hxxps://download[.]teamviewer[.]com/download/TeamViewer_Setup_x64[.]exe?utm_source=google&utm_medium=cpc&utm_campaign=gb%7Cb%7Cpr%7C22%7Cjul%7Ctv-core-download-sn%7Cnew%7Ct0%7C0&utm_content=Download&utm_term=teamviewer+download

Analysis

max time kernel
1756s
max time network
1505s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
02/08/2023, 14:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://download.teamviewer.com/download/TeamViewer_Setup_x64.exe?utm_source=google&utm_medium=cpc&utm_campaign=gb%7Cb%7Cpr%7C22%7Cjul%7Ctv-core-download-sn%7Cnew%7Ct0%7C0&utm_content=Download&utm_term=teamviewer+download

Score

8^/10

adware persistence spyware stealer upx

Malware Config

Signatures

Downloads MZ/PE file

Modifies Installed Components in the registry 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\ = "Microsoft Edge"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\StubPath = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\115.0.1901.188\\Installer\\setup.exe\" --configure-user-settings --verbose-logging --system-level --msedge --channel=stable"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\Localized Name = "Microsoft Edge"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\IsInstalled = "1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\Version = "43,0,0,0"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components	setup.exe

Sets file execution options in registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe\DisableExceptionChainValidation = "0"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe\DisableExceptionChainValidation = "0"	MicrosoftEdgeUpdate.exe

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0006000000023254-651.dat	acprotect
behavioral1/files/0x0006000000023254-2248.dat	acprotect

Executes dropped EXE 52 IoCs

pid	Process
4396	TeamViewer_Setup_x64.exe
2308	TeamViewer_.exe
5932	TeamViewer_Service.exe
5700	tv_x64.exe
5744	tv_x64.exe
6104	MicrosoftEdgeWebview2Setup.exe
4032	MicrosoftEdgeUpdate.exe
2172	MicrosoftEdgeUpdate.exe
4572	MicrosoftEdgeUpdate.exe
2276	MicrosoftEdgeUpdateComRegisterShell64.exe
884	MicrosoftEdgeUpdateComRegisterShell64.exe
3200	MicrosoftEdgeUpdateComRegisterShell64.exe
5560	MicrosoftEdgeUpdate.exe
5612	MicrosoftEdgeUpdate.exe
5640	MicrosoftEdgeUpdate.exe
5688	MicrosoftEdgeUpdate.exe
4748	MicrosoftEdge_X64_115.0.1901.188.exe
1680	setup.exe
1464	MicrosoftEdgeUpdate.exe
3392	TeamViewer_Service.exe
3784	TeamViewer.exe
3184	tv_w32.exe
5392	tv_x64.exe
2000	msedgewebview2.exe
4816	msedgewebview2.exe
3508	msedgewebview2.exe
5704	msedgewebview2.exe
3712	msedgewebview2.exe
5912	msedgewebview2.exe
5588	TeamViewer.exe
5672	tv_w32.exe
5324	tv_x64.exe
3132	TeamViewer.exe
908	tv_w32.exe
720	tv_x64.exe
5428	MicrosoftEdgeUpdate.exe
816	MicrosoftEdgeUpdate.exe
6096	MicrosoftEdgeUpdateSetup_X86_1.3.177.11.exe
2748	MicrosoftEdgeUpdate.exe
4452	MicrosoftEdgeUpdate.exe
5880	MicrosoftEdgeUpdate.exe
3664	MicrosoftEdgeUpdate.exe
3704	MicrosoftEdgeUpdateComRegisterShell64.exe
3604	MicrosoftEdgeUpdateComRegisterShell64.exe
1272	MicrosoftEdgeUpdateComRegisterShell64.exe
1992	MicrosoftEdgeUpdate.exe
2524	MicrosoftEdgeUpdate.exe
3076	MicrosoftEdgeUpdate.exe
4560	MicrosoftEdge_X64_115.0.1901.188.exe
3472	setup.exe
2796	setup.exe
4424	MicrosoftEdgeUpdate.exe

Loads dropped DLL 64 IoCs

pid	Process
4396	TeamViewer_Setup_x64.exe
4396	TeamViewer_Setup_x64.exe
4396	TeamViewer_Setup_x64.exe
4396	TeamViewer_Setup_x64.exe
4396	TeamViewer_Setup_x64.exe
2308	TeamViewer_.exe
2308	TeamViewer_.exe
2308	TeamViewer_.exe
2308	TeamViewer_.exe
2308	TeamViewer_.exe
2308	TeamViewer_.exe
2308	TeamViewer_.exe
2308	TeamViewer_.exe
2308	TeamViewer_.exe
2308	TeamViewer_.exe
2308	TeamViewer_.exe
2308	TeamViewer_.exe
2308	TeamViewer_.exe
2308	TeamViewer_.exe
2308	TeamViewer_.exe
2308	TeamViewer_.exe
2308	TeamViewer_.exe
2308	TeamViewer_.exe
2308	TeamViewer_.exe
2308	TeamViewer_.exe
2308	TeamViewer_.exe
2308	TeamViewer_.exe
2308	TeamViewer_.exe
2308	TeamViewer_.exe
2308	TeamViewer_.exe
2308	TeamViewer_.exe
2308	TeamViewer_.exe
2308	TeamViewer_.exe
2308	TeamViewer_.exe
2308	TeamViewer_.exe
2308	TeamViewer_.exe
2308	TeamViewer_.exe
2308	TeamViewer_.exe
2308	TeamViewer_.exe
2308	TeamViewer_.exe
2308	TeamViewer_.exe
2308	TeamViewer_.exe
2308	TeamViewer_.exe
2308	TeamViewer_.exe
2308	TeamViewer_.exe
2308	TeamViewer_.exe
2308	TeamViewer_.exe
2308	TeamViewer_.exe
2308	TeamViewer_.exe
2308	TeamViewer_.exe
2308	TeamViewer_.exe
2308	TeamViewer_.exe
2308	TeamViewer_.exe
2308	TeamViewer_.exe
2308	TeamViewer_.exe
2308	TeamViewer_.exe
2308	TeamViewer_.exe
2308	TeamViewer_.exe
2308	TeamViewer_.exe
2308	TeamViewer_.exe
2308	TeamViewer_.exe
2308	TeamViewer_.exe
2308	TeamViewer_.exe
2308	TeamViewer_.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Registers COM server for autorun 1 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\INPROCSERVER32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\115.0.1901.188\\BHO\\ie_to_edge_bho_64.dll"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BE43CF28-943E-4BA2-9B74-00CC57E7B1FC}\InProcServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\INPROCSERVER32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F795C339-932E-4B24-85B3-C7865BE4C1B9}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.177.11\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5B44BE66-4A80-4C24-9857-9840D975FA06}\LocalServer32\ = "C:\\Program Files\\TeamViewer\\TeamViewer.exe ToastActivated"	TeamViewer_.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.177.11\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.177.11\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5}\LocalServer32\ = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\115.0.1901.188\\notification_helper.exe\""	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\InProcServer32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5B44BE66-4A80-4C24-9857-9840D975FA06}\LocalServer32	TeamViewer_.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BE43CF28-943E-4BA2-9B74-00CC57E7B1FC}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.173.45\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.173.45\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F795C339-932E-4B24-85B3-C7865BE4C1B9}\InProcServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\InProcServer32\ThreadingModel = "Apartment"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.177.11\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F795C339-932E-4B24-85B3-C7865BE4C1B9}\InProcServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\115.0.1901.188\\PdfPreview\\PdfPreviewHandler.dll"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BE43CF28-943E-4BA2-9B74-00CC57E7B1FC}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.173.45\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.173.45\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BE43CF28-943E-4BA2-9B74-00CC57E7B1FC}\InProcServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.173.45\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F795C339-932E-4B24-85B3-C7865BE4C1B9}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.177.11\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5}\LocalServer32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BE43CF28-943E-4BA2-9B74-00CC57E7B1FC}\InProcServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\InprocServer32\ThreadingModel = "Apartment"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BE43CF28-943E-4BA2-9B74-00CC57E7B1FC}\InProcServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F795C339-932E-4B24-85B3-C7865BE4C1B9}\InProcServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.177.11\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5}\LocalServer32\ServerExecutable = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\115.0.1901.188\\notification_helper.exe"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\INPROCSERVER32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.173.45\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.173.45\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\InprocServer32\	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{4A749F25-A9E2-4CBE-9859-CF7B15255E14}\LocalServer32	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5}\LocalServer32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4A749F25-A9E2-4CBE-9859-CF7B15255E14}\LocalServer32\ServerExecutable = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\115.0.1901.188\\notification_click_helper.exe"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.173.45\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BE43CF28-943E-4BA2-9B74-00CC57E7B1FC}\InProcServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2308-664-0x00000000734A0000-0x00000000734AA000-memory.dmp	upx
behavioral1/files/0x0006000000023254-651.dat	upx
behavioral1/memory/2308-737-0x00000000734A0000-0x00000000734AA000-memory.dmp	upx
behavioral1/memory/2308-1222-0x00000000734A0000-0x00000000734AA000-memory.dmp	upx
behavioral1/files/0x0006000000023254-2248.dat	upx

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\NoExplorer = "1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\NoExplorer = "1"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO"	setup.exe

Drops file in System32 directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\tvvirtualmonitordriver.inf_amd64_0cd231c957fb8d4b\TVVirtualMonitorDriver.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{33d4871a-caef-7b4a-837e-e533e9d4a9fe}\SETBB68.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{33d4871a-caef-7b4a-837e-e533e9d4a9fe}\SETBB88.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{33d4871a-caef-7b4a-837e-e533e9d4a9fe}\TVVirtualMonitorDriver.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\tvvirtualmonitordriver.inf_amd64_0cd231c957fb8d4b\TVVirtualMonitorDriver.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{33d4871a-caef-7b4a-837e-e533e9d4a9fe}\SETBB67.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{33d4871a-caef-7b4a-837e-e533e9d4a9fe}\TVVirtualMonitorDriver.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{33d4871a-caef-7b4a-837e-e533e9d4a9fe}\SETBB67.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\tvvirtualmonitordriver.inf_amd64_0cd231c957fb8d4b\TVVirtualMonitorDriver.dll	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{33d4871a-caef-7b4a-837e-e533e9d4a9fe}\SETBB88.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{33d4871a-caef-7b4a-837e-e533e9d4a9fe}	DrvInst.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Microsoft Edge.lnk	setup.exe
File created	C:\Windows\System32\DriverStore\Temp\{33d4871a-caef-7b4a-837e-e533e9d4a9fe}\SETBB68.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{33d4871a-caef-7b4a-837e-e533e9d4a9fe}\TVVirtualMonitorDriver.dll	DrvInst.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Temp\EUC588.tmp\msedgeupdateres_lb.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\115.0.1901.188\Locales\zh-CN.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\115.0.1901.188\resources.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\115.0.1901.188\Locales\pl.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\115.0.1901.188\Locales\fa.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUA32E.tmp\MicrosoftEdgeUpdateOnDemand.exe	MicrosoftEdgeUpdateSetup_X86_1.3.177.11.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\115.0.1901.188\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUC588.tmp\msedgeupdateres_ga.dll	MicrosoftEdgeWebview2Setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\115.0.1901.188\Locales\nb.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\115.0.1901.188\Locales\pt-PT.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\115.0.1901.188\identity_proxy\canary.identity_helper.exe.manifest	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\115.0.1901.188\Locales\ro.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\115.0.1901.188\Trust Protection Lists\Sigma\Content	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUC588.tmp\msedgeupdateres_gd.dll	MicrosoftEdgeWebview2Setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\115.0.1901.188\MEIPreload\preloaded_data.pb	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\115.0.1901.188\Locales\sq.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\115.0.1901.188\MEIPreload\preloaded_data.pb	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUC588.tmp\psuser_arm64.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\115.0.1901.188\Trust Protection Lists\Mu\Fingerprinting	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUA32E.tmp\msedgeupdateres_et.dll	MicrosoftEdgeUpdateSetup_X86_1.3.177.11.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\115.0.1901.188\delegatedWebFeatures.sccd	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUA32E.tmp\msedgeupdateres_zh-CN.dll	MicrosoftEdgeUpdateSetup_X86_1.3.177.11.exe
File created	C:\Program Files\TeamViewer\TVExtractTemp\tvfilesx64.7z	TeamViewer_.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUC588.tmp\msedgeupdateres_da.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUC588.tmp\msedgeupdateres_mt.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\115.0.1901.188\Locales\af.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\115.0.1901.188\msedge.exe.sig	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\115.0.1901.188\Locales\sr-Latn-RS.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\115.0.1901.188\Trust Protection Lists\Sigma\Cryptomining	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\115.0.1901.188\Trust Protection Lists\Mu\Cryptomining	setup.exe
File created	C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_sr.dll	TeamViewer_.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\115.0.1901.188\Locales\ja.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\115.0.1901.188\Locales\mr.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\115.0.1901.188\identity_proxy\internal.identity_helper.exe.manifest	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\115.0.1901.188\identity_proxy\resources.pri	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\115.0.1901.188\identity_proxy\win11\identity_helper.Sparse.Dev.msix	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\115.0.1901.188\Locales\sr-Cyrl-BA.pak	setup.exe
File opened for modification	C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_sv.dll	TeamViewer_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\115.0.1901.188\Locales\fil.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\115.0.1901.188\Locales\ur.pak	setup.exe
File opened for modification	C:\Program Files\TeamViewer\TVExtractTemp\Printer\TeamViewer_XPSDriverFilter-PipelineConfig.xml	TeamViewer_.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUC588.tmp\msedgeupdateres_vi.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\115.0.1901.188\show_third_party_software_licenses.bat	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\115.0.1901.188\VisualElements\SmallLogoDev.png	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\115.0.1901.188\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\115.0.1901.188\Trust Protection Lists\Sigma\Cryptomining	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\115.0.1901.188\Locales\it.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\115.0.1901.188\Locales\bn-IN.pak	setup.exe
File created	C:\Program Files\TeamViewer\TVExtractTemp\outlook\TeamViewerMeetingAddinShim64.dll	TeamViewer_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\115.0.1901.188\v8_context_snapshot.bin	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\115.0.1901.188\Locales\cy.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate\Download\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\115.0.1901.188\MicrosoftEdge_X64_115.0.1901.188.exe	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\115.0.1901.188\show_third_party_software_licenses.bat	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\115.0.1901.188\Trust Protection Lists\Mu\LICENSE	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\115.0.1901.188\Locales\km.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\115.0.1901.188\Locales\en-US.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUC588.tmp\msedgeupdateres_fr-CA.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\115.0.1901.188\edge_feedback\mf_trace.wprp	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\115.0.1901.188\Trust Protection Lists\Sigma\Content	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\115.0.1901.188\Locales\is.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUC588.tmp\msedgeupdateres_am.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUA32E.tmp\msedgeupdateres_en.dll	MicrosoftEdgeUpdateSetup_X86_1.3.177.11.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUA32E.tmp\msedgeupdateres_it.dll	MicrosoftEdgeUpdateSetup_X86_1.3.177.11.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUA32E.tmp\msedgeupdateres_kn.dll	MicrosoftEdgeUpdateSetup_X86_1.3.177.11.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.dev.log	tv_x64.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	tv_x64.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\inf\oem3.inf	DrvInst.exe
File created	C:\Windows\inf\oem3.inf	DrvInst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 6 IoCs

installer

resource	yara_rule
behavioral1/files/0x0008000000023171-196.dat	nsis_installer_1
behavioral1/files/0x0008000000023171-196.dat	nsis_installer_2
behavioral1/files/0x0008000000023171-290.dat	nsis_installer_1
behavioral1/files/0x0008000000023171-290.dat	nsis_installer_2
behavioral1/files/0x0008000000023171-291.dat	nsis_installer_1
behavioral1/files/0x0008000000023171-291.dat	nsis_installer_2

