Analysis Overview
Threat Level: Likely malicious
The file https://hatching.io/blog/triage-insights-ep2/ was found to be: Likely malicious.
Malicious Activity Summary
Event Triggered Execution: AppInit DLLs
Disables Task Manager via registry modification
Boot or Logon Autostart Execution: Active Setup
Possible privilege escalation attempt
Downloads MZ/PE file
Event Triggered Execution: Component Object Model Hijacking
Loads dropped DLL
Modifies file permissions
Executes dropped EXE
Legitimate hosting services abused for malware hosting/C2
Adds Run key to start application
Modifies WinLogon
Enumerates connected drives
Checks installed software on the system
Drops file in System32 directory
Sets desktop wallpaper using registry
Drops file in Windows directory
Subvert Trust Controls: Mark-of-the-Web Bypass
Enumerates physical storage devices
Browser Information Discovery
Program crash
System Location Discovery: System Language Discovery
Uses Volume Shadow Copy WMI provider
Suspicious behavior: EnumeratesProcesses
Modifies data under HKEY_USERS
Checks SCSI registry key(s)
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Kills process with taskkill
Suspicious behavior: AddClipboardFormatListener
Modifies Control Panel
Enumerates system info in registry
NTFS ADS
Suspicious use of SendNotifyMessage
Uses Volume Shadow Copy service COM API
Modifies Internet Explorer settings
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-08 23:31
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-08 23:31
Reported
2024-08-08 23:37
Platform
win11-20240802-en
Max time kernel
352s
Max time network
369s
Command Line
Signatures
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\software\WOW6432Node\microsoft\Active Setup\Installed Components | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\WOW6432Node\microsoft\Active Setup\Installed Components | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
Disables Task Manager via registry modification
Downloads MZ/PE file
Event Triggered Execution: AppInit DLLs
Possible privilege escalation attempt
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\Bonzify.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| N/A | N/A | C:\Windows\msagent\AgentSvr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| N/A | N/A | C:\Windows\msagent\AgentSvr.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\Bonzify.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\Bonzify.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\000.exe | N/A |
Loads dropped DLL
Modifies file permissions
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tv_enua = "RunDll32 advpack.dll,LaunchINFSection C:\\Windows\\INF\\tv_enua.inf, RemoveCabinet" | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
Checks installed software on the system
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\M: | C:\Users\Admin\Desktop\000.exe | N/A |
| File opened (read-only) | \??\J: | C:\Users\Admin\Desktop\000.exe | N/A |
| File opened (read-only) | \??\S: | C:\Users\Admin\Desktop\000.exe | N/A |
| File opened (read-only) | \??\G: | C:\Users\Admin\Desktop\000.exe | N/A |
| File opened (read-only) | \??\I: | C:\Users\Admin\Desktop\000.exe | N/A |
| File opened (read-only) | \??\L: | C:\Users\Admin\Desktop\000.exe | N/A |
| File opened (read-only) | \??\O: | C:\Users\Admin\Desktop\000.exe | N/A |
| File opened (read-only) | \??\V: | C:\Users\Admin\Desktop\000.exe | N/A |
| File opened (read-only) | \??\D: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Users\Admin\Desktop\000.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Users\Admin\Desktop\000.exe | N/A |
| File opened (read-only) | \??\B: | C:\Users\Admin\Desktop\000.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Users\Admin\Desktop\000.exe | N/A |
| File opened (read-only) | \??\W: | C:\Users\Admin\Desktop\000.exe | N/A |
| File opened (read-only) | \??\H: | C:\Users\Admin\Desktop\000.exe | N/A |
| File opened (read-only) | \??\K: | C:\Users\Admin\Desktop\000.exe | N/A |
| File opened (read-only) | \??\P: | C:\Users\Admin\Desktop\000.exe | N/A |
| File opened (read-only) | \??\T: | C:\Users\Admin\Desktop\000.exe | N/A |
| File opened (read-only) | \??\E: | C:\Users\Admin\Desktop\000.exe | N/A |
| File opened (read-only) | \??\N: | C:\Users\Admin\Desktop\000.exe | N/A |
| File opened (read-only) | \??\A: | C:\Users\Admin\Desktop\000.exe | N/A |
| File opened (read-only) | \??\R: | C:\Users\Admin\Desktop\000.exe | N/A |
| File opened (read-only) | \??\U: | C:\Users\Admin\Desktop\000.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\X: | C:\Users\Admin\Desktop\000.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoRestartShell = "0" | C:\Users\Admin\Desktop\000.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | \??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_01cf530faf2f1752\display.PNF | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\SET7191.tmp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File created | C:\Windows\SysWOW64\SET7191.tmp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\msvcp50.dll | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_01cf530faf2f1752\display.PNF | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000\Control Panel\Desktop\Wallpaper | C:\Users\Admin\Desktop\000.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\msagent\SET6DF6.tmp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File created | C:\Windows\msagent\SET6DF7.tmp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File created | C:\Windows\msagent\SET6DF8.tmp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File created | C:\Windows\INF\SET6DFB.tmp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File opened for modification | C:\Windows\msagent\mslwvtts.dll | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File created | C:\Windows\lhsp\tv\SET718D.tmp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File created | C:\Windows\fonts\SET718F.tmp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File created | C:\Windows\executables.bin | C:\Users\Admin\Downloads\Bonzify.exe | N/A |
| File opened for modification | C:\Windows\msagent\AgentSvr.exe | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File created | C:\Windows\msagent\chars\Bonzi.acs | C:\Users\Admin\Downloads\Bonzify.exe | N/A |
| File opened for modification | C:\Windows\msagent\SET6DE3.tmp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File opened for modification | C:\Windows\msagent\AgentCtl.dll | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File opened for modification | C:\Windows\msagent\AgentDp2.dll | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File opened for modification | C:\Windows\msagent\SET6DF7.tmp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File created | C:\Windows\msagent\SET6E0E.tmp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File created | C:\Windows\msagent\SET6DF6.tmp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File opened for modification | C:\Windows\msagent\AgentMPx.dll | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File opened for modification | C:\Windows\msagent\SET6DF9.tmp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File opened for modification | C:\Windows\msagent\SET6E0E.tmp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File opened for modification | C:\Windows\SystemTemp | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| File opened for modification | C:\Windows\msagent\SET6DF5.tmp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File opened for modification | C:\Windows\msagent\AgentAnm.dll | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File opened for modification | C:\Windows\msagent\SET6DFC.tmp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File created | C:\Windows\lhsp\tv\SET717D.tmp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File created | C:\Windows\msagent\SET6DF4.tmp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File opened for modification | C:\Windows\INF\SET6DFB.tmp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File opened for modification | C:\Windows\help\Agt0409.hlp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File opened for modification | C:\Windows\lhsp\tv\SET718D.tmp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File opened for modification | C:\Windows\help\SET6E0C.tmp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File created | C:\Windows\help\SET6E0C.tmp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File created | C:\Windows\msagent\intl\SET6E0D.tmp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File created | C:\Windows\lhsp\help\SET718E.tmp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File opened for modification | C:\Windows\fonts\SET718F.tmp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File opened for modification | C:\Windows\INF\agtinst.inf | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File opened for modification | C:\Windows\msagent\SET6DFA.tmp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File opened for modification | C:\Windows\INF\tv_enua.inf | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File created | C:\Windows\msagent\chars\Bonzi.acs | C:\Users\Admin\Downloads\Bonzify.exe | N/A |
| File opened for modification | C:\Windows\executables.bin | C:\Users\Admin\Downloads\Bonzify.exe | N/A |
| File opened for modification | C:\Windows\lhsp\tv\tvenuax.dll | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File opened for modification | C:\Windows\lhsp\help\SET718E.tmp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File opened for modification | C:\Windows\lhsp\help\tv_enua.hlp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File created | C:\Windows\msagent\SET6DE3.tmp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File opened for modification | C:\Windows\INF\SET7190.tmp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File created | C:\Windows\msagent\SET6DFA.tmp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File created | C:\Windows\msagent\SET6DFC.tmp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File opened for modification | C:\Windows\fonts\andmoipa.ttf | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File created | C:\Windows\finalDestruction.bin | C:\Users\Admin\Downloads\Bonzify.exe | N/A |
| File opened for modification | C:\Windows\executables.bin | C:\Users\Admin\Downloads\Bonzify.exe | N/A |
| File created | C:\Windows\msagent\chars\Bonzi.acs | C:\Users\Admin\Downloads\Bonzify.exe | N/A |
