Malware Analysis Report

2024-09-11 05:56

Sample ID 240528-1snthafb22
Target pretty.exe
SHA256 c1b64a1f5f197d061a7027f9b4b142f2d53c66a71c95eb41659c717c703ca562
Tags
pyinstaller discovery exploit ransomware spyware stealer
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

c1b64a1f5f197d061a7027f9b4b142f2d53c66a71c95eb41659c717c703ca562

Threat Level: Likely malicious

The file pretty.exe was found to be: Likely malicious.

Malicious Activity Summary

pyinstaller discovery exploit ransomware spyware stealer

Possible privilege escalation attempt

Reads user/profile data of web browsers

Modifies file permissions

Loads dropped DLL

Checks computer location settings

Sets desktop wallpaper using registry

Drops file in Windows directory

Detects Pyinstaller

Enumerates physical storage devices

Unsigned PE

Creates scheduled task(s)

Suspicious behavior: MapViewOfSection

Suspicious use of SendNotifyMessage

Kills process with taskkill

Suspicious behavior: LoadsDriver

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Delays execution with timeout.exe

Suspicious use of FindShellTrayWindow

Views/modifies file attributes

Enumerates system info in registry

Modifies registry key

Uses Task Scheduler COM API

Modifies Control Panel

Suspicious behavior: GetForegroundWindowSpam

Modifies Internet Explorer settings

Modifies registry class

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Scheduled Task/Job
T1053
Persistence
TA0003
Scheduled Task/Job
T1053
Privilege Escalation
TA0004
Scheduled Task/Job
T1053
Defense Evasion
TA0005
File and Directory Permissions Modification
T1222
Modify Registry
T1112
Hide Artifacts
T1564
Hidden Files and Directories
T1564.001
Credential Access
TA0006
Unsecured Credentials
T1552
Credentials In Files
T1552.001
Discovery
TA0007
Query Registry
T1012
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Data from Local System
T1005
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Defacement
T1491
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-05-28 21:55

Signatures

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-28 21:54

Reported

2024-05-28 22:00

Platform

win10-20240404-en

Max time kernel

300s

Max time network

256s

Command Line

"C:\Users\Admin\AppData\Local\Temp\pretty.exe"

Signatures

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Reads user/profile data of web browsers

spyware stealer

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\Cake\\yae_wallpaper.jpg" C:\Windows\system32\reg.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rescache\_merged\3720402701\1568373884.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
File opened for modification C:\Windows\Debug\ESE.TXT C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
File created C:\Windows\rescache\_merged\3720402701\1568373884.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
File created C:\Windows\rescache\_merged\3720402701\1568373884.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Control Panel\Appearance\Current C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Control Panel\Cursors C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Control Panel\Cursors\ = "Windows Default" C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Control Panel\Accessibility\HighContrast\Flags = "126" C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Control Panel\Accessibility\HighContrast\High Contrast Scheme C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Control Panel\Accessibility\HighContrast\Previous High Contrast Scheme MUI Value C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Control Panel\Desktop\UserPreferencesMask = 9e1e078012000000 C:\Windows\system32\rundll32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Control Panel\Cursors\Scheme Source = "2" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Control Panel\Appearance C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Control Panel\Appearance\NewCurrent C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Control Panel\Accessibility\HighContrast C:\Windows\system32\rundll32.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\system32\browser_broker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1" C:\Windows\system32\LogonUI.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" C:\Windows\system32\LogonUI.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Explorer\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = 055398c849b1da01 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = 01000000d37a91644b3a8be7fd97def314ab920c83ed1bd12fb27fc038c085c01c824f867b780e1250e16c0bc3c2af6d1fb850d5dfd83e4fdf4224cd92b7 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\IsSignedIn = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-SubSysId = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\DynamicCodePolicy = 00000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\ACGStatus\ACGPolicyState = "8" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IETld\LowMic C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DeviceId = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DeviceId = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\CIStatus\CIPolicyState = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\ACGStatus\DynamicCodePolicy = 05000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\DisallowDefaultBrowserPrompt = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionHigh = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{AEBA21FA-782A-4A90-978D-B72164 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Content C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Explorer C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\OneTimeCleanup = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 543b85c049b1da01 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\CIStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\CIStatus\SignaturePolicy = 06000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-Revision = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\EnablementState = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies\CacheLimit = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\AdapterInfo = "vendorId=\"0x1414\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\Extensions C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\SyncIEFirstTimeFullScan = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\History\CacheLimit = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
N/A N/A C:\Windows\system32\LogonUI.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3064 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe C:\Users\Admin\AppData\Local\Temp\pretty.exe
PID 3064 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe C:\Users\Admin\AppData\Local\Temp\pretty.exe
PID 2540 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe C:\Windows\system32\cmd.exe
PID 2540 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe C:\Windows\system32\cmd.exe
PID 2540 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe C:\Windows\system32\cmd.exe
PID 2540 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe C:\Windows\system32\cmd.exe
PID 2532 wrote to memory of 3060 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2532 wrote to memory of 3060 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 512 wrote to memory of 4460 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 512 wrote to memory of 4460 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 512 wrote to memory of 4460 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 512 wrote to memory of 4460 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 512 wrote to memory of 4460 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 512 wrote to memory of 4460 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 2540 wrote to memory of 4124 N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe C:\Windows\system32\cmd.exe
PID 2540 wrote to memory of 4124 N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe C:\Windows\system32\cmd.exe
PID 4124 wrote to memory of 4192 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 4124 wrote to memory of 4192 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 4124 wrote to memory of 648 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 4124 wrote to memory of 648 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 4124 wrote to memory of 352 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4124 wrote to memory of 352 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2540 wrote to memory of 7008 N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe C:\Windows\system32\cmd.exe
PID 2540 wrote to memory of 7008 N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe C:\Windows\system32\cmd.exe
PID 7008 wrote to memory of 7056 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 7008 wrote to memory of 7056 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2540 wrote to memory of 7072 N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe C:\Windows\system32\cmd.exe
PID 2540 wrote to memory of 7072 N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe C:\Windows\system32\cmd.exe
PID 7072 wrote to memory of 7120 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 7072 wrote to memory of 7120 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2540 wrote to memory of 7136 N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe C:\Windows\system32\cmd.exe
PID 2540 wrote to memory of 7136 N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe C:\Windows\system32\cmd.exe
PID 7136 wrote to memory of 2548 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 7136 wrote to memory of 2548 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2540 wrote to memory of 292 N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe C:\Windows\system32\cmd.exe
PID 2540 wrote to memory of 292 N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe C:\Windows\system32\cmd.exe
PID 292 wrote to memory of 4860 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 292 wrote to memory of 4860 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2540 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe C:\Windows\system32\cmd.exe
PID 2540 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe C:\Windows\system32\cmd.exe
PID 768 wrote to memory of 1516 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 768 wrote to memory of 1516 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2540 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe C:\Windows\system32\cmd.exe
PID 2540 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe C:\Windows\system32\cmd.exe
PID 3044 wrote to memory of 2652 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3044 wrote to memory of 2652 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2540 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe C:\Windows\system32\cmd.exe
PID 2540 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe C:\Windows\system32\cmd.exe
PID 4516 wrote to memory of 2680 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4516 wrote to memory of 2680 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2540 wrote to memory of 5124 N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe C:\Windows\system32\cmd.exe
PID 2540 wrote to memory of 5124 N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe C:\Windows\system32\cmd.exe
PID 5124 wrote to memory of 5168 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 5124 wrote to memory of 5168 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2540 wrote to memory of 5180 N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe C:\Windows\system32\cmd.exe
PID 2540 wrote to memory of 5180 N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe C:\Windows\system32\cmd.exe
PID 5180 wrote to memory of 5232 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 5180 wrote to memory of 5232 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2540 wrote to memory of 5244 N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe C:\Windows\system32\cmd.exe
PID 2540 wrote to memory of 5244 N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe C:\Windows\system32\cmd.exe
PID 5244 wrote to memory of 5300 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 5244 wrote to memory of 5300 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2540 wrote to memory of 5308 N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe C:\Windows\system32\cmd.exe
PID 2540 wrote to memory of 5308 N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe C:\Windows\system32\cmd.exe

Uses Task Scheduler COM API

persistence

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\pretty.exe

"C:\Users\Admin\AppData\Local\Temp\pretty.exe"

C:\Users\Admin\AppData\Local\Temp\pretty.exe

"C:\Users\Admin\AppData\Local\Temp\pretty.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ver"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "schtasks /create /tn "pretty" /tr "C:\ProgramData\Cake\pretty.exe" /sc ONLOGON /rl HIGHEST /f"

C:\Windows\system32\schtasks.exe

schtasks /create /tn "pretty" /tr "C:\ProgramData\Cake\pretty.exe" /sc ONLOGON /rl HIGHEST /f

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca

C:\Windows\system32\browser_broker.exe

C:\Windows\system32\browser_broker.exe -Embedding

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "start "" "C:\Windows\Resources\Themes\aero.theme" & timeout /t 3 & taskkill /im "systemsettings.exe" /f"

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\themecpl.dll,OpenThemeAction C:\Windows\Resources\Themes\aero.theme

C:\Windows\system32\timeout.exe

timeout /t 3

C:\Windows\system32\taskkill.exe

taskkill /im "systemsettings.exe" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize /v AppsUseLightTheme /t REG_DWORD /d 1 /f"

C:\Windows\system32\reg.exe

reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize /v AppsUseLightTheme /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize /v EnableTransparency /t REG_DWORD /d 0 /f"

C:\Windows\system32\reg.exe

reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize /v EnableTransparency /t REG_DWORD /d 0 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize /v SystemUsesLightTheme /t REG_DWORD /d 1 /f"

C:\Windows\system32\reg.exe

reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize /v SystemUsesLightTheme /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize /v ColorPrevalence /t REG_DWORD /d 1 /f"

C:\Windows\system32\reg.exe

reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize /v ColorPrevalence /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Accent /v StartColorMenu /t REG_DWORD /d 0xff7878e7 /f"

C:\Windows\system32\reg.exe

reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Accent /v StartColorMenu /t REG_DWORD /d 0xff7878e7 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Accent /v AccentColorMenu /t REG_DWORD /d 0xff8e8eeb /f"

C:\Windows\system32\reg.exe

reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Accent /v AccentColorMenu /t REG_DWORD /d 0xff8e8eeb /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Accent /v AccentPalette /t REG_BINARY /d ce43aaffce43aaffce43aaffce43aaffce43aaffce43aaffce43aaffce43aa00 /f"

C:\Windows\system32\reg.exe

reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Accent /v AccentPalette /t REG_BINARY /d ce43aaffce43aaffce43aaffce43aaffce43aaffce43aaffce43aaffce43aa00 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add "HKCU\Control Panel\Colors" /v ActiveBorder /t REG_SZ /d "255 200 220" /f"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Colors" /v ActiveBorder /t REG_SZ /d "255 200 220" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add "HKCU\Control Panel\Colors" /v ActiveTitle /t REG_SZ /d "255 120 150" /f"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Colors" /v ActiveTitle /t REG_SZ /d "255 120 150" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add "HKCU\Control Panel\Colors" /v AppWorkspace /t REG_SZ /d "255 180 200" /f"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Colors" /v AppWorkspace /t REG_SZ /d "255 180 200" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add "HKCU\Control Panel\Colors" /v Background /t REG_SZ /d "255 200 220" /f"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Colors" /v Background /t REG_SZ /d "255 200 220" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add "HKCU\Control Panel\Colors" /v ButtonAlternateFace /t REG_SZ /d "255 200 220" /f"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Colors" /v ButtonAlternateFace /t REG_SZ /d "255 200 220" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add "HKCU\Control Panel\Colors" /v ButtonDkShadow /t REG_SZ /d "255 200 220" /f"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Colors" /v ButtonDkShadow /t REG_SZ /d "255 200 220" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add "HKCU\Control Panel\Colors" /v ButtonFace /t REG_SZ /d "255 200 220" /f"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Colors" /v ButtonFace /t REG_SZ /d "255 200 220" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add "HKCU\Control Panel\Colors" /v ButtonHilight /t REG_SZ /d "255 200 220" /f"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Colors" /v ButtonHilight /t REG_SZ /d "255 200 220" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add "HKCU\Control Panel\Colors" /v ButtonLight /t REG_SZ /d "255 200 220" /f"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Colors" /v ButtonLight /t REG_SZ /d "255 200 220" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add "HKCU\Control Panel\Colors" /v ButtonShadow /t REG_SZ /d "255 200 220" /f"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Colors" /v ButtonShadow /t REG_SZ /d "255 200 220" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add "HKCU\Control Panel\Colors" /v ButtonText /t REG_SZ /d "255 255 255" /f"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Colors" /v ButtonText /t REG_SZ /d "255 255 255" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add "HKCU\Control Panel\Colors" /v GradientActiveTitle /t REG_SZ /d "255 120 150" /f"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Colors" /v GradientActiveTitle /t REG_SZ /d "255 120 150" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add "HKCU\Control Panel\Colors" /v GradientInactiveTitle /t REG_SZ /d "255 200 220" /f"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Colors" /v GradientInactiveTitle /t REG_SZ /d "255 200 220" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add "HKCU\Control Panel\Colors" /v GrayText /t REG_SZ /d "255 200 220" /f"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Colors" /v GrayText /t REG_SZ /d "255 200 220" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add "HKCU\Control Panel\Colors" /v Hilight /t REG_SZ /d "255 200 220" /f"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Colors" /v Hilight /t REG_SZ /d "255 200 220" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add "HKCU\Control Panel\Colors" /v HilightText /t REG_SZ /d "255 255 255" /f"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Colors" /v HilightText /t REG_SZ /d "255 255 255" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add "HKCU\Control Panel\Colors" /v HotTrackingColor /t REG_SZ /d "255 200 220" /f"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Colors" /v HotTrackingColor /t REG_SZ /d "255 200 220" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add "HKCU\Control Panel\Colors" /v InactiveBorder /t REG_SZ /d "255 200 220" /f"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Colors" /v InactiveBorder /t REG_SZ /d "255 200 220" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add "HKCU\Control Panel\Colors" /v InactiveTitle /t REG_SZ /d "255 200 220" /f"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Colors" /v InactiveTitle /t REG_SZ /d "255 200 220" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add "HKCU\Control Panel\Colors" /v InactiveTitleText /t REG_SZ /d "255 255 255" /f"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Colors" /v InactiveTitleText /t REG_SZ /d "255 255 255" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add "HKCU\Control Panel\Colors" /v InfoText /t REG_SZ /d "255 255 255" /f"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Colors" /v InfoText /t REG_SZ /d "255 255 255" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add "HKCU\Control Panel\Colors" /v InfoWindow /t REG_SZ /d "255 200 220" /f"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Colors" /v InfoWindow /t REG_SZ /d "255 200 220" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add "HKCU\Control Panel\Colors" /v Menu /t REG_SZ /d "255 200 220" /f"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Colors" /v Menu /t REG_SZ /d "255 200 220" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add "HKCU\Control Panel\Colors" /v MenuBar /t REG_SZ /d "255 200 220" /f"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Colors" /v MenuBar /t REG_SZ /d "255 200 220" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add "HKCU\Control Panel\Colors" /v MenuHilight /t REG_SZ /d "255 200 220" /f"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Colors" /v MenuHilight /t REG_SZ /d "255 200 220" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add "HKCU\Control Panel\Colors" /v MenuText /t REG_SZ /d "255 255 255" /f"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Colors" /v MenuText /t REG_SZ /d "255 255 255" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add "HKCU\Control Panel\Colors" /v Scrollbar /t REG_SZ /d "255 200 220" /f"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Colors" /v Scrollbar /t REG_SZ /d "255 200 220" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add "HKCU\Control Panel\Colors" /v TitleText /t REG_SZ /d "255 255 255" /f"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Colors" /v TitleText /t REG_SZ /d "255 255 255" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add "HKCU\Control Panel\Colors" /v Window /t REG_SZ /d "255 200 220" /f"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Colors" /v Window /t REG_SZ /d "255 200 220" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add "HKCU\Control Panel\Colors" /v WindowFrame /t REG_SZ /d "255 200 220" /f"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Colors" /v WindowFrame /t REG_SZ /d "255 200 220" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add "HKCU\Control Panel\Colors" /v WindowText /t REG_SZ /d "255 255 255" /f"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Colors" /v WindowText /t REG_SZ /d "255 255 255" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add "HKCU\Control Panel\Desktop" /v WallPaper /t REG_SZ /d C:\ProgramData\Cake\yae_wallpaper.jpg /f"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v WallPaper /t REG_SZ /d C:\ProgramData\Cake\yae_wallpaper.jpg /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 1 /f"

C:\Windows\system32\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v NoDispAppearancePage /t REG_DWORD /d 1 /f"

C:\Windows\system32\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v NoDispAppearancePage /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "schtasks /create /tn pretty_lock /tr "C:\ProgramData\Cake\lock_file.bat" /ru "NT AUTHORITY\SYSTEM" /rl HIGHEST /sc ONLOGON"

C:\Windows\system32\schtasks.exe

schtasks /create /tn pretty_lock /tr "C:\ProgramData\Cake\lock_file.bat" /ru "NT AUTHORITY\SYSTEM" /rl HIGHEST /sc ONLOGON

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "schtasks /run /tn pretty_lock"

C:\Windows\system32\schtasks.exe

schtasks /run /tn pretty_lock

C:\Windows\SYSTEM32\cmd.exe

C:\Windows\SYSTEM32\cmd.exe /c "C:\ProgramData\Cake\lock_file.bat"

C:\Windows\system32\takeown.exe

takeown /f "C:\ProgramData\Cake\pretty.exe"

C:\Windows\system32\attrib.exe

attrib +r +s "C:\ProgramData\Cake\pretty.exe"

C:\Windows\system32\icacls.exe

icacls "C:\ProgramData\Cake\pretty.exe" /remove *S-1-5-32-545

C:\Windows\system32\icacls.exe

icacls "C:\ProgramData\Cake\pretty.exe" /inheritance:r /grant:r *S-1-5-32-545:RX /deny *S-1-5-32-545:(de,WO,WDAC) /grant:r *S-1-5-32-544:RX /deny *S-1-5-32-544:(de,WO,WDAC)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "schtasks /delete /tn pretty_lock /F"

C:\Windows\system32\schtasks.exe

schtasks /delete /tn pretty_lock /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c shutdown -l

C:\Windows\system32\shutdown.exe

shutdown -l

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x0 /state0:0xa3afb855 /state1:0x41c64e6d

C:\Windows\system32\browser_broker.exe

C:\Windows\system32\browser_broker.exe -Embedding

C:\Windows\system32\browser_broker.exe

C:\Windows\system32\browser_broker.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 ctt.ac udp
US 134.209.68.5:443 ctt.ac tcp
US 134.209.68.5:443 ctt.ac tcp
US 8.8.8.8:53 5.68.209.134.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 56.189.21.2.in-addr.arpa udp
US 8.8.8.8:53 clicktotweet.com udp
US 134.209.68.5:443 clicktotweet.com tcp
US 134.209.68.5:443 clicktotweet.com tcp
US 134.209.68.5:443 clicktotweet.com tcp
US 134.209.68.5:443 clicktotweet.com tcp
US 8.8.8.8:53 178.34.239.216.in-addr.arpa udp
US 8.8.8.8:53 stats.g.doubleclick.net udp
BE 64.233.166.156:443 stats.g.doubleclick.net tcp
BE 64.233.166.156:443 stats.g.doubleclick.net tcp
US 8.8.8.8:53 163.20.217.172.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 156.166.233.64.in-addr.arpa udp
US 8.8.8.8:53 72.214.58.216.in-addr.arpa udp
US 8.8.8.8:53 twitter.com udp
US 104.244.42.65:443 twitter.com tcp
US 104.244.42.65:443 twitter.com tcp
US 8.8.8.8:53 x.com udp
US 104.244.42.193:443 x.com tcp
US 104.244.42.193:443 x.com tcp
US 8.8.8.8:53 65.42.244.104.in-addr.arpa udp
US 8.8.8.8:53 193.42.244.104.in-addr.arpa udp
US 8.8.8.8:53 abs.twimg.com udp
US 104.244.42.193:443 x.com tcp
US 104.244.42.193:443 x.com tcp
US 152.199.21.141:443 abs.twimg.com tcp
US 8.8.8.8:53 141.21.199.152.in-addr.arpa udp
US 8.8.8.8:53 4.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI30642\ucrtbase.dll

MD5 0e0bac3d1dcc1833eae4e3e4cf83c4ef
SHA1 4189f4459c54e69c6d3155a82524bda7549a75a6
SHA256 8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae
SHA512 a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd

C:\Users\Admin\AppData\Local\Temp\_MEI30642\python310.dll

MD5 63a1fa9259a35eaeac04174cecb90048
SHA1 0dc0c91bcd6f69b80dcdd7e4020365dd7853885a
SHA256 14b06796f288bc6599e458fb23a944ab0c843e9868058f02a91d4606533505ed
SHA512 896caa053f48b1e4102e0f41a7d13d932a746eea69a894ae564ef5a84ef50890514deca6496e915aae40a500955220dbc1b1016fe0b8bcdde0ad81b2917dea8b