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3224	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 30 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\	TeamViewer.exe
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_NINPUT_LEGACYMODE\	TeamViewer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppName = "ie_to_edge_stub.exe"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppPath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\115.0.1901.188\\BHO"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppPath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\115.0.1901.188\\BHO"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EdgeIntegration\AdapterLocations	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\	TeamViewer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\ = "IEToEdge Handler"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_NINPUT_LEGACYMODE\	TeamViewer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppName = "ie_to_edge_stub.exe"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ProtocolExecute	setup.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute	setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\TeamViewer.exe = "11001"	TeamViewer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_NINPUT_LEGACYMODE\TeamViewer.exe = "0"	TeamViewer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\Policy = "3"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\EdgeIntegration\AdapterLocations\C:\Program Files (x86)\Microsoft\Edge\Application = "1"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main\EnterpriseMode	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EdgeIntegration	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\EnterpriseMode\MSEdgePath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\ = "IEToEdge Handler"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\Policy = "3"	setup.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	tv_w32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	tv_x64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	tv_x64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	tv_w32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	tv_x64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	tv_w32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	tv_w32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	TeamViewer_Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	TeamViewer_Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	tv_w32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	tv_x64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	tv_x64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	tv_x64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	tv_x64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	TeamViewer_Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	tv_x64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	TeamViewer_Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	tv_w32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	tv_w32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	tv_x64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	tv_x64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	tv_w32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	tv_w32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	TeamViewer_Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	tv_w32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	tv_w32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	TeamViewer_Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	tv_w32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	tv_w32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	tv_x64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	TeamViewer_Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	tv_w32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	tv_w32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	tv_w32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	tv_w32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	tv_w32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	TeamViewer_Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	tv_x64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	tv_x64.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{B5977F34-9264-4AC3-9B31-1224827FF6E8}\PROGID	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCE48F77-C677-4012-8A1A-54D2E2BC07BD}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9AA3288-4EA7-4E67-AE60-D18EADCB923D}\ = "IJobObserver2"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{60355531-5BFD-45AB-942C-7912628752C7}\NumMethods\ = "24"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\teamviewerapi\shell\open	TeamViewer_.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{837E40DA-EB1B-440C-8623-0F14DF158DC0}\NumMethods\ = "24"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{99F8E195-1042-4F89-A28C-89CDB74A14AE}\ProxyStubClsid32\ = "{BE43CF28-943E-4BA2-9B74-00CC57E7B1FC}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.PolicyStatusMachine\ = "Microsoft Edge Update Broker Class Factory"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A5135E58-384F-4244-9A5F-30FA9259413C}\ = "IProcessLauncher"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E4518371-7326-4865-87F8-D9D3F3B287A3}\NumMethods\ = "4"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7E29BE61-5809-443F-9B5D-CF22156694EB}\ProxyStubClsid32\ = "{BE43CF28-943E-4BA2-9B74-00CC57E7B1FC}"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D9AA3288-4EA7-4E67-AE60-D18EADCB923D}\ = "IJobObserver2"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.PolicyStatusSvc\CLSID\ = "{9F3F5F5D-721A-4B19-9B5D-69F664C1A591}"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8EDF453E-CD8F-4C56-BBA1-AA63266058E5}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{79E0C401-B7BC-4DE5-8104-71350F3A9B67}\NumMethods\ = "5"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TeamViewerSession\shell\open	TeamViewer_.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{79E0C401-B7BC-4DE5-8104-71350F3A9B67}	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DDD4B5D4-FD54-497C-8789-0830F29A60EE}\ProxyStubClsid32	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{79E0C401-B7BC-4DE5-8104-71350F3A9B67}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{450CF5FF-95C4-4679-BECA-22680389ECB9}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.PolicyStatusMachine.1.0\CLSID\ = "{B5977F34-9264-4AC3-9B31-1224827FF6E8}"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9AA3288-4EA7-4E67-AE60-D18EADCB923D}\NumMethods\ = "4"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FF419FF9-90BE-4D9F-B410-A789F90E5A7C}\LocalServer32\ = "\"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.177.11\\MicrosoftEdgeUpdateOnDemand.exe\""	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\teamviewer10\shell	TeamViewer_.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4EE1FC-0A81-4F56-B0E2-248FB78051AF}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCE48F77-C677-4012-8A1A-54D2E2BC07BD}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F7B3738C-9BCA-4B14-90B7-89D0F3A3E497}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.173.45\\psmachine.dll"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7B3B7A69-7D88-4847-A6BC-90E246A41F69}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{837E40DA-EB1B-440C-8623-0F14DF158DC0}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E4518371-7326-4865-87F8-D9D3F3B287A3}\NumMethods\ = "4"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9AA3288-4EA7-4E67-AE60-D18EADCB923D}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2EC826CB-5478-4533-9015-7580B3B5E03A}\ProxyStubClsid32\ = "{BE43CF28-943E-4BA2-9B74-00CC57E7B1FC}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.ProcessLauncher\ = "Microsoft Edge Update Process Launcher Class"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7584D24A-E056-4EB1-8E7B-632F2B0ADC69}\NumMethods\ = "12"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C853632E-36CA-4999-B992-EC0D408CF5AB}\NumMethods	MicrosoftEdgeUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{CECDDD22-2E72-4832-9606-A9B0E5E344B2}\PROGID	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5F9C80B5-9E50-43C9-887C-7C6412E110DF}\NumMethods\ = "11"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3E102DC6-1EDB-46A1-8488-61F71B35ED5F}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DDD4B5D4-FD54-497C-8789-0830F29A60EE}\ProxyStubClsid32\ = "{F795C339-932E-4B24-85B3-C7865BE4C1B9}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2EC826CB-5478-4533-9015-7580B3B5E03A}\NumMethods\ = "11"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1E8B1A6-32CE-443C-8E2E-EBA90C481353}\Elevation	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{837E40DA-EB1B-440C-8623-0F14DF158DC0}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7E29BE61-5809-443F-9B5D-CF22156694EB}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Implemented Categories\	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A6B716CB-028B-404D-B72C-50E153DD68DA}	MicrosoftEdgeUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\INPROCSERVER32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AB4EE1FC-0A81-4F56-B0E2-248FB78051AF}\ = "IPolicyStatus2"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.173.45\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FF419FF9-90BE-4D9F-B410-A789F90E5A7C}\Elevation	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9A6B447A-35E2-4F6B-A87B-5DEEBBFDAD17}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7E29BE61-5809-443F-9B5D-CF22156694EB}\NumMethods	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DDD4B5D4-FD54-497C-8789-0830F29A60EE}\ProxyStubClsid32	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5}\AppId = "{628ACE20-B77A-456F-A88D-547DB6CEEDD5}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5F6A18BB-6231-424B-8242-19E5BB94F8ED}\VersionIndependentProgID	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CECDDD22-2E72-4832-9606-A9B0E5E344B2}\VersionIndependentProgID\ = "MicrosoftEdgeUpdate.Update3COMClassService"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FCE48F77-C677-4012-8A1A-54D2E2BC07BD}\ProxyStubClsid32\ = "{F795C339-932E-4B24-85B3-C7865BE4C1B9}"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{177CAE89-4AD6-42F4-A458-00EC3389E3FE}\ProxyStubClsid32\ = "{F795C339-932E-4B24-85B3-C7865BE4C1B9}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A6556DFF-AB15-4DC3-A890-AB54120BEAEC}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8EDF453E-CD8F-4C56-BBA1-AA63266058E5}\InprocHandler32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FEA2518F-758F-4B95-A59F-97FCEEF1F5D0}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E55B90F1-DA33-400B-B09E-3AFF7D46BD83}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{450CF5FF-95C4-4679-BECA-22680389ECB9}\ProxyStubClsid32\ = "{F795C339-932E-4B24-85B3-C7865BE4C1B9}"	MicrosoftEdgeUpdateComRegisterShell64.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	TeamViewer_Service.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	TeamViewer_Service.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	TeamViewer_Service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	TeamViewer_Service.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	TeamViewer_Service.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	TeamViewer_Service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	TeamViewer_Service.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	TeamViewer_Service.exe

Suspicious behavior: AddClipboardFormatListener 4 IoCs

pid	Process
6008	POWERPNT.EXE
6100	POWERPNT.EXE
5516	WINWORD.EXE
5516	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
264	chrome.exe
264	chrome.exe
2308	TeamViewer_.exe
2308	TeamViewer_.exe
2308	TeamViewer_.exe
2308	TeamViewer_.exe
2308	TeamViewer_.exe
2308	TeamViewer_.exe
2308	TeamViewer_.exe
2308	TeamViewer_.exe
4032	MicrosoftEdgeUpdate.exe
4032	MicrosoftEdgeUpdate.exe
1468	msedge.exe
1468	msedge.exe
3748	msedge.exe
3748	msedge.exe
2136	identity_helper.exe
2136	identity_helper.exe
4032	MicrosoftEdgeUpdate.exe
4032	MicrosoftEdgeUpdate.exe
4032	MicrosoftEdgeUpdate.exe
4032	MicrosoftEdgeUpdate.exe
5428	MicrosoftEdgeUpdate.exe
5428	MicrosoftEdgeUpdate.exe
5428	MicrosoftEdgeUpdate.exe
5428	MicrosoftEdgeUpdate.exe
816	MicrosoftEdgeUpdate.exe
816	MicrosoftEdgeUpdate.exe
4452	MicrosoftEdgeUpdate.exe
4452	MicrosoftEdgeUpdate.exe
2524	MicrosoftEdgeUpdate.exe
2524	MicrosoftEdgeUpdate.exe
2524	MicrosoftEdgeUpdate.exe
2524	MicrosoftEdgeUpdate.exe
3076	MicrosoftEdgeUpdate.exe
3076	MicrosoftEdgeUpdate.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
6100	POWERPNT.EXE

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

pid	Process
264	chrome.exe
264	chrome.exe
3748	msedge.exe
3748	msedge.exe
3748	msedge.exe
3748	msedge.exe
3748	msedge.exe
3748	msedge.exe
3748	msedge.exe
2000	msedgewebview2.exe
3748	msedge.exe
3748	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	264	chrome.exe
Token: SeCreatePagefilePrivilege	264	chrome.exe
Token: SeShutdownPrivilege	264	chrome.exe
Token: SeCreatePagefilePrivilege	264	chrome.exe
Token: SeShutdownPrivilege	264	chrome.exe
Token: SeCreatePagefilePrivilege	264	chrome.exe
Token: SeShutdownPrivilege	264	chrome.exe
Token: SeCreatePagefilePrivilege	264	chrome.exe
Token: SeShutdownPrivilege	264	chrome.exe
Token: SeCreatePagefilePrivilege	264	chrome.exe
Token: SeShutdownPrivilege	264	chrome.exe
Token: SeCreatePagefilePrivilege	264	chrome.exe
Token: SeShutdownPrivilege	264	chrome.exe
Token: SeCreatePagefilePrivilege	264	chrome.exe
Token: SeShutdownPrivilege	264	chrome.exe
Token: SeCreatePagefilePrivilege	264	chrome.exe
Token: SeShutdownPrivilege	264	chrome.exe
Token: SeCreatePagefilePrivilege	264	chrome.exe
Token: SeShutdownPrivilege	264	chrome.exe
Token: SeCreatePagefilePrivilege	264	chrome.exe
Token: SeShutdownPrivilege	264	chrome.exe
Token: SeCreatePagefilePrivilege	264	chrome.exe
Token: SeShutdownPrivilege	264	chrome.exe
Token: SeCreatePagefilePrivilege	264	chrome.exe
Token: SeShutdownPrivilege	264	chrome.exe
Token: SeCreatePagefilePrivilege	264	chrome.exe
Token: SeShutdownPrivilege	264	chrome.exe
Token: SeCreatePagefilePrivilege	264	chrome.exe
Token: SeShutdownPrivilege	264	chrome.exe
Token: SeCreatePagefilePrivilege	264	chrome.exe
Token: SeShutdownPrivilege	264	chrome.exe
Token: SeCreatePagefilePrivilege	264	chrome.exe
Token: SeShutdownPrivilege	264	chrome.exe
Token: SeCreatePagefilePrivilege	264	chrome.exe
Token: SeShutdownPrivilege	264	chrome.exe
Token: SeCreatePagefilePrivilege	264	chrome.exe
Token: SeShutdownPrivilege	264	chrome.exe
Token: SeCreatePagefilePrivilege	264	chrome.exe
Token: SeShutdownPrivilege	264	chrome.exe
Token: SeCreatePagefilePrivilege	264	chrome.exe
Token: SeShutdownPrivilege	264	chrome.exe
Token: SeCreatePagefilePrivilege	264	chrome.exe
Token: SeShutdownPrivilege	264	chrome.exe
Token: SeCreatePagefilePrivilege	264	chrome.exe
Token: SeShutdownPrivilege	264	chrome.exe
Token: SeCreatePagefilePrivilege	264	chrome.exe
Token: SeShutdownPrivilege	264	chrome.exe
Token: SeCreatePagefilePrivilege	264	chrome.exe
Token: SeShutdownPrivilege	264	chrome.exe
Token: SeCreatePagefilePrivilege	264	chrome.exe
Token: SeShutdownPrivilege	264	chrome.exe
Token: SeCreatePagefilePrivilege	264	chrome.exe
Token: SeShutdownPrivilege	264	chrome.exe
Token: SeCreatePagefilePrivilege	264	chrome.exe
Token: SeShutdownPrivilege	264	chrome.exe
Token: SeCreatePagefilePrivilege	264	chrome.exe
Token: SeShutdownPrivilege	264	chrome.exe
Token: SeCreatePagefilePrivilege	264	chrome.exe
Token: SeShutdownPrivilege	264	chrome.exe
Token: SeCreatePagefilePrivilege	264	chrome.exe
Token: SeShutdownPrivilege	264	chrome.exe
Token: SeCreatePagefilePrivilege	264	chrome.exe
Token: SeShutdownPrivilege	264	chrome.exe
Token: SeCreatePagefilePrivilege	264	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
3748	msedge.exe
3748	msedge.exe
3748	msedge.exe
3748	msedge.exe
3748	msedge.exe
3748	msedge.exe
3748	msedge.exe
3748	msedge.exe
3748	msedge.exe
3748	msedge.exe
3748	msedge.exe
3748	msedge.exe
3748	msedge.exe
3748	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
264	chrome.exe
3748	msedge.exe
3748	msedge.exe
3748	msedge.exe
3748	msedge.exe
3748	msedge.exe
3748	msedge.exe
3748	msedge.exe
3748	msedge.exe
3748	msedge.exe
3748	msedge.exe
3748	msedge.exe
3748	msedge.exe
3748	msedge.exe
3748	msedge.exe
3748	msedge.exe
3748	msedge.exe
3748	msedge.exe
3748	msedge.exe
3748	msedge.exe
3748	msedge.exe
3748	msedge.exe
3748	msedge.exe
3748	msedge.exe
3748	msedge.exe
3784	TeamViewer.exe
3784	TeamViewer.exe
3784	TeamViewer.exe
3784	TeamViewer.exe
3784	TeamViewer.exe
3784	TeamViewer.exe
5588	TeamViewer.exe
5588	TeamViewer.exe
5588	TeamViewer.exe
5588	TeamViewer.exe
5588	TeamViewer.exe
5588	TeamViewer.exe
3132	TeamViewer.exe
3132	TeamViewer.exe
3132	TeamViewer.exe
3132	TeamViewer.exe

Suspicious use of SetWindowsHookEx 24 IoCs

pid	Process
6008	POWERPNT.EXE
6008	POWERPNT.EXE
6008	POWERPNT.EXE
6008	POWERPNT.EXE
6100	POWERPNT.EXE
6100	POWERPNT.EXE
6100	POWERPNT.EXE
6100	POWERPNT.EXE
6100	POWERPNT.EXE
3784	TeamViewer.exe
5588	TeamViewer.exe
5588	TeamViewer.exe
5588	TeamViewer.exe
3132	TeamViewer.exe
3132	TeamViewer.exe
3132	TeamViewer.exe
5516	WINWORD.EXE
5516	WINWORD.EXE
5516	WINWORD.EXE
5516	WINWORD.EXE
5516	WINWORD.EXE
5516	WINWORD.EXE
5516	WINWORD.EXE
5516	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 264 wrote to memory of 4864	264	chrome.exe	41
PID 264 wrote to memory of 4864	264	chrome.exe	41
PID 264 wrote to memory of 4144	264	chrome.exe	88
PID 264 wrote to memory of 4144	264	chrome.exe	88
PID 264 wrote to memory of 4144	264	chrome.exe	88
PID 264 wrote to memory of 4144	264	chrome.exe	88
PID 264 wrote to memory of 4144	264	chrome.exe	88
PID 264 wrote to memory of 4144	264	chrome.exe	88
PID 264 wrote to memory of 4144	264	chrome.exe	88
PID 264 wrote to memory of 4144	264	chrome.exe	88
PID 264 wrote to memory of 4144	264	chrome.exe	88
PID 264 wrote to memory of 4144	264	chrome.exe	88
PID 264 wrote to memory of 4144	264	chrome.exe	88
PID 264 wrote to memory of 4144	264	chrome.exe	88
PID 264 wrote to memory of 4144	264	chrome.exe	88
PID 264 wrote to memory of 4144	264	chrome.exe	88
PID 264 wrote to memory of 4144	264	chrome.exe	88
PID 264 wrote to memory of 4144	264	chrome.exe	88
PID 264 wrote to memory of 4144	264	chrome.exe	88
PID 264 wrote to memory of 4144	264	chrome.exe	88
PID 264 wrote to memory of 4144	264	chrome.exe	88
PID 264 wrote to memory of 4144	264	chrome.exe	88
PID 264 wrote to memory of 4144	264	chrome.exe	88
PID 264 wrote to memory of 4144	264	chrome.exe	88
PID 264 wrote to memory of 4144	264	chrome.exe	88
PID 264 wrote to memory of 4144	264	chrome.exe	88
PID 264 wrote to memory of 4144	264	chrome.exe	88
PID 264 wrote to memory of 4144	264	chrome.exe	88
PID 264 wrote to memory of 4144	264	chrome.exe	88
PID 264 wrote to memory of 4144	264	chrome.exe	88
PID 264 wrote to memory of 4144	264	chrome.exe	88
PID 264 wrote to memory of 4144	264	chrome.exe	88
PID 264 wrote to memory of 4144	264	chrome.exe	88
PID 264 wrote to memory of 4144	264	chrome.exe	88
PID 264 wrote to memory of 4144	264	chrome.exe	88
PID 264 wrote to memory of 4144	264	chrome.exe	88
PID 264 wrote to memory of 4144	264	chrome.exe	88
PID 264 wrote to memory of 4144	264	chrome.exe	88
PID 264 wrote to memory of 4144	264	chrome.exe	88
PID 264 wrote to memory of 4144	264	chrome.exe	88
PID 264 wrote to memory of 532	264	chrome.exe	89
PID 264 wrote to memory of 532	264	chrome.exe	89
PID 264 wrote to memory of 3780	264	chrome.exe	90
PID 264 wrote to memory of 3780	264	chrome.exe	90
PID 264 wrote to memory of 3780	264	chrome.exe	90
PID 264 wrote to memory of 3780	264	chrome.exe	90
PID 264 wrote to memory of 3780	264	chrome.exe	90
PID 264 wrote to memory of 3780	264	chrome.exe	90
PID 264 wrote to memory of 3780	264	chrome.exe	90
PID 264 wrote to memory of 3780	264	chrome.exe	90
PID 264 wrote to memory of 3780	264	chrome.exe	90
PID 264 wrote to memory of 3780	264	chrome.exe	90
PID 264 wrote to memory of 3780	264	chrome.exe	90
PID 264 wrote to memory of 3780	264	chrome.exe	90
PID 264 wrote to memory of 3780	264	chrome.exe	90
PID 264 wrote to memory of 3780	264	chrome.exe	90
PID 264 wrote to memory of 3780	264	chrome.exe	90
PID 264 wrote to memory of 3780	264	chrome.exe	90
PID 264 wrote to memory of 3780	264	chrome.exe	90
PID 264 wrote to memory of 3780	264	chrome.exe	90
PID 264 wrote to memory of 3780	264	chrome.exe	90
PID 264 wrote to memory of 3780	264	chrome.exe	90
PID 264 wrote to memory of 3780	264	chrome.exe	90
PID 264 wrote to memory of 3780	264	chrome.exe	90

System policy modification 1 TTPs 5 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} = "1"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection	msedgewebview2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	setup.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://download.teamviewer.com/download/TeamViewer_Setup_x64.exe?utm_source=google&utm_medium=cpc&utm_campaign=gb%7Cb%7Cpr%7C22%7Cjul%7Ctv-core-download-sn%7Cnew%7Ct0%7C0&utm_content=Download&utm_term=teamviewer+download
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0x74,0x108,0x7ffb0fd99758,0x7ffb0fd99768,0x7ffb0fd99778
  2⤵
  PID:4864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1692 --field-trial-handle=1896,i,16471830242846423559,5080769502370940364,131072 /prefetch:2
  2⤵
  PID:4144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=1896,i,16471830242846423559,5080769502370940364,131072 /prefetch:8
  2⤵
  PID:532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2228 --field-trial-handle=1896,i,16471830242846423559,5080769502370940364,131072 /prefetch:8
  2⤵
  PID:3780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2960 --field-trial-handle=1896,i,16471830242846423559,5080769502370940364,131072 /prefetch:1
  2⤵
  PID:648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2988 --field-trial-handle=1896,i,16471830242846423559,5080769502370940364,131072 /prefetch:1
  2⤵
  PID:2788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5128 --field-trial-handle=1896,i,16471830242846423559,5080769502370940364,131072 /prefetch:8
  2⤵
  PID:4184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5404 --field-trial-handle=1896,i,16471830242846423559,5080769502370940364,131072 /prefetch:8
  2⤵
  PID:944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5388 --field-trial-handle=1896,i,16471830242846423559,5080769502370940364,131072 /prefetch:8
  2⤵
  PID:1828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5692 --field-trial-handle=1896,i,16471830242846423559,5080769502370940364,131072 /prefetch:8
  2⤵
  PID:4596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5000 --field-trial-handle=1896,i,16471830242846423559,5080769502370940364,131072 /prefetch:8
  2⤵
  PID:4516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5700 --field-trial-handle=1896,i,16471830242846423559,5080769502370940364,131072 /prefetch:8
  2⤵
  PID:4968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5176 --field-trial-handle=1896,i,16471830242846423559,5080769502370940364,131072 /prefetch:8
  2⤵
  PID:4184

