac15fcc26f2dbd475ec2ef94f248f18eaf9249f58cdc8cbabb6226ae429063010f1ebe46ab39e8d9a8f1deba9bac65bdc777f0efcc |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 1a11402783a8686e08f8fa987dd07bca |
| SHA1 | 580df3865059f4e2d8be10644590317336d146ce |
| SHA256 | 9b1d1b468932a2d88548dc18504ac3066f8248079ecb083e919460bdb88398c0 |
| SHA512 | 5f7f9f76d9d12a25fdc5b8d193391fb42c37515c657250fe01a9bfd9fe4cc4eab9d5ec254b2596ac1b9005f12511905f19fdae41f057062261d75bd83254b510 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 503ec097474971fc074a2b75ce6dd6a9 |
| SHA1 | 18cf2a8818f35d6ab8ce7f73695a6eaf7dbe8ed0 |
| SHA256 | aff599a1799455e80cfd4af75a13f6be566fb0c621e60829cb34da4be0b67e6a |
| SHA512 | bc6e6d4ea73f1fb2a276ca8eddda279be2b8bd36706f0be255dcfc29c92f16dabddaf44720c6563b0e9f30a347adca3c86fbdcf0b18283453679aaab88dc8676 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 8857491a4a65a9a1d560c4705786a312 |
| SHA1 | 4f3caf2ad5d66a2410c9cca0381d26a46e832cb4 |
| SHA256 | b6e1a16a11075cb4e0bae0cebdb6ac15f5d66e0005f557703708a04cd11bd360 |
| SHA512 | d9497c47898cdc4c4fc62158830dc931990e08bb4a28a5d19d4187a87a2afab8a4bd58ca346563210b476c9adb9a714bfe1057e0ebce85d1fd94731be6d02660 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 4edc5d8588de3394e8a8d79ae5b943dc |
| SHA1 | f79737afd4a1e21580ec1a165334b416911345ad |
| SHA256 | a81d7b3bd76b4a17da3876d10b186920939834c8c877ad13ce475a8f07bd56d6 |
| SHA512 | b294a1b8eb74f6a33fee7371429755662c4620b051cf909b056e72f8c0088dc0d0c7651aa8fc4af1bd78559551a3984ca4a6ab816b8ab956b290c192df557d15 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
| MD5 | a26df49623eff12a70a93f649776dab7 |
| SHA1 | efb53bd0df3ac34bd119adf8788127ad57e53803 |
| SHA256 | 4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245 |
| SHA512 | e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c |
C:\Users\Admin\AppData\Local\Temp\8C40B9E2-12CC-4BB9-ADF8-04FEA9F5F756\DismHost.exe
| MD5 | e5d5e9c1f65b8ec7aa5b7f1b1acdd731 |
| SHA1 | dbb14dcda6502ab1d23a7c77d405dafbcbeb439e |
| SHA256 | e30508e2088bc16b2a84233ced64995f738deaef2366ac6c86b35c93bbcd9d80 |
| SHA512 | 7cf80d4a16c5dbbf61fcb22ebe30cf78ca42a030b7d7b4ad017f28fba2c9b111e8cf5b3064621453a44869bbaed124d6fb1e8d2c8fe8202f1e47579d874fa4bc |
C:\Users\Admin\AppData\Local\Temp\8C40B9E2-12CC-4BB9-ADF8-04FEA9F5F756\DismCorePS.dll
| MD5 | a033f16836d6f8acbe3b27b614b51453 |
| SHA1 | 716297072897aea3ec985640793d2cdcbf996cf9 |
| SHA256 | e3b3a4c9c6403cb8b0aa12d34915b67e4eaa5bb911e102cf77033aa315d66a1e |
| SHA512 | ad5b641d93ad35b3c7a3b56cdf576750d1ad4c63e2a16006739888f0702280cad57dd0a6553ef426111c04ceafd6d1e87f6e7486a171fff77f243311aee83871 |
C:\Users\Admin\AppData\Local\Temp\8C40B9E2-12CC-4BB9-ADF8-04FEA9F5F756\dismprov.dll
| MD5 | 490be3119ea17fa29329e77b7e416e80 |
| SHA1 | c71191c3415c98b7d9c9bbcf1005ce6a813221da |
| SHA256 | ef1e263e1bcc05d9538cb9469dd7dba5093956aa325479c3d2607168cc1c000a |
| SHA512 | 6339b030008b7d009d36abf0f9595da9b793264ebdce156d4a330d095a5d7602ba074075ea05fef3dde474fc1d8e778480429de308c121df0bf3075177f26f13 |
C:\Users\Admin\AppData\Local\Temp\8C40B9E2-12CC-4BB9-ADF8-04FEA9F5F756\OSProvider.dll
| MD5 | db4c3a07a1d3a45af53a4cf44ed550ad |
| SHA1 | 5dea737faadf0422c94f8f50e9588033d53d13b3 |
| SHA256 | 2165d567aa47264abe2a866bb1bcb01a1455a75a6ea530b1b9a4dda54d08f758 |
| SHA512 | 5182b80459447f3c1fb63b70ad0370e1da26828a7f73083bec0af875b37888dd12ec5a6d9dc84157fc5b535f473ad7019eb6a53b9a47a2e64e6a8b7fae4cddde |
C:\Users\Admin\AppData\Local\Temp\8C40B9E2-12CC-4BB9-ADF8-04FEA9F5F756\LogProvider.dll
| MD5 | 815a4e7a7342224a239232f2c788d7c0 |
| SHA1 | 430b7526d864cfbd727b75738197230d148de21a |
| SHA256 | a9c8787c79a952779eca82e7389cf5bbde7556e4491b8bfcfd6617740ac7d8a2 |
| SHA512 | 0c19d1e388ed0855a660135dec7a5e6b72ecbb7eb67ff94000f2399bd07df431be538055a61cfb2937319a0ce060898bb9b6996765117b5acda8fc0bad47a349 |
C:\Windows\Logs\DISM\dism.log
| MD5 | 9fdf0ab4631de53b620acc1bdac33d49 |
| SHA1 | 864b7a2d4db5d269794300ef016b0914eef12ea6 |
| SHA256 | 2f9fa6518f70c947cb9731ef12f18564d5e5aad370e2f58041e79ccbc76c8359 |
| SHA512 | 5f67cb183f31ba047c50d53194d35201cd7984d8512e04e3aea1007b7dc202038d71b8bafb68d9678ae2e15768e67d3e040b431258a03b71b9e9056d876251ee |
C:\Users\Admin\AppData\Local\Temp\8C40B9E2-12CC-4BB9-ADF8-04FEA9F5F756\CbsProvider.dll
| MD5 | 6ad0376a375e747e66f29fb7877da7d0 |
| SHA1 | a0de5966453ff2c899f00f165bbff50214b5ea39 |
| SHA256 | 4c9a4ab6596626482dd2190034fcb3fafebe88a961423962ad577e873ef5008f |
| SHA512 | 8a97b2cc96ec975188e53e428d0fc2c562f4c3493d3c354e316c7f89a0bd25c84246807c9977f0afdda3291b8c23d518a36fd967d8f9d4d2ce7b0af11b96eb18 |
C:\Users\Admin\AppData\Local\Temp\8C40B9E2-12CC-4BB9-ADF8-04FEA9F5F756\DmiProvider.dll
| MD5 | ea8488990b95ce4ef6b4e210e0d963b2 |
| SHA1 | cd8bf723aa9690b8ca9a0215321e8148626a27d1 |
| SHA256 | 04f851b9d5e58ed002ad768bdcc475f22905fb1dab8341e9b3128df6eaa25b98 |
| SHA512 | 56562131cbe5f0ea5a2508f5bfed88f21413526f1539fe4864ece5b0e03a18513f3db33c07e7abd7b8aaffc34a7587952b96bb9990d9f4efa886f613d95a5b1b |
C:\Users\Admin\AppData\Local\Temp\8C40B9E2-12CC-4BB9-ADF8-04FEA9F5F756\GenericProvider.dll
| MD5 | ef7e2760c0a24453fc78359aea3d7869 |
| SHA1 | 0ea67f1fd29df2615da43e023e86046e8e46e2e1 |
| SHA256 | d39f38402a9309ddd1cba67be470ede348f2bc1bab2f8d565e8f15510761087a |
| SHA512 | be785ba6b564cc4e755b4044ae27f916c009b7d942fcd092aed2ae630b1704e8a2f8b4692648eed481a5eb5355fd2e1ef7f94f6fb519b7e1ff6fc3c5f1aaa06f |
C:\Users\Admin\AppData\Local\Temp\8C40B9E2-12CC-4BB9-ADF8-04FEA9F5F756\en-US\FolderProvider.dll.mui
| MD5 | 22b4a3a1ec3b6d7aa3bc61d0812dc85f |
| SHA1 | 97ae3504a29eb555632d124022d8406fc5b6f662 |
| SHA256 | c81a992ecebd9260ff34e41383aaca1c64a9fa4706a4744ac814f0f5daa1e105 |
| SHA512 | 9329b60a60c45b2486000ed0aff8d260fdac3d0a8789823eaa015eab1a6d577012f9d12502f81bad9902e41545c3c3e77f434bc1a753b4f8430d01db2cdbe26c |
C:\Users\Admin\AppData\Local\Temp\8C40B9E2-12CC-4BB9-ADF8-04FEA9F5F756\FolderProvider.dll
| MD5 | 4f3250ecb7a170a5eb18295aa768702d |
| SHA1 | 70eb14976ddab023f85bc778621ade1d4b5f4d9d |
| SHA256 | a235317ab7ed89e6530844a78b933d50f6f48ea5df481de158eb99dd8c4ba461 |
| SHA512 | e9ce6cced5029d931d82e78e7e609a892bfe239096b55062b78e8ff38cce34ce6dd4e91efb41c4cd6ecf6017d098e4c9b13d6cb4408d761051468ee7f74bc569 |
C:\Users\Admin\AppData\Local\Temp\8C40B9E2-12CC-4BB9-ADF8-04FEA9F5F756\en-US\FfuProvider.dll.mui
| MD5 | dc826a9cb121e2142b670d0b10022e22 |
| SHA1 | b2fe459ede8ba99602ae6ea5fa24f0133cca2bc9 |
| SHA256 | ba6695148f96a5d45224324006ae29becfd2a6aa1de947e27371a4eb84e7451a |
| SHA512 | 038e9abff445848c882a71836574df0394e73690bc72642c2aa949c1ad820c5cbb4dedc4ee7b5b75fd5ac8a43813d416f23d28973de7a7f0e5c3f7112da6fe1b |
C:\Users\Admin\AppData\Local\Temp\8C40B9E2-12CC-4BB9-ADF8-04FEA9F5F756\FfuProvider.dll
| MD5 | df785c5e4aacaee3bd16642d91492815 |
| SHA1 | 286330d2ab07512e1f636b90613afcd6529ada1e |
| SHA256 | 56cc8d139be12e969fff3bbf47b1f5c62c3db887e3fb97c79cf7d285076f9271 |
| SHA512 | 3566de60fe76b63940cff3579da94f404c0bc713f2476ba00b9de12dc47973c7c22d5eed1fd667d20cea29b3c3c4fa648e5f44667e8369c192a4b69046e6f745 |
C:\Users\Admin\AppData\Local\Temp\8C40B9E2-12CC-4BB9-ADF8-04FEA9F5F756\en-US\DmiProvider.dll.mui
| MD5 | b7252234aa43b7295bb62336adc1b85c |
| SHA1 | b2c42a5af79530e7cf9bcf54fd76ae9d5f234d7f |
| SHA256 | 73709c25dc5300a435e53df97fc01a7dc184b56796cae48ee728d54d26076d6c |
| SHA512 | 88241009b342eb1205b10f7725a7cb1ec2c7135606459d038c4b8847efd9d5e0ad4749621f8df93746dd3ba8ab92d1b0f513ed10e2ba712a7991716f4c062358 |
C:\Users\Admin\AppData\Local\Temp\8C40B9E2-12CC-4BB9-ADF8-04FEA9F5F756\en-US\dismprov.dll.mui
| MD5 | 7d06108999cc83eb3a23eadcebb547a5 |
| SHA1 | 200866d87a490d17f6f8b17b26225afeb6d39446 |
| SHA256 | cf8cc85cdd12cf4a02df5274f8d0cdc625c6409fe80866b3052b7d5a862ac311 |
| SHA512 | 9f024aa89392fbbbabe62a58857e5ad5250e05f23d7f78fc9a09f535463446796dd6e37aab5e38dfc0bf5b15533844f63b3bddcb5cb9335901e099f65f9d8002 |
C:\Windows\Logs\DISM\dism.log
| MD5 | 595dabafa84bf1a93d260b3a78b57d91 |
| SHA1 | 4e3e91e82e67c033c69777d58ae8a61af940d518 |
| SHA256 | 6e6137ede5b4812bf69dd5bc1ac4324c232cedca356b2ff9b6b5f4b8ce2e717f |
| SHA512 | c5bc406fa8f81aeb16c2be3cd457ef896c07fe27adbb6d4d87266bd5e253ccd51c146aa906df2c33569d4ad9d20af89d7e5b58f8b54403ac882d0a55ad739619 |
C:\Users\Admin\AppData\Local\Temp\8C40B9E2-12CC-4BB9-ADF8-04FEA9F5F756\en-US\DismCore.dll.mui
| MD5 | 7a15f6e845f0679de593c5896fe171f9 |
| SHA1 | 0c923dfaffb56b56cba0c28a4eacb66b1b91a1f4 |
| SHA256 | f91e3c35b472f95d7b1ae3dc83f9d6bfde33515aa29e8b310f55d9fe66466419 |
| SHA512 | 5a0373f1fb076a0059cac8f30fe415e06ed880795f84283911bec75de0977baf52432b740b429496999cedf5cca45efd6ef010700e2d9a1887438056c8c573ca |
C:\Users\Admin\AppData\Local\Temp\8C40B9E2-12CC-4BB9-ADF8-04FEA9F5F756\DismCore.dll
| MD5 | b1f793773dc727b4af1648d6d61f5602 |
| SHA1 | be7ed4e121c39989f2fb343558171ef8b5f7af68 |
| SHA256 | af7f342adf5b533ea6978b68064f39bfb1e4ad3b572ae1b7f2287f5533334d4e |
| SHA512 | 66a92bff5869a56a7931d7ed9881d79c22ba741c55fb42c11364f037e1ec99902db2679b67a7e60cbf760740d5b47dcf1a6dcfae5ad6711a0bd7f086cc054eed |
C:\Users\Admin\AppData\Local\Temp\8C40B9E2-12CC-4BB9-ADF8-04FEA9F5F756\en-US\CbsProvider.dll.mui
| MD5 | 6c51a3187d2464c48cc8550b141e25c5 |
| SHA1 | a42e5ae0a3090b5ab4376058e506b111405d5508 |
| SHA256 | d7a0253d6586e7bbfb0acb6facd9a326b32ba1642b458f5b5ed27feccb4fc199 |
| SHA512 | 87a9e997d55bc6dbd05af1291fb78cd02266641d018ccfeb6826cb0de205aaf8a57b49e587462dbb6df2b86b54f91c0c5d3f87e64d7dbb2aea75ef143c5447ba |
C:\Users\Admin\AppData\Local\Temp\8C40B9E2-12CC-4BB9-ADF8-04FEA9F5F756\en-US\AssocProvider.dll.mui
| MD5 | 8833761572f0964bdc1bea6e1667f458 |
| SHA1 | 166260a12c3399a9aa298932862569756b4ecc45 |
| SHA256 | b18c6ce1558c9ef6942a3bce246a46557c2a7d12aec6c4a07e4fa84dd5c422f5 |
| SHA512 | 2a907354ec9a1920b9d1d2aeb9ff7c7314854b36a27f7d88aca17825e74a87413dbe7d1c3fde6a2410b5934f8c80a76f8bb6b7f12e7cfc643ce6622ca516d9b8 |
C:\Users\Admin\AppData\Local\Temp\8C40B9E2-12CC-4BB9-ADF8-04FEA9F5F756\AssocProvider.dll
| MD5 | 94dc379aa020d365ea5a32c4fab7f6a3 |
| SHA1 | 7270573fd7df3f3c996a772f85915e5982ad30a1 |
| SHA256 | dc6a5930c2b9a11204d2e22a3e8d14c28e5bdac548548e256ba7ffa79bd8c907 |
| SHA512 | 998fd10a1f43024a2398491e3764748c0b990b37d8b3c820d281296f8da8f1a2f97073f4fd83543994a6e326fa7e299cb5f59e609358cd77af996175782eeaca |
C:\Users\Admin\AppData\Local\Temp\8C40B9E2-12CC-4BB9-ADF8-04FEA9F5F756\en-US\AppxProvider.dll.mui
| MD5 | bd0dd9c5a602cb0ad7eabc16b3c1abfc |
| SHA1 | cede6e6a55d972c22da4bc9e0389759690e6b37f |
| SHA256 | 8af0073f8a023f55866e48bf3b902dfa7f41c51b0e8b0fe06f8c496d41f9a7b3 |
| SHA512 | 86351dc31118fc5a12fad6f549aa60c45ebe92b3ce5b90376e41f60d6d168a8a9f6c35320fc2cdcc750e67a5751651657fe64cf42690943500afd0d1dae2cd0c |
