Malware Analysis Report

2024-11-13 16:19

Sample ID 240828-lhxakatamf
Target https://github.com/TheDarkMythos/windows-malware/blob/master/Bonzify/Bonzify.exe
Tags
agilenet defense_evasion discovery execution exploit persistence privilege_escalation
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

Threat Level: Likely malicious

The file https://github.com/TheDarkMythos/windows-malware/blob/master/Bonzify/Bonzify.exe was found to be: Likely malicious.

Malicious Activity Summary

agilenet defense_evasion discovery execution exploit persistence privilege_escalation

Possible privilege escalation attempt

Manipulates Digital Signatures

Event Triggered Execution: AppInit DLLs

Downloads MZ/PE file

Boot or Logon Autostart Execution: Active Setup

Loads dropped DLL

Modifies file permissions

Obfuscated with Agile.Net obfuscator

Executes dropped EXE

Checks installed software on the system

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Enumerates connected drives

Drops file in System32 directory

Subvert Trust Controls: Mark-of-the-Web Bypass

Drops file in Windows directory

Command and Scripting Interpreter: JavaScript

Program crash

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Kills process with taskkill

Modifies registry class

Modifies Control Panel

Suspicious behavior: AddClipboardFormatListener

Modifies data under HKEY_USERS

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer Protected Mode

Checks SCSI registry key(s)

Suspicious use of SetWindowsHookEx

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

NTFS ADS

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Checks processor information in registry

Uses Volume Shadow Copy WMI provider

Uses Volume Shadow Copy service COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-28 09:32

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-28 09:32

Reported

2024-08-28 09:37

Platform

win10v2004-20240802-en

Max time kernel

240s

Max time network

301s

Command Line

"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://github.com/TheDarkMythos/windows-malware/blob/master/Bonzify/Bonzify.exe"

Signatures

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\software\WOW6432Node\microsoft\Active Setup\Installed Components C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe N/A
Key created \REGISTRY\MACHINE\software\WOW6432Node\microsoft\Active Setup\Installed Components C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A

Downloads MZ/PE file

Event Triggered Execution: AppInit DLLs

persistence privilege_escalation

Manipulates Digital Signatures

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\State = "146432" C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tv_enua = "RunDll32 advpack.dll,LaunchINFSection C:\\Windows\\INF\\tv_enua.inf, RemoveCabinet" C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe N/A

Checks installed software on the system

discovery

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\D: C:\Windows\explorer.exe N/A
File opened (read-only) \??\F: C:\Windows\explorer.exe N/A
File opened (read-only) \??\D: C:\Windows\explorer.exe N/A
File opened (read-only) \??\F: C:\Windows\explorer.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\SET6B19.tmp C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe N/A
File created C:\Windows\SysWOW64\SET6B19.tmp C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe N/A
File opened for modification C:\Windows\SysWOW64\msvcp50.dll C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\INF\SET6B18.tmp C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe N/A
File opened for modification C:\Windows\INF\tv_enua.inf C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe N/A
File opened for modification C:\Windows\fonts\andmoipa.ttf C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe N/A
File created C:\Windows\msagent\SET66B1.tmp C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe N/A
File created C:\Windows\msagent\SET66D7.tmp C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe N/A
File opened for modification C:\Windows\help\Agt0409.hlp C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe N/A
File opened for modification C:\Windows\lhsp\help\SET6B16.tmp C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe N/A
File opened for modification C:\Windows\fonts\SET6B17.tmp C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe N/A
File opened for modification C:\Windows\msagent\SET66B1.tmp C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe N/A
File created C:\Windows\msagent\SET66C5.tmp C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe N/A
File opened for modification C:\Windows\msagent\AgentMPx.dll C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe N/A
File opened for modification C:\Windows\msagent\SET66D7.tmp C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe N/A
File opened for modification C:\Windows\lhsp\tv\tvenuax.dll C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe N/A
File opened for modification C:\Windows\msagent\AgentSvr.exe C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe N/A
File opened for modification C:\Windows\msagent\SET66B0.tmp C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe N/A
File opened for modification C:\Windows\INF\SET66C7.tmp C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe N/A
File created C:\Windows\msagent\chars\Bonzi.acs C:\Users\Admin\Downloads\Bonzify.exe N/A
File opened for modification C:\Windows\msagent\AgentCtl.dll C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe N/A
File created C:\Windows\lhsp\help\SET6B16.tmp C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe N/A
File opened for modification C:\Windows\msagent\AgentPsh.dll C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe N/A
File created C:\Windows\lhsp\tv\SET6B14.tmp C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe N/A
File opened for modification C:\Windows\lhsp\help\tv_enua.hlp C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe N/A
File opened for modification C:\Windows\msagent\SET66B2.tmp C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe N/A
File created C:\Windows\msagent\SET66B0.tmp C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe N/A
File created C:\Windows\msagent\SET66C6.tmp C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe N/A
File created C:\Windows\help\SET66D8.tmp C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe N/A
File created C:\Windows\msagent\SET66EA.tmp C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe N/A
File created C:\Windows\msagent\SET66AF.tmp C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe N/A
File opened for modification C:\Windows\msagent\AgentAnm.dll C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe N/A
File opened for modification C:\Windows\msagent\intl\Agt0409.dll C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe N/A
File opened for modification C:\Windows\msagent\AgtCtl15.tlb C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe N/A
File opened for modification C:\Windows\lhsp\tv\tv_enua.dll C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe N/A
File created C:\Windows\lhsp\tv\SET6B15.tmp C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe N/A
File opened for modification C:\Windows\msagent\SET66C4.tmp C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe N/A
File opened for modification C:\Windows\msagent\AgentSR.dll C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe N/A
File created C:\Windows\INF\SET66C7.tmp C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe N/A
File opened for modification C:\Windows\help\SET66D8.tmp C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe N/A
File opened for modification C:\Windows\msagent\AgentDp2.dll C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe N/A
File opened for modification C:\Windows\msagent\SET66C3.tmp C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe N/A
File opened for modification C:\Windows\msagent\SET66C5.tmp C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe N/A
File opened for modification C:\Windows\INF\agtinst.inf C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe N/A
File created C:\Windows\msagent\intl\SET66E9.tmp C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe N/A
File created C:\Windows\fonts\SET6B17.tmp C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe N/A
File created C:\Windows\executables.bin C:\Users\Admin\Downloads\Bonzify.exe N/A
File opened for modification C:\Windows\msagent\SET66EA.tmp C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe N/A
File opened for modification C:\Windows\INF\SET6B18.tmp C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe N/A
File opened for modification C:\Windows\msagent\mslwvtts.dll C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe N/A
File created C:\Windows\msagent\SET66C3.tmp C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe N/A
File opened for modification C:\Windows\msagent\intl\SET66E9.tmp C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe N/A
File created C:\Windows\finalDestruction.bin C:\Users\Admin\Downloads\Bonzify.exe N/A
File created C:\Windows\msagent\SET66B2.tmp C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe N/A
File opened for modification C:\Windows\msagent\AgentDPv.dll C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe N/A
File created C:\Windows\msagent\SET66C4.tmp C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe N/A
File opened for modification C:\Windows\msagent\SET66C6.tmp C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe N/A
File opened for modification C:\Windows\lhsp\tv\SET6B14.tmp C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe N/A
File opened for modification C:\Windows\lhsp\tv\SET6B15.tmp C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe N/A
File opened for modification C:\Windows\msagent\SET66AF.tmp C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe N/A

Subvert Trust Controls: Mark-of-the-Web Bypass

defense_evasion
Description Indicator Process Target
File created C:\Users\Admin\Downloads\geometry dash auto speedhack.exe:Zone.Identifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
File created C:\Users\Admin\Downloads\Bonzify.exe:Zone.Identifier C:\Program Files\Mozilla Firefox\firefox.exe N/A

Command and Scripting Interpreter: JavaScript

execution

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\icacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\takeown.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\msagent\AgentSvr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\grpconv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\msagent\AgentSvr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\grpconv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\Bonzify.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\CoolSwitchColumns = "7" C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\CoolSwitchRows = "3" C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Mouse\MouseHoverHeight = "4" C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A