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3584

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:3776

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2808

C:\Users\Admin\Downloads\TeamViewer_Setup_x64.exe
"C:\Users\Admin\Downloads\TeamViewer_Setup_x64.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4396
- C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer_.exe
  "C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer_.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Registers COM server for autorun
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:2308
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\system32\schtasks /Create /TN TVInstallRestore /TR "\"C:\Program Files\TeamViewer\RollbackTemp\TeamViewer_.exe\" /RESTORE" /RU SYSTEM /SC ONLOGON /F
    3⤵
    - Creates scheduled task(s)
    PID:3224
- - C:\Program Files\TeamViewer\TeamViewer_Service.exe
    "C:\Program Files\TeamViewer\TeamViewer_Service.exe" -install
    3⤵
    - Executes dropped EXE
    - Modifies system certificate store
    PID:5932
- - C:\Program Files\TeamViewer\tv_x64.exe
    "C:\Program Files\TeamViewer\tv_x64.exe" --action uninstallpnpdriver --inf "C:\Program Files\TeamViewer\x64\TVVirtualMonitorDriver.inf" --log "C:\Program Files\TeamViewer\TeamViewer15_Hooks.log"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:5700
- - C:\Program Files\TeamViewer\tv_x64.exe
    "C:\Program Files\TeamViewer\tv_x64.exe" --action installpnpdriver --inf "C:\Program Files\TeamViewer\x64\TVVirtualMonitorDriver.inf" --log "C:\Program Files\TeamViewer\TeamViewer15_Hooks.log"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:5744
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\system32\schtasks /Delete /TN TVInstallRestore /F
    3⤵
    PID:6036
- - C:\Program Files\TeamViewer\utils\MicrosoftEdgeWebview2Setup.exe
    "C:\Program Files\TeamViewer\utils\MicrosoftEdgeWebview2Setup.exe" /install
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:6104
  - - C:\Program Files (x86)\Microsoft\Temp\EUC588.tmp\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\Temp\EUC588.tmp\MicrosoftEdgeUpdate.exe" /install "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers"
      4⤵
      Sets file execution options in registry
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:4032
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc
        5⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2172
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver
        5⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4572
      - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.173.45\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.173.45\MicrosoftEdgeUpdateComRegisterShell64.exe"
        6⤵
        Executes dropped EXE
        Registers COM server for autorun
        Modifies registry class
        
        PID:2276
      - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.173.45\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.173.45\MicrosoftEdgeUpdateComRegisterShell64.exe"
        6⤵
        Executes dropped EXE
        Registers COM server for autorun
        Modifies registry class
        
        PID:884
      - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.173.45\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.173.45\MicrosoftEdgeUpdateComRegisterShell64.exe"
        6⤵
        Executes dropped EXE
        Registers COM server for autorun
        Modifies registry class
        
        PID:3200
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzMuNDUiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzMuNDUiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7REVGQzkwMTAtRjc5Ny00ODg2LUJEMkUtMDkwQjc2OTlCNTIyfSIgdXNlcmlkPSJ7MDE5NjA2QkYtMThCQi00QzhCLUE3MUYtOTE5RDAzMDRBMkQzfSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9Ins0MTU0OEZDOS05NkVFLTQ4QjItOTRCNS1CQjQ5OTFDNDY2QkJ9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iREFEWSIgcHJvZHVjdF9uYW1lPSJTdGFuZGFyZCBQQyAoUTM1ICsgSUNIOSwgMjAwOSkiLz48ZXhwIGV0YWc9IiZxdW90O3FXSlN6V3dQZmRjTFIrWEdJdjZ4clpmaVlPeGhQVTJzMU5XbWpXY2FGUGc9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0ie0YzQzRGRTAwLUVGRDUtNDAzQi05NTY5LTM5OEEyMEYxQkE0QX0iIHZlcnNpb249IjEuMy4xNzUuMjkiIG5leHR2ZXJzaW9uPSIxLjMuMTczLjQ1IiBsYW5nPSIiIGJyYW5kPSIiIGNsaWVudD0iIj48ZXZlbnQgZXZlbnR0eXBlPSIyIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI2MjQ5ODc2ODYwIiBpbnN0YWxsX3RpbWVfbXM9IjE0NjkiLz48L2FwcD48L3JlcXVlc3Q-
        5⤵
        Executes dropped EXE
        
        PID:5560
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /handoff "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers" /installsource otherinstallcmd /sessionid "{DEFC9010-F797-4886-BD2E-090B7699B522}"
        5⤵
        Executes dropped EXE
        
        PID:5612

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:532

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
PID:1472
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{25dbafa2-a70b-7743-bf0a-d2a7cda1f7f1}\TVVirtualMonitorDriver.inf" "9" "4e60e5847" "000000000000014C" "WinSta0\Default" "0000000000000158" "208" "C:\Program Files\TeamViewer\x64"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:5460

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:5640
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzMuNDUiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzMuNDUiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7REVGQzkwMTAtRjc5Ny00ODg2LUJEMkUtMDkwQjc2OTlCNTIyfSIgdXNlcmlkPSJ7MDE5NjA2QkYtMThCQi00QzhCLUE3MUYtOTE5RDAzMDRBMkQzfSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9Ins1NzA3OUI5Ni00OEYwLTRGNDgtQTZCNi1GQkY5QkQ5QzREN0V9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iREFEWSIgcHJvZHVjdF9uYW1lPSJTdGFuZGFyZCBQQyAoUTM1ICsgSUNIOSwgMjAwOSkiLz48ZXhwIGV0YWc9IiZxdW90O3FXSlN6V3dQZmRjTFIrWEdJdjZ4clpmaVlPeGhQVTJzMU5XbWpXY2FGUGc9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEwNi4wLjUyNDkuMTE5IiBuZXh0dmVyc2lvbj0iMTA2LjAuNTI0OS4xMTkiIGxhbmc9ImVuIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSI1IiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI2MjU5NDQxMTA0Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
  2⤵
  - Executes dropped EXE
  PID:5688
- C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{EAE3CFE1-42BA-4D7F-9269-676004A30A9D}\MicrosoftEdge_X64_115.0.1901.188.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{EAE3CFE1-42BA-4D7F-9269-676004A30A9D}\MicrosoftEdge_X64_115.0.1901.188.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
  2⤵
  - Executes dropped EXE
  PID:4748
- - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{EAE3CFE1-42BA-4D7F-9269-676004A30A9D}\EDGEMITMP_755BC.tmp\setup.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{EAE3CFE1-42BA-4D7F-9269-676004A30A9D}\EDGEMITMP_755BC.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{EAE3CFE1-42BA-4D7F-9269-676004A30A9D}\MicrosoftEdge_X64_115.0.1901.188.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:1680
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzMuNDUiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzMuNDUiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7REVGQzkwMTAtRjc5Ny00ODg2LUJEMkUtMDkwQjc2OTlCNTIyfSIgdXNlcmlkPSJ7MDE5NjA2QkYtMThCQi00QzhCLUE3MUYtOTE5RDAzMDRBMkQzfSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9Ins4REU3RjY3RS1FNTQzLTRDQjktOUJFOS1FRDQyNkQyRjkzNjJ9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iREFEWSIgcHJvZHVjdF9uYW1lPSJTdGFuZGFyZCBQQyAoUTM1ICsgSUNIOSwgMjAwOSkiLz48ZXhwIGV0YWc9IiZxdW90O1ZQUW9QMUYrZnExNXdSemgxa1BMNFBNcFdoOE9STUI1aXp2ck9DL2NoalE9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0ie0YzMDE3MjI2LUZFMkEtNDI5NS04QkRGLTAwQzNBOUE3RTRDNX0iIHZlcnNpb249IiIgbmV4dHZlcnNpb249IjExNS4wLjE5MDEuMTg4IiBsYW5nPSIiIGJyYW5kPSIiIGNsaWVudD0iIiBleHBlcmltZW50cz0iY29uc2VudD1mYWxzZSIgaW5zdGFsbGFnZT0iLTEiIGluc3RhbGxkYXRlPSItMSI-PHVwZGF0ZWNoZWNrLz48ZXZlbnQgZXZlbnR0eXBlPSI5IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI2MjY3Nzc0NjY2IiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iNSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNjI2ODAzNTI4NiIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjY0OTgyMTI1NzUiIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiIGRvd25sb2FkZXI9ImJpdHMiIHVybD0iaHR0cDovL21zZWRnZS5mLnRsdS5kbC5kZWxpdmVyeS5tcC5taWNyb3NvZnQuY29tL2ZpbGVzdHJlYW1pbmdzZXJ2aWNlL2ZpbGVzL2QzMzUwMzI3LWMzNWItNGE4NC1iMzMzLTJhYjQyOGFmOTVlNj9QMT0xNjkxNTkwNDE0JmFtcDtQMj00MDQmYW1wO1AzPTImYW1wO1A0PU4lMmZIUHNvemFJUm5VclJKRzRSQkg2Z1hxWHNrNGR3dnJhckgyemdMRkZDUjBwdVZka2JuR0ltTCUyZiUyZlA2clYlMmJEUzg5WWRUYVU5T3loZ2klMmZTSWdiVlA3USUzZCUzZCIgc2VydmVyX2lwX2hpbnQ9IiIgY2RuX2NpZD0iLTEiIGNkbl9jY2M9IiIgY2RuX21zZWRnZV9yZWY9IiIgY2RuX2F6dXJlX3JlZl9vcmlnaW5fc2hpZWxkPSIiIGNkbl9jYWNoZT0iIiBjZG5fcDNwPSIiIGRvd25sb2FkZWQ9IjE1MTA3MzczNiIgdG90YWw9IjE1MTA3MzczNiIgZG93bmxvYWRfdGltZV9tcz0iMTM5MzEiLz48ZXZlbnQgZXZlbnR0eXBlPSIxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI2NDk4MzU4NzI0IiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iNiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNjUyMTIzNTQ5OCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjE5NjYwOSIgc3lzdGVtX3VwdGltZV90aWNrcz0iNjg1OTcwNDgzMCIgc291cmNlX3VybF9pbmRleD0iMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIgdXBkYXRlX2NoZWNrX3RpbWVfbXM9IjM5MSIgZG93bmxvYWRfdGltZV9tcz0iMjMwMTMiIGRvd25sb2FkZWQ9IjE1MTA3MzczNiIgdG90YWw9IjE1MTA3MzczNiIgcGFja2FnZV9jYWNoZV9yZXN1bHQ9IjAiIGluc3RhbGxfdGltZV9tcz0iMzM4MjkiLz48L2FwcD48L3JlcXVlc3Q-
  2⤵
  - Executes dropped EXE
  PID:1464

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffaffb446f8,0x7ffaffb44708,0x7ffaffb44718
1⤵
PID:5924

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://hackertyper.net/
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1972,821183838289157479,17560392397729954380,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2000 /prefetch:2
  2⤵
  PID:100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1972,821183838289157479,17560392397729954380,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1972,821183838289157479,17560392397729954380,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2700 /prefetch:8
  2⤵
  PID:5900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,821183838289157479,17560392397729954380,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3068 /prefetch:1
  2⤵
  PID:5360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,821183838289157479,17560392397729954380,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3076 /prefetch:1
  2⤵
  PID:6056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,821183838289157479,17560392397729954380,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4708 /prefetch:1
  2⤵
  PID:5152
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1972,821183838289157479,17560392397729954380,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5452 /prefetch:8
  2⤵
  PID:3024
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1972,821183838289157479,17560392397729954380,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5452 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,821183838289157479,17560392397729954380,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4488 /prefetch:1
  2⤵
  PID:3480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,821183838289157479,17560392397729954380,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2660 /prefetch:1
  2⤵
  PID:5692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,821183838289157479,17560392397729954380,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4716 /prefetch:1
  2⤵
  PID:5312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,821183838289157479,17560392397729954380,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1
  2⤵
  PID:4712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,821183838289157479,17560392397729954380,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2988 /prefetch:1
  2⤵
  PID:5036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,821183838289157479,17560392397729954380,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1
  2⤵
  PID:5536

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\Desktop\ConnectUndo.pptx" /ou ""
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:6008

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5536

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:844

C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE
"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:6100

C:\Program Files\TeamViewer\TeamViewer_Service.exe
"C:\Program Files\TeamViewer\TeamViewer_Service.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3392
- C:\Program Files\TeamViewer\TeamViewer.exe
  "C:\Program Files\TeamViewer\TeamViewer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:3784
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\115.0.1901.188\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\115.0.1901.188\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=TeamViewer.exe --webview-exe-version=15.44.5.0 --user-data-dir="C:\Users\Admin\AppData\Local\TeamViewer\EdgeBrowserControl\Temporary\8b4a8879473e4d2fa56e453fb5eda9da\EBWebView" --noerrdialogs --embedded-browser-webview-dpi-awareness=1 --disable-features=msSmartScreenProtection,msWebOOUI,msPdfOOUI,ElasticOverscroll --enable-features=MojoIpcz,msSingleSignOnOSForPrimaryAccountIsShared --lang=en --mojo-named-platform-channel-pipe=3784.4700.8843982357380783690
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - System policy modification
    PID:2000
  - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\115.0.1901.188\msedgewebview2.exe
      "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\115.0.1901.188\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\TeamViewer\EdgeBrowserControl\Temporary\8b4a8879473e4d2fa56e453fb5eda9da\EBWebView /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\TeamViewer\EdgeBrowserControl\Temporary\8b4a8879473e4d2fa56e453fb5eda9da\EBWebView\Crashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=115.0.5790.114 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\115.0.1901.188\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=115.0.1901.188 --initial-client-data=0x164,0x168,0x16c,0x140,0x174,0x7ffae163d310,0x7ffae163d320,0x7ffae163d330
      4⤵
      Executes dropped EXE
      PID:4816
  - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\115.0.1901.188\msedgewebview2.exe
      "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\115.0.1901.188\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\TeamViewer\EdgeBrowserControl\Temporary\8b4a8879473e4d2fa56e453fb5eda9da\EBWebView" --webview-exe-name=TeamViewer.exe --webview-exe-version=15.44.5.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --mojo-platform-channel-handle=2016 --field-trial-handle=1832,i,13819758962561057424,17716894499073530817,262144 --enable-features=MojoIpcz,msSingleSignOnOSForPrimaryAccountIsShared --disable-features=ElasticOverscroll,msPdfOOUI,msSmartScreenProtection,msWebOOUI /prefetch:3
      4⤵
      Executes dropped EXE
      PID:5704
  - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\115.0.1901.188\msedgewebview2.exe
      "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\115.0.1901.188\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\TeamViewer\EdgeBrowserControl\Temporary\8b4a8879473e4d2fa56e453fb5eda9da\EBWebView" --webview-exe-name=TeamViewer.exe --webview-exe-version=15.44.5.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --mojo-platform-channel-handle=3004 --field-trial-handle=1832,i,13819758962561057424,17716894499073530817,262144 --enable-features=MojoIpcz,msSingleSignOnOSForPrimaryAccountIsShared --disable-features=ElasticOverscroll,msPdfOOUI,msSmartScreenProtection,msWebOOUI /prefetch:8
      4⤵
      Executes dropped EXE
      PID:3712
  - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\115.0.1901.188\msedgewebview2.exe
      "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\115.0.1901.188\msedgewebview2.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\TeamViewer\EdgeBrowserControl\Temporary\8b4a8879473e4d2fa56e453fb5eda9da\EBWebView" --webview-exe-name=TeamViewer.exe --webview-exe-version=15.44.5.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc --ms-user-locale=" --mojo-platform-channel-handle=3004 --field-trial-handle=1832,i,13819758962561057424,17716894499073530817,262144 --enable-features=MojoIpcz,msSingleSignOnOSForPrimaryAccountIsShared --disable-features=ElasticOverscroll,msPdfOOUI,msSmartScreenProtection,msWebOOUI /prefetch:1
      4⤵
      Executes dropped EXE
      PID:5912
  - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\115.0.1901.188\msedgewebview2.exe
      "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\115.0.1901.188\msedgewebview2.exe" --type=gpu-process --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\TeamViewer\EdgeBrowserControl\Temporary\8b4a8879473e4d2fa56e453fb5eda9da\EBWebView" --webview-exe-name=TeamViewer.exe --webview-exe-version=15.44.5.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1816 --field-trial-handle=1832,i,13819758962561057424,17716894499073530817,262144 --enable-features=MojoIpcz,msSingleSignOnOSForPrimaryAccountIsShared --disable-features=ElasticOverscroll,msPdfOOUI,msSmartScreenProtection,msWebOOUI /prefetch:2
      4⤵
      Executes dropped EXE
      PID:3508
- - C:\Program Files\TeamViewer\TeamViewer.exe
    "C:\Program Files\TeamViewer\TeamViewer.exe" restartui
    3⤵
    - Executes dropped EXE
    - Modifies Internet Explorer settings
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:5588
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.teamviewer.com/documents/?lng=en&version=15.44.5%20&cid=1979973535
      4⤵
      PID:3928
- C:\Program Files\TeamViewer\tv_w32.exe
  "C:\Program Files\TeamViewer\tv_w32.exe" --action hooks --log C:\Program Files\TeamViewer\TeamViewer15_Logfile.log
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID:3184
- C:\Program Files\TeamViewer\tv_x64.exe
  "C:\Program Files\TeamViewer\tv_x64.exe" --action hooks --log C:\Program Files\TeamViewer\TeamViewer15_Logfile.log
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID:5392
- C:\Program Files\TeamViewer\tv_w32.exe
  "C:\Program Files\TeamViewer\tv_w32.exe" --action hooks --log C:\Program Files\TeamViewer\TeamViewer15_Logfile.log
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID:5672
- C:\Program Files\TeamViewer\tv_x64.exe
  "C:\Program Files\TeamViewer\tv_x64.exe" --action hooks --log C:\Program Files\TeamViewer\TeamViewer15_Logfile.log
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID:5324
- C:\Program Files\TeamViewer\tv_x64.exe
  "C:\Program Files\TeamViewer\tv_x64.exe" --action hooks --log C:\Program Files\TeamViewer\TeamViewer15_Logfile.log
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID:720
- C:\Program Files\TeamViewer\tv_w32.exe
  "C:\Program Files\TeamViewer\tv_w32.exe" --action hooks --log C:\Program Files\TeamViewer\TeamViewer15_Logfile.log
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID:908

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xb4,0x108,0x7ffaffb446f8,0x7ffaffb44708,0x7ffaffb44718
1⤵
PID:2060

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\9dfac0c19d324628aa12e70039e5dd5c /t 5620 /p 5588
1⤵
PID:3176

C:\Program Files\TeamViewer\TeamViewer.exe
"C:\Program Files\TeamViewer\TeamViewer.exe"
1⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3132

C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:5516

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\02c6a609dd554403b978ecf1f6baba3e /t 4016 /p 3132
1⤵
PID:4412

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ua /installsource scheduler
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:5428

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:816
- C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{2540EA11-83B0-499B-8E13-46F742865DFE}\MicrosoftEdgeUpdateSetup_X86_1.3.177.11.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{2540EA11-83B0-499B-8E13-46F742865DFE}\MicrosoftEdgeUpdateSetup_X86_1.3.177.11.exe" /update /sessionid "{4EE9E593-3F43-4780-80B3-0E501A1973EA}"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:6096
- - C:\Program Files (x86)\Microsoft\Temp\EUA32E.tmp\MicrosoftEdgeUpdate.exe
    "C:\Program Files (x86)\Microsoft\Temp\EUA32E.tmp\MicrosoftEdgeUpdate.exe" /update /sessionid "{4EE9E593-3F43-4780-80B3-0E501A1973EA}"
    3⤵
    - Sets file execution options in registry
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:4452
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc
      4⤵
      Executes dropped EXE
      Modifies registry class
      PID:5880
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver
      4⤵
      Executes dropped EXE
      Modifies registry class
      PID:3664
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.177.11\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.177.11\MicrosoftEdgeUpdateComRegisterShell64.exe"
        5⤵
        Executes dropped EXE
        Registers COM server for autorun
        Modifies registry class
        
        PID:3704
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.177.11\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.177.11\MicrosoftEdgeUpdateComRegisterShell64.exe"
        5⤵
        Executes dropped EXE
        Registers COM server for autorun
        Modifies registry class
        
        PID:3604
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.177.11\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.177.11\MicrosoftEdgeUpdateComRegisterShell64.exe"
        5⤵
        Executes dropped EXE
        Registers COM server for autorun
        Modifies registry class
        
