fabd429204db75e2ff9fe7fae5dc981b8c392be42a936273c99dcc41eeb0730d

Analysis

max time kernel
1799s
max time network
1328s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
25/07/2024, 16:13

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

WinaeroTweaker-1.63.0.0-setup.exe
Size

5.7MB
MD5

df244a4909ab521e04df2306c026fc27
SHA1

2282c628e8191ced198c2aa21a623a2eda6e0431
SHA256

fabd429204db75e2ff9fe7fae5dc981b8c392be42a936273c99dcc41eeb0730d
SHA512

6609d199ffab65e84fa2f11d36c336465a79b3430f16305e57b46c07edcafac239c16f8bd76e5f08318d76fa294024017f9be21dad16145571727c550f37f279
SSDEEP

98304:nkLSlahKN+zztgHtfsTwFFF8yIn7t5J7BZAI6GzilpVSZpi8XiSzmItNUiTknrrv:c9hQS2HKik/tfgP+YutiSzmILUiTU6y7

Score

7^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	WinaeroTweaker-1.63.0.0-setup.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	WinaeroTweaker-1.63.0.0-setup.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	WinaeroTweaker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	WinaeroTweaker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	WinaeroTweaker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	WinaeroTweaker.exe

Executes dropped EXE 64 IoCs

pid	Process
4352	WinaeroTweaker-1.63.0.0-setup.tmp
4864	WinaeroTweaker-1.63.0.0-setup.tmp
1564	WinaeroTweaker.exe
3008	WinaeroTweaker.exe
4016	WinaeroTweakerHelper.exe
4496	Elevator.exe
2844	Elevator.exe
2324	Elevator.exe
4452	Elevator.exe
4808	Elevator.exe
2524	Elevator.exe
4916	Elevator.exe
3436	Elevator.exe
4836	Elevator.exe
1664	Elevator.exe
4384	Elevator.exe
4864	Elevator.exe
4104	Elevator.exe
2876	Elevator.exe
4108	Elevator.exe
2156	Elevator.exe
704	Elevator.exe
2384	Elevator.exe
4620	Elevator.exe
244	Elevator.exe
3272	Elevator.exe
2840	Elevator.exe
1480	Elevator.exe
3264	Elevator.exe
3108	Elevator.exe
1516	Elevator.exe
632	Elevator.exe
2756	Elevator.exe
3816	Elevator.exe
1784	Elevator.exe
228	Elevator.exe
1292	Elevator.exe
952	Elevator.exe
4916	Elevator.exe
1412	Elevator.exe
1772	Elevator.exe
2828	Elevator.exe
1664	Elevator.exe
3104	Elevator.exe
3860	Elevator.exe
1504	Elevator.exe
3680	Elevator.exe
3496	Elevator.exe
4868	Elevator.exe
1088	Elevator.exe
5076	Elevator.exe
3120	Elevator.exe
2712	Elevator.exe
2068	Elevator.exe
4796	Elevator.exe
3628	Elevator.exe
2888	Elevator.exe
3436	Elevator.exe
4624	Elevator.exe
2164	WinaeroTweaker.exe
3352	WinaeroTweaker.exe
3648	WinaeroTweakerHelper.exe
4796	Elevator.exe
244	Elevator.exe

Loads dropped DLL 2 IoCs

pid	Process
4352	WinaeroTweaker-1.63.0.0-setup.tmp
4864	WinaeroTweaker-1.63.0.0-setup.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_custom_stream.db	Taskmgr.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\D3DSCache	Taskmgr.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\D3DSCache\ecbf0d5a3a180bb\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx	Taskmgr.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\ExplorerStartupLog.etl	explorer.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db	Taskmgr.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db	Taskmgr.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1920.db	Taskmgr.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide.db	Taskmgr.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db	Taskmgr.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1280.db	Taskmgr.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_sr.db	Taskmgr.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide_alternate.db	Taskmgr.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\D3DSCache\ecbf0d5a3a180bb\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val	Taskmgr.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db	Taskmgr.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_96.db	Taskmgr.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_768.db	Taskmgr.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_2560.db	Taskmgr.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Elevator.exe.log	Elevator.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_256.db	Taskmgr.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_exif.db	Taskmgr.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\D3DSCache\ecbf0d5a3a180bb\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock	Taskmgr.exe

Drops file in Program Files directory 23 IoCs

description	ioc	Process
File created	C:\Program Files\Winaero Tweaker\is-VUMHL.tmp	WinaeroTweaker-1.63.0.0-setup.tmp
File created	C:\Program Files\Winaero Tweaker\is-790PI.tmp	WinaeroTweaker-1.63.0.0-setup.tmp
File opened for modification	C:\Program Files\Winaero Tweaker\unins000.dat	WinaeroTweaker-1.63.0.0-setup.tmp
File opened for modification	C:\Program Files\Crashpad\settings.dat	setup.exe
File opened for modification	C:\Program Files\Winaero Tweaker\WinaeroTweakerHelper.exe	WinaeroTweaker-1.63.0.0-setup.tmp
File created	C:\Program Files\Winaero Tweaker\is-VI8TO.tmp	WinaeroTweaker-1.63.0.0-setup.tmp
File created	C:\Program Files\Winaero Tweaker\is-KAJU3.tmp	WinaeroTweaker-1.63.0.0-setup.tmp
File created	C:\Program Files\Winaero Tweaker\is-KLURV.tmp	WinaeroTweaker-1.63.0.0-setup.tmp
File created	C:\Program Files\Winaero Tweaker\is-G9U9U.tmp	WinaeroTweaker-1.63.0.0-setup.tmp
File opened for modification	C:\Program Files\Winaero Tweaker\WinaeroTweaker_i386.dll	WinaeroTweaker-1.63.0.0-setup.tmp
File opened for modification	C:\Program Files\Winaero Tweaker\WinaeroTweaker.exe	WinaeroTweaker-1.63.0.0-setup.tmp
File opened for modification	C:\Program Files\Winaero Tweaker\WinaeroTweaker_x86_64.dll	WinaeroTweaker-1.63.0.0-setup.tmp
File created	C:\Program Files\Winaero Tweaker\is-OG2IO.tmp	WinaeroTweaker-1.63.0.0-setup.tmp
File created	C:\Program Files\Winaero Tweaker\is-VG0B9.tmp	WinaeroTweaker-1.63.0.0-setup.tmp
File created	C:\Program Files\Winaero Tweaker\is-CNQRB.tmp	WinaeroTweaker-1.63.0.0-setup.tmp
File created	C:\Program Files\Winaero Tweaker\is-IE1K9.tmp	WinaeroTweaker-1.63.0.0-setup.tmp
File opened for modification	C:\Program Files\Crashpad\metadata	setup.exe
File opened for modification	C:\Program Files\Winaero Tweaker\WinaeroControls.dll	WinaeroTweaker-1.63.0.0-setup.tmp
File opened for modification	C:\Program Files\Winaero Tweaker\no_tab_explorer.exe	WinaeroTweaker-1.63.0.0-setup.tmp
File created	C:\Program Files\Winaero Tweaker\is-75G3Q.tmp	WinaeroTweaker-1.63.0.0-setup.tmp
File opened for modification	C:\Program Files\Winaero Tweaker\Elevator.exe	WinaeroTweaker-1.63.0.0-setup.tmp
File created	C:\Program Files\Winaero Tweaker\unins000.dat	WinaeroTweaker-1.63.0.0-setup.tmp
File created	C:\Program Files\Winaero Tweaker\is-IOS06.tmp	WinaeroTweaker-1.63.0.0-setup.tmp

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinaeroTweakerHelper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinaeroTweaker-1.63.0.0-setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinaeroTweakerHelper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinaeroTweaker-1.63.0.0-setup.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinaeroTweaker-1.63.0.0-setup.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinaeroTweaker-1.63.0.0-setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Checks SCSI registry key(s) 3 TTPs 9 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	Taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	Taskmgr.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WinaeroTweaker.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	explorer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	WinaeroTweaker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WinaeroTweaker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	WinaeroTweaker.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 6 IoCs

evasion

pid	Process
1508	taskkill.exe
5012	taskkill.exe
2176	taskkill.exe
4480	taskkill.exe
4028	taskkill.exe
2632	taskkill.exe