| File opened for modification | C:\Windows\msagent\SET6DF8.tmp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File opened for modification | C:\Windows\msagent\AgentPsh.dll | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File opened for modification | C:\Windows\msagent\AgtCtl15.tlb | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File opened for modification | C:\Windows\lhsp\tv\SET717D.tmp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File opened for modification | C:\Windows\msagent\AgentDPv.dll | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File opened for modification | C:\Windows\msagent\intl\SET6E0D.tmp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File opened for modification | C:\Windows\msagent\intl\Agt0409.dll | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File opened for modification | C:\Windows\lhsp\tv\tv_enua.dll | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File created | C:\Windows\INF\SET7190.tmp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File created | C:\Windows\msagent\SET6DF9.tmp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File opened for modification | C:\Windows\msagent\SET6DF4.tmp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File created | C:\Windows\msagent\SET6DF5.tmp | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| File opened for modification | C:\Windows\msagent\AgentSR.dll | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
Subvert Trust Controls: Mark-of-the-Web Bypass
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Downloads\Bonzify.exe:Zone.Identifier | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| File opened for modification | C:\Users\Admin\Desktop\000.exe:Zone.Identifier | C:\Windows\explorer.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\takeown.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\msagent\AgentSvr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\takeown.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\takeown.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\takeown.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\takeown.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\takeown.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\takeown.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\Bonzify.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\takeown.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\takeown.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\takeown.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\takeown.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\takeown.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\takeown.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\takeown.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\takeown.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Capabilities | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\explorer.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies Control Panel
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000\Control Panel\Mouse\SnapToDefaultButton = "0" | C:\Users\Admin\Desktop\000.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000\Control Panel\Desktop\CaretTimeout = "5000" | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000\Control Panel\Input Method\Hot Keys\00000104\Key Modifiers = 06c00000 | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000\Control Panel\Keyboard\KeyboardSpeed = "31" | C:\Users\Admin\Downloads\Bonzify.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000\Control Panel\Accessibility\MouseKeys\TimeToMaximumSpeed = "3000" | C:\Users\Admin\Desktop\000.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000\Control Panel\Desktop\LeftOverlapChars = "3" | C:\Users\Admin\Desktop\000.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000\Software\Microsoft\Internet Explorer\International\Scripts\31\IEPropFontName = "Segoe UI Symbol" | C:\Users\Admin\Desktop\000.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000\Software\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000\Software\Microsoft\Internet Explorer\International\Scripts\37\IEPropFontName = "Leelawadee UI" | C:\Users\Admin\Downloads\Bonzify.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1" | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\Program Files\\Microsoft Office[Root\\Office16\\ONBttnIE.dll/105" | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-20\Console\%SystemRoot%_SysWOW64_WindowsPowerShell_v1.0_powershell.exe\ColorTable06 = "15789550" | C:\Users\Admin\Downloads\Bonzify.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\PrecisionTouchPad\RightClickZoneEnabled = "1" | C:\Users\Admin\Downloads\Bonzify.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\system32\coremessaging.dll,-1 = "CoreMessaging" | C:\Users\Admin\Downloads\Bonzify.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\System32\wersvc.dll,-100 = "Windows Error Reporting Servhce" | C:\Users\Admin\Desktop\000.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\Console\%SystemRoot%_SysWOW64_WindowsPowerShell_v1.0_powershell.exe\PopupColors = "243" | C:\Users\Admin\Desktop\000.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Windows\Device | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Run\OneDriveSetup = "C:\\Windows\\SysWOW64\\OneDriveSetup.exe /thfirstsetup" | C:\Users\Admin\Downloads\Bonzify.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Flags = "33" | C:\Users\Admin\Desktop\000.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\System32\tetheringservice.dll,-4097 = "Windows Mobile Hotspot Service" | C:\Users\Admin\Desktop\000.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%Systemroot%\system32\rasmans.dll,-200 = "Remote Access Connection Manager" | C:\Users\Admin\Desktop\000.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\ime\IMTC70\DefaultLanguage = "0x00000001" | C:\Users\Admin\Downloads\Bonzify.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\Control Panel\Mouse\ActiveWindowTracking = "0" | C:\Users\Admin\Desktop\000.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\Control Panel\Desktop\WallpaperOriginX = "0" | C:\Users\Admin\Downloads\Bonzify.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\PushNotifications\Backup\Windows.SystemToast.NfpAppLaunch\Setting = "s:tickle,s:lock:toast,s:tile,s:lock:badge,s:banner,s:lock:tile,s:toast,s:badge,s:audio,s:voip,s:listenerEnabmed,c:toast,c:ringing" | C:\Users\Admin\Downloads\Bonzify.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\Console\%SystemRoot%_System32_WindowsPowerShell_v1.0_powershell.exe\QuickEdit = "1" | C:\Users\Admin\Downloads\Bonzify.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45" | C:\Users\Admin\Downloads\Bonzify.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Themes\Personalize\ColorPrevalence = "0" | C:\Users\Admin\Desktop\000.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration" | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@combase.dll,-5010 = "Remote Procddure Call (RPC)" | C:\Users\Admin\Downloads\Bonzify.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Control Panel\Input Method\Hot Keys\00000071\Target IME = 00000000 | C:\Users\Admin\Downloads\Bonzify.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Control Panel\Cursors\AppStarting = "%SystemRoot%\\cursors\\aero_working.ani" | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\Control Panel\Sound\ExtendedSounds = "yes" | C:\Users\Admin\Downloads\Bonzify.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\system32\drivers\tcpip.sys,-10001 = "TCP/IP Protocol Driver" | C:\Users\Admin\Desktop\000.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Control Panel\Desktop\Colors\WindowFrame = "0 0 0" | C:\Users\Admin\Downloads\Bonzify.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TPMStatus = "2150121487" | C:\Users\Admin\Downloads\Bonzify.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\AppEvents\EventLabels\Notification.Looping.Alarm7\ExcludeFromCPL = "1" | C:\Users\Admin\Desktop\000.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-20\Control Panel\Mouse\SmoothMouseYCurve = 0000000000000000fd11010000000000002404000000000000fc12000000000000c0bb0100000000 | C:\Users\Admin\Desktop\000.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\CTF\SortOrder\Language\00000000 = "00000409" | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\PushNotifications\Backup\Microsoft.Windows.InputSwitchToastHandler\wnsId = "System" | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\AppEvents\EventLabels\EmptyRecycleBin\DispFileName = "@mmres.dll,-5831" | C:\Users\Admin\Desktop\000.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\system32\RMapi.dll,-1001 = "Radio Management Service" | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Icon = "inetcpl.cpl#00004480" | C:\Users\Admin\Desktop\000.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\Control Panel\Desktop\Colors\InactiveTitleText = "212 208 200" | C:\Users\Admin\Downloads\Bonzify.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\AppEvents\Schemes\Apps\.Default\Notification.Proximity\.Default\ = "%SystemRoot%\\media\\Windows Proximity Notification.wav" | C:\Users\Admin\Downloads\Bonzify.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Internet Explorer\Main\Cache_Update_Frequency = "yes" | C:\Users\Admin\Downloads\Bonzify.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\AppEvents\EventLabels\SystemQuestion\DispFileName = "@mmres.dll,-5849" | C:\Users\Admin\Desktop\000.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\AppEvents\EventLabels\EmptyRecycleBin\DispFileName = "@mmres.dll,-5831" | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\System32\fveui.dll,-844 = "BitLocker Data Recovery Agens" | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\PrecisionTouchPad\TwoFingerTapEnabled = "1" | C:\Users\Admin\Downloads\Bonzify.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\AppEvents\EventLabels\Notification.Looping.Alarm9\DispFileName = "@mmres.dll,-5896" | C:\Users\Admin\Desktop\000.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\PushNotifications\Backup\Windows.SystemToast.Share\appType = "app:system" | C:\Users\Admin\Desktop\000.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\AppEvents\EventLabels\SystemNotification\ = "System Notification" | C:\Users\Admin\Downloads\Bonzify.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\1200 = "3" | C:\Users\Admin\Downloads\Bonzify.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\AppEvents\EventLabels\DeviceConnect\DispFileName = "@mmres.dll,-5828" | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Control Panel\Desktop\Colors\InactiveTitleText = "212 208 200" | C:\Users\Admin\Downloads\Bonzify.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\PushNotifications\Backup\Windows.System.Audio\wnsId = "System" | C:\Users\Admin\Downloads\Bonzify.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\system32\drivers\partmgr.sys,-100 = "Partition driver" | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\System32\wercplsupport.dll,-101 = "Problem Reports Control Panel Support" | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\system32\windowsudkservices.shellcommon.dll,-100 = "Udk User Service" | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360" | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Control Panel\Accessibility\HighContrast\Flags = "126" | C:\Users\Admin\Desktop\000.