\Users\Admin\AppData\Local\Temp\_MEI30642\VCRUNTIME140.dll

MD5 f34eb034aa4a9735218686590cba2e8b
SHA1 2bc20acdcb201676b77a66fa7ec6b53fa2644713
SHA256 9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1
SHA512 d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

C:\Users\Admin\AppData\Local\Temp\_MEI30642\base_library.zip

MD5 c4989bceb9e7e83078812c9532baeea7
SHA1 aafb66ebdb5edc327d7cb6632eb80742be1ad2eb
SHA256 a0f5c7f0bac1ea9dc86d60d20f903cc42cff3f21737426d69d47909fc28b6dcd
SHA512 fb6d431d0f2c8543af8df242337797f981d108755712ec6c134d451aa777d377df085b4046970cc5ac0991922ddf1f37445a51be1a63ef46b0d80841222fb671

C:\Users\Admin\AppData\Local\Temp\_MEI30642\_ctypes.pyd

MD5 1635a0c5a72df5ae64072cbb0065aebe
SHA1 c975865208b3369e71e3464bbcc87b65718b2b1f
SHA256 1ea3dd3df393fa9b27bf6595be4ac859064cd8ef9908a12378a6021bba1cb177
SHA512 6e34346ea8a0aacc29ccd480035da66e280830a7f3d220fd2f12d4cfa3e1c03955d58c0b95c2674aea698a36a1b674325d3588483505874c2ce018135320ff99

C:\Users\Admin\AppData\Local\Temp\_MEI30642\libffi-7.dll

MD5 eef7981412be8ea459064d3090f4b3aa
SHA1 c60da4830ce27afc234b3c3014c583f7f0a5a925
SHA256 f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081
SHA512 dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

C:\Users\Admin\AppData\Local\Temp\_MEI30642\_bz2.pyd

MD5 86d1b2a9070cd7d52124126a357ff067
SHA1 18e30446fe51ced706f62c3544a8c8fdc08de503
SHA256 62173a8fadd4bf4dd71ab89ea718754aa31620244372f0c5bbbae102e641a60e
SHA512 7db4b7e0c518a02ae901f4b24e3860122acc67e38e73f98f993fe99eb20bb3aa539db1ed40e63d6021861b54f34a5f5a364907ffd7da182adea68bbdd5c2b535

C:\Users\Admin\AppData\Local\Temp\_MEI30642\_lzma.pyd

MD5 7447efd8d71e8a1929be0fac722b42dc
SHA1 6080c1b84c2dcbf03dcc2d95306615ff5fce49a6
SHA256 60793c8592193cfbd00fd3e5263be4315d650ba4f9e4fda9c45a10642fd998be
SHA512 c6295d45ed6c4f7534c1a38d47ddc55fea8b9f62bbdc0743e4d22e8ad0484984f8ab077b73e683d0a92d11bf6588a1ae395456cfa57da94bb2a6c4a1b07984de

C:\Users\Admin\AppData\Local\Temp\_MEI30642\api-ms-win-core-heap-l1-1-0.dll

MD5 a8b967b65232ecce7261eaecf39e7d6d
SHA1 df0792b29c19d46a93291c88a497151a0ba4366d
SHA256 8fcc9a97a8ad3be9a8d0ce6bb502284dd145ebbe587b42cdeaa4262279517c1d
SHA512 b8116208eb646ec1c103f78c768c848eb9d8d7202ebdab4acb58686e6f0706f0d6aaa884e11065d7ece63ebbd452f35b1422bd79e6eb2405fb1892758195ccbb

C:\Users\Admin\AppData\Local\Temp\_MEI30642\pyexpat.pyd

MD5 1118c1329f82ce9072d908cbd87e197c
SHA1 c59382178fe695c2c5576dca47c96b6de4bbcffd
SHA256 4a2d59993bce76790c6d923af81bf404f8e2cb73552e320113663b14cf78748c
SHA512 29f1b74e96a95b0b777ef00448da8bd0844e2f1d8248788a284ec868ae098c774a694d234a00bd991b2d22c2372c34f762cdbd9ec523234861e39c0ca752dcaa

C:\Users\Admin\AppData\Local\Temp\_MEI30642\_brotli.cp310-win_amd64.pyd

MD5 ee3d454883556a68920caaedefbc1f83
SHA1 45b4d62a6e7db022e52c6159eef17e9d58bec858
SHA256 791e7195d7df47a21466868f3d7386cff13f16c51fcd0350bf4028e96278dff1
SHA512 e404adf831076d27680cc38d3879af660a96afc8b8e22ffd01647248c601f3c6c4585d7d7dc6bbd187660595f6a48f504792106869d329aa1a0f3707d7f777c6

C:\Users\Admin\AppData\Local\Temp\_MEI30642\_asyncio.pyd

MD5 33d0b6de555ddbbbd5ca229bfa91c329
SHA1 03034826675ac93267ce0bf0eaec9c8499e3fe17
SHA256 a9a99a2b847e46c0efce7fcfefd27f4bce58baf9207277c17bffd09ef4d274e5
SHA512 dbbd1ddfa445e22a0170a628387fcf3cb95e6f8b09465d76595555c4a67da4274974ba7b348c4c81fe71c68d735c13aacb8063d3a964a8a0556fb000d68686b7

C:\Users\Admin\AppData\Local\Temp\_MEI30642\yae_wallpaper.jpg

MD5 09ffe72a73154d34fe7d9b9a0d783d2f
SHA1 f0c213776fc611047d2eb5ea79c4a27bb4515f61
SHA256 216a4381524cd23ef28518d3f2965c42f03f4be0dabe68b11f9aaa0f19be4509
SHA512 bcad75d710a0378b1a0c907654f5d4d57f8f949baf29c3901781a96c9855072309b4f7d1759ff1b05efddf1cfcb877ee84cdf7799c6ec2d8da3f41ad2170b031

C:\Users\Admin\AppData\Local\Temp\_MEI30642\VCRUNTIME140_1.dll

MD5 135359d350f72ad4bf716b764d39e749
SHA1 2e59d9bbcce356f0fece56c9c4917a5cacec63d7
SHA256 34048abaa070ecc13b318cea31425f4ca3edd133d350318ac65259e6058c8b32
SHA512 cf23513d63ab2192c78cae98bd3fea67d933212b630be111fa7e03be3e92af38e247eb2d3804437fd0fda70fdc87916cd24cf1d3911e9f3bfb2cc4ab72b459ba

C:\Users\Admin\AppData\Local\Temp\_MEI30642\unicodedata.pyd

MD5 81d62ad36cbddb4e57a91018f3c0816e
SHA1 fe4a4fc35df240b50db22b35824e4826059a807b
SHA256 1fb2d66c056f69e8bbdd8c6c910e72697874dae680264f8fb4b4df19af98aa2e
SHA512 7d15d741378e671591356dfaad4e1e03d3f5456cbdf87579b61d02a4a52ab9b6ecbffad3274cede8c876ea19eaeb8ba4372ad5986744d430a29f50b9caffb75d

C:\Users\Admin\AppData\Local\Temp\_MEI30642\select.pyd

MD5 a653f35d05d2f6debc5d34daddd3dfa1
SHA1 1a2ceec28ea44388f412420425665c3781af2435
SHA256 db85f2f94d4994283e1055057372594538ae11020389d966e45607413851d9e9
SHA512 5aede99c3be25b1a962261b183ae7a7fb92cb0cb866065dc9cd7bb5ff6f41cc8813d2cc9de54670a27b3ad07a33b833eaa95a5b46dad7763ca97dfa0c1ce54c9

C:\Users\Admin\AppData\Local\Temp\_MEI30642\pinkpfp.jpg

MD5 d9fcc67f6ea4e7f7719b1f7ae1b483e0
SHA1 ef9dbb3e1c31d1ab4c4c417c1b9b3d5df5be535f
SHA256 82205d551b09b0398c61521a3fd6f35a7bb7e6bb2a204feff2a962f0c9a9c841
SHA512 01e75a4511283fb000bfc8af3303fcbc1a1be7aa94d85169054fbc770ccaf5e78c8053b41398e609f00fe55bfa91339eda536dacc2f833914bd9a4dc4e710ee0

C:\Users\Admin\AppData\Local\Temp\_MEI30642\libssl-1_1.dll

MD5 bec0f86f9da765e2a02c9237259a7898
SHA1 3caa604c3fff88e71f489977e4293a488fb5671c
SHA256 d74ce01319ae6f54483a19375524aa39d9f5fd91f06cf7df238ca25e043130fd
SHA512 ffbc4e5ffdb49704e7aa6d74533e5af76bbe5db297713d8e59bd296143fe5f145fbb616b343eed3c48eceaccccc2431630470d8975a4a17c37eafcc12edd19f4

C:\Users\Admin\AppData\Local\Temp\_MEI30642\libcrypto-1_1.dll

MD5 9d7a0c99256c50afd5b0560ba2548930
SHA1 76bd9f13597a46f5283aa35c30b53c21976d0824
SHA256 9b7b4a0ad212095a8c2e35c71694d8a1764cd72a829e8e17c8afe3a55f147939
SHA512 cb39aa99b9d98c735fdacf1c5ed68a4d09d11f30262b91f6aa48c3f8520eff95e499400d0ce7e280ca7a90ff6d7141d2d893ef0b33a8803a1cadb28ba9a9e3e2

C:\Users\Admin\AppData\Local\Temp\_MEI30642\api-ms-win-crt-utility-l1-1-0.dll

MD5 57d3ee548db3a503ac391af798e0e2a2
SHA1 d686a96c5046d6d7a022c4266a5d0014745360a4
SHA256 2c80280e51c242466e10a36a0bf2a341607983b6f6648f93b0718b34ab5285c5
SHA512 f3ea9c8f2f230d23bc878e37044599b2c77f0bf6dd84b07c2f87a84263fb9ac7f44732f05e14781b6046afb2a39f27135c96d2da2ab9605bd00e55d9b0fffb0b

C:\Users\Admin\AppData\Local\Temp\_MEI30642\api-ms-win-crt-time-l1-1-0.dll

MD5 816a8932759bdb478d4263cacbf972e3
SHA1 ac9f2bed41e340313501aa7d33dcd369748f0496
SHA256 ce9a8e18923d12e2f62ce2a20693113000fc361cc816773037c155c273b99e7c
SHA512 5144f01bee04455d5b9a7b07e62f4afb928605331213eb483265016640198c175dc08673903ed5bc16b385ee76657aa4303776233d04347d9d1daadce39525c4

C:\Users\Admin\AppData\Local\Temp\_MEI30642\api-ms-win-crt-string-l1-1-0.dll

MD5 f9297b9ff06295bc07b7e5281b1face0
SHA1 d0eb0fddbb3eb187df0f0e5f9ddffcfc2e05f9b7
SHA256 c56a2ee0cc6dc1e7283b9bda8b7b2dba957329cb4bc9aca4cd99f88e108f9c04
SHA512 bec6222776015996eba744698d3254945dfe4bb4dc0d85528ee59a0f3b5fc5bb054bbf496d562cfc7b4cc81b4d3df5c53761931162a0091a49386233afba4f9c

C:\Users\Admin\AppData\Local\Temp\_MEI30642\api-ms-win-crt-stdio-l1-1-0.dll

MD5 8341f0371e25b8077fe61c89a9ef8144
SHA1 fc185203e33abed12e1398440cb2ee283ca9541a
SHA256 bd9a5d4554ef1a374257e8dd9436d89f686006ed1fd1cc44364b237bf5b795ff
SHA512 9c7e4e8d8e9e620f441ab5106820ec021d2b2323f44ed8cc8ec9673745dbc531347356f1ff195d63b62b09cc5c27e8f8641ce25be12ee9b700b5fc766337228b

C:\Users\Admin\AppData\Local\Temp\_MEI30642\api-ms-win-crt-runtime-l1-1-0.dll

MD5 364bc49cc7034f8a9981ade1ce565229
SHA1 fbd76c1842d1ccf563ece2db32fff4c71e7ca689
SHA256 6254fd07ace88685112e3a7b73676aabf13a1b1bc30c55dd976b34fea12b7f1d
SHA512 65e59e3358eb1bf26823c9538c74d343e7383591c021d2b340ef68aa9a274d65b15b30bbbe55f4b32e3a08fc79d4e179a6ce92eadb8c4be09a2c35c348ce10af

C:\Users\Admin\AppData\Local\Temp\_MEI30642\api-ms-win-crt-process-l1-1-0.dll

MD5 e3914d51afd864a6c6587aa9192c491b
SHA1 bae85701809bc259a8744aafa45cd7159e6c13f8
SHA256 28257cc063431f78284335ce3002ffb71b75c1e7ccabf5417bb42392c35564b4
SHA512 43b1445a80d309ec73d52d6cf68f4533a132fb55ab672e5e2a878bb42c1cb36d6e4c504d43fa4923e692c8be600f3f9d5a5edde80602636cb726eedfca23dfb8

C:\Users\Admin\AppData\Local\Temp\_MEI30642\api-ms-win-crt-multibyte-l1-1-0.dll

MD5 0b057fa3a94c782da362d225c5974d12
SHA1 ca27a53ff2be1250e33045989e0fb515dfdfe3f3
SHA256 e1c519fef1622d35a05dd60e6464492f7b8ee6bbceee01563db82be66edb1346
SHA512 2dc6ef4d2d1f1bc050cba52e1a96242468fa25372f216e399163bce2e5e17c4911e097106f5727db4379c9fb603091b32f1e818695b362596037d7a6f43e06c7

C:\Users\Admin\AppData\Local\Temp\_MEI30642\api-ms-win-crt-math-l1-1-0.dll

MD5 a592d1b2ecc42d1a083f0d34feae2444
SHA1 29718af390f832626fcdcc57c107333cdb5743e1
SHA256 18a827b01de7b1a3d5c8d17b79ad2462a90308124448a9b8c47eccda39c3a095
SHA512 44bed6d24f1fa35b10d2b2b1574e7baf10182e60fdcb6cba5dd9de5cd7a5183198925e4fa5a7e2896564a30f7b70de69691713118d59bf5162ce35aff5bcf7a6

C:\Users\Admin\AppData\Local\Temp\_MEI30642\api-ms-win-crt-locale-l1-1-0.dll

MD5 75f1a5f65790560d9544f3fb70efba51
SHA1 f30a5751901cfffc250be76e13a8b711ebc06bcc
SHA256 e0e02ea6c17da186e25e352b78c80b1b3511b5c1590e5ba647b14a7b384af0f8
SHA512 b7e285ca35f6a8ae2ccbe21594d72152175301a02ad6b92fe130e1e226a0faad1bfad1bd49857401549c09b50feee2c42c23ca4c19b2845cad090f5b9e8e8f63

C:\Users\Admin\AppData\Local\Temp\_MEI30642\api-ms-win-crt-heap-l1-1-0.dll

MD5 4b038cdc70357d2dec440717ac344a52
SHA1 f67ba87f6830858845a5763381a47893af061bf8
SHA256 6a24e9cfb0efd9e1b90053d4ebd87fc35144e61ae3f6555c7d400542d648e2b5
SHA512 9557f15fa3c06de89ea8be0c959b94575a1c4587151687730f9e66fed095feb882d43ea32262000f871e6d860ce0c6c341cf5509a6ce81866f6d0efacb8526fe

C:\Users\Admin\AppData\Local\Temp\_MEI30642\api-ms-win-crt-filesystem-l1-1-0.dll

MD5 102a8c01049ef18cc6e8798a9e5d57f4
SHA1 9adef547e03032d8c5525cc9c7d4512fbeb53948
SHA256 e13edab280e7b3410d7f4ce30a8e8cae64f38652d770fc3bf223206f0c57aaa5
SHA512 a9fbc726f33399f55f70967f3f1bf374589eaad9581d9e94228d39afa06cdce31ed25bdc04805aad361c7cafbeb56ca39f6693259d67457199d4423a61b32263

C:\Users\Admin\AppData\Local\Temp\_MEI30642\api-ms-win-crt-environment-l1-1-0.dll

MD5 e41612752a7dfbbe756322cf48e106b9
SHA1 0ec106e926c9837a43e1d7ec8d1a5f03edd5ec3d
SHA256 4bb9d36e0e034652f2331ddb43ee061608f436cbc9e5771b4d27b28fa10f5248
SHA512 9bed9399e896d1cc58cc06e8d7ec6cc3345be6d15ca307c670e0f282c9ebe48a6cc1b145c2ecf94d84214cddff8f0d0d720ea984478c74c98e2499c2184638c9

C:\Users\Admin\AppData\Local\Temp\_MEI30642\api-ms-win-crt-convert-l1-1-0.dll

MD5 87e2934e49d7d111f383673f97d5029e
SHA1 267603d5510b775de3667f7d92bfaa3bd60e6533
SHA256 fb9dd774b25ab8e661c922caffb976c37a4d10a631ab65665da60016ef0c4d7c
SHA512 e6025ad419359ad3e06cc7a3b3b7436464dbbc71b91653833575264a5f8b0d781844a411bcd915d404b9a8c0a056eaf6d4d412723936845b53bfb5368bf5f7a7

C:\Users\Admin\AppData\Local\Temp\_MEI30642\api-ms-win-crt-conio-l1-1-0.dll

MD5 9eb2c06decaae1a109a94886a26eec25
SHA1 307ce096bee44f54a6d37aab1ef123fb423ed028
SHA256 da8fd2fe08a531d2331c1fbee9f4ae9015b64f24a2654a7f82418c86b4ab6909
SHA512 7e701cb00a4cab8d5b3ecf55a16fef0103f9be1aa3fd7b53c7bab968708c21e8d1c763ad80a7a8d6c76dd45ddd244c9c9e8944455c2025b4195660b61ac1e8b7

C:\Users\Admin\AppData\Local\Temp\_MEI30642\api-ms-win-core-util-l1-1-0.dll

MD5 f7fdc91ac711a9bb3391901957a25cea
SHA1 1cebc5497e15051249c951677b5b550a1770c24f
SHA256 de47c1f924dc12e41d3a123b7dcce0260e7758b90fb95ec95c270fc116fc7599
SHA512 0e03c998622d6bf113e8d3b4dab728974391efecf59df89f938bd22240488e71885c05fb0fa805948b3d9645758409a0966299b26625aa36e3fd6e519ee22769

C:\Users\Admin\AppData\Local\Temp\_MEI30642\api-ms-win-core-timezone-l1-1-0.dll

MD5 b9a20c9223d3e3d3a0c359f001ce1046
SHA1 9710b9a8c393ba00c254cf693c7c37990c447cc8
SHA256 00d9a7353be0a54c17e4862b86196a8b2bc6a007899fa2fbe61afd9765548068
SHA512 a7d5611c0b3b53da6cac61e0374d54d27e6e8a1af90ef66cd7e1b052f906c8b3f6087f4c6de0db3ae0b099df7689ecde6c815a954b728d36d9d3b5d002ccf18e

C:\Users\Admin\AppData\Local\Temp\_MEI30642\api-ms-win-core-sysinfo-l1-1-0.dll

MD5 e4893842d031b98cac1c6f754a2a3f8d
SHA1 2b0187134e40d27553a85dd4ec89dd6c40e58a24
SHA256 abe4c1464b325365d38e0bc4ae729a17a7f6f7ba482935c66e6840e1b0d126c5
SHA512 fc61a66fdc7213857f204bd0b20671db7092e0010e07b5e0e8e8408ace8ac5b6e696a7d9fc969233b2b3ad5dae4d3b291b007ff27a316e7fb750bfc93257c532

C:\Users\Admin\AppData\Local\Temp\_MEI30642\api-ms-win-core-synch-l1-2-0.dll

MD5 b962237df7ea045c325e7f97938097cb
SHA1 1115e0e13ecc177d057e3d1c9644ac4d108f780a
SHA256 a24dd6afdb4c4aa450ae4bc6a2861a49032170661b9c1f30cd0460c5dc57e0f7
SHA512 19ac4cccaaa59fbae042d03ba52d89f309bd2591b035f3ec3df430ff399d650fcf9c4d897834a520dea60dc0562a8a6f7d25a1fffcd32f765a4eaffe4c7d5ea2

C:\Users\Admin\AppData\Local\Temp\_MEI30642\api-ms-win-core-synch-l1-1-0.dll

MD5 bccc676f2fb18c1a1864363e5a649a88
SHA1 a095a83a32a4a65fe16aa0be9a517239fac5db0d
SHA256 9d3f803dc791d2ff2e05059f9bb9207cc8f4134e1ac05f20edd20cfadd6e72c0
SHA512 55aab9fa6f7c4904e4beea4ce250f45fb71c2dd6a6f099f4017101ebc45c0a6e303b6a222f49c971992cafe8988a042b7ef8e94671be858c926105021514737a

C:\Users\Admin\AppData\Local\Temp\_MEI30642\api-ms-win-core-string-l1-1-0.dll

MD5 b65933f7bcadc7072d5a2d70ecba9f81
SHA1 c53561755b9f33d0ae7874b3a7d67bedcb0129d8
SHA256 eadf535795df58d4f52fc6237fe46feb0f8166daca5eaaa59cec3cee50a9181d
SHA512 4cbb8bda8609404fe84ca36a8cbfe1d69c55dee2b969231b2fa00ca9139d956196a2babbb80a1a2bb430a34e6bd335294f452bcbe9e44411561ebdf21e4aba91

C:\Users\Admin\AppData\Local\Temp\_MEI30642\api-ms-win-core-rtlsupport-l1-1-0.dll