Modifies Internet Explorer Protected Mode

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\IESettingSync C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" C:\Windows\explorer.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\LowIcon = "inetcpl.cpl#005426" C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\AppEvents\Schemes\Apps\.Default\WindowsLogon\.Default\ = "%SystemRoot%\\media\\Windows Logon.wav" C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\AppEvents\Schemes\Names\.Default\ = "@mmres.dll,-800" C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Control Panel\Colors\ActiveTitle = "153 180 209" C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\System32\nlasvc.dll,-1 = "Network Location Awareness" C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Description = "This zone contains all Web sites you haven't placed in other zones" C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\PushNotifications\Backup\Windows.SystemToast.SpeechServices\appType = "bpp:system" C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Colors\WindowText = "0 0 0" C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\ExtendedProperties\LID = "0018C00ED8322557" C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\State = "146432" C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Flags = "71" C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData\1.7 = 737465724f6e49646c65466561747572654761746544697361626c65645c22203a207b205c224576656e74466c61675c22203a2032207d207d207d2c205c224d7275536572766963654170695c22203a207b205c225375624e616d657370616365735c22203a207b205c22446f63756d656e74735c22203a207b205c224576656e74735c22203a207b205c2252656164526571756573745c22203a207b205c224576656e74466c61675c22203a2032207d2c205c225772697465526571756573745c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224f6e526571756573745375636365656465645c22203a207a205c224576656e74466c61675c22203a2032207d207d207d2c205c22506c616365735c22203a207b205c224576656e74735c22203a207b205c2252656164526571756573745c22203a207b205c224576656e74466c61675c22203a2032207d2c205c225772697465526571756573745c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224f6e526571756573745375636365656465645c22203a207b205c224576656e74466c61675c22203a2032207d207d207d207d207d2c205c224d736f53686172696e675c22203a207b205c224576656e75735c22203a207b205c22434d736f53686172696e675365727669636548656c706572456e64476574486f73744361706162696c69746965735c22203a1f7b205c224576656e74466c61675c22203a2032207d2c205c22434d736f53686172696e675365727669636548656c706572476574486f73744361706162696c69746965735c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22434d736f53686172696e675365727669636548656c706571456e6447657455736572417474726962757465735c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22434d736f53686172696e675365727669636548656c70657247657455736572417474726962757464735c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22434d736f53686172696e675365727669636548656c706572456e644765744c6a6e6b735c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22434d736f53686172696e685365727669636548656c7065724765744c696e6b735c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22434d736f53686172696e675365727669636548656c706572456e645365744c696e6b735c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22434d736f53686172696e675365727669636548656c7065725365744c696e6a735c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22434d736f53686172696e675365727669636548656c706572456e644765745065726d697373696f6e735c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22434d736f53686172696e675365727669636548656c7065724765745065726d697373696f6e735c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22434d736f53686172696e675365727669636547656c706572456e645365745065726d697373696f6e735c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22434d736f53686172696e675365727669636548656c7065725365745065726d697373696f6f735c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22434d736f53686172696e675465727669636548656c706572436865636b5065726d697373696f6e735c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22434d737053686172696e675365727669636548656c70657247657453686172696e67496e666f726d6174696f6e5c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22434d736f53686172696e675365727669636548656c706572426567696d5365745065726d697373696f6e735c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22434d736f53686172696e675365727669636548656c70657247657453686172696e6756647273696f6e735c22203a207b205c224576656e74466c61675c22203a2032207d207d207d2c205c224d6f6465726e4261636b73746167655c22203a207b205c224576656e74735c22203a207b205c224261636b737461676550616765436f6e74726f6c55736572437265617465436f6e74726f6c557365725c22203a207b205c224576656e74466c61665c22203a2032207d207d207d2c205c224465736b746f704261636b73746167654e617669676174696f6e5c222039207b205c224576656e74735c22203a207b205c224e617669676174696f6e5461736b496e766f6b655c22203a207b205c224576656e74466c61675c22203a2032207d2c205c225461736b496e766f6b654f6e52656164466f6c6465725c22203a207b205c224576656e74466c61675c22203a2032207d207d207d2c205c224465736b746f7053686172696e675c22203a207b205c224576656e74735c22203a207b205c22436f6c6c616250616e6555736572536574436f6c6c616250616e654d6f64655c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22436f6c6c616250616e6555736572436c69636b53686172696e674c696e6b5c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22436f6c6c616250616e6555736572497343757272656e74446f63456e746572707269736550726f7465637465645c22203a207b205c224576656e74466c61675c22203a2032207d207d207d2c205c22446f63756d656e7473536861726564576974684d655c22203a207b205c224576656e74735c22203a207b205c22446f63756d656e7473536861726564576974684d6552657175657374446f63756d656e7473536861726564576974684d654173796e635c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22446f63756d656e7473536861726564576974684d6552657175647374436163686564446f63756d656e7473536861726564576974684d655c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22446f63756d656e7473536861726564576974684d654964656e74697479436163686552657175657374526573756c745c22203a207b205c224576656e74466c61675c22203a2032207d2d205c22446f63756d656e7473536861726564576974684d6552657175657374436163686564446f63756d656e7473466f724661696c757265735c22203a207b205c224576656e74466c61675c22203a2032207d207d207d2c205c22486973746f727955585c22203a207b205c224576656e74735c22203a207b205c224163746976687479506167654d616e6167657252656769737465725669736962696c697479436f6e74726f6c6c65725c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224275734261724f70656e4c6f63616c56657273696f6e5c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22434163746976697469657341676772656761746f72496e69745c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22434163746976697469657341676772656761746f7252657475726e4572726f725c22203a207b205c224576656e74466c61675c22203a2032207d2c205c2243437369446f63756d656e74537461746545787465726e616c556e7265676973746572446f63756d656e744c697374656e65725c22203a207a205c224576656e74466c61675c22203a2032207d2c205c2143486973746f727941637469766974696573466163746f727952656672657368416674657252656e616d655c22203a207b205c224576656e74466c61675c2220392032207d2c205c22436f62616c744163746976697469657346696c6556657273696f6e4c697374557064617465645c22203a207b205c224576656e74466c61675c22203a2032207d2c205c2243536f61704461746150726f7669646572496e69745c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22486973746f727950616765436c6f73655c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22486973746f737950616765436f707956657273696f6e5c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22486973746f727950616765436f707956657273696f6e496e7465726e616c5c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22486973746f7279516167654372656174655c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22486973746f727950616765526573746f726556657273696f6e5c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22486973746f72795061676553656c65637456657273696f6e5c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22486973746f727950616e654e6f6e436c69636b61626c654974656d53656c65637465645c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224c6f63616c41637469766974696573426567696e526566726573685c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224f6666696365436f6c6c61624163746976697479436f6d6d616e644d534f446f63756d656e7450726f76696465725c22203a207b205c224576656e74466c61675c22203a2032207d2c205c225368617265506f696e74436865636b4f757446696c65546f4c6f63616c466f6c6465725c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22546f67676c65486964655c22203a207b205c224576656e74466c61675c22203a2032207d2d205c22546f67676c6553686f775c22203a207b205c224576656e74466c61675c22203a2032207d2c205c225759574143616c6c6f757453686f7743616c6c6f75745c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22556e7365656e416374697669747943616c6c6f757450726573656e7443616c6c6f75745c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22556e7365656e4163746a766974794765744c6173745669657754696d655c22203a207b205c224576656e74466c61675c22203a2032207d2d205c22556d7365656e416374697669747946696e6443757272656e74557365724c6f67696e5c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22556e7365656e416374697669747943616c6c6f7574436c69636b65645c22203b207b205c224576656e74466c61675c22203a2032207d2c205c2253686f77536d606c6c53637265656e435759574144616c6c6f75745c22203a207b205c224576656e74466c61675c22203a2032207d207d207d2c205c224d7275416461707465725c22203a207b205c224576656e74735c22203a207b205c224872416464446f63756d656e745c22203a207b205c224576656e74466c61675c22203a2032207d2c215c224872416464506c6163655c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224872416464446f63756d656e74576974684f7074696f6e7357697468436f6e746578745c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224872416464506c616365576974684f7074696f6e7357697468436f6e746578745c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224872416464446f63756d656e745061746857697468436f6e746578745c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224872416464506c6163655061746857697468436f6e746578745c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224872416464446f63756d656e74496e6465785c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224872416464506c616365496e6465785c22203a207b205c224576656e74466d61675c22203a2032207d2c205c22487252656d6f7665506174685c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224872416464576974684f7074696f6e7357697468436f6e746578745c22203a207b205c224576656e74466c61675c22203a2032207d207d207d2c205c22417070446f63735c22203a207b205c224576656e74466c61675c221f3a2031207d2c205c22446f63756d656e745c22203a207b205c225475624e616d657370616365735c22203a207b205c2241637469766174696f6e5c22203a207b205c224576656e74466c61675c22203a2032207d2b205c224c6173744f70656e6564446f63756d656e744d657461646174615c22203a207b1f5c224576656e74466c61675c22203a2032207d207d207d2c205c224d6f6465726e446f6354656d706c617465536572766963655c22203a207b205c224576656e74466c61685c22203a2032207d2c205c225361766550726f6d707448656c7065725c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22446f63756d656e74436861745c22203a207b205c224576656e74735c22203a207b215c23446f63756d656e7443686174417661696c6162696c6974795274634c697374656e6572436f6e6e65637465644576656e745c22203a207b205c224576656e74466c61675c22203a2031207d2c205c22446f63756d656e7443686174417661696c6162696c6974795274634c697374656e6572436f6e6e656374696e674576656e745c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22446f63756d656e7443686174417661696c6162696c6974795274634c697374656e6572446973636f6e6e65637465644576656e745c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22446f63756d656e7443686174417661696c6162696c6974795374634c697374656e6572446973636f6e6e656374696e674576656e745c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22446f63756d656e7443686174417661696c6162696c6974795274634c697374656e65725265667265736850657273697374656e7453746174654173796e635c22203a207b205c224576656e74466c61675c22203a2032207d2c205c23446f63756d656e7443686174417661696c6162696c6974795274634c697374656e65725265667265736850657273697374656e7453746174654173796e63496e7465726e616c5c222039207b205c224576656e74466c61675c22203a2032207d2c205c22446f63756d656e7443686174417661696c6162696c6974795274634c697374656e65725265667265736850657273697374656e7453746174654173796e6352657472795c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22446f63756d656e7443686174417661696c6062696c6974795274634c697374656e657253746172745265616c74696d65436f6e6e656373696f6e4c697374656e696e675c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22446f63756d656e7443686174417661696c6162696c6974795274634c697374656e657253746f705265616c74696d65436f6e6e656374696f6e4c697374656e696e675c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22456f63756d656e744368617452746342726f6164636173746572436f6e6e65637465644576656e745c222039207c205c224576656e74466c61675c22203a2032207d2c205c22446f63756d656e744268617452746342726f6164636173746572436f6e6e656374696e674576656e745c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22446f63756d656e744368617452746342726f6164636173746572446973636f6e6e65637465644576656e745c22203a207b205c224576656e74466c61675c22203a1f32207d2c205c22446f63756d656e744368617452746342726f6164636173746572446973636f6e6e656374696e674576656e745c22203a207b205c224576656e74466c61685c22203a2032207d2c205c22446f63756d656e744368617452746342726f6264636173746572526562726f61646361737450657273697374656e7453746174655c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22446f63756d656e744368617452746342726f6164636173746572526562726f61646361737450657273697374656e745374617465496e7465726e616c5c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22446f63756d656e744368617452746342726f6164636173746572526561726f61646361737450657273697374656e74537461746552657472795c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22446f63756d656e744368617452746342726f6164636173746572526562726f61646361737450657273697374656e7453746174655265747279496e6e65724c6f6f705c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22446f63756d656e744368617452746342726f61646361737465725265667265736850657273697374656e7453746174654173796e635c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22446f63756d656e744368617452746342726f616463617374657253746172745265616c74696d65436f6e6e656374696f6e4c697374656e696e675c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22446f63756d656e744368617452746342726f616463617374657253746f705265616c74696d65436f6e6e656374696f6e4c697374656e696e675c22203a207b205c224576656e74466c61675c22203a2032207d207d207d2c205c2253686172696e6755495c22203a207b205c225375624e616d657370616365735c22203a207b205c22436f6c6c616250616e65557365725c22203a207b205c224576656e74735c22203a207b205c22536861726550616e65436f6d706c657465446973706c61795c22203a207b205c224576656e74466c61675c22203a20323536207d207d207d2c205c2253686172654469616c6f675c22203a207b205c224576656e74735c22203a207b205c224e61766967617465546f5765624469616c6f675c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c2253656e6441734174746163686d656d755c22203a207b205c224576656e74466c61675c22203a20323536207d207d207d207d207d2c205c224544505c22203a207b205c224576656e74735c22203a207b205c22506f6c6963794d657461646174615c22203a207b205c224576656e74466c61675c22203a20323536207d207d207d2c205c225369746573536572766963654170695c22203a207c205c224576656e74735c22203a207b205c22526571756573744173796e635c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c225265616446726f6d43616368655c22203a207b205c224576656e74466c61675c22203920323536207d207d207d207d207d22207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e54656b656d6574727944796e616d6963436f6e C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\Console\ColorTable03 = "14521914" C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData = "%USERPROFILE%\\AppData\\Local" C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\system32\RMapi.dll,-1001 = "Radio Management Service" C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\AppEvents\EventLabels\WindowsUnlock\ = "Windows Umlock" C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\International\iDate = "0" C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Control Panel\Cursors\SizeAll = "%SystemRoot%\\cursors\\aero_move.cur" C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\PushNotifications\Backup\Windows.SystemToast.Calling\Setting = "s:tickle,s:lock:toast,s:tile,s:lock:badge,s:banner,s:lock:tile,s:toast,s:badge,s:audio,s:voip,s:listenerEnabled,c:toast,c:ringing" C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70\NewQuick.Modeless = "0x00000000" C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\PrecisionTouchPad\TapsEnabled = "1" C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe%5Cresources.pri\1d5ace4f533928b\a37dfe62\@{C:\Program Files\WindowsApps\Microsoft.MixedRe = "Mixed Reality Portal" C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-19\AppEvents\Schemes\Apps\.Default\LowBatteryAlarm\.Default\ = "%RystemRoot%\\media\\Windows Background.wav" C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\AppEvents\Schemes\Apps\.Default\.Default\.Default\ = "%SystemRoot%\\media\\Windows Background.wav" C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Document Windows\Maximized = "no" C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70\Intellegnt.Eudp = "0x00000001" C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Control Panel\Input Method\Hot Keys\00000011\Target IME = 00000000 C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Assistance\Client\1.0\Settings\FirstTimeHelppaneStartup = "1" C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-19\AppEvents\EventLabels\Navigating\ = "Start Navigation" C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Environment\TEMP = "%USERPROFILE%\\AppData\\Local\\Temp" C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\System32\wcmsvc.dll,-4097 = "Windows Connection Manager" C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\MuiCache\26\52C64B7E\@%systemroot%\system32\FirewallControlPanel.dll,-12122 = "Windows Defender Firewall" C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Accessibility\Keyboard Response\DelayBeforeAcceptance = "1000" C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\PushNotifications\Backup\Windows.SystemToast.Bthprops\wnsId = "System" C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-19\Control Panel\Accessibility\Keyboard Response\AutoRepeatRate = "500" C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main\Disable Script Debugger = "yes" C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Control Panel\Appearance\Schemes\@themeui.dll,-853 = 02000000460000000100000011000000110000001400000014000000f5ffffff000000000000000000000000bc02000000000000000000004d006900630072006f0073006f00660074002000530061006e0073002000530065007200690066000000fc7f2214fc7fb0fe120000000000000000009823eb770f0000000f000000f5ffffff000000000000000000010000bc02000000000000000000004d006900630072006f0073006f00660074002000530061006e0073002000530065007200690066000000f077002014000000001080051400f01f1400000014001200000012000000f5ffffff000000000000000000000000bc02000000000000000000004d006900630072006f0073006f00660074002000530061006e0073002000530065007200690066000000150088fbe87702020000acb9f0770000000020000000f5ffffff00000000000000ff000000009001000000000000000000004d006900630072006f0073006f00660074002000530061006e007300200053006500720069006600000000000000000000000000000000007c6be87700000000f5ffffff000000000000000000000000bc02000000000000000000004d006900630072006f0073006f00660074002000530061006e007300200053006500720069006600000000000600000118000000fffffffff04b21fc00c4f077f5ffffff000000000000000000000000bc02000001000000000000004d006900630072006f0073006f00660074002000530061006e007300200053006500720069006600000014000b00000000ff120050000000c0fe12000c100001ffffff00ffffff0000000000ffffff00ffffff00ffffff00000000000001000000000000ffffff0080808000c0c0c0ff8080800000000000ffffff00ffffff0080808000008000000000000000000000c0c0c00000000000c0c0c00000000000ffffff00c0c0c0000000000000000000ffffff00 C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Send To OneNote 2016 = "winspool,nul:,15,45" C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CProgram Files%5CWindowsApps%5Cmicrosoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe%5Cresources.pri\1d5ace46d67c10b\a37dfe62\@{C:\Program Files\WindowsApps\microsoft = "Mail" C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1400 = "3" C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-19\Control Panel\Appearance\Schemes\@themeui.dll,-853 = 02000000460000000100000011000000110000001400000014000000f5ffffff000000000000000000000000bc02000000000000000000004d006900630072006f0073006f00660074002000530061006e0073002000530065007200690066000000fc7f2214fc7fb0fe120000000000000000009823eb770f0000000f000000f5ffffff000000000000000000000000bc02000000000000000000004d006900630072006f0073006f00660074002000520061006e0073002000530065007200690066000000f077002014000000001080051400f01f1400000014001200000012000000f5ffffff000000000000000000000000bc0200000000ff00000000004d006900630072006f0073006f00660074002000530061006e0073002000530065007200690066000000140088fbe87702020000acb9f0770000000020000000f5ffffff0000000000000000000000009001000000000000000000004d006900630072006f0073006f00660074002000530061006e007300200053006500720069006600000000000000000000000000000000007c6be87700000000f5ffffff000000000000000000000000bc02000000000000000000004d006900630072006f0073006f00660074002000530061006e007300200053006500720069006600000000000600000018000000fffffffff04b21fc00c4f077f5ffffff000000000001ff0000000000bc02000000000000000000004d006900630072006f0073006f00660074002000530061006e007300200053006500720069006700000014000b00000000ff120050000000c0fe12000c100001ffffff00ffffff0000000000ffffff00ffffff00ffffff00000000000000000000000000ffffff0080808000c0c0c0008080800000000000ffffff00ffffff0080808000008000000000000000000000c0c0c00000000000c0c0c00000000000ffffff00c0c0c0000000000000000000ffffff00 C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.ContentDeliveryManager_cw5n1h2txyewy%5Cresources.pri\1d5acddd82645c0\a37dfe62\@{C:\Windows\SystemApps\Microsoft.Windows.ContentDeliveryManager_cw = "Microsoft Content" C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A