Modifies data under HKEY_USERS 51 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowCompColor = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133663982357173502"	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	Elevator.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden = "2"	explorer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	Elevator.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowInfoTip = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\WebView = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	Elevator.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	Elevator.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\StartupFolder	Taskmgr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\TaskManager\Preferences = 0d00000060000000600000009c0000009c0000001702000010020000000000000000008000000080d8010080df0100800001000194000000260000003c0300007e020000e80300000000000000000000000000000f000000010000000000000068aa1c21f67f0000000000000000000000000000ea0000001e0000008990000000000000ff00000001015002000000000d00000000000000a8aa1c21f67f00000000000000000000ffffffff960000001e0000008b900000010000000000000000101001000000000300000000000000c0aa1c21f67f00000000000000000000ffffffff780000001e0000008c900000020000000000000001021200000000000400000000000000d8aa1c21f67f00000000000000000000ffffffff960000001e0000008d900000030000000000000000011001000000000200000000000000f8aa1c21f67f00000000000000000000ffffffff320000001e0000008a90000004000000000000000008200100000000050000000000000010ab1c21f67f00000000000000000000ffffffffc80000001e0000008e90000005000000000000000001100100000000060000000000000038ab1c21f67f00000000000000000000ffffffff040100001e0000008f90000006000000000000000001100100000000070000000000000060ab1c21f67f00000000000000000000ffffffff49000000490000009090000007000000000000000004250000000000080000000000000090aa1c21f67f00000000000000000000ffffffff49000000490000009190000008000000000000000004250000000000090000000000000080ab1c21f67f00000000000000000000ffffffff490000004900000092900000090000000000000000042508000000000a0000000000000098ab1c21f67f00000000000000000000ffffffff4900000049000000939000000a0000000000000000042508000000000b00000000000000b8ab1c21f67f00000000000000000000ffffffff490000004900000039a000000b0000000000000000042509000000001c00000000000000d8ab1c21f67f00000000000000000000ffffffffc8000000490000003aa000000c0000000000000000011009000000001d0000000000000000ac1c21f67f00000000000000000000ffffffff64000000490000004ca000000d0000000000000000021508000000001e0000000000000020ac1c21f67f00000000000000000000ffffffff64000000490000004da000000e000000000000000002150800000000030000000a000000010000000000000068aa1c21f67f0000000000000000000000000000d7000000000000008990000000000000ff00000001015002000000000400000000000000d8aa1c21f67f000000000000000000000100000096000000000000008d900000010000000000000001011000000000000300000000000000c0aa1c21f67f00000000000000000000ffffffff64000000000000008c900000020000000000000000021000000000000c0000000000000050ac1c21f67f0000000000000000000003000000640000000000000094900000030000000000000001021000000000000d0000000000000078ac1c21f67f00000000000000000000ffffffff640000000000000095900000040000000000000000011001000000000e00000000000000a0ac1c21f67f0000000000000000000005000000320000000000000096900000050000000000000001042001000000000f00000000000000c8ac1c21f67f0000000000000000000006000000320000000000000097900000060000000000000001042001000000001000000000000000e8ac1c21f67f000000000000000000000700000046000000000000009890000007000000000000000101100100000000110000000000000008ad1c21f67f00000000000000000000ffffffff64000000000000009990000008000000000000000001100100000000060000000000000038ab1c21f67f000000000000000000000900000004010000000000008f9000000900000000000000010110010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000040000000b000000010000000000000068aa1c21f67f0000000000000000000000000000d7000000000000009e90000000000000ff0000000101500200000000120000000000000030ad1c21f67f00000000000000000000ffffffff2d000000000000009b90000001000000000000000004200100000000140000000000000050ad1c21f67f00000000000000000000ffffffff64000000000000009d90000002000000000000000001100100000000130000000000000078ad1c21f67f00000000000000000000ffffffff64000000000000009c900000030000000000000000011001000000000300000000000000c0aa1c21f67f00000000000000000000ffffffff64000000000000008c90000004000000000000000102100000000000070000000000000060ab1c21f67f000000000000000000000500000049000000490000009090000005000000000000000104210000000000080000000000000090aa1c21f67f000000000000000000000600000049000000490000009190000006000000000000000104210000000000090000000000000080ab1c21f67f0000000000000000000007000000490000004900000092900000070000000000000001042108000000000a0000000000000098ab1c21f67f0000000000000000000008000000490000004900000093900000080000000000000001042108000000000b00000000000000b8ab1c21f67f0000000000000000000009000000490000004900000039a00000090000000000000001042109000000001c00000000000000d8ab1c21f67f000000000000000000000a00000064000000000000003aa000000a00000000000000000110090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000200000008000000010000000000000068aa1c21f67f0000000000000000000000000000c600000000000000b090000000000000ff0000000101500200000000150000000000000098ad1c21f67f00000000000000000000ffffffff6b00000000000000b1900000010000000000000000042500000000001600000000000000c8ad1c21f67f00000000000000000000ffffffff6b00000000000000b2900000020000000000000000042500000000001800000000000000f0ad1c21f67f00000000000000000000ffffffff6b00000000000000b490000003000000000000000004250000000000170000000000000018ae1c21f67f00000000000000000000ffffffff6b00000000000000b390000004000000000000000004250000000000190000000000000050ae1c21f67f00000000000000000000ffffffffa000000000000000b5900000050000000000000000042001000000001a0000000000000080ae1c21f67f00000000000000000000ffffffff7d00000000000000b6900000060000000000000000042001000000001b00000000000000b0ae1c21f67f00000000000000000000ffffffff7d00000000000000b790000007000000000000000004200100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000da000000000000000000000000000000000000009d200000200000006400000064000000320000005000000050000000320000003200000028000000500000003c000000500000005000000032000000500000005000000050000000500000005000000050000000500000002800000050000000230000002300000023000000230000005000000050000000500000003200000032000000320000007800000078000000500000003c0000005000000050000000780000003200000078000000780000003200000050000000500000005000000050000000c8000000000000000100000002000000030000000400000005000000060000000700000008000000090000000a0000000b0000000c0000000d0000000e0000000f000000100000001100000012000000130000001400000015000000160000001700000018000000190000001a0000001b0000001c0000001d0000001e0000001f000000200000002100000022000000230000002400000025000000260000002700000028000000290000002a0000002b0000002c0000002d0000002e0000002f00000000000000000000001f00000000000000640000003200000078000000500000005000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100000002000000030000000400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000000000000000000	Taskmgr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	Elevator.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Filter = "0"	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\TaskManager	Taskmgr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	Elevator.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\SeparateProcess = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\DontPrettyPath = "0"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	explorer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\ExplorerStartupTraceRecorded = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-18_Classes\Local Settings	explorer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	Elevator.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	Elevator.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	explorer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\TelemetrySalt = "5"	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState = 240000003428000000000000000000000000000001000000130000000000000062000000	explorer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowStatusBar = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\AutoCheckSelect = "0"	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	Elevator.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{470C0EBD-5D73-4D58-9CED-E91E22E23282} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000ca47cf8fb0deda01	explorer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	Elevator.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{4234D49B-0245-4DF3-B780-3893943456E1} {000214E6-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000ca41ae7fafdeda01	Taskmgr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	Elevator.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{474C98EE-CF3D-41F5-80E3-4AAB0AB04301} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000ca47cf8fb0deda01	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run	Taskmgr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{23170F69-40C1-278A-1000-000100020000} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000f3a9d18fb0deda01	explorer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	Elevator.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideIcons = "0"	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	explorer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\IconsOnly = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowTypeOverlay = "1"	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	Taskmgr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\TaskManager\Preferences = 0d00000060000000600000009c0000009c0000001702000010020000010000000000008000000080d8010080df010080000100010000008000000080a802008058020080e80300000000000000000000000000000f000000010000000000000068aa1c21f67f0000000000000000000000000000ea000000000000008990000000000000ff00000001015002000000000d00000000000000a8aa1c21f67f00000000000000000000ffffffff96000000000000008b900000010000000000000000101001000000000300000000000000c0aa1c21f67f00000000000000000000ffffffff78000000000000008c900000020000000000000001021200000000000400000000000000d8aa1c21f67f00000000000000000000ffffffff96000000000000008d900000030000000000000000011001000000000200000000000000f8aa1c21f67f00000000000000000000ffffffff32000000000000008a90000004000000000000000008200100000000050000000000000010ab1c21f67f00000000000000000000ffffffffc8000000000000008e90000005000000000000000001100100000000060000000000000038ab1c21f67f00000000000000000000ffffffff04010000000000008f90000006000000000000000001100100000000070000000000000060ab1c21f67f00000000000000000000ffffffff49000000490000009090000007000000000000000004250000000000080000000000000090aa1c21f67f00000000000000000000ffffffff49000000490000009190000008000000000000000004250000000000090000000000000080ab1c21f67f00000000000000000000ffffffff490000004900000092900000090000000000000000042508000000000a0000000000000098ab1c21f67f00000000000000000000ffffffff4900000049000000939000000a0000000000000000042508000000000b00000000000000b8ab1c21f67f00000000000000000000ffffffff490000004900000039a000000b0000000000000000042509000000001c00000000000000d8ab1c21f67f00000000000000000000ffffffffc8000000000000003aa000000c0000000000000000011009000000001d0000000000000000ac1c21f67f00000000000000000000ffffffff64000000000000004ca000000d0000000000000000021508000000001e0000000000000020ac1c21f67f00000000000000000000ffffffff64000000000000004da000000e000000000000000002150800000000030000000a000000010000000000000068aa1c21f67f0000000000000000000000000000d7000000000000008990000000000000ff00000001015002000000000400000000000000d8aa1c21f67f000000000000000000000100000096000000000000008d900000010000000000000001011000000000000300000000000000c0aa1c21f67f00000000000000000000ffffffff64000000000000008c900000020000000000000000021000000000000c0000000000000050ac1c21f67f0000000000000000000003000000640000000000000094900000030000000000000001021000000000000d0000000000000078ac1c21f67f00000000000000000000ffffffff640000000000000095900000040000000000000000011001000000000e00000000000000a0ac1c21f67f0000000000000000000005000000320000000000000096900000050000000000000001042001000000000f00000000000000c8ac1c21f67f0000000000000000000006000000320000000000000097900000060000000000000001042001000000001000000000000000e8ac1c21f67f000000000000000000000700000046000000000000009890000007000000000000000101100100000000110000000000000008ad1c21f67f00000000000000000000ffffffff64000000000000009990000008000000000000000001100100000000060000000000000038ab1c21f67f000000000000000000000900000004010000000000008f9000000900000000000000010110010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000040000000b000000010000000000000068aa1c21f67f0000000000000000000000000000d7000000000000009e90000000000000ff0000000101500200000000120000000000000030ad1c21f67f00000000000000000000ffffffff2d000000000000009b90000001000000000000000004200100000000140000000000000050ad1c21f67f00000000000000000000ffffffff64000000000000009d90000002000000000000000001100100000000130000000000000078ad1c21f67f00000000000000000000ffffffff64000000000000009c900000030000000000000000011001000000000300000000000000c0aa1c21f67f00000000000000000000ffffffff64000000000000008c90000004000000000000000102100000000000070000000000000060ab1c21f67f000000000000000000000500000049000000490000009090000005000000000000000104210000000000080000000000000090aa1c21f67f000000000000000000000600000049000000490000009190000006000000000000000104210000000000090000000000000080ab1c21f67f0000000000000000000007000000490000004900000092900000070000000000000001042108000000000a0000000000000098ab1c21f67f0000000000000000000008000000490000004900000093900000080000000000000001042108000000000b00000000000000b8ab1c21f67f0000000000000000000009000000490000004900000039a00000090000000000000001042109000000001c00000000000000d8ab1c21f67f000000000000000000000a00000064000000000000003aa000000a00000000000000000110090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000200000008000000010000000000000068aa1c21f67f0000000000000000000000000000c600000000000000b090000000000000ff0000000101500200000000150000000000000098ad1c21f67f00000000000000000000ffffffff6b00000000000000b1900000010000000000000000042500000000001600000000000000c8ad1c21f67f00000000000000000000ffffffff6b00000000000000b2900000020000000000000000042500000000001800000000000000f0ad1c21f67f00000000000000000000ffffffff6b00000000000000b490000003000000000000000004250000000000170000000000000018ae1c21f67f00000000000000000000ffffffff6b00000000000000b390000004000000000000000004250000000000190000000000000050ae1c21f67f00000000000000000000ffffffffa000000000000000b5900000050000000000000000042001000000001a0000000000000080ae1c21f67f00000000000000000000ffffffff7d00000000000000b6900000060000000000000000042001000000001b00000000000000b0ae1c21f67f00000000000000000000ffffffff7d00000000000000b790000007000000000000000004200100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000da000000000000000000000000000000000000009d200000200000006400000064000000320000005000000050000000320000003200000028000000500000003c000000500000005000000032000000500000005000000050000000500000005000000050000000500000002800000050000000230000002300000023000000230000005000000050000000500000003200000032000000320000007800000078000000500000003c0000005000000050000000780000003200000078000000780000003200000050000000500000005000000050000000c8000000000000000100000002000000030000000400000005000000060000000700000008000000090000000a0000000b0000000c0000000d0000000e0000000f000000100000001100000012000000130000001400000015000000160000001700000018000000190000001a0000001b0000001c0000001d0000001e0000001f000000200000002100000022000000230000002400000025000000260000002700000028000000290000002a0000002b0000002c0000002d0000002e0000002f00000000000000000000001f00000000000000640000003200000078000000500000005000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100000002000000030000000400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000000010000000000	Taskmgr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved	Taskmgr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	Elevator.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	Elevator.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	Elevator.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{11DBB47C-A525-400B-9E80-A54615A090C0} {7F9185B0-CB92-43C5-80A9-92277A4F7B54} 0xFFFF = 0100000000000000eb6ed68fb0deda01	explorer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\MapNetDrvBtn = "0"	explorer.exe