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Control Panel\Cursors\Hand = "%SystemRoot%\\cursors\\aero_link.cur" | C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\Console\FontSize = "1048576" | C:\Users\Admin\Downloads\Bonzify.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\ValidDeviceId = "02amjqeuqomxcjfk" | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Control Panel\Colors\GradientInactiveTitle = "215 228 242" | C:\Users\Admin\Desktop\000.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\DisplayName = "Computer" | C:\Users\Admin\Desktop\000.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Internet Explorer\Main\Show_StatusBar = "yes" | C:\Users\Admin\Downloads\Bonzify.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\AppEvents\Schemes\Apps\.Default\Notification.Looping.Call8\.Default\ = "%SystemRoot%\\media\\Ring08.wav" | C:\Users\Admin\Desktop\000.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Icon = "inetcpl.cpl#00004481" | C:\Users\Admin\Desktop\000.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\PushNotifications\Backup\Windows.SystemToast.Devices\appType = "app:system" | C:\Users\Admin\Desktop\000.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\AppEvents\Schemes\Apps\.Default\Notification.Looping.Call8\.Default\ = "%SystemRoot%\\media\\Ring08.wav" | C:\Users\Admin\Downloads\Bonzify.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\Identity\TrustedSiteUrlForUserAgentVersionInfo | C:\Users\Admin\Downloads\Bonzify.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\System32\fveui.dll,-843 = "BitLocker Drive Encryption" | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A7B93C80-7B81-11D0-AC5F-00C04FD97575}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\msagent\AgentSvr.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A7B93C85-7B81-11D0-AC5F-00C04FD97575}\TypeLib | C:\Windows\msagent\AgentSvr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D6589123-FC70-11D0-AC94-00C04FD97575}\2.0\HELPDIR\ = "C:\\Windows\\msagent\\AgentSvr.exe\\" | C:\Windows\msagent\AgentSvr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DE8EF600-2F82-11D1-ACAC-00C04FD97575}\TypeLib\ = "{F5BE8BC2-7DE6-11D0-91FE-00C04FD701A5}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{822DB1C0-8879-11D1-9EC6-00C04FD7081F} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D45FD300-5C6E-11D1-9EC1-00C04FD7081F}\InprocServer32\ = "C:\\Windows\\msagent\\AgentDPv.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4BAC124B-78C8-11D1-B9A8-00C04FD97575} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5BE8BF0-7DE6-11D0-91FE-00C04FD701A5}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A7B93C83-7B81-11D0-AC5F-00C04FD97575}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\msagent\AgentSvr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\AppX2b728y1f1nn5hvq8ww8qk030g07r87t9\Application\ApplicationCompany = "@{MicrosoftWindows.Client.CBS_1000.22000.493.0_x64__cw5n1h2txyewy?ms-resource://MicrosoftWindows.Client.CBS/resources/ProductPublisherDisplayName}" | C:\Users\Admin\Desktop\000.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\WOW6432Node\Interface\{da82e55e-fa2f-45b3-aec3-e7294106ef52}\ProxyStubClsid32\ = "|00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\Desktop\000.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259} | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D45FD31B-5C6E-11D1-9EC1-00C04FD7081F}\ToolboxBitmap32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4BAC124B-78C8-11D1-B9A8-00C04FD97575}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A7B93C89-7B81-11D0-AC5F-00C04FD97575} | C:\Windows\msagent\AgentSvr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6D0ECB23-9968-11D0-AC6E-00C04FD97575}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\msagent\AgentSvr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6BA90C00-3910-11D1-ACB3-00C04FD97575}\TypeLib\Version = "2.0" | C:\Windows\msagent\AgentSvr.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6D0ECB23-9968-11D0-AC6E-00C04FD97575}\TypeLib | C:\Windows\msagent\AgentSvr.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Agent.Control\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5BE8BD2-7DE6-11D0-91FE-00C04FD701A5}\MiscStatus\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8563FF20-8ECC-11D1-B9B4-00C04FD97575}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D45FD31D-5C6E-11D1-9EC1-00C04FD7081F}\InprocServer32\ = "C:\\Windows\\msagent\\AgentMPx.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D45FD31B-5C6E-11D1-9EC1-00C04FD7081F}\TypeLib\ = "{F5BE8BC2-7DE6-11D0-91FE-00C04FD701A5}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C4ABF875-8100-11D0-AC63-00C04FD97575}\ = "IAgentCtlUserInput" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D7A6D440-8872-11D1-9EC6-00C04FD7081F}\TypeLib | C:\Windows\msagent\AgentSvr.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\NcsiUwpApp_8wekyb3d8bbwe\WasEverActivated = "1" | C:\Users\Admin\Desktop\000.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1DAB85C3-803A-11D0-AC63-00C04FD97575}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A7B93C89-7B81-11D0-AC5F-00C04FD97575}\TypeLib | C:\Windows\msagent\AgentSvr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}" | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D45FD31B-5C6E-11D1-9EC1-00C04FD7081F}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5BE8BD1-7DE6-11D0-91FE-00C04FD701A5}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A7B93CA0-7B81-11D0-AC5F-00C04FD97575}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\msagent\AgentSvr.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Extensions\ContractId\Windows.BackgroundTasks\PackageId\Microsoft.Win32WebViewHost_10.0.22000.1_neutral_neutral_cw5n1h2txyewy\ActivatableClassId\DPI.SystemAware.AppX64ebpmrryzntbexxxw7yf7 = "28" | C:\Users\Admin\Desktop\000.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B0913410-3B44-11D1-ACBA-00C04FD97575}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5BE8BD4-7DE6-11D0-91FE-00C04FD701A5}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FileType\{D45FD301-5C6E-11D1-9EC1-00C04FD7081F} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6BA90C00-3910-11D1-ACB3-00C04FD97575}\TypeLib | C:\Windows\msagent\AgentSvr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Agent.Character.2\ = "Microsoft Agent Character File" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Agent.Character.2\DefaultIcon\ = "C:\\Windows\\msagent\\AgentDPv.dll,-201" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D45FD2FC-5C6E-11D1-9EC1-00C04FD7081F}\LocalServer32 | C:\Windows\msagent\AgentSvr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Extensions\ContractId\Windows.Launch\PackageId\MicrosoftWindows.Client.CBS_1000.22000.493.0_x64__cw5n1h2txyewy\ActivatableClassId\Global.IrisService.wwa\Icon = "@{MicrosoftWindows.Client.CBS_1000.22000.493.0_x64__cw5n1h2txyewy?ms-resource://MicrosoftWindows.Client.CBS/Files/Assets/Square150x150Logo.png}" | C:\Users\Admin\Desktop\000.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A7B93C83-7B81-11D0-AC5F-00C04FD97575}\TypeLib\ = "{A7B93C73-7B81-11D0-AC5F-00C04FD97575}" | C:\Windows\msagent\AgentSvr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6BA90C00-3910-11D1-ACB3-00C04FD97575}\TypeLib\ = "{A7B93C73-7B81-11D0-AC5F-00C04FD97575}" | C:\Windows\msagent\AgentSvr.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).left = "262" | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A7B93CA0-7B81-11D0-AC5F-00C04FD97575}\TypeLib\ = "{A7B93C73-7B81-11D0-AC5F-00C04FD97575}" | C:\Windows\msagent\AgentSvr.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\FFlags = "18874385" | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5BE8BE8-7DE6-11D0-91FE-00C04FD701A5}\TypeLib\Version = "2.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C4ABF875-8100-11D0-AC63-00C04FD97575}\TypeLib\Version = "2.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6BA90C00-3910-11D1-ACB3-00C04FD97575}\ProxyStubClsid32 | C:\Windows\msagent\AgentSvr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{48D12BA0-5B77-11D1-9EC1-00C04FD7081F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\msagent\AgentSvr.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F5BE8BC2-7DE6-11D0-91FE-00C04FD701A5}\2.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FileType\{D45FD300-5C6E-11D1-9EC1-00C04FD7081F}\1\ = "0,4,FFFFFFFF,C2ABCDAB" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95A893C3-543A-11D0-AC45-00C04FD97575}\TreatAs\ = "{D45FD31C-5C6E-11D1-9EC1-00C04FD7081F}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95A893C3-543A-11D0-AC45-00C04FD97575}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A7B93C91-7B81-11D0-AC5F-00C04FD97575}\TypeLib\Version = "2.0" | C:\Windows\msagent\AgentSvr.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A7B93C80-7B81-11D0-AC5F-00C04FD97575}\ProxyStubClsid32 | C:\Windows\msagent\AgentSvr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B0913412-3B44-11D1-ACBA-00C04FD97575}\TypeLib\Version = "2.0" | C:\Windows\msagent\AgentSvr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\WOW6432Node\Interface\{5d65dd0d-81bf-4ff4-aeea-6effb445cb3f}\ = "ICreateLibraryCallback" | C:\Users\Admin\Desktop\000.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5BE8BD2-7DE6-11D0-91FE-00C04FD701A5}\ToolboxBitmap32\ = "C:\\Windows\\msagent\\AgentCtl.dll, 105" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6D0ECB27-9968-11D0-AC6E-00C04FD97575}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6D0ECB27-9968-11D0-AC6E-00C04FD97575}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Agent.Character2.2\shellex | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5BE8BD2-7DE6-11D0-91FE-00C04FD701A5}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B0913412-3B44-11D1-ACBA-00C04FD97575}\ = "IAgentCommandEx" | C:\Windows\msagent\AgentSvr.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Downloads\Bonzify.exe:Zone.Identifier | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| File opened for modification | C:\Users\Admin\Downloads\000.zip:Zone.Identifier | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| File opened for modification | C:\Users\Admin\Desktop\000.exe:Zone.Identifier | C:\Windows\explorer.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\Bonzify.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\Bonzify.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\Bonzify.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\Bonzify.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\000.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\000.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Processes
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://hatching.io/blog/triage-insights-ep2/
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa49bccc40,0x7ffa49bccc4c,0x7ffa49bccc58