C:\Users\Admin\AppData\Local\Temp\8C40B9E2-12CC-4BB9-ADF8-04FEA9F5F756\AppxProvider.dll
| MD5 | a7927846f2bd5e6ab6159fbe762990b1 |
| SHA1 | 8e3b40c0783cc88765bbc02ccc781960e4592f3f |
| SHA256 | 913f97dd219eeb7d5f7534361037fe1ecc3a637eb48d67b1c8afa8b5f951ba2f |
| SHA512 | 1eafece2f6aa881193e6374b81d7a7c8555346756ed53b11ca1678f1f3ffb70ae3dea0a30c5a0aab8be45db9c31d78f30f026bb22a7519a0930483d50507243f |
C:\ProgramData\Microsoft\Windows\ClipSVC\GenuineTicket\GenuineTicket
| MD5 | 67a8abe602fd21c5683962fa75f8c9fd |
| SHA1 | e296942da1d2b56452e05ae7f753cd176d488ea8 |
| SHA256 | 1d19fed36f7d678ae2b2254a5eef240e6b6b9630e5696d0f9efb8b744c60e411 |
| SHA512 | 70b0b27a2b89f5f771467ac24e92b6cc927f3fdc10d8cb381528b2e08f2a5a3e8c25183f20233b44b71b54ce910349c279013c6a404a1a95b3cc6b8922ab9fc6 |
memory/2940-1233-0x0000020FD8BA0000-0x0000020FD8BB0000-memory.dmp
memory/2940-1232-0x0000020FD8BA0000-0x0000020FD8BB0000-memory.dmp
memory/5172-1235-0x0000026D41350000-0x0000026D41360000-memory.dmp
memory/5172-1234-0x0000026D41350000-0x0000026D41360000-memory.dmp
memory/5172-1238-0x0000026D41350000-0x0000026D41360000-memory.dmp
memory/2940-1239-0x0000020FD8BA0000-0x0000020FD8BB0000-memory.dmp
memory/2608-1247-0x0000023735610000-0x0000023735620000-memory.dmp
memory/2608-1246-0x0000023735610000-0x0000023735620000-memory.dmp
memory/3380-1249-0x0000017BE8A50000-0x0000017BE8A60000-memory.dmp
memory/3380-1248-0x0000017BE8A50000-0x0000017BE8A60000-memory.dmp
memory/3380-1252-0x0000017BE8A50000-0x0000017BE8A60000-memory.dmp
memory/2608-1253-0x0000023735610000-0x0000023735620000-memory.dmp
C:\Users\Admin\Downloads\7d706970-e576-4c81-8a30-2360be557b06.tmp
| MD5 | 65259c11e1ff8d040f9ec58524a47f02 |
| SHA1 | 2d5a24f7cadd10140dd6d3dd0dc6d0f02c2d40fd |
| SHA256 | 755bd7f1fc6e93c3a69a1125dd74735895bdbac9b7cabad0506195a066bdde42 |
| SHA512 | 37096eeb1ab0e11466c084a9ce78057e250f856b919cb9ef3920dad29b2bb2292daabbee15c64dc7bc2a48dd930a52a2fb9294943da2c1c3692863cec2bae03d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 22f5cc73e96356e7ce3d9c653a9ab56e |
| SHA1 | 1ebe3ad370d17e5e8ef92d8e24402a33faf4cd6c |
| SHA256 | 744c7dc099d570ee51208adbc9af33425a64519f39b9849713f10170fa538b00 |
| SHA512 | 1b9e0ffca666914926b88f6038251f32b57abb24dfee0c277ebc6c1582f2ce81ddebeff14a15dcaaf9436dd083c9f75c721b3589bce0b768ebf08a10a95f367b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 07a650954d0a2c5af5ee3267e8e92b8f |
| SHA1 | 2b74da4f151ba3d1649ea03fdb63d0162352b9db |
| SHA256 | 4e6a65c77aabd433e54a5f78a8706a8598574ccce43ec0eaf17e0b03dfff5a8a |
| SHA512 | 112a2dfe6cd031e8ff015346c3398c0b77036b75daf67a0fe75e5ab2d5efea21679dee47e4c066bd65ec296d5833ae1ba35352b37011c622705d2449d65fe486 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 5ff64dd328553e196854c8e0f06eba7f |
| SHA1 | 41cf5ee328dd7c629738bf9bbf61acf7140b197c |
| SHA256 | e9bea4c655305c240f07488c7a47b16b844cd8178fba505e10bf13603f1336e9 |
| SHA512 | 3f15f38a51116e3416bd179d0e99d55748f7d4f10ace9967d24f63e546e9a67cbbc6ef27de405831e6c14c9cbda6ed8a95f30038924fe4ecde05b92d4546c05d |
C:\Users\Admin\AppData\Local\Temp\$inst\0001.tmp
| MD5 | 8e15b605349e149d4385675afff04ebf |
| SHA1 | f346a886dd4cb0fbbd2dff1a43d9dfde7fce348b |
| SHA256 | 803f930cdd94198bdd2e9a51aa962cc864748067373f11b2e9215404bd662cee |
| SHA512 | 8bf957ef72465fe103dbf83411df9082433eead022f0beccab59c9e406bbd1e4edb701fd0bc91f195312943ad1890fee34b4e734578298bb60bb81ed6fa9a46d |
C:\Users\Admin\AppData\Local\Temp\$inst\0002.tmp
| MD5 | 596cb5d019dec2c57cda897287895614 |
| SHA1 | 6b12ea8427fdbee9a510160ff77d5e9d6fa99dfa |
| SHA256 | e1c89d9348aea185b0b0e80263c9e0bf14aa462294a5d13009363140a88df3ff |
| SHA512 | 8f5fc432fd2fc75e2f84d4c7d21c23dd1f78475214c761418cf13b0e043ba1e0fc28df52afd9149332a2134fe5d54abc7e8676916100e10f374ef6cdecff7a20 |
C:\Users\Admin\AppData\Local\Temp\$inst\0003.tmp
| MD5 | 7c8328586cdff4481b7f3d14659150ae |
| SHA1 | b55ffa83c7d4323a08ea5fabf5e1c93666fead5c |
| SHA256 | 5eec15c6ed08995e4aaffa9beeeaf3d1d3a3d19f7f4890a63ddc5845930016cc |
| SHA512 | aa4220217d3af263352f8b7d34bd8f27d3e2c219c673889bc759a019e3e77a313b0713fd7b88700d57913e2564d097e15ffc47e5cf8f4899ba0de75d215f661d |
C:\Users\Admin\AppData\Local\Temp\$inst\0004.tmp
| MD5 | 4f398982d0c53a7b4d12ae83d5955cce |
| SHA1 | 09dc6b6b6290a3352bd39f16f2df3b03fb8a85dc |
| SHA256 | fee4d861c7302f378e7ce58f4e2ead1f2143168b7ca50205952e032c451d68f2 |
| SHA512 | 73d9f7c22cf2502654e9cd6cd5d749e85ea41ce49fd022378df1e9d07e36ae2dde81f0b9fc25210a9860032ecda64320ec0aaf431bcd6cefba286328efcfb913 |
C:\Windows\msagent\chars\Bonzi.acs
| MD5 | 1fd2907e2c74c9a908e2af5f948006b5 |
| SHA1 | a390e9133bfd0d55ffda07d4714af538b6d50d3d |
| SHA256 | f3d4425238b5f68b4d41ed5be271d2f4118a245baf808a62dc1a9e6e619b2f95 |
| SHA512 | 8eede3e5e52209b8703706a3e3e63230ba01975348dcdc94ef87f91d7c833a505b177139683ca7a22d8082e72e961e823bc3ad1a84ab9c371f5111f530807171 |
C:\Windows\msagent\chars\Peedy.acs
| MD5 | 49654a47fadfd39414ddc654da7e3879 |
| SHA1 | 9248c10cef8b54a1d8665dfc6067253b507b73ad |
| SHA256 | b8112187525051bfade06cb678390d52c79555c960202cc5bbf5901fbc0853c5 |
| SHA512 | fa9cab60fadd13118bf8cb2005d186eb8fa43707cb983267a314116129371d1400b95d03fbf14dfdaba8266950a90224192e40555d910cf8a3afa4aaf4a8a32f |
C:\Users\Admin\AppData\Local\Temp\$inst\0005.tmp
| MD5 | 94e0d650dcf3be9ab9ea5f8554bdcb9d |
| SHA1 | 21e38207f5dee33152e3a61e64b88d3c5066bf49 |
| SHA256 | 026893ba15b76f01e12f3ef540686db8f52761dcaf0f91dcdc732c10e8f6da0e |
| SHA512 | 039ccf6979831f692ea3b5e3c5df532f16c5cf395731864345c28938003139a167689a4e1acef1f444db1fe7fd3023680d877f132e17bf9d7b275cfc5f673ac3 |
C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Internet\page18.jpg
| MD5 | 108fd5475c19f16c28068f67fc80f305 |
| SHA1 | 4e1980ba338133a6fadd5fda4ffe6d4e8a039033 |
| SHA256 | 03f269cd40809d7ec94f5fa4fff1033a624e849179962693cdc2c37d7904233b |
| SHA512 | 98c8743b5af89ec0072b70de8a0babfb5aff19bafa780d6ce99c83721b65a80ec310a4fe9db29a4bb50c2454c34de62c029a83b70d0a9df9b180159ea6cad83a |
C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Internet\page17.jpg
| MD5 | e8f52918072e96bb5f4c573dbb76d74f |
| SHA1 | ba0a89ed469de5e36bd4576591ee94db2c7f8909 |
| SHA256 | 473a890da22defb3fbd643246b3fa0d6d34939ac469cd4f48054ee2a0bc33d82 |
| SHA512 | d57dd0a9686696487d268ef2be2ec2d3b97baedf797a63676da5a8a4165cda89540ec2d3b9e595397cbf53e69dcce76f7249f5eeff041947146ca7bf4099819f |
C:\Users\Admin\AppData\Local\Temp\$inst\0006.tmp
| MD5 | b3b7f6b0fb38fc4aa08f0559e42305a2 |
| SHA1 | a66542f84ece3b2481c43cd4c08484dc32688eaf |
| SHA256 | 7fb63fca12ef039ad446482e3ce38abe79bdf8fc6987763fe337e63a1e29b30b |
| SHA512 | 0f4156f90e34a4c26e1314fc0c43367ad61d64c8d286e25629d56823d7466f413956962e2075756a4334914d47d69e20bb9b5a5b50c46eca4ef8173c27824e6c |
C:\Program Files (x86)\BonziBuddy432\BonziBDY_2.EXE
| MD5 | 8a30bd00d45a659e6e393915e5aef701 |
| SHA1 | b00c31de44328dd71a70f0c8e123b56934edc755 |
| SHA256 | 1e2994763a7674a0f1ec117dae562b05b614937ff61c83b316b135afab02d45a |
| SHA512 | daf92e61e75382e1da0e2aba9466a9e4d9703a129a147f0b3c71755f491c68f89ad67cfb4dd013580063d664b69c8673fb52c02d34b86d947e9f16072b7090fb |
C:\Program Files (x86)\BonziBuddy432\BonziBDY_35.EXE
| MD5 | 73feeab1c303db39cbe35672ae049911 |
| SHA1 | c14ce70e1b3530811a8c363d246eb43fc77b656c |
| SHA256 | 88c03817ae8dfc5fc9e6ffd1cfb5b829924988d01cd472c1e64952c5398866e8 |
| SHA512 | 73f37dee83664ce31522f732bf819ed157865a2a551a656a7a65d487c359a16c82bd74acff2b7a728bb5f52d53f4cfbea5bef36118128b0d416fa835053f7153 |
C:\Program Files (x86)\BonziBuddy432\BonziBDY_4.EXE
| MD5 | 93f3ed21ad49fd54f249d0d536981a88 |
| SHA1 | ffca7f3846e538be9c6da1e871724dd935755542 |
| SHA256 | 5678fd744faddb30a87568ae309066ef88102a274fff62f10e4963350da373bc |
| SHA512 | 7923556c6d6feb4ff4253e853bae3675184eab9b8ce4d4e07f356c8624317801ee807ad5340690196a975824ea3ed500ce6a80c7670f19785139be594fa5e70f |
C:\Program Files (x86)\BonziBuddy432\ActiveSkin.ocx
| MD5 | 3d225d8435666c14addf17c14806c355 |
| SHA1 | 262a951a98dd9429558ed35f423babe1a6cce094 |
| SHA256 | 2c8f92dc16cbf13542ddd3bf0a947cf84b00fed83a7124b830ddefa92f939877 |
| SHA512 | 391df24c6427b4011e7d61b644953810e392525743914413c2e8cf5fce4a593a831cfab489fbb9517b6c0e7ef0483efb8aeaad0a18543f0da49fa3125ec971e1 |
C:\Program Files (x86)\BonziBuddy432\Uninstall.exe
| MD5 | 068ace391e3c5399b26cb9edfa9af12f |
| SHA1 | 568482d214acf16e2f5522662b7b813679dcd4c7 |
| SHA256 | 2288f4f42373affffbaa63ce2fda9bb071fd7f14dbcd04f52d3af3a219b03485 |
| SHA512 | 0ba89fcdbb418ea6742eeb698f655206ed3b84c41ca53d49c06d30baed13ac4dfdb4662b53c05a28db0a2335aa4bc588635b3b205cfc36d8a55edfc720ac4b03 |
C:\Program Files (x86)\BonziBuddy432\BonziCheckers.ocx
| MD5 | 66551c972574f86087032467aa6febb4 |
| SHA1 | 5ad1fe1587a0c31bb74af20d09a1c7d3193ec3c9 |
| SHA256 | 9028075603c66ca2e906ecac3275e289d8857411a288c992e8eef793ed71a75b |
| SHA512 | 35c1f500e69cdd12ec6a3c5daef737a3b57b48a44df6c120a0504d340e0f721d34121595ed396dc466a8f9952a51395912d9e141ad013000f5acb138b2d41089 |
C:\Program Files (x86)\BonziBuddy432\MSCOMCTL.OCX
| MD5 | 12c2755d14b2e51a4bb5cbdfc22ecb11 |
| SHA1 | 33f0f5962dbe0e518fe101fa985158d760f01df1 |
| SHA256 | 3b6ccdb560d7cd4748e992bd82c799acd1bbcfc922a13830ca381d976ffcccaf |
| SHA512 | 4c9b16fb4d787145f6d65a34e1c4d5c6eb07bff4c313a35f5efa9dce5a840c1da77338c92346b1ad68eeb59ef37ef18a9d6078673c3543656961e656466699cf |
C:\Program Files (x86)\BonziBuddy432\MSINET.OCX
| MD5 | 7bec181a21753498b6bd001c42a42722 |
| SHA1 | 3249f233657dc66632c0539c47895bfcee5770cc |
| SHA256 | 73da54b69911bdd08ea8bbbd508f815ef7cfa59c4684d75c1c602252ec88ee31 |
| SHA512 | d671e25ae5e02a55f444d253f0e4a42af6a5362d9759fb243ad6d2c333976ab3e98669621ec0850ad915ee06acbe8e70d77b084128fc275462223f4f5ab401bc |
C:\Program Files (x86)\BonziBuddy432\MSWINSCK.OCX
| MD5 | 9484c04258830aa3c2f2a70eb041414c |
| SHA1 | b242a4fb0e9dcf14cb51dc36027baff9a79cb823 |
| SHA256 | bf7e47c16d7e1c0e88534f4ef95e09d0fd821ed1a06b0d95a389b35364b63ff5 |
| SHA512 | 9d0e9f0d88594746ba41ea4a61a53498619eda596e12d8ec37d01cfe8ceb08be13e3727c83d630a6d9e6d03066f62444bb94ea5a0d2ed9d21a270e612db532a0 |
C:\Program Files (x86)\BonziBuddy432\Regicon.ocx
| MD5 | 32ff40a65ab92beb59102b5eaa083907 |
| SHA1 | af2824feb55fb10ec14ebd604809a0d424d49442 |
| SHA256 | 07e91d8ed149d5cd6d48403268a773c664367bce707a99e51220e477fddeeb42 |
| SHA512 | 2cfc5c6cb4677ff61ec3b6e4ef8b8b7f1775cbe53b245d321c25cfec363b5b4975a53e26ef438e07a4a5b08ad1dde1387970d57d1837e653d03aef19a17d2b43 |
C:\Program Files (x86)\BonziBuddy432\ssa3d30.ocx
| MD5 | 48c35ed0a09855b29d43f11485f8423b |
| SHA1 | 46716282cc5e0f66cb96057e165fa4d8d60fbae2 |
| SHA256 | 7a0418b76d00665a71d13a30d838c3e086304bacd10d764650d2a5d2ec691008 |