Modifies registry class 39 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\MRUListEx = ffffffff	WinaeroTweaker.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	WinaeroTweaker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	WinaeroTweaker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	WinaeroTweaker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	WinaeroTweaker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	WinaeroTweaker.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1	WinaeroTweaker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0 = 8c00310000000000f9583383110050524f4752417e310000740009000400efbe874fdb49f95833832e0000003f0000000000010000000000000000004a00000000002baf0401500072006f006700720061006d002000460069006c0065007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370038003100000018000000	WinaeroTweaker.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	WinaeroTweaker.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	WinaeroTweaker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	WinaeroTweaker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	WinaeroTweaker.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	WinaeroTweaker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	WinaeroTweaker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	WinaeroTweaker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	WinaeroTweaker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	WinaeroTweaker.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	WinaeroTweaker.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	WinaeroTweaker.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	WinaeroTweaker.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0	WinaeroTweaker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0 = 6800310000000000f9583383100057494e4145527e310000500009000400efbef9583383f95833832e000000a8e30100000006000000000000000000000000000000de9dd200570069006e006100650072006f00200054007700650061006b0065007200000018000000	WinaeroTweaker.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0	WinaeroTweaker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	WinaeroTweaker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\NodeSlot = "4"	WinaeroTweaker.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg	WinaeroTweaker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = 00000000ffffffff	WinaeroTweaker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	WinaeroTweaker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	WinaeroTweaker.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-701583114-2636601053-947405450-1000\{3F99F8BA-1C3D-4B86-A4A8-6A2BEB78F666}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0100000000000000ffffffff	WinaeroTweaker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\MRUListEx = 00000000ffffffff	WinaeroTweaker.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell	WinaeroTweaker.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	WinaeroTweaker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	WinaeroTweaker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 = 19002f433a5c000000000000000000000000000000000000000000	WinaeroTweaker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Generic"	WinaeroTweaker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	WinaeroTweaker.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 5 IoCs

pid	Process
2816	taskmgr.exe
3008	WinaeroTweaker.exe
1080	taskmgr.exe
3352	WinaeroTweaker.exe
3312	osk.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs