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1728,i,4392519353248521266,51458478631128134,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=1724 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2056,i,4392519353248521266,51458478631128134,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2080 /prefetch:3
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2144,i,4392519353248521266,51458478631128134,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2160 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3076,i,4392519353248521266,51458478631128134,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3096 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3100,i,4392519353248521266,51458478631128134,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3144 /prefetch:1
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4612,i,4392519353248521266,51458478631128134,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4628 /prefetch:8
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4616,i,4392519353248521266,51458478631128134,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4668 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4888,i,4392519353248521266,51458478631128134,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4956 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3240,i,4392519353248521266,51458478631128134,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3168 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5144,i,4392519353248521266,51458478631128134,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5264 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5252,i,4392519353248521266,51458478631128134,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5400 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5428,i,4392519353248521266,51458478631128134,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5552 /prefetch:8
C:\Users\Admin\Downloads\Bonzify.exe
"C:\Users\Admin\Downloads\Bonzify.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\KillAgent.bat"
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im AgentSvr.exe
C:\Windows\SysWOW64\takeown.exe
takeown /r /d y /f C:\Windows\MsAgent
C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\MsAgent /c /t /grant "everyone":(f)
C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe
INSTALLER.exe /q
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Windows\msagent\AgentCtl.dll"
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Windows\msagent\AgentDPv.dll"
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Windows\msagent\mslwvtts.dll"
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Windows\msagent\AgentDP2.dll"
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Windows\msagent\AgentMPx.dll"
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Windows\msagent\AgentSR.dll"
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Windows\msagent\AgentPsh.dll"
C:\Windows\msagent\AgentSvr.exe
"C:\Windows\msagent\AgentSvr.exe" /regserver
C:\Windows\SysWOW64\grpconv.exe
grpconv.exe -o
C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe
INSTALLER.exe /q
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s C:\Windows\lhsp\tv\tv_enua.dll
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s C:\Windows\lhsp\tv\tvenuax.dll
C:\Windows\SysWOW64\grpconv.exe
grpconv.exe -o
C:\Windows\msagent\AgentSvr.exe
C:\Windows\msagent\AgentSvr.exe -Embedding
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5308,i,4392519353248521266,51458478631128134,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4936 /prefetch:8
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004CC 0x00000000000004E4
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\Downloads\Bonzify.exe
"C:\Users\Admin\Downloads\Bonzify.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\KillAgent.bat"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\assembly\GAC_32\MSBuild\3.5.0.0__b03f5f7f11d50a3a\MSBuild.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\assembly\GAC_32\MSBuild\3.5.0.0__b03f5f7f11d50a3a\MSBuild.exe"
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im AgentSvr.exe
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\assembly\GAC_32\MSBuild\3.5.0.0__b03f5f7f11d50a3a\MSBuild.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\assembly\GAC_64\MSBuild\3.5.0.0__b03f5f7f11d50a3a\MSBuild.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\assembly\GAC_64\MSBuild\3.5.0.0__b03f5f7f11d50a3a\MSBuild.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\assembly\GAC_64\MSBuild\3.5.0.0__b03f5f7f11d50a3a\MSBuild.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2276 -ip 2276
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\assembly\GAC_MSIL\ComSvcConfig\3.0.0.0__b03f5f7f11d50a3a\ComSvcConfig.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\assembly\GAC_MSIL\ComSvcConfig\3.0.0.0__b03f5f7f11d50a3a\ComSvcConfig.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2276 -s 708
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\assembly\GAC_MSIL\ComSvcConfig\3.0.0.0__b03f5f7f11d50a3a\ComSvcConfig.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\assembly\GAC_MSIL\dfsvc\2.0.0.0__b03f5f7f11d50a3a\dfsvc.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\assembly\GAC_MSIL\dfsvc\2.0.0.0__b03f5f7f11d50a3a\dfsvc.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\assembly\GAC_MSIL\dfsvc\2.0.0.0__b03f5f7f11d50a3a\dfsvc.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\assembly\GAC_MSIL\PresentationFontCache\3.0.0.0__31bf3856ad364e35\PresentationFontCache.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\assembly\GAC_MSIL\PresentationFontCache\3.0.0.0__31bf3856ad364e35\PresentationFontCache.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\assembly\GAC_MSIL\PresentationFontCache\3.0.0.0__31bf3856ad364e35\PresentationFontCache.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\assembly\GAC_MSIL\SMSvcHost\3.0.0.0__b03f5f7f11d50a3a\SMSvcHost.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /r /d y /f C:\Windows\MsAgent
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\assembly\GAC_MSIL\SMSvcHost\3.0.0.0__b03f5f7f11d50a3a\SMSvcHost.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\assembly\GAC_MSIL\SMSvcHost\3.0.0.0__b03f5f7f11d50a3a\SMSvcHost.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\MsAgent /c /t /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\assembly\GAC_MSIL\WsatConfig\3.0.0.0__b03f5f7f11d50a3a\WsatConfig.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\assembly\GAC_MSIL\WsatConfig\3.0.0.0__b03f5f7f11d50a3a\WsatConfig.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\assembly\GAC_MSIL\WsatConfig\3.0.0.0__b03f5f7f11d50a3a\WsatConfig.exe" /grant "everyone":(f)
C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe
INSTALLER.exe /q
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\bfsvc.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\bfsvc.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\bfsvc.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2656 -ip 2656
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2656 -s 864
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Boot\PCAT\memtest.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Boot\PCAT\memtest.exe"
C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe
INSTALLER.exe /q
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Boot\PCAT\memtest.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2460 -ip 2460
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\BrowserCore\BrowserCore.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\BrowserCore\BrowserCore.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\BrowserCore\BrowserCore.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2460 -s 884
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\explorer.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\explorer.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\explorer.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\HelpPane.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\HelpPane.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\HelpPane.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\hh.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\hh.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\hh.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\ImmersiveControlPanel\SystemSettings.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\ImmersiveControlPanel\SystemSettings.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\ImmersiveControlPanel\SystemSettings.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\acrobroker.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\acrobroker.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\acrobroker.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AcroRd32.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AcroRd32.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AcroRd32.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AcroRd32Info.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AcroRd32Info.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AcroRd32Info.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\acrotextextractor.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\acrotextextractor.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\acrotextextractor.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\adelrcp.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\adelrcp.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\adelrcp.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AdobeCollabSync.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4508 -ip 4508
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AdobeCollabSync.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AdobeCollabSync.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 860
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\eula.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\eula.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\eula.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\logtransport2.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\logtransport2.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\logtransport2.exe" /grant "everyone":(f)
C:\Users\Admin\Downloads\Bonzify.exe
"C:\Users\Admin\Downloads\Bonzify.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\KillAgent.bat"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\assembly\GAC_32\MSBuild\3.5.0.0__b03f5f7f11d50a3a\MSBuild.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\assembly\GAC_32\MSBuild\3.5.0.0__b03f5f7f11d50a3a\MSBuild.exe"
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im AgentSvr.exe
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\assembly\GAC_32\MSBuild\3.5.0.0__b03f5f7f11d50a3a\MSBuild.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\assembly\GAC_64\MSBuild\3.5.0.0__b03f5f7f11d50a3a\MSBuild.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4968 -ip 4968
