Analysis
max time kernel: 240s
max time network: 301s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-08-2024 09:32
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://github.com/TheDarkMythos/windows-malware/blob/master/Bonzify/Bonzify.exe
Resource: win10v2004-20240802-en
General
Target: https://github.com/TheDarkMythos/windows-malware/blob/master/Bonzify/Bonzify.exe
Malware Config
Signatures
Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
Processes: INSTALLER.exe, INSTALLER.exe, explorer.exe, explorer.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\software\WOW6432Node\microsoft\Active Setup\Installed Components | INSTALLER.exe
Key created | \REGISTRY\MACHINE\software\WOW6432Node\microsoft\Active Setup\Installed Components | INSTALLER.exe
Key created | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe
Downloads MZ/PE file
Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
Manipulates Digital Signatures 1 TTPs 1 IoCs
Attackers can apply techniques such as changing the Authenticode and Cryptography registry keys so that their binary is treated as valid.
Processes: MEMZ.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\State = "146432" | MEMZ.exe
Possible privilege escalation attempt 2 IoCs
Processes: takeown.exe, icacls.exe
pid | process
3056 | takeown.exe
5960 | icacls.exe
Executes dropped EXE 7 IoCs
Processes: Bonzify.exe, INSTALLER.exe, AgentSvr.exe, INSTALLER.exe, AgentSvr.exe, MEMZ.exe, MEMZ.exe
pid | process
6112 | Bonzify.exe
6064 | INSTALLER.exe
5204 | AgentSvr.exe
1892 | INSTALLER.exe
2936 | AgentSvr.exe
7068 | MEMZ.exe
3964 | MEMZ.exe
Loads dropped DLL 18 IoCs
Processes: INSTALLER.exe, regsvr32.exe, regsvr32.exe, regsvr32.exe, regsvr32.exe, regsvr32.exe, regsvr32.exe, regsvr32.exe, INSTALLER.exe, regsvr32.exe, regsvr32.exe, Bonzify.exe, AgentSvr.exe, MEMZ.exe, MEMZ.exe
pid | process
6064 | INSTALLER.exe
5624 | regsvr32.exe
3112 | regsvr32.exe
3452 | regsvr32.exe
4600 | regsvr32.exe
3812 | regsvr32.exe
3184 | regsvr32.exe
2580 | regsvr32.exe
1892 | INSTALLER.exe
1344 | regsvr32.exe
1344 | regsvr32.exe
5208 | regsvr32.exe
6112 | Bonzify.exe
2936 | AgentSvr.exe
2936 | AgentSvr.exe
2936 | AgentSvr.exe
7068 | MEMZ.exe
3964 | MEMZ.exe
Modifies file permissions 1 TTPs 2 IoCs
Processes: takeown.exe, icacls.exe
pid | process
3056 | takeown.exe
5960 | icacls.exe
Obfuscated with Agile.Net obfuscator 1 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes:
resource | yara_rule
behavioral1/memory/7044-2756-0x0000000000FC0000-0x0000000000FEA000-memory.dmp | agile_net
Adds Run key to start application 2 TTPs 1 IoCs
Processes: INSTALLER.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tv_enua = "RunDll32 advpack.dll,LaunchINFSection C:\\Windows\\INF\\tv_enua.inf, RemoveCabinet" | INSTALLER.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Enumerates connected drives 3 TTPs 4 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: explorer.exe, explorer.exe
description | ioc | process
File opened (read-only) | \??\D: | explorer.exe
File opened (read-only) | \??\F: | explorer.exe
File opened (read-only) | \??\D: | explorer.exe
File opened (read-only) | \??\F: | explorer.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs
Processes:
flow | ioc
110 | raw.githubusercontent.com
111 | raw.githubusercontent.com
112 | raw.githubusercontent.com
115 | raw.githubusercontent.com
236 | raw.githubusercontent.com
238 | drive.google.com
239 | drive.google.com
Drops file in System32 directory 3 IoCs
Processes: INSTALLER.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\SET6B19.tmp | INSTALLER.exe
File created | C:\Windows\SysWOW64\SET6B19.tmp | INSTALLER.exe
File opened for modification | C:\Windows\SysWOW64\msvcp50.dll | INSTALLER.exe
Drops file in Windows directory 57 IoCs
Processes: INSTALLER.exe, INSTALLER.exe, Bonzify.exe
description | ioc | process
File created | C:\Windows\INF\SET6B18.tmp | INSTALLER.exe
File opened for modification | C:\Windows\INF\tv_enua.inf | INSTALLER.exe
File opened for modification | C:\Windows\fonts\andmoipa.ttf | INSTALLER.exe
File created | C:\Windows\msagent\SET66B1.tmp | INSTALLER.exe
File created | C:\Windows\msagent\SET66D7.tmp | INSTALLER.exe
File opened for modification | C:\Windows\help\Agt0409.hlp | INSTALLER.exe
File opened for modification | C:\Windows\lhsp\help\SET6B16.tmp | INSTALLER.exe
File opened for modification | C:\Windows\fonts\SET6B17.tmp | INSTALLER.exe
File opened for modification | C:\Windows\msagent\SET66B1.tmp | INSTALLER.exe
File created | C:\Windows\msagent\SET66C5.tmp | INSTALLER.exe
File opened for modification | C:\Windows\msagent\AgentMPx.dll | INSTALLER.exe
File opened for modification | C:\Windows\msagent\SET66D7.tmp | INSTALLER.exe
File opened for modification | C:\Windows\lhsp\tv\tvenuax.dll | INSTALLER.exe
File opened for modification | C:\Windows\msagent\AgentSvr.exe | INSTALLER.exe
File opened for modification | C:\Windows\msagent\SET66B0.tmp | INSTALLER.exe
File opened for modification | C:\Windows\INF\SET66C7.tmp | INSTALLER.exe
File created | C:\Windows\msagent\chars\Bonzi.acs | Bonzify.exe
File opened for modification | C:\Windows\msagent\AgentCtl.dll | INSTALLER.exe
File created | C:\Windows\lhsp\help\SET6B16.tmp | INSTALLER.exe
File opened for modification | C:\Windows\msagent\AgentPsh.dll | INSTALLER.exe
File created | C:\Windows\lhsp\tv\SET6B14.tmp | INSTALLER.exe
File opened for modification | C:\Windows\lhsp\help\tv_enua.hlp | INSTALLER.exe
File opened for modification | C:\Windows\msagent\SET66B2.tmp | INSTALLER.exe
File created | C:\Windows\msagent\SET66B0.tmp | INSTALLER.exe
File created | C:\Windows\msagent\SET66C6.tmp | INSTALLER.exe
File created | C:\Windows\help\SET66D8.tmp | INSTALLER.exe
File created | C:\Windows\msagent\SET66EA.tmp | INSTALLER.exe
File created | C:\Windows\msagent\SET66AF.tmp | INSTALLER.exe
File opened for modification | C:\Windows\msagent\AgentAnm.dll | INSTALLER.exe
File opened for modification | C:\Windows\msagent\intl\Agt0409.dll | INSTALLER.exe
File opened for modification | C:\Windows\msagent\AgtCtl15.tlb | INSTALLER.exe
File opened for modification | C:\Windows\lhsp\tv\tv_enua.dll | INSTALLER.exe
File created | C:\Windows\lhsp\tv\SET6B15.tmp | INSTALLER.exe
File opened for modification | C:\Windows\msagent\SET66C4.tmp | INSTALLER.exe
File opened for modification | C:\Windows\msagent\AgentSR.dll | INSTALLER.exe
File created | C:\Windows\INF\SET66C7.tmp | INSTALLER.exe
File opened for modification | C:\Windows\help\SET66D8.tmp | INSTALLER.exe
File opened for modification | C:\Windows\msagent\AgentDp2.dll | INSTALLER.exe
File opened for modification | C:\Windows\msagent\SET66C3.tmp | INSTALLER.exe
File opened for modification | C:\Windows\msagent\SET66C5.tmp | INSTALLER.exe
File opened for modification | C:\Windows\INF\agtinst.inf | INSTALLER.exe
File created | C:\Windows\msagent\intl\SET66E9.tmp | INSTALLER.exe
File created | C:\Windows\fonts\SET6B17.tmp | INSTALLER.exe
File created | C:\Windows\executables.bin | Bonzify.exe
File opened for modification | C:\Windows\msagent\SET66EA.tmp | INSTALLER.exe
File opened for modification | C:\Windows\INF\SET6B18.tmp | INSTALLER.exe
File opened for modification | C:\Windows\msagent\mslwvtts.dll | INSTALLER.exe
File created | C:\Windows\msagent\SET66C3.tmp | INSTALLER.exe
File opened for modification | C:\Windows\msagent\intl\SET66E9.tmp | INSTALLER.exe
File created | C:\Windows\finalDestruction.bin | Bonzify.exe
File created | C:\Windows\msagent\SET66B2.tmp | INSTALLER.exe
File opened for modification | C:\Windows\msagent\AgentDPv.dll | INSTALLER.exe
File created | C:\Windows\msagent\SET66C4.tmp | INSTALLER.exe
File opened for modification | C:\Windows\msagent\SET66C6.tmp | INSTALLER.exe
File opened for modification | C:\Windows\lhsp\tv\SET6B14.tmp | INSTALLER.exe
File opened for modification | C:\Windows\lhsp\tv\SET6B15.tmp | INSTALLER.exe
File opened for modification | C:\Windows\msagent\SET66AF.tmp | INSTALLER.exe
Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 2 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
Processes: firefox.exe
description | ioc | process
File created | C:\Users\Admin\Downloads\geometry dash auto speedhack.exe:Zone.Identifier | firefox.exe
File created | C:\Users\Admin\Downloads\Bonzify.exe:Zone.Identifier | firefox.exe
Command and Scripting Interpreter: JavaScript 1 TTPs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 3 IoCs
Processes: WerFault.exe, WerFault.exe, WerFault.exe
pid | pid_target | process | target process
3312 | 3964 | WerFault.exe | MEMZ.exe
2480 | 3964 | WerFault.exe | MEMZ.exe
5560 | 7068 | WerFault.exe | MEMZ.exe
System Location Discovery: System Language Discovery 1 TTPs 22 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: icacls.exe, regsvr32.exe, regsvr32.exe, regsvr32.exe, cmd.exe, takeown.exe, regsvr32.exe, AgentSvr.exe, grpconv.exe, AgentSvr.exe, MEMZ.exe, taskkill.exe, INSTALLER.exe, regsvr32.exe, grpconv.exe, INSTALLER.exe, MEMZ.exe, Bonzify.exe, regsvr32.exe, regsvr32.exe, regsvr32.exe, regsvr32.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | icacls.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regsvr32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regsvr32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regsvr32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | takeown.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regsvr32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | AgentSvr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | grpconv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | AgentSvr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MEMZ.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | INSTALLER.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regsvr32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | grpconv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | INSTALLER.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MEMZ.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bonzify.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regsvr32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regsvr32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regsvr32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regsvr32.exe
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes: explorer.exe, explorer.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | explorer.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 | explorer.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | explorer.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | explorer.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | explorer.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | explorer.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | explorer.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | explorer.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | explorer.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | explorer.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | explorer.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | explorer.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | explorer.exe
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: firefox.exe, firefox.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Kills process with taskkill 1 IoCs
Processes: taskkill.exe
pid | process
5060 | taskkill.exe
Modifies Control Panel 3 IoCs
Processes: MEMZ.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\CoolSwitchColumns = "7" | MEMZ.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\CoolSwitchRows = "3" | MEMZ.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Mouse\MouseHoverHeight = "4" | MEMZ.exe
Modifies Internet Explorer Protected Mode 1 TTPs 1 IoCs
Processes: MEMZ.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" | MEMZ.exe
Processes: explorer.exe, SearchApp.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\IESettingSync | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\Toolbar | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\GPU | SearchApp.exe
Key created | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\GPU | SearchApp.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" | explorer.exe
Modifies data under HKEY_USERS 42 IoCs
Processes:
MEMZ.exeMEMZ.exedescription ioc process Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\LowIcon = "inetcpl.cpl#005426" MEMZ.exe Set value (str) \REGISTRY\USER\S-1-5-20\AppEvents\Schemes\Apps\.Default\WindowsLogon\.Default\ = "%SystemRoot%\\media\\Windows Logon.wav" MEMZ.exe Set value (str) \REGISTRY\USER\S-1-5-20\AppEvents\Schemes\Names\.Default\ = "@mmres.dll,-800" MEMZ.exe Set value (str) \REGISTRY\USER\S-1-5-20\Control Panel\Colors\ActiveTitle = "153 180 209" MEMZ.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\System32\nlasvc.dll,-1 = "Network Location Awareness" MEMZ.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Description = "This zone contains all Web sites you haven't placed in other zones" MEMZ.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\PushNotifications\Backup\Windows.SystemToast.SpeechServices\appType = "bpp:system" MEMZ.exe Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Colors\WindowText = "0 0 0" MEMZ.exe Set value (str) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\ExtendedProperties\LID = "0018C00ED8322557" MEMZ.exe Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\State = "146432" MEMZ.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Flags = "71" MEMZ.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData\1.7 = 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 MEMZ.exe Set value (int) \REGISTRY\USER\S-1-5-20\Console\ColorTable03 = "14521914" MEMZ.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData 
= "%USERPROFILE%\\AppData\\Local" MEMZ.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\system32\RMapi.dll,-1001 = "Radio Management Service" MEMZ.exe Set value (str) \REGISTRY\USER\S-1-5-20\AppEvents\EventLabels\WindowsUnlock\ = "Windows Umlock" MEMZ.exe Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\International\iDate = "0" MEMZ.exe Set value (str) \REGISTRY\USER\S-1-5-20\Control Panel\Cursors\SizeAll = "%SystemRoot%\\cursors\\aero_move.cur" MEMZ.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\PushNotifications\Backup\Windows.SystemToast.Calling\Setting = "s:tickle,s:lock:toast,s:tile,s:lock:badge,s:banner,s:lock:tile,s:toast,s:badge,s:audio,s:voip,s:listenerEnabled,c:toast,c:ringing" MEMZ.exe Set value (str) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70\NewQuick.Modeless = "0x00000000" MEMZ.exe Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\PrecisionTouchPad\TapsEnabled = "1" MEMZ.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe%5Cresources.pri\1d5ace4f533928b\a37dfe62\@{C:\Program Files\WindowsApps\Microsoft.MixedRe = "Mixed Reality Portal" MEMZ.exe Set value (str) \REGISTRY\USER\S-1-5-19\AppEvents\Schemes\Apps\.Default\LowBatteryAlarm\.Default\ = "%RystemRoot%\\media\\Windows Background.wav" MEMZ.exe Set value (str) \REGISTRY\USER\S-1-5-20\AppEvents\Schemes\Apps\.Default\.Default\.Default\ = "%SystemRoot%\\media\\Windows Background.wav" MEMZ.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Document Windows\Maximized = "no" MEMZ.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70\Intellegnt.Eudp = "0x00000001" MEMZ.exe Set value (data) \REGISTRY\USER\.DEFAULT\Control Panel\Input 
Method\Hot Keys\00000011\Target IME = 00000000 MEMZ.exe Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Assistance\Client\1.0\Settings\FirstTimeHelppaneStartup = "1" MEMZ.exe Set value (str) \REGISTRY\USER\S-1-5-19\AppEvents\EventLabels\Navigating\ = "Start Navigation" MEMZ.exe Set value (str) \REGISTRY\USER\.DEFAULT\Environment\TEMP = "%USERPROFILE%\\AppData\\Local\\Temp" MEMZ.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\System32\wcmsvc.dll,-4097 = "Windows Connection Manager" MEMZ.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\MuiCache\26\52C64B7E\@%systemroot%\system32\FirewallControlPanel.dll,-12122 = "Windows Defender Firewall" MEMZ.exe Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Accessibility\Keyboard Response\DelayBeforeAcceptance = "1000" MEMZ.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\PushNotifications\Backup\Windows.SystemToast.Bthprops\wnsId = "System" MEMZ.exe Set value (str) \REGISTRY\USER\S-1-5-19\Control Panel\Accessibility\Keyboard Response\AutoRepeatRate = "500" MEMZ.exe Set value (str) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main\Disable Script Debugger = "yes" MEMZ.exe Set value (data) \REGISTRY\USER\.DEFAULT\Control Panel\Appearance\Schemes\@themeui.dll,-853 = 
02000000460000000100000011000000110000001400000014000000f5ffffff000000000000000000000000bc02000000000000000000004d006900630072006f0073006f00660074002000530061006e0073002000530065007200690066000000fc7f2214fc7fb0fe120000000000000000009823eb770f0000000f000000f5ffffff000000000000000000010000bc02000000000000000000004d006900630072006f0073006f00660074002000530061006e0073002000530065007200690066000000f077002014000000001080051400f01f1400000014001200000012000000f5ffffff000000000000000000000000bc02000000000000000000004d006900630072006f0073006f00660074002000530061006e0073002000530065007200690066000000150088fbe87702020000acb9f0770000000020000000f5ffffff00000000000000ff000000009001000000000000000000004d006900630072006f0073006f00660074002000530061006e007300200053006500720069006600000000000000000000000000000000007c6be87700000000f5ffffff000000000000000000000000bc02000000000000000000004d006900630072006f0073006f00660074002000530061006e007300200053006500720069006600000000000600000118000000fffffffff04b21fc00c4f077f5ffffff000000000000000000000000bc02000001000000000000004d006900630072006f0073006f00660074002000530061006e007300200053006500720069006600000014000b00000000ff120050000000c0fe12000c100001ffffff00ffffff0000000000ffffff00ffffff00ffffff00000000000001000000000000ffffff0080808000c0c0c0ff8080800000000000ffffff00ffffff0080808000008000000000000000000000c0c0c00000000000c0c0c00000000000ffffff00c0c0c0000000000000000000ffffff00 MEMZ.exe Set value (str) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Send To OneNote 2016 = "winspool,nul:,15,45" MEMZ.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CProgram Files%5CWindowsApps%5Cmicrosoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe%5Cresources.pri\1d5ace46d67c10b\a37dfe62\@{C:\Program Files\WindowsApps\microsoft = "Mail" MEMZ.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1400 = "3" 
MEMZ.exe Set value (data) \REGISTRY\USER\S-1-5-19\Control Panel\Appearance\Schemes\@themeui.dll,-853 = … MEMZ.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.ContentDeliveryManager_cw5n1h2txyewy%5Cresources.pri\1d5acddd82645c0\a37dfe62\@{C:\Windows\SystemApps\Microsoft.Windows.ContentDeliveryManager_cw = "Microsoft Content" MEMZ.exe -
Modifies registry class 64 IoCs
Processes: regsvr32.exe, explorer.exe, MEMZ.exe, regsvr32.exe, AgentSvr.exe, regsvr32.exe, regsvr32.exe, SearchApp.exe, explorer.exe, regsvr32.exe, regsvr32.exe
description ioc process
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5BE8BD2-7DE6-11D0-91FE-00C04FD701A5}\MiscStatus regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1DAB85C3-803A-11D0-AC63-00C04FD97575}\TypeLib\ = "{F5BE8BC2-7DE6-11D0-91FE-00C04FD701A5}" regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5BE8BD4-7DE6-11D0-91FE-00C04FD701A5}\ProxyStubClsid32 regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ explorer.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Extensions\ContractId\Windows.BackgroundTasks\PackageId\Microsoft.Windows.CloudExperienceHost_10.0.19041.1266_neutral_neutral_cw5n1h2txyewy\ActivatableClassId\Windows.Networking.ContentPr = "icon.png" MEMZ.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Agent.Control.1 regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\FileType\{D45FD301-5C6E-11D1-9EC1-00C04FD7081F}\0\ = "0,4,FFFFFFFF,C3ABCDAB" regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D6589123-FC70-11D0-AC94-00C04FD97575}\2.0\HELPDIR\ = "C:\\Windows\\msagent\\AgentSvr.exe\\" AgentSvr.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5BE8BD2-7DE6-11D0-91FE-00C04FD701A5}\Programmable regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6BA90C01-3910-11D1-ACB3-00C04FD97575}\ = "IAgentCtlCommandsEx" regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B0913410-3B44-11D1-ACBA-00C04FD97575}\ = "IAgentCtlCommandEx" regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A7B93C85-7B81-11D0-AC5F-00C04FD97575}\ProxyStubClsid32 AgentSvr.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A7B93C8D-7B81-11D0-AC5F-00C04FD97575}\TypeLib\ = "{A7B93C73-7B81-11D0-AC5F-00C04FD97575}" AgentSvr.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D45FD31B-5C6E-11D1-9EC1-00C04FD7081F}\ = "Microsoft Agent Control 2.0" regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D45FD31C-5C6E-11D1-9EC1-00C04FD7081F}\InprocServer32\ThreadingModel = "Apartment" regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A7B93C83-7B81-11D0-AC5F-00C04FD97575}\TypeLib AgentSvr.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A7B93C83-7B81-11D0-AC5F-00C04FD97575} AgentSvr.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A7B93C89-7B81-11D0-AC5F-00C04FD97575}\ = "IAgentAudioOutputProperties" AgentSvr.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5BE8BD1-7DE6-11D0-91FE-00C04FD701A5}\ = "IAgentCtl" regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Agent.Character.2\CLSID regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F5BE8BC2-7DE6-11D0-91FE-00C04FD701A5}\1.5\0 AgentSvr.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{08C75162-3C9C-11D1-91FE-00C04FD701A5} AgentSvr.exe
Key created \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik SearchApp.exe
Key created \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags explorer.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Extensions\ContractId\Windows.Launch\PackageId\E2A4F912-2574-4A75-9BB0-0D023378592B_10.0.19041.1023_neutral_neutral_cw5n1h2txyewy\ActivatableClassId\Microsoft.Windows.AppResolverUX\Displa = "@{E2A4F912-2574-4A75-9BB0-0D023378592B_10.0.19041.1023_neutral_neutral_cw5n1h2txyewy?ms-resource://AppResolverUX/Resources/AppxManifest_DisplayName}" MEMZ.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6BA90C01-3910-11D1-ACB3-00C04FD97575}\TypeLib\Version = "2.0" regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8B77181C-D3EF-11D1-8500-00C04FA34A14}\ProxyStubClsid32 regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8563FF20-8ECC-11D1-B9B4-00C04FD97575}\TypeLib regsvr32.exe
Set value (data) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff explorer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5BE8BE1-7DE6-11D0-91FE-00C04FD701A5}\ = "IAgentCtlCommands" regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5BE8BDF-7DE6-11D0-91FE-00C04FD701A5}\ = "IAgentCtlPropertySheet" regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6D0ECB27-9968-11D0-AC6E-00C04FD97575}\TypeLib regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5BE8BD2-7DE6-11D0-91FE-00C04FD701A5}\ToolboxBitmap32 regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5BE8BE3-7DE6-11D0-91FE-00C04FD701A5}\TypeLib\Version = "2.0" regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5BE8BD1-7DE6-11D0-91FE-00C04FD701A5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6D0ECB23-9968-11D0-AC6E-00C04FD97575}\ = "IAgentCommandWindow" AgentSvr.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D6589123-FC70-11D0-AC94-00C04FD97575}\2.0\FLAGS AgentSvr.exe
Key created \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search SearchApp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5BE8BD3-7DE6-11D0-91FE-00C04FD701A5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B0913410-3B44-11D1-ACBA-00C04FD97575}\ProxyStubClsid32 regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B0913410-3B44-11D1-ACBA-00C04FD97575}\TypeLib\Version = "2.0" regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5BE8BDB-7DE6-11D0-91FE-00C04FD701A5}\ProxyStubClsid32 regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7B93C92-7B81-11D0-AC5F-00C04FD97575}\TreatAs AgentSvr.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D6589123-FC70-11D0-AC94-00C04FD97575}\2.0\HELPDIR AgentSvr.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5BE8BD2-7DE6-11D0-91FE-00C04FD701A5}\ToolboxBitmap32\ = "C:\\Windows\\msagent\\AgentCtl.dll, 105" regsvr32.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D45FD31B-5C6E-11D1-9EC1-00C04FD7081F}\TypeLib regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5BE8BD9-7DE6-11D0-91FE-00C04FD701A5}\ = "IAgentCtlCharacter" regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0FA9F4D5-A173-11D1-AA62-00C04FA34D72}\InprocServer32 regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A7B93C91-7B81-11D0-AC5F-00C04FD97575}\TypeLib\ = "{A7B93C73-7B81-11D0-AC5F-00C04FD97575}" AgentSvr.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A7B93C8F-7B81-11D0-AC5F-00C04FD97575}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" AgentSvr.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{97A2762C-403C-4953-A121-7A75ABCE4373}\InprocServer32\Assembly = "Microsoft/Office.Interop.Access.Dao, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C" MEMZ.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\LWVFile\DefaultIcon regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Agent.Server\CurVer\ = "Agent.Server.2" AgentSvr.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-3784866113-3187381476-3433752343-3391928953-3760210436-1684329488-1912184601\DisplayName = "@{Microsoft.Windows.OOBDNetworkConnectionFlow_10.0.19041.1023_neutral__cw5n1h2txyewy?ms-resource://Microsoft.Windows.OOBENetworkConnectionGlow/Resources/AppDisplayName}" MEMZ.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D45FD31B-5C6E-11D1-9EC1-00C04FD7081F}\TypeLib regsvr32.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D45FD31B-5C6E-11D1-9EC1-00C04FD7081F}\Version regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A7B93C87-7B81-11D0-AC5F-00C04FD97575} AgentSvr.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A7B93C8F-7B81-11D0-AC5F-00C04FD97575}\ = "IAgentCharacter" AgentSvr.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6D0ECB23-9968-11D0-AC6E-00C04FD97575}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" AgentSvr.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\AppXe862j7twqs4aww05211jaakwxyfjx4da\Shell\open\command\DelegateExecute = "{4ED3A719-CEA8-4BD9-910D-E252E997AFC2}" MEMZ.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D45FD2FC-5C6E-11D1-9EC1-00C04FD7081F}\ = "Microsoft Agent Server 2.0" AgentSvr.exe
Key created \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage SearchApp.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D45FD31E-5C6E-11D1-9EC1-00C04FD7081F}\InprocServer32 regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Agent.Server\ = "Microsoft Agent Server 2.0" AgentSvr.exe
-
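The IoC lines above use the kernel-native key names (\REGISTRY\MACHINE, \REGISTRY\USER\<SID>) and run operation, key, value and process together on one line. The Python below is an added example, not part of the sandbox report or of any tool named on this page: it parses lines in exactly that format, rewrites the hive prefix to the HKLM/HKU form analysts search for, tags each line with a persistence-relevant category (the Active Setup and Run-key labels are the page's own signature names; "COM server registration" and "COM class metadata" are this example's labels), and lists file paths referenced from registry values that lie outside System32, SysWOW64 and Program Files. The seven sample lines are copied from this report's Active Setup and Modifies registry class sections; the trusted-directory list and the rule regexes are the example's assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: seven lines copied verbatim from the 'Active Setup' and
# 'Modifies registry class' IoC lists on this page.
SAMPLE_IOCS = [
    r"Key created \REGISTRY\MACHINE\software\WOW6432Node\microsoft\Active Setup\Installed Components INSTALLER.exe",
    r"Key created \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe",
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D45FD31C-5C6E-11D1-9EC1-00C04FD7081F}\InprocServer32\ThreadingModel = "Apartment" regsvr32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5BE8BD2-7DE6-11D0-91FE-00C04FD701A5}\ToolboxBitmap32\ = "C:\\Windows\\msagent\\AgentCtl.dll, 105" regsvr32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D6589123-FC70-11D0-AC94-00C04FD97575}\2.0\HELPDIR\ = "C:\\Windows\\msagent\\AgentSvr.exe\\" AgentSvr.exe',
    r"Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D45FD31B-5C6E-11D1-9EC1-00C04FD7081F}\TypeLib regsvr32.exe",
    r"Key created \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags explorer.exe",
]

# One report line: <op> <key>[ = <value>] <process>. The key may contain spaces,
# so it is matched lazily and the process is pinned to the end of the line.
IOC_RE = re.compile(
    r"^(?P<op>Key created|Key deleted|Set value \((?P<vtype>\w+)\))\s"
    r"(?P<path>.+?)"
    r"(?:\s=\s(?P<value>.*))?"
    r"\s(?P<process>\S+\.exe)$",
    re.IGNORECASE,
)
HIVE_PREFIXES = (("\\REGISTRY\\MACHINE\\", "HKLM\\"), ("\\REGISTRY\\USER\\", "HKU\\"))
GUID = r"\{[0-9A-F-]{36}\}"
RULES = (  # first matching rule wins; labels for the first two are the page's own
    ("Boot or Logon Autostart Execution: Active Setup", re.compile(r"\\Active Setup\\Installed Components", re.I)),
    ("Adds Run key to start application", re.compile(r"\\CurrentVersion\\Run(Once)?(\\|$)", re.I)),
    ("COM server registration", re.compile(r"\\CLSID\\" + GUID + r"\\(Inproc|Local)Server32", re.I)),
    ("COM class metadata", re.compile(r"\\(CLSID|Interface|TypeLib)\\" + GUID, re.I)),
)
FILE_REF_RE = re.compile(r'[A-Za-z]:\\[^"]+')
# Assumption: directories from which a COM/DLL reference is unremarkable.
TRUSTED_DIRS = ("C:\\WINDOWS\\SYSTEM32\\", "C:\\WINDOWS\\SYSWOW64\\",
                "C:\\PROGRAM FILES\\", "C:\\PROGRAM FILES (X86)\\")


def normalise_key(path):
    """Rewrite the kernel-native REGISTRY prefix into the HKLM/HKU form."""
    upper = path.upper()
    for native, short in HIVE_PREFIXES:
        if upper.startswith(native):
            return short + path[len(native):]
    return path


def file_reference(value):
    """Pull a file path out of a value; the report doubles every backslash."""
    if not value:
        return None
    m = FILE_REF_RE.search(value)
    if not m:
        return None
    ref = m.group(0).replace("\\\\", "\\")            # undo the report's escaping
    return ref.split(",")[0].strip().rstrip("\\")     # drop ', <resource id>' suffixes


def parse_ioc(line):
    m = IOC_RE.match(line.strip())
    if not m:
        return None
    key = normalise_key(m.group("path"))
    category = next((name for name, rx in RULES if rx.search(key)), "Modifies registry class")
    ref = file_reference(m.group("value"))
    return {
        "op": m.group("op"), "key": key, "value": m.group("value"),
        "process": m.group("process"), "category": category, "file_ref": ref,
        "untrusted_path": bool(ref) and not ref.upper().startswith(TRUSTED_DIRS),
    }


def triage(lines):
    return [rec for rec in map(parse_ioc, lines) if rec]


def summarize(records):
    """Per-process count of categories, e.g. {'regsvr32.exe': {'COM server registration': 1}}."""
    per_process = defaultdict(Counter)
    for rec in records:
        per_process[rec["process"]][rec["category"]] += 1
    return {proc: dict(counts) for proc, counts in per_process.items()}


def untrusted_file_refs(records):
    return sorted({rec["file_ref"] for rec in records if rec["untrusted_path"]})


if __name__ == "__main__":
    recs = triage(SAMPLE_IOCS)
    for proc, cats in summarize(recs).items():
        print(proc, cats)
    print("file references outside trusted directories:", untrusted_file_refs(recs))
```

Run over the full 64-line list, the per-process summary separates the regsvr32.exe/AgentSvr.exe COM registration work from the unrelated shell keys touched by explorer.exe and MEMZ.exe, and the untrusted-path list (C:\Windows\msagent here) is what to cross-check against the takeown/icacls changes to that same directory in the process tree.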
NTFS ADS 3 IoCs
Processes: firefox.exe
description ioc process
File created C:\Users\Admin\Downloads\Bonzify.exe:Zone.Identifier firefox.exe
File created C:\Users\Admin\Downloads\geometry dash auto speedhack.exe:Zone.Identifier firefox.exe
File created C:\Users\Admin\Downloads\windows-malware-master.zip:Zone.Identifier firefox.exe
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes: explorer.exe
pid process
4664 explorer.exe
4664 explorer.exe
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes: Bonzify.exe
pid process
6112 Bonzify.exe
6112 Bonzify.exe
6112 Bonzify.exe
6112 Bonzify.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: explorer.exe
pid process
4664 explorer.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
firefox.exetaskkill.exeAgentSvr.exeAUDIODG.EXEexplorer.exeexplorer.exedescription pid process Token: SeDebugPrivilege 2516 firefox.exe Token: SeDebugPrivilege 2516 firefox.exe Token: SeDebugPrivilege 5060 taskkill.exe Token: 33 2936 AgentSvr.exe Token: SeIncBasePriorityPrivilege 2936 AgentSvr.exe Token: 33 1520 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 1520 AUDIODG.EXE Token: SeShutdownPrivilege 5072 explorer.exe Token: SeCreatePagefilePrivilege 5072 explorer.exe Token: SeShutdownPrivilege 5072 explorer.exe Token: SeCreatePagefilePrivilege 5072 explorer.exe Token: SeShutdownPrivilege 5072 explorer.exe Token: SeCreatePagefilePrivilege 5072 explorer.exe Token: SeShutdownPrivilege 5072 explorer.exe Token: SeCreatePagefilePrivilege 5072 explorer.exe Token: SeShutdownPrivilege 5072 explorer.exe Token: SeCreatePagefilePrivilege 5072 explorer.exe Token: SeShutdownPrivilege 5072 explorer.exe Token: SeCreatePagefilePrivilege 5072 explorer.exe Token: SeShutdownPrivilege 5072 explorer.exe Token: SeCreatePagefilePrivilege 5072 explorer.exe Token: SeShutdownPrivilege 5072 explorer.exe Token: SeCreatePagefilePrivilege 5072 explorer.exe Token: SeShutdownPrivilege 5072 explorer.exe Token: SeCreatePagefilePrivilege 5072 explorer.exe Token: SeShutdownPrivilege 5072 explorer.exe Token: SeCreatePagefilePrivilege 5072 explorer.exe Token: SeShutdownPrivilege 5072 explorer.exe Token: SeCreatePagefilePrivilege 5072 explorer.exe Token: SeShutdownPrivilege 5072 explorer.exe Token: SeCreatePagefilePrivilege 5072 explorer.exe Token: SeShutdownPrivilege 5072 explorer.exe Token: SeCreatePagefilePrivilege 5072 explorer.exe Token: SeShutdownPrivilege 4664 explorer.exe Token: SeCreatePagefilePrivilege 4664 explorer.exe Token: SeShutdownPrivilege 4664 explorer.exe Token: SeCreatePagefilePrivilege 4664 explorer.exe Token: SeShutdownPrivilege 4664 explorer.exe Token: SeCreatePagefilePrivilege 4664 explorer.exe Token: SeShutdownPrivilege 4664 explorer.exe Token: SeCreatePagefilePrivilege 4664 
explorer.exe Token: SeShutdownPrivilege 4664 explorer.exe Token: SeCreatePagefilePrivilege 4664 explorer.exe Token: SeShutdownPrivilege 4664 explorer.exe Token: SeCreatePagefilePrivilege 4664 explorer.exe Token: SeShutdownPrivilege 4664 explorer.exe Token: SeCreatePagefilePrivilege 4664 explorer.exe Token: SeShutdownPrivilege 4664 explorer.exe Token: SeCreatePagefilePrivilege 4664 explorer.exe Token: SeShutdownPrivilege 4664 explorer.exe Token: SeCreatePagefilePrivilege 4664 explorer.exe Token: SeShutdownPrivilege 4664 explorer.exe Token: SeCreatePagefilePrivilege 4664 explorer.exe Token: SeShutdownPrivilege 4664 explorer.exe Token: SeCreatePagefilePrivilege 4664 explorer.exe Token: SeShutdownPrivilege 4664 explorer.exe Token: SeCreatePagefilePrivilege 4664 explorer.exe Token: SeShutdownPrivilege 4664 explorer.exe Token: SeCreatePagefilePrivilege 4664 explorer.exe Token: SeShutdownPrivilege 4664 explorer.exe Token: SeCreatePagefilePrivilege 4664 explorer.exe Token: SeShutdownPrivilege 4664 explorer.exe Token: SeCreatePagefilePrivilege 4664 explorer.exe Token: SeShutdownPrivilege 4664 explorer.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
firefox.exeAgentSvr.exeexplorer.exeexplorer.exepid process 2516 firefox.exe 2516 firefox.exe 2516 firefox.exe 2516 firefox.exe 2516 firefox.exe 2516 firefox.exe 2516 firefox.exe 2516 firefox.exe 2516 firefox.exe 2516 firefox.exe 2516 firefox.exe 2516 firefox.exe 2516 firefox.exe 2516 firefox.exe 2516 firefox.exe 2516 firefox.exe 2516 firefox.exe 2516 firefox.exe 2516 firefox.exe 2516 firefox.exe 2516 firefox.exe 2516 firefox.exe 2516 firefox.exe 2516 firefox.exe 2516 firefox.exe 2516 firefox.exe 2516 firefox.exe 2516 firefox.exe 2516 firefox.exe 2516 firefox.exe 2516 firefox.exe 2516 firefox.exe 2516 firefox.exe 2936 AgentSvr.exe 2936 AgentSvr.exe 5072 explorer.exe 2516 firefox.exe 5072 explorer.exe 5072 explorer.exe 5072 explorer.exe 5072 explorer.exe 5072 explorer.exe 2516 firefox.exe 5072 explorer.exe 5072 explorer.exe 5072 explorer.exe 5072 explorer.exe 5072 explorer.exe 5072 explorer.exe 5072 explorer.exe 5072 explorer.exe 5072 explorer.exe 5072 explorer.exe 2516 firefox.exe 4664 explorer.exe 4664 explorer.exe 2516 firefox.exe 4664 explorer.exe 4664 explorer.exe 4664 explorer.exe 4664 explorer.exe 4664 explorer.exe 2516 firefox.exe 4664 explorer.exe -
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
firefox.exeAgentSvr.exeexplorer.exeexplorer.exepid process 2516 firefox.exe 2516 firefox.exe 2516 firefox.exe 2516 firefox.exe 2516 firefox.exe 2516 firefox.exe 2516 firefox.exe 2516 firefox.exe 2516 firefox.exe 2516 firefox.exe 2516 firefox.exe 2516 firefox.exe 2516 firefox.exe 2516 firefox.exe 2516 firefox.exe 2516 firefox.exe 2516 firefox.exe 2516 firefox.exe 2516 firefox.exe 2516 firefox.exe 2516 firefox.exe 2516 firefox.exe 2516 firefox.exe 2516 firefox.exe 2516 firefox.exe 2516 firefox.exe 2516 firefox.exe 2516 firefox.exe 2516 firefox.exe 2516 firefox.exe 2516 firefox.exe 2516 firefox.exe 2936 AgentSvr.exe 2936 AgentSvr.exe 5072 explorer.exe 5072 explorer.exe 5072 explorer.exe 5072 explorer.exe 5072 explorer.exe 5072 explorer.exe 5072 explorer.exe 5072 explorer.exe 5072 explorer.exe 5072 explorer.exe 5072 explorer.exe 4664 explorer.exe 4664 explorer.exe 4664 explorer.exe 4664 explorer.exe 4664 explorer.exe 4664 explorer.exe 4664 explorer.exe 4664 explorer.exe 4664 explorer.exe 4664 explorer.exe 4664 explorer.exe 4664 explorer.exe 4664 explorer.exe 4664 explorer.exe 4664 explorer.exe 4664 explorer.exe 4664 explorer.exe 4664 explorer.exe 2936 AgentSvr.exe -
Suspicious use of SetWindowsHookEx 50 IoCs
Processes:
firefox.exeBonzify.exeINSTALLER.exeAgentSvr.exeINSTALLER.exeAgentSvr.exeStartMenuExperienceHost.exeStartMenuExperienceHost.exeSearchApp.exeexplorer.exepid process 2516 firefox.exe 2516 firefox.exe 2516 firefox.exe 2516 firefox.exe 6112 Bonzify.exe 6064 INSTALLER.exe 5204 AgentSvr.exe 1892 INSTALLER.exe 2936 AgentSvr.exe 2516 firefox.exe 2516 firefox.exe 2516 firefox.exe 2372 StartMenuExperienceHost.exe 2516 firefox.exe 2516 firefox.exe 2516 firefox.exe 2516 firefox.exe 2516 firefox.exe 2516 firefox.exe 436 StartMenuExperienceHost.exe 5616 SearchApp.exe 4664 explorer.exe 2516 firefox.exe 2516 firefox.exe 2516 firefox.exe 2516 firefox.exe 2516 firefox.exe 2516 firefox.exe 4664 explorer.exe 2516 firefox.exe 2516 firefox.exe 2516 firefox.exe 2516 firefox.exe 2516 firefox.exe 2516 firefox.exe 2516 firefox.exe 2516 firefox.exe 2516 firefox.exe 2516 firefox.exe 2516 firefox.exe 2516 firefox.exe 2516 firefox.exe 2516 firefox.exe 2516 firefox.exe 4664 explorer.exe 4664 explorer.exe 4664 explorer.exe 4664 explorer.exe 4664 explorer.exe 4664 explorer.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
firefox.exefirefox.exedescription pid process target process PID 5488 wrote to memory of 2516 5488 firefox.exe firefox.exe PID 5488 wrote to memory of 2516 5488 firefox.exe firefox.exe PID 5488 wrote to memory of 2516 5488 firefox.exe firefox.exe PID 5488 wrote to memory of 2516 5488 firefox.exe firefox.exe PID 5488 wrote to memory of 2516 5488 firefox.exe firefox.exe PID 5488 wrote to memory of 2516 5488 firefox.exe firefox.exe PID 5488 wrote to memory of 2516 5488 firefox.exe firefox.exe PID 5488 wrote to memory of 2516 5488 firefox.exe firefox.exe PID 5488 wrote to memory of 2516 5488 firefox.exe firefox.exe PID 5488 wrote to memory of 2516 5488 firefox.exe firefox.exe PID 5488 wrote to memory of 2516 5488 firefox.exe firefox.exe PID 2516 wrote to memory of 4380 2516 firefox.exe firefox.exe PID 2516 wrote to memory of 4380 2516 firefox.exe firefox.exe PID 2516 wrote to memory of 4380 2516 firefox.exe firefox.exe PID 2516 wrote to memory of 4380 2516 firefox.exe firefox.exe PID 2516 wrote to memory of 4380 2516 firefox.exe firefox.exe PID 2516 wrote to memory of 4380 2516 firefox.exe firefox.exe PID 2516 wrote to memory of 4380 2516 firefox.exe firefox.exe PID 2516 wrote to memory of 4380 2516 firefox.exe firefox.exe PID 2516 wrote to memory of 4380 2516 firefox.exe firefox.exe PID 2516 wrote to memory of 4380 2516 firefox.exe firefox.exe PID 2516 wrote to memory of 4380 2516 firefox.exe firefox.exe PID 2516 wrote to memory of 4380 2516 firefox.exe firefox.exe PID 2516 wrote to memory of 4380 2516 firefox.exe firefox.exe PID 2516 wrote to memory of 4380 2516 firefox.exe firefox.exe PID 2516 wrote to memory of 4380 2516 firefox.exe firefox.exe PID 2516 wrote to memory of 4380 2516 firefox.exe firefox.exe PID 2516 wrote to memory of 4380 2516 firefox.exe firefox.exe PID 2516 wrote to memory of 4380 2516 firefox.exe firefox.exe PID 2516 wrote to memory of 4380 2516 firefox.exe firefox.exe PID 2516 wrote to memory of 4380 2516 firefox.exe firefox.exe PID 2516 wrote 
to memory of 4380 2516 firefox.exe firefox.exe PID 2516 wrote to memory of 4380 2516 firefox.exe firefox.exe PID 2516 wrote to memory of 4380 2516 firefox.exe firefox.exe PID 2516 wrote to memory of 4380 2516 firefox.exe firefox.exe PID 2516 wrote to memory of 4380 2516 firefox.exe firefox.exe PID 2516 wrote to memory of 4380 2516 firefox.exe firefox.exe PID 2516 wrote to memory of 4380 2516 firefox.exe firefox.exe PID 2516 wrote to memory of 4380 2516 firefox.exe firefox.exe PID 2516 wrote to memory of 4380 2516 firefox.exe firefox.exe PID 2516 wrote to memory of 4380 2516 firefox.exe firefox.exe PID 2516 wrote to memory of 4380 2516 firefox.exe firefox.exe PID 2516 wrote to memory of 4380 2516 firefox.exe firefox.exe PID 2516 wrote to memory of 4380 2516 firefox.exe firefox.exe PID 2516 wrote to memory of 4380 2516 firefox.exe firefox.exe PID 2516 wrote to memory of 4380 2516 firefox.exe firefox.exe PID 2516 wrote to memory of 4380 2516 firefox.exe firefox.exe PID 2516 wrote to memory of 4380 2516 firefox.exe firefox.exe PID 2516 wrote to memory of 4380 2516 firefox.exe firefox.exe PID 2516 wrote to memory of 4380 2516 firefox.exe firefox.exe PID 2516 wrote to memory of 4380 2516 firefox.exe firefox.exe PID 2516 wrote to memory of 4380 2516 firefox.exe firefox.exe PID 2516 wrote to memory of 4380 2516 firefox.exe firefox.exe PID 2516 wrote to memory of 4380 2516 firefox.exe firefox.exe PID 2516 wrote to memory of 4380 2516 firefox.exe firefox.exe PID 2516 wrote to memory of 4380 2516 firefox.exe firefox.exe PID 2516 wrote to memory of 1952 2516 firefox.exe firefox.exe PID 2516 wrote to memory of 1952 2516 firefox.exe firefox.exe PID 2516 wrote to memory of 1952 2516 firefox.exe firefox.exe PID 2516 wrote to memory of 1952 2516 firefox.exe firefox.exe PID 2516 wrote to memory of 1952 2516 firefox.exe firefox.exe PID 2516 wrote to memory of 1952 2516 firefox.exe firefox.exe PID 2516 wrote to memory of 1952 2516 firefox.exe firefox.exe PID 2516 wrote to memory of 
1952 2516 firefox.exe firefox.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Program Files\Mozilla Firefox\firefox.exe (level 1)
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://github.com/TheDarkMythos/windows-malware/blob/master/Bonzify/Bonzify.exe"
- Suspicious use of WriteProcessMemory
PID:5488 -
C:\Program Files\Mozilla Firefox\firefox.exe (level 2)
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://github.com/TheDarkMythos/windows-malware/blob/master/Bonzify/Bonzify.exe
- Subvert Trust Controls: Mark-of-the-Web Bypass
- Checks processor information in registry
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2516 -
C:\Program Files\Mozilla Firefox\firefox.exe (level 3)
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2024 -parentBuildID 20240401114208 -prefsHandle 1940 -prefMapHandle 1932 -prefsLen 23602 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {40e387a1-a2bf-4068-9ffb-ca24c5c1b5a9} 2516 "\\.\pipe\gecko-crash-server-pipe.2516" gpu
PID:4380
-
C:\Program Files\Mozilla Firefox\firefox.exe (level 3)
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2464 -parentBuildID 20240401114208 -prefsHandle 2456 -prefMapHandle 2452 -prefsLen 24522 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0ccbf9ae-b9b1-4efb-8965-b2acb1f63ca0} 2516 "\\.\pipe\gecko-crash-server-pipe.2516" socket
PID:1952
-
C:\Program Files\Mozilla Firefox\firefox.exe (level 3)
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1392 -childID 1 -isForBrowser -prefsHandle 2640 -prefMapHandle 3296 -prefsLen 22590 -prefMapSize 244628 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5199fa74-c988-42c6-9185-7703a35cde80} 2516 "\\.\pipe\gecko-crash-server-pipe.2516" tab
PID:5772
-
C:\Program Files\Mozilla Firefox\firefox.exe (level 3)
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4136 -childID 2 -isForBrowser -prefsHandle 4128 -prefMapHandle 4056 -prefsLen 29012 -prefMapSize 244628 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d2989b53-0145-4ed8-a4e8-82da8a9d9820} 2516 "\\.\pipe\gecko-crash-server-pipe.2516" tab
PID:3472
-
C:\Program Files\Mozilla Firefox\firefox.exe (level 3)
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4828 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4860 -prefMapHandle 4856 -prefsLen 29012 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e6b08b11-ecbd-4611-aa25-4a24c7c48c84} 2516 "\\.\pipe\gecko-crash-server-pipe.2516" utility
- Checks processor information in registry
PID:4672 -
C:\Program Files\Mozilla Firefox\firefox.exe (level 3)
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5312 -childID 3 -isForBrowser -prefsHandle 5324 -prefMapHandle 5332 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {08847fd6-f924-445f-96b7-42e23b9f3e75} 2516 "\\.\pipe\gecko-crash-server-pipe.2516" tab
PID:4716
-
C:\Program Files\Mozilla Firefox\firefox.exe (level 3)
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5536 -childID 4 -isForBrowser -prefsHandle 5456 -prefMapHandle 5460 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5e790ff0-17bc-49ca-878f-e402cbdaf0a1} 2516 "\\.\pipe\gecko-crash-server-pipe.2516" tab
PID:2908
-
C:\Program Files\Mozilla Firefox\firefox.exe (level 3)
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5640 -childID 5 -isForBrowser -prefsHandle 5648 -prefMapHandle 5652 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {89badaa1-8457-4f7c-ac02-dde2817e9bf5} 2516 "\\.\pipe\gecko-crash-server-pipe.2516" tab
PID:2084
-
C:\Program Files\Mozilla Firefox\firefox.exe (level 3)
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4652 -childID 6 -isForBrowser -prefsHandle 6520 -prefMapHandle 5700 -prefsLen 30390 -prefMapSize 244628 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2ad26905-3d07-4c00-86fb-791d8bf29b47} 2516 "\\.\pipe\gecko-crash-server-pipe.2516" tab
PID:1720
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 1)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4300,i,2904906934812054273,11716976550456127484,262144 --variations-seed-version --mojo-platform-channel-handle=948 /prefetch:8
PID:5416
-
C:\Windows\System32\rundll32.exe (level 1)
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
PID:876
-
C:\Users\Admin\Downloads\Bonzify.exe (level 1)
"C:\Users\Admin\Downloads\Bonzify.exe"
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:6112 -
C:\Windows\SysWOW64\cmd.exe (level 2)
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\KillAgent.bat"
- System Location Discovery: System Language Discovery
PID:4316 -
C:\Windows\SysWOW64\ta
skkill.exe (level 3)
taskkill /f /im AgentSvr.exe
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5060 -
C:\Windows\SysWOW64\takeown.exe (level 3)
takeown /r /d y /f C:\Windows\MsAgent
- Possible privilege escalation attempt
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:3056 -
C:\Windows\SysWOW64\icacls.exe (level 3)
icacls C:\Windows\MsAgent /c /t /grant "everyone":(f)
- Possible privilege escalation attempt
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:5960 -
C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe (level 2)
INSTALLER.exe /q
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:6064 -
C:\Windows\SysWOW64\regsvr32.exe (level 3)
regsvr32 /s "C:\Windows\msagent\AgentCtl.dll"
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5624 -
C:\Windows\SysWOW64\regsvr32.exe (level 3)
regsvr32 /s "C:\Windows\msagent\AgentDPv.dll"
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3112 -
C:\Windows\SysWOW64\regsvr32.exe (level 3)
regsvr32 /s "C:\Windows\msagent\mslwvtts.dll"
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3452 -
C:\Windows\SysWOW64\regsvr32.exe (level 3)
regsvr32 /s "C:\Windows\msagent\AgentDP2.dll"
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4600 -
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\Windows\msagent\AgentMPx.dll"3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3812 -
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\Windows\msagent\AgentSR.dll"3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3184 -
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\Windows\msagent\AgentPsh.dll"3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2580 -
C:\Windows\msagent\AgentSvr.exe"C:\Windows\msagent\AgentSvr.exe" /regserver3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5204 -
C:\Windows\SysWOW64\grpconv.exegrpconv.exe -o3⤵
- System Location Discovery: System Language Discovery
PID:1140 -
C:\Users\Admin\AppData\Local\Temp\INSTALLER.exeINSTALLER.exe /q2⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1892 -
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s C:\Windows\lhsp\tv\tv_enua.dll3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1344 -
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s C:\Windows\lhsp\tv\tvenuax.dll3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:5208 -
C:\Windows\SysWOW64\grpconv.exegrpconv.exe -o3⤵
- System Location Discovery: System Language Discovery
PID:5480
-
Level 1: C:\Windows\msagent\AgentSvr.exe
  Command line: C:\Windows\msagent\AgentSvr.exe -Embedding
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID: 2936
Level 1: C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x300 0x31c
  - Suspicious use of AdjustPrivilegeToken
  PID: 1520
Level 1: C:\Windows\explorer.exe
  Command line: explorer.exe
  - Boot or Logon Autostart Execution: Active Setup
  - Enumerates connected drives
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 5072
Level 1: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  - Suspicious use of SetWindowsHookEx
  PID: 2372
Level 1: C:\Windows\explorer.exe
  Command line: explorer.exe
  - Boot or Logon Autostart Execution: Active Setup
  - Enumerates connected drives
  - Checks SCSI registry key(s)
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID: 4664
  Level 2: C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\windows-malware-master\windows-malware-master\MEMZ\Geometry dash auto speedhack.bat" "
    PID: 652
    Level 3: C:\Windows\system32\cscript.exe
      Command line: cscript x.js
      PID: 6924
    Level 3: C:\Users\Admin\AppData\Roaming\MEMZ.exe
      Command line: "C:\Users\Admin\AppData\Roaming\MEMZ.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Modifies Control Panel
      - Modifies Internet Explorer Protected Mode
      - Modifies data under HKEY_USERS
      - Modifies registry class
      PID: 7068
      Level 4: C:\Windows\Microsoft.NET\Framework64\v3.5\AddInUtil.exe
        Command line: "C:\Windows\Microsoft.NET\Framework64\v3.5\AddInUtil.exe"
        PID: 1436
      Level 4: C:\Windows\WinSxS\amd64_microsoft-windows-efs-ui_31bf3856ad364e35_10.0.19041.1_none_ac65d58626f4027c\efsui.exe
        Command line: "C:\Windows\WinSxS\amd64_microsoft-windows-efs-ui_31bf3856ad364e35_10.0.19041.1_none_ac65d58626f4027c\efsui.exe"
        PID: 1888
      Level 4: C:\Windows\SysWOW64\CloudNotifications.exe
        Command line: "C:\Windows\System32\CloudNotifications.exe"
        PID: 6772
      Level 4: C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 7068 -s 1364
        - Program crash
        PID: 5560
  Level 2: C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\windows-malware-master\windows-malware-master\MEMZ\Geometry dash auto speedhack.bat" "
    PID: 1720
    Level 3: C:\Windows\system32\cscript.exe
      Command line: cscript x.js
      PID: 6724
    Level 3: C:\Users\Admin\AppData\Roaming\MEMZ.exe
      Command line: "C:\Users\Admin\AppData\Roaming\MEMZ.exe"
      - Manipulates Digital Signatures
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Modifies data under HKEY_USERS
      PID: 3964
      Level 4: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CasPol.exe
        Command line: "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CasPol.exe"
        PID: 4820
      Level 4: C:\Windows\SysWOW64\ieUnatt.exe
        Command line: "C:\Windows\SysWOW64\ieUnatt.exe"
        PID: 6712
      Level 4: C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3964 -s 1216
        - Program crash
        PID: 3312
      Level 4: C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3964 -s 1224
        - Program crash
        PID: 2480
  Level 2: C:\Windows\System32\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\windows-malware-master\windows-malware-master\ILOVEYOU\LOVE-LETTER-FOR-YOU.TXT.vbs"
    PID: 6364
  Level 2: C:\Users\Admin\Downloads\windows-malware-master\windows-malware-master\MrsMajor 3.0\MrsMajor3.0.exe
    Command line: "C:\Users\Admin\Downloads\windows-malware-master\windows-malware-master\MrsMajor 3.0\MrsMajor3.0.exe"
    PID: 6088
    Level 3: C:\Windows\system32\wscript.exe
      Command line: "C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\9F06.tmp\9F07.tmp\9F08.vbs //Nologo
      PID: 6996
      Level 4: C:\Users\Admin\AppData\Local\Temp\9F06.tmp\eulascr.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\9F06.tmp\eulascr.exe"
        PID: 7044
  Level 2: C:\Users\Admin\Downloads\windows-malware-master\windows-malware-master\MrsMajor 3.0\MrsMajor3.0.exe
    Command line: "C:\Users\Admin\Downloads\windows-malware-master\windows-malware-master\MrsMajor 3.0\MrsMajor3.0.exe"
    PID: 2244
    Level 3: C:\Windows\system32\wscript.exe
      Command line: "C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\CE06.tmp\CE07.tmp\CE08.vbs //Nologo
      PID: 5572
      Level 4: C:\Users\Admin\AppData\Local\Temp\CE06.tmp\eulascr.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\CE06.tmp\eulascr.exe"
        PID: 6388
Level 1: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  - Suspicious use of SetWindowsHookEx
  PID: 436
Level 1: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID: 5616
Level 1: C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 6036
Level 1: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3964 -ip 3964
  PID: 6556
Level 1: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3964 -ip 3964
  PID: 4924
Level 1: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 7068 -ip 7068
  PID: 1092
Level 1: C:\Windows\explorer.exe
  Command line: explorer.exe
  PID: 6564
Level 1: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  PID: 6696
Level 1: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  PID: 3852
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Active Setup (1)
    Registry Run Keys / Startup Folder (1)
  Event Triggered Execution (1)
    AppInit DLLs (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Active Setup (1)
    Registry Run Keys / Startup Folder (1)
  Event Triggered Execution (1)
    AppInit DLLs (1)
Defense Evasion
  File and Directory Permissions Modification (1)
  Modify Registry (4)
  Subvert Trust Controls (2)
    SIP and Trust Provider Hijacking (2)
Downloads
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
11KB
MD5538c43ab77b0c590f239cf6ba2f2c49e
SHA12089ca914a1fa6a1dd0690e4526b2f2dd594ae57
SHA256f3f08d62c7fdb5645ca8eafd49573e0ae00679fa3c38500d5fe1f44acddeafd9
SHA512e7e27ca164251e4bc5310bc1b1e4609bfb62047641da717ecb53aea5e518f04db33cb20151e2ad3dfc4e30a473514d42328fec14efffae3c8da8ed09c4458a2d
-
Filesize
11KB
MD5b93a7837338bd71147bdad7bfaf92aa7
SHA1ec911e73db4e5b32b7ec8397cb5aee48df04befd
SHA2567200c06c94a3fd9f940e7890d4cf62f054881276ee757c89438c392deece7ea6
SHA5125d50b1f24cc766e9f214b1e23598b716a1b6113f828d2b01f92e36f8aea32d4300fd9f4898bf238618a7fce810f2bf751000c8eb426f296b6138c970265df9e7
-
Filesize
11KB
MD5335b0a0ce983b082a64cde52c99d455d
SHA1e8267b6befca9c915fd09e165ad3ac1d3fcc0616
SHA256633de0217f96aecad4179a82afa0fcb73d2f72b04c3ab47cf652860e3120bcd6
SHA512f15a533fa769ae7d338419a3e83ed6c5bc71196eda73b6d46cf71199f891f89e06ce0ec44b916ce6710ecde39e96f1e6d18557739baf2c27587b074ee9122110
-
Filesize
12KB
MD576ab64d5a2a2827244bc671fb6b7f275
SHA119ab8a39ea9e764d5c6a1446b226835160ccdd99
SHA256cbfe22d044caa52eeeb6529e8cae637117b385a71b59b7091271e11cd31e71a3
SHA512061e0a9efbd6a0ccee39619d78c361a013ae61b095bbb48539d0811576049fcd2d233d7597f558562cf451c345710a93e129d53fecc27b2fd6993e4c7b5e8959
-
Filesize
11KB
MD5021d4df1f4c3da5823e72eda1b3bbcec
SHA13811d268c9da558fd45e92cafae6e93a3bc285d6
SHA256338cc2d59b11ffdea6ac4509f0660a315730d8c8d9ed7b635035d20957acbebb
SHA51214a19f694a9185b48bd793c2bc854f724f4e24333094eb40f41495924816ecf1caba5c853faed41dd9ac5cf04dc28a602af9940dfb6a5b10299339e46ea46660
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\sessionstore-backups\recovery.baklz4
Filesize3KB
MD584afe4bf71699c2d7302c57e8ccd0c9f
SHA15c0499f74d0ff14ac88dc0a0988d3dc905ffa1e6
SHA256d367e3484be4bf3a6e14e91d9ce245cacd35d4b4776c4a7016692cef18fd1ee7
SHA51263f679b8d83bc4c5fbb3a44b8d649a98c61f5cccfacb7cc2856449a248e9e51016c56220620455efb93c64415ae4cc01bb074305fff4db38c144c7a2d0d2956c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\sessionstore-backups\recovery.baklz4
Filesize3KB
MD5f13f3524099ae6603102813a0a7922d1
SHA108bdd1f02a0efa577c795b81e5079ec4b823b6ff
SHA2562055c3f072007d1761374aa3ce2a5cf07a86c19b48c6b13e75109725c690b06e
SHA5125fcb3720e78a87bda215350073c186ad43dc57f1f1633b61894f0251be3f95893e0c8e5c7d8807956c1d63a795b62f61899ce8f2c0b9b1bf367fe6b8d74e1fe7
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\sessionstore-backups\recovery.baklz4
Filesize7KB
MD5bd3012813308607b291fd35ed3f76093
SHA15de997f0de6e074a93b30aca9e585588d04095dd
SHA256bcd07acf75815b04c09acc9884ef27a254614968a381ab4981b2fdee05709c40
SHA51225be4177070eb7bed1ae64471469a87e99243ca05d03b6ff7057b8aac25430feef56294a96bf99435ed8921e1d5dbcb06b5323980c405d284f1082b414ff174f
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\sessionstore-backups\recovery.baklz4
Filesize7KB
MD5b803a5726def9986f28da43e7fc07b95
SHA144006a3f135616448839c388a866caa765f6b78e
SHA2563b61252268f721302fc359189461b22538f4b49db6c81681b9e6ac3d00c459cb
SHA512cc9843a46daf77b0dbca40fd7acbe0649f72ba9d08d06271acb88ba2e98f99762bbf6536419e5f1eb807f2003faec8bd4cd95680b0490c856847a9fe18dbb189
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\sessionstore-backups\recovery.baklz4
Filesize7KB
MD50f0551647e17023cbf39567fb18e685c
SHA11a6b95eb9d4ee935f63f7102ddbf9a58bf6919ea
SHA2565e7b9513b0041d1552aaf923492727eb0b957317df22417356cabb24bde5d89d
SHA51292589e32d38746636d210b643abd69811e146bbf4e535d5a0e3b3cc1b4acb196e4d345cc5a4091ff1cc5cb0f473eb8723487b4b195a914f061ab3197f9611620
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\sessionstore-backups\recovery.baklz4
Filesize3KB
MD5c41520b29aafa853c55f5727756c5265
SHA11e61ad27981cfdce57caea3189ecfc1fc4815a9a
SHA256bcc8727450fef84e7a3b7177c79a53f07c2a57ed5e0913a851674ea4050a8fa6
SHA5126457e52427031d68344e98878a05444393c16ac806203080c232572d4dc363edbaab43b4d46289ae3fbb9c79b418e7cf47f31fdb2a28d3a816d7777ebfe02e27
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\sessionstore-backups\recovery.baklz4
Filesize2KB
MD5acd2ff339dde49818a6cb22ca9f63c63
SHA1181a5e68f7278e8025c97147cd33337a60bea2a8
SHA256c805c6f627376d84353a2d647569e2e017718268430ff1a4fead680668a09bdf
SHA5128e9807e2b62e9b45f7835005bdce158b21a4bf06794067fd9e6e88c5dc6660356060436c3c24ee830feabff072dee5d3200f9b86ef9b6f0d3454b77951c3b71f
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\sessionstore-backups\recovery.baklz4
Filesize7KB
MD529cab38f7c4de521e8664870f6bace26
SHA13fe9ecf415e544451702f379fdf44bd55cdc4bca
SHA2563424be1f0d40856519cb00c37bfb2ff53820b5bedf63c6edf599235cc45f2131
SHA5126e1757e4c973b6b95e54c05de7e6f3ee48e52236b65285cdcb8fd93769985df4381f2b22ac721dad6ddbbcc20cdce52705ca908e94971be1647f5e7fef150ed7
-
Filesize
14KB
MD519dbec50735b5f2a72d4199c4e184960
SHA16fed7732f7cb6f59743795b2ab154a3676f4c822
SHA256a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d
SHA512aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d
-
C:\Users\Admin\Downloads\windows-malware-master\windows-malware-master\ILOVEYOU\LOVE-LETTER-FOR-YOU.TXT.vbs
Filesize14KB
MD548ac397b96a30da6d67ffcf5b555e69c
SHA16b509435d7ab375d40231081417a340910da513c
SHA256b6dc96d48ee73fda299a8f8dac2335ed4bf710f5166ce093aa8734256a205569
SHA5124dd6ca7a18b7dceac16a8cec892f658a2389efe3b6a936ac9bf26f20a99a7a65d76dec1a412988e9a5be59276a7f7c0bca08583a474c8a9609799a4bab4ed5f2
-
C:\Users\Admin\Downloads\windows-malware-master\windows-malware-master\MEMZ\Geometry dash auto speedhack.bat
Filesize13KB
MD563c6ec6b042bcb00d2d832c0e4f25dca
SHA1a904a7c3fc89ff497e91384a63db3282e00d31ce
SHA256dae968f47476ef79b122e771ccd0a2bacde2ac3535f68047239682fefa3dfe50
SHA5121454cd79a59f0603ae083abb7f3b1438e18c7858ab04dfc3df1a725cee72be48274c289d5c0a44ce415f4bdf8a2c316312453862381fdbf0f4af97a62234e41a
-
Filesize
4KB
MD5ecd4d8524d6549e8a5d86d650bc48f10
SHA150637a0859e670ef11080dee3020cdba67ed03f7
SHA256f46852d7cb44dacf5ea1361aeab224e7a4569545df577772722c6e5fa8287dd8
SHA512c58111af5fa3c8ae10eb55a28788e9796c317743152065e4dd750dbeff661084e0c4d289b12f58a457edaad3bb1179c29699bb9ad88ac74eb002d5434dce83be
-
Filesize
11KB
MD51882f3dd051e401349f1af58d55b0a37
SHA16b0875f9e3164f3a9f21c1ec36748a7243515b47
SHA2563c8cea1a86f07b018e637a1ea2649d907573f78c7e4025ef7e514362d09ff6c0
SHA512fec96d873997b5c6c82a94f8796c88fc2dd38739277c517b8129277dcbda02576851f1e27bdb2fbb7255281077d5b9ba867f6dfe66bedfc859c59fdd3bbffacf
-
Filesize
448B
MD58eec8704d2a7bc80b95b7460c06f4854
SHA11b34585c1fa7ec0bd0505478ac9dbb8b8d19f326
SHA256aa01b8864b43e92077a106ed3d4656a511f3ba1910fba40c78a32ee6a621d596
SHA512e274b92810e9a30627a65f87448d784967a2fcfbf49858cbe6ccb841f09e0f53fde253ecc1ea0c7de491d8cc56a6cf8c79d1b7c657e72928cfb0479d11035210
-
Filesize
8KB
MD563ee4412b95d7ad64c54b4ba673470a7
SHA11cf423c6c2c6299e68e1927305a3057af9b3ce06
SHA25644c1857b1c4894b3dfbaccbe04905652e634283dcf6b06c25a74b17021e2a268
SHA5127ff153826bd5fed0a410f6d15a54787b79eba927d5b573c8a7f23f4ecef7bb223d79fd29fe8c2754fbf5b4c77ab7c41598f2989b6f4c7b2aa2f579ef4af06ee7
-
Filesize
381KB
MD535a27d088cd5be278629fae37d464182
SHA1d5a291fadead1f2a0cf35082012fe6f4bf22a3ab
SHA2564a75f2db1dbd3c1218bb9994b7e1c690c4edd4e0c1a675de8d2a127611173e69
SHA512eb0be3026321864bd5bcf53b88dc951711d8c0b4bcbd46800b90ca5116a56dba22452530e29f3ccbbcc43d943bdefc8ed8ca2d31ba2e7e5f0e594f74adba4ab5
-
Filesize
1.1MB
MD541e0416603e70c7037d40083b6e7e9b7
SHA14c9e8ec43afe113d4856a34627f0b2b34fd204b2
SHA2561f8828c0d7a35cc93e46b9eb17125b9bcb082e8e6e79c7dabd73861750454f8e
SHA512fb20cbb005d58cb094f7f201e95a5d11eee9aeadb806f0d7adc45ddf06505280583cfca789cfc2e3a080e259615604a4a3a9acd0248d128f455d08461d989500
-
Filesize
5.0MB
MD51fd2907e2c74c9a908e2af5f948006b5
SHA1a390e9133bfd0d55ffda07d4714af538b6d50d3d
SHA256f3d4425238b5f68b4d41ed5be271d2f4118a245baf808a62dc1a9e6e619b2f95
SHA5128eede3e5e52209b8703706a3e3e63230ba01975348dcdc94ef87f91d7c833a505b177139683ca7a22d8082e72e961e823bc3ad1a84ab9c371f5111f530807171
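The dropped-file listing above is a flat label/value dump in which the label is sometimes fused to its value (`Filesize17KB`, `MD5<hex>`, `SHA1<hex>`) and sometimes split onto the next line, and several entries carry no path at all. As an added example, not part of the sandbox report or of the analysed repository, the Python below parses that format into records, keeps path-less entries path-less instead of guessing, checks that each digest has the hex length its algorithm requires (which catches a truncated or mis-split `SHA1`/`SHA256` line), and looks up a candidate file by SHA256. The two embedded entries are copied from the listing; the `b"abc"` lookup input is constructed and is not expected to match anything.

```python
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Expected hex-digest length per algorithm label used in the listing.
DIGEST_HEX_LEN = {name: hashlib.new(name).digest_size * 2
                  for name in ("md5", "sha1", "sha256", "sha512")}

# A hash line is the algorithm label fused to (or followed by) hex digits.
HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s*([0-9a-fA-F]*)$")
# A path line starts with a Windows drive letter.
PATH_LINE = re.compile(r"^[A-Za-z]:\\")

# Constructed sample: two entries copied from the listing above, one with a
# path and one where the report gives no path.
SAMPLE = r"""
C:\Users\Admin\Downloads\windows-malware-master\windows-malware-master\ILOVEYOU\LOVE-LETTER-FOR-YOU.TXT.vbs
Filesize14KB
MD548ac397b96a30da6d67ffcf5b555e69c
SHA16b509435d7ab375d40231081417a340910da513c
SHA256b6dc96d48ee73fda299a8f8dac2335ed4bf710f5166ce093aa8734256a205569
SHA5124dd6ca7a18b7dceac16a8cec892f658a2389efe3b6a936ac9bf26f20a99a7a65d76dec1a412988e9a5be59276a7f7c0bca08583a474c8a9609799a4bab4ed5f2
-
Filesize
4KB
MD5ecd4d8524d6549e8a5d86d650bc48f10
SHA150637a0859e670ef11080dee3020cdba67ed03f7
SHA256f46852d7cb44dacf5ea1361aeab224e7a4569545df577772722c6e5fa8287dd8
SHA512c58111af5fa3c8ae10eb55a28788e9796c317743152065e4dd750dbeff661084e0c4d289b12f58a457edaad3bb1179c29699bb9ad88ac74eb002d5434dce83be
-
"""


@dataclass
class DroppedFile:
    path: Optional[str] = None      # None when the listing omits the path
    size: Optional[str] = None      # kept as the report's string, e.g. "14KB"
    hashes: Dict[str, str] = field(default_factory=dict)  # algo -> lowercase hex

    def problems(self) -> List[str]:
        """Validation findings; an empty list means the entry is well-formed."""
        out = []
        for algo, expected in DIGEST_HEX_LEN.items():
            digest = self.hashes.get(algo)
            if digest is None:
                out.append(f"missing {algo}")
            elif len(digest) != expected:
                out.append(f"{algo}: {len(digest)} hex chars, expected {expected}")
        return out


def parse_dropped_files(text: str) -> List[DroppedFile]:
    """Parse the listing. Entries end at a lone '-' line; the Filesize label may be
    fused to its value ('Filesize14KB') or split onto the following line."""
    entries: List[DroppedFile] = []
    current: Optional[DroppedFile] = None
    size_on_next_line = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "-":
            if current is not None:
                entries.append(current)
            current, size_on_next_line = None, False
            continue
        if current is None:
            current = DroppedFile()
        if size_on_next_line:
            current.size, size_on_next_line = line, False
        elif PATH_LINE.match(line):
            current.path = line
        elif line == "Filesize":
            size_on_next_line = True
        elif line.startswith("Filesize"):
            current.size = line[len("Filesize"):].strip()
        else:
            m = HASH_LINE.match(line)
            if m:
                current.hashes[m.group(1).lower()] = m.group(2).lower()
    if current is not None:       # listing without a trailing separator
        entries.append(current)
    return entries


def digests(data: bytes) -> Dict[str, str]:
    """All four digests of a candidate file, in the same form as the listing."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in DIGEST_HEX_LEN}


def lookup(data: bytes, entries: List[DroppedFile]) -> List[DroppedFile]:
    """Entries whose SHA256 matches the candidate file's contents."""
    sha256 = hashlib.sha256(data).hexdigest()
    return [e for e in entries if e.hashes.get("sha256") == sha256]


if __name__ == "__main__":
    parsed = parse_dropped_files(SAMPLE)
    for entry in parsed:
        print(entry.path or "<no path in report>", entry.size, entry.problems())
    print(lookup(b"abc", parsed))   # constructed input: no match expected
```

When hunting with these indicators, match on the digests rather than the paths: the profile directory name (`xmd08l7e.default-release`) and the `Downloads\windows-malware-master` extraction folder are specific to this analysis VM, and the browser-profile files (glean pings, session-store backups, the OpenH264 and Widevine plugins) are ordinary Firefox activity that appears because the sample URL was opened in a browser, not because the malware wrote them.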