Modifies registry class

Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5BE8BD2-7DE6-11D0-91FE-00C04FD701A5}\MiscStatus C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1DAB85C3-803A-11D0-AC63-00C04FD97575}\TypeLib\ = "{F5BE8BC2-7DE6-11D0-91FE-00C04FD701A5}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5BE8BD4-7DE6-11D0-91FE-00C04FD701A5}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Extensions\ContractId\Windows.BackgroundTasks\PackageId\Microsoft.Windows.CloudExperienceHost_10.0.19041.1266_neutral_neutral_cw5n1h2txyewy\ActivatableClassId\Windows.Networking.ContentPr = "icon.png" C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Agent.Control.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\FileType\{D45FD301-5C6E-11D1-9EC1-00C04FD7081F}\0\ = "0,4,FFFFFFFF,C3ABCDAB" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D6589123-FC70-11D0-AC94-00C04FD97575}\2.0\HELPDIR\ = "C:\\Windows\\msagent\\AgentSvr.exe\\" C:\Windows\msagent\AgentSvr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5BE8BD2-7DE6-11D0-91FE-00C04FD701A5}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6BA90C01-3910-11D1-ACB3-00C04FD97575}\ = "IAgentCtlCommandsEx" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B0913410-3B44-11D1-ACBA-00C04FD97575}\ = "IAgentCtlCommandEx" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A7B93C85-7B81-11D0-AC5F-00C04FD97575}\ProxyStubClsid32 C:\Windows\msagent\AgentSvr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A7B93C8D-7B81-11D0-AC5F-00C04FD97575}\TypeLib\ = "{A7B93C73-7B81-11D0-AC5F-00C04FD97575}" C:\Windows\msagent\AgentSvr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D45FD31B-5C6E-11D1-9EC1-00C04FD7081F}\ = "Microsoft Agent Control 2.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D45FD31C-5C6E-11D1-9EC1-00C04FD7081F}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A7B93C83-7B81-11D0-AC5F-00C04FD97575}\TypeLib C:\Windows\msagent\AgentSvr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A7B93C83-7B81-11D0-AC5F-00C04FD97575} C:\Windows\msagent\AgentSvr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A7B93C89-7B81-11D0-AC5F-00C04FD97575}\ = "IAgentAudioOutputProperties" C:\Windows\msagent\AgentSvr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5BE8BD1-7DE6-11D0-91FE-00C04FD701A5}\ = "IAgentCtl" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Agent.Character.2\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F5BE8BC2-7DE6-11D0-91FE-00C04FD701A5}\1.5\0 C:\Windows\msagent\AgentSvr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{08C75162-3C9C-11D1-91FE-00C04FD701A5} C:\Windows\msagent\AgentSvr.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Extensions\ContractId\Windows.Launch\PackageId\E2A4F912-2574-4A75-9BB0-0D023378592B_10.0.19041.1023_neutral_neutral_cw5n1h2txyewy\ActivatableClassId\Microsoft.Windows.AppResolverUX\Displa = "@{E2A4F912-2574-4A75-9BB0-0D023378592B_10.0.19041.1023_neutral_neutral_cw5n1h2txyewy?ms-resource://AppResolverUX/Resources/AppxManifest_DisplayName}" C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6BA90C01-3910-11D1-ACB3-00C04FD97575}\TypeLib\Version = "2.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8B77181C-D3EF-11D1-8500-00C04FA34A14}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8563FF20-8ECC-11D1-B9B4-00C04FD97575}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5BE8BE1-7DE6-11D0-91FE-00C04FD701A5}\ = "IAgentCtlCommands" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5BE8BDF-7DE6-11D0-91FE-00C04FD701A5}\ = "IAgentCtlPropertySheet" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6D0ECB27-9968-11D0-AC6E-00C04FD97575}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5BE8BD2-7DE6-11D0-91FE-00C04FD701A5}\ToolboxBitmap32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5BE8BE3-7DE6-11D0-91FE-00C04FD701A5}\TypeLib\Version = "2.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5BE8BD1-7DE6-11D0-91FE-00C04FD701A5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6D0ECB23-9968-11D0-AC6E-00C04FD97575}\ = "IAgentCommandWindow" C:\Windows\msagent\AgentSvr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D6589123-FC70-11D0-AC94-00C04FD97575}\2.0\FLAGS C:\Windows\msagent\AgentSvr.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5BE8BD3-7DE6-11D0-91FE-00C04FD701A5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B0913410-3B44-11D1-ACBA-00C04FD97575}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B0913410-3B44-11D1-ACBA-00C04FD97575}\TypeLib\Version = "2.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5BE8BDB-7DE6-11D0-91FE-00C04FD701A5}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7B93C92-7B81-11D0-AC5F-00C04FD97575}\TreatAs C:\Windows\msagent\AgentSvr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D6589123-FC70-11D0-AC94-00C04FD97575}\2.0\HELPDIR C:\Windows\msagent\AgentSvr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5BE8BD2-7DE6-11D0-91FE-00C04FD701A5}\ToolboxBitmap32\ = "C:\\Windows\\msagent\\AgentCtl.dll, 105" C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D45FD31B-5C6E-11D1-9EC1-00C04FD7081F}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5BE8BD9-7DE6-11D0-91FE-00C04FD701A5}\ = "IAgentCtlCharacter" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0FA9F4D5-A173-11D1-AA62-00C04FA34D72}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A7B93C91-7B81-11D0-AC5F-00C04FD97575}\TypeLib\ = "{A7B93C73-7B81-11D0-AC5F-00C04FD97575}" C:\Windows\msagent\AgentSvr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A7B93C8F-7B81-11D0-AC5F-00C04FD97575}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\msagent\AgentSvr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{97A2762C-403C-4953-A121-7A75ABCE4373}\InprocServer32\Assembly = "Microsoft/Office.Interop.Access.Dao, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C" C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\LWVFile\DefaultIcon C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Agent.Server\CurVer\ = "Agent.Server.2" C:\Windows\msagent\AgentSvr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-3784866113-3187381476-3433752343-3391928953-3760210436-1684329488-1912184601\DisplayName = "@{Microsoft.Windows.OOBDNetworkConnectionFlow_10.0.19041.1023_neutral__cw5n1h2txyewy?ms-resource://Microsoft.Windows.OOBENetworkConnectionGlow/Resources/AppDisplayName}" C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D45FD31B-5C6E-11D1-9EC1-00C04FD7081F}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D45FD31B-5C6E-11D1-9EC1-00C04FD7081F}\Version C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A7B93C87-7B81-11D0-AC5F-00C04FD97575} C:\Windows\msagent\AgentSvr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A7B93C8F-7B81-11D0-AC5F-00C04FD97575}\ = "IAgentCharacter" C:\Windows\msagent\AgentSvr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6D0ECB23-9968-11D0-AC6E-00C04FD97575}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\msagent\AgentSvr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\AppXe862j7twqs4aww05211jaakwxyfjx4da\Shell\open\command\DelegateExecute = "{4ED3A719-CEA8-4BD9-910D-E252E997AFC2}" C:\Users\Admin\AppData\Roaming\MEMZ.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D45FD2FC-5C6E-11D1-9EC1-00C04FD7081F}\ = "Microsoft Agent Server 2.0" C:\Windows\msagent\AgentSvr.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D45FD31E-5C6E-11D1-9EC1-00C04FD7081F}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Agent.Server\ = "Microsoft Agent Server 2.0" C:\Windows\msagent\AgentSvr.exe N/A

NTFS ADS

Description Indicator Process Target
File created C:\Users\Admin\Downloads\Bonzify.exe:Zone.Identifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
File created C:\Users\Admin\Downloads\geometry dash auto speedhack.exe:Zone.Identifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
File created C:\Users\Admin\Downloads\windows-malware-master.zip:Zone.Identifier C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\Downloads\Bonzify.exe N/A
N/A N/A C:\Users\Admin\Downloads\Bonzify.exe N/A
N/A N/A C:\Users\Admin\Downloads\Bonzify.exe N/A
N/A N/A C:\Users\Admin\Downloads\Bonzify.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: 33 N/A C:\Windows\msagent\AgentSvr.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\msagent\AgentSvr.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\msagent\AgentSvr.exe N/A
N/A N/A C:\Windows\msagent\AgentSvr.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\msagent\AgentSvr.exe N/A
N/A N/A C:\Windows\msagent\AgentSvr.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\msagent\AgentSvr.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\Downloads\Bonzify.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe N/A
N/A N/A C:\Windows\msagent\AgentSvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe N/A
N/A N/A C:\Windows\msagent\AgentSvr.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5488 wrote to memory of 2516 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5488 wrote to memory of 2516 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5488 wrote to memory of 2516 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5488 wrote to memory of 2516 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5488 wrote to memory of 2516 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5488 wrote to memory of 2516 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5488 wrote to memory of 2516 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5488 wrote to memory of 2516 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5488 wrote to memory of 2516 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5488 wrote to memory of 2516 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5488 wrote to memory of 2516 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2516 wrote to memory of 4380 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2516 wrote to memory of 4380 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2516 wrote to memory of 4380 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2516 wrote to memory of 4380 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2516 wrote to memory of 4380 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2516 wrote to memory of 4380 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2516 wrote to memory of 4380 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2516 wrote to memory of 4380 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2516 wrote to memory of 4380 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2516 wrote to memory of 4380 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2516 wrote to memory of 4380 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2516 wrote to memory of 4380 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2516 wrote to memory of 4380 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2516 wrote to memory of 4380 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2516 wrote to memory of 4380 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2516 wrote to memory of 4380 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2516 wrote to memory of 4380 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2516 wrote to memory of 4380 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2516 wrote to memory of 4380 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2516 wrote to memory of 4380 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2516 wrote to memory of 4380 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2516 wrote to memory of 4380 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2516 wrote to memory of 4380 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2516 wrote to memory of 4380 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2516 wrote to memory of 4380 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2516 wrote to memory of 4380 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2516 wrote to memory of 4380 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2516 wrote to memory of 4380 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2516 wrote to memory of 4380 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2516 wrote to memory of 4380 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2516 wrote to memory of 4380 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2516 wrote to memory of 4380 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2516 wrote to memory of 4380 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2516 wrote to memory of 4380 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2516 wrote to memory of 4380 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2516 wrote to memory of 4380 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2516 wrote to memory of 4380 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2516 wrote to memory of 4380 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2516 wrote to memory of 4380 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2516 wrote to memory of 4380 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2516 wrote to memory of 4380 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2516 wrote to memory of 4380 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2516 wrote to memory of 4380 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2516 wrote to memory of 4380 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2516 wrote to memory of 4380 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2516 wrote to memory of 1952 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2516 wrote to memory of 1952 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2516 wrote to memory of 1952 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2516 wrote to memory of 1952 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2516 wrote to memory of 1952 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2516 wrote to memory of 1952 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2516 wrote to memory of 1952 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2516 wrote to memory of 1952 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://github.com/TheDarkMythos/windows-malware/blob/master/Bonzify/Bonzify.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://github.com/TheDarkMythos/windows-malware/blob/master/Bonzify/Bonzify.exe