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4968 -s 644
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\assembly\GAC_64\MSBuild\3.5.0.0__b03f5f7f11d50a3a\MSBuild.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\assembly\GAC_64\MSBuild\3.5.0.0__b03f5f7f11d50a3a\MSBuild.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\assembly\GAC_MSIL\ComSvcConfig\3.0.0.0__b03f5f7f11d50a3a\ComSvcConfig.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /r /d y /f C:\Windows\MsAgent
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\assembly\GAC_MSIL\ComSvcConfig\3.0.0.0__b03f5f7f11d50a3a\ComSvcConfig.exe"
C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\MsAgent /c /t /grant "everyone":(f)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\assembly\GAC_MSIL\ComSvcConfig\3.0.0.0__b03f5f7f11d50a3a\ComSvcConfig.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\assembly\GAC_MSIL\dfsvc\2.0.0.0__b03f5f7f11d50a3a\dfsvc.exe"
C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe
INSTALLER.exe /q
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\assembly\GAC_MSIL\dfsvc\2.0.0.0__b03f5f7f11d50a3a\dfsvc.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3472 -ip 3472
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\assembly\GAC_MSIL\dfsvc\2.0.0.0__b03f5f7f11d50a3a\dfsvc.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\assembly\GAC_MSIL\PresentationFontCache\3.0.0.0__31bf3856ad364e35\PresentationFontCache.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3472 -s 864
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\assembly\GAC_MSIL\PresentationFontCache\3.0.0.0__31bf3856ad364e35\PresentationFontCache.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\assembly\GAC_MSIL\PresentationFontCache\3.0.0.0__31bf3856ad364e35\PresentationFontCache.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\assembly\GAC_MSIL\SMSvcHost\3.0.0.0__b03f5f7f11d50a3a\SMSvcHost.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\assembly\GAC_MSIL\SMSvcHost\3.0.0.0__b03f5f7f11d50a3a\SMSvcHost.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\assembly\GAC_MSIL\SMSvcHost\3.0.0.0__b03f5f7f11d50a3a\SMSvcHost.exe" /grant "everyone":(f)
C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe
INSTALLER.exe /q
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\assembly\GAC_MSIL\WsatConfig\3.0.0.0__b03f5f7f11d50a3a\WsatConfig.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\assembly\GAC_MSIL\WsatConfig\3.0.0.0__b03f5f7f11d50a3a\WsatConfig.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4432 -ip 4432
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\assembly\GAC_MSIL\WsatConfig\3.0.0.0__b03f5f7f11d50a3a\WsatConfig.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 880
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\bfsvc.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\bfsvc.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\bfsvc.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Boot\PCAT\memtest.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Boot\PCAT\memtest.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Boot\PCAT\memtest.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\BrowserCore\BrowserCore.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\BrowserCore\BrowserCore.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\BrowserCore\BrowserCore.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\explorer.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\explorer.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\explorer.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\HelpPane.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\HelpPane.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\HelpPane.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\hh.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\hh.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\hh.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\ImmersiveControlPanel\SystemSettings.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\ImmersiveControlPanel\SystemSettings.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\ImmersiveControlPanel\SystemSettings.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\acrobroker.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2472 -ip 2472
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\acrobroker.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\acrobroker.exe" /grant "everyone":(f)
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 876
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AcroRd32.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AcroRd32.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AcroRd32.exe" /grant "everyone":(f)
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4944,i,4392519353248521266,51458478631128134,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3504 /prefetch:8
C:\Users\Admin\Desktop\000.exe
"C:\Users\Admin\Desktop\000.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\windl.bat""
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im explorer.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2368 -ip 2368
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2368 -s 688
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3844 -ip 3844
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3844 -s 720
C:\Windows\BrowserCore\BrowserCore.exe
"C:\Windows\BrowserCore\BrowserCore.exe"
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic useraccount where name='Admin' set FullName='UR NEXT'
C:\Windows\bfsvc.exe
"C:\Windows\bfsvc.exe"
C:\Windows\assembly\GAC_MSIL\WsatConfig\3.0.0.0__b03f5f7f11d50a3a\WsatConfig.exe
"C:\Windows\assembly\GAC_MSIL\WsatConfig\3.0.0.0__b03f5f7f11d50a3a\WsatConfig.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1192 -ip 1192
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1192 -s 4852
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic useraccount where name='Admin' rename 'UR NEXT'
C:\Windows\SysWOW64\shutdown.exe
shutdown /f /r /t 0
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3953055 /state1:0x41c64e6d
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | hatching.io | udp |
| NL | 154.61.71.12:443 | hatching.io | tcp |
| NL | 172.217.23.202:443 | content-autofill.googleapis.com | tcp |
| US | 8.8.8.8:53 | 234.168.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 12.71.61.154.in-addr.arpa | udp |
| US | 216.239.34.36:443 | region1.google-analytics.com | tcp |
| NL | 154.61.71.12:443 | hatching.io | tcp |
| N/A | 224.0.0.251:5353 | udp | |
| NL | 142.250.179.196:443 | www.google.com | udp |
| US | 216.239.34.36:443 | region1.google-analytics.com | udp |
| NL | 172.217.23.202:443 | content-autofill.googleapis.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 185.199.108.133:443 | user-images.githubusercontent.com | tcp |
| US | 185.199.111.154:443 | github.githubassets.com | tcp |
| US | 185.199.111.154:443 | github.githubassets.com | tcp |
| US | 185.199.111.154:443 | github.githubassets.com | tcp |
| US | 185.199.111.154:443 | github.githubassets.com | tcp |
| US | 185.199.111.154:443 | github.githubassets.com | tcp |
| US | 185.199.111.154:443 | github.githubassets.com | tcp |
| US | 185.199.111.154:443 | github.githubassets.com | tcp |
| NL | 172.217.23.202:443 | content-autofill.googleapis.com | tcp |
| US | 140.82.112.21:443 | collector.github.com | tcp |
| US | 140.82.112.21:443 | collector.github.com | tcp |
| GB | 20.26.156.210:443 | api.github.com | tcp |
| NL | 172.217.23.202:443 | content-autofill.googleapis.com | udp |
| GB | 172.217.169.67:443 | beacons.gcp.gvt2.com | tcp |
| GB | 172.217.169.67:443 | beacons.gcp.gvt2.com | tcp |
| US | 185.199.111.133:443 | user-images.githubusercontent.com | tcp |
| US | 142.250.68.227:443 | beacons.gvt2.com | tcp |
| US | 185.199.111.133:443 | user-images.githubusercontent.com | tcp |
| US | 142.250.68.227:443 | beacons.gvt2.com | udp |
| US | 142.250.69.3:443 | beacons.gcp.gvt2.com | udp |
| GB | 95.101.143.219:443 | r.bing.com | tcp |
| GB | 95.101.143.201:443 | r.bing.com | tcp |
| GB | 95.101.143.201:443 | r.bing.com | tcp |
| GB | 95.101.143.201:443 | r.bing.com | tcp |
| GB | 95.101.143.201:443 | r.bing.com | tcp |
| GB | 95.101.143.201:443 | r.bing.com | tcp |
| GB | 95.101.143.201:443 | r.bing.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| GB | 20.26.156.210:443 | api.github.com | tcp |
| US | 142.250.69.3:443 | beacons.gcp.gvt2.com | udp |
| NL | 172.217.23.206:443 | clients2.google.com | udp |
| NL | 172.217.23.206:443 | clients2.google.com | tcp |
| US | 140.82.112.22:443 | collector.github.com | tcp |
| US | 140.82.112.22:443 | collector.github.com | tcp |
| US | 140.82.112.22:443 | collector.github.com | tcp |
| US | 140.82.112.22:443 | collector.github.com | tcp |
Files
\??\pipe\crashpad_4924_TDGWOBHSFFZTHEBB
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 1dd4544812386caf135b094420dfd00f |
| SHA1 | 9e8d386951edb7811bcce821745021461562ec17 |
| SHA256 | a1cef44af312059d68bd6fadea8a20df50af083e50f23acc607ceaa11813de07 |
| SHA512 | 16a23dbf37255b4021f54cfbd8cb89b69124dc6006ca0d6b433531f70b1a3bba0d4d28421f0782be6bf12016cd9d1a7ac45009b2f4c8430fa0648803db78098c |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 673f4dbf11940356ebd06f07fb23340f |
| SHA1 | d5cde97c5fd32800e6d6f27d06ce6c9572829670 |
| SHA256 | 71ae0b688e4519e3d391d43dcf38f6f0919fce2d439358441c4438b23d80e1fc |
| SHA512 | bf5e42d2ee7c80bbe9af0e4efd41fa7311eda7e717fc672a4aad60531ffe01a37bb5cac18e558db0386497634dd8f7906a69a7111f57abc11f01f24d29055c07 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | f2a0599c94a2946b7e4171440c2eb910 |
| SHA1 | eba5d8eca54e620d51ebd66ae6724bb0765ef0aa |
| SHA256 | 53cae8ce968e263b0bd75cb02f19680b644362dfb8a01b7a8e83610a169a83e8 |
| SHA512 | d2d2e42e2c8db4de548917b2a07ea3a9cd074e8ff4fda56ccb9cf7a565dbc442385570ce5a2a5ea5679809acdb393b5b7d723fc8cffce87a33e063d7108c20e9 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001e
| MD5 | 48d2860dd3168b6f06a4f27c6791bcaa |
| SHA1 | f5f803efed91cd45a36c3d6acdffaaf0e863bf8c |
| SHA256 | 04d7bf7a6586ef00516bdb3f7b96c65e0b9c6b940f4b145121ed00f6116bbb77 |
| SHA512 | 172da615b5b97a0c17f80ddd8d7406e278cd26afd1eb45a052cde0cb55b92febe49773b1e02cf9e9adca2f34abbaa6d7b83eaad4e08c828ef4bf26f23b95584e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 411dfd9dbace6c177b43d5486dd47b49 |
| SHA1 | ca907f90d88e45188940e68e249fc8fa19e99f6c |
| SHA256 | d8755e4e49c9d0222ec2a27c53e60e3054c85e5f8e8c26dfb60568cac848b056 |
| SHA512 | c12a80cac7a01c12689c19205668cf690a1f72b43ed953bc4fac5eb8ebd486bbc8638ac9952e675bb8e38d2e000834324129d0a4e38cca62f5c7ece6d81fc945 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 750d1dbb0300d3825851ec15c172b9af |
| SHA1 | 3348b3aa1b8adf6f7ded417bf002e020d6914a5a |
| SHA256 | ce2a7597a57818746e606c65a4cc0924541dbdaa2128d0a62d0ea01e6d93cc45 |