MD5 0b30c6862b5224cc429fe2eb2b7bf14b
SHA1 5c3affa14e3bfdafe09e9841a2920b57c7fcbc56
SHA256 d9c6f93c4972db08c7888d55e8e59e8aba022d416817d65bc96e5a258c859b5f
SHA512 b378f2a2812245ea948d81a925d041dbd7e7a8fb2770cf7dd47643da20f5c685c6121479f95b293177a9480290b17c49e7b4fc10d33734cf883d2c614daae1bf

C:\Users\Admin\AppData\Local\Temp\_MEI30642\api-ms-win-core-profile-l1-1-0.dll

MD5 1be729c6d9bf1b58f435b23e7f87ba49
SHA1 4b2df3fab46a362ee46057c344995fa622e0672a
SHA256 4c425fbb8d2319d838733ab9cec63a576639192d993909e70cf84f49c107f785
SHA512 ceccc5ff2bd90a91cfbb948f979576795ff0a9503ddaafd268c14306f93d887975bd376b62ed688be51bb88b3a0c54ef332be93b4b0d8737b5ab70a661b11416

C:\Users\Admin\AppData\Local\Temp\_MEI30642\api-ms-win-core-processthreads-l1-1-1.dll

MD5 774aa9f9318880cb4ad3bf6f464da556
SHA1 3a5c07cf35009c98eb033e1cbde1900135d1abf8
SHA256 ba9fbd3a21879614c050c86a74ad2fffc0362266d6fa7be0ef359de393136346
SHA512 f7b57afb9810e3390d27a5469572fb29f0f1726f599403a180e685466237dff5dec4fdce40105ef1bb057e012d546308213e7cec73e0d7d3c5815eec8189a75d

C:\Users\Admin\AppData\Local\Temp\_MEI30642\api-ms-win-core-processthreads-l1-1-0.dll

MD5 73586decad3b3d90653750504b356a5c
SHA1 39a7ee1660ca1291314ef78150e397b1d8683e03
SHA256 34f560c3e56f40db5df695c967b6e302e961085bc037bb9a1c2d2c866a9df48f
SHA512 9ec299e930d2b89ad379613f8fa63669ec7c858da8a24608b92175f42b0be75f8aa2e1727dabf7638ae9d2942d03840f288eab53f2c9f38dbea1325f1ea8b22b

C:\Users\Admin\AppData\Local\Temp\_MEI30642\api-ms-win-core-processenvironment-l1-1-0.dll

MD5 4f1303827a67760d02feb54e9258edb1
SHA1 340d7029c39708d14da79b12a0e2ed0a8bc7c020
SHA256 77fc9adf1a734d9717700b038b98b4337a494fc4f7e1e706c82e97dbca896fd8
SHA512 20f067d1c2749c709e4fc45da8d9eb5b813f54d0e09fa482d00bc4a7e5744c587d0afc00cdd5263b4223fe94baa3f8ca110d010339f9e3f1c6b2700888dbe3d0

C:\Users\Admin\AppData\Local\Temp\_MEI30642\api-ms-win-core-namedpipe-l1-1-0.dll

MD5 d1bc9b3a7aa94d10c41fa16210aa9dba
SHA1 a358b824b1f26ead420d2100e5f1a3fb74af2b7a
SHA256 75652caf05e86adc88ed214fd208b4a289489cac2b28fd358e302e2e7c3c338f
SHA512 149478dfca0165d5a68e89070017cda3400926284eaa2143a810138ff710079cde413c031721de5b58cb834f03d4c5df5b4bd6c2bdb65687755ad77cae778b30

C:\Users\Admin\AppData\Local\Temp\_MEI30642\api-ms-win-core-memory-l1-1-0.dll

MD5 064fb2e1b5e90796a68d1edf91269ad3
SHA1 6e3a8c568f038879b7b102975a4471b2489f5493
SHA256 3500935e638f7d0ae2bf564bf77f9329811329261185fcdb9cd702b999889ffd
SHA512 821f091529d45531811a73664473cebb372a310d855e1a4c1a028ad4dc7d36146d3030dcf10de8a4a4bf16fb535fe3d0d2e1fcd22959690842388abb177b0036

C:\Users\Admin\AppData\Local\Temp\_MEI30642\api-ms-win-core-localization-l1-2-0.dll

MD5 3589557535bba7641da3d76eefb0c73d
SHA1 6f63107c2212300c7cd1573059c08b43e5bd9b95
SHA256 642b01bb93d2cb529acf56070d65aae3202fd0b48d19fd40ec6763b627bcbee6
SHA512 7aedf3cf686b416f8b419f8af1d57675096ab2c2378c5a006f6ecbf2fe1ad701f28b7be8f08c9083230cf4d15d463371e92a6032178cd6c139d60b26fbd49b06

C:\Users\Admin\AppData\Local\Temp\_MEI30642\api-ms-win-core-libraryloader-l1-1-0.dll

MD5 d042aa497ce2a9f03296f8de68ed0680
SHA1 f483a343a18b960630ccf0e6de2f82883550f3bf
SHA256 de3d2c5519f74a982f06f3f3fda085571c0cdcf5ad8d2d331c79d9c92062bdc3
SHA512 4e157c8701860982ce0dec956fe4bfb684d2db3eaa9e784f179d385be905fd0551ba90cc27c54179fc39a693d9c742364f2bf1a5444424ba5eae38103b5f0e02

C:\Users\Admin\AppData\Local\Temp\_MEI30642\api-ms-win-core-interlocked-l1-1-0.dll

MD5 5872cb5ca3980697283aab9007196ae6
SHA1 26e8de47d9bee371f6c7a47f206a131965b6b481
SHA256 0dff50774693fcb71782b5e214419032a8c00b3031151d93be5c971b6f62cd45
SHA512 9b3e2fa9f66d29bfc7a4ca5d673b395bcda223a85fd06c94a11217047c1a312148c9c6270d7f69dfef06b25f8b5ad46717a829bde55f540c804a4ba4c4af070c

C:\Users\Admin\AppData\Local\Temp\_MEI30642\api-ms-win-core-file-l2-1-0.dll

MD5 bfffa7117fd9b1622c66d949bac3f1d7
SHA1 402b7b8f8dcfd321b1d12fc85a1ee5137a5569b2
SHA256 1ea267a2e6284f17dd548c6f2285e19f7edb15d6e737a55391140ce5cb95225e
SHA512 b319cc7b436b1be165cdf6ffcab8a87fe29de78f7e0b14c8f562be160481fb5483289bd5956fdc1d8660da7a3f86d8eede35c6cc2b7c3d4c852decf4b2dcdb7f

C:\Users\Admin\AppData\Local\Temp\_MEI30642\api-ms-win-core-file-l1-2-0.dll

MD5 2b36752a5157359da1c0e646ee9bec45
SHA1 708aeb7e945c9c709109cea359cb31bd7ac64889
SHA256 3e3eb284937b572d1d70ce27be77b5e02eb73704c8b50feb5eb933db1facd2fc
SHA512 fc56080362506e3f38f1b3eb9d3193cdb9e576613c2e672f0fe9df203862f8a0f31938fa48b4ff7115dfe6016fa1fd5c5422fdc1913df63b3fde5f478a8417a1

C:\Users\Admin\AppData\Local\Temp\_MEI30642\api-ms-win-core-file-l1-1-0.dll

MD5 abf9850eb219be4976a94144a9eba057
SHA1 3d8c37588b36296240934b2f63a1b135a52fcee2
SHA256 41c5c577fea3ce13d5beb64ce0920f1061f65bcf39eafa8cd3dfc09ff48bcf76
SHA512 dfaafb43ce7f05b2db35eac10b314fb506c6aada80f6c4327b09ec33c170478ebd0eea19f1c6ca2e4832bfa41f769046deca8f15d54b7966134d166ee6036bda

C:\Users\Admin\AppData\Local\Temp\_MEI30642\api-ms-win-core-errorhandling-l1-1-0.dll

MD5 98340ffd2b1d8affef27d4b1260aeac5
SHA1 b428b39aa814a7038a1ddff9b64b935f51833a26
SHA256 7388a019922e9a0a3d05a8605a5307e3141b39f7d57b7faca5d34e72adfd5fa5
SHA512 6165c5be0360d55403e9dfd4e9df4ff9a12e5fb6057ed9278da09e688751487e46d9dd64949375c00764cbb4355cc13a1ea714055050f2ab7d432977b8443f81

C:\Users\Admin\AppData\Local\Temp\_MEI30642\api-ms-win-core-debug-l1-1-0.dll

MD5 a00ebd3cf88d668be6d62a25fa4fb525
SHA1 edb07eafd08991611389293e2be80f8ee98f1e62
SHA256 b44646453584305d4edf8ab5f5d1adea6b9650bd2b75f8486fc275be52b86433
SHA512 d63f0e9f2e079ee06aa3ab96a0bd2d169564896027b731ee2597327bdc55456c5fd0c2d8c7e68165fc80bbc3fe0c24a3388d4c3615f33fc9f9fc0b205ae9ba7a

C:\Users\Admin\AppData\Local\Temp\_MEI30642\api-ms-win-core-datetime-l1-1-0.dll

MD5 3095c9577395249e105410bdcc585f77
SHA1 7dfc0c81f8f28cbf36c5acdb83523569b430b944
SHA256 c08be448195f46c4b423d0ce0c2cdc343e842ff1f91b16a8d3c09d5152150917
SHA512 555568fc23ade238bcc13a447520d395546def4409a002d795dd3abea03b15321491bc63c97f4ed8eb78aa411a0b1267dce5c528e51dcac8ca9e93b8f5265786

C:\Users\Admin\AppData\Local\Temp\_MEI30642\api-ms-win-core-handle-l1-1-0.dll

MD5 567ff20a8d330cbb3278d3360c8d56f5
SHA1 cdf0cfc650da3a1b57dc3ef982a317d37ffb974d
SHA256 47dfbe1ecc8abc002bd52dcd5281ed7378d457789be4cb1e9bee369150d7f5c8
SHA512 1643e900f13509f0ef9c7b7f8f2401fb3b6f2c0c39b512c623615df92b1e69df042ef1a0c6aace82173ce5d4d3c672c1636d6ee05545ce5c3b7374ab745e0e87

C:\Users\Admin\AppData\Local\Temp\_MEI30642\api-ms-win-core-console-l1-1-0.dll

MD5 a148dc22ea14cd5578de22b2dfb0917f
SHA1 eaccb66f62e5b6d7154798e596eabd3cef00b982
SHA256 7603e172853a9711fbdc53b080432ad12984b463768dbc3aa842a26f5b26ae23
SHA512 4e3c927692fc41889b596273aea8bbd776cf7644dae26c411c12bda23cd3299a5c9adc06a930294310f002de74592a244767378fc9e37ec76e86bfa23f4c0478

memory/4952-223-0x0000011B6E920000-0x0000011B6E930000-memory.dmp

memory/4952-239-0x0000011B6EA20000-0x0000011B6EA30000-memory.dmp

memory/4952-258-0x0000011B6BFD0000-0x0000011B6BFD2000-memory.dmp

memory/4460-287-0x0000027995800000-0x0000027995900000-memory.dmp

memory/4460-294-0x00000279A5CB0000-0x00000279A5CB2000-memory.dmp

memory/4460-292-0x00000279A5AF0000-0x00000279A5AF2000-memory.dmp

memory/4460-290-0x00000279A5AD0000-0x00000279A5AD2000-memory.dmp

memory/4460-314-0x00000279A5DD0000-0x00000279A5DF0000-memory.dmp

memory/4952-340-0x0000011B74E50000-0x0000011B74E51000-memory.dmp

memory/4952-341-0x0000011B74E60000-0x0000011B74E61000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\Q0HHSSW8\favicon[1].ico

MD5 fbc823a3900c2ddc64bc561ae4950560
SHA1 4f4de67a42a9159db2af02e59e5b9b5469d91370
SHA256 47a74ea5b48e0f2d025328d4f989d5c7dc022868b709d9fd434cda4e9a7045f0
SHA512 3a58c968d557c37d457ade5903a1cf4a68416e79a2ccdd74faa5d36072902f7b113380ae58b7b2ce1f4eb16404515de8f751148ca9259cf1166a4abf1da5864f

memory/4460-376-0x0000027995800000-0x0000027995900000-memory.dmp

memory/4460-375-0x0000027995800000-0x0000027995900000-memory.dmp

memory/4460-390-0x00000279A6080000-0x00000279A6082000-memory.dmp

memory/4460-388-0x00000279A5E90000-0x00000279A5E92000-memory.dmp

memory/4460-386-0x00000279A5E50000-0x00000279A5E52000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\60OWAKUB\favicon[1].png

MD5 864232b885e52799e6b0d1c37a4283a0
SHA1 2c2500822c05b93cf169c338af2fdf7d04ea4260
SHA256 2b56e0a792d9999e15f3ee39cabcba5cc3f88b4e640e71b3755c1424d8e12010
SHA512 9f868e18ec06442d4141034e0f0beb4f02fd7228a859ed9344b9c001519b02de849a16258db5f3613ac8b6b7cb8f7476fdf68f4a057b4d5c0ebc4b49d0d17bf2

C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme

MD5 23d62fe482706b944e6e26640ffedef2
SHA1 a56f72d5e67b194fdbdc5f40c169f9107a9d6e8a
SHA256 0ff0e51683a0edb4688bdfc36539fac6d5af99e71ba731bd6ac445dce69f782d
SHA512 5b771253897e4c8e7dedddab8f38563ec54e67f17a4f645593a6a5c9a1f57f18372565ea7787e499e5c4814e680b483d9fe9f42267fd0fb730ff5349df528bc4

C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme

MD5 b53df16c11e3ead565d9adc4380642cb
SHA1 98e5eaaf1fcaa69b703e743724414141eff4dbf8
SHA256 c75f3a83827948d47b25c6baf387dac955565fdf65446d3bee52586ccce1dfe2
SHA512 1c014b9a0e39f2f8603dc59628d41e378e4d479713776f081235192b5cc1a77237680545a108b80a21b406f5444620b8840d5e1e4cf64e82d11c02e1e1b2f4b5

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-28 21:54

Reported

2024-05-28 22:00

Platform

win10v2004-20240426-en

Max time kernel

300s

Max time network

203s

Command Line

"C:\Users\Admin\AppData\Local\Temp\pretty.exe"

Signatures

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation C:\Windows\system32\cmd.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Reads user/profile data of web browsers

spyware stealer

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\Cake\\yae_wallpaper.jpg" C:\Windows\system32\reg.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Cursors C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Cursors\NWPen = "C:\\Windows\\cursors\\aero_pen.cur" C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Cursors\SizeWE = "C:\\Windows\\cursors\\aero_ew.cur" C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Cursors\ = "Windows Default" C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Appearance\NewCurrent C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Desktop\UserPreferencesMask = 9e1e078012000000 C:\Windows\system32\rundll32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Cursors\Scheme Source = "2" C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Accessibility\HighContrast\High Contrast Scheme C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Cursors\Hand = "C:\\Windows\\cursors\\aero_link.cur" C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Cursors\Crosshair C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Accessibility\HighContrast\Previous High Contrast Scheme MUI Value C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\cursors\\aero_working.ani" C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Cursors\SizeNESW = "C:\\Windows\\cursors\\aero_nesw.cur" C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Cursors\SizeAll = "C:\\Windows\\cursors\\aero_move.cur" C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Cursors\IBeam C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Cursors\SizeNWSE = "C:\\Windows\\cursors\\aero_nwse.cur" C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Cursors\UpArrow = "C:\\Windows\\cursors\\aero_up.cur" C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Appearance\Current C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Accessibility\HighContrast C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Accessibility\HighContrast\Flags = "126" C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Cursors\SizeNS = "C:\\Windows\\cursors\\aero_ns.cur" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Appearance C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Cursors\Arrow = "C:\\Windows\\cursors\\aero_arrow.cur" C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Cursors\Help = "C:\\Windows\\cursors\\aero_helpsel.cur" C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Cursors\Wait = "C:\\Windows\\cursors\\aero_busy.ani" C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Cursors\No = "C:\\Windows\\cursors\\aero_unavail.cur" C:\Windows\system32\rundll32.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" C:\Windows\system32\LogonUI.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "156" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent C:\Windows\system32\LogonUI.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\LogonUI.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5004 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe C:\Users\Admin\AppData\Local\Temp\pretty.exe
PID 5004 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe C:\Users\Admin\AppData\Local\Temp\pretty.exe
PID 4956 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe C:\Windows\system32\cmd.exe
PID 4956 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe C:\Windows\system32\cmd.exe
PID 4956 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe C:\Windows\system32\cmd.exe
PID 4956 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe C:\Windows\system32\cmd.exe
PID 1048 wrote to memory of 508 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1048 wrote to memory of 508 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 4956 wrote to memory of 4248 N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4956 wrote to memory of 4248 N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4248 wrote to memory of 2640 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4248 wrote to memory of 2640 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4248 wrote to memory of 1928 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4248 wrote to memory of 1928 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4248 wrote to memory of 1928 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4248 wrote to memory of 1928 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4248 wrote to memory of 1928 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4248 wrote to memory of 1928 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4248 wrote to memory of 1928 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4248 wrote to memory of 1928 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4248 wrote to memory of 1928 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4248 wrote to memory of 1928 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4248 wrote to memory of 1928 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4248 wrote to memory of 1928 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4248 wrote to memory of 1928 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4248 wrote to memory of 1928 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4248 wrote to memory of 1928 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4248 wrote to memory of 1928 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4248 wrote to memory of 1928 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4248 wrote to memory of 1928 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4248 wrote to memory of 1928 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4248 wrote to memory of 1928 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4248 wrote to memory of 1928 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4248 wrote to memory of 1928 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4248 wrote to memory of 1928 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4248 wrote to memory of 1928 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4248 wrote to memory of 1928 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4248 wrote to memory of 1928 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4248 wrote to memory of 1928 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4248 wrote to memory of 1928 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4248 wrote to memory of 1928 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4248 wrote to memory of 1928 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4248 wrote to memory of 1928 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4248 wrote to memory of 1928 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4248 wrote to memory of 1928 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4248 wrote to memory of 1928 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4248 wrote to memory of 1928 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4248 wrote to memory of 1928 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4248 wrote to memory of 1928 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4248 wrote to memory of 1928 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4248 wrote to memory of 1928 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4248 wrote to memory of 1928 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4248 wrote to memory of 4588 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4248 wrote to memory of 4588 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4248 wrote to memory of 1624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4248 wrote to memory of 1624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4248 wrote to memory of 1624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4248 wrote to memory of 1624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4248 wrote to memory of 1624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4248 wrote to memory of 1624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4248 wrote to memory of 1624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4248 wrote to memory of 1624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4248 wrote to memory of 1624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4248 wrote to memory of 1624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Uses Task Scheduler COM API

persistence

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\pretty.exe

"C:\Users\Admin\AppData\Local\Temp\pretty.exe"

C:\Users\Admin\AppData\Local\Temp\pretty.exe

"C:\Users\Admin\AppData\Local\Temp\pretty.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ver"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "schtasks /create /tn "pretty" /tr "C:\ProgramData\Cake\pretty.exe" /sc ONLOGON /rl HIGHEST /f"

C:\Windows\system32\schtasks.exe

schtasks /create /tn "pretty" /tr "C:\ProgramData\Cake\pretty.exe" /sc ONLOGON /rl HIGHEST /f

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://ctt.ac/6qjil

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fff351146f8,0x7fff35114708,0x7fff35114718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2188,2942047530712663982,18358991695836655461,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2188,2942047530712663982,18358991695836655461,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2188,2942047530712663982,18358991695836655461,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2804 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,2942047530712663982,18358991695836655461,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,2942047530712663982,18358991695836655461,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,2942047530712663982,18358991695836655461,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,2942047530712663982,18358991695836655461,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3900 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,2942047530712663982,18358991695836655461,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,2942047530712663982,18358991695836655461,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5372 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,2942047530712663982,18358991695836655461,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2188,2942047530712663982,18358991695836655461,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5768 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2188,2942047530712663982,18358991695836655461,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5768 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,2942047530712663982,18358991695836655461,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5332 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,2942047530712663982,18358991695836655461,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,2942047530712663982,18358991695836655461,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,2942047530712663982,18358991695836655461,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5084 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,2942047530712663982,18358991695836655461,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,2942047530712663982,18358991695836655461,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3536 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,2942047530712663982,18358991695836655461,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "start "" "C:\Windows\Resources\Themes\aero.theme" & timeout /t 3 & taskkill /im "systemsettings.exe" /f"

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\themecpl.dll,OpenThemeAction C:\Windows\Resources\Themes\aero.theme

C:\Windows\system32\timeout.exe

timeout /t 3

C:\Windows\system32\taskkill.exe

taskkill /im "systemsettings.exe" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize /v AppsUseLightTheme /t REG_DWORD /d 1 /f"

C:\Windows\system32\reg.exe

reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize /v AppsUseLightTheme /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize /v EnableTransparency /t REG_DWORD /d 0 /f"

C:\Windows\system32\reg.exe

reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize /v EnableTransparency /t REG_DWORD /d 0 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize /v SystemUsesLightTheme /t REG_DWORD /d 1 /f"

C:\Windows\system32\reg.exe

reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize /v SystemUsesLightTheme /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize /v ColorPrevalence /t REG_DWORD /d 1 /f"