| SHA512 | 779938ec9b0f33f4cbd5f1617bea7925c1b6d794e311737605e12cd7efa5a14bbc48bee85208651cf442b84133be26c4cc8a425d0a3b5b6ad2dc27227f524a99 |
C:\Program Files (x86)\BonziBuddy432\SSCALA32.OCX
| MD5 | ce9216b52ded7e6fc63a50584b55a9b3 |
| SHA1 | 27bb8882b228725e2a3793b4b4da3e154d6bb2ea |
| SHA256 | 8e52ef01139dc448d1efd33d1d9532f852a74d05ee87e8e93c2bb0286a864e13 |
| SHA512 | 444946e5fc3ea33dd4a09b4cbf2d41f52d584eb5b620f5e144de9a79186e2c9d322d6076ed28b6f0f6d0df9ef4f7303e3901ff552ed086b70b6815abdfc23af7 |
C:\Program Files (x86)\BonziBuddy432\sstabs2.ocx
| MD5 | 7303efb737685169328287a7e9449ab7 |
| SHA1 | 47bfe724a9f71d40b5e56811ec2c688c944f3ce7 |
| SHA256 | 596f3235642c9c968650194065850ecb02c8c524d2bdcaf6341a01201e0d69be |
| SHA512 | e0d9cb9833725e0cdc7720e9d00859d93fc51a26470f01a0c08c10fa940ed23df360e093861cf85055b8a588bb2cac872d1be69844a6c754ac8ed5bfaf63eb03 |
C:\Program Files (x86)\BonziBuddy432\SSCALB32.OCX
| MD5 | 97ffaf46f04982c4bdb8464397ba2a23 |
| SHA1 | f32e89d9651fd6e3af4844fd7616a7f263dc5510 |
| SHA256 | 5db33895923b7af9769ca08470d0462ed78eec432a4022ff0acc24fa2d4666e1 |
| SHA512 | 8c43872396f5dceb4ba153622665e21a9b52a087987eab523b1041031e294687012d7bf88a3da7998172010eae5f4cc577099980ecd6b75751e35cfc549de002 |
C:\Program Files (x86)\BonziBuddy432\Runtimes\CheckRuntimes.bat
| MD5 | 4877f2ce2833f1356ae3b534fce1b5e3 |
| SHA1 | 7365c9ef5997324b73b1ff0ea67375a328a9646a |
| SHA256 | 8ae1ed38bc650db8b14291e1b7298ee7580b31e15f8a6a84f78f048a542742ff |
| SHA512 | dd43ede5c3f95543bcc8086ec8209a27aadf1b61543c8ee1bb3eab9bc35b92c464e4132b228b12b244fb9625a45f5d4689a45761c4c5263aa919564664860c5e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 6b0709c51429297e948b8ecd1a0ea8c7 |
| SHA1 | 66bceb53a5a8be4c08081ef317750fd63f8cb0e7 |
| SHA256 | 06ea111c8f3136658e36ccecfa23379c381b88e3e780d43cf60c8089673cea17 |
| SHA512 | 84e140d5577a3245ec4bfdbd3e8c07699b5e865bc791baab1a3662235995579bdd1a0421473a2f55cbf6a81f1cc7a864d822bd7bcea897b97c07176c4ba240e8 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tv_enua.inf
| MD5 | 0a250bb34cfa851e3dd1804251c93f25 |
| SHA1 | c10e47a593c37dbb7226f65ad490ff65d9c73a34 |
| SHA256 | 85189df1c141ef5d86c93b1142e65bf03db126d12d24e18b93dd4cc9f3e438ae |
| SHA512 | 8e056f4aa718221afab91c4307ff87db611faa51149310d990db296f979842d57c0653cb23d53fea54a69c99c4e5087a2eb37daa794ba62e6f08a8da41255795 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tv_enua.dll
| MD5 | ed98e67fa8cc190aad0757cd620e6b77 |
| SHA1 | 0317b10cdb8ac080ba2919e2c04058f1b6f2f94d |
| SHA256 | e0beb19c3536561f603474e3d5e3c3dff341745d317bc4d1463e2abf182bb18d |
| SHA512 | ec9c3a71ca9324644d4a2d458e9ba86f90deb9137d0a35793e0932c2aa297877ed7f1ab75729fda96690914e047f1336f100b6809cbc7a33baa1391ed588d7f0 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\andmoipa.ttf
| MD5 | c3e8aeabd1b692a9a6c5246f8dcaa7c9 |
| SHA1 | 4567ea5044a3cef9cb803210a70866d83535ed31 |
| SHA256 | 38ae07eeb7909bda291d302848b8fe5f11849cf0d597f0e5b300bfed465aed4e |
| SHA512 | f74218681bd9d526b68876331b22080f30507898b6a6ebdf173490ca84b696f06f4c97f894cb6052e926b1eee4b28264db1ead28f3bc9f627b4569c1ddcd2d3e |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tv_enua.hlp
| MD5 | 80d09149ca264c93e7d810aac6411d1d |
| SHA1 | 96e8ddc1d257097991f9cc9aaf38c77add3d6118 |
| SHA256 | 382d745e10944b507a8d9c69ae2e4affd4acf045729a19ac143fa8d9613ccb42 |
| SHA512 | 8813303cd6559e2cc726921838293377e84f9b5902603dac69d93e217ff3153b82b241d51d15808641b5c4fb99613b83912e9deda9d787b4c8ccfbd6afa56bc9 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tvenuax.dll
| MD5 | 1587bf2e99abeeae856f33bf98d3512e |
| SHA1 | aa0f2a25fa5fc9edb4124e9aa906a52eb787bea9 |
| SHA256 | c9106198ecbd3a9cab8c2feff07f16d6bb1adfa19550148fc96076f0f28a37b0 |
| SHA512 | 43161c65f2838aa0e8a9be5f3f73d4a6c78ad8605a6503aae16147a73f63fe985b17c17aedc3a4d0010d5216e04800d749b2625182acc84b905c344f0409765a |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Msvcp50.dll
| MD5 | 497fd4a8f5c4fcdaaac1f761a92a366a |
| SHA1 | 81617006e93f8a171b2c47581c1d67fac463dc93 |
| SHA256 | 91cd76f9fa3b25008decb12c005c194bdf66c8d6526a954de7051bec9aae462a |
| SHA512 | 73d11a309d8f1a6624520a0bf56d539cb07adee6d46f2049a86919f5ce3556dc031437f797e3296311fe780a8a11a1a37b4a404de337d009e9ed961f75664a25 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Msvcirt.dll
| MD5 | e7cd26405293ee866fefdd715fc8b5e5 |
| SHA1 | 6326412d0ea86add8355c76f09dfc5e7942f9c11 |
| SHA256 | 647f7534aaaedffa93534e4cb9b24bfcf91524828ff0364d88973be58139e255 |
| SHA512 | 1114c5f275ecebd5be330aa53ba24d2e7d38fc20bb3bdfa1b872288783ea87a7464d2ab032b542989dee6263499e4e93ca378f9a7d2260aebccbba7fe7f53999 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ADVPACK.DLL
| MD5 | 81e5c8596a7e4e98117f5c5143293020 |
| SHA1 | 45b7fe0989e2df1b4dfd227f8f3b73b6b7df9081 |
| SHA256 | 7d126ed85df9705ec4f38bd52a73b621cf64dd87a3e8f9429a569f3f82f74004 |
| SHA512 | 05b1e9eef13f7c140eb21f6dcb705ee3aaafabe94857aa86252afa4844de231815078a72e63d43725f6074aa5fefe765feb93a6b9cd510ee067291526bb95ec6 |
memory/6076-2189-0x0000000000400000-0x0000000000424000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\W95INF32.DLL
| MD5 | 4be7661c89897eaa9b28dae290c3922f |
| SHA1 | 4c9d25195093fea7c139167f0c5a40e13f3000f2 |
| SHA256 | e5e9f7c8dbd47134815e155ed1c7b261805eda6fddea6fa4ea78e0e4fb4f7fb5 |
| SHA512 | 2035b0d35a5b72f5ea5d5d0d959e8c36fc7ac37def40fa8653c45a49434cbe5e1c73aaf144cbfbefc5f832e362b63d00fc3157ca8a1627c3c1494c13a308fc7f |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\W95INF16.DLL
| MD5 | 7210d5407a2d2f52e851604666403024 |
| SHA1 | 242fde2a7c6a3eff245f06813a2e1bdcaa9f16d9 |
| SHA256 | 337d2fb5252fc532b7bf67476b5979d158ca2ac589e49c6810e2e1afebe296af |
| SHA512 | 1755a26fa018429aea00ebcc786bb41b0d6c4d26d56cd3b88d886b0c0773d863094797334e72d770635ed29b98d4c8c7f0ec717a23a22adef705a1ccf46b3f68 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGT20.INF
| MD5 | e4a499b9e1fe33991dbcfb4e926c8821 |
| SHA1 | 951d4750b05ea6a63951a7667566467d01cb2d42 |
| SHA256 | 49e6b848f5a708d161f795157333d7e1c7103455a2f47f50895683ef6a1abe4d |
| SHA512 | a291bb986293197a16f75b2473297286525ac5674c08a92c87b5cc1f0f2e62254ea27d626b30898e7857281bdb502f188c365311c99bda5c2dd76da0c82c554a |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGENTCTL.DLL
| MD5 | 237e13b95ab37d0141cf0bc585b8db94 |
| SHA1 | 102c6164c21de1f3e0b7d487dd5dc4c5249e0994 |
| SHA256 | d19b6b7c57bcee7239526339e683f62d9c2f9690947d0a446001377f0b56103a |
| SHA512 | 9d0a68a806be25d2eeedba8be1acc2542d44ecd8ba4d9d123543d0f7c4732e1e490bad31cad830f788c81395f6b21d5a277c0bed251c9854440a662ac36ac4cb |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGENTDP2.DLL
| MD5 | a334bbf5f5a19b3bdb5b7f1703363981 |
| SHA1 | 6cb50b15c0e7d9401364c0fafeef65774f5d1a2c |
| SHA256 | c33beaba130f8b740dddb9980fe9012f9322ac6e94f36a6aa6086851c51b98de |
| SHA512 | 1fa170f643054c0957ed1257c4d7778976c59748670afa877d625aaa006325404bc17c41b47be2906dd3f1e229870d54eb7aba4a412de5adedbd5387e24abf46 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGENTMPX.DLL
| MD5 | 4fbbaac42cf2ecb83543f262973d07c0 |
| SHA1 | ab1b302d7cce10443dfc14a2eba528a0431e1718 |
| SHA256 | 6550582e41fc53b8a7ccdf9ac603216937c6ff2a28e9538610adb7e67d782ab5 |
| SHA512 | 4146999b4bec85bcd2774ac242cb50797134e5180a3b3df627106cdfa28f61aeea75a7530094a9b408bc9699572cae8cf998108bde51b57a6690d44f0b34b69e |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGENTSVR.EXE
| MD5 | 5c91bf20fe3594b81052d131db798575 |
| SHA1 | eab3a7a678528b5b2c60d65b61e475f1b2f45baa |
| SHA256 | e8ce546196b6878a8c34da863a6c8a7e34af18fb9b509d4d36763734efa2d175 |
| SHA512 | face50db7025e0eb2e67c4f8ec272413d13491f7438287664593636e3c7e3accaef76c3003a299a1c5873d388b618da9eaede5a675c91f4c1f570b640ac605d6 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGENTDPV.DLL
| MD5 | 7c5aefb11e797129c9e90f279fbdf71b |
| SHA1 | cb9d9cbfbebb5aed6810a4e424a295c27520576e |
| SHA256 | 394a17150b8774e507b8f368c2c248c10fce50fc43184b744e771f0e79ecafed |
| SHA512 | df59a30704d62fa2d598a5824aa04b4b4298f6192a01d93d437b46c4f907c90a1bad357199c51a62beb87cd724a30af55a619baef9ecf2cba032c5290938022a |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGTINST.INF
| MD5 | b127d9187c6dbb1b948053c7c9a6811f |
| SHA1 | b3073c8cad22c87dd9b8f76b6ffd0c4d0a2010d9 |
| SHA256 | bd1295d19d010d4866c9d6d87877913eee69e279d4d089e5756ba285f3424e00 |
| SHA512 | 88e447dd4db40e852d77016cfd24e09063490456c1426a779d33d8a06124569e26597bb1e46a3a2bbf78d9bffee46402c41f0ceb44970d92c69002880ddc0476 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGENTPSH.DLL
| MD5 | b4ac608ebf5a8fdefa2d635e83b7c0e8 |
| SHA1 | d92a2861d5d1eb67ab434ff2bd0a11029b3bd9a9 |
| SHA256 | 8414dfe399813b7426c235ba1e625bd2b5635c8140da0d0cfc947f6565fe415f |
| SHA512 | 2c42daade24c3ff01c551a223ee183301518357990a9cb2cc2dd7bf411b7059ff8e0bf1d1aee2d268eca58db25902a8048050bdb3cb48ae8be1e4c2631e3d9b4 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGENTSR.DLL
| MD5 | 9fafb9d0591f2be4c2a846f63d82d301 |
| SHA1 | 1df97aa4f3722b6695eac457e207a76a6b7457be |
| SHA256 | e78e74c24d468284639faf9dcfdba855f3e4f00b2f26db6b2c491fa51da8916d |
| SHA512 | ac0d97833beec2010f79cb1fbdb370d3a812042957f4643657e15eed714b9117c18339c737d3fd95011f873cda46ae195a5a67ae40ff2a5bcbee54d1007f110a |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGT0409.DLL
| MD5 | 0cbf0f4c9e54d12d34cd1a772ba799e1 |
| SHA1 | 40e55eb54394d17d2d11ca0089b84e97c19634a7 |
| SHA256 | 6b0b57e5b27d901f4f106b236c58d0b2551b384531a8f3dad6c06ed4261424b1 |
| SHA512 | bfdb6e8387ffbba3b07869cb3e1c8ca0b2d3336aa474bd19a35e4e3a3a90427e49b4b45c09d8873d9954d0f42b525ed18070b949c6047f4e4cdb096f9c5ae5d5 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGT0409.HLP
| MD5 | 466d35e6a22924dd846a043bc7dd94b8 |
| SHA1 | 35e5b7439e3d49cb9dc57e7ef895a3cd8d80fb10 |
| SHA256 | e4ccf06706e68621bb69add3dd88fed82d30ad8778a55907d33f6d093ac16801 |
| SHA512 | 23b64ed68a8f1df4d942b5a08a6b6296ec5499a13bb48536e8426d9795771dbcef253be738bf6dc7158a5815f8dcc65feb92fadf89ea8054544bb54fc83aa247 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MSLWVTTS.DLL
| MD5 | 316999655fef30c52c3854751c663996 |
| SHA1 | a7862202c3b075bdeb91c5e04fe5ff71907dae59 |
| SHA256 | ea4ca740cd60d2c88280ff8115bf354876478ef27e9e676d8b66601b4e900ba0 |
| SHA512 | 5555673e9863127749fc240f09cf3fb46e2019b459ad198ba1dc356ba321c41e4295b6b2e2d67079421d7e6d2fb33542b81b0c7dae812fe8e1a87ded044edd44 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGENTANM.DLL
| MD5 | 48c00a7493b28139cbf197ccc8d1f9ed |
| SHA1 | a25243b06d4bb83f66b7cd738e79fccf9a02b33b |
| SHA256 | 905cb1a15eccaa9b79926ee7cfe3629a6f1c6b24bdd6cea9ccb9ebc9eaa92ff7 |