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2024 -parentBuildID 20240401114208 -prefsHandle 1940 -prefMapHandle 1932 -prefsLen 23602 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {40e387a1-a2bf-4068-9ffb-ca24c5c1b5a9} 2516 "\\.\pipe\gecko-crash-server-pipe.2516" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2464 -parentBuildID 20240401114208 -prefsHandle 2456 -prefMapHandle 2452 -prefsLen 24522 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0ccbf9ae-b9b1-4efb-8965-b2acb1f63ca0} 2516 "\\.\pipe\gecko-crash-server-pipe.2516" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1392 -childID 1 -isForBrowser -prefsHandle 2640 -prefMapHandle 3296 -prefsLen 22590 -prefMapSize 244628 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5199fa74-c988-42c6-9185-7703a35cde80} 2516 "\\.\pipe\gecko-crash-server-pipe.2516" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4136 -childID 2 -isForBrowser -prefsHandle 4128 -prefMapHandle 4056 -prefsLen 29012 -prefMapSize 244628 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d2989b53-0145-4ed8-a4e8-82da8a9d9820} 2516 "\\.\pipe\gecko-crash-server-pipe.2516" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4828 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4860 -prefMapHandle 4856 -prefsLen 29012 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e6b08b11-ecbd-4611-aa25-4a24c7c48c84} 2516 "\\.\pipe\gecko-crash-server-pipe.2516" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5312 -childID 3 -isForBrowser -prefsHandle 5324 -prefMapHandle 5332 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {08847fd6-f924-445f-96b7-42e23b9f3e75} 2516 "\\.\pipe\gecko-crash-server-pipe.2516" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5536 -childID 4 -isForBrowser -prefsHandle 5456 -prefMapHandle 5460 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5e790ff0-17bc-49ca-878f-e402cbdaf0a1} 2516 "\\.\pipe\gecko-crash-server-pipe.2516" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5640 -childID 5 -isForBrowser -prefsHandle 5648 -prefMapHandle 5652 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {89badaa1-8457-4f7c-ac02-dde2817e9bf5} 2516 "\\.\pipe\gecko-crash-server-pipe.2516" tab

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4300,i,2904906934812054273,11716976550456127484,262144 --variations-seed-version --mojo-platform-channel-handle=948 /prefetch:8

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Downloads\Bonzify.exe

"C:\Users\Admin\Downloads\Bonzify.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\KillAgent.bat"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im AgentSvr.exe

C:\Windows\SysWOW64\takeown.exe

takeown /r /d y /f C:\Windows\MsAgent

C:\Windows\SysWOW64\icacls.exe

icacls C:\Windows\MsAgent /c /t /grant "everyone":(f)

C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe

INSTALLER.exe /q

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 /s "C:\Windows\msagent\AgentCtl.dll"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 /s "C:\Windows\msagent\AgentDPv.dll"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 /s "C:\Windows\msagent\mslwvtts.dll"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 /s "C:\Windows\msagent\AgentDP2.dll"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 /s "C:\Windows\msagent\AgentMPx.dll"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 /s "C:\Windows\msagent\AgentSR.dll"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 /s "C:\Windows\msagent\AgentPsh.dll"

C:\Windows\msagent\AgentSvr.exe

"C:\Windows\msagent\AgentSvr.exe" /regserver

C:\Windows\SysWOW64\grpconv.exe

grpconv.exe -o

C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe

INSTALLER.exe /q

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 /s C:\Windows\lhsp\tv\tv_enua.dll

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 /s C:\Windows\lhsp\tv\tvenuax.dll

C:\Windows\SysWOW64\grpconv.exe

grpconv.exe -o

C:\Windows\msagent\AgentSvr.exe

C:\Windows\msagent\AgentSvr.exe -Embedding

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x300 0x31c

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\windows-malware-master\windows-malware-master\MEMZ\Geometry dash auto speedhack.bat" "

C:\Windows\system32\cscript.exe

cscript x.js

C:\Users\Admin\AppData\Roaming\MEMZ.exe

"C:\Users\Admin\AppData\Roaming\MEMZ.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\windows-malware-master\windows-malware-master\MEMZ\Geometry dash auto speedhack.bat" "

C:\Windows\system32\cscript.exe

cscript x.js

C:\Users\Admin\AppData\Roaming\MEMZ.exe

"C:\Users\Admin\AppData\Roaming\MEMZ.exe"

C:\Windows\Microsoft.NET\Framework64\v3.5\AddInUtil.exe

"C:\Windows\Microsoft.NET\Framework64\v3.5\AddInUtil.exe"

C:\Windows\WinSxS\amd64_microsoft-windows-efs-ui_31bf3856ad364e35_10.0.19041.1_none_ac65d58626f4027c\efsui.exe

"C:\Windows\WinSxS\amd64_microsoft-windows-efs-ui_31bf3856ad364e35_10.0.19041.1_none_ac65d58626f4027c\efsui.exe"

C:\Windows\SysWOW64\CloudNotifications.exe

"C:\Windows\System32\CloudNotifications.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CasPol.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CasPol.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\windows-malware-master\windows-malware-master\ILOVEYOU\LOVE-LETTER-FOR-YOU.TXT.vbs"

C:\Windows\SysWOW64\ieUnatt.exe

"C:\Windows\SysWOW64\ieUnatt.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3964 -ip 3964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3964 -s 1216

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3964 -ip 3964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3964 -s 1224

C:\Users\Admin\Downloads\windows-malware-master\windows-malware-master\MrsMajor 3.0\MrsMajor3.0.exe

"C:\Users\Admin\Downloads\windows-malware-master\windows-malware-master\MrsMajor 3.0\MrsMajor3.0.exe"

C:\Windows\system32\wscript.exe

"C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\9F06.tmp\9F07.tmp\9F08.vbs //Nologo

C:\Users\Admin\AppData\Local\Temp\9F06.tmp\eulascr.exe

"C:\Users\Admin\AppData\Local\Temp\9F06.tmp\eulascr.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 7068 -ip 7068

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 7068 -s 1364

C:\Users\Admin\Downloads\windows-malware-master\windows-malware-master\MrsMajor 3.0\MrsMajor3.0.exe

"C:\Users\Admin\Downloads\windows-malware-master\windows-malware-master\MrsMajor 3.0\MrsMajor3.0.exe"

C:\Windows\system32\wscript.exe

"C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\CE06.tmp\CE07.tmp\CE08.vbs //Nologo

C:\Users\Admin\AppData\Local\Temp\CE06.tmp\eulascr.exe

"C:\Users\Admin\AppData\Local\Temp\CE06.tmp\eulascr.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4652 -childID 6 -isForBrowser -prefsHandle 6520 -prefMapHandle 5700 -prefsLen 30390 -prefMapSize 244628 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2ad26905-3d07-4c00-86fb-791d8bf29b47} 2516 "\\.\pipe\gecko-crash-server-pipe.2516" tab

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
GB 20.26.156.215:443 github.com tcp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 github.com udp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net tcp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
N/A 127.0.0.1:49857 tcp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 github.githubassets.com udp
US 8.8.8.8:53 avatars.githubusercontent.com udp
US 185.199.110.154:443 github.githubassets.com tcp
US 8.8.8.8:53 github.githubassets.com udp
US 185.199.110.154:443 github.githubassets.com tcp
US 185.199.110.154:443 github.githubassets.com tcp
US 185.199.110.154:443 github.githubassets.com tcp
US 185.199.110.154:443 github.githubassets.com tcp
US 185.199.111.133:443 avatars.githubusercontent.com tcp
US 8.8.8.8:53 avatars.githubusercontent.com udp
US 185.199.110.154:443 github.githubassets.com tcp
US 8.8.8.8:53 github.githubassets.com udp
US 8.8.8.8:53 avatars.githubusercontent.com udp
US 8.8.8.8:53 255.254.81.35.in-addr.arpa udp
US 8.8.8.8:53 154.110.199.185.in-addr.arpa udp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
US 8.8.8.8:53 tracking-protection.cdn.mozilla.net udp
US 8.8.8.8:53 firefox-settings-attachments.cdn.mozilla.net udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 8.8.8.8:53 tracking-protection.prod.mozaws.net udp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 tracking-protection.prod.mozaws.net udp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 collector.github.com udp
US 8.8.8.8:53 37.158.120.34.in-addr.arpa udp
US 8.8.8.8:53 53.121.117.34.in-addr.arpa udp
US 140.82.113.22:443 collector.github.com tcp
US 140.82.113.22:443 collector.github.com tcp
US 8.8.8.8:53 glb-db52c2cf8be544.github.com udp
US 8.8.8.8:53 glb-db52c2cf8be544.github.com udp
US 8.8.8.8:53 tracking-protection.cdn.mozilla.net udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 8.8.8.8:53 api.github.com udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
GB 20.26.156.210:443 api.github.com tcp
US 8.8.8.8:53 api.github.com udp
US 8.8.8.8:53 api.github.com udp
US 8.8.8.8:53 22.113.82.140.in-addr.arpa udp
US 8.8.8.8:53 210.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
N/A 127.0.0.1:49864 tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 8.8.8.8:53 133.110.199.185.in-addr.arpa udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 location.services.mozilla.com udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 35.190.72.216:443 location.services.mozilla.com udp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 35.190.72.216:443 prod.classify-client.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 ciscobinary.openh264.org udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 88.221.134.209:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
GB 172.217.169.14:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 216.72.190.35.in-addr.arpa udp
US 8.8.8.8:53 201.181.244.35.in-addr.arpa udp
US 8.8.8.8:53 209.134.221.88.in-addr.arpa udp
GB 172.217.169.14:443 redirector.gvt1.com udp
US 8.8.8.8:53 r1---sn-aigzrnsr.gvt1.com udp
GB 74.125.175.38:443 r1---sn-aigzrnsr.gvt1.com tcp
US 8.8.8.8:53 r1.sn-aigzrnsr.gvt1.com udp
US 8.8.8.8:53 r1.sn-aigzrnsr.gvt1.com udp
GB 74.125.175.38:443 r1.sn-aigzrnsr.gvt1.com udp
US 8.8.8.8:53 14.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 38.175.125.74.in-addr.arpa udp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 glb-db52c2cf8be544.github.com udp
US 8.8.8.8:53 glb-db52c2cf8be544.github.com udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 github.com udp
US 185.199.110.154:443 github.githubassets.com tcp
US 8.8.8.8:53 github.githubassets.com udp
US 8.8.8.8:53 avatars.githubusercontent.com udp
US 185.199.109.133:443 avatars.githubusercontent.com tcp
US 8.8.8.8:53 133.109.199.185.in-addr.arpa udp
US 8.8.8.8:53 api.github.com udp
GB 20.26.156.210:443 api.github.com tcp
US 8.8.8.8:53 api.github.com udp
US 8.8.8.8:53 codeload.github.com udp
GB 20.26.156.216:443 codeload.github.com tcp
US 8.8.8.8:53 codeload.github.com udp
US 8.8.8.8:53 codeload.github.com udp
US 8.8.8.8:53 216.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 collector.github.com udp
US 8.8.8.8:53 glb-db52c2cf8be544.github.com udp
US 8.8.8.8:53 glb-db52c2cf8be544.github.com udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 collector.github.com udp
US 8.8.8.8:53 glb-db52c2cf8be544.github.com udp
US 8.8.8.8:53 api.github.com udp
US 8.8.8.8:53 glb-db52c2cf8be544.github.com udp
GB 20.26.156.210:443 api.github.com tcp
US 8.8.8.8:53 api.github.com udp
US 185.199.110.133:443 avatars.githubusercontent.com tcp
US 8.8.8.8:53 drive.google.com udp
GB 142.250.200.14:443 drive.google.com tcp
US 8.8.8.8:53 drive.usercontent.google.com udp
GB 142.250.178.1:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 14.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 1.178.250.142.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\datareporting\glean\pending_pings\cbd8d3e6-2c80-4f4e-b7ea-94af4a4b8181