C:\Windows\system32\reg.exe

reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize /v ColorPrevalence /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Accent /v StartColorMenu /t REG_DWORD /d 0xff7878e7 /f"

C:\Windows\system32\reg.exe

reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Accent /v StartColorMenu /t REG_DWORD /d 0xff7878e7 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Accent /v AccentColorMenu /t REG_DWORD /d 0xff8e8eeb /f"

C:\Windows\system32\reg.exe

reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Accent /v AccentColorMenu /t REG_DWORD /d 0xff8e8eeb /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Accent /v AccentPalette /t REG_BINARY /d ce43aaffce43aaffce43aaffce43aaffce43aaffce43aaffce43aaffce43aa00 /f"

C:\Windows\system32\reg.exe

reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Accent /v AccentPalette /t REG_BINARY /d ce43aaffce43aaffce43aaffce43aaffce43aaffce43aaffce43aaffce43aa00 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add "HKCU\Control Panel\Colors" /v ActiveBorder /t REG_SZ /d "255 200 220" /f"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Colors" /v ActiveBorder /t REG_SZ /d "255 200 220" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add "HKCU\Control Panel\Colors" /v ActiveTitle /t REG_SZ /d "255 120 150" /f"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Colors" /v ActiveTitle /t REG_SZ /d "255 120 150" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add "HKCU\Control Panel\Colors" /v AppWorkspace /t REG_SZ /d "255 180 200" /f"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Colors" /v AppWorkspace /t REG_SZ /d "255 180 200" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add "HKCU\Control Panel\Colors" /v Background /t REG_SZ /d "255 200 220" /f"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Colors" /v Background /t REG_SZ /d "255 200 220" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add "HKCU\Control Panel\Colors" /v ButtonAlternateFace /t REG_SZ /d "255 200 220" /f"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Colors" /v ButtonAlternateFace /t REG_SZ /d "255 200 220" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add "HKCU\Control Panel\Colors" /v ButtonDkShadow /t REG_SZ /d "255 200 220" /f"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Colors" /v ButtonDkShadow /t REG_SZ /d "255 200 220" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add "HKCU\Control Panel\Colors" /v ButtonFace /t REG_SZ /d "255 200 220" /f"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Colors" /v ButtonFace /t REG_SZ /d "255 200 220" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add "HKCU\Control Panel\Colors" /v ButtonHilight /t REG_SZ /d "255 200 220" /f"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Colors" /v ButtonHilight /t REG_SZ /d "255 200 220" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add "HKCU\Control Panel\Colors" /v ButtonLight /t REG_SZ /d "255 200 220" /f"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Colors" /v ButtonLight /t REG_SZ /d "255 200 220" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add "HKCU\Control Panel\Colors" /v ButtonShadow /t REG_SZ /d "255 200 220" /f"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Colors" /v ButtonShadow /t REG_SZ /d "255 200 220" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add "HKCU\Control Panel\Colors" /v ButtonText /t REG_SZ /d "255 255 255" /f"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Colors" /v ButtonText /t REG_SZ /d "255 255 255" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add "HKCU\Control Panel\Colors" /v GradientActiveTitle /t REG_SZ /d "255 120 150" /f"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Colors" /v GradientActiveTitle /t REG_SZ /d "255 120 150" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add "HKCU\Control Panel\Colors" /v GradientInactiveTitle /t REG_SZ /d "255 200 220" /f"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Colors" /v GradientInactiveTitle /t REG_SZ /d "255 200 220" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add "HKCU\Control Panel\Colors" /v GrayText /t REG_SZ /d "255 200 220" /f"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Colors" /v GrayText /t REG_SZ /d "255 200 220" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add "HKCU\Control Panel\Colors" /v Hilight /t REG_SZ /d "255 200 220" /f"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Colors" /v Hilight /t REG_SZ /d "255 200 220" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add "HKCU\Control Panel\Colors" /v HilightText /t REG_SZ /d "255 255 255" /f"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Colors" /v HilightText /t REG_SZ /d "255 255 255" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add "HKCU\Control Panel\Colors" /v HotTrackingColor /t REG_SZ /d "255 200 220" /f"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Colors" /v HotTrackingColor /t REG_SZ /d "255 200 220" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add "HKCU\Control Panel\Colors" /v InactiveBorder /t REG_SZ /d "255 200 220" /f"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Colors" /v InactiveBorder /t REG_SZ /d "255 200 220" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add "HKCU\Control Panel\Colors" /v InactiveTitle /t REG_SZ /d "255 200 220" /f"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Colors" /v InactiveTitle /t REG_SZ /d "255 200 220" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add "HKCU\Control Panel\Colors" /v InactiveTitleText /t REG_SZ /d "255 255 255" /f"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Colors" /v InactiveTitleText /t REG_SZ /d "255 255 255" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add "HKCU\Control Panel\Colors" /v InfoText /t REG_SZ /d "255 255 255" /f"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Colors" /v InfoText /t REG_SZ /d "255 255 255" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add "HKCU\Control Panel\Colors" /v InfoWindow /t REG_SZ /d "255 200 220" /f"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Colors" /v InfoWindow /t REG_SZ /d "255 200 220" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add "HKCU\Control Panel\Colors" /v Menu /t REG_SZ /d "255 200 220" /f"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Colors" /v Menu /t REG_SZ /d "255 200 220" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add "HKCU\Control Panel\Colors" /v MenuBar /t REG_SZ /d "255 200 220" /f"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Colors" /v MenuBar /t REG_SZ /d "255 200 220" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add "HKCU\Control Panel\Colors" /v MenuHilight /t REG_SZ /d "255 200 220" /f"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Colors" /v MenuHilight /t REG_SZ /d "255 200 220" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add "HKCU\Control Panel\Colors" /v MenuText /t REG_SZ /d "255 255 255" /f"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Colors" /v MenuText /t REG_SZ /d "255 255 255" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add "HKCU\Control Panel\Colors" /v Scrollbar /t REG_SZ /d "255 200 220" /f"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Colors" /v Scrollbar /t REG_SZ /d "255 200 220" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add "HKCU\Control Panel\Colors" /v TitleText /t REG_SZ /d "255 255 255" /f"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Colors" /v TitleText /t REG_SZ /d "255 255 255" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add "HKCU\Control Panel\Colors" /v Window /t REG_SZ /d "255 200 220" /f"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Colors" /v Window /t REG_SZ /d "255 200 220" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add "HKCU\Control Panel\Colors" /v WindowFrame /t REG_SZ /d "255 200 220" /f"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Colors" /v WindowFrame /t REG_SZ /d "255 200 220" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add "HKCU\Control Panel\Colors" /v WindowText /t REG_SZ /d "255 255 255" /f"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Colors" /v WindowText /t REG_SZ /d "255 255 255" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add "HKCU\Control Panel\Desktop" /v WallPaper /t REG_SZ /d C:\ProgramData\Cake\yae_wallpaper.jpg /f"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v WallPaper /t REG_SZ /d C:\ProgramData\Cake\yae_wallpaper.jpg /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 1 /f"

C:\Windows\system32\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v NoDispAppearancePage /t REG_DWORD /d 1 /f"

C:\Windows\system32\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v NoDispAppearancePage /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "schtasks /create /tn pretty_lock /tr "C:\ProgramData\Cake\lock_file.bat" /ru "NT AUTHORITY\SYSTEM" /rl HIGHEST /sc ONLOGON"

C:\Windows\system32\schtasks.exe

schtasks /create /tn pretty_lock /tr "C:\ProgramData\Cake\lock_file.bat" /ru "NT AUTHORITY\SYSTEM" /rl HIGHEST /sc ONLOGON

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "schtasks /run /tn pretty_lock"

C:\Windows\system32\schtasks.exe

schtasks /run /tn pretty_lock

C:\Windows\SYSTEM32\cmd.exe

C:\Windows\SYSTEM32\cmd.exe /c "C:\ProgramData\Cake\lock_file.bat"

C:\Windows\system32\takeown.exe

takeown /f "C:\ProgramData\Cake\pretty.exe"

C:\Windows\system32\attrib.exe

attrib +r +s "C:\ProgramData\Cake\pretty.exe"

C:\Windows\system32\icacls.exe

icacls "C:\ProgramData\Cake\pretty.exe" /remove *S-1-5-32-545

C:\Windows\system32\icacls.exe

icacls "C:\ProgramData\Cake\pretty.exe" /inheritance:r /grant:r *S-1-5-32-545:RX /deny *S-1-5-32-545:(de,WO,WDAC) /grant:r *S-1-5-32-544:RX /deny *S-1-5-32-544:(de,WO,WDAC)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "schtasks /delete /tn pretty_lock /F"

C:\Windows\system32\schtasks.exe

schtasks /delete /tn pretty_lock /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c shutdown -l

C:\Windows\system32\shutdown.exe

shutdown -l

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x4 /state0:0xa3929855 /state1:0x41c64e6d

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,2942047530712663982,18358991695836655461,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,2942047530712663982,18358991695836655461,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5972 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,2942047530712663982,18358991695836655461,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,2942047530712663982,18358991695836655461,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,2942047530712663982,18358991695836655461,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,2942047530712663982,18358991695836655461,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6024 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,2942047530712663982,18358991695836655461,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6036 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,2942047530712663982,18358991695836655461,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6264 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,2942047530712663982,18358991695836655461,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6388 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,2942047530712663982,18358991695836655461,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6512 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,2942047530712663982,18358991695836655461,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6632 /prefetch:1

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 ctt.ac udp
US 134.209.68.5:443 ctt.ac tcp
US 8.8.8.8:53 clicktotweet.com udp
US 134.209.68.5:443 clicktotweet.com tcp
US 8.8.8.8:53 stats.g.doubleclick.net udp
BE 64.233.166.154:443 stats.g.doubleclick.net tcp
US 8.8.8.8:53 5.68.209.134.in-addr.arpa udp
US 8.8.8.8:53 238.75.250.142.in-addr.arpa udp
US 8.8.8.8:53 twitter.com udp
US 104.244.42.129:443 twitter.com tcp
US 104.244.42.129:443 twitter.com tcp
US 8.8.8.8:53 x.com udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 api.x.com udp
US 8.8.8.8:53 api.twitter.com udp
US 8.8.8.8:53 abs.twimg.com udp
US 104.244.42.2:443 api.twitter.com tcp
US 104.244.42.130:443 api.twitter.com tcp
US 8.8.8.8:53 pbs.twimg.com udp
US 152.199.21.141:443 abs.twimg.com tcp
US 8.8.8.8:53 t.co udp
GB 199.232.56.159:443 pbs.twimg.com tcp
PL 93.184.221.165:443 t.co tcp
US 8.8.8.8:53 154.166.233.64.in-addr.arpa udp
US 8.8.8.8:53 129.42.244.104.in-addr.arpa udp
US 8.8.8.8:53 2.42.244.104.in-addr.arpa udp
US 8.8.8.8:53 72.214.58.216.in-addr.arpa udp
US 8.8.8.8:53 130.42.244.104.in-addr.arpa udp
US 152.199.21.141:443 abs.twimg.com tcp
US 8.8.8.8:53 video.twimg.com udp
US 8.8.8.8:53 abs-0.twimg.com udp
SE 192.229.220.133:443 video.twimg.com tcp
US 104.244.43.131:443 abs-0.twimg.com tcp
US 8.8.8.8:53 141.21.199.152.in-addr.arpa udp
US 8.8.8.8:53 159.56.232.199.in-addr.arpa udp
US 8.8.8.8:53 165.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 133.220.229.192.in-addr.arpa udp
US 8.8.8.8:53 131.43.244.104.in-addr.arpa udp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.27.84:443 accounts.google.com tcp
US 104.244.42.2:443 api.twitter.com tcp
US 104.244.42.2:443 api.twitter.com tcp
US 104.244.42.2:443 api.twitter.com tcp
US 104.244.42.2:443 api.twitter.com tcp
US 104.244.42.2:443 api.twitter.com tcp
NL 142.250.27.84:443 accounts.google.com udp
NL 142.250.27.84:443 accounts.google.com udp
US 8.8.8.8:53 84.27.250.142.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 cxcs.microsoft.net udp
BE 104.68.66.114:443 cxcs.microsoft.net tcp
NL 23.62.61.155:443 www.bing.com tcp
US 8.8.8.8:53 114.66.68.104.in-addr.arpa udp
US 8.8.8.8:53 155.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI50042\python310.dll

MD5 63a1fa9259a35eaeac04174cecb90048
SHA1 0dc0c91bcd6f69b80dcdd7e4020365dd7853885a
SHA256 14b06796f288bc6599e458fb23a944ab0c843e9868058f02a91d4606533505ed
SHA512 896caa053f48b1e4102e0f41a7d13d932a746eea69a894ae564ef5a84ef50890514deca6496e915aae40a500955220dbc1b1016fe0b8bcdde0ad81b2917dea8b

C:\Users\Admin\AppData\Local\Temp\_MEI50042\ucrtbase.dll

MD5 0e0bac3d1dcc1833eae4e3e4cf83c4ef
SHA1 4189f4459c54e69c6d3155a82524bda7549a75a6
SHA256 8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae
SHA512 a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd

C:\Users\Admin\AppData\Local\Temp\_MEI50042\VCRUNTIME140.dll

MD5 f34eb034aa4a9735218686590cba2e8b
SHA1 2bc20acdcb201676b77a66fa7ec6b53fa2644713
SHA256 9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1
SHA512 d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

C:\Users\Admin\AppData\Local\Temp\_MEI50042\base_library.zip

MD5 c4989bceb9e7e83078812c9532baeea7
SHA1 aafb66ebdb5edc327d7cb6632eb80742be1ad2eb
SHA256 a0f5c7f0bac1ea9dc86d60d20f903cc42cff3f21737426d69d47909fc28b6dcd
SHA512 fb6d431d0f2c8543af8df242337797f981d108755712ec6c134d451aa777d377df085b4046970cc5ac0991922ddf1f37445a51be1a63ef46b0d80841222fb671

C:\Users\Admin\AppData\Local\Temp\_MEI50042\_ctypes.pyd

MD5 1635a0c5a72df5ae64072cbb0065aebe
SHA1 c975865208b3369e71e3464bbcc87b65718b2b1f
SHA256 1ea3dd3df393fa9b27bf6595be4ac859064cd8ef9908a12378a6021bba1cb177
SHA512 6e34346ea8a0aacc29ccd480035da66e280830a7f3d220fd2f12d4cfa3e1c03955d58c0b95c2674aea698a36a1b674325d3588483505874c2ce018135320ff99

C:\Users\Admin\AppData\Local\Temp\_MEI50042\libffi-7.dll

MD5 eef7981412be8ea459064d3090f4b3aa
SHA1 c60da4830ce27afc234b3c3014c583f7f0a5a925
SHA256 f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081
SHA512 dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

C:\Users\Admin\AppData\Local\Temp\_MEI50042\_bz2.pyd

MD5 86d1b2a9070cd7d52124126a357ff067
SHA1 18e30446fe51ced706f62c3544a8c8fdc08de503
SHA256 62173a8fadd4bf4dd71ab89ea718754aa31620244372f0c5bbbae102e641a60e
SHA512 7db4b7e0c518a02ae901f4b24e3860122acc67e38e73f98f993fe99eb20bb3aa539db1ed40e63d6021861b54f34a5f5a364907ffd7da182adea68bbdd5c2b535

C:\Users\Admin\AppData\Local\Temp\_MEI50042\_lzma.pyd

MD5 7447efd8d71e8a1929be0fac722b42dc
SHA1 6080c1b84c2dcbf03dcc2d95306615ff5fce49a6
SHA256 60793c8592193cfbd00fd3e5263be4315d650ba4f9e4fda9c45a10642fd998be
SHA512 c6295d45ed6c4f7534c1a38d47ddc55fea8b9f62bbdc0743e4d22e8ad0484984f8ab077b73e683d0a92d11bf6588a1ae395456cfa57da94bb2a6c4a1b07984de

C:\Users\Admin\AppData\Local\Temp\_MEI50042\api-ms-win-crt-filesystem-l1-1-0.dll

MD5 102a8c01049ef18cc6e8798a9e5d57f4
SHA1 9adef547e03032d8c5525cc9c7d4512fbeb53948
SHA256 e13edab280e7b3410d7f4ce30a8e8cae64f38652d770fc3bf223206f0c57aaa5
SHA512 a9fbc726f33399f55f70967f3f1bf374589eaad9581d9e94228d39afa06cdce31ed25bdc04805aad361c7cafbeb56ca39f6693259d67457199d4423a61b32263

C:\Users\Admin\AppData\Local\Temp\_MEI50042\_brotli.cp310-win_amd64.pyd

MD5 ee3d454883556a68920caaedefbc1f83
SHA1 45b4d62a6e7db022e52c6159eef17e9d58bec858
SHA256 791e7195d7df47a21466868f3d7386cff13f16c51fcd0350bf4028e96278dff1
SHA512 e404adf831076d27680cc38d3879af660a96afc8b8e22ffd01647248c601f3c6c4585d7d7dc6bbd187660595f6a48f504792106869d329aa1a0f3707d7f777c6

C:\Users\Admin\AppData\Local\Temp\_MEI50042\_asyncio.pyd

MD5 33d0b6de555ddbbbd5ca229bfa91c329
SHA1 03034826675ac93267ce0bf0eaec9c8499e3fe17
SHA256 a9a99a2b847e46c0efce7fcfefd27f4bce58baf9207277c17bffd09ef4d274e5
SHA512 dbbd1ddfa445e22a0170a628387fcf3cb95e6f8b09465d76595555c4a67da4274974ba7b348c4c81fe71c68d735c13aacb8063d3a964a8a0556fb000d68686b7

C:\Users\Admin\AppData\Local\Temp\_MEI50042\yae_wallpaper.jpg

MD5 09ffe72a73154d34fe7d9b9a0d783d2f
SHA1 f0c213776fc611047d2eb5ea79c4a27bb4515f61
SHA256 216a4381524cd23ef28518d3f2965c42f03f4be0dabe68b11f9aaa0f19be4509
SHA512 bcad75d710a0378b1a0c907654f5d4d57f8f949baf29c3901781a96c9855072309b4f7d1759ff1b05efddf1cfcb877ee84cdf7799c6ec2d8da3f41ad2170b031

C:\Users\Admin\AppData\Local\Temp\_MEI50042\VCRUNTIME140_1.dll

MD5 135359d350f72ad4bf716b764d39e749
SHA1 2e59d9bbcce356f0fece56c9c4917a5cacec63d7
SHA256 34048abaa070ecc13b318cea31425f4ca3edd133d350318ac65259e6058c8b32
SHA512 cf23513d63ab2192c78cae98bd3fea67d933212b630be111fa7e03be3e92af38e247eb2d3804437fd0fda70fdc87916cd24cf1d3911e9f3bfb2cc4ab72b459ba

C:\Users\Admin\AppData\Local\Temp\_MEI50042\unicodedata.pyd

MD5 81d62ad36cbddb4e57a91018f3c0816e
SHA1 fe4a4fc35df240b50db22b35824e4826059a807b
SHA256 1fb2d66c056f69e8bbdd8c6c910e72697874dae680264f8fb4b4df19af98aa2e
SHA512 7d15d741378e671591356dfaad4e1e03d3f5456cbdf87579b61d02a4a52ab9b6ecbffad3274cede8c876ea19eaeb8ba4372ad5986744d430a29f50b9caffb75d

C:\Users\Admin\AppData\Local\Temp\_MEI50042\select.pyd

MD5 a653f35d05d2f6debc5d34daddd3dfa1
SHA1 1a2ceec28ea44388f412420425665c3781af2435
SHA256 db85f2f94d4994283e1055057372594538ae11020389d966e45607413851d9e9
SHA512 5aede99c3be25b1a962261b183ae7a7fb92cb0cb866065dc9cd7bb5ff6f41cc8813d2cc9de54670a27b3ad07a33b833eaa95a5b46dad7763ca97dfa0c1ce54c9

C:\Users\Admin\AppData\Local\Temp\_MEI50042\pyexpat.pyd

MD5 1118c1329f82ce9072d908cbd87e197c
SHA1 c59382178fe695c2c5576dca47c96b6de4bbcffd
SHA256 4a2d59993bce76790c6d923af81bf404f8e2cb73552e320113663b14cf78748c
SHA512 29f1b74e96a95b0b777ef00448da8bd0844e2f1d8248788a284ec868ae098c774a694d234a00bd991b2d22c2372c34f762cdbd9ec523234861e39c0ca752dcaa

C:\Users\Admin\AppData\Local\Temp\_MEI50042\pinkpfp.jpg

MD5 d9fcc67f6ea4e7f7719b1f7ae1b483e0
SHA1 ef9dbb3e1c31d1ab4c4c417c1b9b3d5df5be535f
SHA256 82205d551b09b0398c61521a3fd6f35a7bb7e6bb2a204feff2a962f0c9a9c841
SHA512 01e75a4511283fb000bfc8af3303fcbc1a1be7aa94d85169054fbc770ccaf5e78c8053b41398e609f00fe55bfa91339eda536dacc2f833914bd9a4dc4e710ee0