        PID:1272
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzcuMTEiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzMuNDUiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NEVFOUU1OTMtM0Y0My00NzgwLTgwQjMtMEU1MDFBMTk3M0VBfSIgdXNlcmlkPSJ7MDE5NjA2QkYtMThCQi00QzhCLUE3MUYtOTE5RDAzMDRBMkQzfSIgaW5zdGFsbHNvdXJjZT0ic2VsZnVwZGF0ZSIgcmVxdWVzdGlkPSJ7M0U5M0M1RUMtNjc3Qi00RDVELUI0NTgtNzAyMjJCNzY5NjMyfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjgiIHBoeXNtZW1vcnk9IjgiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIG9zX3JlZ2lvbl9uYW1lPSJVUyIgb3NfcmVnaW9uX25hdGlvbj0iMjQ0IiBvc19yZWdpb25fZG1hPSIwIiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSJEQURZIiBwcm9kdWN0X25hbWU9IlN0YW5kYXJkIFBDIChRMzUgKyBJQ0g5LCAyMDA5KSIvPjxleHAgZXRhZz0iJnF1b3Q7cVdKU3pXd1BmZGNMUitYR0l2NnhyWmZpWU94aFBVMnMxTldtaldjYUZQZz0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7RjNDNEZFMDAtRUZENS00MDNCLTk1NjktMzk4QTIwRjFCQTRBfSIgdmVyc2lvbj0iMS4zLjE3My40NSIgbmV4dHZlcnNpb249IjEuMy4xNzcuMTEiIGxhbmc9IiIgYnJhbmQ9IklOQlgiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIwIiBpbnN0YWxsZGF0ZXRpbWU9IjE2OTA5ODU2MTAiPjxldmVudCBldmVudHR5cGU9IjMiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjE2NjE1MDM0MTIxIi8-PC9hcHA-PC9yZXF1ZXN0Pg
      4⤵
      Executes dropped EXE
      PID:1992
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzMuNDUiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzMuNDUiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NEVFOUU1OTMtM0Y0My00NzgwLTgwQjMtMEU1MDFBMTk3M0VBfSIgdXNlcmlkPSJ7MDE5NjA2QkYtMThCQi00QzhCLUE3MUYtOTE5RDAzMDRBMkQzfSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9IntBRTAwMzdCMC01MUM1LTQxRkYtQTM1RS03QTkyMUU2QzdEQzd9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iREFEWSIgcHJvZHVjdF9uYW1lPSJTdGFuZGFyZCBQQyAoUTM1ICsgSUNIOSwgMjAwOSkiLz48ZXhwIGV0YWc9IiZxdW90O3FXSlN6V3dQZmRjTFIrWEdJdjZ4clpmaVlPeGhQVTJzMU5XbWpXY2FGUGc9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0ie0YzQzRGRTAwLUVGRDUtNDAzQi05NTY5LTM5OEEyMEYxQkE0QX0iIHZlcnNpb249IjEuMy4xNzMuNDUiIG5leHR2ZXJzaW9uPSIxLjMuMTc3LjExIiBsYW5nPSIiIGJyYW5kPSJJTkJYIiBjbGllbnQ9IiIgZXhwZXJpbWVudHM9IlByb2R1Y3RzVG9SZWdpc3Rlcj0lN0JGMzAxNzIyNi1GRTJBLTQyOTUtOEJERi0wMEMzQTlBN0U0QzUlN0QiIGluc3RhbGxhZ2U9IjAiPjx1cGRhdGVjaGVjay8-PGV2ZW50IGV2ZW50dHlwZT0iMTIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9Ijk3MTM3ODQyMjEiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIxMyIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iOTcxNDA5NjQ0OSIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjE0IiBldmVudHJlc3VsdD0iMCIgZXJyb3Jjb2RlPSItMjE0NzAyMzgzOCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTY1ODMxNTk0MTAiIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiIGRvd25sb2FkZXI9ImRvIiB1cmw9Imh0dHA6Ly9tc2VkZ2UuYi50bHUuZGwuZGVsaXZlcnkubXAubWljcm9zb2Z0LmNvbS9maWxlc3RyZWFtaW5nc2VydmljZS9maWxlcy9lOWI0MjZiOS0wN2Y4LTRiMjktOTM1Yy1kOTFhNTliYjc4YmE_UDE9MTY5MTU5MDc1OSZhbXA7UDI9NDA0JmFtcDtQMz0yJmFtcDtQND1jeFp1RSUyYmhpUFRKSmsyJTJibjhZMmRjNkoyMmI1VWgyTXYlMmZqZzNRcnFNam9lUEhSbSUyYlpsSFluJTJiJTJiVSUyZjdEWTF5bzgyUEVQJTJiR2s2UEt0cm44M29zNVVtWUElM2QlM2QiIHNlcnZlcl9pcF9oaW50PSIiIGNkbl9jaWQ9Ii0xIiBjZG5fY2NjPSIiIGNkbl9tc2VkZ2VfcmVmPSIiIGNkbl9henVyZV9yZWZfb3JpZ2luX3NoaWVsZD0iIiBjZG5fY2FjaGU9IiIgY2RuX3AzcD0iIiBkb3dubG9hZGVkPSIwIiB0b3RhbD0iMCIgZG93bmxvYWRfdGltZV9tcz0iMzEiLz48ZXZlbnQgZXZlbnR0eXBlPSIxNCIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTY1ODMxNTk0MTAiIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiIGRvd25sb2FkZXI9ImJpdHMiIHVybD0iaHR0cDovL21zZWRnZS5iLnRsdS5kbC5kZWxpdmVyeS5tcC5taWNyb3NvZnQuY29tL2ZpbGVzdHJlYW1pbmdzZXJ2aWNlL2ZpbGVzL2U5YjQyNmI5LTA3ZjgtNGIyOS05MzVjLWQ5MWE1OWJiNzhiYT9QMT0xNjkxNTkwNzU5JmFtcDtQMj00MDQmYW1wO1AzPTImYW1wO1A0PWN4WnVFJTJiaGlQVEpKazIlMmJuOFkyZGM2SjIyYjVVaDJNdiUyZmpnM1FycU1qb2VQSFJtJTJiWmxIWW4lMmIlMmJVJTJmN0RZMXlvODJQRVAlMmJHazZQS3Rybjgzb3M1VW1ZQSUzZCUzZCIgc2VydmVyX2lwX2hpbnQ9IiIgY2RuX2NpZD0iLTEiIGNkbl9jY2M9IiIgY2RuX21zZWRnZV9yZWY9IiIgY2RuX2F6dXJlX3JlZl9vcmlnaW5fc2hpZWxkPSIiIGNkbl9jYWNoZT0iIiBjZG5fcDNwPSIiIGRvd25sb2FkZWQ9IjE1OTg5NDQiIHRvdGFsPSIxNTk4OTQ0IiBkb3dubG9hZF90aW1lX21zPSI2ODIwNDYiLz48ZXZlbnQgZXZlbnR0eXBlPSIxNCIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTY1ODMzMTUwODUiIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIxNSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTY1ODg2Mjg5OTAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48cGluZyByPSIzMCIgcmQ9IjYwMjciIHBpbmdfZnJlc2huZXNzPSJ7RTk2NkMyNTYtNkNDMC00Q0IyLUIzQ0UtN0QyQzAzNUI4RUQ0fSIvPjwvYXBwPjxhcHAgYXBwaWQ9Ins1NkVCMThGOC1CMDA4LTRDQkQtQjZEMi04Qzk3RkU3RTkwNjJ9IiB2ZXJzaW9uPSI5Mi4wLjkwMi42NyIgbmV4dHZlcnNpb249IiIgbGFuZz0iIiBicmFuZD0iSU5CWCIgY2xpZW50PSIiIGV4cGVyaW1lbnRzPSJjb25zZW50PWZhbHNlIiBpc19waW5uZWRfc3lzdGVtPSJ0cnVlIiBsYXN0X2xhdW5jaF9jb3VudD0iMSIgbGFzdF9sYXVuY2hfdGltZT0iMTMzMzU0NTkzMTUxODAzOTIwIj48dXBkYXRlY2hlY2svPjxwaW5nIGFjdGl2ZT0iMSIgYT0iLTEiIHI9IjMwIiBhZD0iLTEiIHJkPSI2MDI3IiBwaW5nX2ZyZXNobmVzcz0iezM3N0RERTFCLTlEOTgtNDZBRi1CMzYyLUQyMjhDRUQzNTFFM30iLz48L2FwcD48YXBwIGFwcGlkPSJ7RjMwMTcyMjYtRkUyQS00Mjk1LThCREYtMDBDM0E5QTdFNEM1fSIgdmVyc2lvbj0iMTE1LjAuMTkwMS4xODgiIG5leHR2ZXJzaW9uPSIiIGxhbmc9IiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBleHBlcmltZW50cz0iY29uc2VudD1mYWxzZSIgaW5zdGFsbGFnZT0iMCIgaW5zdGFsbGRhdGU9IjYwNTUiIGxhc3RfbGF1bmNoX2NvdW50PSIxIiBsYXN0X2xhdW5jaF90aW1lPSIxMzMzNTQ1OTI4MjA0ODI5MTAiPjx1cGRhdGVjaGVjay8-PHBpbmcgYWN0aXZlPSIxIiBhPSItMSIgcj0iLTEiIGFkPSItMSIgcmQ9Ii0xIiBwaW5nX2ZyZXNobmVzcz0iezg0NkU2NEJDLTA5QjMtNDU1Ni05QkQxLTIzN0Q4QzY4NkQwM30iLz48L2FwcD48L3JlcXVlc3Q-
  2⤵
  - Executes dropped EXE
  PID:2748

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ua /installsource scheduler
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2524

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3076
- C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D42BDDDC-766E-400A-A21B-944E714CC018}\MicrosoftEdge_X64_115.0.1901.188.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D42BDDDC-766E-400A-A21B-944E714CC018}\MicrosoftEdge_X64_115.0.1901.188.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
  2⤵
  - Executes dropped EXE
  PID:4560
- - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D42BDDDC-766E-400A-A21B-944E714CC018}\EDGEMITMP_27005.tmp\setup.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D42BDDDC-766E-400A-A21B-944E714CC018}\EDGEMITMP_27005.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D42BDDDC-766E-400A-A21B-944E714CC018}\MicrosoftEdge_X64_115.0.1901.188.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Registers COM server for autorun
    - Installs/modifies Browser Helper Object
    - Drops file in Program Files directory
    - Modifies Internet Explorer settings
    - Modifies registry class
    - System policy modification
    PID:3472
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D42BDDDC-766E-400A-A21B-944E714CC018}\EDGEMITMP_27005.tmp\setup.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D42BDDDC-766E-400A-A21B-944E714CC018}\EDGEMITMP_27005.tmp\setup.exe" --msedge --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      PID:2796
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzcuMTEiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzMuNDUiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QzRBOTAxNTYtOTRDMC00NUNGLUE5MjktMTlFRDgwQjczMDFBfSIgdXNlcmlkPSJ7MDE5NjA2QkYtMThCQi00QzhCLUE3MUYtOTE5RDAzMDRBMkQzfSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9IntCM0Q1N0FCMy1GMDZFLTRBNzktQTVFQS1CMDUxOEM3NDk0ODN9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgb3NfcmVnaW9uX25hbWU9IlVTIiBvc19yZWdpb25fbmF0aW9uPSIyNDQiIG9zX3JlZ2lvbl9kbWE9IjAiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IkRBRFkiIHByb2R1Y3RfbmFtZT0iU3RhbmRhcmQgUEMgKFEzNSArIElDSDksIDIwMDkpIi8-PGV4cCBldGFnPSImcXVvdDtxV0pTeld3UGZkY0xSK1hHSXY2eHJaZmlZT3hoUFUyczFOV21qV2NhRlBnPSZxdW90OyIvPjxhcHAgYXBwaWQ9IntGM0M0RkUwMC1FRkQ1LTQwM0ItOTU2OS0zOThBMjBGMUJBNEF9IiB2ZXJzaW9uPSIxLjMuMTc3LjExIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSIiIGJyYW5kPSJJTkJYIiBjbGllbnQ9IiIgZXhwZXJpbWVudHM9IlByb2R1Y3RzVG9SZWdpc3Rlcj0lN0JGMzAxNzIyNi1GRTJBLTQyOTUtOEJERi0wMEMzQTlBN0U0QzUlN0QiIGluc3RhbGxhZ2U9IjAiIGNvaG9ydD0icnJmQDAuOTkiPjx1cGRhdGVjaGVjay8-PHBpbmcgcmQ9IjYwNTciIHBpbmdfZnJlc2huZXNzPSJ7MUNGQTIxM0YtRUU2RS00QjM0LTkzQzktOUZCNUIzRDZDNzZCfSIvPjwvYXBwPjxhcHAgYXBwaWQ9Ins1NkVCMThGOC1CMDA4LTRDQkQtQjZEMi04Qzk3RkU3RTkwNjJ9IiB2ZXJzaW9uPSI5Mi4wLjkwMi42NyIgbmV4dHZlcnNpb249IjExNS4wLjE5MDEuMTg4IiBsYW5nPSIiIGJyYW5kPSJJTkJYIiBjbGllbnQ9IiIgZXhwZXJpbWVudHM9ImNvbnNlbnQ9ZmFsc2UiIGlzX3Bpbm5lZF9zeXN0ZW09InRydWUiIGxhc3RfbGF1bmNoX2NvdW50PSIxIiBsYXN0X2xhdW5jaF90aW1lPSIxMzMzNTQ1OTMxNTE4MDM5MjAiPjx1cGRhdGVjaGVjay8-PGV2ZW50IGV2ZW50dHlwZT0iMTIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjE5ODE4MTU5MjkzIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMTMiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjE5ODE4NDcxNDQzIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMTQiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjE5ODQ5NzIxMTQ1IiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMTUiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjE5ODYzMzE1NDMxIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMyIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMTk2NjA5IiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIxOTkwMDE5MDA4OCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIgdXBkYXRlX2NoZWNrX3RpbWVfbXM9Ijg5MSIgZG93bmxvYWRlZD0iMTUxMDczNzM2IiB0b3RhbD0iMTUxMDczNzM2IiBwYWNrYWdlX2NhY2hlX3Jlc3VsdD0iMiIgaW5zdGFsbF90aW1lX21zPSIzNjU2Ii8-PHBpbmcgYWN0aXZlPSIwIiByZD0iNjA1NyIgcGluZ19mcmVzaG5lc3M9InsyRDNGQjVFQi1FOTNDLTQ4RTItQkI1RS0yMzg2NUYxRDlGRDR9Ii8-PC9hcHA-PGFwcCBhcHBpZD0ie0YzMDE3MjI2LUZFMkEtNDI5NS04QkRGLTAwQzNBOUE3RTRDNX0iIHZlcnNpb249IjExNS4wLjE5MDEuMTg4IiBuZXh0dmVyc2lvbj0iIiBsYW5nPSIiIGJyYW5kPSJHR0xTIiBjbGllbnQ9IiIgZXhwZXJpbWVudHM9ImNvbnNlbnQ9ZmFsc2UiIGluc3RhbGxhZ2U9IjAiIGluc3RhbGxkYXRlPSI2MDU1IiBjb2hvcnQ9InJyZkAwLjU3IiBsYXN0X2xhdW5jaF9jb3VudD0iMSIgbGFzdF9sYXVuY2hfdGltZT0iMTMzMzU0NTkyODIwNDgyOTEwIj48dXBkYXRlY2hlY2svPjxwaW5nIGFjdGl2ZT0iMCIgcmQ9IjYwNTciIHBpbmdfZnJlc2huZXNzPSJ7NTdCRDA3M0UtNUJDRi00NzY2LUE0ODktQ0M0REM3MUZBNENCfSIvPjwvYXBwPjwvcmVxdWVzdD4
  2⤵
  - Executes dropped EXE
  PID:4424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\EdgeCore\115.0.1901.188\Installer\setup.exe

Filesize
3.5MB

MD5
44bbfb654b9725d2489094512160bf0c

SHA1
6f649fedce1b4b75a9013fef7722e2567dda2a1e

SHA256
b5eb80c0a1ce27616a2444b0379aab08707067feda7782abf03feaf8be1f6a5a

SHA512
b15be6469f94be1c4b7fa5bdece3cc5986f9fb9462a63e8780f104e35af35fa8985ee9db74cc3e6f24f65f73935a49637637e789b22f0316353caa642dfdc611

Download Submit
C:\Program Files (x86)\Microsoft\EdgeUpdate\Download\{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}\115.0.1901.188\MicrosoftEdge_X64_115.0.1901.188.exe

Filesize
144.1MB

MD5
9322417f73279bf090d5cdea916b9710

SHA1
362f6c104ab1eb1895bcc123d5b7536d9277a1c8

SHA256
301f175d439cc2b1886a9c8e4c31071ac3fcdfb3f500b1f3fa0be5509910741f

SHA512
e5e1bbae4b04f9b0bc7e856401cebeb0f321ccd79973ad39d4e8e98bdb62920436a97a17385755dc9e9f2fb431ee07b71a71671df4827fc770df16c71ecdc9a6

Download Submit
C:\Program Files (x86)\Microsoft\EdgeUpdate\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\1.3.177.11\MicrosoftEdgeUpdateSetup_X86_1.3.177.11.exe

Filesize
1.5MB

MD5
71b072f0a3d4b9e580a8bcd523403d43

SHA1
06bac910ad59cfa7ef323096d2c6728496b5e995

SHA256
a86d9f7c545953074b8b9c18474e953db73a9ba8e9ca50cbb3e5d97a7347fe4d

SHA512
8e668cb63d2b2092c81c8ef8e5eeacc01a34cc8b1eb7959bdd6104337a9a491650e41412dedbc5dca620320223694902d99d4213c95fed90799b262799a6a554

Download Submit
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D42BDDDC-766E-400A-A21B-944E714CC018}\EDGEMITMP_27005.tmp\SETUP.EX_

Filesize
1.5MB

MD5
19207c8798e9ba80f0d8d8ae662a5a02

SHA1
e8161641e2c27f41ee7390198cd84cceb8b75e8d

SHA256
c1724a3fa26dcb99074ec01ca978d09bafc9d5eee28084ffc41f647135f735f2

SHA512
d7b5f9ec555901c2e0467843f336edd33fde7406c42a6f6a9bd8f3b787720d52945490b61f74297fa8bf9f0f3431e56d4d74b328637e377f1e8aef148d11b696

Download Submit
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

Filesize
201KB

MD5
ae0bd70d0d7e467457b9e39b29f78410

SHA1
b4a549508cbc9f975a191434d4d20ad3c28d5028

SHA256
4d9f16b00bda1db65b68cb486f7ae1bf5b32aedf7fd335e4a8ef2fa087870986

SHA512
cbe2b5ffe647f5318edd9825ea6536d6d14dab66920def0323fb5b4dc03a4f8b6781b9209e5a557ab4d270b3f2b170797e6bd807195c93869367c0a245a3168e

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUC588.tmp\MicrosoftEdgeUpdateSetup.exe

Filesize
1.5MB

MD5
b32d72daeee036e2b8f1c57e4a40e87a

SHA1
564caa330d077a3d26691338b3e38ee4879a929d

SHA256
65f6efdf6df4095971a95f4bf387590ae63109388344632a22458265ab7dd289

SHA512
b5d62ce1462d786c01d38e13d030ad6236ce63321819cf860cc6169f50f6309e627bc7709b305422851779e37dbae9fb358008aad8d6c124cd33cdec730288d5

Download Submit
C:\Program Files\TeamViewer\RollbackTemp\TeamViewer_.exe

Filesize
54.4MB

MD5
b98c6dfcbb6756bfd04a8eae3c4c4994

SHA1
a73380f8a71f20a67d761b2b7abfb9ad6349b180

SHA256
accf334e4f1ce9588d65fe0d8a1ea2965fdb917f8009c9235277987c0ce94c20

SHA512
c4f983d1f231cdb6612a9d189e193959e12cb29aca9dda5f5a5978fd96e3a2cc8fb5513b122ee84dbf8fb2e44643c1f7fb10d6a8727d6287ecab1eeba01a14f3

