Malware Analysis Report

2025-01-18 21:22

Sample ID 240323-vhcqlahf86
Target https://drive.usercontent.google.com/download?id=1UsGIXS_sMBR9tmgSfo0z2d1t22YHmoxU&export=download&authuser=0
Tags
adware persistence stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

Threat Level: Shows suspicious behavior

The file https://drive.usercontent.google.com/download?id=1UsGIXS_sMBR9tmgSfo0z2d1t22YHmoxU&export=download&authuser=0 was found to show suspicious behavior.

Malicious Activity Summary

adware persistence stealer

Executes dropped EXE

Loads dropped DLL

Registers COM server for autorun

Modifies system executable filetype association

Enumerates connected drives

Adds Run key to start application

Blocklisted process makes network request

Installs/modifies Browser Helper Object

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Checks processor information in registry

Suspicious behavior: AddClipboardFormatListener

Checks SCSI registry key(s)

Uses Volume Shadow Copy service COM API

Enumerates system info in registry

Modifies data under HKEY_USERS

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-23 16:59

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-23 16:59

Reported

2024-03-23 17:02

Platform

win10v2004-20240226-en

Max time kernel

221s

Max time network

203s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.usercontent.google.com/download?id=1UsGIXS_sMBR9tmgSfo0z2d1t22YHmoxU&export=download&authuser=0

Signatures

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\StartMenuExt C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\StartMenuExt C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\StartMenuExt C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\StartMenuExt\ = "{E595F05F-903F-4318-8B0A-7F633B520D2B}" C:\Windows\System32\MsiExec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\StartMenuExt C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\StartMenuExt\ = "{E595F05F-903F-4318-8B0A-7F633B520D2B}" C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\StartMenuExt C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\StartMenuExt\ = "{E595F05F-903F-4318-8B0A-7F633B520D2B}" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\StartMenuExt\ = "{E595F05F-903F-4318-8B0A-7F633B520D2B}" C:\Windows\syswow64\MsiExec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\StartMenuExt C:\Windows\System32\MsiExec.exe N/A