| SHA512 | c0b0a410ded92adc24c0f347a57d37e7465e50310011a9d636c5224d91fbc5d103920ab5ef86f29168e325b189d2f74659f153595df10eef3a9d348bb595d830 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGTCTL15.TLB
| MD5 | f1656b80eaae5e5201dcbfbcd3523691 |
| SHA1 | 6f93d71c210eb59416e31f12e4cc6a0da48de85b |
| SHA256 | 3f8adc1e332dd5c252bbcf92bf6079b38a74d360d94979169206db34e6a24cd2 |
| SHA512 | e9c216b9725bd419414155cfdd917f998aa41c463bc46a39e0c025aa030bc02a60c28ac00d03643c24472ffe20b8bbb5447c1a55ff07db3a41d6118b647a0003 |
memory/6076-2401-0x0000000000400000-0x0000000000424000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\001416a3-7ea5-4138-b0cc-df8ec97c9b3a.tmp
| MD5 | 9b0671b7272dd0956fb76e3b027b4148 |
| SHA1 | 261803a03b074ceb8ae21eed416bd2c1142e1b85 |
| SHA256 | dff6ff70d1cc917e1aa5293ea8217f5e46140e52047167af7aa5784f66629ce4 |
| SHA512 | 6840970f9fb35ce96204ee3751c3f387eea740a7f16d4a8b3354e4ac94ff14af9a057952fac41038d4a9584795eabeb9a0731ca11f82a01b113266e3def109f7 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | ef638b90fd57b3a164966a3f55a93a4a |
| SHA1 | 7d0131076072562bd0fb59690ed5c74f7fbe81fc |
| SHA256 | da927b0cda65d3dd83ebe68b8b43870001d6d5a2b27170de8eb5298e4529fe9e |
| SHA512 | d165ec2fc4ec2bb78bf759aa59cd761097ba334dc192e0837fe13f72536dcadd03cf9af176c0d8d2a63366bcefe00d3fb4a39291d77fc5ce442aaeb5dc6b6d6d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\ab9fcffb-9367-4572-b7cd-f11e89f8b266.tmp
| MD5 | 8cc43d42ab9aae2355bf7ade5bf5e9ef |
| SHA1 | bbb832e7910af2766be77d2bd5dd11537e79d00d |
| SHA256 | f75dc9d46b1c1a7af768c795fb72237019d44c9a0e2a302a063886ce2e823c0e |
| SHA512 | e9f05173492b63796375e41487a16f2f811fcc20bfc9eca59dddcd396c9798bf999db514bc5df65077375c4491b6f1bbfbca0a9fcdd4e365e3ad5e24ed0414a3 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | b2046c721cb949b0335dc6993096be0a |
| SHA1 | 3b1e102808c13e48232eca6dc78c528d3493f83a |
| SHA256 | 6dc6f3333ab748744afbd8973ab490711221527124b690d5ee2f7938ce9e100e |
| SHA512 | d788570435c222c324a563d812228432f5cc3d9f5ef8b3f9a21f2bcaf37efd9957af7043b90f4a3d47c5a63c77dea67c9a17c4cf8476e85acda922453eacf96e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | f42f3c06360bf160a764e9c870602e4a |
| SHA1 | a8b6ba20101935bc46fe36e817094e7602602c7e |
| SHA256 | 60124c42c94d943b8ea6ae119aa6cbda4f86723d777b954349733be83c79b301 |
| SHA512 | 7d35a6b2be6745319207f2801102d83058abed1b9bd2eb6dc902ca92dae9eeac5a4bb2d0aa76419f6b32e7fd0c2cade7797c89ac0ecab546d50f72281f8967bd |
C:\Program Files (x86)\BonziBuddy432\Bonzi's Beach Checkers.exe
| MD5 | c3b0a56e48bad8763e93653902fc7ccb |
| SHA1 | d7048dcf310a293eae23932d4e865c44f6817a45 |
| SHA256 | 821a16b65f68e745492419ea694f363926669ac16f6b470ed59fe5a3f1856fcb |
| SHA512 | ae35f88623418e4c9645b545ec9e8837e54d879641658996ca21546f384e3e1f90dae992768309ac0bd2aae90e1043663931d2ef64ac541977af889ee72e721a |
memory/232-2598-0x000000000FFD0000-0x000000000FFDE000-memory.dmp
memory/232-2611-0x0000000011AB0000-0x0000000011AD7000-memory.dmp
C:\Program Files (x86)\BonziBuddy432\Reg.nbd
| MD5 | a8ed45f8bfdc5303b7b52ae2cce03a14 |
| SHA1 | fb9bee69ef99797ac15ba4d8a57988754f2c0c6b |
| SHA256 | 375ecd89ee18d7f318cf73b34a4e15b9eb16bc9d825c165e103db392f4b2a68b |
| SHA512 | 37917594f22d2a27b3541a666933c115813e9b34088eaeb3d74f77da79864f7d140094dfac5863778acf12f87ccda7f7255b7975066230911966b52986da2d5c |
C:\Program Files (x86)\BonziBuddy432\Reg.nbd
| MD5 | b8a59ede9a2f4b5be4d5e98c598ac15d |
| SHA1 | 8618573f777b4c9097dd639dd9d66692348f881a |
| SHA256 | 9863e1f155e12e83ba26d1ca436dcc0a80242de6de714dbd55783469a762e2cd |
| SHA512 | a23e97aefd5da0aa32b343e2b158b0fe8a6c0d4f371d447e665f09ddc24a7d233e1904e773d4c44529bb7b71ef628ead667c168054aafa42207dca54651d73e4 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | ed8ffd060507259835f776ded216f54c |
| SHA1 | e9179310bba1a998b7c2dc31a62a925903d677e6 |
| SHA256 | 9211e535f90f588a54e4d9e1933a0040d93b7b84b8c3631c700f390548abba5b |
| SHA512 | a40aea2f09adf1ffbb0b629c4582fbb84f2e1c7f80fb34d00c8f8659a28c6956086cf8041e85e2219a3c8bef4a2028db119ee431717bb4f1c7dc75ae108a5924 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 197bf7ab525e43a362f2941982623ae2 |
| SHA1 | de2152eed091f892ed92b141f343f3515d015c71 |
| SHA256 | 324942a0cec6ae6c581adc19735bb8c0c1049bf2a1f8dbae3bf316cee7181e56 |
| SHA512 | 0df9431c4d99a95d7945a7d04807445346690bca178df83ef36b0eea0d128ba8aa52b108bd2e51ecf1d4ce61707ef58bd5177c9499339fb92a3d1ebd6bfa0e7a |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | aefd77f47fb84fae5ea194496b44c67a |
| SHA1 | dcfbb6a5b8d05662c4858664f81693bb7f803b82 |
| SHA256 | 4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611 |
| SHA512 | b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | cb3cad0413f528c99003bae8aef09cde |
| SHA1 | 12a2b963e724a6c0d9f11bb7e591687acefc1e0d |
| SHA256 | 1d6605284b47f8d015ccdbd18f1a79cb44092bb58bc065e2e8980624ba42fce8 |
| SHA512 | ea20c24ac607befd2095ed65aff34541b5bb731698fefd7b351cdb0d85ff6269c9a0bc6062036927200893809202c32b92cadc94c0515a0a858dd60da5a3f9ce |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 4469491d17e6f279d74af1d3ab1f2d8e |
| SHA1 | 1b7aff723e648fc36b928a9c4d761d4530415a45 |
| SHA256 | 5b04306a6b626fde76f5282e15fa432791f9d0967ed144e75fc0deb1c88a110a |
| SHA512 | 1ef32698468328951b0e7d0caac52b28d807d7107afcb317df89abc74f7d06b1d7cefe3d1d4c584352bc6ab310d9bec5922bd9767d4e0ced0965ed6c178bbb56 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 9b9597f6b61e7ceffca651dff3966599 |
| SHA1 | 7026b08930e9471fff27beff9ef7c2afa5f17316 |
| SHA256 | b527458f782990935877ae36d724e3202862866ea01142460c1c1299e7923db9 |
| SHA512 | 7b4c1b47083d9fa7ec916218a06ed2cab6725922db3f7703c9a3e589087c541ba645e90b4cff0dd959fe00861da0f9fc6295c2928a9023f9ecface4def3033d2 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
| MD5 | 0060201f9e212ced1bd1a77c62b5beb5 |
| SHA1 | 09ed8466e022c83d6fa3099772afa57342cdcec4 |
| SHA256 | 39fd3109d3e382a4ad76ca56163241424482fc144bd916b588053a623136a6ca |
| SHA512 | 1b552a1119e6e70cd085497fa78a889abf287d00d133edb02ce0cf17537334ec6d9622fca3b54fe6fe34425c386c4ce33e11a5af043b66834dd0803a41f9118d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | d637bf41190338c73db8b98eb15ccc03 |
| SHA1 | c816b7503b8158a877669f288ae0cf2105aaceb8 |
| SHA256 | 62050ad212f8d48c316f3465edba66ecd1d084ab05e9e2e6a9444e2e6e230f63 |
| SHA512 | ca56cff3a246de306eeadff19d88e77157f6d4bffca0f50bace6c76b59cbb04a008905448aae8fd1fce21b052d6f15db01765e60572144e1eab5aefcd93aba1f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | aec6cfedc9caa59e9a19b6c02ae48ad2 |
| SHA1 | 79cc8e17c98704d287e6676e9dfcf80c767120a0 |
| SHA256 | 481f144c1d6ea2b6e2a97bd3f4cd03df021f0dfa325181b30f196ba6bd88ae51 |
| SHA512 | 2b67f883039164d1369ae404f62ed73ebf27647978fff07440ba38f0669aa6e96b6abd8edecedd671060e1aa63b2ed9e379c36d938a0307a759b706cbf8df059 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00003c
| MD5 | b16a03c42d5ac99d7b533019a950e4fb |
| SHA1 | 62c8f567a043c8e8445be7751c86f545d31b9fe5 |
| SHA256 | 32965acf9ca7c39893a604f0c1b57cf2a640cfe8b51926407a4f1d1e55da80ea |
| SHA512 | 0d91dbb39d4d0878be6dc270a947873eedfb19332b3226be66558d54c1d161060af0dd54da7e9e5636e90566da87308a3db146f662149b448a510a57afba8e8b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 9e5f1ee379cb4fc9dc4e725f98c1380b |
| SHA1 | 16fdaaa3ba74964c013f4dd6a14977af43250232 |
| SHA256 | 8f4892d470329aeac348818afaf1d7520013f30911029469a54b88053f0daa61 |
| SHA512 | a30c3c087eca7a3bdf70aae39a05a99c3d7f07df1452c1b38779c92876da785853a40617bc7369bd6ca667f31c0eab294719eafc7766136b4bd0013acbaabe7b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 06f1918ca8ad13101452c2f8cc75c839 |
| SHA1 | 78aa65d3651b0df993fdb90a014ba82c56bf69c9 |
| SHA256 | 34550a8916c4de86bdd724d097916713cd1948f0fd92092d9290b0d825fc3086 |
| SHA512 | c61a6b285e7bb0a0aa17b31c4725c8990fdc31d54b396be3b1c8dbdd6f19ef128f49e3a3edf94bc9f34171fbf81aa729836860d744e5df5898f97b35e9f144ec |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 1fbf138c550533f3393c236ad24aa455 |
| SHA1 | a6c62f35978ef6819070fe46c9de64c56449632e |
| SHA256 | 1641179c9ec2d1f3b465de0feb232c6e8df6c626d4b054c6088e8bc6c4cfdf98 |
| SHA512 | 60d8d909b7eb24a3532e14fbb5441d78aa2dcd77a9b1a46f28b2a385dd6e2c3ef73e44c6a96160c7cb7eebf3943a1a66de0b0c36b8e485c0ab14b78f53c94acc |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | f353a57112b10750c3fe0b930e1f7b44 |
| SHA1 | 68479f5a91fd95847b42f72336b2cd55daee4653 |
| SHA256 | c1879cecf3d24ecb304dbd91e4ae28c0c8b5456abaad6200f05287924d188a07 |
| SHA512 | a7c1792bdd3b0a77c25ac2f9b8dca2dfd40480844f53cc94038d3145e47cf473efbaa4479b452800718be6682b42c0e69179ff185e4723e7e259941726a28a51 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-19 16:36
Reported
2024-05-19 16:45
Platform
win11-20240426-en
Max time kernel
538s
Max time network
551s
Command Line
Signatures
Wannacry
Deletes shadow copies
Downloads MZ/PE file
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDC467.tmp | C:\Users\Admin\Downloads\WannaCry.EXE | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDC47E.tmp | C:\Users\Admin\Downloads\WannaCry.EXE | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\WannaCry.EXE | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\taskdl.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\@[email protected] | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\@[email protected] | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\TaskData\Tor\taskhsvc.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\taskdl.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\taskse.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\@[email protected] | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\taskdl.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\taskse.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\@[email protected] | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\taskse.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\@[email protected] | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\taskdl.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\TaskData\Tor\taskhsvc.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\TaskData\Tor\taskhsvc.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\TaskData\Tor\taskhsvc.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\TaskData\Tor\taskhsvc.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\TaskData\Tor\taskhsvc.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\TaskData\Tor\taskhsvc.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\TaskData\Tor\taskhsvc.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\hznvejqxthaqxq163 = "\"C:\\Users\\Admin\\Downloads\\tasksche.exe\"" | C:\Windows\SysWOW64\reg.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | camo.githubusercontent.com | N/A | N/A |