| SHA512 | 54e29ed7b59ad360d9fb171499b35e860ff7cdae878b05643416395a5501c0046eda2d14da2e7ae0bc6c749bc24a9297faebebd0225685c0559eed56b290c675 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | eee4696df8ed88cca62de57c29cb9ad9 |
| SHA1 | fe4ebc589efc2156977e8996310882bff23afabe |
| SHA256 | b1e106e634195be2da48cd373ece7f360d395f993524efa1120a63f67974e2d0 |
| SHA512 | caaab75206dc0c84cc05da916f8dae6d028c57bb558551931503e05b52a9bc9987fb4b69220915d163a4b6593014946b5e5b0997d5e982b26b144ace43410eef |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | a1ff977a25a5319639d43f75f61e4b7b |
| SHA1 | 02b1b98c0532a83f26b7dcb737b4ffc182e12194 |
| SHA256 | 6054500cadbbc1a4bcbe4a8ea596348ded509b7e23d71018dcce458d0d5ac100 |
| SHA512 | 2e506c0eb84e830940a38529d44db20d029319472cc20d947bdbbee2c201038f22bf5956d5798e619234b7d43e0f7f4a1097e475867deec311717068758501dd |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | a805d1e627eee45f3391f207cc5f0d85 |
| SHA1 | 439a42d883ff67fde6c344b80b9cbddb7e2137c7 |
| SHA256 | c0fcffc7694642d76d2751add6d6c3811ac18a77f42e243e12fcbc914e32e969 |
| SHA512 | 30fb31328e31887ea6401081d2bf97ec1029f8975692e71e02edd49fba11a09be2679e3269efc026ab4347d6ea5c3047acb3558b772ec608f5ef8e78f051c6a5 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | c54b70ef274bef452e8324dba0e841f0 |
| SHA1 | 7cdc06a47830d3234c557cb658582b4f76be754a |
| SHA256 | 235c47953fbe88acdd2e45ede65f5d83d58c6a43b0154e34fcb4f43fdcf85c3b |
| SHA512 | db8fc9d09b00bba89a44810effe1b1a3a098f0adbb0cd987c5eb61b3a7c64075da9949ba5546f6d9e0ff85fcb154700f7026b95dd139985075087e9d35a5c035 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 366ff2310cb06a1bc0b171b41ac5a7e6 |
| SHA1 | ee45afd4ee8592bc10696646e15e47cd1d521f61 |
| SHA256 | 6140cef0770b593460d0e235046f0e4d63c817ce9c9fd48c417422daa28d8345 |
| SHA512 | f5c06c61049b303d11685323159759c1045af70ff4f530fd27c8253956cf7d0caddb28be156a6fb5504f1e9596e3e64d14864c24a7fbcd687ade53560b8b1ed0 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\e1374cfe-32de-4fcc-bd59-a45a7afb391a.tmp
| MD5 | 70d5be8323a985b54ad9818a8471b765 |
| SHA1 | 601e3fabfd6cccd6bf3b585770557cde06808db4 |
| SHA256 | b02453f041d239dbcafc77bcf26d122645810d50da89a34c7c598fb3e51f6575 |
| SHA512 | c5ea2154c2d949845c97d71add142ec32cfc43df78c1e4eb59565feb0ddc5e3a64fdf22f5569ef191941c4cda0deb3e302ec008453dd58d3a86f9eb84fa67232 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000022
| MD5 | a2ade5db01e80467e87b512193e46838 |
| SHA1 | 40b35ee60d5d0388a097f53a1d39261e4e94616d |
| SHA256 | 154a7cfc19fb8827601d1f8eda3788b74e2018c96779884b13da73f6b1853a15 |
| SHA512 | 1c728558e68ed5c0a7d19d8f264ad3e3c83b173b3e3cd5f53f5f3b216ed243a16944dbe6b2159cfe40ee4a3813ca95a834f162073a296b72bbdedc15546be8f8 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000023
| MD5 | da4c2d9295fbab7844d4f29079dbb8d5 |
| SHA1 | 2e214261c9f3394badf103af57a2b9bd6f89a68c |
| SHA256 | b2f523dc352a436652fdfa66e899f589653015929b1add2da64eeb9650a7febd |
| SHA512 | 83a66de2c3593c960f5e7567f8c315f983245334f63bda67c7490570753bce7e865a1f752d15a5b6f795fb4cc4aa2a122ce6bcfb86bf3e116f00df7a558a92c7 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000021
| MD5 | a6d2a865e9f16ea305950181afef4fcf |
| SHA1 | 082145d33593f3a47d29c552276c88cf51beae8e |
| SHA256 | 2e5d94863281987de0afa1cfd58c86fde38fd3677c695268585161bc2d0448a2 |
| SHA512 | 6aa871d6b2b0d1af0bda0297d164e2d685bc53f09983e5a4e1205f4eb972a2017323c99c3cc627c3fb01381b66816e570f61d013d3775cddad285ac1b604cdc9 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000030
| MD5 | bd96190c3723c6828cc6601ee39d46d4 |
| SHA1 | 8ec0068e12d9f113b01d6077cf634f19079cbf53 |
| SHA256 | ed8fd1c5a4f0e11544b694ca505105c2a8fb4b643b41bae87b2b4f1ba14f8d1f |
| SHA512 | 7c649fdad52f9fe2bf76af6249b3d7de40ccdde73618c5b929fb16fe32e51873f7a73734e64b54e918a31d42d6430128c8801787e4ff5ee89fd9265ba9875dbd |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | e0702e56037b820445d21c39cce16107 |
| SHA1 | d6164c3791acfbff2767fa500450bcf6a0c1c23b |
| SHA256 | 0d9393997c622c05ec1876a33e0854e5ec198f8c74247ff336f914b5bcd63a54 |
| SHA512 | e395b5894a3680a2505e08cc1197dfc83a79d7a52f353d6c398dc4954c60fce057a6de6e4d83ed6bf4a05ca7850d5813f2026b6694b008d6a4911125c73ad257 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 0685d7f4243c7df013315f3618967eef |
| SHA1 | b2eebc44c79a374e15b9ff99ddc6dc9da750e031 |
| SHA256 | ad5947fcb2792d8db2e689d3a03ed7c6cea4415958f0b95f340a4b182d17be50 |
| SHA512 | 3f2cef60e223ad2baf3e7f8523dd43eb0e9cd544ce57a6d356cd6d9078ceff0cca49bb797420fbbab66283a34e4e950134ce47974f38c0f46b0be9e2823cd02d |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | de3676e48ad9221426c7104560794b6d |
| SHA1 | 98db1118fa192d5effeda30ca7a47942bc5bd670 |
| SHA256 | fa7daab4385b5058165afd15dfb242c8e48053bc52bd9761c9a1818fefad4d3b |
| SHA512 | 6dc2702c84cd57e91c7060c92f97ac2b32b183221100b5c99742c6eef30950291d7f51f3a9a71bce3d60ae817d01ec599769e9cf0fc130fc9109ae0a7ee0cab7 |
C:\Users\Admin\Downloads\Unconfirmed 428921.crdownload
| MD5 | 9c352d2ce0c0bdc40c72f52ce3480577 |
| SHA1 | bd4c956186f33c92eb4469f7e5675510d0790e99 |
| SHA256 | d7e6580054525d3f21f86edfc9f30b7a75ffa829a1eb67ee3cab33f0040dba4e |
| SHA512 | c1926d59272df0e049467f4497bcc3631bbc1aa5337e87f4af31bfdba60c9ef460e394380024ffa7e71fef8938761d48d75e9dc93dc7529d2b9c8c638dddae92 |
C:\Users\Admin\Downloads\Bonzify.exe:Zone.Identifier
| MD5 | fbccf14d504b7b2dbcb5a5bda75bd93b |
| SHA1 | d59fc84cdd5217c6cf74785703655f78da6b582b |
| SHA256 | eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913 |
| SHA512 | aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | e97fecf5b95f42b865b6a93d27870381 |
| SHA1 | b061be2a898d2361e50c4323ef52fe9c6f82b0a0 |
| SHA256 | 89996e5ad02dca79ae2354ff85ab3779e50045fd8a139657237033f1d8b7dd40 |
| SHA512 | 15e4bf48759479c72a82514ec5954825bcdd4c1508a33077b373db74bf01a82c85efd241c4288bfc947042c689e750d384c1a67535c6588d498a3bae6b1365c0 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 90e2c446ce079b8a8538659ed514c268 |
| SHA1 | b0353fd9f156cc19a7e3fec40ee40019e9c0ca47 |
| SHA256 | dd194151edb1cf1574b0a4ca215e7f8ff260bcedf76f0ef34b607bcddf739d69 |
| SHA512 | b46e388a5ed816caa3c52a7d1c43d7efe010837bfbb977d1cea34fa7939e5ac418a8ab3fcc522b6c768d6a45de8c4f78513440a9521331678a519c1fcdcaa8b4 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\temp-index
| MD5 | 54230c72237f8c1ceb777d057de35b5c |
| SHA1 | ee14bd6a66fcbb7326043053e5963ce8da929d6d |
| SHA256 | 3e5720ddab9323cbd566216d1a538ef5f2ff42071fa946e36f56a8261613be0f |
| SHA512 | e4bc99a412ef0767220d9916f0ec6115c1276807641fd3b5bcf82f1ce31ddefb9e489ccb2bc755c3d1cff8bfb28accf67d0a4e989f3b6227b245c6503d8ef4c7 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | f807689d0ff40af79970975a38c20242 |
| SHA1 | b598742567f4051cdcaf86bc46014ae2b94139d5 |
| SHA256 | 7dac35deed6578b85c0d026b2a486ea68d4f456adb3c1e47d65444de28371901 |
| SHA512 | c2b7a65a217d27ebeb2c28b949b0a7578c86ef45a37b3447ad2178577e11375e02417979650afead6e5a8b17c7ec4fe309b258a96a448a6edee65ff66c48ad7f |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | e7cc97488f32555a8ff291e293b603d5 |
| SHA1 | dddca7b94234eb68c970658fb7f89ffd6d12d701 |
| SHA256 | 876408cd2c6a5f451352587144f95f09f0a02ba90b2dc193820617cb2b12b564 |
| SHA512 | d3ae6902fa367347d430fb28f58a975f1689b7dbf15b0010f41184aa6e341277541cdf44f3ba4aeb37656dab8a9d47930dd5f86a62fb85fe44c79ce6d5c7dafa |
C:\Users\Admin\AppData\Local\Temp\KillAgent.bat
| MD5 | ea7df060b402326b4305241f21f39736 |
| SHA1 | 7d58fb4c58e0edb2ddceef4d21581ff9d512fdc2 |
| SHA256 | e4edc2cb6317ab19ee1a6327993e9332af35cfbebaff2ac7c3f71d43cfcbe793 |
| SHA512 | 3147615add5608d0dce7a8b6efbfb19263c51a2e495df72abb67c6db34f5995a27fde55b5af78bbd5a6468b4065942cad4a4d3cb28ab932aad9b0f835aafe4d0 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | d6aee4fcf2aa1d4a0e633c991795fd19 |
| SHA1 | 8350e5f06f31914c06c112eff3b99744073b319e |
| SHA256 | 75bcef0ffaf35422744e711c4a9fea1e41e00f4268d0853dce31d12e281ce844 |
| SHA512 | c57045ec87240bdd1345b2a3ee8975137508f1856a4bef2ae23a9793459f0055e35d991bc68d567e0e7e2511af91c708d0b5d2af712bd82a69676348ba7eab1e |
C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe
| MD5 | 66996a076065ebdcdac85ff9637ceae0 |
| SHA1 | 4a25632b66a9d30239a1a77c7e7ba81bb3aee9ce |
| SHA256 | 16ca09ad70561f413376ad72550ae5664c89c6a76c85c872ffe2cb1e7f49e2aa |
| SHA512 | e42050e799cbee5aa4f60d4e2f42aae656ff98af0548308c8d7f0d681474a9da3ad7e89694670449cdfde30ebe2c47006fbdc57cfb6b357c82731aeebc50901c |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ADVPACK.DLL
| MD5 | 81e5c8596a7e4e98117f5c5143293020 |
| SHA1 | 45b7fe0989e2df1b4dfd227f8f3b73b6b7df9081 |
| SHA256 | 7d126ed85df9705ec4f38bd52a73b621cf64dd87a3e8f9429a569f3f82f74004 |
| SHA512 | 05b1e9eef13f7c140eb21f6dcb705ee3aaafabe94857aa86252afa4844de231815078a72e63d43725f6074aa5fefe765feb93a6b9cd510ee067291526bb95ec6 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGT20.INF
| MD5 | e4a499b9e1fe33991dbcfb4e926c8821 |
| SHA1 | 951d4750b05ea6a63951a7667566467d01cb2d42 |
| SHA256 | 49e6b848f5a708d161f795157333d7e1c7103455a2f47f50895683ef6a1abe4d |
| SHA512 | a291bb986293197a16f75b2473297286525ac5674c08a92c87b5cc1f0f2e62254ea27d626b30898e7857281bdb502f188c365311c99bda5c2dd76da0c82c554a |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGENTCTL.DLL
| MD5 | 237e13b95ab37d0141cf0bc585b8db94 |
| SHA1 | 102c6164c21de1f3e0b7d487dd5dc4c5249e0994 |
| SHA256 | d19b6b7c57bcee7239526339e683f62d9c2f9690947d0a446001377f0b56103a |
| SHA512 | 9d0a68a806be25d2eeedba8be1acc2542d44ecd8ba4d9d123543d0f7c4732e1e490bad31cad830f788c81395f6b21d5a277c0bed251c9854440a662ac36ac4cb |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGENTSVR.EXE
| MD5 | 5c91bf20fe3594b81052d131db798575 |
| SHA1 | eab3a7a678528b5b2c60d65b61e475f1b2f45baa |
| SHA256 | e8ce546196b6878a8c34da863a6c8a7e34af18fb9b509d4d36763734efa2d175 |
| SHA512 | face50db7025e0eb2e67c4f8ec272413d13491f7438287664593636e3c7e3accaef76c3003a299a1c5873d388b618da9eaede5a675c91f4c1f570b640ac605d6 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGTCTL15.TLB
| MD5 | f1656b80eaae5e5201dcbfbcd3523691 |
| SHA1 | 6f93d71c210eb59416e31f12e4cc6a0da48de85b |
| SHA256 | 3f8adc1e332dd5c252bbcf92bf6079b38a74d360d94979169206db34e6a24cd2 |
| SHA512 | e9c216b9725bd419414155cfdd917f998aa41c463bc46a39e0c025aa030bc02a60c28ac00d03643c24472ffe20b8bbb5447c1a55ff07db3a41d6118b647a0003 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGT0409.DLL
| MD5 | 0cbf0f4c9e54d12d34cd1a772ba799e1 |
| SHA1 | 40e55eb54394d17d2d11ca0089b84e97c19634a7 |
| SHA256 | 6b0b57e5b27d901f4f106b236c58d0b2551b384531a8f3dad6c06ed4261424b1 |
| SHA512 | bfdb6e8387ffbba3b07869cb3e1c8ca0b2d3336aa474bd19a35e4e3a3a90427e49b4b45c09d8873d9954d0f42b525ed18070b949c6047f4e4cdb096f9c5ae5d5 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGT0409.HLP
| MD5 | 466d35e6a22924dd846a043bc7dd94b8 |
| SHA1 | 35e5b7439e3d49cb9dc57e7ef895a3cd8d80fb10 |
| SHA256 | e4ccf06706e68621bb69add3dd88fed82d30ad8778a55907d33f6d093ac16801 |
| SHA512 | 23b64ed68a8f1df4d942b5a08a6b6296ec5499a13bb48536e8426d9795771dbcef253be738bf6dc7158a5815f8dcc65feb92fadf89ea8054544bb54fc83aa247 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MSLWVTTS.DLL