Registers COM server for autorun

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C83ACB1-75C3-45D2-882C-EFA32333491C}\InprocServer32 C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C83ACB1-75C3-45D2-882C-EFA32333491C}\InprocServer32\ = "C:\\Program Files\\Classic Shell\\ClassicExplorer64.dll" C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EA801577-E6AD-4BD5-8F71-4BE0154331A4}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E595F05F-903F-4318-8B0A-7F633B520D2B}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D3214FBB-3CA1-406A-B3E8-3EB7C393A15E}\InprocServer32\ = "C:\\Windows\\system32\\StartMenuHelper64.dll" C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C83ACB1-75C3-45D2-882C-EFA32333491C}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{449D0D6E-2412-4E61-B68F-1CB625CD9E52}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E595F05F-903F-4318-8B0A-7F633B520D2B}\InprocServer32 C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{594D4122-1F87-41E2-96C7-825FB4796516}\InprocServer32 C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{594D4122-1F87-41E2-96C7-825FB4796516}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{553891B7-A0D5-4526-BE18-D3CE461D6310}\InprocServer32\ = "C:\\Program Files\\Classic Shell\\ClassicExplorer64.dll" C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EA801577-E6AD-4BD5-8F71-4BE0154331A4}\InprocServer32 C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EA801577-E6AD-4BD5-8F71-4BE0154331A4}\InprocServer32\ = "C:\\Program Files\\Classic Shell\\ClassicIEDLL_64.dll" C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D3214FBB-3CA1-406A-B3E8-3EB7C393A15E}\InprocServer32 C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D3214FBB-3CA1-406A-B3E8-3EB7C393A15E}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{594D4122-1F87-41E2-96C7-825FB4796516}\InprocServer32\ = "C:\\Program Files\\Classic Shell\\ClassicExplorer64.dll" C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{553891B7-A0D5-4526-BE18-D3CE461D6310}\InprocServer32 C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{553891B7-A0D5-4526-BE18-D3CE461D6310}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{449D0D6E-2412-4E61-B68F-1CB625CD9E52}\InprocServer32 C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{449D0D6E-2412-4E61-B68F-1CB625CD9E52}\InprocServer32\ = "C:\\Program Files\\Classic Shell\\ClassicExplorer64.dll" C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E595F05F-903F-4318-8B0A-7F633B520D2B}\InprocServer32\ = "C:\\Windows\\system32\\StartMenuHelper64.dll" C:\Windows\System32\MsiExec.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Classic Start Menu = "\"C:\\Program Files\\Classic Shell\\ClassicStartMenu.exe\" -autorun" C:\Windows\system32\msiexec.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\T: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EA801577-E6AD-4BD5-8F71-4BE0154331A4} C:\Windows\System32\MsiExec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EA801577-E6AD-4BD5-8F71-4BE0154331A4}\NoExplorer = "1" C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{449D0D6E-2412-4E61-B68F-1CB625CD9E52} C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EA801577-E6AD-4BD5-8F71-4BE0154331A4} C:\Windows\syswow64\MsiExec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EA801577-E6AD-4BD5-8F71-4BE0154331A4}\NoExplorer = "1" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{449D0D6E-2412-4E61-B68F-1CB625CD9E52} C:\Windows\System32\MsiExec.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\StartMenuHelper32.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\system32\StartMenuHelper64.dll C:\Windows\system32\msiexec.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Classic Shell\IE Settings.lnk~RFe58b706.TMP C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Classic Shell\~tart Menu Settings.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Classic Shell\~tart Screen.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Classic Shell\Skins\Classic Skin.skin7 C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Classic Shell\IE Settings.lnk C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Classic Shell\~E Settings.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Classic Shell\StartMenuL10N.ini C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Classic Shell\Skins\Windows XP Luna.skin C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Classic Shell\ClassicIEDLL_32.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Classic Shell\ClassicShellReadme.rtf C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Classic Shell\Skins\Metro.skin7 C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Classic Shell\Start Screen.lnk C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Classic Shell\Start Screen.lnk~RFe58b735.TMP C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Classic Shell\Skins\Full Glass.skin C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Classic Shell\Skins\Metallic.skin7 C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Classic Shell\Skins\Windows 8.skin7 C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Classic Shell\Skins\Windows 8.skin C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Classic Shell\ClassicIEDLL_64.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Classic Shell\ClassicIE_32.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Classic Shell\ClassicShellUpdate.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Classic Shell\HISTORY.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Classic Shell\ClassicExplorer64.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Classic Shell\ClassicIE_64.exe C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\Classic Shell\Start Menu Settings.lnk C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Classic Shell\Start Menu Settings.lnk~RFe58b706.TMP C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\Classic Shell\Start Screen.lnk C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Classic Shell\Skins\Smoked Glass.skin C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Classic Shell\Skins\Windows Aero.skin7 C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Classic Shell\Skins\Windows Basic.skin C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\Classic Shell\ClassicShellReadme.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File created C:\Program Files\Classic Shell\~$assicShellReadme.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File opened for modification C:\Program Files\Classic Shell\~E Settings.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Classic Shell\Start Menu Settings.lnk C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Classic Shell\ClassicShell.chm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Classic Shell\Skins\Classic Skin.skin C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Classic Shell\Skins\Windows Aero.skin C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Classic Shell\StartMenuHelperL10N.ini C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Classic Shell\ClassicStartMenuDLL.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\Classic Shell\IE Settings.lnk C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\Classic Shell\~tart Menu Settings.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Classic Shell\ClassicExplorerSettings.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Classic Shell\ExplorerL10N.ini C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Classic Shell\Skins\Midnight.skin7 C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Classic Shell\ClassicStartMenu.exe C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\Classic Shell\~tart Screen.