Download Submit
C:\Program Files\TeamViewer\TeamViewer.exe

Filesize
77.1MB

MD5
eea623e533bcbea1476ae8b0e271ef96

SHA1
a14f81c81d8580a12dbf9a9a6da25b3f2b5b4b39

SHA256
eaa7b072710d221b2e8bd40c38dd120da727cf7e86ab352dd9d54d60ca5052c0

SHA512
03a61cccb97a8f30cb70699e49e4ebc24a8aa3558abd551eafc108b9fbfd228f467f49ba643515274259f0e73c53535804f8e1675085fc3f4814d6c52f9ad83c

Download Submit
C:\Program Files\TeamViewer\TeamViewer15_Logfile.log

Filesize
38KB

MD5
c273c8d539c46240adc98aaa1e2d4b86

SHA1
5d5358348988429358144fe58a4dcccfa85e2b43

SHA256
3f04e244b9bf0e24f6f3ab9d6da8e578ff9937956d84ba08e13d533399cc081a

SHA512
eb915e461874ad3be0f77bb28c03f10f5df2b8c68673f05c98077b546c1fd6a48ddae6fc0fc4041b0a6c6bc2e5524547233bd84a5aa75502f70e0bb78c64c4cc

Download Submit
C:\Program Files\TeamViewer\TeamViewer_Service.exe

Filesize
19.8MB

MD5
45f78f965d72f96b8c4a41a7ac2a53af

SHA1
e48ef1db271b8b7ed311da338fc162cdc3c04e74

SHA256
aa60bceae3b9fafa2077ecab476043d34ab6548d02fec446cd83a9d5fe7d2590

SHA512
3da2ecfbbdd0242b1be7ab07c86114706f959cac501857ae4a2bbad6ca1e519d17af4f7301084bf9ffe1ae1452b5f6effa919deb34e31e769be2bbd4fa31e9bb

Download Submit
C:\Program Files\TeamViewer\tvinfo.ini

Filesize
265B

MD5
9ebe965ec4bf854a24539b44fdce20a6

SHA1
0bda51d38d4a0872b5088e67016576b4f0f6260e

SHA256
851f7bd42023a31437b8e009582a00895ee83561c3ccd7760190622404c7fcc3

SHA512
ec1b24c91df505de33abd8610ee9d7ae1e61a2f20a746dfa1224f345543d449b46d2708f351e12596431a9874e934d75f0349be5e8d4f35931cb3034a9c14af5

Download Submit
C:\Program Files\TeamViewer\x64\TeamViewerVPN.sy_

Filesize
45KB

MD5
6317a1890582d5abb3e3e3ee6b217411

SHA1
78f44d94212467fc61b98efbda91f2bc701e1a39

SHA256
3a09c3a24ec480ba4ad466760996e0f3ced30c1499abda32da6ead9de5d08836

SHA512
6241dc81ef29736972d2e8ce3fe0c52371445cf80e5ebf22630d9f29b1953470a0f2c15a57262e400f90773eb74428af4521c744acfe7d202f19ebf9b7ae3e03

Download Submit
C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

Filesize
121KB

MD5
f0673fc7ec23793bb48a7da06820aaf9

SHA1
cc38b87a8b122f9aa03d22ab190ae02978480a8c

SHA256
bbd4e9ad29ee3f7389348502d44d6aff7d7f0f443f036c93d05bf25e41181d0e

SHA512
d94e0a6d76f4ef01e72593d042d86df92a761831890ee0059bc8d778b3e8a05f81899e97fc801e20de5aee5c15247958cbe6d87643f1faa917149aaaf4a78694

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
c3f1d68db4e5fd05d53eab2ee1e54bcb

SHA1
aae988c2d4e3f7893b3811deef6faf50fb9a9c63

SHA256
c6019354a0e5bca6aa3fdebbde95e925d0fe2d2c805f82d2997ccfccce9fa471

SHA512
c8f86b13a8bfd62650b00dde11a153ac80229222358b6c3a73fa4c22e88636749758b4b0a1b4d5d747ccf2693260ceb61a38148b867749e82051f84bfb58ad0a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
aba0ec65f11147e5a7d242f98b9bbc8b

SHA1
04d0f870812e959c606c5be73d0341bc627186aa

SHA256
70d408a35e473ae2483b2d1ff7aeaac1557051c0ddde1a3efc03fa1eced568bf

SHA512
d3f5dc4659909c0ba230ecb50090c4107a3641530c57232dd41c3ce8d27173bf3bf15c018be8d6895c1125738bd58ea218655c13187907c8ba4e779f7e79c53f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
701B

MD5
9686fbfc157a57ac1bd717a8be4ac31d

SHA1
b41b0b9f7259c4fa2d43f39305109ae8623a6133

SHA256
20ecab8bb5ad937f8134db055905389110b51b58659696dbf4e968b157757dfd

SHA512
f1cddc4ae6b4b5d8d787755a3d72ea46855c982f39cdea236c1f025b7b2a1112d8b33d4fd5989ac0df2c8d16401c77c61ba2211ec6425fca6ae95fa80c2ce70c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
a46ad9174cc00e6c2139e74a7689ea3c

SHA1
b989a256fa6f6e23e2fe1363db605a7c0436c3f9

SHA256
95f355712ac736a5ebc400da11442eb60eac00b43e14f068711675e9dddb8f82

SHA512
0cff092844e37fa52dcbe4beef33267b5ae3cc95a9174d023772e0ab0997f50db4ecb48c3324635fa10c3c78ad278c81dc528aca2af96e7f4fb6e0f08067fcb3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
9d77b6bfabcd13cfbcb2e72cd737e596

SHA1
e0d23f002806902dc588a297203aaca38b8106c0

SHA256
a4a3033cad06862bb36c4be8754ec6bbfc94b4ebd11291740e36ced086b1bccc

SHA512
13205642c4d6958f2159ff831f38c6d1a19409f033fb8a1896878de36febb599a92b53bfd7716094a12663ad7dbad271518622731c89178e80203db9bf6bf733

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
c06fa131d66433b44b0b19df4bdd086d

SHA1
7286ba3d54daccb340064bac0d98fd406cdb2033

SHA256
381e735f88d98259de25515917ec120fcf1510276d5206f9564fd79f0612c079

SHA512
3ffcf42e4d3a02cbe88e4f5ab46931cc931683e69be9c120dcafeafa772b8a27f4dbe0b103e89c52f417199f12e38a6cd9377c7216dfc850fa7de0f8ccfe6bce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
87KB

MD5
c2b5d61181aaceb29741d2f73317c63d

SHA1
aaeb93c559c560d21e62200df045ca43a8cfe3e2

SHA256
bb4e87f08a0eaa05e308d9b6b1168b59227a373bca5b99d30782a80608423008

SHA512
e89b5447a70f2968d379d8f277880dd4407d8c058b21211a7c4f2b7f07f470da8e536b0821e63ad29947e705f6221e60b0a53791bbaacbc03c8810e02f7d734e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
87KB

MD5
dc4c52e5cb5f043813c97b4292736389

SHA1
6dc8fbc6807e1e162e3d05d4663dcaf662d2a0f6

SHA256
10eca69269a7f2e542ec5c55aab9c0e26a18a102c96f4da83cec407de7a394e8

SHA512
849e9d21a0061bcefb466bac8b4f9f2c191731086050e3b2d8eba0bd4e70477e69be1b55e9123982cd543267549b4da6260b720b0957f4360250fee2fe2d9d07

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
c0a1495e6fdd982d62143f5e4bf185f6

SHA1
2cb34bbe16f0c31366740f216bd328e46c53380d

SHA256
dfa1ac1b5ed95059f9e9e931e3a6edf69f345b9e59ec5a46d5dac615188dcf62

SHA512
23bcbcb08d34b84ade0674f752c03e9ee4fd0d126e6ac81dcfdb146c40d2536483911f9527dcdc99184ece066cc6d568af957377d08f16edf6affaaef084129b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3423d7e71b832850019e032730997f69

SHA1
bbc91ba3960fb8f7f2d5a190e6585010675d9061

SHA256
53770e40359b9738d8898520d7e4a57c28498edddbadf76ec4a599837aa0c649

SHA512
03d5fee4152300d6c5e9f72c059955c944c7e6d207e433e9fdd693639e63ea699a01696d7bbf56d2033fd52ad260c9ae36a2c5c888112d81bf7e04a3f273e65d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001a

Filesize
173KB

MD5
d3d1aff7a71e5f6f4537a0b3cbbd5c23

SHA1
82bbaa35980290986094ec5b2f33da17fe0e1ca8

SHA256
d3ac13e9bebf6119830ea38adf6715f42a193e7cc5834087abcd77bec3c07291

SHA512
9f5a8f657438a49e2b60db1372ced7edca4ca714efc63ff8791ff232d4252178b5a148a02b049f279007f095e7ac5b649367a2fb3dbffa14b39b637f1d30d42b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
96B

MD5
11df34e0f6b3e59201bfae8bc6a52413

SHA1
78f9da27d3b085c706646d119c53ab0b43046a80

SHA256
9dc698f2ea2ac2c6fcdc695aa356253faff22f5b3707206e1be9773ab7a5f2a7

SHA512
7543ad1e9eac82862b82fc04fd13fd1843c6ed09e187a63111b4296f5c5bbfbbaaefa0687bcf19cfb2cfce1888f3cc566c9c6e734d6d93bdbaa0a5bbd076c70a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
312B

MD5
0064a11965c509f34ee94ea3d442f55f

SHA1
1a92eba0e30b7d8b8fa10f694b3cbb021f2e783f

SHA256
8c3e5b58b3362f268f88a61e8064584ac1d8017882a506c8216e9aba8ff9b1fa

SHA512
949432ace6f7dfdb4fd6bba6a7efd714a8ef2240b67cfb1c2148ef6547711d489579874ebef7b27e948bec18f3ba7b086cc38f13c02d64f79349f651c17a532c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
1b020e01404042ef314f54513afada44

SHA1
6d11043807513616fc5fce39fd0bb92eccf1bc88

SHA256
ea4222d676f19a5db5773c0606ed555a739dc456c113601cf2bbbf7c50660277

SHA512
657155eb5cd4cd8a56a2d680bacbede489e61a9f9bdce53987b8e24f9b0c7d2458dbf91bf594cb04a7cc96bf9589b016a666722c12e22d00259d48c095ebce7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
457B

MD5
0749bcd843373f179de6fa654e2fd777

SHA1
077098bf54e195272a935a0a9e61d8ab1b01a9d2

SHA256
4678cb5146a99521d65ab40d1d60a94fa6715734bd72143438f7f455fda0836b

SHA512
f8b7ff124f336446e6b6de72ee75d017d78c9da3ac0a611032d5223b253e0d86896c49b87d4657cf68cfb63e41fa283a416c11eccdb7e69082b058285098e2a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
8fe1ff902d13050e500037ff2252d4e9

SHA1
a6159dc168674fe32b9aeac8de7c1bd51fb627ed

SHA256
66e7a224a9eeedd2168b30731cbb2f74490c070ec354ea04310459231e8419d4

SHA512
80bd4bd8830af0b7339ae65273d488c353c0c2db98e4108aba76b203d95bb4e0a94e513d709dc110e1d7e1f2a634c3879e2b778cc13e18e94c08ca2c277549df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
69bdefd718aaab12ba3af0bde2fb5052

SHA1
a794617d1bd9f173cae01fcb73fe71f7ba38b238

SHA256
a5b2a530a0bb0a500e6cd25421aa217e74070eb1e5fedf6c09aebc269ab80331

SHA512
e02258e6b2d9f12cef3ef5850a0bd72e4d857c74bc2f15ff91f2a65ed8302c801fb6537cb2b81c70f9f3e7e32a963323dd2d2740a0eed99d3ffd0a46787532d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
0c5a644f3d288c6a222a5b17fb586665

SHA1
e618043eebd92ec5b85db6cb21a8d8579c1ba696

SHA256
c688a401ff803be790d8a15b6b7ada65a497f37d7ac9aa4b0142858897114ce5

SHA512
74a7f280c309d052e000524598fe24b62f024adeea095eb249e43130132b6eaf39e9fe2d99eaa670c449fe3eac6ea4e07a61d79eb2ee281012ec210775ecf300

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
07b06d99961ef3c4961cf514f015ed8d

SHA1
3e5073360e6dd99c67c9dce21b1bb61aa51340b4

SHA256
aa05f49b0b1fdc7ae8215fe42020194b85601d5172abb5590cfa00d2caa2304a

SHA512
56ffbe8f3acc6c64a3a10b24d229cde70bd86e197b1b89151575b402a76525a68e2f125aa5ebf36d9cad6e1fd9c3f77a07d179a4163932205ce36e5182051e41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
0e78f9a3ece93ae9434c64ea2bff51dc

SHA1
a0e4c75fe32417fe2df705987df5817326e1b3b9

SHA256
5c8ce4455f2a3e5f36f30e7100f85bdd5e44336a8312278769f89f68b8d60e68

SHA512
9d1686f0b38e3326ad036c8b218b61428204910f586dccf8b62ecbed09190f7664a719a89a6fbc0ecb429aecf5dd0ec06de44be3a1510369e427bde0626fd51d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
aee5f36403d9c7ddfa3de97fdab1997e

SHA1
32634183e28808488ee997d02d31c2499d186ea2

SHA256
65ea3371c171faca4c1e695bde349a1cf55ac59d72e2544747d7346c25241b09

SHA512
4eb08d5886bcfe53c6e0c4cc76c35bb3518a99d86874f53f32390d7ddd403a9494f474069e76a4bbe189a406878bc75dd174ddc0fa2babf09560530c8dedd06f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5b86c0.TMP

Filesize
203B

MD5
f1dd2fbccdc1c91f9a192cd47d95d6d2

SHA1
4f6078ede0c525d42c15fe08fe8fab3c28367856

SHA256
5ac7b213b30bf7fc2cfba843f046a9788dcbe90f2cf28539516bec73e7d597f6

SHA512
6cc00d4db5f1c9140fdba8dacc21edcc6abbd92f1eaef9faf020c74aaf1e2a09f1a6ae536d44989ee69a8e108ff28b4b2d9a84ee4f7c5cce2af30dfe88c7d8b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
5cff002bfc44f0ebcf583d013e87bae7

SHA1
49f886a46f995a07cec3352f100a0f3f5c7feb4e

SHA256
d5cf8e0058d2da44d8d125d50f89d8788a54dcdbc1a89af2f2c0d38e9650b82a

SHA512
fafef8c8b894cdb52ebd5556db84ba8a3081d560af0fc83acaed68b5287fa8854a14ad7fe8cbf5f4c63676eff4829359a9b1aa0236611062f82ea843ce1d2e04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
bd2ff0aca33e81d2182fe98f4f25c0cf

SHA1
c5386a6a0dbb8638c024eecbab3d91851f68b392

SHA256
451192449ef2aa553a28dd04c1e548f8d295a5809db5961bf541c882d7a67be1

SHA512
5c3e9ba9f1e3ca69393e58cd73f4f763a04b078a448fa0c538122e20d9637645ea64d312477b6f4aca10590bcef38eee043aad58def4cdad31ef59b1b9990ce8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
30a61a3afdc32584caceddae6175c5f6

SHA1
5938dba925816db865efd4ad0b257c5bcab1aaa6

SHA256
bef1589f520f29119fcfc44d73c61276a2d479a815348179a5f79d0ab6f92a0b

SHA512
75d87e7df2632c1f883758e5b70637ea43eed7454ac9a0903d80b40cbfee83a17559845aa67dbfd7704e799cf988ff8bbe0d36bcc5358bcbf78a4515c1909e9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
13KB

MD5
f1e4eb3bb6ef388669394cba84150682

SHA1
a17335e768297d55a5364b2aa770abacd91b90e9

SHA256
a323fc390ed9509ca36d6e891e1b14cf1055a1be89d61a121ae8bec79284a8c5

SHA512
e00a9e39578f6fe734dab510e0416f6ca0905159a6894055c67d1f280ab9ef72ee1fdbf553901af4dd3970e3d3579bb77b358e4152bd5fad0e49c350e111b326

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
f2a05829424ffa04e45937076b419633

SHA1
d5daea24d992f25dc812b94fa75d0fef01b96431

SHA256
85dba4ad5b01bdf470c8471682f9a4110709fb4781b1104a6b981a3f6f4b2975

SHA512
7fa836b1e80fffaed9ac81621ab9e810493b661b1e4eb5840c134034fec146f9562e140867fd553f7beec74189bba23c869c915caaa5d4687cf881d964742672

Download Submit
C:\Users\Admin\AppData\Local\TeamViewer\EdgeBrowserControl\Temporary\8b4a8879473e4d2fa56e453fb5eda9da\EBWebView\Crashpad\settings.dat

Filesize
280B

MD5
0a524a170f1a132f3b911003976b4772

SHA1
8ab847758b5c38fbf0f8ca1579cb63de57edada5

SHA256
a2302705892f064638a32c813737d0d368af588a7821cee61049047f952d7c9c

SHA512
1a88e5344b514a8f6264b8b84c61db1052ab0016b78cc99065bfb6d80f719c14042ffee83246674c8a983ddb2f96f8e03da5b65c77ab7a759cf6081f28e5be48

Download Submit
C:\Users\Admin\AppData\Local\TeamViewer\EdgeBrowserControl\Temporary\8b4a8879473e4d2fa56e453fb5eda9da\EBWebView\Crashpad\settings.dat

Filesize
280B

MD5
3529999f0b374b4fcbe39d2584a5075b

SHA1
4b77469cfe5a6785f9f7bcb82abb4ca2568b06d8

SHA256
90d70c1d3151a2dcd67783a9a74a82f6e86cb8191262a8eb76ff299d3603c111

SHA512
8ea3915d6d8e62e8cf8e307d26483dda363e67f227d8197411dee8d26f3c1bf097d590a924c20e1725f1685db8532c403c0c7058b3a49f3c93cbee8487b03054

Download Submit
C:\Users\Admin\AppData\Local\TeamViewer\EdgeBrowserControl\Temporary\8b4a8879473e4d2fa56e453fb5eda9da\EBWebView\Default\Cache\Cache_Data\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\TeamViewer\EdgeBrowserControl\Temporary\8b4a8879473e4d2fa56e453fb5eda9da\EBWebView\Default\Cache\Cache_Data\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\TeamViewer\EdgeBrowserControl\Temporary\8b4a8879473e4d2fa56e453fb5eda9da\EBWebView\Default\Cache\Cache_Data\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\TeamViewer\EdgeBrowserControl\Temporary\8b4a8879473e4d2fa56e453fb5eda9da\EBWebView\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
15dcb12aeaebf4ee5045aabfbda9af1d

SHA1
57b1fadd2be1e84d97b05dbab6369e363c30a085

SHA256
abf11cd7c3f9ed7625b7489ca8c67c7675d4e6899bfcfbf03786a4ffdd762ed4

SHA512
c0d8ef8af387754d7360584ce3903487fd88c831ea94ecc96fdf5aae8887cd15a81f32fe3c645884d04bd4d835eb4de952a8353e83546cc8132e1000e6452f13

Download Submit
C:\Users\Admin\AppData\Local\TeamViewer\EdgeBrowserControl\Temporary\8b4a8879473e4d2fa56e453fb5eda9da\EBWebView\Default\Code Cache\js\index-dir\the-real-index~RFe5b4e1c.TMP

Filesize
48B

MD5
e97df648a1903da8148eb6858a1acb2c

SHA1
f7a5d0094afe15b57c97ac6c0083a9aba37cc772

SHA256
531c481aea7f064a07b598abfa574cedc6edf3241ff3aa87a998ac1f716e6d40

SHA512
75e320aa49bad254b22d2f3827b0efd5610bd186ee2097aaa7649029e8460ff8eb066c1599c06caad57e38b053f0b8cb8a2de35213503999b25ba63553e43926

