70ccb52e4c78d8b68d562fb7088d143577ad35a4b0bd01581a383c41580f1b2d

Analysis

max time kernel
101s
max time network
137s
platform
windows10_x64
resource
win10
submitted
09/07/2020, 06:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ea44d48c76296c8ab490e6408b1d0726.exe
Size

619KB
MD5

ea44d48c76296c8ab490e6408b1d0726
SHA1

b3809f6a46816a63bf31136493d312d09f775b36
SHA256

70ccb52e4c78d8b68d562fb7088d143577ad35a4b0bd01581a383c41580f1b2d
SHA512

33a249cb32e51f4f6246f1890ae9fcc90c6093a7e58999bff7c04ae7ceb3b19bcf42db3fbab1527594be560d9074602d2807d9b1837d41ca7aa2f7410922a3a2

Score

10^/10

discovery spyware

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
17	ip-api.com

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wotsuper1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wotsuper1.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 716 wrote to memory of 2844	716	ea44d48c76296c8ab490e6408b1d0726.exe	70
PID 716 wrote to memory of 2844	716	ea44d48c76296c8ab490e6408b1d0726.exe	70
PID 716 wrote to memory of 2844	716	ea44d48c76296c8ab490e6408b1d0726.exe	70
PID 716 wrote to memory of 2648	716	ea44d48c76296c8ab490e6408b1d0726.exe	71
PID 716 wrote to memory of 2648	716	ea44d48c76296c8ab490e6408b1d0726.exe	71
PID 716 wrote to memory of 2648	716	ea44d48c76296c8ab490e6408b1d0726.exe	71
PID 716 wrote to memory of 1944	716	ea44d48c76296c8ab490e6408b1d0726.exe	72
PID 716 wrote to memory of 1944	716	ea44d48c76296c8ab490e6408b1d0726.exe	72
PID 716 wrote to memory of 1944	716	ea44d48c76296c8ab490e6408b1d0726.exe	72
PID 2648 wrote to memory of 2528	2648	wotsuper1.exe	77
PID 2648 wrote to memory of 2528	2648	wotsuper1.exe	77
PID 2648 wrote to memory of 2528	2648	wotsuper1.exe	77
PID 2528 wrote to memory of 4836	2528	cmd.exe	79
PID 2528 wrote to memory of 4836	2528	cmd.exe	79
PID 2528 wrote to memory of 4836	2528	cmd.exe	79

Loads dropped DLL 2 IoCs

pid	Process
2648	wotsuper1.exe
2648	wotsuper1.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\wotsuper.reg	ea44d48c76296c8ab490e6408b1d0726.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe

Runs .reg file with regedit 1 IoCs

pid	Process
1944	regedit.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	3932	MicrosoftEdge.exe
Token: SeDebugPrivilege	3932	MicrosoftEdge.exe
Token: SeDebugPrivilege	3932	MicrosoftEdge.exe
Token: SeDebugPrivilege	3932	MicrosoftEdge.exe
Token: SeDebugPrivilege	2216	WerFault.exe
Token: SeDebugPrivilege	4836	taskkill.exe
Token: SeRestorePrivilege	4352	WerFault.exe
Token: SeBackupPrivilege	4352	WerFault.exe
Token: SeDebugPrivilege	4352	WerFault.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
2216	WerFault.exe
2216	WerFault.exe
2216	WerFault.exe
2216	WerFault.exe
2216	WerFault.exe
2216	WerFault.exe
2216	WerFault.exe
2216	WerFault.exe
2216	WerFault.exe
2216	WerFault.exe
2216	WerFault.exe
2216	WerFault.exe
2216	WerFault.exe
2216	WerFault.exe
2216	WerFault.exe
2216	WerFault.exe
2216	WerFault.exe
2648	wotsuper1.exe
2648	wotsuper1.exe
2648	wotsuper1.exe
2648	wotsuper1.exe
2648	wotsuper1.exe
2648	wotsuper1.exe
2648	wotsuper1.exe
2648	wotsuper1.exe
4352	WerFault.exe
4352	WerFault.exe
4352	WerFault.exe
4352	WerFault.exe
4352	WerFault.exe
4352	WerFault.exe
4352	WerFault.exe
4352	WerFault.exe
4352	WerFault.exe
4352	WerFault.exe
4352	WerFault.exe
4352	WerFault.exe
4352	WerFault.exe
4352	WerFault.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Modifies control panel 1 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Control Panel\Colors	MicrosoftEdge.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
4836	taskkill.exe

Checks whether UAC is enabled 1 IoCs

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MicrosoftEdge.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2216	3932	WerFault.exe	68
4352	2844	WerFault.exe	70

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2216 created 3932	2216	WerFault.exe	68