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Classic Shell\ClassicExplorer32.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Classic Shell\Skins\Metro.skin C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Classic Shell\PolicyDefinitions.zip C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Installer\e58b205.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e58b205.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIB34D.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\{CABCE573-0A86-42FA-A52A-C7EA61D5BE08}\icon.ico C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{CABCE573-0A86-42FA-A52A-C7EA61D5BE08}\icon.ico C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e58b207.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{CABCE573-0A86-42FA-A52A-C7EA61D5BE08} C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\{CABCE573-0A86-42FA-A52A-C7EA61D5BE08}\StartScreen.exe C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{CABCE573-0A86-42FA-A52A-C7EA61D5BE08}\StartScreen.exe C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = <data omitted> C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar C:\Windows\System32\MsiExec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{02E6771D-8375-42B9-9F83-B4730F697900}\Policy = "3" C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{56753E59-AF1D-4FBA-9E15-31557124ADA2}\Exec = "C:\\Program Files\\Classic Shell\\ClassicIE_32.exe" C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{56753E59-AF1D-4FBA-9E15-31557124ADA2}\AppName = "ClassicIE_32.exe" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{02E6771D-8375-42B9-9F83-B4730F697900} C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{02E6771D-8375-42B9-9F83-B4730F697900}\AppPath = "C:\\Program Files\\Classic Shell" C:\Windows\syswow64\MsiExec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{553891B7-A0D5-4526-BE18-D3CE461D6310} C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{56753E59-AF1D-4FBA-9E15-31557124ADA2}\AppName = "ClassicIE_32.exe" C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C0393554-9B48-458A-B91B-3F684D003B2F} C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C0393554-9B48-458A-B91B-3F684D003B2F} C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C0393554-9B48-458A-B91B-3F684D003B2F}\AppName = "ClassicIE_64.exe" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{56753E59-AF1D-4FBA-9E15-31557124ADA2}\CLSID = "{1FBA04EE-3024-11d2-8F1F-0000F87ABD16}" C:\Windows\syswow64\MsiExec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C0393554-9B48-458A-B91B-3F684D003B2F}\Policy = "3" C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C0393554-9B48-458A-B91B-3F684D003B2F}\AppPath = "C:\\Program Files\\Classic Shell" C:\Windows\syswow64\MsiExec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{02E6771D-8375-42B9-9F83-B4730F697900}\Policy = "3" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{56753E59-AF1D-4FBA-9E15-31557124ADA2} C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{02E6771D-8375-42B9-9F83-B4730F697900} C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{56753E59-AF1D-4FBA-9E15-31557124ADA2} C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{56753E59-AF1D-4FBA-9E15-31557124ADA2} C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{56753E59-AF1D-4FBA-9E15-31557124ADA2}\AppPath = "C:\\Program Files\\Classic Shell" C:\Windows\System32\MsiExec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{56753E59-AF1D-4FBA-9E15-31557124ADA2}\Policy = "3" C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{02E6771D-8375-42B9-9F83-B4730F697900}\AppName = "ClassicShellUpdate.exe" C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{02E6771D-8375-42B9-9F83-B4730F697900}\AppName = "ClassicShellUpdate.exe" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{56753E59-AF1D-4FBA-9E15-31557124ADA2}\Exec = "C:\\Program Files\\Classic Shell\\ClassicIE_32.exe" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{02E6771D-8375-42B9-9F83-B4730F697900}\AppPath = "C:\\Program Files\\Classic Shell" C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{56753E59-AF1D-4FBA-9E15-31557124ADA2}\CLSID = "{1FBA04EE-3024-11d2-8F1F-0000F87ABD16}" C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{56753E59-AF1D-4FBA-9E15-31557124ADA2}\MenuText = "Classic IE Settings" C:\Windows\System32\MsiExec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{553891B7-A0D5-4526-BE18-D3CE461D6310} C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{56753E59-AF1D-4FBA-9E15-31557124ADA2}\AppPath = "C:\\Program Files\\Classic Shell" C:\Windows\syswow64\MsiExec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{56753E59-AF1D-4FBA-9E15-31557124ADA2}\Policy = "3" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C0393554-9B48-458A-B91B-3F684D003B2F}\AppName = "ClassicIE_64.exe" C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C0393554-9B48-458A-B91B-3F684D003B2F}\AppPath = "C:\\Program Files\\Classic Shell" C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{56753E59-AF1D-4FBA-9E15-31557124ADA2} C:\Windows\syswow64\MsiExec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C0393554-9B48-458A-B91B-3F684D003B2F}\Policy = "3" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{56753E59-AF1D-4FBA-9E15-31557124ADA2}\MenuText = "Classic IE Settings" C:\Windows\syswow64\MsiExec.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\22\52C64B7E C:\Windows\system32\msiexec.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C83ACB1-75C3-45D2-882C-EFA32333491C}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\ClassicIE.DLL C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{449D0D6E-2412-4E61-B68F-1CB625CD9E52}\TypeLib C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ShareOverlay\ = "ShareOverlay Class" C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{594D4122-1F87-41E2-96C7-825FB4796516}\TypeLib C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BF8D124A-A4E0-402F-8152-4EF377E62586}\1.0\FLAGS C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ExplorerBand.1\CLSID\ = "{553891B7-A0D5-4526-BE18-D3CE461D6310}" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\375ECBAC68A0AF245AA27CAE165DEB80\SourceList\Media\2 = ";" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{594D4122-1F87-41E2-96C7-825FB4796516}\Programmable C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ExplorerBHO\CLSID\ = "{449D0D6E-2412-4E61-B68F-1CB625CD9E52}" C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{449D0D6E-2412-4E61-B68F-1CB625CD9E52}\ = "ExplorerBHO Class" C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E595F05F-903F-4318-8B0A-7F633B520D2B}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{553891B7-A0D5-4526-BE18-D3CE461D6310}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{449D0D6E-2412-4E61-B68F-1CB625CD9E52}\Programmable C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BF8D124A-A4E0-402F-8152-4EF377E62586}\1.0\HELPDIR C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ClassicIE.ClassicIEBHO.1\ = "ClassicIEBHO Class" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EA801577-E6AD-4BD5-8F71-4BE0154331A4} C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ExplorerBand.1\CLSID\ = "{553891B7-A0D5-4526-BE18-D3CE461D6310}" C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E595F05F-903F-4318-8B0A-7F633B520D2B}\InprocServer32\ = "C:\\Windows\\SysWow64\\StartMenuHelper32.dll" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A1678625-A011-4B7C-A1FA-D691E4CDDB79}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FDA50A1E-B8CE-49DE-8D17-B034A84AA280}\1.0\HELPDIR\ = "C:\\Program Files\\Classic Shell" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C83ACB1-75C3-45D2-882C-EFA32333491C}\ = "ClassicCopyExt Class" C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D3214FBB-3CA1-406A-B3E8-3EB7C393A15E}\InprocServer32\ = "C:\\Windows\\system32\\StartMenuHelper64.dll" C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\375ECBAC68A0AF245AA27CAE165DEB80 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\ClassicCopyExt C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BF8D124A-A4E0-402F-8152-4EF377E62586}\1.0\FLAGS\ = "0" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E00B97F-A4D4-4062-98E4-4F66FC96F32F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{449D0D6E-2412-4E61-B68F-1CB625CD9E52}\VersionIndependentProgID C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C83ACB1-75C3-45D2-882C-EFA32333491C}\InprocServer32\ = "C:\\Program Files\\Classic Shell\\ClassicExplorer64.dll" C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ExplorerBHO.1\CLSID\ = "{449D0D6E-2412-4E61-B68F-1CB625CD9E52}" C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{449D0D6E-2412-4E61-B68F-1CB625CD9E52}\TypeLib\ = "{BF8D124A-A4E0-402F-8152-4EF377E62586}" C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FDA50A1E-B8CE-49DE-8D17-B034A84AA280}\1.0\0\win64\ = "C:\\Program Files\\Classic Shell\\ClassicIEDLL_64.dll" C:\Windows\System32\MsiExec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\StartMenuExt C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ClassicCopyExt.1\ = "ClassicCopyExt Class" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C698A81E-5D02-42B1-9801-5381CA8BBC2F}\ProxyStubClsid32 C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{553891B7-A0D5-4526-BE18-D3CE461D6310}\ProgID\ = "ClassicExplorer.ExplorerBand.1" C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{553891B7-A0D5-4526-BE18-D3CE461D6310}\Programmable C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D3214FBB-3CA1-406A-B3E8-3EB7C393A15E}\InprocServer32\ = "C:\\Windows\\SysWow64\\StartMenuHelper32.dll" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ShareOverlay.1\CLSID\ = "{594D4122-1F87-41E2-96C7-825FB4796516}" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BF8D124A-A4E0-402F-8152-4EF377E62586} C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EA801577-E6AD-4BD5-8F71-4BE0154331A4}\VersionIndependentProgID C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BC4C1B8F-0BDE-4E42-9583-E072B2A28E0D}\TypeLib\ = "{BF8D124A-A4E0-402F-8152-4EF377E62586}" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ClassicIE.ClassicIEBHO.1 C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D3214FBB-3CA1-406A-B3E8-3EB7C393A15E} C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C83ACB1-75C3-45D2-882C-EFA32333491C}\TypeLib\ = "{BF8D124A-A4E0-402F-8152-4EF377E62586}" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ShareOverlay.1\ = "ShareOverlay Class" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ClassicIE.ClassicIEBHO\CLSID C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Launcher.SystemSettings\shellex\ContextMenuHandlers\StartMenuExt\ = "{E595F05F-903F-4318-8B0A-7F633B520D2B}" C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{449D0D6E-2412-4E61-B68F-1CB625CD9E52}\ProgID\ = "ClassicExplorer.ExplorerBHO.1" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FDA50A1E-B8CE-49DE-8D17-B034A84AA280}\1.0\ = "ClassicIE 1.0 Type Library" C:\Windows\syswow64\MsiExec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\ClassicCopyExt C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{594D4122-1F87-41E2-96C7-825FB4796516}\Programmable C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{449D0D6E-2412-4E61-B68F-1CB625CD9E52}\VersionIndependentProgID\ = "ClassicExplorer.ExplorerBHO" C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C83ACB1-75C3-45D2-882C-EFA32333491C}\ProgID\ = "ClassicExplorer.ClassicCopyExt.1" C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{594D4122-1F87-41E2-96C7-825FB4796516} C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{594D4122-1F87-41E2-96C7-825FB4796516} C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ExplorerBHO\CLSID\ = "{449D0D6E-2412-4E61-B68F-1CB625CD9E52}" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ExplorerBHO\CurVer\ = "ClassicExplorer.ExplorerBHO.1" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EA801577-E6AD-4BD5-8F71-4BE0154331A4}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640} C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C83ACB1-75C3-45D2-882C-EFA32333491C}\VersionIndependentProgID C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{594D4122-1F87-41E2-96C7-825FB4796516}\TypeLib\ = "{BF8D124A-A4E0-402F-8152-4EF377E62586}" C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{449D0D6E-2412-4E61-B68F-1CB625CD9E52}\Implemented Categories C:\Windows\System32\MsiExec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\375ECBAC68A0AF245AA27CAE165DEB80\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ExplorerBHO.1\ = "ExplorerBHO Class" C:\Windows\System32\MsiExec.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\Classic Shell\ClassicIE_32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\MsiExec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\MsiExec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2792 wrote to memory of 100 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2792 wrote to memory of 4732 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2792 wrote to memory of 2092 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2792 wrote to memory of 3948 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.usercontent.google.com/download?id=1UsGIXS_sMBR9tmgSfo0z2d1t22YHmoxU&export=download&authuser=0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb216f46f8,0x7ffb216f4708,0x7ffb216f4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,16376455366728883700,16904304252338247204,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,16376455366728883700,16904304252338247204,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2168,16376455366728883700,16904304252338247204,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2684 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,16376455366728883700,16904304252338247204,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,16376455366728883700,16904304252338247204,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,16376455366728883700,16904304252338247204,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3912 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,16376455366728883700,16904304252338247204,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4648 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,16376455366728883700,16904304252338247204,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4648 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2168,16376455366728883700,16904304252338247204,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5316 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,16376455366728883700,16904304252338247204,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,16376455366728883700,16904304252338247204,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5736 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,16376455366728883700,16904304252338247204,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5752 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,16376455366728883700,16904304252338247204,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,16376455366728883700,16904304252338247204,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2168,16376455366728883700,16904304252338247204,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5864 /prefetch:8