pid	Process
3328	chrome.exe
3328	chrome.exe
3328	chrome.exe
3328	chrome.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4028	taskkill.exe
Token: SeDebugPrivilege	4480	taskkill.exe
Token: SeDebugPrivilege	2816	taskmgr.exe
Token: SeSystemProfilePrivilege	2816	taskmgr.exe
Token: SeCreateGlobalPrivilege	2816	taskmgr.exe
Token: 33	2816	taskmgr.exe
Token: SeIncBasePriorityPrivilege	2816	taskmgr.exe
Token: SeShutdownPrivilege	3328	chrome.exe
Token: SeCreatePagefilePrivilege	3328	chrome.exe
Token: SeShutdownPrivilege	3328	chrome.exe
Token: SeCreatePagefilePrivilege	3328	chrome.exe
Token: SeShutdownPrivilege	3328	chrome.exe
Token: SeCreatePagefilePrivilege	3328	chrome.exe
Token: SeShutdownPrivilege	3328	chrome.exe
Token: SeCreatePagefilePrivilege	3328	chrome.exe
Token: SeShutdownPrivilege	3328	chrome.exe
Token: SeCreatePagefilePrivilege	3328	chrome.exe
Token: SeShutdownPrivilege	3328	chrome.exe
Token: SeCreatePagefilePrivilege	3328	chrome.exe
Token: SeShutdownPrivilege	3328	chrome.exe
Token: SeCreatePagefilePrivilege	3328	chrome.exe
Token: SeShutdownPrivilege	3328	chrome.exe
Token: SeCreatePagefilePrivilege	3328	chrome.exe
Token: SeShutdownPrivilege	3328	chrome.exe
Token: SeCreatePagefilePrivilege	3328	chrome.exe
Token: SeShutdownPrivilege	3328	chrome.exe
Token: SeCreatePagefilePrivilege	3328	chrome.exe
Token: SeShutdownPrivilege	3328	chrome.exe
Token: SeCreatePagefilePrivilege	3328	chrome.exe
Token: SeShutdownPrivilege	3328	chrome.exe
Token: SeCreatePagefilePrivilege	3328	chrome.exe
Token: SeShutdownPrivilege	3328	chrome.exe
Token: SeCreatePagefilePrivilege	3328	chrome.exe
Token: SeShutdownPrivilege	3328	chrome.exe
Token: SeCreatePagefilePrivilege	3328	chrome.exe
Token: SeShutdownPrivilege	3328	chrome.exe
Token: SeCreatePagefilePrivilege	3328	chrome.exe
Token: SeShutdownPrivilege	3328	chrome.exe
Token: SeCreatePagefilePrivilege	3328	chrome.exe
Token: SeShutdownPrivilege	3328	chrome.exe
Token: SeCreatePagefilePrivilege	3328	chrome.exe
Token: SeShutdownPrivilege	3328	chrome.exe
Token: SeCreatePagefilePrivilege	3328	chrome.exe
Token: SeShutdownPrivilege	3328	chrome.exe
Token: SeCreatePagefilePrivilege	3328	chrome.exe
Token: SeShutdownPrivilege	3328	chrome.exe
Token: SeCreatePagefilePrivilege	3328	chrome.exe
Token: SeShutdownPrivilege	3328	chrome.exe
Token: SeCreatePagefilePrivilege	3328	chrome.exe
Token: SeShutdownPrivilege	3328	chrome.exe
Token: SeCreatePagefilePrivilege	3328	chrome.exe
Token: SeShutdownPrivilege	3328	chrome.exe
Token: SeCreatePagefilePrivilege	3328	chrome.exe
Token: SeShutdownPrivilege	3328	chrome.exe
Token: SeCreatePagefilePrivilege	3328	chrome.exe
Token: SeShutdownPrivilege	3328	chrome.exe
Token: SeCreatePagefilePrivilege	3328	chrome.exe
Token: SeShutdownPrivilege	3328	chrome.exe
Token: SeCreatePagefilePrivilege	3328	chrome.exe
Token: SeShutdownPrivilege	3328	chrome.exe
Token: SeCreatePagefilePrivilege	3328	chrome.exe
Token: SeShutdownPrivilege	3328	chrome.exe
Token: SeCreatePagefilePrivilege	3328	chrome.exe
Token: SeShutdownPrivilege	3328	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
3008	WinaeroTweaker.exe
3312	osk.exe
3312	osk.exe
3312	osk.exe
3312	osk.exe
3312	osk.exe
3312	osk.exe
3312	osk.exe
3312	osk.exe
3312	osk.exe
3312	osk.exe
3312	osk.exe
3312	osk.exe
3312	osk.exe
3312	osk.exe
3312	osk.exe
3312	osk.exe
3312	osk.exe
3312	osk.exe
3312	osk.exe
3312	osk.exe
3312	osk.exe
3312	osk.exe
3312	osk.exe
3312	osk.exe
3312	osk.exe
3312	osk.exe
3312	osk.exe
3312	osk.exe
3312	osk.exe
3312	osk.exe
3312	osk.exe
3312	osk.exe
3312	osk.exe
3312	osk.exe
3312	osk.exe
3312	osk.exe
3312	osk.exe
3312	osk.exe
3312	osk.exe
3312	osk.exe
3312	osk.exe
3312	osk.exe
3312	osk.exe
3312	osk.exe
3312	osk.exe
3312	osk.exe
3312	osk.exe
3312	osk.exe
3312	osk.exe
3312	osk.exe
3312	osk.exe
3312	osk.exe
3312	osk.exe
3312	osk.exe
3312	osk.exe
3312	osk.exe
3312	osk.exe
3312	osk.exe
3312	osk.exe
3312	osk.exe
3312	osk.exe
3312	osk.exe
3312	osk.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1684 wrote to memory of 4352	1684	WinaeroTweaker-1.63.0.0-setup.exe	84
PID 1684 wrote to memory of 4352	1684	WinaeroTweaker-1.63.0.0-setup.exe	84
PID 1684 wrote to memory of 4352	1684	WinaeroTweaker-1.63.0.0-setup.exe	84
PID 4352 wrote to memory of 5072	4352	WinaeroTweaker-1.63.0.0-setup.tmp	87
PID 4352 wrote to memory of 5072	4352	WinaeroTweaker-1.63.0.0-setup.tmp	87
PID 4352 wrote to memory of 5072	4352	WinaeroTweaker-1.63.0.0-setup.tmp	87
PID 4352 wrote to memory of 2224	4352	WinaeroTweaker-1.63.0.0-setup.tmp	89
PID 4352 wrote to memory of 2224	4352	WinaeroTweaker-1.63.0.0-setup.tmp	89
PID 4352 wrote to memory of 2224	4352	WinaeroTweaker-1.63.0.0-setup.tmp	89
PID 2224 wrote to memory of 4028	2224	cmd.exe	91
PID 2224 wrote to memory of 4028	2224	cmd.exe	91
PID 2224 wrote to memory of 4028	2224	cmd.exe	91
PID 5072 wrote to memory of 4480	5072	cmd.exe	92
PID 5072 wrote to memory of 4480	5072	cmd.exe	92
PID 5072 wrote to memory of 4480	5072	cmd.exe	92
PID 3328 wrote to memory of 3824	3328	chrome.exe	134
PID 3328 wrote to memory of 3824	3328	chrome.exe	134
PID 3328 wrote to memory of 3856	3328	chrome.exe	135
PID 3328 wrote to memory of 3856	3328	chrome.exe	135
PID 3328 wrote to memory of 3856	3328	chrome.exe	135
PID 3328 wrote to memory of 3856	3328	chrome.exe	135
PID 3328 wrote to memory of 3856	3328	chrome.exe	135
PID 3328 wrote to memory of 3856	3328	chrome.exe	135
PID 3328 wrote to memory of 3856	3328	chrome.exe	135
PID 3328 wrote to memory of 3856	3328	chrome.exe	135
PID 3328 wrote to memory of 3856	3328	chrome.exe	135
PID 3328 wrote to memory of 3856	3328	chrome.exe	135
PID 3328 wrote to memory of 3856	3328	chrome.exe	135
PID 3328 wrote to memory of 3856	3328	chrome.exe	135
PID 3328 wrote to memory of 3856	3328	chrome.exe	135
PID 3328 wrote to memory of 3856	3328	chrome.exe	135
PID 3328 wrote to memory of 3856	3328	chrome.exe	135
PID 3328 wrote to memory of 3856	3328	chrome.exe	135
PID 3328 wrote to memory of 3856	3328	chrome.exe	135
PID 3328 wrote to memory of 3856	3328	chrome.exe	135
PID 3328 wrote to memory of 3856	3328	chrome.exe	135
PID 3328 wrote to memory of 3856	3328	chrome.exe	135
PID 3328 wrote to memory of 3856	3328	chrome.exe	135
PID 3328 wrote to memory of 3856	3328	chrome.exe	135
PID 3328 wrote to memory of 3856	3328	chrome.exe	135
PID 3328 wrote to memory of 3856	3328	chrome.exe	135
PID 3328 wrote to memory of 3856	3328	chrome.exe	135
PID 3328 wrote to memory of 3856	3328	chrome.exe	135
PID 3328 wrote to memory of 3856	3328	chrome.exe	135
PID 3328 wrote to memory of 3856	3328	chrome.exe	135
PID 3328 wrote to memory of 3856	3328	chrome.exe	135
PID 3328 wrote to memory of 3856	3328	chrome.exe	135
PID 3328 wrote to memory of 4572	3328	chrome.exe	136
PID 3328 wrote to memory of 4572	3328	chrome.exe	136
PID 3328 wrote to memory of 3956	3328	chrome.exe	137
PID 3328 wrote to memory of 3956	3328	chrome.exe	137
PID 3328 wrote to memory of 3956	3328	chrome.exe	137
PID 3328 wrote to memory of 3956	3328	chrome.exe	137
PID 3328 wrote to memory of 3956	3328	chrome.exe	137
PID 3328 wrote to memory of 3956	3328	chrome.exe	137
PID 3328 wrote to memory of 3956	3328	chrome.exe	137
PID 3328 wrote to memory of 3956	3328	chrome.exe	137
PID 3328 wrote to memory of 3956	3328	chrome.exe	137
PID 3328 wrote to memory of 3956	3328	chrome.exe	137
PID 3328 wrote to memory of 3956	3328	chrome.exe	137
PID 3328 wrote to memory of 3956	3328	chrome.exe	137
PID 3328 wrote to memory of 3956	3328	chrome.exe	137
PID 3328 wrote to memory of 3956	3328	chrome.exe	137
PID 3328 wrote to memory of 3956	3328	chrome.exe	137

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\WinaeroTweaker-1.63.0.0-setup.exe
"C:\Users\Admin\AppData\Local\Temp\WinaeroTweaker-1.63.0.0-setup.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Users\Admin\AppData\Local\Temp\is-1JB3O.tmp\WinaeroTweaker-1.63.0.0-setup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-1JB3O.tmp\WinaeroTweaker-1.63.0.0-setup.tmp" /SL5="$A007C,5100998,832000,C:\Users\Admin\AppData\Local\Temp\WinaeroTweaker-1.63.0.0-setup.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4352
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /im winaerotweaker.exe /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5072
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /im winaerotweaker.exe /f
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4480
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /im winaerotweakerhelper.exe /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2224
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /im winaerotweakerhelper.exe /f
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4028

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2816

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4080

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7fff82b4cc40,0x7fff82b4cc4c,0x7fff82b4cc58
  2⤵
  PID:3824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2012,i,4571140482494067471,10105462654929821545,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2008 /prefetch:2
  2⤵
  PID:3856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1948,i,4571140482494067471,10105462654929821545,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2044 /prefetch:3
  2⤵
  PID:4572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2180,i,4571140482494067471,10105462654929821545,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2612 /prefetch:8
  2⤵
  PID:3956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3164,i,4571140482494067471,10105462654929821545,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3176 /prefetch:1
  2⤵
  PID:1968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3436,i,4571140482494067471,10105462654929821545,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3432 /prefetch:1
  2⤵
  PID:3312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4568,i,4571140482494067471,10105462654929821545,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4608 /prefetch:1
  2⤵
  PID:3212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4808,i,4571140482494067471,10105462654929821545,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4764 /prefetch:8
  2⤵
  PID:2520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5000,i,4571140482494067471,10105462654929821545,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4968 /prefetch:8
  2⤵
  PID:1920
- C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  - Drops file in Program Files directory
  PID:1720
- - C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x284,0x288,0x28c,0x260,0x290,0x7ff6047b4698,0x7ff6047b46a4,0x7ff6047b46b0
    3⤵
    - Drops file in Program Files directory
    PID:516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5136,i,4571140482494067471,10105462654929821545,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4992 /prefetch:1
  2⤵
  PID:2876

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:3412

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3480

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:644

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:968

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:1636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fff8e3446f8,0x7fff8e344708,0x7fff8e344718
  2⤵
  PID:512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2184,4534540755877749573,2843835495919588085,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:2
  2⤵
  PID:3144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2184,4534540755877749573,2843835495919588085,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3
  2⤵
  PID:544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2184,4534540755877749573,2843835495919588085,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2884 /prefetch:8
  2⤵
  PID:4028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,4534540755877749573,2843835495919588085,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
  2⤵
  PID:4012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,4534540755877749573,2843835495919588085,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:4688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,4534540755877749573,2843835495919588085,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4084 /prefetch:1
  2⤵
  PID:640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,4534540755877749573,2843835495919588085,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4984 /prefetch:1
  2⤵
  PID:2180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,4534540755877749573,2843835495919588085,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5196 /prefetch:1
  2⤵
  PID:1556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,4534540755877749573,2843835495919588085,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4688 /prefetch:1
  2⤵
  PID:628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,4534540755877749573,2843835495919588085,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3460 /prefetch:1
  2⤵
  PID:2028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,4534540755877749573,2843835495919588085,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1
  2⤵
  PID:2724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2184,4534540755877749573,2843835495919588085,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5096 /prefetch:8
  2⤵
  PID:8
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2184,4534540755877749573,2843835495919588085,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5188 /prefetch:8
  2⤵
  - Modifies registry class
  PID:4020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,4534540755877749573,2843835495919588085,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1
  2⤵
  PID:1632
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2184,4534540755877749573,2843835495919588085,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5336 /prefetch:8
  2⤵
  PID:1444
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2184,4534540755877749573,2843835495919588085,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5336 /prefetch:8
  2⤵
  PID:3256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,4534540755877749573,2843835495919588085,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5812 /prefetch:1
  2⤵
  PID:4972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,4534540755877749573,2843835495919588085,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:1
  2⤵
  PID:2008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,4534540755877749573,2843835495919588085,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3620 /prefetch:1
  2⤵
  PID:3212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,4534540755877749573,2843835495919588085,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3624 /prefetch:1
  2⤵
  PID:4856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2184,4534540755877749573,2843835495919588085,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5612 /prefetch:8
  2⤵
  PID:1784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,4534540755877749573,2843835495919588085,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1
  2⤵
  PID:2040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2184,4534540755877749573,2843835495919588085,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6492 /prefetch:8
  2⤵
  PID:244