MD5 f49ee949da93f4c3afece550548f28d8
SHA1 5a437ad80a6faf5eb16c94200e1f986e388ab008
SHA256 8a9cafa42d8e5f5376beeb45521a92f73da4decab9f4d8af4aab719165afe6ef
SHA512 7d043b9a042d72b001001bb308b3bec83b72eee30964fa3155afe7f51b34f9034e463440faa81577c4854d93b7221fa9901add9ddf2284a103d45b1a0c7c265c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\datareporting\glean\pending_pings\356528e0-023a-4afd-8599-0caedc1b2d0c

MD5 fa00c65dacd40840c49d19cfadc096da
SHA1 b0a022e9ac763006efb4299dbc9536788a29fdff
SHA256 7297432be61f3c9a53280366f53208f44e38b63e8ff414e274e8021937928afd
SHA512 8ef67ff97633aeeaf754150ef8bb9313c58e63063cf19042f612935b3dd211880f367f56a1fb68985da1cd373e8a8ba1775e90778cae8a8b7b04459e7a755cd0

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\datareporting\glean\db\data.safe.tmp

MD5 5991421f064d1922d6c74109847273e2
SHA1 fd82473dd84b0378614768431bc02111749312de
SHA256 b964f5e2aba857e6c787a39b3fd8dde8b43023f5b3357de8e376f573474c950c
SHA512 394ed185142de4b848f1cd6e724d058becdf5c85c202f779238560ee452d4aaba4d2c22ee85795764a22b2e9d4330d4ab2c292d276f425b721988d5fe1d4403f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\datareporting\glean\pending_pings\323ac119-69d9-4fae-b719-a3d925a08018

MD5 57d8a2ff866c52ff0992a87caee14529
SHA1 d4ec332578f0ed87f48f8144190f65d8158d7067
SHA256 3406d569e98a4912ad10cf3cc0e6b3902cf83e5ace6797b049fb3b640cb4705f
SHA512 e7b336dfa6cabd5ef64b2ab930eda57581ccdddbe7b929b1bfd4c3399aec7420573b0834814388126a0dd7be4a2954b7967ec68c17dbab21689090d50af3c1e0

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\datareporting\glean\db\data.safe.tmp

MD5 b0b992decb12988fb743f9cc26999385
SHA1 088ebc131856af7aeb6abc3a09cdb538b29aef83
SHA256 271a0ea25691631c3801797ca5f5736eca55cefda31788322a29de548a425d31
SHA512 3a81a8c3d634f8c014c0a9f43725b1358565126b5996ebe7dbcdaff6ded2e9039700a334def09adbdef491f4f452b0b7881146c326f006a2847660d90bc6d251

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\datareporting\glean\db\data.safe.tmp

MD5 a72f2820edc2f05df938f0d851549bda
SHA1 384a44e3fc945038529a218230fbff609b4679c8
SHA256 8609f2312eb69af1229a1205057c7058d2ca990a4c73e75ae2ed91d7470fe19e
SHA512 51d9ac7406869dc6875e66867f21b16b9611b1da39e7183e68defd0f485a8ccde21d8929aca740eeee85db667293d20e77af8dc1f0589d31b5a3cb5490b4a246

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\prefs.js

MD5 b93a7837338bd71147bdad7bfaf92aa7
SHA1 ec911e73db4e5b32b7ec8397cb5aee48df04befd
SHA256 7200c06c94a3fd9f940e7890d4cf62f054881276ee757c89438c392deece7ea6
SHA512 5d50b1f24cc766e9f214b1e23598b716a1b6113f828d2b01f92e36f8aea32d4300fd9f4898bf238618a7fce810f2bf751000c8eb426f296b6138c970265df9e7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\datareporting\glean\db\data.safe.tmp

MD5 f717325f5ac0957a6563398466fd7b94
SHA1 a521f6425332e66ca5187a2dc2d8602195033ad7
SHA256 2ef9fe4139fa4d9ab06221e85e9e39712183f5b08991a7bf3761393d773f8c3b
SHA512 9d35128aaef0673dc99acc40c7bd85bca769550455451aa12fa6af439ecfba52263dd7afec06fd0405abbb2d3a06317bbef5fc12d9467a813f8388e08f2f53ec

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\prefs-1.js

MD5 538c43ab77b0c590f239cf6ba2f2c49e
SHA1 2089ca914a1fa6a1dd0690e4526b2f2dd594ae57
SHA256 f3f08d62c7fdb5645ca8eafd49573e0ae00679fa3c38500d5fe1f44acddeafd9
SHA512 e7e27ca164251e4bc5310bc1b1e4609bfb62047641da717ecb53aea5e518f04db33cb20151e2ad3dfc4e30a473514d42328fec14efffae3c8da8ed09c4458a2d

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

MD5 c460716b62456449360b23cf5663f275
SHA1 06573a83d88286153066bae7062cc9300e567d92
SHA256 0ec0f16f92d876a9c1140d4c11e2b346a9292984d9a854360e54e99fdcd99cc0
SHA512 476bc3a333aace4c75d9a971ef202d5889561e10d237792ca89f8d379280262ce98cf3d4728460696f8d7ff429a508237764bf4a9ccb59fd615aee07bdcadf30

C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

MD5 fba93d8d029e85e0cde3759b7903cee2
SHA1 525b1aa549188f4565c75ab69e51f927204ca384
SHA256 66f62408dfce7c4a5718d2759f1d35721ca22077398850277d16e1fca87fe764
SHA512 7c1441b2e804e925eb5a03e97db620117d3ad4f6981dc020e4e7df4bfc4bd6e414fa3b0ce764481a2cef07eebb2baa87407355bfbe88fab96397d82bd441e6a2

C:\Users\Admin\AppData\Local\Temp\KillAgent.bat

MD5 ea7df060b402326b4305241f21f39736
SHA1 7d58fb4c58e0edb2ddceef4d21581ff9d512fdc2
SHA256 e4edc2cb6317ab19ee1a6327993e9332af35cfbebaff2ac7c3f71d43cfcbe793
SHA512 3147615add5608d0dce7a8b6efbfb19263c51a2e495df72abb67c6db34f5995a27fde55b5af78bbd5a6468b4065942cad4a4d3cb28ab932aad9b0f835aafe4d0

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\datareporting\glean\db\data.safe.tmp

MD5 69edc4635ee392e4b47e75c7057e5b05
SHA1 96c82b8c607dab82c5baffb33468ff8f63d1a580
SHA256 d63f984598704e4e686c93825a45f304d42c4a530d05b8c011f718226e56cc34
SHA512 a047fd74f61611f77ba1cd2a085835e842d5eb9f239eef26f449e14a3d6b338a806e8f8aa7efebd8035a1db2fc347118e8190a0f245d38b3c8de10953a814c47

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\prefs.js

MD5 021d4df1f4c3da5823e72eda1b3bbcec
SHA1 3811d268c9da558fd45e92cafae6e93a3bc285d6
SHA256 338cc2d59b11ffdea6ac4509f0660a315730d8c8d9ed7b635035d20957acbebb
SHA512 14a19f694a9185b48bd793c2bc854f724f4e24333094eb40f41495924816ecf1caba5c853faed41dd9ac5cf04dc28a602af9940dfb6a5b10299339e46ea46660

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\prefs.js

MD5 335b0a0ce983b082a64cde52c99d455d
SHA1 e8267b6befca9c915fd09e165ad3ac1d3fcc0616
SHA256 633de0217f96aecad4179a82afa0fcb73d2f72b04c3ab47cf652860e3120bcd6
SHA512 f15a533fa769ae7d338419a3e83ed6c5bc71196eda73b6d46cf71199f891f89e06ce0ec44b916ce6710ecde39e96f1e6d18557739baf2c27587b074ee9122110

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\AlternateServices.bin

MD5 9da12c92b0a28fe122dfa9e71a72c864
SHA1 afc101d2fce001bee2801b9e0515aa85be62e3f5
SHA256 b17396af41bc90576691163239949de821fda77326a98346e2f95b574eea97ba
SHA512 75f6cb090d0b95a2c92b62b8a71dcc19292fc1951dbae184861708dc0029c075046e2a0777bc99a68de0c2dac2975d88ae820ec1038da648563bad9c803e2274

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\sessionstore-backups\recovery.baklz4

MD5 84afe4bf71699c2d7302c57e8ccd0c9f
SHA1 5c0499f74d0ff14ac88dc0a0988d3dc905ffa1e6
SHA256 d367e3484be4bf3a6e14e91d9ce245cacd35d4b4776c4a7016692cef18fd1ee7
SHA512 63f679b8d83bc4c5fbb3a44b8d649a98c61f5cccfacb7cc2856449a248e9e51016c56220620455efb93c64415ae4cc01bb074305fff4db38c144c7a2d0d2956c

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\sessionstore-backups\recovery.baklz4

MD5 c41520b29aafa853c55f5727756c5265
SHA1 1e61ad27981cfdce57caea3189ecfc1fc4815a9a
SHA256 bcc8727450fef84e7a3b7177c79a53f07c2a57ed5e0913a851674ea4050a8fa6
SHA512 6457e52427031d68344e98878a05444393c16ac806203080c232572d4dc363edbaab43b4d46289ae3fbb9c79b418e7cf47f31fdb2a28d3a816d7777ebfe02e27

C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe

MD5 66996a076065ebdcdac85ff9637ceae0
SHA1 4a25632b66a9d30239a1a77c7e7ba81bb3aee9ce
SHA256 16ca09ad70561f413376ad72550ae5664c89c6a76c85c872ffe2cb1e7f49e2aa
SHA512 e42050e799cbee5aa4f60d4e2f42aae656ff98af0548308c8d7f0d681474a9da3ad7e89694670449cdfde30ebe2c47006fbdc57cfb6b357c82731aeebc50901c

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGT20.INF

MD5 e4a499b9e1fe33991dbcfb4e926c8821
SHA1 951d4750b05ea6a63951a7667566467d01cb2d42
SHA256 49e6b848f5a708d161f795157333d7e1c7103455a2f47f50895683ef6a1abe4d
SHA512 a291bb986293197a16f75b2473297286525ac5674c08a92c87b5cc1f0f2e62254ea27d626b30898e7857281bdb502f188c365311c99bda5c2dd76da0c82c554a

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ADVPACK.DLL

MD5 81e5c8596a7e4e98117f5c5143293020
SHA1 45b7fe0989e2df1b4dfd227f8f3b73b6b7df9081
SHA256 7d126ed85df9705ec4f38bd52a73b621cf64dd87a3e8f9429a569f3f82f74004
SHA512 05b1e9eef13f7c140eb21f6dcb705ee3aaafabe94857aa86252afa4844de231815078a72e63d43725f6074aa5fefe765feb93a6b9cd510ee067291526bb95ec6

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGENTCTL.DLL

MD5 237e13b95ab37d0141cf0bc585b8db94
SHA1 102c6164c21de1f3e0b7d487dd5dc4c5249e0994
SHA256 d19b6b7c57bcee7239526339e683f62d9c2f9690947d0a446001377f0b56103a
SHA512 9d0a68a806be25d2eeedba8be1acc2542d44ecd8ba4d9d123543d0f7c4732e1e490bad31cad830f788c81395f6b21d5a277c0bed251c9854440a662ac36ac4cb