| MD5 | 316999655fef30c52c3854751c663996 |
| SHA1 | a7862202c3b075bdeb91c5e04fe5ff71907dae59 |
| SHA256 | ea4ca740cd60d2c88280ff8115bf354876478ef27e9e676d8b66601b4e900ba0 |
| SHA512 | 5555673e9863127749fc240f09cf3fb46e2019b459ad198ba1dc356ba321c41e4295b6b2e2d67079421d7e6d2fb33542b81b0c7dae812fe8e1a87ded044edd44 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGTINST.INF
| MD5 | b127d9187c6dbb1b948053c7c9a6811f |
| SHA1 | b3073c8cad22c87dd9b8f76b6ffd0c4d0a2010d9 |
| SHA256 | bd1295d19d010d4866c9d6d87877913eee69e279d4d089e5756ba285f3424e00 |
| SHA512 | 88e447dd4db40e852d77016cfd24e09063490456c1426a779d33d8a06124569e26597bb1e46a3a2bbf78d9bffee46402c41f0ceb44970d92c69002880ddc0476 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGENTPSH.DLL
| MD5 | b4ac608ebf5a8fdefa2d635e83b7c0e8 |
| SHA1 | d92a2861d5d1eb67ab434ff2bd0a11029b3bd9a9 |
| SHA256 | 8414dfe399813b7426c235ba1e625bd2b5635c8140da0d0cfc947f6565fe415f |
| SHA512 | 2c42daade24c3ff01c551a223ee183301518357990a9cb2cc2dd7bf411b7059ff8e0bf1d1aee2d268eca58db25902a8048050bdb3cb48ae8be1e4c2631e3d9b4 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGENTANM.DLL
| MD5 | 48c00a7493b28139cbf197ccc8d1f9ed |
| SHA1 | a25243b06d4bb83f66b7cd738e79fccf9a02b33b |
| SHA256 | 905cb1a15eccaa9b79926ee7cfe3629a6f1c6b24bdd6cea9ccb9ebc9eaa92ff7 |
| SHA512 | c0b0a410ded92adc24c0f347a57d37e7465e50310011a9d636c5224d91fbc5d103920ab5ef86f29168e325b189d2f74659f153595df10eef3a9d348bb595d830 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGENTMPX.DLL
| MD5 | 4fbbaac42cf2ecb83543f262973d07c0 |
| SHA1 | ab1b302d7cce10443dfc14a2eba528a0431e1718 |
| SHA256 | 6550582e41fc53b8a7ccdf9ac603216937c6ff2a28e9538610adb7e67d782ab5 |
| SHA512 | 4146999b4bec85bcd2774ac242cb50797134e5180a3b3df627106cdfa28f61aeea75a7530094a9b408bc9699572cae8cf998108bde51b57a6690d44f0b34b69e |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGENTSR.DLL
| MD5 | 9fafb9d0591f2be4c2a846f63d82d301 |
| SHA1 | 1df97aa4f3722b6695eac457e207a76a6b7457be |
| SHA256 | e78e74c24d468284639faf9dcfdba855f3e4f00b2f26db6b2c491fa51da8916d |
| SHA512 | ac0d97833beec2010f79cb1fbdb370d3a812042957f4643657e15eed714b9117c18339c737d3fd95011f873cda46ae195a5a67ae40ff2a5bcbee54d1007f110a |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGENTDP2.DLL
| MD5 | a334bbf5f5a19b3bdb5b7f1703363981 |
| SHA1 | 6cb50b15c0e7d9401364c0fafeef65774f5d1a2c |
| SHA256 | c33beaba130f8b740dddb9980fe9012f9322ac6e94f36a6aa6086851c51b98de |
| SHA512 | 1fa170f643054c0957ed1257c4d7778976c59748670afa877d625aaa006325404bc17c41b47be2906dd3f1e229870d54eb7aba4a412de5adedbd5387e24abf46 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGENTDPV.DLL
| MD5 | 7c5aefb11e797129c9e90f279fbdf71b |
| SHA1 | cb9d9cbfbebb5aed6810a4e424a295c27520576e |
| SHA256 | 394a17150b8774e507b8f368c2c248c10fce50fc43184b744e771f0e79ecafed |
| SHA512 | df59a30704d62fa2d598a5824aa04b4b4298f6192a01d93d437b46c4f907c90a1bad357199c51a62beb87cd724a30af55a619baef9ecf2cba032c5290938022a |
C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe
| MD5 | 3f8f18c9c732151dcdd8e1d8fe655896 |
| SHA1 | 222cc49201aa06313d4d35a62c5d494af49d1a56 |
| SHA256 | 709936902951fb684d0a03a561fb7fd41c5e6f81ecd60d326809db66eb659331 |
| SHA512 | 398a83f030824011f102dbcf9b25d3ff7527c489df149e9acdb492602941409cf551d16f6f03c01bc6f63a2e94645ed1f36610bdaffc7891299a8d9f89c511f7 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\W95INF32.DLL
| MD5 | 4be7661c89897eaa9b28dae290c3922f |
| SHA1 | 4c9d25195093fea7c139167f0c5a40e13f3000f2 |
| SHA256 | e5e9f7c8dbd47134815e155ed1c7b261805eda6fddea6fa4ea78e0e4fb4f7fb5 |
| SHA512 | 2035b0d35a5b72f5ea5d5d0d959e8c36fc7ac37def40fa8653c45a49434cbe5e1c73aaf144cbfbefc5f832e362b63d00fc3157ca8a1627c3c1494c13a308fc7f |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\W95INF16.DLL
| MD5 | 7210d5407a2d2f52e851604666403024 |
| SHA1 | 242fde2a7c6a3eff245f06813a2e1bdcaa9f16d9 |
| SHA256 | 337d2fb5252fc532b7bf67476b5979d158ca2ac589e49c6810e2e1afebe296af |
| SHA512 | 1755a26fa018429aea00ebcc786bb41b0d6c4d26d56cd3b88d886b0c0773d863094797334e72d770635ed29b98d4c8c7f0ec717a23a22adef705a1ccf46b3f68 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tv_enua.inf
| MD5 | 0a250bb34cfa851e3dd1804251c93f25 |
| SHA1 | c10e47a593c37dbb7226f65ad490ff65d9c73a34 |
| SHA256 | 85189df1c141ef5d86c93b1142e65bf03db126d12d24e18b93dd4cc9f3e438ae |
| SHA512 | 8e056f4aa718221afab91c4307ff87db611faa51149310d990db296f979842d57c0653cb23d53fea54a69c99c4e5087a2eb37daa794ba62e6f08a8da41255795 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tv_enua.dll
| MD5 | ed98e67fa8cc190aad0757cd620e6b77 |
| SHA1 | 0317b10cdb8ac080ba2919e2c04058f1b6f2f94d |
| SHA256 | e0beb19c3536561f603474e3d5e3c3dff341745d317bc4d1463e2abf182bb18d |
| SHA512 | ec9c3a71ca9324644d4a2d458e9ba86f90deb9137d0a35793e0932c2aa297877ed7f1ab75729fda96690914e047f1336f100b6809cbc7a33baa1391ed588d7f0 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Msvcirt.dll
| MD5 | e7cd26405293ee866fefdd715fc8b5e5 |
| SHA1 | 6326412d0ea86add8355c76f09dfc5e7942f9c11 |
| SHA256 | 647f7534aaaedffa93534e4cb9b24bfcf91524828ff0364d88973be58139e255 |
| SHA512 | 1114c5f275ecebd5be330aa53ba24d2e7d38fc20bb3bdfa1b872288783ea87a7464d2ab032b542989dee6263499e4e93ca378f9a7d2260aebccbba7fe7f53999 |
C:\Windows\SysWOW64\SET7191.tmp
| MD5 | 497fd4a8f5c4fcdaaac1f761a92a366a |
| SHA1 | 81617006e93f8a171b2c47581c1d67fac463dc93 |
| SHA256 | 91cd76f9fa3b25008decb12c005c194bdf66c8d6526a954de7051bec9aae462a |
| SHA512 | 73d11a309d8f1a6624520a0bf56d539cb07adee6d46f2049a86919f5ce3556dc031437f797e3296311fe780a8a11a1a37b4a404de337d009e9ed961f75664a25 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\andmoipa.ttf
| MD5 | c3e8aeabd1b692a9a6c5246f8dcaa7c9 |
| SHA1 | 4567ea5044a3cef9cb803210a70866d83535ed31 |
| SHA256 | 38ae07eeb7909bda291d302848b8fe5f11849cf0d597f0e5b300bfed465aed4e |
| SHA512 | f74218681bd9d526b68876331b22080f30507898b6a6ebdf173490ca84b696f06f4c97f894cb6052e926b1eee4b28264db1ead28f3bc9f627b4569c1ddcd2d3e |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tv_enua.hlp
| MD5 | 80d09149ca264c93e7d810aac6411d1d |
| SHA1 | 96e8ddc1d257097991f9cc9aaf38c77add3d6118 |
| SHA256 | 382d745e10944b507a8d9c69ae2e4affd4acf045729a19ac143fa8d9613ccb42 |
| SHA512 | 8813303cd6559e2cc726921838293377e84f9b5902603dac69d93e217ff3153b82b241d51d15808641b5c4fb99613b83912e9deda9d787b4c8ccfbd6afa56bc9 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tvenuax.dll
| MD5 | 1587bf2e99abeeae856f33bf98d3512e |
| SHA1 | aa0f2a25fa5fc9edb4124e9aa906a52eb787bea9 |
| SHA256 | c9106198ecbd3a9cab8c2feff07f16d6bb1adfa19550148fc96076f0f28a37b0 |
| SHA512 | 43161c65f2838aa0e8a9be5f3f73d4a6c78ad8605a6503aae16147a73f63fe985b17c17aedc3a4d0010d5216e04800d749b2625182acc84b905c344f0409765a |
C:\Windows\msagent\chars\Bonzi.acs
| MD5 | 1fd2907e2c74c9a908e2af5f948006b5 |
| SHA1 | a390e9133bfd0d55ffda07d4714af538b6d50d3d |
| SHA256 | f3d4425238b5f68b4d41ed5be271d2f4118a245baf808a62dc1a9e6e619b2f95 |
| SHA512 | 8eede3e5e52209b8703706a3e3e63230ba01975348dcdc94ef87f91d7c833a505b177139683ca7a22d8082e72e961e823bc3ad1a84ab9c371f5111f530807171 |
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx
| MD5 | b5ad5caaaee00cb8cf445427975ae66c |
| SHA1 | dcde6527290a326e048f9c3a85280d3fa71e1e22 |
| SHA256 | b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8 |
| SHA512 | 92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f |
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock
| MD5 | f49655f856acb8884cc0ace29216f511 |
| SHA1 | cb0f1f87ec0455ec349aaa950c600475ac7b7b6b |
| SHA256 | 7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba |
| SHA512 | 599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8 |
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val
| MD5 | d222b77a61527f2c177b0869e7babc24 |
| SHA1 | 3f23acb984307a4aeba41ebbb70439c97ad1f268 |
| SHA256 | 80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747 |
| SHA512 | d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 01c4d648393e2c2ac9f6b4d12d83e3ff |
| SHA1 | e3c1a2d779ebc3685fe0033b28df4b05253dc9c2 |
| SHA256 | 05e147641a39a47f90c1032a0d6f55f0b6d1a2d3fce8b9b568bc629b37eaba94 |
| SHA512 | 9b94640e6438103c3732e3a43575e56f2c238b8290989dc27cb156af22d6ce7aedd4401f0a36bd2562cfc410393a018936308626eb0e94b70ba096b06f7f8e74 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | 20791bf6be750800480390f0fad12805 |
| SHA1 | 68cda24305a8676fba472fac05fefdb441fdfdbb |
| SHA256 | fb218b5178b60578a143086bfc97085ae5f37fde8a4b1433cdd9beb28f3bbc2b |
| SHA512 | 5a3896b442b9aaec3dd1285685a30ef2d34895b4b02a2594e144ad1671595866885df4bdf19350fc7d1251d81fed0083783f81128a44e3c6e0cfee53f94d9f4a |
memory/3276-1107-0x00000161ADAA0000-0x00000161ADBA0000-memory.dmp
memory/3276-1106-0x00000161ADAA0000-0x00000161ADBA0000-memory.dmp
memory/3276-1118-0x00000161CF4D0000-0x00000161CF5D0000-memory.dmp
memory/3276-1145-0x00000161E1220000-0x00000161E1240000-memory.dmp
memory/3276-1170-0x00000161E14B0000-0x00000161E15B0000-memory.dmp
memory/3276-1188-0x00000161E1490000-0x00000161E14B0000-memory.dmp
memory/3276-1189-0x00000161E1350000-0x00000161E1370000-memory.dmp
memory/3276-1273-0x00000161E5380000-0x00000161E5480000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | ab6200f973247e3b740ac3eec022d6bc |
| SHA1 | 9a896f27f0029a8bc23021006cdeb52a26fda509 |
| SHA256 | 25217da3e4db550ee9720432811a8b4a71dd81a60e1168e2347f8923cb6f7c2b |
| SHA512 | e59632d58c2b733e33a6efdf31ab8b1bfac13f16c420f3882b9cb896a4dc451c079847a85e46ae7cbe2e7e0c22f18f54e546d23ac89fc3165c89952e12fa00de |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 832ada86dd35938db8ce2b89bd1b1a70 |
| SHA1 | 53bfd8630fcec9f00ccc6d51b2f53f03d9be5051 |
| SHA256 | 2f0c8f94b50229873fb5a16dec3641766dabde3774a3f023c045047735200a02 |
| SHA512 | 72d4f2e2b794afa43d4c03c3cee9554379ba0127b5906316c7e48ab1ccb6fcfa8059ebd282b2259d74c34dc083c574d84f6a42667dd6b3c5ee7df713f74def00 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | fd7fbfcae2145a2762c1ce4b97691cbe |
| SHA1 | e980350c9b7fa48383f72f6316fb2929562ae07d |
| SHA256 | 4dfbc325e0bc9e6e0d73d10c6cd90aca31a75d63f38558e3d569cda9a05a865d |
| SHA512 | 6152cb8fcf7980da79cd7cf344fa6156eb7ca0a53a595cd0074c9302bec1474aed4b66a08399d1e301dad12827da2c82ac095efc098f472c59f38d1f1dfb435e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 9accbe94759f6d2c7b797154e05af342 |
| SHA1 | b0a56f2c577137f5eaedb9af917e1e205b175174 |
| SHA256 | 71ee134844c27211a72dbecf5c6c0625d0e0612a82c94f1655439bf73f2ddb3c |
| SHA512 | 403bf4f64757e19ed7e2018f81edfeabf3036c08b135aa0cf92046e507ec8a1fb84b445435039f6520e393c7639c9f4ab5f1a999790524d41ddb324245b4a2fa |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 5304181c51bf01eeb61f064949c9d547 |
| SHA1 | e787445e4dcc1f76410915281f3b30ad26b4b2dd |
| SHA256 | 35ae2ff360d4566c94ec33a5dfef970b74fbd76014d59a058967aca575ae05f7 |
| SHA512 | f9f739d85b9964709ab3420383c370cb7b5d3b49ae353c530abc72645405a8d88c11ed62985794288c3916566295ff6143a9f6e545c00a3f9acd85404cb724de |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | a0eeae8b90ccb4c221e25fdb1d1e4ad2 |