C:\Users\Admin\AppData\Local\Temp\_MEI50042\libssl-1_1.dll

MD5 bec0f86f9da765e2a02c9237259a7898
SHA1 3caa604c3fff88e71f489977e4293a488fb5671c
SHA256 d74ce01319ae6f54483a19375524aa39d9f5fd91f06cf7df238ca25e043130fd
SHA512 ffbc4e5ffdb49704e7aa6d74533e5af76bbe5db297713d8e59bd296143fe5f145fbb616b343eed3c48eceaccccc2431630470d8975a4a17c37eafcc12edd19f4

C:\Users\Admin\AppData\Local\Temp\_MEI50042\libcrypto-1_1.dll

MD5 9d7a0c99256c50afd5b0560ba2548930
SHA1 76bd9f13597a46f5283aa35c30b53c21976d0824
SHA256 9b7b4a0ad212095a8c2e35c71694d8a1764cd72a829e8e17c8afe3a55f147939
SHA512 cb39aa99b9d98c735fdacf1c5ed68a4d09d11f30262b91f6aa48c3f8520eff95e499400d0ce7e280ca7a90ff6d7141d2d893ef0b33a8803a1cadb28ba9a9e3e2

C:\Users\Admin\AppData\Local\Temp\_MEI50042\api-ms-win-crt-utility-l1-1-0.dll

MD5 57d3ee548db3a503ac391af798e0e2a2
SHA1 d686a96c5046d6d7a022c4266a5d0014745360a4
SHA256 2c80280e51c242466e10a36a0bf2a341607983b6f6648f93b0718b34ab5285c5
SHA512 f3ea9c8f2f230d23bc878e37044599b2c77f0bf6dd84b07c2f87a84263fb9ac7f44732f05e14781b6046afb2a39f27135c96d2da2ab9605bd00e55d9b0fffb0b

C:\Users\Admin\AppData\Local\Temp\_MEI50042\api-ms-win-crt-time-l1-1-0.dll

MD5 816a8932759bdb478d4263cacbf972e3
SHA1 ac9f2bed41e340313501aa7d33dcd369748f0496
SHA256 ce9a8e18923d12e2f62ce2a20693113000fc361cc816773037c155c273b99e7c
SHA512 5144f01bee04455d5b9a7b07e62f4afb928605331213eb483265016640198c175dc08673903ed5bc16b385ee76657aa4303776233d04347d9d1daadce39525c4

C:\Users\Admin\AppData\Local\Temp\_MEI50042\api-ms-win-crt-string-l1-1-0.dll

MD5 f9297b9ff06295bc07b7e5281b1face0
SHA1 d0eb0fddbb3eb187df0f0e5f9ddffcfc2e05f9b7
SHA256 c56a2ee0cc6dc1e7283b9bda8b7b2dba957329cb4bc9aca4cd99f88e108f9c04
SHA512 bec6222776015996eba744698d3254945dfe4bb4dc0d85528ee59a0f3b5fc5bb054bbf496d562cfc7b4cc81b4d3df5c53761931162a0091a49386233afba4f9c

C:\Users\Admin\AppData\Local\Temp\_MEI50042\api-ms-win-crt-stdio-l1-1-0.dll

MD5 8341f0371e25b8077fe61c89a9ef8144
SHA1 fc185203e33abed12e1398440cb2ee283ca9541a
SHA256 bd9a5d4554ef1a374257e8dd9436d89f686006ed1fd1cc44364b237bf5b795ff
SHA512 9c7e4e8d8e9e620f441ab5106820ec021d2b2323f44ed8cc8ec9673745dbc531347356f1ff195d63b62b09cc5c27e8f8641ce25be12ee9b700b5fc766337228b

C:\Users\Admin\AppData\Local\Temp\_MEI50042\api-ms-win-crt-runtime-l1-1-0.dll

MD5 364bc49cc7034f8a9981ade1ce565229
SHA1 fbd76c1842d1ccf563ece2db32fff4c71e7ca689
SHA256 6254fd07ace88685112e3a7b73676aabf13a1b1bc30c55dd976b34fea12b7f1d
SHA512 65e59e3358eb1bf26823c9538c74d343e7383591c021d2b340ef68aa9a274d65b15b30bbbe55f4b32e3a08fc79d4e179a6ce92eadb8c4be09a2c35c348ce10af

C:\Users\Admin\AppData\Local\Temp\_MEI50042\api-ms-win-crt-process-l1-1-0.dll

MD5 e3914d51afd864a6c6587aa9192c491b
SHA1 bae85701809bc259a8744aafa45cd7159e6c13f8
SHA256 28257cc063431f78284335ce3002ffb71b75c1e7ccabf5417bb42392c35564b4
SHA512 43b1445a80d309ec73d52d6cf68f4533a132fb55ab672e5e2a878bb42c1cb36d6e4c504d43fa4923e692c8be600f3f9d5a5edde80602636cb726eedfca23dfb8

C:\Users\Admin\AppData\Local\Temp\_MEI50042\api-ms-win-crt-multibyte-l1-1-0.dll

MD5 0b057fa3a94c782da362d225c5974d12
SHA1 ca27a53ff2be1250e33045989e0fb515dfdfe3f3
SHA256 e1c519fef1622d35a05dd60e6464492f7b8ee6bbceee01563db82be66edb1346
SHA512 2dc6ef4d2d1f1bc050cba52e1a96242468fa25372f216e399163bce2e5e17c4911e097106f5727db4379c9fb603091b32f1e818695b362596037d7a6f43e06c7

C:\Users\Admin\AppData\Local\Temp\_MEI50042\api-ms-win-crt-math-l1-1-0.dll

MD5 a592d1b2ecc42d1a083f0d34feae2444
SHA1 29718af390f832626fcdcc57c107333cdb5743e1
SHA256 18a827b01de7b1a3d5c8d17b79ad2462a90308124448a9b8c47eccda39c3a095
SHA512 44bed6d24f1fa35b10d2b2b1574e7baf10182e60fdcb6cba5dd9de5cd7a5183198925e4fa5a7e2896564a30f7b70de69691713118d59bf5162ce35aff5bcf7a6

C:\Users\Admin\AppData\Local\Temp\_MEI50042\api-ms-win-crt-locale-l1-1-0.dll

MD5 75f1a5f65790560d9544f3fb70efba51
SHA1 f30a5751901cfffc250be76e13a8b711ebc06bcc
SHA256 e0e02ea6c17da186e25e352b78c80b1b3511b5c1590e5ba647b14a7b384af0f8
SHA512 b7e285ca35f6a8ae2ccbe21594d72152175301a02ad6b92fe130e1e226a0faad1bfad1bd49857401549c09b50feee2c42c23ca4c19b2845cad090f5b9e8e8f63

C:\Users\Admin\AppData\Local\Temp\_MEI50042\api-ms-win-crt-heap-l1-1-0.dll

MD5 4b038cdc70357d2dec440717ac344a52
SHA1 f67ba87f6830858845a5763381a47893af061bf8
SHA256 6a24e9cfb0efd9e1b90053d4ebd87fc35144e61ae3f6555c7d400542d648e2b5
SHA512 9557f15fa3c06de89ea8be0c959b94575a1c4587151687730f9e66fed095feb882d43ea32262000f871e6d860ce0c6c341cf5509a6ce81866f6d0efacb8526fe

C:\Users\Admin\AppData\Local\Temp\_MEI50042\api-ms-win-crt-environment-l1-1-0.dll

MD5 e41612752a7dfbbe756322cf48e106b9
SHA1 0ec106e926c9837a43e1d7ec8d1a5f03edd5ec3d
SHA256 4bb9d36e0e034652f2331ddb43ee061608f436cbc9e5771b4d27b28fa10f5248
SHA512 9bed9399e896d1cc58cc06e8d7ec6cc3345be6d15ca307c670e0f282c9ebe48a6cc1b145c2ecf94d84214cddff8f0d0d720ea984478c74c98e2499c2184638c9

C:\Users\Admin\AppData\Local\Temp\_MEI50042\api-ms-win-crt-convert-l1-1-0.dll

MD5 87e2934e49d7d111f383673f97d5029e
SHA1 267603d5510b775de3667f7d92bfaa3bd60e6533
SHA256 fb9dd774b25ab8e661c922caffb976c37a4d10a631ab65665da60016ef0c4d7c
SHA512 e6025ad419359ad3e06cc7a3b3b7436464dbbc71b91653833575264a5f8b0d781844a411bcd915d404b9a8c0a056eaf6d4d412723936845b53bfb5368bf5f7a7

C:\Users\Admin\AppData\Local\Temp\_MEI50042\api-ms-win-crt-conio-l1-1-0.dll

MD5 9eb2c06decaae1a109a94886a26eec25
SHA1 307ce096bee44f54a6d37aab1ef123fb423ed028
SHA256 da8fd2fe08a531d2331c1fbee9f4ae9015b64f24a2654a7f82418c86b4ab6909
SHA512 7e701cb00a4cab8d5b3ecf55a16fef0103f9be1aa3fd7b53c7bab968708c21e8d1c763ad80a7a8d6c76dd45ddd244c9c9e8944455c2025b4195660b61ac1e8b7

C:\Users\Admin\AppData\Local\Temp\_MEI50042\api-ms-win-core-util-l1-1-0.dll

MD5 f7fdc91ac711a9bb3391901957a25cea
SHA1 1cebc5497e15051249c951677b5b550a1770c24f
SHA256 de47c1f924dc12e41d3a123b7dcce0260e7758b90fb95ec95c270fc116fc7599
SHA512 0e03c998622d6bf113e8d3b4dab728974391efecf59df89f938bd22240488e71885c05fb0fa805948b3d9645758409a0966299b26625aa36e3fd6e519ee22769

C:\Users\Admin\AppData\Local\Temp\_MEI50042\api-ms-win-core-timezone-l1-1-0.dll

MD5 b9a20c9223d3e3d3a0c359f001ce1046
SHA1 9710b9a8c393ba00c254cf693c7c37990c447cc8
SHA256 00d9a7353be0a54c17e4862b86196a8b2bc6a007899fa2fbe61afd9765548068
SHA512 a7d5611c0b3b53da6cac61e0374d54d27e6e8a1af90ef66cd7e1b052f906c8b3f6087f4c6de0db3ae0b099df7689ecde6c815a954b728d36d9d3b5d002ccf18e

C:\Users\Admin\AppData\Local\Temp\_MEI50042\api-ms-win-core-sysinfo-l1-1-0.dll

MD5 e4893842d031b98cac1c6f754a2a3f8d
SHA1 2b0187134e40d27553a85dd4ec89dd6c40e58a24
SHA256 abe4c1464b325365d38e0bc4ae729a17a7f6f7ba482935c66e6840e1b0d126c5
SHA512 fc61a66fdc7213857f204bd0b20671db7092e0010e07b5e0e8e8408ace8ac5b6e696a7d9fc969233b2b3ad5dae4d3b291b007ff27a316e7fb750bfc93257c532

C:\Users\Admin\AppData\Local\Temp\_MEI50042\api-ms-win-core-synch-l1-2-0.dll

MD5 b962237df7ea045c325e7f97938097cb
SHA1 1115e0e13ecc177d057e3d1c9644ac4d108f780a
SHA256 a24dd6afdb4c4aa450ae4bc6a2861a49032170661b9c1f30cd0460c5dc57e0f7
SHA512 19ac4cccaaa59fbae042d03ba52d89f309bd2591b035f3ec3df430ff399d650fcf9c4d897834a520dea60dc0562a8a6f7d25a1fffcd32f765a4eaffe4c7d5ea2

C:\Users\Admin\AppData\Local\Temp\_MEI50042\api-ms-win-core-synch-l1-1-0.dll

MD5 bccc676f2fb18c1a1864363e5a649a88
SHA1 a095a83a32a4a65fe16aa0be9a517239fac5db0d
SHA256 9d3f803dc791d2ff2e05059f9bb9207cc8f4134e1ac05f20edd20cfadd6e72c0
SHA512 55aab9fa6f7c4904e4beea4ce250f45fb71c2dd6a6f099f4017101ebc45c0a6e303b6a222f49c971992cafe8988a042b7ef8e94671be858c926105021514737a

C:\Users\Admin\AppData\Local\Temp\_MEI50042\api-ms-win-core-string-l1-1-0.dll

MD5 b65933f7bcadc7072d5a2d70ecba9f81
SHA1 c53561755b9f33d0ae7874b3a7d67bedcb0129d8
SHA256 eadf535795df58d4f52fc6237fe46feb0f8166daca5eaaa59cec3cee50a9181d
SHA512 4cbb8bda8609404fe84ca36a8cbfe1d69c55dee2b969231b2fa00ca9139d956196a2babbb80a1a2bb430a34e6bd335294f452bcbe9e44411561ebdf21e4aba91

C:\Users\Admin\AppData\Local\Temp\_MEI50042\api-ms-win-core-rtlsupport-l1-1-0.dll

MD5 0b30c6862b5224cc429fe2eb2b7bf14b
SHA1 5c3affa14e3bfdafe09e9841a2920b57c7fcbc56
SHA256 d9c6f93c4972db08c7888d55e8e59e8aba022d416817d65bc96e5a258c859b5f
SHA512 b378f2a2812245ea948d81a925d041dbd7e7a8fb2770cf7dd47643da20f5c685c6121479f95b293177a9480290b17c49e7b4fc10d33734cf883d2c614daae1bf

C:\Users\Admin\AppData\Local\Temp\_MEI50042\api-ms-win-core-profile-l1-1-0.dll

MD5 1be729c6d9bf1b58f435b23e7f87ba49
SHA1 4b2df3fab46a362ee46057c344995fa622e0672a
SHA256 4c425fbb8d2319d838733ab9cec63a576639192d993909e70cf84f49c107f785
SHA512 ceccc5ff2bd90a91cfbb948f979576795ff0a9503ddaafd268c14306f93d887975bd376b62ed688be51bb88b3a0c54ef332be93b4b0d8737b5ab70a661b11416

C:\Users\Admin\AppData\Local\Temp\_MEI50042\api-ms-win-core-processthreads-l1-1-1.dll

MD5 774aa9f9318880cb4ad3bf6f464da556
SHA1 3a5c07cf35009c98eb033e1cbde1900135d1abf8
SHA256 ba9fbd3a21879614c050c86a74ad2fffc0362266d6fa7be0ef359de393136346
SHA512 f7b57afb9810e3390d27a5469572fb29f0f1726f599403a180e685466237dff5dec4fdce40105ef1bb057e012d546308213e7cec73e0d7d3c5815eec8189a75d

C:\Users\Admin\AppData\Local\Temp\_MEI50042\api-ms-win-core-processthreads-l1-1-0.dll

MD5 73586decad3b3d90653750504b356a5c
SHA1 39a7ee1660ca1291314ef78150e397b1d8683e03
SHA256 34f560c3e56f40db5df695c967b6e302e961085bc037bb9a1c2d2c866a9df48f
SHA512 9ec299e930d2b89ad379613f8fa63669ec7c858da8a24608b92175f42b0be75f8aa2e1727dabf7638ae9d2942d03840f288eab53f2c9f38dbea1325f1ea8b22b

C:\Users\Admin\AppData\Local\Temp\_MEI50042\api-ms-win-core-processenvironment-l1-1-0.dll

MD5 4f1303827a67760d02feb54e9258edb1
SHA1 340d7029c39708d14da79b12a0e2ed0a8bc7c020
SHA256 77fc9adf1a734d9717700b038b98b4337a494fc4f7e1e706c82e97dbca896fd8
SHA512 20f067d1c2749c709e4fc45da8d9eb5b813f54d0e09fa482d00bc4a7e5744c587d0afc00cdd5263b4223fe94baa3f8ca110d010339f9e3f1c6b2700888dbe3d0

C:\Users\Admin\AppData\Local\Temp\_MEI50042\api-ms-win-core-namedpipe-l1-1-0.dll

MD5 d1bc9b3a7aa94d10c41fa16210aa9dba
SHA1 a358b824b1f26ead420d2100e5f1a3fb74af2b7a
SHA256 75652caf05e86adc88ed214fd208b4a289489cac2b28fd358e302e2e7c3c338f
SHA512 149478dfca0165d5a68e89070017cda3400926284eaa2143a810138ff710079cde413c031721de5b58cb834f03d4c5df5b4bd6c2bdb65687755ad77cae778b30

C:\Users\Admin\AppData\Local\Temp\_MEI50042\api-ms-win-core-memory-l1-1-0.dll

MD5 064fb2e1b5e90796a68d1edf91269ad3
SHA1 6e3a8c568f038879b7b102975a4471b2489f5493
SHA256 3500935e638f7d0ae2bf564bf77f9329811329261185fcdb9cd702b999889ffd
SHA512 821f091529d45531811a73664473cebb372a310d855e1a4c1a028ad4dc7d36146d3030dcf10de8a4a4bf16fb535fe3d0d2e1fcd22959690842388abb177b0036

C:\Users\Admin\AppData\Local\Temp\_MEI50042\api-ms-win-core-localization-l1-2-0.dll

MD5 3589557535bba7641da3d76eefb0c73d
SHA1 6f63107c2212300c7cd1573059c08b43e5bd9b95
SHA256 642b01bb93d2cb529acf56070d65aae3202fd0b48d19fd40ec6763b627bcbee6
SHA512 7aedf3cf686b416f8b419f8af1d57675096ab2c2378c5a006f6ecbf2fe1ad701f28b7be8f08c9083230cf4d15d463371e92a6032178cd6c139d60b26fbd49b06

C:\Users\Admin\AppData\Local\Temp\_MEI50042\api-ms-win-core-libraryloader-l1-1-0.dll

MD5 d042aa497ce2a9f03296f8de68ed0680
SHA1 f483a343a18b960630ccf0e6de2f82883550f3bf
SHA256 de3d2c5519f74a982f06f3f3fda085571c0cdcf5ad8d2d331c79d9c92062bdc3
SHA512 4e157c8701860982ce0dec956fe4bfb684d2db3eaa9e784f179d385be905fd0551ba90cc27c54179fc39a693d9c742364f2bf1a5444424ba5eae38103b5f0e02

C:\Users\Admin\AppData\Local\Temp\_MEI50042\api-ms-win-core-interlocked-l1-1-0.dll

MD5 5872cb5ca3980697283aab9007196ae6
SHA1 26e8de47d9bee371f6c7a47f206a131965b6b481
SHA256 0dff50774693fcb71782b5e214419032a8c00b3031151d93be5c971b6f62cd45
SHA512 9b3e2fa9f66d29bfc7a4ca5d673b395bcda223a85fd06c94a11217047c1a312148c9c6270d7f69dfef06b25f8b5ad46717a829bde55f540c804a4ba4c4af070c

C:\Users\Admin\AppData\Local\Temp\_MEI50042\api-ms-win-core-heap-l1-1-0.dll

MD5 a8b967b65232ecce7261eaecf39e7d6d
SHA1 df0792b29c19d46a93291c88a497151a0ba4366d
SHA256 8fcc9a97a8ad3be9a8d0ce6bb502284dd145ebbe587b42cdeaa4262279517c1d
SHA512 b8116208eb646ec1c103f78c768c848eb9d8d7202ebdab4acb58686e6f0706f0d6aaa884e11065d7ece63ebbd452f35b1422bd79e6eb2405fb1892758195ccbb

C:\Users\Admin\AppData\Local\Temp\_MEI50042\api-ms-win-core-handle-l1-1-0.dll

MD5 567ff20a8d330cbb3278d3360c8d56f5
SHA1 cdf0cfc650da3a1b57dc3ef982a317d37ffb974d
SHA256 47dfbe1ecc8abc002bd52dcd5281ed7378d457789be4cb1e9bee369150d7f5c8
SHA512 1643e900f13509f0ef9c7b7f8f2401fb3b6f2c0c39b512c623615df92b1e69df042ef1a0c6aace82173ce5d4d3c672c1636d6ee05545ce5c3b7374ab745e0e87

C:\Users\Admin\AppData\Local\Temp\_MEI50042\api-ms-win-core-file-l2-1-0.dll

MD5 bfffa7117fd9b1622c66d949bac3f1d7
SHA1 402b7b8f8dcfd321b1d12fc85a1ee5137a5569b2
SHA256 1ea267a2e6284f17dd548c6f2285e19f7edb15d6e737a55391140ce5cb95225e
SHA512 b319cc7b436b1be165cdf6ffcab8a87fe29de78f7e0b14c8f562be160481fb5483289bd5956fdc1d8660da7a3f86d8eede35c6cc2b7c3d4c852decf4b2dcdb7f

C:\Users\Admin\AppData\Local\Temp\_MEI50042\api-ms-win-core-file-l1-2-0.dll

MD5 2b36752a5157359da1c0e646ee9bec45
SHA1 708aeb7e945c9c709109cea359cb31bd7ac64889
SHA256 3e3eb284937b572d1d70ce27be77b5e02eb73704c8b50feb5eb933db1facd2fc
SHA512 fc56080362506e3f38f1b3eb9d3193cdb9e576613c2e672f0fe9df203862f8a0f31938fa48b4ff7115dfe6016fa1fd5c5422fdc1913df63b3fde5f478a8417a1

C:\Users\Admin\AppData\Local\Temp\_MEI50042\api-ms-win-core-file-l1-1-0.dll

MD5 abf9850eb219be4976a94144a9eba057
SHA1 3d8c37588b36296240934b2f63a1b135a52fcee2
SHA256 41c5c577fea3ce13d5beb64ce0920f1061f65bcf39eafa8cd3dfc09ff48bcf76
SHA512 dfaafb43ce7f05b2db35eac10b314fb506c6aada80f6c4327b09ec33c170478ebd0eea19f1c6ca2e4832bfa41f769046deca8f15d54b7966134d166ee6036bda