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGENTDPV.DLL

MD5 7c5aefb11e797129c9e90f279fbdf71b
SHA1 cb9d9cbfbebb5aed6810a4e424a295c27520576e
SHA256 394a17150b8774e507b8f368c2c248c10fce50fc43184b744e771f0e79ecafed
SHA512 df59a30704d62fa2d598a5824aa04b4b4298f6192a01d93d437b46c4f907c90a1bad357199c51a62beb87cd724a30af55a619baef9ecf2cba032c5290938022a

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGENTSVR.EXE

MD5 5c91bf20fe3594b81052d131db798575
SHA1 eab3a7a678528b5b2c60d65b61e475f1b2f45baa
SHA256 e8ce546196b6878a8c34da863a6c8a7e34af18fb9b509d4d36763734efa2d175
SHA512 face50db7025e0eb2e67c4f8ec272413d13491f7438287664593636e3c7e3accaef76c3003a299a1c5873d388b618da9eaede5a675c91f4c1f570b640ac605d6

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGENTSR.DLL

MD5 9fafb9d0591f2be4c2a846f63d82d301
SHA1 1df97aa4f3722b6695eac457e207a76a6b7457be
SHA256 e78e74c24d468284639faf9dcfdba855f3e4f00b2f26db6b2c491fa51da8916d
SHA512 ac0d97833beec2010f79cb1fbdb370d3a812042957f4643657e15eed714b9117c18339c737d3fd95011f873cda46ae195a5a67ae40ff2a5bcbee54d1007f110a

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGTCTL15.TLB

MD5 f1656b80eaae5e5201dcbfbcd3523691
SHA1 6f93d71c210eb59416e31f12e4cc6a0da48de85b
SHA256 3f8adc1e332dd5c252bbcf92bf6079b38a74d360d94979169206db34e6a24cd2
SHA512 e9c216b9725bd419414155cfdd917f998aa41c463bc46a39e0c025aa030bc02a60c28ac00d03643c24472ffe20b8bbb5447c1a55ff07db3a41d6118b647a0003

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGT0409.DLL

MD5 0cbf0f4c9e54d12d34cd1a772ba799e1
SHA1 40e55eb54394d17d2d11ca0089b84e97c19634a7
SHA256 6b0b57e5b27d901f4f106b236c58d0b2551b384531a8f3dad6c06ed4261424b1
SHA512 bfdb6e8387ffbba3b07869cb3e1c8ca0b2d3336aa474bd19a35e4e3a3a90427e49b4b45c09d8873d9954d0f42b525ed18070b949c6047f4e4cdb096f9c5ae5d5

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGT0409.HLP

MD5 466d35e6a22924dd846a043bc7dd94b8
SHA1 35e5b7439e3d49cb9dc57e7ef895a3cd8d80fb10
SHA256 e4ccf06706e68621bb69add3dd88fed82d30ad8778a55907d33f6d093ac16801
SHA512 23b64ed68a8f1df4d942b5a08a6b6296ec5499a13bb48536e8426d9795771dbcef253be738bf6dc7158a5815f8dcc65feb92fadf89ea8054544bb54fc83aa247

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MSLWVTTS.DLL

MD5 316999655fef30c52c3854751c663996
SHA1 a7862202c3b075bdeb91c5e04fe5ff71907dae59
SHA256 ea4ca740cd60d2c88280ff8115bf354876478ef27e9e676d8b66601b4e900ba0
SHA512 5555673e9863127749fc240f09cf3fb46e2019b459ad198ba1dc356ba321c41e4295b6b2e2d67079421d7e6d2fb33542b81b0c7dae812fe8e1a87ded044edd44

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGTINST.INF

MD5 b127d9187c6dbb1b948053c7c9a6811f
SHA1 b3073c8cad22c87dd9b8f76b6ffd0c4d0a2010d9
SHA256 bd1295d19d010d4866c9d6d87877913eee69e279d4d089e5756ba285f3424e00
SHA512 88e447dd4db40e852d77016cfd24e09063490456c1426a779d33d8a06124569e26597bb1e46a3a2bbf78d9bffee46402c41f0ceb44970d92c69002880ddc0476

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGENTPSH.DLL

MD5 b4ac608ebf5a8fdefa2d635e83b7c0e8
SHA1 d92a2861d5d1eb67ab434ff2bd0a11029b3bd9a9
SHA256 8414dfe399813b7426c235ba1e625bd2b5635c8140da0d0cfc947f6565fe415f
SHA512 2c42daade24c3ff01c551a223ee183301518357990a9cb2cc2dd7bf411b7059ff8e0bf1d1aee2d268eca58db25902a8048050bdb3cb48ae8be1e4c2631e3d9b4

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGENTANM.DLL

MD5 48c00a7493b28139cbf197ccc8d1f9ed
SHA1 a25243b06d4bb83f66b7cd738e79fccf9a02b33b
SHA256 905cb1a15eccaa9b79926ee7cfe3629a6f1c6b24bdd6cea9ccb9ebc9eaa92ff7
SHA512 c0b0a410ded92adc24c0f347a57d37e7465e50310011a9d636c5224d91fbc5d103920ab5ef86f29168e325b189d2f74659f153595df10eef3a9d348bb595d830

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGENTMPX.DLL

MD5 4fbbaac42cf2ecb83543f262973d07c0
SHA1 ab1b302d7cce10443dfc14a2eba528a0431e1718
SHA256 6550582e41fc53b8a7ccdf9ac603216937c6ff2a28e9538610adb7e67d782ab5
SHA512 4146999b4bec85bcd2774ac242cb50797134e5180a3b3df627106cdfa28f61aeea75a7530094a9b408bc9699572cae8cf998108bde51b57a6690d44f0b34b69e

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGENTDP2.DLL

MD5 a334bbf5f5a19b3bdb5b7f1703363981
SHA1 6cb50b15c0e7d9401364c0fafeef65774f5d1a2c
SHA256 c33beaba130f8b740dddb9980fe9012f9322ac6e94f36a6aa6086851c51b98de
SHA512 1fa170f643054c0957ed1257c4d7778976c59748670afa877d625aaa006325404bc17c41b47be2906dd3f1e229870d54eb7aba4a412de5adedbd5387e24abf46

C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe

MD5 3f8f18c9c732151dcdd8e1d8fe655896
SHA1 222cc49201aa06313d4d35a62c5d494af49d1a56
SHA256 709936902951fb684d0a03a561fb7fd41c5e6f81ecd60d326809db66eb659331
SHA512 398a83f030824011f102dbcf9b25d3ff7527c489df149e9acdb492602941409cf551d16f6f03c01bc6f63a2e94645ed1f36610bdaffc7891299a8d9f89c511f7

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\W95INF32.DLL

MD5 4be7661c89897eaa9b28dae290c3922f
SHA1 4c9d25195093fea7c139167f0c5a40e13f3000f2
SHA256 e5e9f7c8dbd47134815e155ed1c7b261805eda6fddea6fa4ea78e0e4fb4f7fb5
SHA512 2035b0d35a5b72f5ea5d5d0d959e8c36fc7ac37def40fa8653c45a49434cbe5e1c73aaf144cbfbefc5f832e362b63d00fc3157ca8a1627c3c1494c13a308fc7f

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\W95INF16.DLL

MD5 7210d5407a2d2f52e851604666403024
SHA1 242fde2a7c6a3eff245f06813a2e1bdcaa9f16d9
SHA256 337d2fb5252fc532b7bf67476b5979d158ca2ac589e49c6810e2e1afebe296af
SHA512 1755a26fa018429aea00ebcc786bb41b0d6c4d26d56cd3b88d886b0c0773d863094797334e72d770635ed29b98d4c8c7f0ec717a23a22adef705a1ccf46b3f68

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tv_enua.inf

MD5 0a250bb34cfa851e3dd1804251c93f25
SHA1 c10e47a593c37dbb7226f65ad490ff65d9c73a34
SHA256 85189df1c141ef5d86c93b1142e65bf03db126d12d24e18b93dd4cc9f3e438ae
SHA512 8e056f4aa718221afab91c4307ff87db611faa51149310d990db296f979842d57c0653cb23d53fea54a69c99c4e5087a2eb37daa794ba62e6f08a8da41255795

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tv_enua.dll

MD5 ed98e67fa8cc190aad0757cd620e6b77
SHA1 0317b10cdb8ac080ba2919e2c04058f1b6f2f94d
SHA256 e0beb19c3536561f603474e3d5e3c3dff341745d317bc4d1463e2abf182bb18d
SHA512 ec9c3a71ca9324644d4a2d458e9ba86f90deb9137d0a35793e0932c2aa297877ed7f1ab75729fda96690914e047f1336f100b6809cbc7a33baa1391ed588d7f0

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\andmoipa.ttf

MD5 c3e8aeabd1b692a9a6c5246f8dcaa7c9
SHA1 4567ea5044a3cef9cb803210a70866d83535ed31
SHA256 38ae07eeb7909bda291d302848b8fe5f11849cf0d597f0e5b300bfed465aed4e
SHA512 f74218681bd9d526b68876331b22080f30507898b6a6ebdf173490ca84b696f06f4c97f894cb6052e926b1eee4b28264db1ead28f3bc9f627b4569c1ddcd2d3e

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Msvcirt.dll

MD5 e7cd26405293ee866fefdd715fc8b5e5
SHA1 6326412d0ea86add8355c76f09dfc5e7942f9c11
SHA256 647f7534aaaedffa93534e4cb9b24bfcf91524828ff0364d88973be58139e255
SHA512 1114c5f275ecebd5be330aa53ba24d2e7d38fc20bb3bdfa1b872288783ea87a7464d2ab032b542989dee6263499e4e93ca378f9a7d2260aebccbba7fe7f53999

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Msvcp50.dll

MD5 497fd4a8f5c4fcdaaac1f761a92a366a
SHA1 81617006e93f8a171b2c47581c1d67fac463dc93
SHA256 91cd76f9fa3b25008decb12c005c194bdf66c8d6526a954de7051bec9aae462a
SHA512 73d11a309d8f1a6624520a0bf56d539cb07adee6d46f2049a86919f5ce3556dc031437f797e3296311fe780a8a11a1a37b4a404de337d009e9ed961f75664a25

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tv_enua.hlp

MD5 80d09149ca264c93e7d810aac6411d1d
SHA1 96e8ddc1d257097991f9cc9aaf38c77add3d6118
SHA256 382d745e10944b507a8d9c69ae2e4affd4acf045729a19ac143fa8d9613ccb42
SHA512 8813303cd6559e2cc726921838293377e84f9b5902603dac69d93e217ff3153b82b241d51d15808641b5c4fb99613b83912e9deda9d787b4c8ccfbd6afa56bc9

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tvenuax.dll

MD5 1587bf2e99abeeae856f33bf98d3512e
SHA1 aa0f2a25fa5fc9edb4124e9aa906a52eb787bea9
SHA256 c9106198ecbd3a9cab8c2feff07f16d6bb1adfa19550148fc96076f0f28a37b0
SHA512 43161c65f2838aa0e8a9be5f3f73d4a6c78ad8605a6503aae16147a73f63fe985b17c17aedc3a4d0010d5216e04800d749b2625182acc84b905c344f0409765a

C:\Windows\msagent\chars\Bonzi.acs

MD5 1fd2907e2c74c9a908e2af5f948006b5
SHA1 a390e9133bfd0d55ffda07d4714af538b6d50d3d
SHA256 f3d4425238b5f68b4d41ed5be271d2f4118a245baf808a62dc1a9e6e619b2f95
SHA512 8eede3e5e52209b8703706a3e3e63230ba01975348dcdc94ef87f91d7c833a505b177139683ca7a22d8082e72e961e823bc3ad1a84ab9c371f5111f530807171

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\cache2\doomed\10787

MD5 08cb9d4060213f208e07f2762dcd878f
SHA1 c0539ebc7502598f55ae8669d22d0e970916a063
SHA256 f4085cd8d802cbda7bcf15e1269aba2f692c8428eab1b135a751730867c10320
SHA512 685f7e2c26f95abd7326da178114f379f044b360eff25138a667c1f40bf1c1bea7808d5e546118403fecb72d22536aa11f06b2c2b45dfa14bb0645fa125d502f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\sessionstore-backups\recovery.baklz4