| N/A | camo.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]" | C:\Users\Admin\Downloads\WannaCry.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]" | C:\Users\Admin\Downloads\@[email protected] | N/A |
Enumerates physical storage devices
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 7800310000000000b3586f851100557365727300640009000400efbec5522d60b3586f852e0000006c0500000000010000000000000000003a0000000000e1181d0155007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = 00000000ffffffff | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}" | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = ffffffff | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = 8400310000000000b358a0851300444f574e4c4f7e3100006c0009000400efbe9a581078b358a0852e000000535702000000010000000000000000004200000000002622680044006f0077006e006c006f00610064007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370039003800000018000000 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3062789476-783164490-2318012559-1000\{DC90AF7B-B91B-4517-9510-AA3513F8E2BA} | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 5000310000000000b3586f85100041646d696e003c0009000400efbe9a581078b3586f852e0000004b570200000001000000000000000000000000000000e1181d01410064006d0069006e00000014000000 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\NodeSlot = "1" | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Downloads\WannaCry.EXE:Zone.Identifier | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File opened for modification | C:\Users\Admin\Downloads\memz-master.zip:Zone.Identifier | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\Downloads\taskse.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\Downloads\taskse.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\Downloads\taskse.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\Downloads\taskse.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\Downloads\taskse.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\Downloads\taskse.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\@[email protected] | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\@[email protected] | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\@[email protected] | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\@[email protected] | N/A |
| N/A | N/A | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\@[email protected] | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\@[email protected] | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\@[email protected] | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\@[email protected] | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\memz-master\MEMZ-master\MEMZ-Destructive.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\memz-master\MEMZ-master\MEMZ-Destructive.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\memz-master\MEMZ-master\MEMZ-Destructive.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\memz-master\MEMZ-master\MEMZ-Destructive.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\memz-master\MEMZ-master\MEMZ-Destructive.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\StarStacker.bat"
C:\Windows\system32\chcp.com
chcp 65001
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9879b3cb8,0x7ff9879b3cc8,0x7ff9879b3cd8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1884,16386014739476196268,18289624456427872830,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1860 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1884,16386014739476196268,18289624456427872830,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1884,16386014739476196268,18289624456427872830,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2544 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,16386014739476196268,18289624456427872830,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,16386014739476196268,18289624456427872830,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,16386014739476196268,18289624456427872830,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4936 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,16386014739476196268,18289624456427872830,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4976 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1884,16386014739476196268,18289624456427872830,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4640 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,16386014739476196268,18289624456427872830,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4628 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,16386014739476196268,18289624456427872830,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3480 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1884,16386014739476196268,18289624456427872830,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3436 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1884,16386014739476196268,18289624456427872830,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4772 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,16386014739476196268,18289624456427872830,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,16386014739476196268,18289624456427872830,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1884,16386014739476196268,18289624456427872830,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3940 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,16386014739476196268,18289624456427872830,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5248 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,16386014739476196268,18289624456427872830,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4492 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,16386014739476196268,18289624456427872830,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,16386014739476196268,18289624456427872830,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5560 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,16386014739476196268,18289624456427872830,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5728 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,16386014739476196268,18289624456427872830,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5060 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,16386014739476196268,18289624456427872830,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5840 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1884,16386014739476196268,18289624456427872830,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5236 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,16386014739476196268,18289624456427872830,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6236 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1884,16386014739476196268,18289624456427872830,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6296 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1884,16386014739476196268,18289624456427872830,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6584 /prefetch:8
C:\Users\Admin\Downloads\WannaCry.EXE
"C:\Users\Admin\Downloads\WannaCry.EXE"
C:\Windows\SysWOW64\attrib.exe
attrib +h .
C:\Windows\SysWOW64\icacls.exe
icacls . /grant Everyone:F /T /C /Q
C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 234101716137007.bat
C:\Windows\SysWOW64\cscript.exe
cscript.exe //nologo m.vbs
C:\Windows\SysWOW64\attrib.exe
attrib +h +s F:\$RECYCLE
C:\Users\Admin\Downloads\@[email protected]
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /b @[email protected] vs
C:\Users\Admin\Downloads\@[email protected]
C:\Users\Admin\Downloads\TaskData\Tor\taskhsvc.exe
TaskData\Tor\taskhsvc.exe
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
C:\Users\Admin\Downloads\taskse.exe
taskse.exe C:\Users\Admin\Downloads\@[email protected]
C:\Users\Admin\Downloads\@[email protected]
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "hznvejqxthaqxq163" /t REG_SZ /d "\"C:\Users\Admin\Downloads\tasksche.exe\"" /f
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "hznvejqxthaqxq163" /t REG_SZ /d "\"C:\Users\Admin\Downloads\tasksche.exe\"" /f
C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
C:\Users\Admin\Downloads\taskse.exe
taskse.exe C:\Users\Admin\Downloads\@[email protected]
C:\Users\Admin\Downloads\@[email protected]
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,16386014739476196268,18289624456427872830,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6420 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,16386014739476196268,18289624456427872830,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,16386014739476196268,18289624456427872830,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6924 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1884,16386014739476196268,18289624456427872830,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6148 /prefetch:8
C:\Users\Admin\Downloads\taskse.exe
taskse.exe C:\Users\Admin\Downloads\@[email protected]
C:\Users\Admin\Downloads\@[email protected]
C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,16386014739476196268,18289624456427872830,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6648 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1884,16386014739476196268,18289624456427872830,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4612 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,16386014739476196268,18289624456427872830,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6964 /prefetch:1
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\Downloads\memz-master\MEMZ-master\MEMZ-Destructive.exe
"C:\Users\Admin\Downloads\memz-master\MEMZ-master\MEMZ-Destructive.exe"
C:\Users\Admin\Downloads\memz-master\MEMZ-master\MEMZ-Destructive.exe
"C:\Users\Admin\Downloads\memz-master\MEMZ-master\MEMZ-Destructive.exe" /watchdog
C:\Users\Admin\Downloads\memz-master\MEMZ-master\MEMZ-Destructive.exe
"C:\Users\Admin\Downloads\memz-master\MEMZ-master\MEMZ-Destructive.exe" /watchdog
C:\Users\Admin\Downloads\memz-master\MEMZ-master\MEMZ-Destructive.exe
"C:\Users\Admin\Downloads\memz-master\MEMZ-master\MEMZ-Destructive.exe" /watchdog
C:\Users\Admin\Downloads\memz-master\MEMZ-master\MEMZ-Destructive.exe
"C:\Users\Admin\Downloads\memz-master\MEMZ-master\MEMZ-Destructive.exe" /watchdog
C:\Users\Admin\Downloads\memz-master\MEMZ-master\MEMZ-Destructive.exe
"C:\Users\Admin\Downloads\memz-master\MEMZ-master\MEMZ-Destructive.exe" /watchdog