Checks for installed software on the system 1 TTPs 30 IoCs

discovery

Query Registry

T1012

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860\DisplayName	wotsuper1.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743\DisplayName	wotsuper1.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName	wotsuper1.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager\DisplayName	wotsuper1.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	wotsuper1.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757\DisplayName	wotsuper1.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX\DisplayName	wotsuper1.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack\DisplayName	wotsuper1.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC\DisplayName	wotsuper1.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655\DisplayName	wotsuper1.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573\DisplayName	wotsuper1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\wotsuper 2.1\DisplayName = "wotsuper 2.1"	ea44d48c76296c8ab490e6408b1d0726.exe
Key enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall	wotsuper1.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore\DisplayName	wotsuper1.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data\DisplayName	wotsuper1.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent\DisplayName	wotsuper1.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall	wotsuper1.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook\DisplayName	wotsuper1.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime\DisplayName	wotsuper1.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\DisplayName	wotsuper1.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData\DisplayName	wotsuper1.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173\DisplayName	wotsuper1.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\DisplayName	wotsuper1.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx\DisplayName	wotsuper1.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40\DisplayName	wotsuper1.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\wotsuper 2.1\DisplayName	wotsuper1.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\DisplayName	wotsuper1.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2\DisplayName	wotsuper1.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063\DisplayName	wotsuper1.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\DisplayName	wotsuper1.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe

Modifies registry class 113 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Toolbar	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 01000000dabd22fc344dba7fa0ca18e557cd3d48ba52fdf98b1e635429a7b4b20549e7d999aef9bd2b9ad0655f8487113ac176037516376ab5f3a3f2c7c63095de098e62dd0c446063a0dd60f512d5a7e136cd19e356bb516852909d894b12c4d99bc63ab0f762c3a8fed61fbd958fb4cfcc1b135634a907c1d9068880552a0b439eeed8fa8f57f7d556480c442e38dbf723cba6dece37e5292ab827210488798cb16fb803f5da97f347b040f7fb6ae829dcb96455461e49d4e3c03523787369d77628443d4736f38871160fe31dec4d2195d96fafbaf467bfa50f3bf5d00fd00a8c73e123a67602cf748f175eb5aed12aef8c4a374cb0e9611174b0a02e93e7e392a2fd1a32ea3275f081ef64e12420e38a3eaf8e1aaf5ef3c598ab47b1941efc2aa4320c0bf9fe3485de54cbc2b675dc06797beb46c37c4263ca1f5179766150f3b1781551ba5378d3aaf98778fb4886033aa96def6431cd89cca98aa5eca8a88ce268142405ce627ac2d771244d487422585df334877f64d94ef0b25772e4f197558e49a4f0bf601ae715e7e4f6a84a01aafc1c37203667f1c391eec450624afc098536b7b622ce36	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\Extension = "{1E50B487-8B3F-4D35-A1C0-19F445913D4F}"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionLow = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\New Windows	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry\DOMStorage	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\AllComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\Extension	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url4 = "https://login.live.com/"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url5 = "https://twitter.com/"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\AllComplete = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{AEBA21FA-782A-4A90-978D-B7216 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url1 = "https://www.facebook.com/"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Roaming	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode\FontSize = "3"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Revision = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Roaming\ChangeUnitGenerationNeeded = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PageSetup	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\Extension = "5"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\EnableNegotiate = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\New Windows\AllowInPrivate	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\DatastoreSchemaVersion = "8"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\InternetRegistry	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VendorId = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\MigrationTime = 8a978de4d243d601	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\FirstRecoveryTime = 8a978de4d243d601	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionHigh = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 01000000f6ace36be0ef4e3d1893940f6365dd019ebaa5f9f4569448e5ad61921325de447f4baba24b34ac7af065e0ea6a0d2d0ccd63a401a97b35c45fdf01445eb1e21f72474624b3614313be7d62d181bf1964de37da5eaf1bde694781	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode\SettingsVersion = "2"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-SubSysId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-Revision = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry\DontShowMeThisDialogAgain	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\Extensions	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DXFeatureLevel = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IETld\LowMic	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DeviceId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main\OperationalData = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionHigh = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IntelliForms	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\IsSignedIn = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 01000000ce679114581f6f99a0e437169bd06744f6582938ecdb205efdfef533cb91f3b857e5733dc3c6b7c08e8e0de313a33fd0b4f6c7159e07432c7753	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url2 = "https://login.aliexpress.com/"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\Favorites\Order = 0c0000000a000000000000000c0000000100000000000000	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Toolbar\WebBrowser	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\SyncIEFirstTimeFullScan = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\Favorites	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\DetectPhoneNumberComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\ManagerHistoryComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DXFeatureLevel = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\FlipAheadCompletedVersion = "1"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url3 = "https://signin.ebay.com/ws/ebayisapi.dll"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{A8A88C49-5EB2-4990-A1A2-08760 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DeviceId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{83AC348C-0AA9-49D0-B1A7-A35C81A9729C} = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\MigrationTime = 8a978de4d243d601	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration\MigrationTime = 8a978de4d243d601	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\LowMic	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\DatabaseComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Zoom	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VendorId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\TypedUrlsComplete = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\SmartScreenCompletedVersi = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration\AllComplete = "1"	MicrosoftEdge.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe	ea44d48c76296c8ab490e6408b1d0726.exe
File opened for modification	C:\Program Files (x86)\wotsuper\wotsuper\wotsuper1.exe	ea44d48c76296c8ab490e6408b1d0726.exe
File opened for modification	C:\Program Files (x86)\wotsuper\wotsuper\Uninstall.exe	ea44d48c76296c8ab490e6408b1d0726.exe
File created	C:\Program Files (x86)\wotsuper\wotsuper\Uninstall.ini	ea44d48c76296c8ab490e6408b1d0726.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3932	MicrosoftEdge.exe