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4884

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5040

C:\Users\Admin\AppData\Local\Temp\Temp1_winaerotweaker.zip\WinaeroTweaker-1.63.0.0-setup.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_winaerotweaker.zip\WinaeroTweaker-1.63.0.0-setup.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:3396
- C:\Users\Admin\AppData\Local\Temp\is-7UMG1.tmp\WinaeroTweaker-1.63.0.0-setup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-7UMG1.tmp\WinaeroTweaker-1.63.0.0-setup.tmp" /SL5="$303FC,5100998,832000,C:\Users\Admin\AppData\Local\Temp\Temp1_winaerotweaker.zip\WinaeroTweaker-1.63.0.0-setup.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:4864
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /im winaerotweaker.exe /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3864
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /im winaerotweaker.exe /f
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:2632
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /im winaerotweakerhelper.exe /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4696
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /im winaerotweakerhelper.exe /f
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:1508
- - C:\Program Files\Winaero Tweaker\WinaeroTweaker.exe
    "C:\Program Files\Winaero Tweaker\WinaeroTweaker.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:1564
  - - C:\Program Files\Winaero Tweaker\WinaeroTweaker.exe
      "C:\Program Files\Winaero Tweaker\WinaeroTweaker.exe" -profile="C:\Users\Admin" -sid="S-1-5-21-701583114-2636601053-947405450-1000" -muil="en-US"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Checks processor information in registry
      Modifies registry class
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      PID:3008
    - - C:\Program Files\Winaero Tweaker\WinaeroTweakerHelper.exe
        
        "C:\Program Files\Winaero Tweaker\WinaeroTweakerHelper.exe" -
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4016
    - - C:\Program Files\Winaero Tweaker\Elevator.exe
        
        "C:\Program Files\Winaero Tweaker\Elevator.exe" /1:S-1-5-21-701583114-2636601053-947405450-1000
        5⤵
        Executes dropped EXE
        
        PID:4496
      - C:\Program Files\Winaero Tweaker\Elevator.exe
        
        "C:\Program Files\Winaero Tweaker\Elevator.exe" /2:S-1-5-21-701583114-2636601053-947405450-1000
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2844
        
        C:\Program Files\Winaero Tweaker\Elevator.exe
        
        "C:\Program Files\Winaero Tweaker\Elevator.exe" /3:S-1-5-21-701583114-2636601053-947405450-1000
        7⤵
        Executes dropped EXE
        Modifies data under HKEY_USERS
        
        PID:2324
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe"
        8⤵
        
        PID:1968
        
        C:\Windows\system32\taskkill.exe
        
        taskkill issas.exe
        9⤵
        Kills process with taskkill
        
        PID:5012
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im issas.exe
        9⤵
        Kills process with taskkill
        
        PID:2176
    - - C:\Program Files\Winaero Tweaker\Elevator.exe
        
        "C:\Program Files\Winaero Tweaker\Elevator.exe" /1:S-1-5-21-701583114-2636601053-947405450-1000
        5⤵
        Executes dropped EXE
        
        PID:4452
      - C:\Program Files\Winaero Tweaker\Elevator.exe
        
        "C:\Program Files\Winaero Tweaker\Elevator.exe" /2:S-1-5-21-701583114-2636601053-947405450-1000
        6⤵
        Executes dropped EXE
        
        PID:4808
        
        C:\Program Files\Winaero Tweaker\Elevator.exe
        
        "C:\Program Files\Winaero Tweaker\Elevator.exe" /3:S-1-5-21-701583114-2636601053-947405450-1000
        7⤵
        Executes dropped EXE
        Modifies data under HKEY_USERS
        
        PID:2524
        
        C:\Windows\System32\Taskmgr.exe
        
        "C:\Windows\System32\Taskmgr.exe"
        8⤵
        Drops file in System32 directory
        Checks SCSI registry key(s)
        Modifies data under HKEY_USERS
        
        PID:5112
    - - C:\Program Files\Winaero Tweaker\Elevator.exe
        
        "C:\Program Files\Winaero Tweaker\Elevator.exe" /1:S-1-5-21-701583114-2636601053-947405450-1000
        5⤵
        Executes dropped EXE
        
        PID:4916
      - C:\Program Files\Winaero Tweaker\Elevator.exe
        
        "C:\Program Files\Winaero Tweaker\Elevator.exe" /2:S-1-5-21-701583114-2636601053-947405450-1000
        6⤵
        Executes dropped EXE
        
        PID:3436
        
        C:\Program Files\Winaero Tweaker\Elevator.exe
        
        "C:\Program Files\Winaero Tweaker\Elevator.exe" /3:S-1-5-21-701583114-2636601053-947405450-1000
        7⤵
        Executes dropped EXE
        
        PID:4836
    - - C:\Program Files\Winaero Tweaker\Elevator.exe
        
        "C:\Program Files\Winaero Tweaker\Elevator.exe" /1:S-1-5-21-701583114-2636601053-947405450-1000
        5⤵
        Executes dropped EXE
        
        PID:1664
      - C:\Program Files\Winaero Tweaker\Elevator.exe
        
        "C:\Program Files\Winaero Tweaker\Elevator.exe" /2:S-1-5-21-701583114-2636601053-947405450-1000
        6⤵
        Executes dropped EXE
        
        PID:4384
        
        C:\Program Files\Winaero Tweaker\Elevator.exe
        
        "C:\Program Files\Winaero Tweaker\Elevator.exe" /3:S-1-5-21-701583114-2636601053-947405450-1000
        7⤵
        Executes dropped EXE
        
        PID:4864
    - - C:\Program Files\Winaero Tweaker\Elevator.exe
        
        "C:\Program Files\Winaero Tweaker\Elevator.exe" /1:S-1-5-21-701583114-2636601053-947405450-1000
        5⤵
        Executes dropped EXE
        
        PID:4104
      - C:\Program Files\Winaero Tweaker\Elevator.exe
        
        "C:\Program Files\Winaero Tweaker\Elevator.exe" /2:S-1-5-21-701583114-2636601053-947405450-1000
        6⤵
        Executes dropped EXE
        
        PID:2876
        
        C:\Program Files\Winaero Tweaker\Elevator.exe
        
        "C:\Program Files\Winaero Tweaker\Elevator.exe" /3:S-1-5-21-701583114-2636601053-947405450-1000
        7⤵
        Executes dropped EXE
        
        PID:4108
    - - C:\Program Files\Winaero Tweaker\Elevator.exe
        
        "C:\Program Files\Winaero Tweaker\Elevator.exe" /1:S-1-5-21-701583114-2636601053-947405450-1000
        5⤵
        Executes dropped EXE
        
        PID:2156
      - C:\Program Files\Winaero Tweaker\Elevator.exe
        
        "C:\Program Files\Winaero Tweaker\Elevator.exe" /2:S-1-5-21-701583114-2636601053-947405450-1000
        6⤵
        Executes dropped EXE
        
        PID:704
        
        C:\Program Files\Winaero Tweaker\Elevator.exe
        
        "C:\Program Files\Winaero Tweaker\Elevator.exe" /3:S-1-5-21-701583114-2636601053-947405450-1000
        7⤵
        Executes dropped EXE
        
        PID:3272
    - - C:\Program Files\Winaero Tweaker\Elevator.exe
        
        "C:\Program Files\Winaero Tweaker\Elevator.exe" /1:S-1-5-21-701583114-2636601053-947405450-1000
        5⤵
        Executes dropped EXE
        
        PID:2384
      - C:\Program Files\Winaero Tweaker\Elevator.exe
        
        "C:\Program Files\Winaero Tweaker\Elevator.exe" /2:S-1-5-21-701583114-2636601053-947405450-1000
        6⤵
        Executes dropped EXE
        
        PID:244
        
        C:\Program Files\Winaero Tweaker\Elevator.exe
        
        "C:\Program Files\Winaero Tweaker\Elevator.exe" /3:S-1-5-21-701583114-2636601053-947405450-1000
        7⤵
        Executes dropped EXE
        
        PID:3264
    - - C:\Program Files\Winaero Tweaker\Elevator.exe
        
        "C:\Program Files\Winaero Tweaker\Elevator.exe" /1:S-1-5-21-701583114-2636601053-947405450-1000
        5⤵
        Executes dropped EXE
        
        PID:4620
      - C:\Program Files\Winaero Tweaker\Elevator.exe
        
        "C:\Program Files\Winaero Tweaker\Elevator.exe" /2:S-1-5-21-701583114-2636601053-947405450-1000
        6⤵
        Executes dropped EXE
        
        PID:1480
        
        C:\Program Files\Winaero Tweaker\Elevator.exe
        
        "C:\Program Files\Winaero Tweaker\Elevator.exe" /3:S-1-5-21-701583114-2636601053-947405450-1000
        7⤵
        Executes dropped EXE
        