| SHA1 | a0629dd915b7c7072263f4ddef94f2149adc02e2 |
| SHA256 | 620a6e2488b903f02e1c019e9660aca1476d0e78733e8ac3fcad1a5f4be1d641 |
| SHA512 | e5fa21d091edd174e55e8ff0ef8a6e8ddc6651ab90d08538cb873ebb0f8332bc3fcff6af9a7cf58c63d6311f3a15a41274e6ef657bb2fb4d802a2cb0088d920a |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | c92afdffd5bdde849887ad54e5666da3 |
| SHA1 | 7d4dbd6f983931987f9910dcbff892c282031751 |
| SHA256 | b2b0782e4f2a85c2aa8955e0821f00981bb5f02343adc417d09ecb38f22f1290 |
| SHA512 | da11a1211e5b0e0bc82dc765731a2bdba3a5b593fdeb22ba93c744352d7c1c2b1902e7e8a04381726f940391f889a11d0fb84b56150ab488304a0c85ea528a5c |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 8fff97afd10524646172dbf792b90a55 |
| SHA1 | 57afdeb460774da56b3ea0c9f7c5ede0d252e447 |
| SHA256 | 63292ec4a68fb7df4630f20105574f0d1920e094512c5e1a30667294638bfd21 |
| SHA512 | 95e593c449544c29f854833c3ffaa0d7cc1d22389b0ab7a06f042220a55aee5708e671b9286addc1579d3c1e896e2f3160d379ff16e1231c823ff0690d9f5803 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 88dda15ea7eaa1e03b55a2ed06440739 |
| SHA1 | 50fb56f5d237ccca4e138a43b5a21327257fa516 |
| SHA256 | ba00bfda2e6a5ff73120d89d0851782cb1930466c23a268a5b23e9c9def50cc9 |
| SHA512 | f25e45df074f577497d86dd0ba04831a3c4b21eea4c49121abc9afc6d273fc9ea5e2376cecb7f50f559f1fada1bc162babc5de3079481357f32eb16c5164ebb3 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 10626ee36a776db796072bf02b57fef6 |
| SHA1 | 6fc2953e3cf2cf24c13a939a5233bcf46040f0f1 |
| SHA256 | e7f822691cadd3c8de8878809adaae946ff25cac9d7f34bb24667548b1743746 |
| SHA512 | 5c6017ea2cbb0ed3b9cc2e09de0953e137f46de1df3a5b76c664285eb75a5bd01cd139cc2cf5a271c7ad5398b460d6ffcd1bee3d970a74be82394252915ecab6 |
C:\HookDLL.dll
| MD5 | 999225434cdbb7bd18f35a1cc588aae7 |
| SHA1 | 0c66f98e346337c779fecd911fbf3b894c335f8b |
| SHA256 | fab2f350fadc87c2d4e3f826e0d5b237a2e07be768104a19bcdf32f77ff360ba |
| SHA512 | 55232a390a1e1152071658dccbf1bee283c13d9e77f34c0b1e5e8960fde9c92487898c75ce97e6fac76ab6b520dfead36e4ddc81f8b26717c452e97f623ff8e7 |
C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat
| MD5 | f80e36cd406022944558d8a099db0fa7 |
| SHA1 | fd7e93ca529ed760ff86278fbfa5ba0496e581ce |
| SHA256 | 7b41e5a6c2dd92f60c38cb4fe09dcbe378c3e99443f7baf079ece3608497bdc7 |
| SHA512 | 436e711ede85a02cd87ea312652ddbf927cf8df776448326b1e974d0a3719a9535952f4d3cc0d3cd4e3551b57231d7e916f317b119ab670e5f47284a90ab59a2 |
memory/4508-1497-0x0000000075670000-0x0000000075C72000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGTEULA.TXT
| MD5 | 7070b77ed401307d2e9a0f8eaaaa543b |
| SHA1 | 975d161ded55a339f6d0156647806d817069124d |
| SHA256 | 225d227abbd45bf54d01dfc9fa6e54208bf5ae452a32cc75b15d86456a669712 |
| SHA512 | 1c2257c9f99cf7f794b30c87ed42e84a23418a74bd86d12795b5175439706417200b0e09e8214c6670ecd22bcbe615fcaa23a218f4ca822f3715116324ad8552 |
memory/2460-1581-0x00000000747E0000-0x0000000074862000-memory.dmp
memory/4508-1618-0x0000000074890000-0x000000007497A000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | d593d59ca93730b22dedf116744a2edb |
| SHA1 | 7a9e8eacaacada8dd5801ed2b25c2c7b15ee7a64 |
| SHA256 | 5febbf9232c2fb664cac5429daa84ee609214887709df5ea3852d13f6612f926 |
| SHA512 | 740dca4d94643ae2ee5aaa0f07b7ef8187433ef6b535ec2ec1110cb62cffdbe1c3f5e913eb7c1624ab4c9879c9bc47d1c3ba6b65dc68278daab4c46c9303d0b1 |
C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe
| MD5 | 1d14d36c933b07891bda1f66cabf95c8 |
| SHA1 | 1e4f7f1f8b8973240870daef2010d4cc861d8ec4 |
| SHA256 | cad39c3a99e3621dbea48b91a24d23202626ca1147792c73771d23b32198d613 |
| SHA512 | 69c3088765877f855f0c89cc3a9bc31be4538f8c09856274509d2cc00a5f025f4a4db677d209dfdda1c69b4217eb3e90f1f9e83fdc87f7ffd78376d83f4c62f2 |
memory/2472-1768-0x0000000074980000-0x0000000075022000-memory.dmp
memory/2472-1769-0x00000000766E0000-0x0000000076932000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 7d1edaa077c250a1b5066fd4b60ad05d |
| SHA1 | 00b0691e6d42390e387d6888565b6ee3f35223a0 |
| SHA256 | 9e6a5441e28449b5ab762f03546da0b815a3af57a146e04737f280a77b893ee7 |
| SHA512 | 6c6c154e8805258cfb8e1cf60f42055ce80ec1b8744c927860e17d4d8ccb2fb387a701f0e5f9498b943f4268e229b5df7dff55789a38d2ab5a8d5853fee3e1a3 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 7d69fa64905ccc91ea62e499ba923ce8 |
| SHA1 | e37009bb3c3d3a396362e75dd8158c9df016db26 |
| SHA256 | af32230b0c500217848d9b3861ebaf1e5fa8c1d32238b1a84efe1c371ee98b6a |
| SHA512 | 678b04e02393fca0b19afc784b3c6161c09bb2a8e46f74cabcf19454a73f87682ddbc7a517f8b83d9675446ca060bb612ad1fc35f645b31acda70e22bd345009 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | f7281d3b5a1c690781c700e01027dbf2 |
| SHA1 | 8bd6f92d9ade3e4025f1b462c9d51b295b2d5e8b |
| SHA256 | 70d36a44abf9757a888e4efdd6a3b8f413ad3f25996c0c34c1f5dddf9abf7997 |
| SHA512 | 48551d14b40a0271191e48a42326a7ddd8f0099fbe6a14e0ef60dca9f91ae0c068180720811b9876b9b155710c4284b1c66246c27eed3568c17f847831f0baf8 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 6d4056e90fb62f12b73df3d427bee97d |
| SHA1 | 0e2369ad1d9ce898db6a1d6347d3cdf46a58d570 |
| SHA256 | 3a21b07150ec666d439b9cd17f003978da9a508a2146fb07c2ab778fee3f84f2 |
| SHA512 | 644ecaeaba42bb66b8a6659c9256b62036939c7799df13578bc812cd22385ce9254327a875fc47502e64ef96f83cb726fb56c2524a929ebb963c6a6985962165 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | ab441fabdc96fd3c3991d1706d84b0da |
| SHA1 | 3c0f96d180fd55856c79078f94a2b536385b9334 |
| SHA256 | 98066a9c6cfb012e39ff42b5244d295953327865eecd914aedf43689b7ef18f6 |
| SHA512 | f168e2ef8a9dab5f9ab46fec9eb0e6011e5eeb5b63c089c2011478cb382f605ba61a01b0bd880e74b0f7d1bfa3a925acac50dd20d8f643ab287d9c02d6bc0cca |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 4d2d6ffe61fffb9090a107807b4f2fd6 |
| SHA1 | 17d4c23cef2e97f8ae70b24c5ab1ea91ac544753 |
| SHA256 | 8e763575fdff9ed6f9de6679daf55e260e73b8b10a82b831d2a722262460a941 |
| SHA512 | c1dd682380b9eea36db1f4800a966692dbe39f8ab99db3ebc3c015a26e806f15b102034070c358c2e22f70d8cd7bbfdb76b9f5bfbac2b6bf869fbf64b629e02b |
C:\Users\Admin\Desktop\000.exe
| MD5 | d5671758956b39e048680b6a8275e96a |
| SHA1 | 33c341130bf9c93311001a6284692c86fec200ef |
| SHA256 | 4a900b344ef765a66f98cf39ac06273d565ca0f5d19f7ea4ca183786155d4a47 |
| SHA512 | 972e89ed8b7b4d75df0a05c53e71fb5c29edaa173d7289656676b9d2a1ed439be1687beddc6fb1fbf068868c3da9c3d2deb03b55e5ab5e7968858b5efc49fbe7 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms
| MD5 | 12bdcf8980aa33d4a340d5c4849fce78 |
| SHA1 | f2d0d7103267d4e4f1220efd2d56891e01a9490a |
| SHA256 | bb92a216efd03bc4512a6be11d33661d518380acfdb6791ecdf9b18cf4d467be |
| SHA512 | 346ff2867b0652f8bc10702de599cb6bd18a72b7e6ba8e66527988f343da3657785b173ba3887fd1928ae476aa5c32613e48c2cb206d3e789c6d639608a30833 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | a0d1884ed5baec4e41ad6f1280180cba |
| SHA1 | b3086650fd9511df9c8768121942d6451cc107d0 |
| SHA256 | af79f50b9992e3860af2179619ce3e5f36e18e9d2031b3c586b527c535d9e9a6 |
| SHA512 | b22d7a9fb496d210fa08452e7006711e3c38947e2b1538c2d4c0dbae37e81f8fbca2e6b7c5f0fcb7e4af1f14b74e58ef5d1c46c5d8370eb716bbcba1d7fe3255 |
C:\Users\Admin\Desktop\000.exe:Zone.Identifier
| MD5 | e6a602a9dd6e7986706bf3a960b7f9ad |
| SHA1 | 5ebc95f8613323b88625c61dc8fe38e66ec52c3c |
| SHA256 | 8c415625ec2105d4cd2f882eb23b07c029574f529d2d764de09b652320333ec2 |
| SHA512 | 689f6191252a5f5173151e157debad7d3a86afb25a7c3be19fad871931b4641efa3e12d50883a28706cfb435a0d21fab5b5d2612d01ecc8f54f3a116fb35eb50 |
memory/1192-1904-0x0000000000020000-0x00000000006CE000-memory.dmp
memory/1192-1907-0x0000000005EA0000-0x0000000006446000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML
| MD5 | 7050d5ae8acfbe560fa11073fef8185d |
| SHA1 | 5bc38e77ff06785fe0aec5a345c4ccd15752560e |
| SHA256 | cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b |
| SHA512 | a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b |
memory/1192-1925-0x0000000009280000-0x000000000928E000-memory.dmp
memory/1192-1924-0x00000000092C0000-0x00000000092F8000-memory.dmp
memory/1192-1941-0x0000000009410000-0x0000000009420000-memory.dmp
memory/1192-1940-0x0000000009410000-0x0000000009420000-memory.dmp
memory/1192-1942-0x0000000009410000-0x0000000009420000-memory.dmp
memory/1192-1939-0x0000000009410000-0x0000000009420000-memory.dmp
memory/1192-1947-0x00000000093D0000-0x00000000093E0000-memory.dmp
memory/1192-1946-0x0000000009410000-0x0000000009420000-memory.dmp
memory/1192-1944-0x00000000093D0000-0x00000000093E0000-memory.dmp
memory/1192-1945-0x0000000009410000-0x0000000009420000-memory.dmp
memory/1192-1943-0x00000000093D0000-0x00000000093E0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
| MD5 | 8a410ca32cfa68b6af87dd2a15895e22 |
| SHA1 | 78218033b8278df0e23513baaffdfc346efaf5cb |
| SHA256 | 078710f879b2d154a2ca8d9983b4ba9a90fc0be52a52c98658ad9c2c5fa5592c |
| SHA512 | de46b955a9e9ca25d045efae4f34367a5b5832d36e49291d0c5e237381af12045a479b0d53777ab135db15b7af09f24152d48210ba24e4ffe0bc815b9936972e |
memory/1192-1983-0x0000000073E90000-0x0000000074641000-memory.dmp
memory/1192-1988-0x0000000073E90000-0x0000000074641000-memory.dmp
memory/3660-1999-0x0000000000AA0000-0x0000000000AB0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\v.mp4
| MD5 | d2774b188ab5dde3e2df5033a676a0b4 |
| SHA1 | 6e8f668cba211f1c3303e4947676f2fc9e4a1bcc |
| SHA256 | 95374cf300097872a546d89306374e7cf2676f7a8b4c70274245d2dccfc79443 |
| SHA512 | 3047a831ed9c8690b00763061807e98e15e9534ebc9499e3e5abb938199f9716c0e24a83a13291a8fd5b91a6598aeeef377d6793f6461fc0247ec4bbd901a131 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 23a59726319223c836860ab069bcee7e |
| SHA1 | 51ad9952e932bc15e32940631e2766546e690750 |
| SHA256 | a241d401883c451ea931f4abad57fc59c8fc531c92b64ac243f09c2ad949a446 |
| SHA512 | 9f89f9a5a1e1ea9bdada7057d426941ca43ff1783cd02938e193a07539a232e361eb4cef97e262731dbfceabf97db71d15ef5e590bc00e3ad995ddc77711bcbb |
memory/1272-2033-0x00000000763A0000-0x000000007654C000-memory.dmp
C:\Users\Admin\Desktop\UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR N1XT.txt
| MD5 | 9037ebf0a18a1c17537832bc73739109 |
| SHA1 | 1d951dedfa4c172a1aa1aae096cfb576c1fb1d60 |
| SHA256 | 38c889b5d7bdcb79bbcb55554c520a9ce74b5bfc29c19d1e4cb1419176c99f48 |
| SHA512 | 4fb5c06089524c6dcd48b6d165cedb488e9efe2d27613289ef8834dbb6c010632d2bd5e3ac75f83b1d8024477ebdf05b9e0809602bbe1780528947c36e4de32f |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | b617fc20b7305442e2baed5fcdb9b66d |
| SHA1 | 2cdc3e8e3a7233d113223e14b1a25aa615fa4781 |
| SHA256 | b4860ac9e36b7eccab0342dfaed51d4de9d890d16de955cbdfe4275f011fd8de |
| SHA512 | 0103b8c3b4cf39452183d70a473553e4913abc40b26652d7444b43b6dda17ce00e9cd019884d02e83134d215b942ca0963090df12cebee451f0371b2fa90e124 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 7c513a262db2621314ec9097b7c51f1c |
| SHA1 | 997e42a5a1a6f013a707e7e00c0f0c716dec61f1 |
| SHA256 | 776d9a1b4761e589ed8b53eb33ff2fbc81b82bc98d9a42179ff70b87be3cd7a8 |
| SHA512 | 2f15cad38b55f9a7d80ca5c1dea381c8916b940f51b07893570dc3c70fbb4a942a1ffdb7929d5061e926959c1be67e916f6be9fe3ef70db4ec6ef5674e946813 |