C:\Users\Admin\AppData\Local\Temp\_MEI50042\api-ms-win-core-errorhandling-l1-1-0.dll

MD5 98340ffd2b1d8affef27d4b1260aeac5
SHA1 b428b39aa814a7038a1ddff9b64b935f51833a26
SHA256 7388a019922e9a0a3d05a8605a5307e3141b39f7d57b7faca5d34e72adfd5fa5
SHA512 6165c5be0360d55403e9dfd4e9df4ff9a12e5fb6057ed9278da09e688751487e46d9dd64949375c00764cbb4355cc13a1ea714055050f2ab7d432977b8443f81

C:\Users\Admin\AppData\Local\Temp\_MEI50042\api-ms-win-core-debug-l1-1-0.dll

MD5 a00ebd3cf88d668be6d62a25fa4fb525
SHA1 edb07eafd08991611389293e2be80f8ee98f1e62
SHA256 b44646453584305d4edf8ab5f5d1adea6b9650bd2b75f8486fc275be52b86433
SHA512 d63f0e9f2e079ee06aa3ab96a0bd2d169564896027b731ee2597327bdc55456c5fd0c2d8c7e68165fc80bbc3fe0c24a3388d4c3615f33fc9f9fc0b205ae9ba7a

C:\Users\Admin\AppData\Local\Temp\_MEI50042\api-ms-win-core-datetime-l1-1-0.dll

MD5 3095c9577395249e105410bdcc585f77
SHA1 7dfc0c81f8f28cbf36c5acdb83523569b430b944
SHA256 c08be448195f46c4b423d0ce0c2cdc343e842ff1f91b16a8d3c09d5152150917
SHA512 555568fc23ade238bcc13a447520d395546def4409a002d795dd3abea03b15321491bc63c97f4ed8eb78aa411a0b1267dce5c528e51dcac8ca9e93b8f5265786

C:\Users\Admin\AppData\Local\Temp\_MEI50042\api-ms-win-core-console-l1-1-0.dll

MD5 a148dc22ea14cd5578de22b2dfb0917f
SHA1 eaccb66f62e5b6d7154798e596eabd3cef00b982
SHA256 7603e172853a9711fbdc53b080432ad12984b463768dbc3aa842a26f5b26ae23
SHA512 4e3c927692fc41889b596273aea8bbd776cf7644dae26c411c12bda23cd3299a5c9adc06a930294310f002de74592a244767378fc9e37ec76e86bfa23f4c0478

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 b2a1398f937474c51a48b347387ee36a
SHA1 922a8567f09e68a04233e84e5919043034635949
SHA256 2dc0bf08246ddd5a32288c895d676017578d792349ca437b1b36e7b2f0ade6d6
SHA512 4a660c0549f7a850e07d8d36dab33121af02a7bd7e9b2f0137930b4c8cd89b6c5630e408f882684e6935dcb0d5cb5e01a854950eeda252a4881458cafcc7ef7c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 1ac52e2503cc26baee4322f02f5b8d9c
SHA1 38e0cee911f5f2a24888a64780ffdf6fa72207c8
SHA256 f65058c6f1a745b37a64d4c97a8e8ee940210273130cec97a67f568088b5d4d4
SHA512 7670d606bc5197ecb7db3ddaecd6f74a80e6decae92b94e0e8145a7f463fa099058e89f9dfa1c45b9197c36e5e21994698186a2ec970bbdb0937fe28ca46a834

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 f7adbae0d2c597f7cc337504a0be05d0
SHA1 6fb815bf7be3cbed810650959a09bde9727c8c7e
SHA256 89d309288873a18962bddd5e07adeb2cae2402db0618b5416b7919cabaf02b73
SHA512 ac2501ce86b1c33f7c220195eda16cc39a7368cbad19e1afe115e790f042d74b55746244130400e0e636130f5a42e6d14708388c351ec8a5864f32ebd5ebcafb

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme

MD5 7fb79143306c366914491bbb65e8eabc
SHA1 2310332215257e55238ae07cf019fa8990be237f
SHA256 f0b7c4243f9018c22a71e24650d5a1693130be7c2c1a1f2f9ac37e5325c82eee
SHA512 e51c303463af7bf9e477bd7e544509052587a1abddef99fc400e8884697d4c4243ea96363978b9fc4a37474eabf9516e41282462bac2a76222464f4fe110921a

C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme

MD5 365e9fb9bfdabed488c8831f94d7acfa
SHA1 806adf4a0d7a46872dde2c484c98fb10c8d115d1
SHA256 1851f37714e943d85f72c1c3ce280ae93a0c81e1e829c45c510e707db6f35830
SHA512 d7763d1a50877bbef24a63afe72d6c5b08b27809a778cd8cbf28d85236c3a72c718defe85dd5b1c2d3164fc5930b4bb35397eab29c3c048a865ea99583e6ec7c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 afc3d4610da79b877a0a1c3d8b3fbb83
SHA1 875581aa50cb6b348113112a4d88c4002d45c7f7
SHA256 57e16d6bd93c5ed762895abe6e11ec33f41d84d8a00d1021da6a8475da2a66e0
SHA512 cff47bd8fdf72f886c4d0dbf9763c8450ff20d3e3bf6c47c2e126c12967175af1ab4293cb1d6e8990921aa49892e4be2bb8c8c79777e2755d7fa67f7e9ec05f3

C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme

MD5 7b70623ba6fb6bd30c9baac6695ae6b2
SHA1 9cd0d21e8e0fea74c6a97f5fddbde79d63275f54
SHA256 ce37bc4e9d35da8ca39a838831605ddc977731d244c7ea1b791a618e518a51ff
SHA512 2e2489b4284d7b9c4ff8e3aa4c10ac99b6df81aa0525cb12c91fe55c784522055da31f546630c598d73210e879ecfb270aba4c9a16d733414bdda00b60d8df3b

C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme

MD5 5d372929dac34695f77aa557d20a3cb6
SHA1 7c0050861fabf8e7f6feeb422141e7a5b4ae6be1
SHA256 e998dcb007f3d055a948d2ff081cb30d3d3af5e86bd84a09d708add5bb4aa7d6
SHA512 99b425012c88e732768574981425df84a1197975dd4c28581209f2bcda7d3c0a27534570325e54d7fca31ca696a63786942accf7fa92c2270e55c4437d6a1b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 20aa9550820cba839e3347500571b855
SHA1 e654a51f5ba244b12e5a2c7909a10fb488f60b63
SHA256 c7004a36a71d0f0f2fdd8719d92d835d797274a0a8e30dcfc8425e2520b7d7e0
SHA512 c243f99368385041fec33b44007254e396c4c367eff022da1a4d30f4e0ca4d8771d5eaae825eaf80c7e777c62ee75d94f89c39063d8c0c32e946a3b26e632de4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 fdb65f5681bc33a3c96ead549f5c21c3
SHA1 890ce70ec677695837924a59bbf79e23f5ac7cf7
SHA256 702757356c320a622d0ca910315687d2f8f6adc717d925e69d7a44e7ba970d08
SHA512 f98f97076f516d1bbc61f86a3675eff8155e3459b414f102fcb10ffa08562cc0b1de211233ba24c1b58ad32ac0b9c0b3031fd5056b5b5a299f72ec2196fced7d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 64d25a287d5d4a873d5e2ae73719bfae
SHA1 fb77bd2edc4b1b9305ed1c2e4d53bd436c82fc3a
SHA256 d146f062b33b5ecead05d1d7e58b8b6d7cc460f58ff783e5a635bac58513cef7
SHA512 b07cf132f16193f1b42abc2fb453b8162ab9b6de5487facbab06bf7133bd62e1443117ffc085070524381b462f93093dde8eec7e6f9483e8770987b0b8ae0b61

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 631f05d71ae3f6bd61da260a814b7594
SHA1 3fb944243ebcc5d516c748f0fe72be60bb04ecda
SHA256 7df336efdae76fdfff0c4ba2fdc86a6b4c4a28573a35bf8912b4d32d7b800335
SHA512 6477f718bc6a42f66c5d8ae9a73582aa967893f980248e66753b3263d3117141ab670ad1c6869c5701dd52dcaff81a575b6b2e6f0829c69e10dab1e68394ff4c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57bc2c.TMP

MD5 c2255cbd33821c297b1d038efb80acba
SHA1 73517a55382b555e18cf5532d7c829c276648ced
SHA256 92454e307ece81a0345f9bbd28e2589e51fb1b08e960919bcca9a3bb758af353
SHA512 225ae6de92df7177978871b56eceba1ae9928858cdc4c868829495bf5a2030d378603ce8cc14b30711e4cfea0681cd3d07c98a3cb7c6288dc3333f48e2930806

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-28 21:54

Reported

2024-05-28 22:00

Platform

win11-20240426-en

Max time kernel

300s

Max time network

284s

Command Line

"C:\Users\Admin\AppData\Local\Temp\pretty.exe"

Signatures

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Reads user/profile data of web browsers

spyware stealer

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\Cake\\yae_wallpaper.jpg" C:\Windows\system32\reg.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Control Panel\Cursors\IBeam C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Control Panel\Cursors\SizeNWSE = "C:\\Windows\\cursors\\aero_nwse.cur" C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Control Panel\Cursors\ = "Windows Default" C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Control Panel\Desktop\UserPreferencesMask = 9e1e078012000000 C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\cursors\\aero_working.ani" C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Control Panel\Accessibility\HighContrast\High Contrast Scheme C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Control Panel\Cursors C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Control Panel\Cursors\SizeWE = "C:\\Windows\\cursors\\aero_ew.cur" C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Control Panel\Appearance\Current C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Control Panel\Accessibility\HighContrast\Flags = "126" C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Control Panel\Cursors\Wait = "C:\\Windows\\cursors\\aero_busy.ani" C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Control Panel\Cursors\No = "C:\\Windows\\cursors\\aero_unavail.cur" C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Control Panel\Cursors\SizeNS = "C:\\Windows\\cursors\\aero_ns.cur" C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Control Panel\Cursors\SizeNESW = "C:\\Windows\\cursors\\aero_nesw.cur" C:\Windows\system32\rundll32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Control Panel\Cursors\Scheme Source = "2" C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Control Panel\Appearance\NewCurrent C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Control Panel\Accessibility\HighContrast\Previous High Contrast Scheme MUI Value C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Control Panel\Cursors\SizeAll = "C:\\Windows\\cursors\\aero_move.cur" C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Control Panel\Cursors\UpArrow = "C:\\Windows\\cursors\\aero_up.cur" C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Control Panel\Cursors\Arrow = "C:\\Windows\\cursors\\aero_arrow.cur" C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Control Panel\Cursors\NWPen = "C:\\Windows\\cursors\\aero_pen.cur" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Control Panel\Accessibility\HighContrast C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Control Panel\Cursors\Hand = "C:\\Windows\\cursors\\aero_link.cur" C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Control Panel\Cursors\Crosshair C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Control Panel\Appearance C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Control Panel\Cursors\Help = "C:\\Windows\\cursors\\aero_helpsel.cur" C:\Windows\system32\rundll32.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" C:\Windows\system32\LogonUI.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00 C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "227" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432" C:\Windows\system32\LogonUI.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\LogonUI.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2620 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe C:\Users\Admin\AppData\Local\Temp\pretty.exe
PID 2620 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe C:\Users\Admin\AppData\Local\Temp\pretty.exe
PID 2116 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe C:\Windows\system32\cmd.exe
PID 2116 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe C:\Windows\system32\cmd.exe
PID 2116 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe C:\Windows\system32\cmd.exe
PID 2116 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe C:\Windows\system32\cmd.exe
PID 1108 wrote to memory of 2908 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1108 wrote to memory of 2908 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2116 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2116 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\pretty.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4428 wrote to memory of 4740 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4428 wrote to memory of 4740 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4428 wrote to memory of 1120 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4428 wrote to memory of 1120 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4428 wrote to memory of 1120 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4428 wrote to memory of 1120 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4428 wrote to memory of 1120 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4428 wrote to memory of 1120 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4428 wrote to memory of 1120 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4428 wrote to memory of 1120 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4428 wrote to memory of 1120 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4428 wrote to memory of 1120 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4428 wrote to memory of 1120 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4428 wrote to memory of 1120 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4428 wrote to memory of 1120 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4428 wrote to memory of 1120 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4428 wrote to memory of 1120 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4428 wrote to memory of 1120 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4428 wrote to memory of 1120 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4428 wrote to memory of 1120 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4428 wrote to memory of 1120 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4428 wrote to memory of 1120 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4428 wrote to memory of 1120 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4428 wrote to memory of 1120 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4428 wrote to memory of 1120 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4428 wrote to memory of 1120 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4428 wrote to memory of 1120 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4428 wrote to memory of 1120 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4428 wrote to memory of 1120 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4428 wrote to memory of 1120 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4428 wrote to memory of 1120 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4428 wrote to memory of 1120 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4428 wrote to memory of 1120 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4428 wrote to memory of 1120 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4428 wrote to memory of 1120 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4428 wrote to memory of 1120 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4428 wrote to memory of 1120 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4428 wrote to memory of 1120 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4428 wrote to memory of 1120 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4428 wrote to memory of 1120 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4428 wrote to memory of 1120 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4428 wrote to memory of 1120 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4428 wrote to memory of 4772 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4428 wrote to memory of 4772 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4428 wrote to memory of 3760 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4428 wrote to memory of 3760 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4428 wrote to memory of 3760 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4428 wrote to memory of 3760 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4428 wrote to memory of 3760 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4428 wrote to memory of 3760 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4428 wrote to memory of 3760 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4428 wrote to memory of 3760 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4428 wrote to memory of 3760 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4428 wrote to memory of 3760 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Uses Task Scheduler COM API

persistence

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\pretty.exe

"C:\Users\Admin\AppData\Local\Temp\pretty.exe"

C:\Users\Admin\AppData\Local\Temp\pretty.exe

"C:\Users\Admin\AppData\Local\Temp\pretty.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ver"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "schtasks /create /tn "pretty" /tr "C:\ProgramData\Cake\pretty.exe" /sc ONLOGON /rl HIGHEST /f"

C:\Windows\system32\schtasks.exe

schtasks /create /tn "pretty" /tr "C:\ProgramData\Cake\pretty.exe" /sc ONLOGON /rl HIGHEST /f

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://ctt.ac/6qjil

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffebaaf3cb8,0x7ffebaaf3cc8,0x7ffebaaf3cd8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1896,12980720125705604265,13735591173999940371,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1916 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1896,12980720125705604265,13735591173999940371,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2108 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1896,12980720125705604265,13735591173999940371,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2704 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12980720125705604265,13735591173999940371,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12980720125705604265,13735591173999940371,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12980720125705604265,13735591173999940371,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12980720125705604265,13735591173999940371,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3496 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12980720125705604265,13735591173999940371,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3824 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12980720125705604265,13735591173999940371,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12980720125705604265,13735591173999940371,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4920 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1896,12980720125705604265,13735591173999940371,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3792 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12980720125705604265,13735591173999940371,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5468 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12980720125705604265,13735591173999940371,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12980720125705604265,13735591173999940371,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1896,12980720125705604265,13735591173999940371,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5048 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12980720125705604265,13735591173999940371,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12980720125705604265,13735591173999940371,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "start "" "C:\Windows\Resources\Themes\aero.theme" & timeout /t 3 & taskkill /im "systemsettings.exe" /f"

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\themecpl.dll,OpenThemeAction C:\Windows\Resources\Themes\aero.theme

C:\Windows\system32\timeout.exe

timeout /t 3

C:\Windows\system32\taskkill.exe

taskkill /im "systemsettings.exe" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize /v AppsUseLightTheme /t REG_DWORD /d 1 /f"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12980720125705604265,13735591173999940371,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4040 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12980720125705604265,13735591173999940371,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4924 /prefetch:1

C:\Windows\system32\reg.exe

reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize /v AppsUseLightTheme /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize /v EnableTransparency /t REG_DWORD /d 0 /f"

C:\Windows\system32\reg.exe

reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize /v EnableTransparency /t REG_DWORD /d 0 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize /v SystemUsesLightTheme /t REG_DWORD /d 1 /f"

C:\Windows\system32\reg.exe

reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize /v SystemUsesLightTheme /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize /v ColorPrevalence /t REG_DWORD /d 1 /f"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc

C:\Windows\system32\reg.exe

reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize /v ColorPrevalence /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Accent /v StartColorMenu /t REG_DWORD /d 0xff7878e7 /f"

C:\Windows\system32\reg.exe

reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Accent /v StartColorMenu /t REG_DWORD /d 0xff7878e7 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Accent /v AccentColorMenu /t REG_DWORD /d 0xff8e8eeb /f"

C:\Windows\system32\reg.exe

reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Accent /v AccentColorMenu /t REG_DWORD /d 0xff8e8eeb /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Accent /v AccentPalette /t REG_BINARY /d ce43aaffce43aaffce43aaffce43aaffce43aaffce43aaffce43aaffce43aa00 /f"

C:\Windows\system32\reg.exe

reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Accent /v AccentPalette /t REG_BINARY /d ce43aaffce43aaffce43aaffce43aaffce43aaffce43aaffce43aaffce43aa00 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add "HKCU\Control Panel\Colors" /v ActiveBorder /t REG_SZ /d "255 200 220" /f"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Colors" /v ActiveBorder /t REG_SZ /d "255 200 220" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add "HKCU\Control Panel\Colors" /v ActiveTitle /t REG_SZ /d "255 120 150" /f"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Colors" /v ActiveTitle /t REG_SZ /d "255 120 150" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add "HKCU\Control Panel\Colors" /v AppWorkspace /t REG_SZ /d "255 180 200" /f"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Colors" /v AppWorkspace /t REG_SZ /d "255 180 200" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add "HKCU\Control Panel\Colors" /v Background /t REG_SZ /d "255 200 220" /f"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Colors" /v Background /t REG_SZ /d "255 200 220" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add "HKCU\Control Panel\Colors" /v ButtonAlternateFace /t REG_SZ /d "255 200 220" /f"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Colors" /v ButtonAlternateFace /t REG_SZ /d "255 200 220" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add "HKCU\Control Panel\Colors" /v ButtonDkShadow /t REG_SZ /d "255 200 220" /f"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Colors" /v ButtonDkShadow /t REG_SZ /d "255 200 220" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add "HKCU\Control Panel\Colors" /v ButtonFace /t REG_SZ /d "255 200 220" /f"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Colors" /v ButtonFace /t REG_SZ /d "255 200 220" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add "HKCU\Control Panel\Colors" /v ButtonHilight /t REG_SZ /d "255 200 220" /f"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Colors" /v ButtonHilight /t REG_SZ /d "255 200 220" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add "HKCU\Control Panel\Colors" /v ButtonLight /t REG_SZ /d "255 200 220" /f"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Colors" /v ButtonLight /t REG_SZ /d "255 200 220" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add "HKCU\Control Panel\Colors" /v ButtonShadow /t REG_SZ /d "255 200 220" /f"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Colors" /v ButtonShadow /t REG_SZ /d "255 200 220" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add "HKCU\Control Panel\Colors" /v ButtonText /t REG_SZ /d "255 255 255" /f"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Colors" /v ButtonText /t REG_SZ /d "255 255 255" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add "HKCU\Control Panel\Colors" /v GradientActiveTitle /t REG_SZ /d "255 120 150" /f"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Colors" /v GradientActiveTitle /t REG_SZ /d "255 120 150" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add "HKCU\Control Panel\Colors" /v GradientInactiveTitle /t REG_SZ /d "255 200 220" /f"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Colors" /v GradientInactiveTitle /t REG_SZ /d "255 200 220" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add "HKCU\Control Panel\Colors" /v GrayText /t REG_SZ /d "255 200 220" /f"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Colors" /v GrayText /t REG_SZ /d "255 200 220" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add "HKCU\Control Panel\Colors" /v Hilight /t REG_SZ /d "255 200 220" /f"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Colors" /v Hilight /t REG_SZ /d "255 200 220" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add "HKCU\Control Panel\Colors" /v HilightText /t REG_SZ /d "255 255 255" /f"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Colors" /v HilightText /t REG_SZ /d "255 255 255" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add "HKCU\Control Panel\Colors" /v HotTrackingColor /t REG_SZ /d "255 200 220" /f"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Colors" /v HotTrackingColor /t REG_SZ /d "255 200 220" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add "HKCU\Control Panel\Colors" /v InactiveBorder /t REG_SZ /d "255 200 220" /f"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Colors" /v InactiveBorder /t REG_SZ /d "255 200 220" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add "HKCU\Control Panel\Colors" /v InactiveTitle /t REG_SZ /d "255 200 220" /f"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Colors" /v InactiveTitle /t REG_SZ /d "255 200 220" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add "HKCU\Control Panel\Colors" /v InactiveTitleText /t REG_SZ /d "255 255 255" /f"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Colors" /v InactiveTitleText /t REG_SZ /d "255 255 255" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add "HKCU\Control Panel\Colors" /v InfoText /t REG_SZ /d "255 255 255" /f"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Colors" /v InfoText /t REG_SZ /d "255 255 255" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add "HKCU\Control Panel\Colors" /v InfoWindow /t REG_SZ /d "255 200 220" /f"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Colors" /v InfoWindow /t REG_SZ /d "255 200 220" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add "HKCU\Control Panel\Colors" /v Menu /t REG_SZ /d "255 200 220" /f"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Colors" /v Menu /t REG_SZ /d "255 200 220" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add "HKCU\Control Panel\Colors" /v MenuBar /t REG_SZ /d "255 200 220" /f"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Colors" /v MenuBar /t REG_SZ /d "255 200 220" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add "HKCU\Control Panel\Colors" /v MenuHilight /t REG_SZ /d "255 200 220" /f"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Colors" /v MenuHilight /t REG_SZ /d "255 200 220" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add "HKCU\Control Panel\Colors" /v MenuText /t REG_SZ /d "255 255 255" /f"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Colors" /v MenuText /t REG_SZ /d "255 255 255" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add "HKCU\Control Panel\Colors" /v Scrollbar /t REG_SZ /d "255 200 220" /f"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Colors" /v Scrollbar /t REG_SZ /d "255 200 220" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add "HKCU\Control Panel\Colors" /v TitleText /t REG_SZ /d "255 255 255" /f"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Colors" /v TitleText /t REG_SZ /d "255 255 255" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add "HKCU\Control Panel\Colors" /v Window /t REG_SZ /d "255 200 220" /f"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Colors" /v Window /t REG_SZ /d "255 200 220" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add "HKCU\Control Panel\Colors" /v WindowFrame /t REG_SZ /d "255 200 220" /f"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Colors" /v WindowFrame /t REG_SZ /d "255 200 220" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add "HKCU\Control Panel\Colors" /v WindowText /t REG_SZ /d "255 255 255" /f"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Colors" /v WindowText /t REG_SZ /d "255 255 255" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add "HKCU\Control Panel\Desktop" /v WallPaper /t REG_SZ /d C:\ProgramData\Cake\yae_wallpaper.jpg /f"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v WallPaper /t REG_SZ /d C:\ProgramData\Cake\yae_wallpaper.jpg /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 1 /f"