        PID:632
    - - C:\Program Files\Winaero Tweaker\Elevator.exe
        
        "C:\Program Files\Winaero Tweaker\Elevator.exe" /1:S-1-5-21-701583114-2636601053-947405450-1000
        5⤵
        Executes dropped EXE
        
        PID:2840
      - C:\Program Files\Winaero Tweaker\Elevator.exe
        
        "C:\Program Files\Winaero Tweaker\Elevator.exe" /2:S-1-5-21-701583114-2636601053-947405450-1000
        6⤵
        Executes dropped EXE
        
        PID:1516
        
        C:\Program Files\Winaero Tweaker\Elevator.exe
        
        "C:\Program Files\Winaero Tweaker\Elevator.exe" /3:S-1-5-21-701583114-2636601053-947405450-1000
        7⤵
        Executes dropped EXE
        
        PID:1784
    - - C:\Program Files\Winaero Tweaker\Elevator.exe
        
        "C:\Program Files\Winaero Tweaker\Elevator.exe" /1:S-1-5-21-701583114-2636601053-947405450-1000
        5⤵
        Executes dropped EXE
        
        PID:3108
      - C:\Program Files\Winaero Tweaker\Elevator.exe
        
        "C:\Program Files\Winaero Tweaker\Elevator.exe" /2:S-1-5-21-701583114-2636601053-947405450-1000
        6⤵
        Executes dropped EXE
        
        PID:3816
        
        C:\Program Files\Winaero Tweaker\Elevator.exe
        
        "C:\Program Files\Winaero Tweaker\Elevator.exe" /3:S-1-5-21-701583114-2636601053-947405450-1000
        7⤵
        Executes dropped EXE
        
        PID:952
    - - C:\Program Files\Winaero Tweaker\Elevator.exe
        
        "C:\Program Files\Winaero Tweaker\Elevator.exe" /1:S-1-5-21-701583114-2636601053-947405450-1000
        5⤵
        Executes dropped EXE
        
        PID:2756
      - C:\Program Files\Winaero Tweaker\Elevator.exe
        
        "C:\Program Files\Winaero Tweaker\Elevator.exe" /2:S-1-5-21-701583114-2636601053-947405450-1000
        6⤵
        Executes dropped EXE
        
        PID:1292
        
        C:\Program Files\Winaero Tweaker\Elevator.exe
        
        "C:\Program Files\Winaero Tweaker\Elevator.exe" /3:S-1-5-21-701583114-2636601053-947405450-1000
        7⤵
        Executes dropped EXE
        
        PID:1772
    - - C:\Program Files\Winaero Tweaker\Elevator.exe
        
        "C:\Program Files\Winaero Tweaker\Elevator.exe" /1:S-1-5-21-701583114-2636601053-947405450-1000
        5⤵
        Executes dropped EXE
        
        PID:228
      - C:\Program Files\Winaero Tweaker\Elevator.exe
        
        "C:\Program Files\Winaero Tweaker\Elevator.exe" /2:S-1-5-21-701583114-2636601053-947405450-1000
        6⤵
        Executes dropped EXE
        
        PID:1412
        
        C:\Program Files\Winaero Tweaker\Elevator.exe
        
        "C:\Program Files\Winaero Tweaker\Elevator.exe" /3:S-1-5-21-701583114-2636601053-947405450-1000
        7⤵
        Executes dropped EXE
        
        PID:3104
    - - C:\Program Files\Winaero Tweaker\Elevator.exe
        
        "C:\Program Files\Winaero Tweaker\Elevator.exe" /1:S-1-5-21-701583114-2636601053-947405450-1000
        5⤵
        Executes dropped EXE
        
        PID:4916
      - C:\Program Files\Winaero Tweaker\Elevator.exe
        
        "C:\Program Files\Winaero Tweaker\Elevator.exe" /2:S-1-5-21-701583114-2636601053-947405450-1000
        6⤵
        Executes dropped EXE
        
        PID:2828
        
        C:\Program Files\Winaero Tweaker\Elevator.exe
        
        "C:\Program Files\Winaero Tweaker\Elevator.exe" /3:S-1-5-21-701583114-2636601053-947405450-1000
        7⤵
        Executes dropped EXE
        
        PID:3680
    - - C:\Program Files\Winaero Tweaker\Elevator.exe
        
        "C:\Program Files\Winaero Tweaker\Elevator.exe" /1:S-1-5-21-701583114-2636601053-947405450-1000
        5⤵
        Executes dropped EXE
        
        PID:1664
      - C:\Program Files\Winaero Tweaker\Elevator.exe
        
        "C:\Program Files\Winaero Tweaker\Elevator.exe" /2:S-1-5-21-701583114-2636601053-947405450-1000
        6⤵
        Executes dropped EXE
        
        PID:1504
        
        C:\Program Files\Winaero Tweaker\Elevator.exe
        
        "C:\Program Files\Winaero Tweaker\Elevator.exe" /3:S-1-5-21-701583114-2636601053-947405450-1000
        7⤵
        Executes dropped EXE
        
        PID:1088
    - - C:\Program Files\Winaero Tweaker\Elevator.exe
        
        "C:\Program Files\Winaero Tweaker\Elevator.exe" /1:S-1-5-21-701583114-2636601053-947405450-1000
        5⤵
        Executes dropped EXE
        
        PID:3860
      - C:\Program Files\Winaero Tweaker\Elevator.exe
        
        "C:\Program Files\Winaero Tweaker\Elevator.exe" /2:S-1-5-21-701583114-2636601053-947405450-1000
        6⤵
        Executes dropped EXE
        
        PID:4868
        
        C:\Program Files\Winaero Tweaker\Elevator.exe
        
        "C:\Program Files\Winaero Tweaker\Elevator.exe" /3:S-1-5-21-701583114-2636601053-947405450-1000
        7⤵
        Executes dropped EXE
        
        PID:2712
    - - C:\Program Files\Winaero Tweaker\Elevator.exe
        
        "C:\Program Files\Winaero Tweaker\Elevator.exe" /1:S-1-5-21-701583114-2636601053-947405450-1000
        5⤵
        Executes dropped EXE
        
        PID:3496
      - C:\Program Files\Winaero Tweaker\Elevator.exe
        
        "C:\Program Files\Winaero Tweaker\Elevator.exe" /2:S-1-5-21-701583114-2636601053-947405450-1000
        6⤵
        Executes dropped EXE
        
        PID:3120
        
        C:\Program Files\Winaero Tweaker\Elevator.exe
        
        "C:\Program Files\Winaero Tweaker\Elevator.exe" /3:S-1-5-21-701583114-2636601053-947405450-1000
        7⤵
        Executes dropped EXE
        
        PID:4796
    - - C:\Program Files\Winaero Tweaker\Elevator.exe
        
        "C:\Program Files\Winaero Tweaker\Elevator.exe" /1:S-1-5-21-701583114-2636601053-947405450-1000
        5⤵
        Executes dropped EXE
        
        PID:5076
      - C:\Program Files\Winaero Tweaker\Elevator.exe
        
        "C:\Program Files\Winaero Tweaker\Elevator.exe" /2:S-1-5-21-701583114-2636601053-947405450-1000
        6⤵
        Executes dropped EXE
        
        PID:2068
        
        C:\Program Files\Winaero Tweaker\Elevator.exe
        
        "C:\Program Files\Winaero Tweaker\Elevator.exe" /3:S-1-5-21-701583114-2636601053-947405450-1000
        7⤵
        Executes dropped EXE
        
        PID:3628
    - - C:\Program Files\Winaero Tweaker\Elevator.exe
        
        "C:\Program Files\Winaero Tweaker\Elevator.exe" /1:S-1-5-21-701583114-2636601053-947405450-1000
        5⤵
        Executes dropped EXE
        
        PID:2888
      - C:\Program Files\Winaero Tweaker\Elevator.exe
        
        "C:\Program Files\Winaero Tweaker\Elevator.exe" /2:S-1-5-21-701583114-2636601053-947405450-1000
        6⤵
        Executes dropped EXE
        
        PID:3436
        
        C:\Program Files\Winaero Tweaker\Elevator.exe
        
        "C:\Program Files\Winaero Tweaker\Elevator.exe" /3:S-1-5-21-701583114-2636601053-947405450-1000
        7⤵
        Executes dropped EXE
        
        PID:4624

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1624

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: GetForegroundWindowSpam
PID:1080

C:\Program Files\Winaero Tweaker\WinaeroTweaker.exe
"C:\Program Files\Winaero Tweaker\WinaeroTweaker.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:2164
- C:\Program Files\Winaero Tweaker\WinaeroTweaker.exe
  "C:\Program Files\Winaero Tweaker\WinaeroTweaker.exe" -profile="C:\Users\Admin" -sid="S-1-5-21-701583114-2636601053-947405450-1000" -muil="en-US"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious behavior: GetForegroundWindowSpam
  PID:3352
- - C:\Program Files\Winaero Tweaker\WinaeroTweakerHelper.exe
    "C:\Program Files\Winaero Tweaker\WinaeroTweakerHelper.exe" -
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3648
- - C:\Program Files\Winaero Tweaker\Elevator.exe
    "C:\Program Files\Winaero Tweaker\Elevator.exe" /1:S-1-5-21-701583114-2636601053-947405450-1000
    3⤵
    - Executes dropped EXE
    PID:4796
  - - C:\Program Files\Winaero Tweaker\Elevator.exe
      "C:\Program Files\Winaero Tweaker\Elevator.exe" /2:S-1-5-21-701583114-2636601053-947405450-1000
      4⤵
      Executes dropped EXE
      PID:244
    - - C:\Program Files\Winaero Tweaker\Elevator.exe
        