Download Submit
C:\Users\Admin\AppData\Local\TeamViewer\EdgeBrowserControl\Temporary\8b4a8879473e4d2fa56e453fb5eda9da\EBWebView\Default\Extension Rules\000001.dbtmp

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\TeamViewer\EdgeBrowserControl\Temporary\8b4a8879473e4d2fa56e453fb5eda9da\EBWebView\Default\Network\Network Persistent State~RFe5b688a.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\TeamViewer\EdgeBrowserControl\Temporary\8b4a8879473e4d2fa56e453fb5eda9da\EBWebView\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\TeamViewer\EdgeBrowserControl\Temporary\8b4a8879473e4d2fa56e453fb5eda9da\EBWebView\Default\Preferences

Filesize
7KB

MD5
922c3847b282550d27e864964b332467

SHA1
119823fe2a2a820c094068e12fec37ecc480806c

SHA256
b9816699d73f555fffc3c1d2f11fe23b8d8b57f7335c1a9c530afbcb18cb2fe2

SHA512
ed73ab03e9d779cc225f3ac4d4a79f0e46338e3058baff294c4ff9e00c109994837860922976ab3fb119156ebaf1f08966f3082c993c9db64cb2c4a19bad28a4

Download Submit
C:\Users\Admin\AppData\Local\TeamViewer\EdgeBrowserControl\Temporary\8b4a8879473e4d2fa56e453fb5eda9da\EBWebView\Default\Preferences~RFe5b684c.TMP

Filesize
5KB

MD5
bc8ea06c3318c248f42bb87dfe7c3082

SHA1
d85454534a0b991d0350918a2dc5d7d8972d351c

SHA256
c568611966cfb33364e085ab21285eaffa22e048e1ceeffbde7578d0b2a03853

SHA512
0005d10dc284f50f7ed1fde0f939f04b18202ad4f72896427b588a9db13c9f4a3076efec2b3dbaed087150c70589aff03ddc6b8011e16e0890b7d1875b9f4090

Download Submit
C:\Users\Admin\AppData\Local\TeamViewer\EdgeBrowserControl\Temporary\8b4a8879473e4d2fa56e453fb5eda9da\EBWebView\Default\shared_proto_db\metadata\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\TeamViewer\EdgeBrowserControl\Temporary\8b4a8879473e4d2fa56e453fb5eda9da\EBWebView\Local State

Filesize
1KB

MD5
8738ac1ae4e1faa1e3a6369348c06942

SHA1
dca6b458354ac11ebc0a74506d2aebb3dd67a0ec

SHA256
f2c964b7be5bd39c3359241f5f229c02430aa4aea6b0f088f4363626320e5824

SHA512
3cf4bb536d869718ebd844b09a86741024d54c148eec3c08f52dcc726fc9e694d784aafd41fdbb599da913dee06c7915e140ff596a6b672805e5ce4f46ab0f3b

Download Submit
C:\Users\Admin\AppData\Local\TeamViewer\EdgeBrowserControl\Temporary\8b4a8879473e4d2fa56e453fb5eda9da\EBWebView\Local State

Filesize
14KB

MD5
d6cf87d73448670223ca716fc9fdc85a

SHA1
415e51f6ae2f406406f4ecdffd8dcc9331b175e0

SHA256
2dafcb8f1c7e4e31b7b6d8abf6710ee16b8aff43d065a1e64394d131713ea09f

SHA512
21997e41a56e2272641a8f01960fc27cd7577e6fd0b8e52e21da648167a7526f38e25c810523978ba18fcd22c0e5b478e4ad60b79be8f831e1982c48c6cae39b

Download Submit
C:\Users\Admin\AppData\Local\TeamViewer\EdgeBrowserControl\Temporary\8b4a8879473e4d2fa56e453fb5eda9da\EBWebView\Local State~RFe5af2fc.TMP

Filesize
930B

MD5
627bb67459a87c9dde928469a8f4da89

SHA1
b887e08a696f1832dcb04dcc0668a865d97ed21d

SHA256
91bdf73dc2f9e585a290690f4e3f0e9b0134e29d14ac441fd9ce033c44608ee7

SHA512
94cf838d95896f329966d006c38c522be78de139738c1bc2b9c6182ec74ca1832197e20eef1d43f06402221a65a28fe3bddeaf377ce79fbd04cd80bcf1a264a6

Download Submit
C:\Users\Admin\AppData\Local\TeamViewer\EdgeBrowserControl\Temporary\8b4a8879473e4d2fa56e453fb5eda9da\EBWebView\f3e5d7bd-ce9f-4927-8a3a-d5f74226bada.tmp

Filesize
14KB

MD5
c11abfccac7919c7117c5b7edc3d9aac

SHA1
9f9fd2a7c3d960699bdb83515721a8ea8bd17a40

SHA256
656ba5395bcdffb62814601b427349598aad23ed433bc5d9eea822d7d44b4753

SHA512
fb9d2643d3b5e189063a8605247c0a95228488a752637e27d3570311aa2d13be45c71fa87192143b601e9aaaf688c319a98cfa6985fa13407947af5a2fb0bae6

Download Submit
C:\Users\Admin\AppData\Local\TeamViewer\Logs\TeamViewer15_Logfile.log

Filesize
4KB

MD5
5bd4e24c43e1e74ca8d942aafcfefcec

SHA1
2fcfa93c2afef95797714d18213f8f518fb2154b

SHA256
c5d2103d5a1a98dc00741174629d7369565b405632a12c275c44eb33f8e90c70

SHA512
e50807fccfc3a854a3d9376be3ae1416d14fd2bb3d2ec76e6bccfd3aca3f7bbb4339f3174a604ed150c2a279cf0cb0bae41bdc41b6684623c70b476813882a1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeamViewer\TV15Install.log

Filesize
4KB

MD5
ad554d717a953e4e228a2f93343223b0

SHA1
ab5ea1459509e0fefdf48922ba8ca284b26bbdfa

SHA256
95b9259edec25a019ae16790b45327a81bbb2a85ff5661b0895647901c62cae5

SHA512
c63e5361f1f23681e7a6aead4dfd84e7dc88d39f9e461bbe0c819b8b594fa544040e5ba35f9b6512e86c799d2c8a8c2e7c9d6f72eee95719e6cb4331c5d8b596

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeamViewer\TV15Install.log

Filesize
1KB

MD5
82c75863f632197c077f55475dde0a56

SHA1
c75a7df2869cc514c281ba9dd60dedca768a3a70

SHA256
264e13126c34b1274dab9d3cfd70d5394fdd91a6262c2723ddf27e096805e88c

SHA512
a48c90f2fddd04dd4fbcde93dae58d4cd3fec793562136002906bead191d9ec46ff918e64ac960ecc91219a806b7728471f5590037211c2666bc860efeb8883d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeamViewer\TV15Install.log

Filesize
2KB

MD5
08c3007b9303bf9c1261aa0cc35d97a7

SHA1
9e7c748a8760ec4aaf9bc682ed7ad6ffdb9644e7

SHA256
7bfdac4ed644e084882cb7f6bfea75e2d6546207fbefd59d00aff30fa3162b97

SHA512
543230e04009d0c6b1b5d43639039c062865645b6616101bf2f32a39e3bb8b06bd62feeaf788f281fe1c851ff323b726a5c943b706787974960a6456b39dd5e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer_.exe

Filesize
54.4MB

MD5
b98c6dfcbb6756bfd04a8eae3c4c4994

SHA1
a73380f8a71f20a67d761b2b7abfb9ad6349b180

SHA256
accf334e4f1ce9588d65fe0d8a1ea2965fdb917f8009c9235277987c0ce94c20

SHA512
c4f983d1f231cdb6612a9d189e193959e12cb29aca9dda5f5a5978fd96e3a2cc8fb5513b122ee84dbf8fb2e44643c1f7fb10d6a8727d6287ecab1eeba01a14f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer_.exe

Filesize
54.4MB

MD5
b98c6dfcbb6756bfd04a8eae3c4c4994

SHA1
a73380f8a71f20a67d761b2b7abfb9ad6349b180

SHA256
accf334e4f1ce9588d65fe0d8a1ea2965fdb917f8009c9235277987c0ce94c20

SHA512
c4f983d1f231cdb6612a9d189e193959e12cb29aca9dda5f5a5978fd96e3a2cc8fb5513b122ee84dbf8fb2e44643c1f7fb10d6a8727d6287ecab1eeba01a14f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeamViewer\install.ini

Filesize
78B

MD5
a3c26dd25fc88922e9297e2a9d04ac53

SHA1
807b0ca16c4080b6ce7ae8b09e7dcce7e52d5c19

SHA256
1c5231379c3025a42d51f956f649c445ebc550f9ad9b9f5cc4ae5e627ef456b3

SHA512
1d36ee7b43d82b72000520c0b0c37585576363fcd506aeab362c544000b0bf9702a357e118b2ae3499d8f8c9a7529f56169cc14e5281a5246ae9efd342c4fa59

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeamViewer\tvinfo.ini

Filesize
265B

MD5
9ebe965ec4bf854a24539b44fdce20a6

SHA1
0bda51d38d4a0872b5088e67016576b4f0f6260e

SHA256
851f7bd42023a31437b8e009582a00895ee83561c3ccd7760190622404c7fcc3

SHA512
ec1b24c91df505de33abd8610ee9d7ae1e61a2f20a746dfa1224f345543d449b46d2708f351e12596431a9874e934d75f0349be5e8d4f35931cb3034a9c14af5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk10A1.tmp\CustomerTools.dll

Filesize
1003KB

MD5
3e051bed735927ebd7b91605967f6ee9

SHA1
8e306560a0b8ff0e54023d047e0a86e640704406

SHA256
1ec876c7d9b08b171d6d7242b90c43727d08d7ade52978551d656f0132ad0669

SHA512
66aa35e2fe78207fd5e52e4c0b2a5f08d2d84fe847bd884b89209ce9f33a631c384d82e0ce9b226ff7464e2fb7f6789838ae6aa15a1c6af88c33f4a1b74fee96

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk10A1.tmp\CustomerTools.dll

Filesize
1003KB

MD5
3e051bed735927ebd7b91605967f6ee9

SHA1
8e306560a0b8ff0e54023d047e0a86e640704406

SHA256
1ec876c7d9b08b171d6d7242b90c43727d08d7ade52978551d656f0132ad0669

SHA512
66aa35e2fe78207fd5e52e4c0b2a5f08d2d84fe847bd884b89209ce9f33a631c384d82e0ce9b226ff7464e2fb7f6789838ae6aa15a1c6af88c33f4a1b74fee96

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk10A1.tmp\CustomerTools.dll

Filesize
1003KB

MD5
3e051bed735927ebd7b91605967f6ee9

SHA1
8e306560a0b8ff0e54023d047e0a86e640704406

SHA256
1ec876c7d9b08b171d6d7242b90c43727d08d7ade52978551d656f0132ad0669

SHA512
66aa35e2fe78207fd5e52e4c0b2a5f08d2d84fe847bd884b89209ce9f33a631c384d82e0ce9b226ff7464e2fb7f6789838ae6aa15a1c6af88c33f4a1b74fee96

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk10A1.tmp\System.dll

Filesize
22KB

MD5
e0d81e16e8ffd2ead568b6b5c33ee454

SHA1
65dc21f4dc316cd763bc95cef2d50ae511ab641f

SHA256
3de187772bcab22af801384e2828d1bb3f0400c5d16ae5857098def02d4e9ed5

SHA512
1900c967d3477da0f0f4dae98ec8cba1a67a5ae3c58eaecda215dbc300d924335a8561957f7781036e48314eec39c6290da93f92d76119557082376ad33bd62c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk10A1.tmp\System.dll

Filesize
22KB

MD5
e0d81e16e8ffd2ead568b6b5c33ee454

SHA1
65dc21f4dc316cd763bc95cef2d50ae511ab641f

SHA256
3de187772bcab22af801384e2828d1bb3f0400c5d16ae5857098def02d4e9ed5

SHA512
1900c967d3477da0f0f4dae98ec8cba1a67a5ae3c58eaecda215dbc300d924335a8561957f7781036e48314eec39c6290da93f92d76119557082376ad33bd62c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk10A1.tmp\TvGetVersion.dll

Filesize
207KB

MD5
148766d1c26ed1c2afee7e86522bbbc2

SHA1
76481fe88f914e759c5facd6a90af4161234f32f

SHA256
fd75cdad91f86b09cfcfac46364f268145c26ed9ef17a97b26f71cfc87869b00

SHA512
b0614bca61df1b0545a949adb694b0b644b1e091584b18a5d12570bf0bb37ec7dae6e467cd20363268e31083bb03333463866be6485d21db5b460f913d40bd27

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk10A1.tmp\TvGetVersion.dll

Filesize
207KB

MD5
148766d1c26ed1c2afee7e86522bbbc2

SHA1
76481fe88f914e759c5facd6a90af4161234f32f

SHA256
fd75cdad91f86b09cfcfac46364f268145c26ed9ef17a97b26f71cfc87869b00

SHA512
b0614bca61df1b0545a949adb694b0b644b1e091584b18a5d12570bf0bb37ec7dae6e467cd20363268e31083bb03333463866be6485d21db5b460f913d40bd27

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk10A1.tmp\nsJSON.dll

Filesize
29KB

MD5
fd0e6d0bb00bc8efb11fad6361bbb313

SHA1
43eb2ebc1f9410563a8e1bfcfa92c76ea6a57f87

SHA256
264a40085fada3fbf970e1767726d3dea279eb8c9f5764ae708284329f743e19

SHA512
ab4988f7be65129ad1e891c48cb2933ab5be1fa9a9b39b49486a6819e3ffbf5039530beea59fad9f016f577ab4e097f261854658e21fc52bc2cc59d821d46a4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk10A1.tmp\nsJSON.dll

Filesize
29KB

MD5
fd0e6d0bb00bc8efb11fad6361bbb313

SHA1
43eb2ebc1f9410563a8e1bfcfa92c76ea6a57f87

SHA256
264a40085fada3fbf970e1767726d3dea279eb8c9f5764ae708284329f743e19

SHA512
ab4988f7be65129ad1e891c48cb2933ab5be1fa9a9b39b49486a6819e3ffbf5039530beea59fad9f016f577ab4e097f261854658e21fc52bc2cc59d821d46a4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv43E7.tmp\InstallOptions.dll

Filesize
27KB

MD5
e87068563fc18e67a78230067cc240e5

SHA1
37cd2cb5581fc575b8c46383d877926bda85883b

SHA256
822f75b69dd87332b5995528771923ec74dc5329c65094bf4e372eb8ef42bb8e

SHA512
dab6b330d73abadb63f6eb02a5bc87ce9b9d1bc64fcb9289581cfc2e04be0254893945b3bdb762b382bb491388e34bc018f098a489908dfbc9feca2a9ba13d5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv43E7.tmp\InstallOptions.dll

Filesize
27KB

MD5
e87068563fc18e67a78230067cc240e5

SHA1
37cd2cb5581fc575b8c46383d877926bda85883b

SHA256
822f75b69dd87332b5995528771923ec74dc5329c65094bf4e372eb8ef42bb8e

SHA512
dab6b330d73abadb63f6eb02a5bc87ce9b9d1bc64fcb9289581cfc2e04be0254893945b3bdb762b382bb491388e34bc018f098a489908dfbc9feca2a9ba13d5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv43E7.tmp\InstallOptions.dll

Filesize
27KB

MD5
e87068563fc18e67a78230067cc240e5

SHA1
37cd2cb5581fc575b8c46383d877926bda85883b

SHA256
822f75b69dd87332b5995528771923ec74dc5329c65094bf4e372eb8ef42bb8e

SHA512
dab6b330d73abadb63f6eb02a5bc87ce9b9d1bc64fcb9289581cfc2e04be0254893945b3bdb762b382bb491388e34bc018f098a489908dfbc9feca2a9ba13d5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv43E7.tmp\InstallOptions.dll

Filesize
27KB

MD5
e87068563fc18e67a78230067cc240e5

SHA1
37cd2cb5581fc575b8c46383d877926bda85883b

SHA256
822f75b69dd87332b5995528771923ec74dc5329c65094bf4e372eb8ef42bb8e

SHA512
dab6b330d73abadb63f6eb02a5bc87ce9b9d1bc64fcb9289581cfc2e04be0254893945b3bdb762b382bb491388e34bc018f098a489908dfbc9feca2a9ba13d5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv43E7.tmp\InstallOptions.dll

Filesize
27KB

MD5
e87068563fc18e67a78230067cc240e5

SHA1
37cd2cb5581fc575b8c46383d877926bda85883b

SHA256
822f75b69dd87332b5995528771923ec74dc5329c65094bf4e372eb8ef42bb8e

SHA512
dab6b330d73abadb63f6eb02a5bc87ce9b9d1bc64fcb9289581cfc2e04be0254893945b3bdb762b382bb491388e34bc018f098a489908dfbc9feca2a9ba13d5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv43E7.tmp\InstallOptions.dll

Filesize
27KB

MD5
e87068563fc18e67a78230067cc240e5

SHA1
37cd2cb5581fc575b8c46383d877926bda85883b

SHA256
822f75b69dd87332b5995528771923ec74dc5329c65094bf4e372eb8ef42bb8e

SHA512
dab6b330d73abadb63f6eb02a5bc87ce9b9d1bc64fcb9289581cfc2e04be0254893945b3bdb762b382bb491388e34bc018f098a489908dfbc9feca2a9ba13d5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv43E7.tmp\InstallOptions.dll

Filesize
27KB

MD5
e87068563fc18e67a78230067cc240e5

SHA1
37cd2cb5581fc575b8c46383d877926bda85883b

SHA256
822f75b69dd87332b5995528771923ec74dc5329c65094bf4e372eb8ef42bb8e

SHA512
dab6b330d73abadb63f6eb02a5bc87ce9b9d1bc64fcb9289581cfc2e04be0254893945b3bdb762b382bb491388e34bc018f098a489908dfbc9feca2a9ba13d5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv43E7.tmp\InstallOptions.dll

Filesize
27KB

MD5
e87068563fc18e67a78230067cc240e5

SHA1
37cd2cb5581fc575b8c46383d877926bda85883b

SHA256
822f75b69dd87332b5995528771923ec74dc5329c65094bf4e372eb8ef42bb8e

SHA512
dab6b330d73abadb63f6eb02a5bc87ce9b9d1bc64fcb9289581cfc2e04be0254893945b3bdb762b382bb491388e34bc018f098a489908dfbc9feca2a9ba13d5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv43E7.tmp\InstallOptions.dll

Filesize
27KB

MD5
e87068563fc18e67a78230067cc240e5

SHA1
37cd2cb5581fc575b8c46383d877926bda85883b

SHA256
822f75b69dd87332b5995528771923ec74dc5329c65094bf4e372eb8ef42bb8e

SHA512
dab6b330d73abadb63f6eb02a5bc87ce9b9d1bc64fcb9289581cfc2e04be0254893945b3bdb762b382bb491388e34bc018f098a489908dfbc9feca2a9ba13d5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv43E7.tmp\InstallOptions.dll

Filesize
27KB

MD5
e87068563fc18e67a78230067cc240e5

SHA1
37cd2cb5581fc575b8c46383d877926bda85883b

SHA256
822f75b69dd87332b5995528771923ec74dc5329c65094bf4e372eb8ef42bb8e

SHA512
dab6b330d73abadb63f6eb02a5bc87ce9b9d1bc64fcb9289581cfc2e04be0254893945b3bdb762b382bb491388e34bc018f098a489908dfbc9feca2a9ba13d5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv43E7.tmp\InstallOptions.dll