Executes dropped EXE 2 IoCs

pid	Process
2844	wotsuper.exe
2648	wotsuper1.exe

C:\Users\Admin\AppData\Local\Temp\ea44d48c76296c8ab490e6408b1d0726.exe
"C:\Users\Admin\AppData\Local\Temp\ea44d48c76296c8ab490e6408b1d0726.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Drops file in Windows directory
- Checks for installed software on the system
- Drops file in Program Files directory
PID:716
- C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe
  "C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe"
  2⤵
  - Executes dropped EXE
  PID:2844
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 1348
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
    - Program crash
    PID:4352
- C:\Program Files (x86)\wotsuper\wotsuper\wotsuper1.exe
  "C:\Program Files (x86)\wotsuper\wotsuper\wotsuper1.exe"
  2⤵
  - Checks processor information in registry
  - Suspicious use of WriteProcessMemory
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Checks for installed software on the system
  - Executes dropped EXE
  PID:2648
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /im wotsuper1.exe /f & erase C:\Program Files (x86)\wotsuper\wotsuper\wotsuper1.exe & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2528
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /im wotsuper1.exe /f
      4⤵
      Suspicious use of AdjustPrivilegeToken
      Kills process with taskkill
      PID:4836
- C:\Windows\SysWOW64\regedit.exe
  "C:\Windows\System32\regedit.exe" \s C:\Windows\wotsuper.reg
  2⤵
  - Runs .reg file with regedit
  PID:1944

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Modifies control panel
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3932
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3932 -s 3452
  2⤵
  - Enumerates system info in registry
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  - Program crash
  - Suspicious use of NtCreateProcessExOtherParentProcess
  PID:2216

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:2008

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2216-83-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-105-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-13-0x00000228362A0000-0x00000228362A1000-memory.dmp

Filesize
4KB

Download
memory/2216-16-0x00000228366A0000-0x00000228366A1000-memory.dmp

Filesize
4KB

Download
memory/2216-18-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-19-0x0000022836430000-0x0000022836431000-memory.dmp

Filesize
4KB

Download
memory/2216-20-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-21-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-22-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-23-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-24-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-25-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-26-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-27-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-28-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-29-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-30-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-31-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-32-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-33-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-34-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-35-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-36-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-37-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-38-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-39-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-40-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-41-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-42-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-43-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-44-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-45-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-46-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-47-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-48-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-88-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-50-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-51-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-52-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-53-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-54-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-55-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-56-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-57-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-58-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-59-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-60-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-61-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-62-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-63-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-64-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-65-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-66-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-67-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-68-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-69-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-70-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-71-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-72-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-73-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-74-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-75-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-76-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-77-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-78-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-79-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-80-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-81-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-82-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-381-0x0000022833AD0000-0x0000022833AD1000-memory.dmp

Filesize
4KB

Download
memory/2216-84-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-85-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-97-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-10-0x0000022835430000-0x0000022835431000-memory.dmp

Filesize
4KB

Download
memory/2216-49-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-89-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-90-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-91-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-92-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-93-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-94-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-95-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-96-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-86-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-98-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-99-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-100-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-101-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-102-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-103-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-104-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-87-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-106-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-107-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-108-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-109-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-110-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-111-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-112-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-113-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-114-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-115-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-116-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-117-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-118-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-119-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-120-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-121-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-122-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-123-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-124-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-125-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-126-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-127-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-128-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-129-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-130-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-131-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-132-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-133-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-134-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-135-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-136-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-137-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-138-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-139-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-140-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-141-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-142-0x0000022833AB0000-0x0000022833AB1000-memory.dmp

Filesize
4KB

Download
memory/2216-144-0x00000228361E0000-0x00000228361E1000-memory.dmp

Filesize
4KB

Download
memory/2216-11-0x0000022835430000-0x0000022835431000-memory.dmp

Filesize
4KB

Download
memory/2844-9-0x0000000000900000-0x000000000091E000-memory.dmp

Filesize
120KB

Download
memory/2844-7-0x0000000000490000-0x00000000004B0000-memory.dmp

Filesize
128KB

Download
memory/4352-384-0x0000000005020000-0x0000000005021000-memory.dmp

Filesize
4KB

Download
memory/4352-394-0x0000000005850000-0x0000000005851000-memory.dmp

Filesize
4KB

Download