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Downloads\Win7Theme\ClassicShellSetup_4_3_1.exe

"C:\Users\Admin\Downloads\Win7Theme\ClassicShellSetup_4_3_1.exe"

C:\Windows\SysWOW64\msiexec.exe

msiexec.exe /i "C:\ProgramData\ClassicShellSetup64_4_3_1.msi"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\syswow64\MsiExec.exe

"C:\Windows\syswow64\MsiExec.exe" /Y "C:\Program Files\Classic Shell\ClassicExplorer32.dll"

C:\Windows\syswow64\MsiExec.exe

"C:\Windows\syswow64\MsiExec.exe" /Y "C:\Program Files\Classic Shell\ClassicIEDLL_32.dll"

C:\Windows\System32\MsiExec.exe

"C:\Windows\System32\MsiExec.exe" /Y "C:\Program Files\Classic Shell\ClassicExplorer64.dll"

C:\Windows\System32\MsiExec.exe

"C:\Windows\System32\MsiExec.exe" /Y "C:\Program Files\Classic Shell\ClassicIEDLL_64.dll"

C:\Windows\syswow64\MsiExec.exe

"C:\Windows\syswow64\MsiExec.exe" /Y "C:\Windows\SysWOW64\StartMenuHelper32.dll"

C:\Windows\System32\MsiExec.exe

"C:\Windows\System32\MsiExec.exe" /Y "C:\Windows\system32\StartMenuHelper64.dll"

C:\Program Files\Classic Shell\ClassicStartMenu.exe

"C:\Program Files\Classic Shell\ClassicStartMenu.exe"

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 50980E4C969808F25BC4C0BD8B77BC27 C

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Program Files\Classic Shell\ClassicShellReadme.rtf" /o ""

C:\Program Files\Classic Shell\ClassicIE_32.exe

"C:\Program Files\Classic Shell\ClassicIE_32.exe"

C:\Program Files\Classic Shell\ClassicIE_32.exe

"C:\Program Files\Classic Shell\ClassicIE_32.exe"

C:\Program Files\Classic Shell\ClassicStartMenu.exe

"C:\Program Files\Classic Shell\ClassicStartMenu.exe" -settings

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network


Files