Filesize
27KB

MD5
e87068563fc18e67a78230067cc240e5

SHA1
37cd2cb5581fc575b8c46383d877926bda85883b

SHA256
822f75b69dd87332b5995528771923ec74dc5329c65094bf4e372eb8ef42bb8e

SHA512
dab6b330d73abadb63f6eb02a5bc87ce9b9d1bc64fcb9289581cfc2e04be0254893945b3bdb762b382bb491388e34bc018f098a489908dfbc9feca2a9ba13d5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv43E7.tmp\System.dll

Filesize
23KB

MD5
938c37b523d7fc08166e7a5810dd0f8e

SHA1
47b9663e5873669211655e0010e322f71b5a94be

SHA256
a91aa7c0ead677fc01b1c864e43e0cace110afb072b76ad47f4b3d1563f4dc20

SHA512
77afe83fb4e80a775dae0a54a2f0ff9710c135f9f1cf77396bc08a7fe46b016a8c079b4fa612e764eea5d258703f860688e38b443e33b1f980e04831739517c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv43E7.tmp\System.dll

Filesize
23KB

MD5
938c37b523d7fc08166e7a5810dd0f8e

SHA1
47b9663e5873669211655e0010e322f71b5a94be

SHA256
a91aa7c0ead677fc01b1c864e43e0cace110afb072b76ad47f4b3d1563f4dc20

SHA512
77afe83fb4e80a775dae0a54a2f0ff9710c135f9f1cf77396bc08a7fe46b016a8c079b4fa612e764eea5d258703f860688e38b443e33b1f980e04831739517c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv43E7.tmp\TvGetVersion.dll

Filesize
226KB

MD5
72a2916b62850bbe1445eda79104f2bc

SHA1
c73cff2dc8afdb7764614943e2d3e49540ce6bc3

SHA256
aa301c3880417fdfab0b08f7745d403a5260f3ddcc331d7eb6281d45b9b36588

SHA512
f3d79ba4a94a137507731e670f78e4bbc6891ab77160366e5e45b8a0f220e7a825957a08925577d109ab952536122deca89b5fffdd89f967db8f1df41e9f2e2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv43E7.tmp\TvGetVersion.dll

Filesize
226KB

MD5
72a2916b62850bbe1445eda79104f2bc

SHA1
c73cff2dc8afdb7764614943e2d3e49540ce6bc3

SHA256
aa301c3880417fdfab0b08f7745d403a5260f3ddcc331d7eb6281d45b9b36588

SHA512
f3d79ba4a94a137507731e670f78e4bbc6891ab77160366e5e45b8a0f220e7a825957a08925577d109ab952536122deca89b5fffdd89f967db8f1df41e9f2e2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv43E7.tmp\TvGetVersion.dll

Filesize
226KB

MD5
72a2916b62850bbe1445eda79104f2bc

SHA1
c73cff2dc8afdb7764614943e2d3e49540ce6bc3

SHA256
aa301c3880417fdfab0b08f7745d403a5260f3ddcc331d7eb6281d45b9b36588

SHA512
f3d79ba4a94a137507731e670f78e4bbc6891ab77160366e5e45b8a0f220e7a825957a08925577d109ab952536122deca89b5fffdd89f967db8f1df41e9f2e2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv43E7.tmp\TvGetVersion.dll

Filesize
226KB

MD5
72a2916b62850bbe1445eda79104f2bc

SHA1
c73cff2dc8afdb7764614943e2d3e49540ce6bc3

SHA256
aa301c3880417fdfab0b08f7745d403a5260f3ddcc331d7eb6281d45b9b36588

SHA512
f3d79ba4a94a137507731e670f78e4bbc6891ab77160366e5e45b8a0f220e7a825957a08925577d109ab952536122deca89b5fffdd89f967db8f1df41e9f2e2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv43E7.tmp\TvGetVersion.dll

Filesize
226KB

MD5
72a2916b62850bbe1445eda79104f2bc

SHA1
c73cff2dc8afdb7764614943e2d3e49540ce6bc3

SHA256
aa301c3880417fdfab0b08f7745d403a5260f3ddcc331d7eb6281d45b9b36588

SHA512
f3d79ba4a94a137507731e670f78e4bbc6891ab77160366e5e45b8a0f220e7a825957a08925577d109ab952536122deca89b5fffdd89f967db8f1df41e9f2e2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv43E7.tmp\TvGetVersion.dll

Filesize
226KB

MD5
72a2916b62850bbe1445eda79104f2bc

SHA1
c73cff2dc8afdb7764614943e2d3e49540ce6bc3

SHA256
aa301c3880417fdfab0b08f7745d403a5260f3ddcc331d7eb6281d45b9b36588

SHA512
f3d79ba4a94a137507731e670f78e4bbc6891ab77160366e5e45b8a0f220e7a825957a08925577d109ab952536122deca89b5fffdd89f967db8f1df41e9f2e2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv43E7.tmp\TvGetVersion.dll

Filesize
226KB

MD5
72a2916b62850bbe1445eda79104f2bc

SHA1
c73cff2dc8afdb7764614943e2d3e49540ce6bc3

SHA256
aa301c3880417fdfab0b08f7745d403a5260f3ddcc331d7eb6281d45b9b36588

SHA512
f3d79ba4a94a137507731e670f78e4bbc6891ab77160366e5e45b8a0f220e7a825957a08925577d109ab952536122deca89b5fffdd89f967db8f1df41e9f2e2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv43E7.tmp\TvGetVersion.dll

Filesize
226KB

MD5
72a2916b62850bbe1445eda79104f2bc

SHA1
c73cff2dc8afdb7764614943e2d3e49540ce6bc3

SHA256
aa301c3880417fdfab0b08f7745d403a5260f3ddcc331d7eb6281d45b9b36588

SHA512
f3d79ba4a94a137507731e670f78e4bbc6891ab77160366e5e45b8a0f220e7a825957a08925577d109ab952536122deca89b5fffdd89f967db8f1df41e9f2e2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv43E7.tmp\TvGetVersion.dll

Filesize
226KB

MD5
72a2916b62850bbe1445eda79104f2bc

SHA1
c73cff2dc8afdb7764614943e2d3e49540ce6bc3

SHA256
aa301c3880417fdfab0b08f7745d403a5260f3ddcc331d7eb6281d45b9b36588

SHA512
f3d79ba4a94a137507731e670f78e4bbc6891ab77160366e5e45b8a0f220e7a825957a08925577d109ab952536122deca89b5fffdd89f967db8f1df41e9f2e2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv43E7.tmp\TvGetVersion.dll

Filesize
226KB

MD5
72a2916b62850bbe1445eda79104f2bc

SHA1
c73cff2dc8afdb7764614943e2d3e49540ce6bc3

SHA256
aa301c3880417fdfab0b08f7745d403a5260f3ddcc331d7eb6281d45b9b36588

SHA512
f3d79ba4a94a137507731e670f78e4bbc6891ab77160366e5e45b8a0f220e7a825957a08925577d109ab952536122deca89b5fffdd89f967db8f1df41e9f2e2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv43E7.tmp\TvGetVersion.dll

Filesize
226KB

MD5
72a2916b62850bbe1445eda79104f2bc

SHA1
c73cff2dc8afdb7764614943e2d3e49540ce6bc3

SHA256
aa301c3880417fdfab0b08f7745d403a5260f3ddcc331d7eb6281d45b9b36588

SHA512
f3d79ba4a94a137507731e670f78e4bbc6891ab77160366e5e45b8a0f220e7a825957a08925577d109ab952536122deca89b5fffdd89f967db8f1df41e9f2e2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv43E7.tmp\TvGetVersion.dll

Filesize
226KB

MD5
72a2916b62850bbe1445eda79104f2bc

SHA1
c73cff2dc8afdb7764614943e2d3e49540ce6bc3

SHA256
aa301c3880417fdfab0b08f7745d403a5260f3ddcc331d7eb6281d45b9b36588

SHA512
f3d79ba4a94a137507731e670f78e4bbc6891ab77160366e5e45b8a0f220e7a825957a08925577d109ab952536122deca89b5fffdd89f967db8f1df41e9f2e2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv43E7.tmp\TvGetVersion.dll

Filesize
226KB

MD5
72a2916b62850bbe1445eda79104f2bc

SHA1
c73cff2dc8afdb7764614943e2d3e49540ce6bc3

SHA256
aa301c3880417fdfab0b08f7745d403a5260f3ddcc331d7eb6281d45b9b36588

SHA512
f3d79ba4a94a137507731e670f78e4bbc6891ab77160366e5e45b8a0f220e7a825957a08925577d109ab952536122deca89b5fffdd89f967db8f1df41e9f2e2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv43E7.tmp\TvGetVersion.dll

Filesize
226KB

MD5
72a2916b62850bbe1445eda79104f2bc

SHA1
c73cff2dc8afdb7764614943e2d3e49540ce6bc3

SHA256
aa301c3880417fdfab0b08f7745d403a5260f3ddcc331d7eb6281d45b9b36588

SHA512
f3d79ba4a94a137507731e670f78e4bbc6891ab77160366e5e45b8a0f220e7a825957a08925577d109ab952536122deca89b5fffdd89f967db8f1df41e9f2e2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv43E7.tmp\TvGetVersion.dll

Filesize
226KB

MD5
72a2916b62850bbe1445eda79104f2bc

SHA1
c73cff2dc8afdb7764614943e2d3e49540ce6bc3

SHA256
aa301c3880417fdfab0b08f7745d403a5260f3ddcc331d7eb6281d45b9b36588

SHA512
f3d79ba4a94a137507731e670f78e4bbc6891ab77160366e5e45b8a0f220e7a825957a08925577d109ab952536122deca89b5fffdd89f967db8f1df41e9f2e2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv43E7.tmp\UAC.dll

Filesize
29KB

MD5
488819f838abfcad73a2220c151292ee

SHA1
4a0cbd69300694f6dc393436e56a49e27546d0fe

SHA256
b5bb8d301173c4dd2969b1203d2c7d9400ba3f7f2e34ee102905bd2724162430

SHA512
b00d6cf712fe4cefce41479f6e6f4aa5ea006694d10f2837204de5bde1c5a4bef1368f2b0eb4b66d57a66e8ce6dc335fa91e9c8017e8e125c27eb1f5df4de9a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv43E7.tmp\UAC.dll

Filesize
29KB

MD5
488819f838abfcad73a2220c151292ee

SHA1
4a0cbd69300694f6dc393436e56a49e27546d0fe

SHA256
b5bb8d301173c4dd2969b1203d2c7d9400ba3f7f2e34ee102905bd2724162430

SHA512
b00d6cf712fe4cefce41479f6e6f4aa5ea006694d10f2837204de5bde1c5a4bef1368f2b0eb4b66d57a66e8ce6dc335fa91e9c8017e8e125c27eb1f5df4de9a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv43E7.tmp\UAC.dll

Filesize
29KB

MD5
488819f838abfcad73a2220c151292ee

SHA1
4a0cbd69300694f6dc393436e56a49e27546d0fe

SHA256
b5bb8d301173c4dd2969b1203d2c7d9400ba3f7f2e34ee102905bd2724162430

SHA512
b00d6cf712fe4cefce41479f6e6f4aa5ea006694d10f2837204de5bde1c5a4bef1368f2b0eb4b66d57a66e8ce6dc335fa91e9c8017e8e125c27eb1f5df4de9a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv43E7.tmp\UAC.dll

Filesize
29KB

MD5
488819f838abfcad73a2220c151292ee

SHA1
4a0cbd69300694f6dc393436e56a49e27546d0fe

SHA256
b5bb8d301173c4dd2969b1203d2c7d9400ba3f7f2e34ee102905bd2724162430

SHA512
b00d6cf712fe4cefce41479f6e6f4aa5ea006694d10f2837204de5bde1c5a4bef1368f2b0eb4b66d57a66e8ce6dc335fa91e9c8017e8e125c27eb1f5df4de9a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv43E7.tmp\UAC.dll

Filesize
29KB

MD5
488819f838abfcad73a2220c151292ee

SHA1
4a0cbd69300694f6dc393436e56a49e27546d0fe

SHA256
b5bb8d301173c4dd2969b1203d2c7d9400ba3f7f2e34ee102905bd2724162430

SHA512
b00d6cf712fe4cefce41479f6e6f4aa5ea006694d10f2837204de5bde1c5a4bef1368f2b0eb4b66d57a66e8ce6dc335fa91e9c8017e8e125c27eb1f5df4de9a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv43E7.tmp\UAC.dll

Filesize
29KB

MD5
488819f838abfcad73a2220c151292ee

SHA1
4a0cbd69300694f6dc393436e56a49e27546d0fe

SHA256
b5bb8d301173c4dd2969b1203d2c7d9400ba3f7f2e34ee102905bd2724162430

SHA512
b00d6cf712fe4cefce41479f6e6f4aa5ea006694d10f2837204de5bde1c5a4bef1368f2b0eb4b66d57a66e8ce6dc335fa91e9c8017e8e125c27eb1f5df4de9a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv43E7.tmp\UAC.dll

Filesize
29KB

MD5
488819f838abfcad73a2220c151292ee

SHA1
4a0cbd69300694f6dc393436e56a49e27546d0fe

SHA256
b5bb8d301173c4dd2969b1203d2c7d9400ba3f7f2e34ee102905bd2724162430

SHA512
b00d6cf712fe4cefce41479f6e6f4aa5ea006694d10f2837204de5bde1c5a4bef1368f2b0eb4b66d57a66e8ce6dc335fa91e9c8017e8e125c27eb1f5df4de9a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv43E7.tmp\UserInfo.dll

Filesize
15KB

MD5
77ff6a927940a0e4b8dc07bdde6ab5db

SHA1
8d0035242289504d050d237f7e3e548c1ddff077

SHA256
e1cb80a23786b02cb2c6a2f9e391b63cbf3ad911e42bbdc14cc6879c84b7404e

SHA512
6a3050dc8e3f4eaaa85a43cdf1ac4f69745c07efe48268103ee7d8927ec574b6866740f95e6b3aff154ba74cd05024223a3ea4957cb773dd065cfd797f8a07e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv43E7.tmp\UserInfo.dll

Filesize
15KB

MD5
77ff6a927940a0e4b8dc07bdde6ab5db

SHA1
8d0035242289504d050d237f7e3e548c1ddff077

SHA256
e1cb80a23786b02cb2c6a2f9e391b63cbf3ad911e42bbdc14cc6879c84b7404e

SHA512
6a3050dc8e3f4eaaa85a43cdf1ac4f69745c07efe48268103ee7d8927ec574b6866740f95e6b3aff154ba74cd05024223a3ea4957cb773dd065cfd797f8a07e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv43E7.tmp\UserInfo.dll

Filesize
15KB

MD5
77ff6a927940a0e4b8dc07bdde6ab5db

SHA1
8d0035242289504d050d237f7e3e548c1ddff077

SHA256
e1cb80a23786b02cb2c6a2f9e391b63cbf3ad911e42bbdc14cc6879c84b7404e

SHA512
6a3050dc8e3f4eaaa85a43cdf1ac4f69745c07efe48268103ee7d8927ec574b6866740f95e6b3aff154ba74cd05024223a3ea4957cb773dd065cfd797f8a07e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv43E7.tmp\UserInfo.dll

Filesize
15KB

MD5
77ff6a927940a0e4b8dc07bdde6ab5db

SHA1
8d0035242289504d050d237f7e3e548c1ddff077

SHA256
e1cb80a23786b02cb2c6a2f9e391b63cbf3ad911e42bbdc14cc6879c84b7404e

SHA512
6a3050dc8e3f4eaaa85a43cdf1ac4f69745c07efe48268103ee7d8927ec574b6866740f95e6b3aff154ba74cd05024223a3ea4957cb773dd065cfd797f8a07e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv43E7.tmp\UserInfo.dll

Filesize
15KB

MD5
77ff6a927940a0e4b8dc07bdde6ab5db

SHA1
8d0035242289504d050d237f7e3e548c1ddff077

SHA256
e1cb80a23786b02cb2c6a2f9e391b63cbf3ad911e42bbdc14cc6879c84b7404e

SHA512
6a3050dc8e3f4eaaa85a43cdf1ac4f69745c07efe48268103ee7d8927ec574b6866740f95e6b3aff154ba74cd05024223a3ea4957cb773dd065cfd797f8a07e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv43E7.tmp\UserInfo.dll

Filesize
15KB

MD5
77ff6a927940a0e4b8dc07bdde6ab5db

SHA1
8d0035242289504d050d237f7e3e548c1ddff077

SHA256
e1cb80a23786b02cb2c6a2f9e391b63cbf3ad911e42bbdc14cc6879c84b7404e

SHA512
6a3050dc8e3f4eaaa85a43cdf1ac4f69745c07efe48268103ee7d8927ec574b6866740f95e6b3aff154ba74cd05024223a3ea4957cb773dd065cfd797f8a07e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv43E7.tmp\UserInfo.dll

Filesize
15KB

MD5
77ff6a927940a0e4b8dc07bdde6ab5db

SHA1
8d0035242289504d050d237f7e3e548c1ddff077

SHA256
e1cb80a23786b02cb2c6a2f9e391b63cbf3ad911e42bbdc14cc6879c84b7404e

SHA512
6a3050dc8e3f4eaaa85a43cdf1ac4f69745c07efe48268103ee7d8927ec574b6866740f95e6b3aff154ba74cd05024223a3ea4957cb773dd065cfd797f8a07e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv43E7.tmp\advanced_unicode.ini

Filesize
1KB

MD5
f68824a4130ebaf6bc7ab0f62256d7d7

SHA1
40af19a0d92b3c9e1a8b1eaab7d12c69e5df436a

SHA256
cd8149a2e89373075ee6db800b7f2496bacbfe21b23e4a06a3453632503b3965

SHA512
6a173aaa183be0e5a516cad484802dae1fc53a414f870f93ea846a9ef9f9df35153766ef632eb5e8ced8f94c2ed09a9decdf3465d46b0dcc44a6918d88e242cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv43E7.tmp\linker.dll

Filesize
56KB

MD5
b05a97bb3f532b7cf57b8eedf198d7af

SHA1
83c13a90f4a3c1c62e132f5f3bc70c97c2ecfc80

SHA256
7817f79bcdf54ef8617f15b5c0b9b92053549d5a51fa280722ee7179311b69a1

SHA512
40706c5fc72198148962d24046722fc5e488c0cc4b3374a9f4b652175919e97a8712e882940db8c26479619a26ec4e2d41744627a9ca52ec7cb1ce4f91d7ee8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv43E7.tmp\linker.dll

Filesize
56KB

MD5
b05a97bb3f532b7cf57b8eedf198d7af

SHA1
83c13a90f4a3c1c62e132f5f3bc70c97c2ecfc80

SHA256
7817f79bcdf54ef8617f15b5c0b9b92053549d5a51fa280722ee7179311b69a1

SHA512
40706c5fc72198148962d24046722fc5e488c0cc4b3374a9f4b652175919e97a8712e882940db8c26479619a26ec4e2d41744627a9ca52ec7cb1ce4f91d7ee8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv43E7.tmp\linker.dll

Filesize
56KB

MD5
b05a97bb3f532b7cf57b8eedf198d7af

SHA1
83c13a90f4a3c1c62e132f5f3bc70c97c2ecfc80

SHA256
7817f79bcdf54ef8617f15b5c0b9b92053549d5a51fa280722ee7179311b69a1

SHA512
40706c5fc72198148962d24046722fc5e488c0cc4b3374a9f4b652175919e97a8712e882940db8c26479619a26ec4e2d41744627a9ca52ec7cb1ce4f91d7ee8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv43E7.tmp\nsArray.dll