C:\Users\Admin\Downloads\memz-master\MEMZ-master\MEMZ-Destructive.exe
"C:\Users\Admin\Downloads\memz-master\MEMZ-master\MEMZ-Destructive.exe" /main
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\System32\notepad.exe" \note.txt
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| NL | 23.62.61.153:443 | www.bing.com | tcp |
| N/A | 224.0.0.251:5353 | udp | |
| NL | 23.62.61.139:443 | r.bing.com | tcp |
| NL | 23.62.61.139:443 | r.bing.com | tcp |
| NL | 23.62.61.147:443 | www.bing.com | tcp |
| NL | 23.62.61.147:443 | www.bing.com | tcp |
| US | 13.107.5.80:443 | services.bingapis.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 8.8.8.8:53 | camo.githubusercontent.com | udp |
| US | 185.199.109.133:443 | camo.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.109.199.185.in-addr.arpa | udp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 140.82.114.22:443 | collector.github.com | tcp |
| US | 140.82.114.22:443 | collector.github.com | tcp |
| GB | 20.26.156.210:443 | api.github.com | tcp |
| GB | 104.86.110.90:443 | tcp | |
| NL | 23.62.61.146:443 | r.bing.com | tcp |
| NL | 23.62.61.146:443 | r.bing.com | tcp |
| NL | 23.62.61.146:443 | r.bing.com | tcp |
| NL | 23.62.61.146:443 | r.bing.com | tcp |
| NL | 23.62.61.146:443 | r.bing.com | tcp |
| NL | 23.62.61.146:443 | r.bing.com | tcp |
| US | 20.189.173.15:443 | browser.pipe.aria.microsoft.com | tcp |
| GB | 20.26.156.210:443 | api.github.com | tcp |
| US | 140.82.114.22:443 | collector.github.com | tcp |
| NL | 23.62.61.146:443 | r.bing.com | tcp |
| NL | 23.62.61.146:443 | r.bing.com | tcp |
| NL | 23.62.61.112:443 | www.bing.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 185.199.109.133:443 | camo.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| N/A | 127.0.0.1:9050 | tcp | |
| N/A | 127.0.0.1:52010 | tcp | |
| GB | 178.62.86.96:9001 | tcp | |
| DE | 131.188.40.189:443 | tcp | |
| FR | 212.47.229.2:9001 | tcp | |
| DE | 144.76.201.253:4080 | tcp | |
| US | 8.8.8.8:53 | 189.40.188.131.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 253.201.76.144.in-addr.arpa | udp |
| US | 20.189.173.15:443 | browser.pipe.aria.microsoft.com | tcp |
| N/A | 127.0.0.1:9050 | tcp | |
| N/A | 127.0.0.1:9050 | tcp | |
| N/A | 127.0.0.1:9050 | tcp | |
| N/A | 127.0.0.1:9050 | tcp | |
| US | 8.8.8.8:53 | t-ring-s.msedge.net | udp |
| US | 8.8.8.8:53 | 254.42.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.246.107.13.in-addr.arpa | udp |
| NL | 23.62.61.161:443 | www.bing.com | tcp |
| NL | 23.62.61.161:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 161.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | th.bing.com | udp |
| NL | 23.62.61.72:443 | r.bing.com | tcp |
| NL | 23.62.61.72:443 | r.bing.com | tcp |
| NL | 23.62.61.56:443 | th.bing.com | tcp |
| NL | 23.62.61.56:443 | th.bing.com | tcp |
| US | 8.8.8.8:53 | www.youtube.com | udp |
| US | 8.8.8.8:53 | 72.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | s28667145.weebly.com | udp |
| US | 74.115.51.8:443 | s28667145.weebly.com | tcp |
| US | 74.115.51.8:443 | s28667145.weebly.com | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| US | 2.18.190.81:80 | apps.identrust.com | tcp |
| US | 8.8.8.8:53 | cdn2.editmysite.com | udp |
| US | 8.8.8.8:53 | ajax.googleapis.com | udp |
| US | 8.8.8.8:53 | 81.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.51.115.74.in-addr.arpa | udp |
| US | 151.101.1.46:443 | cdn2.editmysite.com | tcp |
| US | 151.101.1.46:443 | cdn2.editmysite.com | tcp |
| US | 151.101.1.46:443 | cdn2.editmysite.com | tcp |
| US | 151.101.1.46:443 | cdn2.editmysite.com | tcp |
| US | 151.101.1.46:443 | cdn2.editmysite.com | tcp |
| US | 151.101.1.46:443 | cdn2.editmysite.com | tcp |
| GB | 216.58.201.106:443 | ajax.googleapis.com | tcp |
| US | 8.8.8.8:53 | fast.fonts.net | udp |
| US | 104.16.41.28:443 | fast.fonts.net | tcp |
| US | 151.101.1.46:443 | cdn2.editmysite.com | udp |
| US | 8.8.8.8:53 | smweebly.pixelbits.io | udp |
| US | 45.79.99.181:443 | smweebly.pixelbits.io | tcp |
| US | 45.79.99.181:443 | smweebly.pixelbits.io | tcp |
| US | 8.8.8.8:53 | ssl.google-analytics.com | udp |
| US | 8.8.8.8:53 | 46.1.101.151.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 106.201.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 226.21.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.201.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.41.16.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.204.58.216.in-addr.arpa | udp |
| GB | 142.250.187.200:443 | ssl.google-analytics.com | tcp |
| N/A | 127.0.0.1:9050 | tcp | |
| US | 74.115.51.8:443 | s28667145.weebly.com | tcp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 704d4cabea796e63d81497ab24b05379 |
| SHA1 | b4d01216a6985559bd4b6d193ed1ec0f93b15ff8 |
| SHA256 | 3db2f8ac0fb3889fcf383209199e35ac8380cf1b78714fc5900df247ba324d26 |
| SHA512 | 0f4803b7b7396a29d43d40f971701fd1af12d82f559dcfd25e0ca9cc8868a182acba7b28987142c1f003efd7dd22e474ac4c8f01fe73725b3618a7bf3e77801d |
\??\pipe\LOCAL\crashpad_2064_TTKWBBXTWNNDMMEK
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | de47c3995ae35661b0c60c1f1d30f0ab |
| SHA1 | 6634569b803dc681dc068de3a3794053fa68c0ca |
| SHA256 | 4d063bb78bd4fa86cee3d393dd31a08cab05e3539d31ca9f0a294df754cd00c7 |
| SHA512 | 852a9580564fd4c53a9982ddf36a5679dbdce55d445b979001b4d97d60a9a688e532821403322c88acc42f6b7fa9cc5e964a79cbe142a96cbe0f5612fe1d61cb |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | caadb18a686e0972f5aedb4b5f072177 |
| SHA1 | 35de04a9e27cce86dabf5729f947306e802f58f9 |
| SHA256 | 021b3138ccfb6741b60a9d32bf2a589cb2be0f81a4a513f814e7365f34316fa7 |
| SHA512 | 70722390bae3ff6121446daabe3b1bb378c1baff809571cc78744973b541c658fa0566697009efe8aa31d373c7644ab73c28582f7463705674d55e262634035a |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 379ffedbb320c8a1b6185d7339b28f42 |
| SHA1 | 6ad2ebe34bf12a7c11383ca46cee6fd0ce507fed |
| SHA256 | eb15dbe2c218fb168a7d3cdbd5c93f4082055fad901b61c0729ff36463d55127 |
| SHA512 | 1a82a577ca4ed766a33641caa8026dd1d5928358a96e18b73c89547d3a3f95fb180161be40fc1a6ed4f7d47e08f940505117ccfb1fbbc409165e1bd599cd3169 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 61803835d8f3578a4077f0d3a1d3b6cb |
| SHA1 | 763e92f1a741021bb24845c49f270e7b0b2f67e6 |
| SHA256 | e849d1b8a59c2ceaa9c564f3dbbf7f348b8b2c94c578a2fada3adec3a7c9f8ef |
| SHA512 | 4b351b92fbf0f24facb814e3e0749336773dd8bdb639bba7ca97f094704d6dd9cb38d2b06763943d7798d433fa06c75d02f1445a8683202c71030df9ea84135d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004
| MD5 | aac57f6f587f163486628b8860aa3637 |
| SHA1 | b1b51e14672caae2361f0e2c54b72d1107cfce54 |
| SHA256 | 0cda72f2d9b6f196897f58d5de1fe1b43424ce55701eac625e591a0fd4ce7486 |
| SHA512 | 0622796aab85764434e30cbe78b4e80e129443744dd13bc376f7a124ed04863c86bb1dcd5222bb1814f6599accbd45c9ee2b983da6c461b68670ae59141a6c1a |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003
| MD5 | 395699fc7fc3283d3bade75dbffa446e |
| SHA1 | c9474c5a587fbd3a25c0992f1dfe7946e3b7abba |
| SHA256 | a184c8951b524d5a22d7bca69a0d775523e8c095d158f80ac4415d87d17acd1c |
| SHA512 | 70749ca5fc0cc5b9b85d13ecde89ffffbc1af7b36a650be842ff303b0ed0ef49e8d9f3edb91324d42462446b882b2558abff235f42e300226e491432196ba8fa |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005
| MD5 | 2e86a72f4e82614cd4842950d2e0a716 |
| SHA1 | d7b4ee0c9af735d098bff474632fc2c0113e0b9c |
| SHA256 | c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f |
| SHA512 | 7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002
| MD5 | d6b36c7d4b06f140f860ddc91a4c659c |
| SHA1 | ccf16571637b8d3e4c9423688c5bd06167bfb9e9 |
| SHA256 | 34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92 |
| SHA512 | 2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006
| MD5 | 56d57bc655526551f217536f19195495 |
| SHA1 | 28b430886d1220855a805d78dc5d6414aeee6995 |
| SHA256 | f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4 |
| SHA512 | 7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 206702161f94c5cd39fadd03f4014d98 |
| SHA1 | bd8bfc144fb5326d21bd1531523d9fb50e1b600a |
| SHA256 | 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167 |
| SHA512 | 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007
| MD5 | b38fbbd0b5c8e8b4452b33d6f85df7dc |
| SHA1 | 386ba241790252df01a6a028b3238de2f995a559 |
| SHA256 | b18b9eb934a5b3b81b16c66ec3ec8e8fecdb3d43550ce050eb2523aabc08b9cd |
| SHA512 | 546ca9fb302bf28e3a178e798dd6b80c91cba71d0467257b8ed42e4f845aa6ecb858f718aac1e0865b791d4ecf41f1239081847c75c6fb3e9afd242d3704ad16 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008
| MD5 | 153d9573f0f824b040ac13793d95e406 |
| SHA1 | f8a73c205962012c4fa5b93ccbc77d7b1be3b5d8 |
| SHA256 | c70c12b65715e837682baf0eea8ff99a7531d9036b0b5a9d640def85df92d016 |
| SHA512 | 5e0f64f8d333be4fff5b869952fe18f3189d6af97bfce10aad8acae96153b790108351083f1b80c40d76cebdca35e5d7e0f3371c588a02c74e6ea0055a3d2b20 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | adebe5e807183e5ce4ef847dad8d4e7a |
| SHA1 | 52eb02f7d99f60dcdd911a3da64faebfb0df64ac |
| SHA256 | c1f762dd73318ce7d535a240dca774f363a67dcfd0a7a2d4e416595b3749c036 |
| SHA512 | 00d2ee14c49f9b5b28be92f5788677ee1bf13ef16647896def8d17a781b67b521b2210d85cf5b7b7622bd63e75bbde15a6f281972d36083a92a659775c1fca7b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 0da3aa65c238307554c58684d068eab4 |
| SHA1 | d16bc2eff5370ce64f26fa5c45b2c99f3cd28409 |
| SHA256 | c132d76fb45e6d9ea0973a777c52b65b8e62517e8bc140bed2f0c16bfbf1c3f0 |
| SHA512 | 773aa113792237d739a6375f61e5bbf16580119ff4aee4a79261a222f1f25f33a55969bdf0b1096e582ca0bc1855779c89644f299da475521f742ef077610691 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe594fbc.TMP
| MD5 | 6c520b528dca3f5affc2caa410f4cac7 |
| SHA1 | 283743b9fbca012bafd1c4a18a82d1e2aff3c8df |
| SHA256 | 54532d550d2df1a074bdb254322fa27cd137ba30a8d28a671f6d4a29641a7113 |
| SHA512 | 4e01fd76289b5dce66bd7d1695afeb7786709e3b0cefa79de1b33a6e6e09d98c62b42161db62ab3362a34b34cb80307dc32cb7a2f1bdc3c661e07226d01973fa |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | b9b8e0ff849cbc505e182876f1de2606 |
| SHA1 | a842cca5046bf2031f4b5a5771982cf025594ca6 |
| SHA256 | d3378ff3e15821bdd637d92e954ce209b91f0df2c7851d6c3cd8b74463b81f1f |
| SHA512 | 4b75209b73278c66d376318b77dd8bcca999a0720dba9cf3215ff6d38fee07d47693a0c1732b1992fabcaf39f2b46988f73759a0cff661aa877171dd630ac83d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 1d7bb9ff9c69ab7a7b61f5fdc8fa6e58 |
| SHA1 | 1ca7a13d90e13ce95a9095eb2e1fdaaa20852851 |
| SHA256 | 708b4f5b933ea6f8695d8aeb88dca04a4c32abb709c77315d3c1b8668069cc06 |