C:\Windows\system32\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v NoDispAppearancePage /t REG_DWORD /d 1 /f"

C:\Windows\system32\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v NoDispAppearancePage /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "schtasks /create /tn pretty_lock /tr "C:\ProgramData\Cake\lock_file.bat" /ru "NT AUTHORITY\SYSTEM" /rl HIGHEST /sc ONLOGON"

C:\Windows\system32\schtasks.exe

schtasks /create /tn pretty_lock /tr "C:\ProgramData\Cake\lock_file.bat" /ru "NT AUTHORITY\SYSTEM" /rl HIGHEST /sc ONLOGON

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "schtasks /run /tn pretty_lock"

C:\Windows\system32\schtasks.exe

schtasks /run /tn pretty_lock

C:\Windows\SYSTEM32\cmd.exe

C:\Windows\SYSTEM32\cmd.exe /c "C:\ProgramData\Cake\lock_file.bat"

C:\Windows\system32\takeown.exe

takeown /f "C:\ProgramData\Cake\pretty.exe"

C:\Windows\system32\attrib.exe

attrib +r +s "C:\ProgramData\Cake\pretty.exe"

C:\Windows\system32\icacls.exe

icacls "C:\ProgramData\Cake\pretty.exe" /remove *S-1-5-32-545

C:\Windows\system32\icacls.exe

icacls "C:\ProgramData\Cake\pretty.exe" /inheritance:r /grant:r *S-1-5-32-545:RX /deny *S-1-5-32-545:(de,WO,WDAC) /grant:r *S-1-5-32-544:RX /deny *S-1-5-32-544:(de,WO,WDAC)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "schtasks /delete /tn pretty_lock /F"

C:\Windows\system32\schtasks.exe

schtasks /delete /tn pretty_lock /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c shutdown -l

C:\Windows\system32\shutdown.exe

shutdown -l

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x4 /state0:0xa39ec055 /state1:0x41c64e6d

Network

Country Destination Domain Proto
US 8.8.8.8:53 ctt.ac udp
US 134.209.68.5:443 clicktotweet.com tcp
US 8.8.8.8:53 5.68.209.134.in-addr.arpa udp
US 134.209.68.5:443 clicktotweet.com tcp
BE 64.233.166.154:443 stats.g.doubleclick.net tcp
US 104.244.42.65:443 x.com tcp
US 104.244.42.65:443 x.com tcp
US 104.244.42.2:443 api.x.com tcp
US 104.244.42.130:443 api.twitter.com tcp
US 152.199.21.141:443 abs.twimg.com tcp
PL 93.184.220.70:443 pbs.twimg.com tcp
PL 93.184.221.165:443 t.co tcp
US 8.8.8.8:53 2.42.244.104.in-addr.arpa udp
US 8.8.8.8:53 130.42.244.104.in-addr.arpa udp
US 152.199.21.141:443 abs.twimg.com tcp
GB 199.232.56.158:443 video.twimg.com tcp
US 104.244.43.131:443 abs-0.twimg.com tcp
NL 142.250.27.84:443 accounts.google.com tcp
US 104.244.42.2:443 api.x.com tcp
US 104.244.42.2:443 api.x.com tcp
US 104.244.42.2:443 api.x.com tcp
US 104.244.42.2:443 api.x.com tcp
US 104.244.42.2:443 api.x.com tcp
NL 142.250.27.84:443 accounts.google.com udp
N/A 224.0.0.251:5353 udp
BE 104.68.66.114:443 cxcs.microsoft.net tcp
NL 23.62.61.194:443 www.bing.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI26202\ucrtbase.dll

MD5 0e0bac3d1dcc1833eae4e3e4cf83c4ef
SHA1 4189f4459c54e69c6d3155a82524bda7549a75a6
SHA256 8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae
SHA512 a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd

C:\Users\Admin\AppData\Local\Temp\_MEI26202\python310.dll

MD5 63a1fa9259a35eaeac04174cecb90048
SHA1 0dc0c91bcd6f69b80dcdd7e4020365dd7853885a
SHA256 14b06796f288bc6599e458fb23a944ab0c843e9868058f02a91d4606533505ed
SHA512 896caa053f48b1e4102e0f41a7d13d932a746eea69a894ae564ef5a84ef50890514deca6496e915aae40a500955220dbc1b1016fe0b8bcdde0ad81b2917dea8b

C:\Users\Admin\AppData\Local\Temp\_MEI26202\VCRUNTIME140.dll

MD5 f34eb034aa4a9735218686590cba2e8b
SHA1 2bc20acdcb201676b77a66fa7ec6b53fa2644713
SHA256 9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1
SHA512 d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

C:\Users\Admin\AppData\Local\Temp\_MEI26202\_ctypes.pyd

MD5 1635a0c5a72df5ae64072cbb0065aebe
SHA1 c975865208b3369e71e3464bbcc87b65718b2b1f
SHA256 1ea3dd3df393fa9b27bf6595be4ac859064cd8ef9908a12378a6021bba1cb177
SHA512 6e34346ea8a0aacc29ccd480035da66e280830a7f3d220fd2f12d4cfa3e1c03955d58c0b95c2674aea698a36a1b674325d3588483505874c2ce018135320ff99

C:\Users\Admin\AppData\Local\Temp\_MEI26202\libffi-7.dll

MD5 eef7981412be8ea459064d3090f4b3aa
SHA1 c60da4830ce27afc234b3c3014c583f7f0a5a925
SHA256 f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081
SHA512 dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

C:\Users\Admin\AppData\Local\Temp\_MEI26202\_bz2.pyd

MD5 86d1b2a9070cd7d52124126a357ff067
SHA1 18e30446fe51ced706f62c3544a8c8fdc08de503
SHA256 62173a8fadd4bf4dd71ab89ea718754aa31620244372f0c5bbbae102e641a60e
SHA512 7db4b7e0c518a02ae901f4b24e3860122acc67e38e73f98f993fe99eb20bb3aa539db1ed40e63d6021861b54f34a5f5a364907ffd7da182adea68bbdd5c2b535

C:\Users\Admin\AppData\Local\Temp\_MEI26202\_lzma.pyd

MD5 7447efd8d71e8a1929be0fac722b42dc
SHA1 6080c1b84c2dcbf03dcc2d95306615ff5fce49a6
SHA256 60793c8592193cfbd00fd3e5263be4315d650ba4f9e4fda9c45a10642fd998be
SHA512 c6295d45ed6c4f7534c1a38d47ddc55fea8b9f62bbdc0743e4d22e8ad0484984f8ab077b73e683d0a92d11bf6588a1ae395456cfa57da94bb2a6c4a1b07984de

C:\Users\Admin\AppData\Local\Temp\_MEI26202\_brotli.cp310-win_amd64.pyd

MD5 ee3d454883556a68920caaedefbc1f83
SHA1 45b4d62a6e7db022e52c6159eef17e9d58bec858
SHA256 791e7195d7df47a21466868f3d7386cff13f16c51fcd0350bf4028e96278dff1
SHA512 e404adf831076d27680cc38d3879af660a96afc8b8e22ffd01647248c601f3c6c4585d7d7dc6bbd187660595f6a48f504792106869d329aa1a0f3707d7f777c6

C:\Users\Admin\AppData\Local\Temp\_MEI26202\_asyncio.pyd

MD5 33d0b6de555ddbbbd5ca229bfa91c329
SHA1 03034826675ac93267ce0bf0eaec9c8499e3fe17
SHA256 a9a99a2b847e46c0efce7fcfefd27f4bce58baf9207277c17bffd09ef4d274e5
SHA512 dbbd1ddfa445e22a0170a628387fcf3cb95e6f8b09465d76595555c4a67da4274974ba7b348c4c81fe71c68d735c13aacb8063d3a964a8a0556fb000d68686b7

C:\Users\Admin\AppData\Local\Temp\_MEI26202\yae_wallpaper.jpg

MD5 09ffe72a73154d34fe7d9b9a0d783d2f
SHA1 f0c213776fc611047d2eb5ea79c4a27bb4515f61
SHA256 216a4381524cd23ef28518d3f2965c42f03f4be0dabe68b11f9aaa0f19be4509
SHA512 bcad75d710a0378b1a0c907654f5d4d57f8f949baf29c3901781a96c9855072309b4f7d1759ff1b05efddf1cfcb877ee84cdf7799c6ec2d8da3f41ad2170b031

C:\Users\Admin\AppData\Local\Temp\_MEI26202\VCRUNTIME140_1.dll

MD5 135359d350f72ad4bf716b764d39e749
SHA1 2e59d9bbcce356f0fece56c9c4917a5cacec63d7
SHA256 34048abaa070ecc13b318cea31425f4ca3edd133d350318ac65259e6058c8b32
SHA512 cf23513d63ab2192c78cae98bd3fea67d933212b630be111fa7e03be3e92af38e247eb2d3804437fd0fda70fdc87916cd24cf1d3911e9f3bfb2cc4ab72b459ba

C:\Users\Admin\AppData\Local\Temp\_MEI26202\unicodedata.pyd

MD5 81d62ad36cbddb4e57a91018f3c0816e
SHA1 fe4a4fc35df240b50db22b35824e4826059a807b
SHA256 1fb2d66c056f69e8bbdd8c6c910e72697874dae680264f8fb4b4df19af98aa2e
SHA512 7d15d741378e671591356dfaad4e1e03d3f5456cbdf87579b61d02a4a52ab9b6ecbffad3274cede8c876ea19eaeb8ba4372ad5986744d430a29f50b9caffb75d

C:\Users\Admin\AppData\Local\Temp\_MEI26202\select.pyd

MD5 a653f35d05d2f6debc5d34daddd3dfa1
SHA1 1a2ceec28ea44388f412420425665c3781af2435
SHA256 db85f2f94d4994283e1055057372594538ae11020389d966e45607413851d9e9
SHA512 5aede99c3be25b1a962261b183ae7a7fb92cb0cb866065dc9cd7bb5ff6f41cc8813d2cc9de54670a27b3ad07a33b833eaa95a5b46dad7763ca97dfa0c1ce54c9

C:\Users\Admin\AppData\Local\Temp\_MEI26202\pyexpat.pyd

MD5 1118c1329f82ce9072d908cbd87e197c
SHA1 c59382178fe695c2c5576dca47c96b6de4bbcffd
SHA256 4a2d59993bce76790c6d923af81bf404f8e2cb73552e320113663b14cf78748c
SHA512 29f1b74e96a95b0b777ef00448da8bd0844e2f1d8248788a284ec868ae098c774a694d234a00bd991b2d22c2372c34f762cdbd9ec523234861e39c0ca752dcaa

C:\Users\Admin\AppData\Local\Temp\_MEI26202\pinkpfp.jpg

MD5 d9fcc67f6ea4e7f7719b1f7ae1b483e0
SHA1 ef9dbb3e1c31d1ab4c4c417c1b9b3d5df5be535f
SHA256 82205d551b09b0398c61521a3fd6f35a7bb7e6bb2a204feff2a962f0c9a9c841
SHA512 01e75a4511283fb000bfc8af3303fcbc1a1be7aa94d85169054fbc770ccaf5e78c8053b41398e609f00fe55bfa91339eda536dacc2f833914bd9a4dc4e710ee0

C:\Users\Admin\AppData\Local\Temp\_MEI26202\libssl-1_1.dll

MD5 bec0f86f9da765e2a02c9237259a7898
SHA1 3caa604c3fff88e71f489977e4293a488fb5671c
SHA256 d74ce01319ae6f54483a19375524aa39d9f5fd91f06cf7df238ca25e043130fd
SHA512 ffbc4e5ffdb49704e7aa6d74533e5af76bbe5db297713d8e59bd296143fe5f145fbb616b343eed3c48eceaccccc2431630470d8975a4a17c37eafcc12edd19f4

C:\Users\Admin\AppData\Local\Temp\_MEI26202\libcrypto-1_1.dll

MD5 9d7a0c99256c50afd5b0560ba2548930
SHA1 76bd9f13597a46f5283aa35c30b53c21976d0824
SHA256 9b7b4a0ad212095a8c2e35c71694d8a1764cd72a829e8e17c8afe3a55f147939
SHA512 cb39aa99b9d98c735fdacf1c5ed68a4d09d11f30262b91f6aa48c3f8520eff95e499400d0ce7e280ca7a90ff6d7141d2d893ef0b33a8803a1cadb28ba9a9e3e2

C:\Users\Admin\AppData\Local\Temp\_MEI26202\api-ms-win-crt-utility-l1-1-0.dll

MD5 57d3ee548db3a503ac391af798e0e2a2
SHA1 d686a96c5046d6d7a022c4266a5d0014745360a4
SHA256 2c80280e51c242466e10a36a0bf2a341607983b6f6648f93b0718b34ab5285c5
SHA512 f3ea9c8f2f230d23bc878e37044599b2c77f0bf6dd84b07c2f87a84263fb9ac7f44732f05e14781b6046afb2a39f27135c96d2da2ab9605bd00e55d9b0fffb0b

C:\Users\Admin\AppData\Local\Temp\_MEI26202\api-ms-win-crt-time-l1-1-0.dll

MD5 816a8932759bdb478d4263cacbf972e3
SHA1 ac9f2bed41e340313501aa7d33dcd369748f0496
SHA256 ce9a8e18923d12e2f62ce2a20693113000fc361cc816773037c155c273b99e7c
SHA512 5144f01bee04455d5b9a7b07e62f4afb928605331213eb483265016640198c175dc08673903ed5bc16b385ee76657aa4303776233d04347d9d1daadce39525c4

C:\Users\Admin\AppData\Local\Temp\_MEI26202\api-ms-win-crt-string-l1-1-0.dll

MD5 f9297b9ff06295bc07b7e5281b1face0
SHA1 d0eb0fddbb3eb187df0f0e5f9ddffcfc2e05f9b7
SHA256 c56a2ee0cc6dc1e7283b9bda8b7b2dba957329cb4bc9aca4cd99f88e108f9c04
SHA512 bec6222776015996eba744698d3254945dfe4bb4dc0d85528ee59a0f3b5fc5bb054bbf496d562cfc7b4cc81b4d3df5c53761931162a0091a49386233afba4f9c

C:\Users\Admin\AppData\Local\Temp\_MEI26202\api-ms-win-crt-stdio-l1-1-0.dll

MD5 8341f0371e25b8077fe61c89a9ef8144
SHA1 fc185203e33abed12e1398440cb2ee283ca9541a
SHA256 bd9a5d4554ef1a374257e8dd9436d89f686006ed1fd1cc44364b237bf5b795ff
SHA512 9c7e4e8d8e9e620f441ab5106820ec021d2b2323f44ed8cc8ec9673745dbc531347356f1ff195d63b62b09cc5c27e8f8641ce25be12ee9b700b5fc766337228b

C:\Users\Admin\AppData\Local\Temp\_MEI26202\api-ms-win-crt-runtime-l1-1-0.dll

MD5 364bc49cc7034f8a9981ade1ce565229
SHA1 fbd76c1842d1ccf563ece2db32fff4c71e7ca689
SHA256 6254fd07ace88685112e3a7b73676aabf13a1b1bc30c55dd976b34fea12b7f1d
SHA512 65e59e3358eb1bf26823c9538c74d343e7383591c021d2b340ef68aa9a274d65b15b30bbbe55f4b32e3a08fc79d4e179a6ce92eadb8c4be09a2c35c348ce10af

C:\Users\Admin\AppData\Local\Temp\_MEI26202\api-ms-win-crt-process-l1-1-0.dll

MD5 e3914d51afd864a6c6587aa9192c491b
SHA1 bae85701809bc259a8744aafa45cd7159e6c13f8
SHA256 28257cc063431f78284335ce3002ffb71b75c1e7ccabf5417bb42392c35564b4
SHA512 43b1445a80d309ec73d52d6cf68f4533a132fb55ab672e5e2a878bb42c1cb36d6e4c504d43fa4923e692c8be600f3f9d5a5edde80602636cb726eedfca23dfb8

C:\Users\Admin\AppData\Local\Temp\_MEI26202\api-ms-win-crt-multibyte-l1-1-0.dll

MD5 0b057fa3a94c782da362d225c5974d12
SHA1 ca27a53ff2be1250e33045989e0fb515dfdfe3f3
SHA256 e1c519fef1622d35a05dd60e6464492f7b8ee6bbceee01563db82be66edb1346
SHA512 2dc6ef4d2d1f1bc050cba52e1a96242468fa25372f216e399163bce2e5e17c4911e097106f5727db4379c9fb603091b32f1e818695b362596037d7a6f43e06c7

C:\Users\Admin\AppData\Local\Temp\_MEI26202\api-ms-win-crt-math-l1-1-0.dll

MD5 a592d1b2ecc42d1a083f0d34feae2444
SHA1 29718af390f832626fcdcc57c107333cdb5743e1
SHA256 18a827b01de7b1a3d5c8d17b79ad2462a90308124448a9b8c47eccda39c3a095
SHA512 44bed6d24f1fa35b10d2b2b1574e7baf10182e60fdcb6cba5dd9de5cd7a5183198925e4fa5a7e2896564a30f7b70de69691713118d59bf5162ce35aff5bcf7a6

C:\Users\Admin\AppData\Local\Temp\_MEI26202\api-ms-win-crt-locale-l1-1-0.dll

MD5 75f1a5f65790560d9544f3fb70efba51
SHA1 f30a5751901cfffc250be76e13a8b711ebc06bcc
SHA256 e0e02ea6c17da186e25e352b78c80b1b3511b5c1590e5ba647b14a7b384af0f8
SHA512 b7e285ca35f6a8ae2ccbe21594d72152175301a02ad6b92fe130e1e226a0faad1bfad1bd49857401549c09b50feee2c42c23ca4c19b2845cad090f5b9e8e8f63

C:\Users\Admin\AppData\Local\Temp\_MEI26202\api-ms-win-crt-heap-l1-1-0.dll

MD5 4b038cdc70357d2dec440717ac344a52
SHA1 f67ba87f6830858845a5763381a47893af061bf8
SHA256 6a24e9cfb0efd9e1b90053d4ebd87fc35144e61ae3f6555c7d400542d648e2b5
SHA512 9557f15fa3c06de89ea8be0c959b94575a1c4587151687730f9e66fed095feb882d43ea32262000f871e6d860ce0c6c341cf5509a6ce81866f6d0efacb8526fe

C:\Users\Admin\AppData\Local\Temp\_MEI26202\api-ms-win-crt-filesystem-l1-1-0.dll

MD5 102a8c01049ef18cc6e8798a9e5d57f4
SHA1 9adef547e03032d8c5525cc9c7d4512fbeb53948
SHA256 e13edab280e7b3410d7f4ce30a8e8cae64f38652d770fc3bf223206f0c57aaa5
SHA512 a9fbc726f33399f55f70967f3f1bf374589eaad9581d9e94228d39afa06cdce31ed25bdc04805aad361c7cafbeb56ca39f6693259d67457199d4423a61b32263

C:\Users\Admin\AppData\Local\Temp\_MEI26202\api-ms-win-crt-environment-l1-1-0.dll

MD5 e41612752a7dfbbe756322cf48e106b9
SHA1 0ec106e926c9837a43e1d7ec8d1a5f03edd5ec3d
SHA256 4bb9d36e0e034652f2331ddb43ee061608f436cbc9e5771b4d27b28fa10f5248
SHA512 9bed9399e896d1cc58cc06e8d7ec6cc3345be6d15ca307c670e0f282c9ebe48a6cc1b145c2ecf94d84214cddff8f0d0d720ea984478c74c98e2499c2184638c9