Filesize
18KB

MD5
9761d708ea7c49662a21f6690d439e06

SHA1
b2e757e7eee5c788f16d666fb6cf9d41caccb04b

SHA256
8b8be21fa7bca491c93683c9f84bb49370ca7e1e864bd0658ff9e1d2809b67e4

SHA512
25990a993373009ccbd9e89cae3fc601928121775d0d5fe326c55a305ce8de51f35a2cb160e9dfbf3be82a53ddf7b9864116e7f5d3325afd7403cd3b7740c652

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv43E7.tmp\nsArray.dll

Filesize
18KB

MD5
9761d708ea7c49662a21f6690d439e06

SHA1
b2e757e7eee5c788f16d666fb6cf9d41caccb04b

SHA256
8b8be21fa7bca491c93683c9f84bb49370ca7e1e864bd0658ff9e1d2809b67e4

SHA512
25990a993373009ccbd9e89cae3fc601928121775d0d5fe326c55a305ce8de51f35a2cb160e9dfbf3be82a53ddf7b9864116e7f5d3325afd7403cd3b7740c652

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv43E7.tmp\nsExec.dll

Filesize
18KB

MD5
9ea6ec7934495cc757639b5095362ca7

SHA1
ef2c14142b70689483576cc09083db4a2a363e02

SHA256
4d8c8353641bbb26bf9ea2ab2dbf126be6ef164b1ce80e3ef5030b873be166cd

SHA512
414b08f75bd7febb56784d8534cee028f6420776f07ce5797f66a78748c34b52f443aa35f72c8d7c81dd5366b34998b56d99a9d0d2b4b2b6bfc9775e4ff66531

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv43E7.tmp\nsExec.dll

Filesize
18KB

MD5
9ea6ec7934495cc757639b5095362ca7

SHA1
ef2c14142b70689483576cc09083db4a2a363e02

SHA256
4d8c8353641bbb26bf9ea2ab2dbf126be6ef164b1ce80e3ef5030b873be166cd

SHA512
414b08f75bd7febb56784d8534cee028f6420776f07ce5797f66a78748c34b52f443aa35f72c8d7c81dd5366b34998b56d99a9d0d2b4b2b6bfc9775e4ff66531

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv43E7.tmp\nsExec.dll

Filesize
18KB

MD5
9ea6ec7934495cc757639b5095362ca7

SHA1
ef2c14142b70689483576cc09083db4a2a363e02

SHA256
4d8c8353641bbb26bf9ea2ab2dbf126be6ef164b1ce80e3ef5030b873be166cd

SHA512
414b08f75bd7febb56784d8534cee028f6420776f07ce5797f66a78748c34b52f443aa35f72c8d7c81dd5366b34998b56d99a9d0d2b4b2b6bfc9775e4ff66531

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv43E7.tmp\nsis7z.dll

Filesize
187KB

MD5
7fe20cee9277556f4ef137e61d29d9f5

SHA1
d53c37dbf548914ed20c8ebb21186a95beef1ee3

SHA256
5d71aaeefbc81732017e9040c8087e6686a16dd54e6d9bcd5ba7a47af68cc925

SHA512
a90250214c6c5048b098e031fca5a8097854a8667330551d7694740e3bc83f7d77791d314e3ac75617ef1834b75c41e3e3d3c74da9794a207894c13fb2d4bef7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv43E7.tmp\start_unicode.ini

Filesize
1KB

MD5
e1e5f83035cb20fd89b7de415465eb28

SHA1
9444cf7198dbf73700d19f4725d8d06efec87366

SHA256
483e0ae06bf051ffd48e0374d6d16454ad7ebc0794bfc4572e4c40155b4b4e2f

SHA512
b3aaa4d68a0d79a5ad8471ea8ebe9cea3f2ec202fcec32da1c39555d7e17b77738411f3b6b75a99c904014d2f0dee93644813775fb1c22e3c5694ac2713c31bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv43E7.tmp\start_unicode.ini

Filesize
2KB

MD5
6d5333fc8cdd2009f6860cf7705437d6

SHA1
823ee816cfb81655eaee81b9d491e8dc7631515f

SHA256
2e1a2f2c8e8ca2a0ebc06f55c8fe12662385fb106371f21dcff756e8491bb83d

SHA512
06b90cbf152358d11aaa7b398db2cd398a82c5427be28b0335055acbb2deff79a0d0e21d0033a529e0eb0b729620dacd7ae2bf8563991b6f5f3b618732433e70

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv43E7.tmp\start_unicode.ini

Filesize
2KB

MD5
60abcb6a9526bf3ed2a5539c0485f433

SHA1
8097176ef36ca5204206665a8c6d985a5a3934f3

SHA256
ead4e1053e0056dd97400434ed59478d5dbc7fc2901bb8ae33db0378b9751a3b

SHA512
14ccd5a8914aa3b7cbe2e922e7945014ca2b647c70a585f618dfed704a337985d0a441d32aecf62f3d086414767267a95a94f8659da070b3a8dc87f235cb0a47

Download Submit
C:\Users\Admin\AppData\Local\Temp\{25dbafa2-a70b-7743-bf0a-d2a7cda1f7f1}\SETB992.tmp

Filesize
11KB

MD5
418e65566ab5349ad9266c3a55099f5a

SHA1
f76792c83f3d4301f65952291e9f7d5a64323333

SHA256
52e2589e1276cc72749a1384334e35fe5aec72936fe22f7857c68d81df858c81

SHA512
026aa7c70badf55392189c7d0e2df6dc8ddf992c97f7ea0241cfdbbe227129821f9d5c612b97c74081d1ab3eaed5a93d5889acd6b6cc5614f647eeae8d7f0861

Download Submit
C:\Users\Admin\AppData\Local\Temp\{25dbafa2-a70b-7743-bf0a-d2a7cda1f7f1}\SETB993.tmp

Filesize
69KB

MD5
eea8ec74d73a13be24222da07ed3153d

SHA1
aea6186a4c98d54a2a94a5a5b509b1705b23462f

SHA256
85fe9126995d45c4b001f70e08f422c2f501215bf38b42bdcd0e548ee36ba66f

SHA512
98627dafd538103a241cc1b31b8ab9c7625cd027bf2f39f56cdb08990f758ace5a975aa525dcee091a13944174768545fe6aea3a6872cba97015f88d4fd111c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\{25dbafa2-a70b-7743-bf0a-d2a7cda1f7f1}\SETB9A4.tmp

Filesize
4KB

MD5
0755f3bc7bf79d7bd30212745017c188

SHA1
0a9ff27b973b1820ed7232faa35a64466b18e201

SHA256
72d854954d0e14d1c5b91f44ad0d262dc292e9e0fb4f655dd6b3ea7df9479e12

SHA512
132dab12bd7e009cff5b062fc97f4ce6612ac9bfa02652f0eb123e21568f1a5c6b88ddd49cb4ad8ef650815de65872c09fcd5e065074c0bbe5ad87edf3071e8f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\Downloads\TeamViewer_Setup_x64.exe

Filesize
54.9MB

MD5
27a9b5da94d7d8536d96324726188556

SHA1
59383ff03534c6f9768ed22aba074a46f9cf5a53

SHA256
5d171e50f17019941b17f3b9fcb991dbb51eefa3464d14bcd5f184493915eeef

SHA512
7db976930bf9c94a184c409e24737ab6993035c97c9a124b8799227232444be98640d8db4cb1354852fe8f4ad5acc5581558ebe6e28f67da33859d897db520b2

Download Submit
C:\Users\Admin\Downloads\TeamViewer_Setup_x64.exe

Filesize
54.9MB

MD5
27a9b5da94d7d8536d96324726188556

SHA1
59383ff03534c6f9768ed22aba074a46f9cf5a53

SHA256
5d171e50f17019941b17f3b9fcb991dbb51eefa3464d14bcd5f184493915eeef

SHA512
7db976930bf9c94a184c409e24737ab6993035c97c9a124b8799227232444be98640d8db4cb1354852fe8f4ad5acc5581558ebe6e28f67da33859d897db520b2

Download Submit
C:\Users\Admin\Downloads\TeamViewer_Setup_x64.exe

Filesize
54.9MB

MD5
27a9b5da94d7d8536d96324726188556

SHA1
59383ff03534c6f9768ed22aba074a46f9cf5a53

SHA256
5d171e50f17019941b17f3b9fcb991dbb51eefa3464d14bcd5f184493915eeef

SHA512
7db976930bf9c94a184c409e24737ab6993035c97c9a124b8799227232444be98640d8db4cb1354852fe8f4ad5acc5581558ebe6e28f67da33859d897db520b2

Download Submit
memory/2308-742-0x0000000003980000-0x00000000039B2000-memory.dmp

Filesize
200KB

Download
memory/2308-737-0x00000000734A0000-0x00000000734AA000-memory.dmp

Filesize
40KB

Download
memory/2308-1222-0x00000000734A0000-0x00000000734AA000-memory.dmp

Filesize
40KB

Download
memory/2308-544-0x0000000003390000-0x000000000339E000-memory.dmp

Filesize
56KB

Download
memory/2308-664-0x00000000734A0000-0x00000000734AA000-memory.dmp

Filesize
40KB

Download
memory/3508-2346-0x00007FFB1C4B0000-0x00007FFB1C4B1000-memory.dmp

Filesize
4KB

Download
memory/3712-2378-0x00007FFB1DCE0000-0x00007FFB1DCE1000-memory.dmp

Filesize
4KB

Download
memory/3712-2512-0x000001CAC1C70000-0x000001CAC1CA0000-memory.dmp

Filesize
192KB

Download
memory/3712-2382-0x00007FFB1C3C0000-0x00007FFB1C3C1000-memory.dmp

Filesize
4KB

Download
memory/5516-2958-0x00007FFB1DE50000-0x00007FFB1E045000-memory.dmp

Filesize
2.0MB

Download
memory/5516-2972-0x00007FFB1DE50000-0x00007FFB1E045000-memory.dmp

Filesize
2.0MB

Download
memory/5516-2968-0x00007FFB1DE50000-0x00007FFB1E045000-memory.dmp

Filesize
2.0MB

Download
memory/5516-2966-0x00007FFB1DE50000-0x00007FFB1E045000-memory.dmp

Filesize
2.0MB

Download
memory/5516-2955-0x00007FFB1DE50000-0x00007FFB1E045000-memory.dmp

Filesize
2.0MB

Download
memory/5516-2965-0x00007FFADBC80000-0x00007FFADBC90000-memory.dmp

Filesize
64KB

Download
memory/5516-2963-0x00007FFB1DE50000-0x00007FFB1E045000-memory.dmp

Filesize
2.0MB

Download
memory/5516-2962-0x00007FFB1DE50000-0x00007FFB1E045000-memory.dmp

Filesize
2.0MB

Download
memory/5516-2961-0x00007FFB1DE50000-0x00007FFB1E045000-memory.dmp

Filesize
2.0MB

Download
memory/5516-2960-0x00007FFB1DE50000-0x00007FFB1E045000-memory.dmp

Filesize
2.0MB

Download
memory/5516-2959-0x00007FFB1DE50000-0x00007FFB1E045000-memory.dmp

Filesize
2.0MB

Download
memory/5516-2957-0x00007FFADBC80000-0x00007FFADBC90000-memory.dmp

Filesize
64KB

Download
memory/5516-2969-0x00007FFB1DE50000-0x00007FFB1E045000-memory.dmp

Filesize
2.0MB

Download
memory/5516-2971-0x00007FFB1DE50000-0x00007FFB1E045000-memory.dmp

Filesize
2.0MB

Download
memory/5516-2964-0x00007FFB1DE50000-0x00007FFB1E045000-memory.dmp

Filesize
2.0MB

Download
memory/5516-2954-0x00007FFB1DE50000-0x00007FFB1E045000-memory.dmp

Filesize
2.0MB

Download
memory/5516-2953-0x00007FFADDED0000-0x00007FFADDEE0000-memory.dmp

Filesize
64KB

Download
memory/5516-2946-0x00007FFADDED0000-0x00007FFADDEE0000-memory.dmp

Filesize
64KB

Download
memory/5516-2947-0x00007FFB1DE50000-0x00007FFB1E045000-memory.dmp

Filesize
2.0MB

Download
memory/5516-2952-0x00007FFB1DE50000-0x00007FFB1E045000-memory.dmp

Filesize
2.0MB

Download
memory/5516-2944-0x00007FFADDED0000-0x00007FFADDEE0000-memory.dmp

Filesize
64KB

Download
memory/5516-2951-0x00007FFB1DE50000-0x00007FFB1E045000-memory.dmp

Filesize
2.0MB

Download
memory/5516-2950-0x00007FFADDED0000-0x00007FFADDEE0000-memory.dmp

Filesize
64KB

Download
memory/5516-2956-0x00007FFB1DE50000-0x00007FFB1E045000-memory.dmp

Filesize
2.0MB

Download
memory/5516-2948-0x00007FFADDED0000-0x00007FFADDEE0000-memory.dmp

Filesize
64KB

Download
memory/5516-2949-0x00007FFB1DE50000-0x00007FFB1E045000-memory.dmp

Filesize
2.0MB

Download
memory/5516-2945-0x00007FFB1DE50000-0x00007FFB1E045000-memory.dmp

Filesize
2.0MB

Download
memory/5912-2381-0x00007FFB1C4B0000-0x00007FFB1C4B1000-memory.dmp

Filesize
4KB

Download
memory/6008-1992-0x00007FFADDED0000-0x00007FFADDEE0000-memory.dmp

Filesize
64KB

Download
memory/6008-2113-0x00007FFADDED0000-0x00007FFADDEE0000-memory.dmp

Filesize
64KB

Download
memory/6008-1983-0x00007FFB1DE50000-0x00007FFB1E045000-memory.dmp

Filesize
2.0MB

Download
memory/6008-1984-0x00007FFB1DE50000-0x00007FFB1E045000-memory.dmp

Filesize
2.0MB

Download
memory/6008-2060-0x00007FFB1DE50000-0x00007FFB1E045000-memory.dmp

Filesize
2.0MB

Download
memory/6008-1985-0x00007FFADDED0000-0x00007FFADDEE0000-memory.dmp

Filesize
64KB

Download
memory/6008-1987-0x00007FFADDED0000-0x00007FFADDEE0000-memory.dmp

Filesize
64KB

Download
memory/6008-1988-0x00007FFB1DE50000-0x00007FFB1E045000-memory.dmp

Filesize
2.0MB

Download
memory/6008-1989-0x00007FFB1DE50000-0x00007FFB1E045000-memory.dmp

Filesize
2.0MB

Download
memory/6008-1990-0x00007FFADDED0000-0x00007FFADDEE0000-memory.dmp

Filesize
64KB

Download
memory/6008-1982-0x00007FFADDED0000-0x00007FFADDEE0000-memory.dmp

Filesize
64KB

Download
memory/6008-1994-0x00007FFB1DE50000-0x00007FFB1E045000-memory.dmp

Filesize
2.0MB

Download
memory/6008-1995-0x00007FFB1DE50000-0x00007FFB1E045000-memory.dmp

Filesize
2.0MB

Download
memory/6008-1996-0x00007FFB1DE50000-0x00007FFB1E045000-memory.dmp

Filesize
2.0MB

Download
memory/6008-1997-0x00007FFADBC80000-0x00007FFADBC90000-memory.dmp

Filesize
64KB

Download
memory/6008-1999-0x00007FFB1DE50000-0x00007FFB1E045000-memory.dmp

Filesize
2.0MB

Download
memory/6008-2001-0x00007FFADBC80000-0x00007FFADBC90000-memory.dmp

Filesize
64KB

Download
memory/6008-2000-0x00007FFB1DE50000-0x00007FFB1E045000-memory.dmp

Filesize
2.0MB

Download
memory/6008-1998-0x00007FFB1DE50000-0x00007FFB1E045000-memory.dmp

Filesize
2.0MB

Download
memory/6008-1993-0x00007FFB1DE50000-0x00007FFB1E045000-memory.dmp

Filesize
2.0MB

Download
memory/6008-1991-0x00007FFB1DE50000-0x00007FFB1E045000-memory.dmp

Filesize
2.0MB

Download
memory/6008-1986-0x00007FFB1DE50000-0x00007FFB1E045000-memory.dmp

Filesize
2.0MB

Download
memory/6008-2111-0x00007FFADDED0000-0x00007FFADDEE0000-memory.dmp

Filesize
64KB

Download
memory/6008-2112-0x00007FFADDED0000-0x00007FFADDEE0000-memory.dmp

Filesize
64KB

Download
memory/6008-2110-0x00007FFADDED0000-0x00007FFADDEE0000-memory.dmp

Filesize
64KB

Download
memory/6008-2059-0x00007FFB1DE50000-0x00007FFB1E045000-memory.dmp

Filesize
2.0MB

Download
memory/6008-2114-0x00007FFB1DE50000-0x00007FFB1E045000-memory.dmp

Filesize
2.0MB

Download
memory/6100-2154-0x00007FFB1DE50000-0x00007FFB1E045000-memory.dmp

Filesize
2.0MB

Download
memory/6100-2152-0x00007FFB1DE50000-0x00007FFB1E045000-memory.dmp

Filesize
2.0MB

Download
memory/6100-2146-0x00007FFB1DE50000-0x00007FFB1E045000-memory.dmp

Filesize
2.0MB

Download
memory/6100-2149-0x00007FFB1DE50000-0x00007FFB1E045000-memory.dmp

Filesize
2.0MB

Download
memory/6100-2274-0x00007FFB1DE50000-0x00007FFB1E045000-memory.dmp

Filesize
2.0MB

Download
memory/6100-2151-0x00007FFB1DE50000-0x00007FFB1E045000-memory.dmp

Filesize
2.0MB

Download
memory/6100-2231-0x00007FFB1DE50000-0x00007FFB1E045000-memory.dmp

Filesize
2.0MB

Download
memory/6100-2228-0x00007FFB1DE50000-0x00007FFB1E045000-memory.dmp

Filesize
2.0MB

Download
memory/6100-2229-0x00007FFB1DE50000-0x00007FFB1E045000-memory.dmp

Filesize
2.0MB

Download
memory/6100-2153-0x00007FFB1DE50000-0x00007FFB1E045000-memory.dmp

Filesize
2.0MB

Download
memory/6100-2144-0x00007FFB1DE50000-0x00007FFB1E045000-memory.dmp

Filesize
2.0MB

Download
memory/6100-2142-0x00007FFB1DE50000-0x00007FFB1E045000-memory.dmp

Filesize
2.0MB

Download
memory/6100-2150-0x00007FFB1DE50000-0x00007FFB1E045000-memory.dmp

Filesize
2.0MB

Download
memory/6100-2227-0x00007FFB1DE50000-0x00007FFB1E045000-memory.dmp

Filesize
2.0MB

Download
memory/6100-2226-0x00007FFB1DE50000-0x00007FFB1E045000-memory.dmp

Filesize
2.0MB

Download
memory/6100-2225-0x00007FFB1DE50000-0x00007FFB1E045000-memory.dmp

Filesize
2.0MB

Download
memory/6100-2224-0x00007FFB1DE50000-0x00007FFB1E045000-memory.dmp

Filesize
2.0MB

Download
memory/6100-2199-0x00007FFB1DE50000-0x00007FFB1E045000-memory.dmp

Filesize
2.0MB

Download
memory/6100-2156-0x00007FFB1DE50000-0x00007FFB1E045000-memory.dmp

Filesize
2.0MB

Download
memory/6100-2157-0x00007FFB1DE50000-0x00007FFB1E045000-memory.dmp

Filesize
2.0MB

Download
memory/6100-2161-0x00007FFB1DE50000-0x00007FFB1E045000-memory.dmp

Filesize
2.0MB

Download
memory/6100-2482-0x00007FFB1DE50000-0x00007FFB1E045000-memory.dmp

Filesize
2.0MB

Download
memory/6100-2160-0x00007FFB1DE50000-0x00007FFB1E045000-memory.dmp

Filesize
2.0MB

Download