MD5 f13f3524099ae6603102813a0a7922d1
SHA1 08bdd1f02a0efa577c795b81e5079ec4b823b6ff
SHA256 2055c3f072007d1761374aa3ce2a5cf07a86c19b48c6b13e75109725c690b06e
SHA512 5fcb3720e78a87bda215350073c186ad43dc57f1f1633b61894f0251be3f95893e0c8e5c7d8807956c1d63a795b62f61899ce8f2c0b9b1bf367fe6b8d74e1fe7

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\cache2\entries\C88FE6FE8ED0018995E76FB6B4CAEB37655B5835

MD5 8f7599b7048d6f5568f6dfa5dfc524ff
SHA1 c936eeb0f8a58165e470bcb4909db33890e61677
SHA256 8b261fdf5a517100240d543a8a67835b317fe042a2de25d89a5d9c150c214c8c
SHA512 fca4b9a1b289ae0599615f2aa940c71e869f3da8c256c138c16c0f2fde38b13625b020cdc3200e3a394e8951f7a7ef60a1d07b6138e0586d2e2d62583f16d41a

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\cache2\entries\AF6E7B7DB9908D7B867517AC33D094ABD56E38F7

MD5 6cb4271318b754f3562448d9bddaa28c
SHA1 5753027230508610fb4f82a998fbe426939e1b64
SHA256 d392bb34871e34950e9502604cdc9ff6be8ebed7f06a3e81afe777f2a66f4d60
SHA512 e4fd505a97761d47623f4c6f002592bfc89cb9ec724bfc51f76e0fd4326fcf484b871da80bd450b7d706a850227e754207ee15e4c8bf8b593cdf993c1974922d

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\cache2\entries\4BCF7D608B2663D7D1515223C0F13E5D72484770

MD5 c59d8730b4093afb14a74c3aec12f3be
SHA1 4dc227adf95a6a128e4d50f9a9c4033eba447790
SHA256 bcc8b43186ba3c08d1b94ef51f38a5c4302392471fa6b5e91f7b297dc2f08b75
SHA512 20bab07f783fb93567fde582aeb4a7d259dec3c07afb31bf23d02926ffbf3be49528de67a13a43599440fb5725959c1ac4255dc2fbdf2920a9f0a13e919d94b7

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\cache2\entries\F5A1FBDEF4E6F115791D6C8EF1598942067B8080

MD5 94a2c5610321b9b81d95fc86c2571597
SHA1 82da5f159025621a105ac3c424122e74147256e1
SHA256 34f9016ed8fb361dc39a8f23b6a989c42c6d113d141a61bdd644c6779108882a
SHA512 0efa9fa30dd9fc78aef9e51b1d57416071982cea6c79647f64a275fa6e5d348db387989f1e3bf35554a3aa062a03bb5d9a40668cc31cd905b646b8cd6b8d204b

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\cache2\entries\2492994A253B970917AF5CDF605580B1C2DC16A0

MD5 7ae109550713eb16d8b4b35195c1dd5c
SHA1 38830b16cbeeb39b1d6aae7fbb19b38a0a472929
SHA256 f236f9d2cf5d4efd7642abff0df2b13af9ad3f6c1166ef44941c9d02d1017cad
SHA512 28e106e229ad43dd5340a1fa605dfc9bca9a464558b2e4cfc6f9ee3fa9c490f7d39bd225c0124b3c71b433b404bf2fd13281b3f6596ed34c9d0a8c6e36b9b03d

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\cache2\entries\BF0923D6C9AC3F4148AB74C98E937ACD57DCEAD3

MD5 597ce065c815bf3fd9b1f8c1671edf32
SHA1 a9c2c26153cde5acde8a71a11cfc2c54bbc37e90
SHA256 2d7cd95cc0e659d0fe3db23afdf39833271d015bf77e50c3fb6649320fb84ed8
SHA512 24a47742c9bd0a6762ac716ae8c14050da9bea32de4ed2e9749c7185808a9c17006ec4b0e9437b1c08b9deebbb7bfc6fcdc47546ad63770c65a3f72895e69326

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\cache2\entries\49AF65C60E9467DC868F8EFFBC6F0E1FE2D6093D

MD5 389cf3dd652187335dce41dbd977925e
SHA1 69b0ad7fac53bc45f162f85cb2ef95d2cadfe35e
SHA256 4533f6ca738be05972b3f4c486a5fae3945396c3f4a5766e514da1d28cd47416
SHA512 54c325eeb2d7b5d53852d556553e1d8df25ef832686ac9db51c5d4176dd705841335f345a672ea8be4c270067a64af861123113f5c6b880700066c8064994731

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\cache2\entries\AC6959268E349C7B5497A3867D6DCDC4D543431E

MD5 9e069b2764d4fd66d267ec04e1032b0c
SHA1 c4f0924408940d6fadbbd7f53bb7eca7c767519f
SHA256 cadf765eaac655b175d65bfe41baf433e3167c7e9081a3929228836c20309c8d
SHA512 07a4d5810df8a30a68004aaee775425dc8fe47956b4c21dc771f3bf0f0600c84860271d8387166dc3e408a3d1559ad213748a68d6211ef2fb649d36a249efd9b

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\cache2\entries\9695EF6C5E0CE18BF6742C5C0EE08F02BAE83E2C

MD5 31789dadba55baf8506e3b40722d5768
SHA1 c7001be5f7f1e83036590d6fed10c222033099e3
SHA256 804e045f7360a07aa4ce05ffd5ff96573a70c44624d75901554389847417f013
SHA512 538187b9f76a628572d60b519bc7a2b41619c4f13393a58873aafb0a1cc66f0ce80efb56ad4e9f9d9f73e39e8d764012c2178ed902bd7ec7d599936081a08165

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\cache2\entries\2842554DB98F3F407860E172D9087A5CCA96CB21

MD5 4e809ae9a722830957bd63e1af2c1a4f
SHA1 a8f6ab96a959b9b8be3e715ebd7cd87dc24b6e12
SHA256 ac13d2dd2ee4ad5448927b3b33c8ebf313ffec1942f151cfb1ba8085579277f3
SHA512 b02ab121de0a87a4ab887c00718ced473e8fbee2118de15f2d9a7d3dbd5a7657e0a842ed34fb1a31eb416b1ff9ac94e2e55c36580d17546208ff15138ecd4640

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

MD5 3f0957868ba488e424e8cacb4add95e9
SHA1 dd85da7cafe2c70c5fef8bd7389d7e12cf7ab7c4
SHA256 0e2c49bfb4296b7e7459e5b09736928d108815eaf4fdcec0c1f334dd5b59a910
SHA512 19f39e9dd38ea3cf0f28af45f079115788672c88c2dcea4174630c21af43cc067668cc71241f42f368b41789aeb076745b65a0cb22c499fb578f4c348941fea5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

MD5 6a30fe4a1a3e5460edd8fac787902583
SHA1 559e12f5e253157d23e36b1c6d7edde6e18f6499
SHA256 2965f3225b3d811a63b6a0d3f94e672c8103ce449d3d49790d3db967dead11ff
SHA512 4b9847cb47e5ffeb8aa60b9251f478792bb11dc9b6636e9329332648ab07f104f10a0555406f92bb6cfbda6dd84173df9946a8f20d18620bb5ea6778de84c172

memory/4664-1354-0x0000000002D40000-0x0000000002D41000-memory.dmp

memory/5616-1356-0x00000263AA000000-0x00000263AA100000-memory.dmp

memory/5616-1360-0x00000263AAEF0000-0x00000263AAF10000-memory.dmp

memory/5616-1355-0x00000263AA000000-0x00000263AA100000-memory.dmp

memory/5616-1394-0x00000263AB440000-0x00000263AB460000-memory.dmp

memory/5616-1393-0x00000263AAEB0000-0x00000263AAED0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\sessionstore-backups\recovery.baklz4

MD5 acd2ff339dde49818a6cb22ca9f63c63
SHA1 181a5e68f7278e8025c97147cd33337a60bea2a8
SHA256 c805c6f627376d84353a2d647569e2e017718268430ff1a4fead680668a09bdf
SHA512 8e9807e2b62e9b45f7835005bdce158b21a4bf06794067fd9e6e88c5dc6660356060436c3c24ee830feabff072dee5d3200f9b86ef9b6f0d3454b77951c3b71f

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133693112526851354.txt

MD5 e794932fe0208c1f332174f834e16b95
SHA1 d3a24ca7b3f456b70817648419a88e1b4a497a5e
SHA256 c54a2999cf8cb9f3f19fb0c3f725aa93a77e2555f9fef006edb7c3f58e2e42b3
SHA512 f8ac2106802fc00bf238a136f6ba345fd6db3832e68af070d7a66ef83bc9b7292c6b0dd278c7816142e32c271ec705738eae1e8221a91b6ed8b96ce1120378df

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\jumpListCache\RTyx9aoWY3rL8cW+DSnor2kExnF29j82iQZUKU5dpxk=.ico

MD5 6b120367fa9e50d6f91f30601ee58bb3
SHA1 9a32726e2496f78ef54f91954836b31b9a0faa50
SHA256 92c62d192e956e966fd01a0c1f721d241b9b6f256b308a2be06187a7b925f9e0
SHA512 c8d55a2c10a2ef484dedded911b8f3c2f5ecb996be6f6f425c5bd4b4f53eb620a2baccd48bac1915a81da9a792971d95ff36c3f216075d93e5fd7a462ecd784f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\sessionstore-backups\recovery.baklz4

MD5 bd3012813308607b291fd35ed3f76093
SHA1 5de997f0de6e074a93b30aca9e585588d04095dd
SHA256 bcd07acf75815b04c09acc9884ef27a254614968a381ab4981b2fdee05709c40
SHA512 25be4177070eb7bed1ae64471469a87e99243ca05d03b6ff7057b8aac25430feef56294a96bf99435ed8921e1d5dbcb06b5323980c405d284f1082b414ff174f

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\cache2\entries\A18246B61C8E4C36C72806D7717A9856D0ADA529

MD5 3e214d494666a04c57621a57e76f5f7b
SHA1 a58d1a5c695e527e578b549f55b6d42f6c115ffc
SHA256 c7839105affe9d19ef2e963bec2da5c46bb663d7bbd5d8386e0f0c11bf819ae7
SHA512 40684d6f2bf1552810d61fe5b01791fe3f95d65a25a0514c5cd069c756e2339fac2240fcda62d69bff42fce6e13267edbb99bd39f0b0d3adcf50d0baae48574d

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\cache2\entries\E6C22A3DFCD18E3C6145370266896FF76AE3F7EC

MD5 3e842851e97e352c058cbf2cfebf4148
SHA1 3dd84cacbee6d64e8043788caf5a974e43dd0f1a
SHA256 e3f434c3f27d38b6ec3f658ce8d20bc65b40f147a40eaf27fa741cc52a4ba3ae
SHA512 4b786f0a2fb0931604208adbff0e2b377ea76698342e31aefa03c0fba90efede1de533d47389a9bef64dcd73d17bcb8608481d8a1d22a38bfb1f1b34f5c220a4

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\cache2\entries\087F96B189611952C6B30E20692EACCCD08B35EE

MD5 f9a2553a9d1105f708303714caaef0b7
SHA1 6b5cb4cd24b47032f9679bf29c344620ed99fc4e
SHA256 09c5e8ba5d5b9c93dee4a1849e3e8e951126efebce571fdc440e08442faabb76
SHA512 8bf5d97ecee2fc8953a9b5e3171b6afff9113d7beca400e3e1ea707612442e1cf644a20f3245f326f24d32b0b8e90ca474d874728b541259a189c7dbee0d81b5

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\cache2\entries\4263B1A2D70C7C417487FECC88693B6E7E40E2B7

MD5 892821a014d919ee591b0a11b6e9ae6e
SHA1 d510524dc7d895a08cbac920c80c2858ba5731f1
SHA256 6a43b092713f21fb3dcf8a036c10f0edfd574fac1d77955fc5e504ace435a85e
SHA512 3ae03f3f678481a5d908193e16f41f8e475679309948c60642debf6aaa1ac00a46828156be827ab31800eb0c5b5a22bc97692f31eb248fd8ac90ac13a0db4ba8

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\sessionstore-backups\recovery.baklz4

MD5 29cab38f7c4de521e8664870f6bace26
SHA1 3fe9ecf415e544451702f379fdf44bd55cdc4bca
SHA256 3424be1f0d40856519cb00c37bfb2ff53820b5bedf63c6edf599235cc45f2131
SHA512 6e1757e4c973b6b95e54c05de7e6f3ee48e52236b65285cdcb8fd93769985df4381f2b22ac721dad6ddbbcc20cdce52705ca908e94971be1647f5e7fef150ed7