        "C:\Program Files\Winaero Tweaker\Elevator.exe" /3:S-1-5-21-701583114-2636601053-947405450-1000
        5⤵
        Modifies data under HKEY_USERS
        
        PID:5000
      - C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        6⤵
        Drops file in System32 directory
        Checks processor information in registry
        Modifies data under HKEY_USERS
        
        PID:4348

C:\Windows\system32\osk.exe
"C:\Windows\system32\osk.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3312

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2b4 0x45c
1⤵
PID:1556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Privilege Escalation

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Winaero Tweaker\Elevator.exe

Filesize
79KB

MD5
3452b73bfd48a180a241cd23f9c847b5

SHA1
e508fae59e20a5dd1fb11cd06d32a985d5235dda

SHA256
bf04db2fa5760ca720df20d8d7e7c16672b087dd313e80b1a192dea905ea86aa

SHA512
55c4f6a27c0d166909715ede6ba754913359b28fb031cd0e3625d3e5225399a55686f35144797ae5d4aaad7abaf34b01ef4bc43f66eff5d76df07210423ca6f1

Download Submit
C:\Program Files\Winaero Tweaker\WinaeroControls.dll

Filesize
428KB

MD5
08dff3b716f7382929f613439cf9e835

SHA1
fcbfb0748fc5fc2315c336c2a582d399f0451659

SHA256
59f92064ff838dfbb8a52392b3bc427ae54daf9e1f6325e880cb1010456a5ee5

SHA512
d6cd9cdba81879c608796b9b7ceb5f99a06a91ed2d3b779e8c219defccdd45b2c79082b2b2fbfa995acb26954cc8b61708c81e26666403dc0295078e5cce2003

Download Submit
C:\Program Files\Winaero Tweaker\WinaeroTweaker.exe

Filesize
5.2MB

MD5
99c3342a209d92e537879699108f8288

SHA1
58ebfcc943cc6abd064dd176f79a1e8fa04759ed

SHA256
bd2eb1ade28a7a3023b8e96ea1d44c82c7df50fcbac460c63c05ab11d7849bb4

SHA512
76b1a5c27f724297f247c32b40c7c05f0afde0f19aba31199f7b82ea5b0b52b97bb718eb757352c35d9683162d94486c888a04ffe5d2d6de1e072b090de14dc0

Download Submit
C:\Program Files\Winaero Tweaker\WinaeroTweakerHelper.exe

Filesize
330KB

MD5
8e0aec38406afacff9487529add32c74

SHA1
4a7973910178147b217107db30610bf3416f2745

SHA256
c789872a6141e19f9cb71abb8260c8303a2ac48dfd86f36912a4649800a78d39

SHA512
a29bac662446c238c787635654a1787471c484c5887cca5838361c232dca1d32220b50f36fe918b39db7d6f1976f0584332386340e96a7f85e2d71123014e62c

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
d2fb266b97caff2086bf0fa74eddb6b2

SHA1
2f0061ce9c51b5b4fbab76b37fc6a540be7f805d

SHA256
b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a

SHA512
c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
944B

MD5
6bd369f7c74a28194c991ed1404da30f

SHA1
0f8e3f8ab822c9374409fe399b6bfe5d68cbd643

SHA256
878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d

SHA512
8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
8e62aaca8551193bbd96de073c07cbaf

SHA1
3c4da2efdd0d21aeae3755522fcd9bb5ac3fc443

SHA256
1832290138ccbda5fe5dc0094de8dfdd6bcc48e812e26cae8c9ae4b56fed9a75

SHA512
a61c6127ed6b62ec5d05f5abc8dff5b0a194150be1fd824ee24f5ead770ae577379bb7015e9e67af74b736b2ac01ad6bf5b3b61410235d0a2a832154904c754b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
210KB

MD5
5ac828ee8e3812a5b225161caf6c61da

SHA1
86e65f22356c55c21147ce97903f5dbdf363649f

SHA256
b70465f707e42b41529b4e6d592f136d9eb307c39d040d147ad3c42842b723e7

SHA512
87472912277ae0201c2a41edc228720809b8a94599c54b06a9c509ff3b4a616fcdd10484b679fa0d436e472a8fc062f4b9cf7f4fa274dde6d10f77d378c06aa6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
42b1d5a048a130c24e8f19563b44ba94

SHA1
50a2066be1c39e46f921d2cd3b1af8aed9695c23

SHA256
5ba6c058c1bce5745e2e4fd3bac0bdb33301262032eff0f02195f1d10dc3a93f

SHA512
109c28cf919c95ecc4aa5432d70606d22b2ec4ff56e54f1b4e1a5e5b05af6400e25f4d84b9755c78d962da75f6b89e9c26a0199b353221c6463c7cc7e1cc595e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
504b29855f94872556b90569a233379d

SHA1
a0ea76b99344b196a850949a8a20c4fe1b51e1b0

SHA256
8932c7adb8b4f4b78bee7ee1bbd225352831fa157d85b925d2748f2e031d01e4

SHA512
ced6ccfa83b09dbdf9ae79cadec2be30eb3903dbb3fd2bf5c84608d237cc1ae187dc9d5ddaf5efe04a9fc3038ee3bfa7edafe7d1e3a5a1fbb7617378da6d8409

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
31911b3cc913e9f49b69d158c289f082

SHA1
dcc5df5c4321da5c4836798992405678c404b7af

SHA256
0400adefac1e80f5ca478644a62adcfc6eecf05e096da6078d38d196cca11a80

SHA512
12292d3e535ec633fc1c5c2bb0f6cdcc1843abd166eca0a33b1648bbe334d75926505a660baa7626df5756bb5f50eaa80056bff25e2412da7f46894cf8ce599e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
02386d29844de685b9b4b14119794c92

SHA1
bf4126bf04ef76b93fbffc9a463a2023c90a6988

SHA256
4746aadedd7c7ea79631a9ba3fdfee1d2b686e021a33ab2098978a5877c57cfc

SHA512
1ac49d4aaaac8a48e90250a1203c93eeb8745536146c80a2c42d268c746266e9cd2951514dc6d3eee267d96ed118a42fc954d076e3eb9a0ffee087b0d27e5137

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
bc3afe337dbb143fac1c42c5d955f6fe

SHA1
a08d061e4d6463af498411585bb7c1e0f5a5c86c

SHA256
e851769247d1e7a4fdc7c43a747da7cf343fe67daece89c42fe41f7af95d0500

SHA512
788000bbf40abdaa579a00840b0940e058a0bc76575203913dc7380777dd9b816b2f207693a5d2fd9db0b426a9ea41973cf268d0d18636ad94306b810d3e3311

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
31884d9c5cdf442e8a78b73e112e222a

SHA1
4fef40d700e6a3e76b7a169a14ad9ba118dd0451

SHA256
8c375001fb328b7893478084281fd51dc3d9beaca13c2fd53e3163d8b8164304

SHA512
398ce3718b74852ae956025e38f97113843a5ef1910793ceb2d8f325ae2c053b356ac65373a937cc103a8d5d1647362b03cbce073311c099b8d92b533db9ab8a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f905df2e64e794fdde21096032aeb9c7

SHA1
d884ccf1177c8df1e892696c5d855596d196c97c

SHA256
9c34396fb72669245391932874279352e4699cb1a8358911cde6ece69028a231

SHA512
c008752e199bebc42ad3551f3b77b487a1caa67d28dc6f15a3bed928d4c5f4952b56193c8b19f0001fb46b90ab0c7af1f0d492d497e27a7fdb7111533e6e3bc6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2b8ddbbddf9cf97a5d3d30eb981724b5

SHA1
050a879d7e20c5bcfbcf4a0d46848bbd827971c5

SHA256
4238adc57be0cd2baae98f8679df210656b503172cf5b56108a9d553c20cb32c

SHA512
5b9f625aa931d13165e097fcb45914b40780cdf91d4d90cd554e34016c074ea5653f58ff6932e401592ee4161b6e95aaf30e75f4ab98dfe4f97f2676cbd651ad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
65efcb92fae2166446b4d8758c98a623

SHA1
96d6038b0b02651f06cdd23b72a2571ff6441991

SHA256
c15bb47c2ddb7035e7cc8e6848fdb917189779c5ded2c1ca90e2a088c9002548

SHA512
3508a10cfee70bd5c25762125bd96bfb73c4f3de329811705716b33b75f78f1b93dd716b622b4c96b70050a677aef858d716219c88fbe4fcfc9d95641a4a8e73

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
188KB

MD5
347f2d71c33f56f32bc63051b570ed7c

SHA1
8a25770bda03667025f39a8c282a4157a8c72794

SHA256
df0cc033ec49f07d985c595498d6c5a1c153e23439959db8ff758e7e9cba6d97

SHA512
f5bf059b02d1423bbc88880bd7ba06dd2ac05a94b4a14a51aa46b6ed3093bd09025d04d2794156a84f92a21c6fc124d610ff63570493dcdef1b62e7ae9a96489

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
188KB

MD5
fd92e3cbba70c6c38361201b3fa0df17

SHA1
21324992df9c6a5d4bb0eb36228c0ff68b619ebc

SHA256
f2910944964ea279102f5903a5c280788739a6a45165f7353e28cf1dcd7471ee

SHA512
895a16e9e9b15a9a9863f8e48b1abe5a770bd5ac5fd99f08c3237e617f3f101b426aa10c4b58b0463e1a47f3520299ebe5cfaf7a4673fad72c95f4d639069644