| SHA512 | b1ef050434ce0828bba291a5542e17087546c75b61c42d7017280789815c61b7e06f543469b597ea6dd22026ba75b8e703a9434cadcdd3c7f0a4e3cad4905f8b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 3b9ba838feb3add87a3e7a4ef9ccae1a |
| SHA1 | 5a10b6280eb22a1e3e90689543e81ef51270fb9c |
| SHA256 | 89aae101e3643c89bcef6ddfb3154602bde7ca5ce55ff3c505fe928f56c4b7bf |
| SHA512 | 000d31026298455115dd6529c1906cfee617ff6a6db1b54f0fd5f3d29bc152743368497838bb7db36de5a22106f6ac6f498ea6ab5329d30e471c2cacd1f4faab |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 1a122163f14b9d6658036b93264b28f1 |
| SHA1 | d403a524f18e0ca2e1016a8c48be0dea7cfe2a8e |
| SHA256 | 9d69b1bd37f12de308749ff9e43dfc46243ce8f42532512370bbf8d642dbe694 |
| SHA512 | 406bb674744f026bd620a3252491e136a1173c52d15dac0240136465cbd98f67d565728fbf4f939ed4666acb15913e6e3b8183f2cbf99d4461a252e63584e62c |
C:\Users\Admin\Downloads\WannaCry.EXE
| MD5 | 84c82835a5d21bbcf75a61706d8ab549 |
| SHA1 | 5ff465afaabcbf0150d1a3ab2c2e74f3a4426467 |
| SHA256 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa |
| SHA512 | 90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244 |
C:\Users\Admin\Downloads\WannaCry.EXE:Zone.Identifier
| MD5 | c468d761bfd63f03014b7e7440e6bfb7 |
| SHA1 | 4b6052dcc9353864064d355f2e6a90b439c427fb |
| SHA256 | 633f8ca368d31807fb9c154a6bbab475ac05a6587824bbfe013274270ed20c6e |
| SHA512 | b8ca48bc2ae7b8503a4707777d9ee385986a1c066b989cbef6fa43da83c10d0a54cc58b9db390b2646c1ff3e0025de0307c1de05daad4a439513a3410a70f650 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | d8c409eb1ce4fd793fc2f68cca5bde99 |
| SHA1 | fe94c9a71886e4f39a1f0bdfe8ca6a8461d71311 |
| SHA256 | 6e7842256fbae1fed59595938711f23fa22625abcd425a957276c4f7e7cfe373 |
| SHA512 | cd317c9d4e3d53960df39ba33fd4ce789db8d315a483541d046964732358a55d95d92e1e792dcc05593e55acd33dce48e1f5f72516a17ebad73897c82b908c3c |
C:\Users\Admin\Downloads\msg\m_finnish.wnry
| MD5 | 35c2f97eea8819b1caebd23fee732d8f |
| SHA1 | e354d1cc43d6a39d9732adea5d3b0f57284255d2 |
| SHA256 | 1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e |
| SHA512 | 908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf |
memory/2852-711-0x0000000010000000-0x0000000010010000-memory.dmp
C:\Users\Admin\Downloads\u.wnry
| MD5 | 7bf2b57f2a205768755c07f238fb32cc |
| SHA1 | 45356a9dd616ed7161a3b9192e2f318d0ab5ad10 |
| SHA256 | b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25 |
| SHA512 | 91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9 |
C:\Users\Admin\Downloads\taskse.exe
| MD5 | 8495400f199ac77853c53b5a3f278f3e |
| SHA1 | be5d6279874da315e3080b06083757aad9b32c23 |
| SHA256 | 2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d |
| SHA512 | 0669c524a295a049fa4629b26f89788b2a74e1840bcdc50e093a0bd40830dd1279c9597937301c0072db6ece70adee4ace67c3c8a4fb2db6deafd8f1e887abe4 |
C:\Users\Admin\Downloads\taskdl.exe
| MD5 | 4fef5e34143e646dbf9907c4374276f5 |
| SHA1 | 47a9ad4125b6bd7c55e4e7da251e23f089407b8f |
| SHA256 | 4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79 |
| SHA512 | 4550dd1787deb353ebd28363dd2cdccca861f6a5d9358120fa6aa23baa478b2a9eb43cef5e3f6426f708a0753491710ac05483fac4a046c26bec4234122434d5 |
C:\Users\Admin\Downloads\t.wnry
| MD5 | 5dcaac857e695a65f5c3ef1441a73a8f |
| SHA1 | 7b10aaeee05e7a1efb43d9f837e9356ad55c07dd |
| SHA256 | 97ebce49b14c46bebc9ec2448d00e1e397123b256e2be9eba5140688e7bc0ae6 |
| SHA512 | 06eb5e49d19b71a99770d1b11a5bb64a54bf3352f36e39a153469e54205075c203b08128dc2317259db206ab5323bdd93aaa252a066f57fb5c52ff28deedb5e2 |
C:\Users\Admin\Downloads\s.wnry
| MD5 | ad4c9de7c8c40813f200ba1c2fa33083 |
| SHA1 | d1af27518d455d432b62d73c6a1497d032f6120e |
| SHA256 | e18fdd912dfe5b45776e68d578c3af3547886cf1353d7086c8bee037436dff4b |
| SHA512 | 115733d08e5f1a514808a20b070db7ff453fd149865f49c04365a8c6502fa1e5c3a31da3e21f688ab040f583cf1224a544aea9708ffab21405dde1c57f98e617 |
C:\Users\Admin\Downloads\r.wnry
| MD5 | 3e0020fc529b1c2a061016dd2469ba96 |
| SHA1 | c3a91c22b63f6fe709e7c29cafb29a2ee83e6ade |
| SHA256 | 402751fa49e0cb68fe052cb3db87b05e71c1d950984d339940cf6b29409f2a7c |
| SHA512 | 5ca3c134201ed39d96d72911c0498bae6f98701513fd7f1dc8512819b673f0ea580510fa94ed9413ccc73da18b39903772a7cbfa3478176181cee68c896e14cf |
C:\Users\Admin\Downloads\msg\m_vietnamese.wnry
| MD5 | 8419be28a0dcec3f55823620922b00fa |
| SHA1 | 2e4791f9cdfca8abf345d606f313d22b36c46b92 |
| SHA256 | 1f21838b244c80f8bed6f6977aa8a557b419cf22ba35b1fd4bf0f98989c5bdf8 |
| SHA512 | 8fca77e54480aea3c0c7a705263ed8fb83c58974f5f0f62f12cc97c8e0506ba2cdb59b70e59e9a6c44dd7cde6adeeec35b494d31a6a146ff5ba7006136ab9386 |
C:\Users\Admin\Downloads\msg\m_turkish.wnry
| MD5 | 531ba6b1a5460fc9446946f91cc8c94b |
| SHA1 | cc56978681bd546fd82d87926b5d9905c92a5803 |
| SHA256 | 6db650836d64350bbde2ab324407b8e474fc041098c41ecac6fd77d632a36415 |
| SHA512 | ef25c3cf4343df85954114f59933c7cc8107266c8bcac3b5ea7718eb74dbee8ca8a02da39057e6ef26b64f1dfccd720dd3bf473f5ae340ba56941e87d6b796c9 |
C:\Users\Admin\Downloads\msg\m_swedish.wnry
| MD5 | c7a19984eb9f37198652eaf2fd1ee25c |
| SHA1 | 06eafed025cf8c4d76966bf382ab0c5e1bd6a0ae |
| SHA256 | 146f61db72297c9c0facffd560487f8d6a2846ecec92ecc7db19c8d618dbc3a4 |
| SHA512 | 43dd159f9c2eac147cbff1dda83f6a83dd0c59d2d7acac35ba8b407a04ec9a1110a6a8737535d060d100ede1cb75078cf742c383948c9d4037ef459d150f6020 |
C:\Users\Admin\Downloads\msg\m_spanish.wnry
| MD5 | 8d61648d34cba8ae9d1e2a219019add1 |
| SHA1 | 2091e42fc17a0cc2f235650f7aad87abf8ba22c2 |
| SHA256 | 72f20024b2f69b45a1391f0a6474e9f6349625ce329f5444aec7401fe31f8de1 |
| SHA512 | 68489c33ba89edfe2e3aebaacf8ef848d2ea88dcbef9609c258662605e02d12cfa4ffdc1d266fc5878488e296d2848b2cb0bbd45f1e86ef959bab6162d284079 |
C:\Users\Admin\Downloads\msg\m_slovak.wnry
| MD5 | c911aba4ab1da6c28cf86338ab2ab6cc |
| SHA1 | fee0fd58b8efe76077620d8abc7500dbfef7c5b0 |
| SHA256 | e64178e339c8e10eac17a236a67b892d0447eb67b1dcd149763dad6fd9f72729 |
| SHA512 | 3491ed285a091a123a1a6d61aafbb8d5621ccc9e045a237a2f9c2cf6049e7420eb96ef30fdcea856b50454436e2ec468770f8d585752d73fafd676c4ef5e800a |
C:\Users\Admin\Downloads\msg\m_russian.wnry
| MD5 | 452615db2336d60af7e2057481e4cab5 |
| SHA1 | 442e31f6556b3d7de6eb85fbac3d2957b7f5eac6 |
| SHA256 | 02932052fafe97e6acaaf9f391738a3a826f5434b1a013abbfa7a6c1ade1e078 |
| SHA512 | 7613dc329abe7a3f32164c9a6b660f209a84b774ab9c008bf6503c76255b30ea9a743a6dc49a8de8df0bcb9aea5a33f7408ba27848d9562583ff51991910911f |
C:\Users\Admin\Downloads\msg\m_romanian.wnry
| MD5 | 313e0ececd24f4fa1504118a11bc7986 |
| SHA1 | e1b9ae804c7fb1d27f39db18dc0647bb04e75e9d |
| SHA256 | 70c0f32ed379ae899e5ac975e20bbbacd295cf7cd50c36174d2602420c770ac1 |
| SHA512 | c7500363c61baf8b77fce796d750f8f5e6886ff0a10f81c3240ea3ad4e5f101b597490dea8ab6bd9193457d35d8fd579fce1b88a1c8d85ebe96c66d909630730 |
C:\Users\Admin\Downloads\msg\m_portuguese.wnry
| MD5 | fa948f7d8dfb21ceddd6794f2d56b44f |
| SHA1 | ca915fbe020caa88dd776d89632d7866f660fc7a |
| SHA256 | bd9f4b3aedf4f81f37ec0a028aabcb0e9a900e6b4de04e9271c8db81432e2a66 |
| SHA512 | 0d211bfb0ae953081dca00cd07f8c908c174fd6c47a8001fadc614203f0e55d9fbb7fa9b87c735d57101341ab36af443918ee00737ed4c19ace0a2b85497f41a |
C:\Users\Admin\Downloads\msg\m_polish.wnry
| MD5 | e79d7f2833a9c2e2553c7fe04a1b63f4 |
| SHA1 | 3d9f56d2381b8fe16042aa7c4feb1b33f2baebff |
| SHA256 | 519ad66009a6c127400c6c09e079903223bd82ecc18ad71b8e5cd79f5f9c053e |
| SHA512 | e0159c753491cac7606a7250f332e87bc6b14876bc7a1cf5625fa56ab4f09c485f7b231dd52e4ff0f5f3c29862afb1124c0efd0741613eb97a83cbe2668af5de |
C:\Users\Admin\Downloads\msg\m_norwegian.wnry
| MD5 | ff70cc7c00951084175d12128ce02399 |
| SHA1 | 75ad3b1ad4fb14813882d88e952208c648f1fd18 |
| SHA256 | cb5da96b3dfcf4394713623dbf3831b2a0b8be63987f563e1c32edeb74cb6c3a |
| SHA512 | f01df3256d49325e5ec49fd265aa3f176020c8ffec60eb1d828c75a3fa18ff8634e1de824d77dfdd833768acff1f547303104620c70066a2708654a07ef22e19 |
C:\Users\Admin\Downloads\msg\m_latvian.wnry
| MD5 | c33afb4ecc04ee1bcc6975bea49abe40 |
| SHA1 | fbea4f170507cde02b839527ef50b7ec74b4821f |
| SHA256 | a0356696877f2d94d645ae2df6ce6b370bd5c0d6db3d36def44e714525de0536 |
| SHA512 | 0d435f0836f61a5ff55b78c02fa47b191e5807a79d8a6e991f3115743df2141b3db42ba8bdad9ad259e12f5800828e9e72d7c94a6a5259312a447d669b03ec44 |
C:\Users\Admin\Downloads\msg\m_korean.wnry
| MD5 | 6735cb43fe44832b061eeb3f5956b099 |
| SHA1 | d636daf64d524f81367ea92fdafa3726c909bee1 |
| SHA256 | 552aa0f82f37c9601114974228d4fc54f7434fe3ae7a276ef1ae98a0f608f1d0 |
| SHA512 | 60272801909dbba21578b22c49f6b0ba8cd0070f116476ff35b3ac8347b987790e4cc0334724244c4b13415a246e77a577230029e4561ae6f04a598c3f536c7e |
C:\Users\Admin\Downloads\msg\m_japanese.wnry
| MD5 | b77e1221f7ecd0b5d696cb66cda1609e |
| SHA1 | 51eb7a254a33d05edf188ded653005dc82de8a46 |
| SHA256 | 7e491e7b48d6e34f916624c1cda9f024e86fcbec56acda35e27fa99d530d017e |
| SHA512 | f435fd67954787e6b87460db026759410fbd25b2f6ea758118749c113a50192446861a114358443a129be817020b50f21d27b1ebd3d22c7be62082e8b45223fc |
C:\Users\Admin\Downloads\msg\m_italian.wnry
| MD5 | 30a200f78498990095b36f574b6e8690 |
| SHA1 | c4b1b3c087bd12b063e98bca464cd05f3f7b7882 |
| SHA256 | 49f2c739e7d9745c0834dc817a71bf6676ccc24a4c28dcddf8844093aab3df07 |
| SHA512 | c0da2aae82c397f6943a0a7b838f60eeef8f57192c5f498f2ecf05db824cfeb6d6ca830bf3715da7ee400aa8362bd64dc835298f3f0085ae7a744e6e6c690511 |
C:\Users\Admin\Downloads\msg\m_indonesian.wnry
| MD5 | 3788f91c694dfc48e12417ce93356b0f |
| SHA1 | eb3b87f7f654b604daf3484da9e02ca6c4ea98b7 |
| SHA256 | 23e5e738aad10fb8ef89aa0285269aff728070080158fd3e7792fe9ed47c51f4 |
| SHA512 | b7dd9e6dc7c2d023ff958caf132f0544c76fae3b2d8e49753257676cc541735807b4befdf483bcae94c2dcde3c878c783b4a89dca0fecbc78f5bbf7c356f35cd |
C:\Users\Admin\Downloads\msg\m_greek.wnry
| MD5 | fb4e8718fea95bb7479727fde80cb424 |
| SHA1 | 1088c7653cba385fe994e9ae34a6595898f20aeb |
| SHA256 | e13cc9b13aa5074dc45d50379eceb17ee39a0c2531ab617d93800fe236758ca9 |
| SHA512 | 24db377af1569e4e2b2ebccec42564cea95a30f1ff43bcaf25a692f99567e027bcef4aacef008ec5f64ea2eef0c04be88d2b30bcadabb3919b5f45a6633940cb |
C:\Users\Admin\Downloads\msg\m_german.wnry
| MD5 | 3d59bbb5553fe03a89f817819540f469 |
| SHA1 | 26781d4b06ff704800b463d0f1fca3afd923a9fe |
| SHA256 | 2adc900fafa9938d85ce53cb793271f37af40cf499bcc454f44975db533f0b61 |
| SHA512 | 95719ae80589f71209bb3cb953276538040e7111b994d757b0a24283aefe27aadbbe9eef3f1f823ce4cabc1090946d4a2a558607ac6cac6faca5971529b34dac |
C:\Users\Admin\Downloads\msg\m_french.wnry
| MD5 | 4e57113a6bf6b88fdd32782a4a381274 |
| SHA1 | 0fccbc91f0f94453d91670c6794f71348711061d |
| SHA256 | 9bd38110e6523547aed50617ddc77d0920d408faeed2b7a21ab163fda22177bc |
| SHA512 | 4f1918a12269c654d44e9d394bc209ef0bc32242be8833a2fba437b879125177e149f56f2fb0c302330dec328139b34982c04b3fefb045612b6cc9f83ec85aa9 |