C:\Users\Admin\AppData\Local\Temp\_MEI26202\api-ms-win-crt-convert-l1-1-0.dll

MD5 87e2934e49d7d111f383673f97d5029e
SHA1 267603d5510b775de3667f7d92bfaa3bd60e6533
SHA256 fb9dd774b25ab8e661c922caffb976c37a4d10a631ab65665da60016ef0c4d7c
SHA512 e6025ad419359ad3e06cc7a3b3b7436464dbbc71b91653833575264a5f8b0d781844a411bcd915d404b9a8c0a056eaf6d4d412723936845b53bfb5368bf5f7a7

C:\Users\Admin\AppData\Local\Temp\_MEI26202\api-ms-win-crt-conio-l1-1-0.dll

MD5 9eb2c06decaae1a109a94886a26eec25
SHA1 307ce096bee44f54a6d37aab1ef123fb423ed028
SHA256 da8fd2fe08a531d2331c1fbee9f4ae9015b64f24a2654a7f82418c86b4ab6909
SHA512 7e701cb00a4cab8d5b3ecf55a16fef0103f9be1aa3fd7b53c7bab968708c21e8d1c763ad80a7a8d6c76dd45ddd244c9c9e8944455c2025b4195660b61ac1e8b7

C:\Users\Admin\AppData\Local\Temp\_MEI26202\api-ms-win-core-util-l1-1-0.dll

MD5 f7fdc91ac711a9bb3391901957a25cea
SHA1 1cebc5497e15051249c951677b5b550a1770c24f
SHA256 de47c1f924dc12e41d3a123b7dcce0260e7758b90fb95ec95c270fc116fc7599
SHA512 0e03c998622d6bf113e8d3b4dab728974391efecf59df89f938bd22240488e71885c05fb0fa805948b3d9645758409a0966299b26625aa36e3fd6e519ee22769

C:\Users\Admin\AppData\Local\Temp\_MEI26202\api-ms-win-core-timezone-l1-1-0.dll

MD5 b9a20c9223d3e3d3a0c359f001ce1046
SHA1 9710b9a8c393ba00c254cf693c7c37990c447cc8
SHA256 00d9a7353be0a54c17e4862b86196a8b2bc6a007899fa2fbe61afd9765548068
SHA512 a7d5611c0b3b53da6cac61e0374d54d27e6e8a1af90ef66cd7e1b052f906c8b3f6087f4c6de0db3ae0b099df7689ecde6c815a954b728d36d9d3b5d002ccf18e

C:\Users\Admin\AppData\Local\Temp\_MEI26202\api-ms-win-core-sysinfo-l1-1-0.dll

MD5 e4893842d031b98cac1c6f754a2a3f8d
SHA1 2b0187134e40d27553a85dd4ec89dd6c40e58a24
SHA256 abe4c1464b325365d38e0bc4ae729a17a7f6f7ba482935c66e6840e1b0d126c5
SHA512 fc61a66fdc7213857f204bd0b20671db7092e0010e07b5e0e8e8408ace8ac5b6e696a7d9fc969233b2b3ad5dae4d3b291b007ff27a316e7fb750bfc93257c532

C:\Users\Admin\AppData\Local\Temp\_MEI26202\api-ms-win-core-synch-l1-2-0.dll

MD5 b962237df7ea045c325e7f97938097cb
SHA1 1115e0e13ecc177d057e3d1c9644ac4d108f780a
SHA256 a24dd6afdb4c4aa450ae4bc6a2861a49032170661b9c1f30cd0460c5dc57e0f7
SHA512 19ac4cccaaa59fbae042d03ba52d89f309bd2591b035f3ec3df430ff399d650fcf9c4d897834a520dea60dc0562a8a6f7d25a1fffcd32f765a4eaffe4c7d5ea2

C:\Users\Admin\AppData\Local\Temp\_MEI26202\api-ms-win-core-synch-l1-1-0.dll

MD5 bccc676f2fb18c1a1864363e5a649a88
SHA1 a095a83a32a4a65fe16aa0be9a517239fac5db0d
SHA256 9d3f803dc791d2ff2e05059f9bb9207cc8f4134e1ac05f20edd20cfadd6e72c0
SHA512 55aab9fa6f7c4904e4beea4ce250f45fb71c2dd6a6f099f4017101ebc45c0a6e303b6a222f49c971992cafe8988a042b7ef8e94671be858c926105021514737a

C:\Users\Admin\AppData\Local\Temp\_MEI26202\api-ms-win-core-string-l1-1-0.dll

MD5 b65933f7bcadc7072d5a2d70ecba9f81
SHA1 c53561755b9f33d0ae7874b3a7d67bedcb0129d8
SHA256 eadf535795df58d4f52fc6237fe46feb0f8166daca5eaaa59cec3cee50a9181d
SHA512 4cbb8bda8609404fe84ca36a8cbfe1d69c55dee2b969231b2fa00ca9139d956196a2babbb80a1a2bb430a34e6bd335294f452bcbe9e44411561ebdf21e4aba91

C:\Users\Admin\AppData\Local\Temp\_MEI26202\api-ms-win-core-rtlsupport-l1-1-0.dll

MD5 0b30c6862b5224cc429fe2eb2b7bf14b
SHA1 5c3affa14e3bfdafe09e9841a2920b57c7fcbc56
SHA256 d9c6f93c4972db08c7888d55e8e59e8aba022d416817d65bc96e5a258c859b5f
SHA512 b378f2a2812245ea948d81a925d041dbd7e7a8fb2770cf7dd47643da20f5c685c6121479f95b293177a9480290b17c49e7b4fc10d33734cf883d2c614daae1bf

C:\Users\Admin\AppData\Local\Temp\_MEI26202\api-ms-win-core-profile-l1-1-0.dll

MD5 1be729c6d9bf1b58f435b23e7f87ba49
SHA1 4b2df3fab46a362ee46057c344995fa622e0672a
SHA256 4c425fbb8d2319d838733ab9cec63a576639192d993909e70cf84f49c107f785
SHA512 ceccc5ff2bd90a91cfbb948f979576795ff0a9503ddaafd268c14306f93d887975bd376b62ed688be51bb88b3a0c54ef332be93b4b0d8737b5ab70a661b11416

C:\Users\Admin\AppData\Local\Temp\_MEI26202\api-ms-win-core-processthreads-l1-1-1.dll

MD5 774aa9f9318880cb4ad3bf6f464da556
SHA1 3a5c07cf35009c98eb033e1cbde1900135d1abf8
SHA256 ba9fbd3a21879614c050c86a74ad2fffc0362266d6fa7be0ef359de393136346
SHA512 f7b57afb9810e3390d27a5469572fb29f0f1726f599403a180e685466237dff5dec4fdce40105ef1bb057e012d546308213e7cec73e0d7d3c5815eec8189a75d

C:\Users\Admin\AppData\Local\Temp\_MEI26202\api-ms-win-core-processthreads-l1-1-0.dll

MD5 73586decad3b3d90653750504b356a5c
SHA1 39a7ee1660ca1291314ef78150e397b1d8683e03
SHA256 34f560c3e56f40db5df695c967b6e302e961085bc037bb9a1c2d2c866a9df48f
SHA512 9ec299e930d2b89ad379613f8fa63669ec7c858da8a24608b92175f42b0be75f8aa2e1727dabf7638ae9d2942d03840f288eab53f2c9f38dbea1325f1ea8b22b

C:\Users\Admin\AppData\Local\Temp\_MEI26202\api-ms-win-core-processenvironment-l1-1-0.dll

MD5 4f1303827a67760d02feb54e9258edb1
SHA1 340d7029c39708d14da79b12a0e2ed0a8bc7c020
SHA256 77fc9adf1a734d9717700b038b98b4337a494fc4f7e1e706c82e97dbca896fd8
SHA512 20f067d1c2749c709e4fc45da8d9eb5b813f54d0e09fa482d00bc4a7e5744c587d0afc00cdd5263b4223fe94baa3f8ca110d010339f9e3f1c6b2700888dbe3d0

C:\Users\Admin\AppData\Local\Temp\_MEI26202\api-ms-win-core-namedpipe-l1-1-0.dll

MD5 d1bc9b3a7aa94d10c41fa16210aa9dba
SHA1 a358b824b1f26ead420d2100e5f1a3fb74af2b7a
SHA256 75652caf05e86adc88ed214fd208b4a289489cac2b28fd358e302e2e7c3c338f
SHA512 149478dfca0165d5a68e89070017cda3400926284eaa2143a810138ff710079cde413c031721de5b58cb834f03d4c5df5b4bd6c2bdb65687755ad77cae778b30

C:\Users\Admin\AppData\Local\Temp\_MEI26202\api-ms-win-core-memory-l1-1-0.dll

MD5 064fb2e1b5e90796a68d1edf91269ad3
SHA1 6e3a8c568f038879b7b102975a4471b2489f5493
SHA256 3500935e638f7d0ae2bf564bf77f9329811329261185fcdb9cd702b999889ffd
SHA512 821f091529d45531811a73664473cebb372a310d855e1a4c1a028ad4dc7d36146d3030dcf10de8a4a4bf16fb535fe3d0d2e1fcd22959690842388abb177b0036

C:\Users\Admin\AppData\Local\Temp\_MEI26202\api-ms-win-core-localization-l1-2-0.dll

MD5 3589557535bba7641da3d76eefb0c73d
SHA1 6f63107c2212300c7cd1573059c08b43e5bd9b95
SHA256 642b01bb93d2cb529acf56070d65aae3202fd0b48d19fd40ec6763b627bcbee6
SHA512 7aedf3cf686b416f8b419f8af1d57675096ab2c2378c5a006f6ecbf2fe1ad701f28b7be8f08c9083230cf4d15d463371e92a6032178cd6c139d60b26fbd49b06

C:\Users\Admin\AppData\Local\Temp\_MEI26202\api-ms-win-core-libraryloader-l1-1-0.dll

MD5 d042aa497ce2a9f03296f8de68ed0680
SHA1 f483a343a18b960630ccf0e6de2f82883550f3bf
SHA256 de3d2c5519f74a982f06f3f3fda085571c0cdcf5ad8d2d331c79d9c92062bdc3
SHA512 4e157c8701860982ce0dec956fe4bfb684d2db3eaa9e784f179d385be905fd0551ba90cc27c54179fc39a693d9c742364f2bf1a5444424ba5eae38103b5f0e02

C:\Users\Admin\AppData\Local\Temp\_MEI26202\api-ms-win-core-interlocked-l1-1-0.dll

MD5 5872cb5ca3980697283aab9007196ae6
SHA1 26e8de47d9bee371f6c7a47f206a131965b6b481
SHA256 0dff50774693fcb71782b5e214419032a8c00b3031151d93be5c971b6f62cd45
SHA512 9b3e2fa9f66d29bfc7a4ca5d673b395bcda223a85fd06c94a11217047c1a312148c9c6270d7f69dfef06b25f8b5ad46717a829bde55f540c804a4ba4c4af070c

C:\Users\Admin\AppData\Local\Temp\_MEI26202\api-ms-win-core-heap-l1-1-0.dll

MD5 a8b967b65232ecce7261eaecf39e7d6d
SHA1 df0792b29c19d46a93291c88a497151a0ba4366d
SHA256 8fcc9a97a8ad3be9a8d0ce6bb502284dd145ebbe587b42cdeaa4262279517c1d
SHA512 b8116208eb646ec1c103f78c768c848eb9d8d7202ebdab4acb58686e6f0706f0d6aaa884e11065d7ece63ebbd452f35b1422bd79e6eb2405fb1892758195ccbb

C:\Users\Admin\AppData\Local\Temp\_MEI26202\api-ms-win-core-handle-l1-1-0.dll

MD5 567ff20a8d330cbb3278d3360c8d56f5
SHA1 cdf0cfc650da3a1b57dc3ef982a317d37ffb974d
SHA256 47dfbe1ecc8abc002bd52dcd5281ed7378d457789be4cb1e9bee369150d7f5c8
SHA512 1643e900f13509f0ef9c7b7f8f2401fb3b6f2c0c39b512c623615df92b1e69df042ef1a0c6aace82173ce5d4d3c672c1636d6ee05545ce5c3b7374ab745e0e87

C:\Users\Admin\AppData\Local\Temp\_MEI26202\api-ms-win-core-file-l2-1-0.dll

MD5 bfffa7117fd9b1622c66d949bac3f1d7
SHA1 402b7b8f8dcfd321b1d12fc85a1ee5137a5569b2
SHA256 1ea267a2e6284f17dd548c6f2285e19f7edb15d6e737a55391140ce5cb95225e
SHA512 b319cc7b436b1be165cdf6ffcab8a87fe29de78f7e0b14c8f562be160481fb5483289bd5956fdc1d8660da7a3f86d8eede35c6cc2b7c3d4c852decf4b2dcdb7f

C:\Users\Admin\AppData\Local\Temp\_MEI26202\api-ms-win-core-file-l1-2-0.dll

MD5 2b36752a5157359da1c0e646ee9bec45
SHA1 708aeb7e945c9c709109cea359cb31bd7ac64889
SHA256 3e3eb284937b572d1d70ce27be77b5e02eb73704c8b50feb5eb933db1facd2fc
SHA512 fc56080362506e3f38f1b3eb9d3193cdb9e576613c2e672f0fe9df203862f8a0f31938fa48b4ff7115dfe6016fa1fd5c5422fdc1913df63b3fde5f478a8417a1

C:\Users\Admin\AppData\Local\Temp\_MEI26202\api-ms-win-core-file-l1-1-0.dll

MD5 abf9850eb219be4976a94144a9eba057
SHA1 3d8c37588b36296240934b2f63a1b135a52fcee2
SHA256 41c5c577fea3ce13d5beb64ce0920f1061f65bcf39eafa8cd3dfc09ff48bcf76
SHA512 dfaafb43ce7f05b2db35eac10b314fb506c6aada80f6c4327b09ec33c170478ebd0eea19f1c6ca2e4832bfa41f769046deca8f15d54b7966134d166ee6036bda

C:\Users\Admin\AppData\Local\Temp\_MEI26202\api-ms-win-core-errorhandling-l1-1-0.dll

MD5 98340ffd2b1d8affef27d4b1260aeac5
SHA1 b428b39aa814a7038a1ddff9b64b935f51833a26
SHA256 7388a019922e9a0a3d05a8605a5307e3141b39f7d57b7faca5d34e72adfd5fa5
SHA512 6165c5be0360d55403e9dfd4e9df4ff9a12e5fb6057ed9278da09e688751487e46d9dd64949375c00764cbb4355cc13a1ea714055050f2ab7d432977b8443f81

C:\Users\Admin\AppData\Local\Temp\_MEI26202\api-ms-win-core-debug-l1-1-0.dll

MD5 a00ebd3cf88d668be6d62a25fa4fb525
SHA1 edb07eafd08991611389293e2be80f8ee98f1e62
SHA256 b44646453584305d4edf8ab5f5d1adea6b9650bd2b75f8486fc275be52b86433
SHA512 d63f0e9f2e079ee06aa3ab96a0bd2d169564896027b731ee2597327bdc55456c5fd0c2d8c7e68165fc80bbc3fe0c24a3388d4c3615f33fc9f9fc0b205ae9ba7a

C:\Users\Admin\AppData\Local\Temp\_MEI26202\api-ms-win-core-datetime-l1-1-0.dll

MD5 3095c9577395249e105410bdcc585f77
SHA1 7dfc0c81f8f28cbf36c5acdb83523569b430b944
SHA256 c08be448195f46c4b423d0ce0c2cdc343e842ff1f91b16a8d3c09d5152150917
SHA512 555568fc23ade238bcc13a447520d395546def4409a002d795dd3abea03b15321491bc63c97f4ed8eb78aa411a0b1267dce5c528e51dcac8ca9e93b8f5265786

C:\Users\Admin\AppData\Local\Temp\_MEI26202\api-ms-win-core-console-l1-1-0.dll

MD5 a148dc22ea14cd5578de22b2dfb0917f
SHA1 eaccb66f62e5b6d7154798e596eabd3cef00b982
SHA256 7603e172853a9711fbdc53b080432ad12984b463768dbc3aa842a26f5b26ae23
SHA512 4e3c927692fc41889b596273aea8bbd776cf7644dae26c411c12bda23cd3299a5c9adc06a930294310f002de74592a244767378fc9e37ec76e86bfa23f4c0478

C:\Users\Admin\AppData\Local\Temp\_MEI26202\base_library.zip

MD5 c4989bceb9e7e83078812c9532baeea7
SHA1 aafb66ebdb5edc327d7cb6632eb80742be1ad2eb
SHA256 a0f5c7f0bac1ea9dc86d60d20f903cc42cff3f21737426d69d47909fc28b6dcd
SHA512 fb6d431d0f2c8543af8df242337797f981d108755712ec6c134d451aa777d377df085b4046970cc5ac0991922ddf1f37445a51be1a63ef46b0d80841222fb671

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 34d22039bc7833a3a27231b8eb834f70
SHA1 79c4290a2894b0e973d3c4b297fad74ef45607bb
SHA256 402defe561006133623c2a4791b2baf90b92d5708151c2bcac6d02d2771cd3d6
SHA512 c69ee22d8c52a61e59969aa757d58ab4f32492854fc7116975efc7c6174f5d998cc236bbf15bce330d81e39a026b18e29683b6d69c93d21fea6d14e21460a0a7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 046d49efac191159051a8b2dea884f79
SHA1 d0cf8dc3bc6a23bf2395940cefcaad1565234a3a
SHA256 00dfb1705076450a45319666801a3a7032fc672675343434cb3d68baccb8e1f7
SHA512 46961e0f0e4d7f82b4417e4aac4434e86f2130e92b492b53a194255bd3bba0855069524cd645f910754d4d2dbf3f1dc467bcc997f01dc6b1d8d6028e2d957236

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 7b37178971baab609f38aec468b495d5
SHA1 356e5a7e6439c791336b4d34d8c99573ad902949
SHA256 e2ed27c259e5cb2f49071d7c6f968fd103fd34a84e5920c1fc0462e43f3fb84d
SHA512 3350c272e4dd1451f24037e36f2da41bceb6481ac5cc3af5225a21d401d929a4d07cc3efeb989d6b8bf4ffcb5aef652b9ff5c94eb0e0142ed55fa19be46aa091

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme

MD5 a7fafa5fa4fe322cf78aa5ebaac2db80
SHA1 ce74092ce6341c01fec7e6b3d38c651aacbe84ea
SHA256 a7f5ec6c5670555049ce3a233e86489d83ab21fc6b9bdb71087bc16794d03bef
SHA512 5f4f71e69e1b9d68d271555dbcabce4a1b9abb0b97c0aeadb19bd8b7d56ff63e44c51493f580b422d351233f5710b3e98673711654712c443cbff54777deab51

C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme

MD5 95459a2555eab50b65709e979222860f
SHA1 d51f9be442ef289e66e11ec1cc61b5e748ba88cc
SHA256 39891e748766fc9b05e16e715cd7d70cf7af5a5fbe6d27e8430bff5e77f3e515
SHA512 4a4691bc484eb043e68bcf9324333440ba150eed1b48c1e60cce211001076a88452900ff7dc530afd8c4bd3d69ab961ae9ff919a133491e1f961ef15080f232d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 a6c65b7672e72633ba216cd0f2d842df
SHA1 884c1f5fcfb491dcc7bfca904735172415b7bea3
SHA256 be393a821c503354953670ed89288642f7fba705ea24dc3575c2e613a48db914
SHA512 b3fae9b7c1c975655d59d289b5fdba9a166708a032d0c0ff7afff592e00420b90d3d0817ded8cbd19184679070498b04a32daad9dd7ce202df04e59db50ef5a4

C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme

MD5 3a2e53928f4396f703b9330ef4375a4a
SHA1 8477199230a08befead00bf2d75e8eafeb7db5c0
SHA256 6c468e3da4fcc1a408fd2c70bcfa7d3d59fbafa0a72fa977c05758c39ffae574
SHA512 4fbe5fe97eb35ce3e7b8b16d46f6fe594d113088911935aac87f6940cc291e8d332533d094b760ba0944f42f9ec13a97dd5023bd9582d94bb117d662d2be2b83

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 8b36a64d4e12c3a1690231c0076d0231
SHA1 4379191519cef37fe7d7460de4d7f5e1550f4d23
SHA256 a6d2406a217ed527d887a69a2fe2db193127b587eb7b19163ecb070f9b233ed9
SHA512 f88ff299eb07512d24d7b4b6d34ae77967c47063b39faf58817c819da16bda3b28669a1953daa6db6dd671e968be7348a3c8e1a865c9d99950b0a2176b36a6df

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 c07e489992c3716774eff75e2b3d62cb
SHA1 7f44c7ec3ac38561b0fbcdb08068f0ac0dfa5592
SHA256 09cae54ef18a56aa2d4f83da63bb6b01890e426c1c27e86fdeee6ef4483354e8
SHA512 2e49f494f9540b5ca9906dbf14290808942177422a66930ebd9664ad699c3ef1177e2948252ecd213773853e55ee70e52398c5f0de4f954e60a7d274a08ca355