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
188KB

MD5
9fd85bd6e0a0013ae35b82ef490da073

SHA1
45e443a828e4dd37b6e5d9f68b58e4a930025b93

SHA256
6b955d5e6e6c4dba224981f872f4fd224f4cfd8e5cd0c2494113b5de90b21ecb

SHA512
ea5a4e4399e2f27ac11d9e343abe69de7de272d7528254641c1b893d50ab44b28c5fd53ec45f5ef8bdcfb8c33594dc804c78c82355666764061de7effe5b3c9b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
baaf4f7675ee778bc9104df8db5a2d31

SHA1
b165face56c69545ffb218e223a6714f417330e5

SHA256
f957b062ba52b9a06cbd719bc2a90343d4529c058ef594e8a51c1ba6f5bcae54

SHA512
9f4ebe4f1b22883b72e23ce3924517fdb26b461e4807d1c36b62b122c32e170402927abcc33dcb896069f3464fe7c5c06969f8fc0ce0c854c09f1cddf539d5ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\WinaeroTweaker.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7f37f119665df6beaa925337bbff0e84

SHA1
c2601d11f8aa77e12ab3508479cbf20c27cbd865

SHA256
1073dbff3ec315ac85361c35c8ba791cc4198149b097c7b287dda1d791925027

SHA512
8e180e41dd27c51e81788564b19b8ff411028890da506fbf767d394b1e73ec53e046c8d07235b2ec7c1c593c976bbf74ed9b7d442d68b526a0a77a9b5b0ab817

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d406f3135e11b0a0829109c1090a41dc

SHA1
810f00e803c17274f9af074fc6c47849ad6e873e

SHA256
91f57909a10174b06c862089a9c1f3b3aeafea74a70ee1942ce11bb80d9eace4

SHA512
2b9f0f94b1e8a1b62ab38af8df2add0ec9e4c6dfa94d9c84cc24fe86d2d57d4fc0d9ec8a9775cf42a859ddfd130260128185a0e2588992bca8fd4ebf5ee6d409

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
6b261be7670198f99a15e1f6a3895581

SHA1
009960e4c74f58eabd40616f1790a29d0ba0e410

SHA256
0abbb4fc4c5928935a65b425a0e25c7e5241da36e82a3279f310056e08eb01d1

SHA512
cb3ebe7481169b9b98b4d64331f1c7ecad5b87eaec8f38e72a2eac3840c64e268622c7f39394fb13a449752d41725d159be2f456a7e88c0b8cf3844a3b3bbe1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
327B

MD5
3eed05f4a75513ca7a782424edffca98

SHA1
04bb3a6e62176801ef3244b17e4fbc43a2ce7dd6

SHA256
f6a6f6776e8e9da571fd4185225f14f6467be4f0b29b237b3a685954e563abcb

SHA512
46a8f8eaa27160591bc4516db0c15198c8dd860b21bc01d03a8a252b0d30a63d2e7d7166172f8833b2e1b349dd2a081442e41d648769159ee46dbc610091b5dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
979348400fe7e299ac89bd1ab984b47e

SHA1
593ba0c24790a94b5e3d6c612612399bcc2f8f2d

SHA256
858db8d2b23ac3b75efdd3131fa3b959a9e3bc45fd0b6a4a5609f7221fcc1d8d

SHA512
b2208d78aab9337e850d755db67bae76dc6299335ca9493c3fcc6390548b9c697c9a3ae714dc0604abcbc79361cdd1ce1ba4664e21beb8228bf706ab9a395cc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
fb0aba8a32b7565b56a868ab9e5ba251

SHA1
7c81fe8b292f32d4d014fd3c3cd6cd9d62b6f873

SHA256
b8662fac2ff87611f91531e457e835d41ae7ce6e3204f1828881dfc522bdb086

SHA512
193d8063afaf376a7e53cc2d4e19406e217e793b075b1c9a1aea73477ce21dfdd5a8490707d63713803234a26f60d52057045a5cd551c16b6a2ea706502d98bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a09b50a02786895d8f3bbd415b4b72fe

SHA1
ef3ada2be151d3ac8c00651bdc2ac477290da8c3

SHA256
dc877878c85bef1c7169e82f1382dcd715b647749fe90089903385763329f401

SHA512
6bb97cf28e78fa428825ef8ca9f9eca97145fb78852efcc8bebe492660e027962097fef2be75a57c3917abb8fde2991b3e1b6f1c9c3b138e6a2f29afafef7bb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5f8e0429f6601279e15923db5d129c2a

SHA1
787fbee88d01b389d2e5214e97791a8febb867e8

SHA256
ecefa5c900bdf676468f5e42a2a3f2e00e7e1050e1ea948e03d0befc216e0ea6

SHA512
87b911af6bf3ee0888993fa5e1a181608d425c05642e7b16f0e6e7ac7608bb3ad7be74bf55ffd0755d68a1a63195ee3ed5c7cad7fafcc3b830d60b1dc38693ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
706B

MD5
f181b9e837481ea6a2d30acc7bb703d4

SHA1
ddf549f0ddedeb270d4955fcb670486a63906fff

SHA256
728f5bab8a74463880a3739496cc9f5ca88194c4b2cd05782e48f6aefaf8f44c

SHA512
35d3107795999f34b0c487633abf095db7f41fac36d8534fa461312d880cf96445595fa3ed328a138c6b3076e79f21aa6a3d8420f7c4f17857a392c0daa8e382

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe61bcd7.TMP

Filesize
706B

MD5
4b5bfe4799268b25c9aff3a37b0bfe7e

SHA1
fd305e39c049adfa045a84c5e5c5c06a88c6450e

SHA256
8487269bca01981fb127fd4bf64378adbca7ff04d7c32d5ab9db7693ecdfedea

SHA512
3c9a1fa7c9dc2eafd558bd931f220d0898ca8c1d37caf659de1987d04a4f05327f4c1e9746319e1b0eada45eaeac64d5378aa273bcadd0f554df6a11490bb73a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
6cf7a671595239c9c1e41b5f677a8305

SHA1
4b9d0d3711f2c66d7f9d563e45b05cd96ddd2c85

SHA256
53408a6a2848308ac53dba778b5eaefe02e28be9b1dd3effb4586eabd012b60e

SHA512
1ed345ac7c3d206d21abc7432f72c79749f27f9a49b8e6ee5501e7ca62c05bdbc3c054fa5001b2a1f5f07516d1af3534b6910cc5a8efdd751f448af626e68ca9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
309de1f4ed5d140ee2410f9a61c298c6

SHA1
a0323a54d0c0bb8dede25a338eb2da2c90dc515e

SHA256
3125219892e2a377140a3c768644694f1cb8362d2bedd99aa42d3c3340a1982e

SHA512
71e0fb024f2bc94b2f9f197bb3ea9b0c35ee0f9817e848ad6c36a849022631aec6da53a5ae34f0f3c087d6467b2a3fb3ba8051c2c598564d6a8841ddd033d7e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1JB3O.tmp\WinaeroTweaker-1.63.0.0-setup.tmp

Filesize
3.0MB

MD5
1f8bc6b583179090e759faa5b1c97430

SHA1
d8ac7e18aa560acb861b37b13ae5622633bd7830

SHA256
e960ecec070425603934a878e09329edc9a44f2112bfb90e84b162a654074a67

SHA512
72244fa43407ae2f88d00cdfa3d8ccdc8da0ea663eb60dbfd37ea355a01f861559cfe20801c1f6898792b9d59d8c265cc941bafcc6ca1dd1c1f37bf23f2f695b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-6MR2D.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 968813.crdownload

Filesize
5.2MB

MD5
455613c0a575bc31a050af6f2418d8fb

SHA1
225f6311e872a226cb69ccd3055d43d86d598a1f

SHA256
8b46861abb7266c798b27cd6e4cc95e6e81215870128f892236b7a27dfb02b74

SHA512
991b204b17a7bb91756479d685e6d53e4cb2c7a399a3a04037154c7ef5363cb720fc2d6d210ab2d76078041acd690adbacd927f77c1b7eb224f23ac5bd611967

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Elevator.exe.log

Filesize
660B

MD5
1c5e1d0ff3381486370760b0f2eb656b

SHA1
f9df6be8804ef611063f1ff277e323b1215372de

SHA256
f424c891fbc7385e9826beed2dd8755aeac5495744b5de0a1e370891a7beaf7a

SHA512
78f5fc40a185d04c9e4a02a3d1b10b4bd684c579a45a0d1e8f49f8dee9018ed7bc8875cbf21f98632f93ead667214a41904226ce54817b85caeeb4b0de54a743

Download Submit
memory/1564-812-0x0000012FE0230000-0x0000012FE02A0000-memory.dmp

Filesize
448KB

Download
memory/1564-813-0x0000012FDE840000-0x0000012FDE846000-memory.dmp

Filesize
24KB

Download
memory/1564-810-0x0000012FF8AF0000-0x0000012FF8D20000-memory.dmp

Filesize
2.2MB

Download
memory/1564-805-0x0000012FDDF70000-0x0000012FDE4A0000-memory.dmp

Filesize
5.2MB

Download
memory/1684-11-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1684-0-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1684-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/3008-819-0x000001EF6D040000-0x000001EF6D062000-memory.dmp

Filesize
136KB

Download
memory/4352-102-0x0000000000400000-0x0000000000713000-memory.dmp

Filesize
3.1MB

Download
memory/4352-12-0x0000000000400000-0x0000000000713000-memory.dmp

Filesize
3.1MB

Download
memory/4352-6-0x0000000000400000-0x0000000000713000-memory.dmp

Filesize
3.1MB

Download
memory/4496-822-0x000002D4C6360000-0x000002D4C637A000-memory.dmp

Filesize
104KB

Download
memory/4496-823-0x000002D4C6710000-0x000002D4C6716000-memory.dmp

Filesize
24KB

Download