C:\Users\Admin\Downloads\msg\m_filipino.wnry
| MD5 | 08b9e69b57e4c9b966664f8e1c27ab09 |
| SHA1 | 2da1025bbbfb3cd308070765fc0893a48e5a85fa |
| SHA256 | d8489f8c16318e524b45de8b35d7e2c3cd8ed4821c136f12f5ef3c9fc3321324 |
| SHA512 | 966b5ed68be6b5ccd46e0de1fa868cfe5432d9bf82e1e2f6eb99b2aef3c92f88d96f4f4eec5e16381b9c6db80a68071e7124ca1474d664bdd77e1817ec600cb4 |
C:\Users\Admin\Downloads\msg\m_english.wnry
| MD5 | fe68c2dc0d2419b38f44d83f2fcf232e |
| SHA1 | 6c6e49949957215aa2f3dfb72207d249adf36283 |
| SHA256 | 26fd072fda6e12f8c2d3292086ef0390785efa2c556e2a88bd4673102af703e5 |
| SHA512 | 941fa0a1f6a5756ed54260994db6158a7ebeb9e18b5c8ca2f6530c579bc4455918df0b38c609f501ca466b3cc067b40e4b861ad6513373b483b36338ae20a810 |
C:\Users\Admin\Downloads\msg\m_dutch.wnry
| MD5 | 7a8d499407c6a647c03c4471a67eaad7 |
| SHA1 | d573b6ac8e7e04a05cbbd6b7f6a9842f371d343b |
| SHA256 | 2c95bef914da6c50d7bdedec601e589fbb4fda24c4863a7260f4f72bd025799c |
| SHA512 | 608ef3ff0a517fe1e70ff41aeb277821565c5a9bee5103aa5e45c68d4763fce507c2a34d810f4cd242d163181f8341d9a69e93fe32aded6fbc7f544c55743f12 |
C:\Users\Admin\Downloads\msg\m_danish.wnry
| MD5 | 2c5a3b81d5c4715b7bea01033367fcb5 |
| SHA1 | b548b45da8463e17199daafd34c23591f94e82cd |
| SHA256 | a75bb44284b9db8d702692f84909a7e23f21141866adf3db888042e9109a1cb6 |
| SHA512 | 490c5a892fac801b853c348477b1140755d4c53ca05726ac19d3649af4285c93523393a3667e209c71c80ac06ffd809f62dd69ae65012dcb00445d032f1277b3 |
C:\Users\Admin\Downloads\msg\m_czech.wnry
| MD5 | 537efeecdfa94cc421e58fd82a58ba9e |
| SHA1 | 3609456e16bc16ba447979f3aa69221290ec17d0 |
| SHA256 | 5afa4753afa048c6d6c39327ce674f27f5f6e5d3f2a060b7a8aed61725481150 |
| SHA512 | e007786ffa09ccd5a24e5c6504c8de444929a2faaafad3712367c05615b7e1b0fbf7fbfff7028ed3f832ce226957390d8bf54308870e9ed597948a838da1137b |
C:\Users\Admin\Downloads\msg\m_croatian.wnry
| MD5 | 17194003fa70ce477326ce2f6deeb270 |
| SHA1 | e325988f68d327743926ea317abb9882f347fa73 |
| SHA256 | 3f33734b2d34cce83936ce99c3494cd845f1d2c02d7f6da31d42dfc1ca15a171 |
| SHA512 | dcf4ccf0b352a8b271827b3b8e181f7d6502ca0f8c9dda3dc6e53441bb4ae6e77b49c9c947cc3ede0bf323f09140a0c068a907f3c23ea2a8495d1ad96820051c |
C:\Users\Admin\Downloads\msg\m_chinese (traditional).wnry
| MD5 | 2efc3690d67cd073a9406a25005f7cea |
| SHA1 | 52c07f98870eabace6ec370b7eb562751e8067e9 |
| SHA256 | 5c7f6ad1ec4bc2c8e2c9c126633215daba7de731ac8b12be10ca157417c97f3a |
| SHA512 | 0766c58e64d9cda5328e00b86f8482316e944aa2c26523a3c37289e22c34be4b70937033bebdb217f675e40db9fecdce0a0d516f9065a170e28286c2d218487c |
C:\Users\Admin\Downloads\msg\m_chinese (simplified).wnry
| MD5 | 0252d45ca21c8e43c9742285c48e91ad |
| SHA1 | 5c14551d2736eef3a1c1970cc492206e531703c1 |
| SHA256 | 845d0e178aeebd6c7e2a2e9697b2bf6cf02028c50c288b3ba88fe2918ea2834a |
| SHA512 | 1bfcf6c0e7c977d777f12bd20ac347630999c4d99bd706b40de7ff8f2f52e02560d68093142cc93722095657807a1480ce3fb6a2e000c488550548c497998755 |
C:\Users\Admin\Downloads\msg\m_bulgarian.wnry
| MD5 | 95673b0f968c0f55b32204361940d184 |
| SHA1 | 81e427d15a1a826b93e91c3d2fa65221c8ca9cff |
| SHA256 | 40b37e7b80cf678d7dd302aaf41b88135ade6ddf44d89bdba19cf171564444bd |
| SHA512 | 7601f1883edbb4150a9dc17084012323b3bfa66f6d19d3d0355cf82b6a1c9dce475d758da18b6d17a8b321bf6fca20915224dbaedcb3f4d16abfaf7a5fc21b92 |
C:\Users\Admin\Downloads\c.wnry
| MD5 | 93f33b83f1f263e2419006d6026e7bc1 |
| SHA1 | 1a4b36c56430a56af2e0ecabd754bf00067ce488 |
| SHA256 | ef0ed0b717d1b956eb6c42ba1f4fd2283cf7c8416bed0afd1e8805ee0502f2b4 |
| SHA512 | 45bdd1a9a3118ee4d3469ee65a7a8fdb0f9315ca417821db058028ffb0ed145209f975232a9e64aba1c02b9664c854232221eb041d09231c330ae510f638afac |
C:\Users\Admin\Downloads\b.wnry
| MD5 | c17170262312f3be7027bc2ca825bf0c |
| SHA1 | f19eceda82973239a1fdc5826bce7691e5dcb4fb |
| SHA256 | d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa |
| SHA512 | c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c |
C:\Users\Admin\Downloads\@[email protected]
| MD5 | 7e6b6da7c61fcb66f3f30166871def5b |
| SHA1 | 00f699cf9bbc0308f6e101283eca15a7c566d4f9 |
| SHA256 | 4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e |
| SHA512 | e5a56137f325904e0c7de1d0df38745f733652214f0cdb6ef173fa0743a334f95bed274df79469e270c9208e6bdc2e6251ef0cdd81af20fa1897929663e2c7d3 |
C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\@[email protected]
| MD5 | 43bda79f57c9485cf36f7f3eb2c13114 |
| SHA1 | 279feafc5871c1a58f1aba1e279a72b46ddcd513 |
| SHA256 | c6ef1de65bc79c571fcea85bc7ff6e6360db8ee7cd3527baa7ce9f1951e54b0d |
| SHA512 | a2fe61f170aab40d45e3e3f5e58447898310e1aedb5b64a52d3b43aec55cc4d903b4d4f63e831cffa753026f28c4670f31efe79699c2acccf2c52ee26e9fabb2 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 13ff7df86d2f74d85e6809c87e3277ff |
| SHA1 | 099df0a6d1f0ac181c2adf21c95f173463f6c274 |
| SHA256 | 8d2f6db18bb8c1563a371e18fa280f98ce576ccc95b3fa2f680ba8f2471c381b |
| SHA512 | 4e3c3154bad794bd63556220e0195b78f6a42a505be0f94e80a3aad3811e9f0bdc769469d6d5c42cc0d6d713d366951745acf4a01ea0c38584511b910bab9430 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 279346be285768b075c6a4da936a278e |
| SHA1 | f8b1b572dfe1b9933d10d7332d45b83356b097ce |
| SHA256 | 0366063ae65217913ac693c16a15c8a76c370aa578d23a8011c0b67d804f2233 |
| SHA512 | 437a31490cda0061a36aa2867fdf60a4e4800cf50db1b79cfe8ce336a26363fbe4d930bbfe0cb50b112e49e31c2b9d76e5393eb56c7962967020417decc0b548 |
C:\Users\Admin\Downloads\TaskData\Tor\tor.exe
| MD5 | fe7eb54691ad6e6af77f8a9a0b6de26d |
| SHA1 | 53912d33bec3375153b7e4e68b78d66dab62671a |
| SHA256 | e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb |
| SHA512 | 8ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 90fad46a02cf5c83e947e7381f0f70af |
| SHA1 | ec988555f166be37b11f73b589aa4c1a8afc0021 |
| SHA256 | 53f84b0c584735beddd2b4b8e881ed88fe00be4a5471b40b2f3bc4a371135438 |
| SHA512 | 029cb0c4c10d652d81272c9fdd4d08ecf82477148ca0a534d8ac8f94724f71b09ebd5409696726e60e887a682c2a32aeb3961696df6938126088dc7018d20650 |
memory/1664-2194-0x0000000073780000-0x0000000073802000-memory.dmp
memory/1664-2197-0x0000000073400000-0x0000000073422000-memory.dmp
memory/1664-2196-0x0000000073650000-0x00000000736D2000-memory.dmp
memory/1664-2195-0x0000000073430000-0x000000007364C000-memory.dmp
memory/1664-2198-0x00000000002C0000-0x00000000005BE000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 80f8d587ba56aa3be9518e536171d0dd |
| SHA1 | f61abc79782d227a1bdf4078dae333a26efc0a20 |
| SHA256 | 81445d54a5f64e00cf9e7a768a728622ac8adb9181a2610fa66855c8cb0f6905 |
| SHA512 | 815faf8dff48ae4e336bb1c3388a264e6eb9cbcf6243fff896587757ae0c8dfdbad15c0e8f158f4fa378a6d3374d4c0fad7a6c1a10313cfe60d1f6f451d1092a |
memory/1664-2220-0x00000000002C0000-0x00000000005BE000-memory.dmp
memory/1664-2226-0x0000000073400000-0x0000000073422000-memory.dmp
memory/1664-2225-0x0000000073430000-0x000000007364C000-memory.dmp
memory/1664-2224-0x0000000073650000-0x00000000736D2000-memory.dmp
memory/1664-2223-0x00000000736E0000-0x0000000073757000-memory.dmp
memory/1664-2222-0x0000000073760000-0x000000007377C000-memory.dmp
memory/1664-2221-0x0000000073780000-0x0000000073802000-memory.dmp
memory/1664-2230-0x00000000002C0000-0x00000000005BE000-memory.dmp
memory/1664-2238-0x00000000002C0000-0x00000000005BE000-memory.dmp
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new
| MD5 | 9b00ab437a639d849acff856271fa90c |
| SHA1 | 7ecf04b2f145995430cb9e9c770ab885059e1fea |
| SHA256 | bc9a8e68c519276d5d5f5918ce5e340436e20e07ce0cf6509ebb68e57fb3e5e0 |
| SHA512 | c2f513ca3fbcc55540aace6d5407329e30041a956ea52ace0f3bb64da465e4beee27907c92c07304b63258314543e858ca514240a4b2c8513c3fcc0353740318 |
memory/1664-2263-0x00000000002C0000-0x00000000005BE000-memory.dmp
memory/1664-2268-0x0000000073430000-0x000000007364C000-memory.dmp
memory/1664-2308-0x00000000002C0000-0x00000000005BE000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | a597da8048b9d6a13859023f2aa6a2c5 |
| SHA1 | cfa3e52c415059d7f69d74c165807cc823f1386b |
| SHA256 | 154eee682db88c78b522569b71376a458b6b2bdde21f77128d1290dc628bdab7 |
| SHA512 | dc0ada35a675e7e4c45e33e0ab790c59f2f9df31e940a4d77a27ddfb4e33c45b7eda1684f816b6be358b71c68a6bcfbe66e8b092da7940b8f9ed1c0dbb7c95d9 |
memory/1664-2326-0x00000000002C0000-0x00000000005BE000-memory.dmp
memory/1664-2334-0x00000000002C0000-0x00000000005BE000-memory.dmp
memory/1664-2339-0x0000000073430000-0x000000007364C000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009
| MD5 | 3cd0f2f60ab620c7be0c2c3dbf2cda97 |
| SHA1 | 47fad82bfa9a32d578c0c84aed2840c55bd27bfb |
| SHA256 | 29a3b99e23b07099e1d2a3c0b4cff458a2eba2519f4654c26cf22d03f149e36b |
| SHA512 | ef6e3bbd7e03be8e514936bcb0b5a59b4cf4e677ad24d6d2dfca8c1ec95f134ae37f2042d8bf9a0e343b68bff98a0fd748503f35d5e9d42cdaa1dc283dec89fb |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000b
| MD5 | cf989be758e8dab43e0a5bc0798c71e0 |
| SHA1 | 97537516ffd3621ffdd0219ede2a0771a9d1e01d |
| SHA256 | beeca69af7bea038faf8f688bf2f10fda22dee6d9d9429306d379a7a4be0c615 |
| SHA512 | f8a88edb6bcd029ad02cba25cae57fdf9bbc7fa17c26e7d03f09040eb0559bc27bd4db11025706190ae548363a1d3b3f95519b9740e562bb9531c4d51e3ca2b7 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 89a5c78c688e01485b27ad5d032a8e0d |
| SHA1 | dd298b62f2be9164e5bdf89754bc905feda13f6b |
| SHA256 | fb30af5cfe11fb7a71e8b6434b786d2428e005b137418246c3b3a44792ff6273 |
| SHA512 | 8b3a6f61f6c32abc0c5e95cf34b1f5b99e2576bb108aa66bd15719e06429394fb637666443ead02c4062d642b75f71bee0e1ba24b3085236139e5678dfd644bb |
memory/1664-2562-0x00000000002C0000-0x00000000005BE000-memory.dmp
C:\Users\Admin\Downloads\memz-master.zip
| MD5 | 4790677e05d72ef7429dddf35562bf4a |
| SHA1 | 4243d6ea53db7e8cc0c355e70d6cffb54787b90b |
| SHA256 | 319bf6087040d17b87f46cd05f5ee064c291ba9ca46e1910f28d1f4c57cb3d96 |
| SHA512 | a93c5f691938bc1bdd9ef20b975f0b22cf494543e7df82ec31838bf811552ead5cd855959be4e47186ee7de944be005030f52f58b9dc85e7cde719cb97b794e3 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | c09496884b94df7a67bcea4fb4d43e60 |
| SHA1 | 9c71cd66e072282922b872aab2914a5c1ef0e0e2 |
| SHA256 | 490277f4e39a208797959ec1a6aa909325c627577ddfcc111d4ab65cf0644d3c |
| SHA512 | 133daac9bc0bc5b35a3d7f7bfd6936a937e3b5ef2f1737e163b8f73c911a4a870fd885c8c3d687962cc028a12c09a2df9ccfe6d42e0c1017cd542e4daf2aacb2 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 4f000af56a5cf77db9e8ab5e2a524ef4 |
| SHA1 | 3c18b9a0c2f3c95eb434825c5aeae3be62e52815 |
| SHA256 | 4d30f1257e0dfaab8b1b1052cf83acd982b45727ed0bb9a5f214c81c39c726fb |
| SHA512 | 9abfddae9b07606996258c5b15c229238c1b19a12edf04c2c1bffec1ce27aeb99a460799d6537ffbefd197f40f202c46bbbf375835ee6291010a756e86f50ff8 |