C:\Users\Admin\Downloads\geometry dash auto speedhack.exe

MD5 19dbec50735b5f2a72d4199c4e184960
SHA1 6fed7732f7cb6f59743795b2ab154a3676f4c822
SHA256 a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d
SHA512 aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\downloads.json

MD5 b4e90794b249ebaa01a1982e0be6c087
SHA1 8239ff7e5c83f489af3f9fe32e7d73993437ee9f
SHA256 b9d66693560fe5d5f876852511a3868231b3b76c9912d6c2d78b9877db575901
SHA512 cea515c8f90f15d82a3cc5d8d78e5b6ebc85f9a8e24dfc95ea1d2508a909c9f60b566c08e526705911cc6df7313e158f4ac1db71a663e54b857aa38f5e5e683f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\sessionstore-backups\recovery.baklz4

MD5 0f0551647e17023cbf39567fb18e685c
SHA1 1a6b95eb9d4ee935f63f7102ddbf9a58bf6919ea
SHA256 5e7b9513b0041d1552aaf923492727eb0b957317df22417356cabb24bde5d89d
SHA512 92589e32d38746636d210b643abd69811e146bbf4e535d5a0e3b3cc1b4acb196e4d345cc5a4091ff1cc5cb0f473eb8723487b4b195a914f061ab3197f9611620

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms

MD5 db1c9fda6ab164deb4b68edd84e48fd1
SHA1 59f2ae8aeea5282b2731b4df8717832d56e106e9
SHA256 f1637cee07a54617f890c2f4762847547559d1938d665f7e0d09e5e90d49fcb4
SHA512 0ffa1cd8ca40266583b883eba113828ac79950ba50ea07484cd31bf3c6640aaf4b549d2d9d5e1818503e4fb069489350cd71fac414ff3bd207857ee4b8bece4e

C:\Users\Admin\Downloads\windows-malware-master\windows-malware-master\MEMZ\Geometry dash auto speedhack.bat

MD5 63c6ec6b042bcb00d2d832c0e4f25dca
SHA1 a904a7c3fc89ff497e91384a63db3282e00d31ce
SHA256 dae968f47476ef79b122e771ccd0a2bacde2ac3535f68047239682fefa3dfe50
SHA512 1454cd79a59f0603ae083abb7f3b1438e18c7858ab04dfc3df1a725cee72be48274c289d5c0a44ce415f4bdf8a2c316312453862381fdbf0f4af97a62234e41a

C:\Users\Admin\Downloads\windows-malware-master\windows-malware-master\MEMZ\x

MD5 ecd4d8524d6549e8a5d86d650bc48f10
SHA1 50637a0859e670ef11080dee3020cdba67ed03f7
SHA256 f46852d7cb44dacf5ea1361aeab224e7a4569545df577772722c6e5fa8287dd8
SHA512 c58111af5fa3c8ae10eb55a28788e9796c317743152065e4dd750dbeff661084e0c4d289b12f58a457edaad3bb1179c29699bb9ad88ac74eb002d5434dce83be

C:\Users\Admin\Downloads\windows-malware-master\windows-malware-master\MEMZ\x.js

MD5 8eec8704d2a7bc80b95b7460c06f4854
SHA1 1b34585c1fa7ec0bd0505478ac9dbb8b8d19f326
SHA256 aa01b8864b43e92077a106ed3d4656a511f3ba1910fba40c78a32ee6a621d596
SHA512 e274b92810e9a30627a65f87448d784967a2fcfbf49858cbe6ccb841f09e0f53fde253ecc1ea0c7de491d8cc56a6cf8c79d1b7c657e72928cfb0479d11035210

C:\Users\Admin\Downloads\windows-malware-master\windows-malware-master\MEMZ\x

MD5 1882f3dd051e401349f1af58d55b0a37
SHA1 6b0875f9e3164f3a9f21c1ec36748a7243515b47
SHA256 3c8cea1a86f07b018e637a1ea2649d907573f78c7e4025ef7e514362d09ff6c0
SHA512 fec96d873997b5c6c82a94f8796c88fc2dd38739277c517b8129277dcbda02576851f1e27bdb2fbb7255281077d5b9ba867f6dfe66bedfc859c59fdd3bbffacf

C:\Users\Admin\Downloads\windows-malware-master\windows-malware-master\MEMZ\z.zip

MD5 63ee4412b95d7ad64c54b4ba673470a7
SHA1 1cf423c6c2c6299e68e1927305a3057af9b3ce06
SHA256 44c1857b1c4894b3dfbaccbe04905652e634283dcf6b06c25a74b17021e2a268
SHA512 7ff153826bd5fed0a410f6d15a54787b79eba927d5b573c8a7f23f4ecef7bb223d79fd29fe8c2754fbf5b4c77ab7c41598f2989b6f4c7b2aa2f579ef4af06ee7

C:\HookDLL.dll

MD5 b2ca1151f83573bc172ddaa172f20c3d
SHA1 1d1f37de1726055f2f4f7e04fb40ba16404776ba
SHA256 448a89afddb9bfd9d19efed398d9102a8e80405ff720d9562b5e2ba2a36bfbf3
SHA512 c146e9389fcb66553db632d48a9fb76253f6c52a2037547a242d5b31fa55cebb72f5554257b2fd58639896f3df08985a66dfd76c35ef4103db5b7e2c0a7c8d1b

memory/7068-1906-0x00000000766F0000-0x000000007676A000-memory.dmp

memory/7068-2189-0x0000000054DD0000-0x0000000054DD1000-memory.dmp

memory/7068-2196-0x0000000074F80000-0x00000000751FE000-memory.dmp

memory/7068-2197-0x0000000004B10000-0x0000000004B70000-memory.dmp

memory/7068-2198-0x0000000004B10000-0x0000000004B70000-memory.dmp

memory/7068-2199-0x0000000074EB0000-0x0000000074F4B000-memory.dmp

memory/7068-2204-0x0000000074F80000-0x00000000751FE000-memory.dmp

C:\Windows\executables.bin

MD5 41e0416603e70c7037d40083b6e7e9b7
SHA1 4c9e8ec43afe113d4856a34627f0b2b34fd204b2
SHA256 1f8828c0d7a35cc93e46b9eb17125b9bcb082e8e6e79c7dabd73861750454f8e
SHA512 fb20cbb005d58cb094f7f201e95a5d11eee9aeadb806f0d7adc45ddf06505280583cfca789cfc2e3a080e259615604a4a3a9acd0248d128f455d08461d989500

memory/7068-2210-0x0000000004B10000-0x0000000004B70000-memory.dmp

memory/1436-2213-0x00000000011D0000-0x00000000011DE000-memory.dmp

memory/1436-2211-0x000000001B710000-0x000000001B73C000-memory.dmp

memory/7068-2214-0x0000000004B10000-0x0000000004B70000-memory.dmp

memory/7068-2218-0x0000000074F80000-0x00000000751FE000-memory.dmp

memory/7068-2221-0x0000000074F80000-0x00000000751FE000-memory.dmp

memory/7068-2226-0x0000000076D60000-0x0000000076D79000-memory.dmp

memory/7068-2229-0x0000000074F80000-0x00000000751FE000-memory.dmp

memory/7068-2232-0x00000000773D0000-0x0000000077570000-memory.dmp

memory/7068-2235-0x00000000773D0000-0x0000000077570000-memory.dmp

memory/7068-2236-0x0000000074F80000-0x00000000751FE000-memory.dmp

memory/7068-2238-0x0000000004B10000-0x0000000004B70000-memory.dmp

memory/7068-2249-0x0000000075D60000-0x0000000075DBF000-memory.dmp

memory/7068-2259-0x0000000077030000-0x00000000772B1000-memory.dmp

memory/7068-2260-0x0000000074F80000-0x00000000751FE000-memory.dmp

memory/7068-2268-0x0000000074F80000-0x00000000751FE000-memory.dmp

memory/7068-2269-0x0000000077770000-0x00000000777D3000-memory.dmp

memory/3964-2276-0x00000000035E0000-0x000000000362A000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\A3LB4N31FM0KF9EDAKBG.temp

MD5 b3cbc1013c7132b2c72611b095435e25
SHA1 a98e6bdcce56ab924f37c05dad0f6d3f64a11804
SHA256 deebf9401e45639da1583a0aaf699ecf349fa950a092de08765dfe5334b4a007
SHA512 b74087c1c97b5e614be15bd5bb8846664104cfd9d990490346f5c99ee6d83a7c1e1b76c6c046a4320221a7cbf1892c3846bb67eba0ab844ee4ee10df641e0efb

C:\Users\Admin\Downloads\windows-malware-master\windows-malware-master\ILOVEYOU\LOVE-LETTER-FOR-YOU.TXT.vbs

MD5 48ac397b96a30da6d67ffcf5b555e69c
SHA1 6b509435d7ab375d40231081417a340910da513c
SHA256 b6dc96d48ee73fda299a8f8dac2335ed4bf710f5166ce093aa8734256a205569
SHA512 4dd6ca7a18b7dceac16a8cec892f658a2389efe3b6a936ac9bf26f20a99a7a65d76dec1a412988e9a5be59276a7f7c0bca08583a474c8a9609799a4bab4ed5f2

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms

MD5 356afdf5082d980d4289e3964b7f9432
SHA1 bbe74ff8abce3f3608312d2c2ffe7174ca660cab
SHA256 1002316b0b6aba7454dccf15fbb851c95a1ecd7aadd7f7a703f80b0f2a9bfaeb
SHA512 6be0f1185b23ba91978500a278c43ba68b8c598d86adbbaa0b19be7ae00f3c371d7c68611daa28f83ce36e8f45d6aa019fdced28f07d6c8827488d2cea2485f0

C:\Users\Admin\Downloads\windows-malware-master\windows-malware-master\MrsMajor 3.0\MrsMajor3.0.exe

MD5 35a27d088cd5be278629fae37d464182
SHA1 d5a291fadead1f2a0cf35082012fe6f4bf22a3ab
SHA256 4a75f2db1dbd3c1218bb9994b7e1c690c4edd4e0c1a675de8d2a127611173e69
SHA512 eb0be3026321864bd5bcf53b88dc951711d8c0b4bcbd46800b90ca5116a56dba22452530e29f3ccbbcc43d943bdefc8ed8ca2d31ba2e7e5f0e594f74adba4ab5

memory/7044-2756-0x0000000000FC0000-0x0000000000FEA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5a530dfd-bc51-4992-a05d-f09d41a331d4\AgileDotNetRT64.dll

MD5 42b2c266e49a3acd346b91e3b0e638c0
SHA1 2bc52134f03fcc51cb4e0f6c7cf70646b4df7dd1
SHA256 adeed015f06efa363d504a18acb671b1db4b20b23664a55c9bc28aef3283ca29
SHA512 770822fd681a1d98afe03f6fbe5f116321b54c8e2989fb07491811fd29fca5b666f1adf4c6900823af1271e342cacc9293e9db307c4eef852d1a253b00347a81

memory/7044-2774-0x000000001DBF0000-0x000000001DDB2000-memory.dmp

memory/7044-2775-0x000000001E2F0000-0x000000001E818000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\prefs.js

MD5 76ab64d5a2a2827244bc671fb6b7f275
SHA1 19ab8a39ea9e764d5c6a1446b226835160ccdd99
SHA256 cbfe22d044caa52eeeb6529e8cae637117b385a71b59b7091271e11cd31e71a3
SHA512 061e0a9efbd6a0ccee39619d78c361a013ae61b095bbb48539d0811576049fcd2d233d7597f558562cf451c345710a93e129d53fecc27b2fd6993e4c7b5e8959

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\sessionstore-backups\recovery.baklz4

MD5 b803a5726def9986f28da43e7fc07b95
SHA1 44006a3f135616448839c388a866caa765f6b78e
SHA256 3b61252268f721302fc359189461b22538f4b49db6c81681b9e6ac3d00c459cb
SHA512 cc9843a46daf77b0dbca40fd7acbe0649f72ba9d08d06271acb88ba2e98f99762bbf6536419e5f1eb807f2003faec8bd4cd95680b0490c856847a9fe18dbb189