hxxps://github[.]com/teknixstuff/revert8plus/releases/tag/3[.]3[.]4

Analysis

max time kernel
411s
max time network
489s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
10-11-2024 06:29

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://github.com/teknixstuff/revert8plus/releases/tag/3.3.4

Score

8^/10

adware defense_evasion discovery execution exploit persistence privilege_escalation stealer

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 36 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Software\Microsoft\Active Setup\Installed Components	explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Software\Microsoft\Active Setup\Installed Components	explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5464	powershell.exe
3040	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 37 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ThemeSwitcher.exe\GlobalFlag = "256"	r8p.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\TASKKILL.EXE	r8p.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RunAsTI.exe	r8p.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SetupPrep.exe	r8p.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SIB10.EXE	r8p.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\logonui.exe	r8p.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\logonui.exe\GlobalFlag = "256"	r8p.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SYM.EXE	r8p.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\REGSVR32.EXE	r8p.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\INCONTROL.EXE	r8p.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winlogon.exe	r8p.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winlogon.exe\GlobalFlag = "256"	r8p.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sym.exe	r8p.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winlogon.exe\VerifierDlls = "OpenTheme.dll"	r8p.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regsvr32.exe	r8p.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\RUNASTI.EXE	r8p.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\REG.EXE	r8p.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\InstallPrep.exe\Debugger = "\"C:\\Windows\\Revert8Plus\\unwin7.exe\""	r8p.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SIB10.exe	r8p.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe	r8p.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CMD.EXE	r8p.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe	r8p.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SetupPrep.exe\Debugger = "\"C:\\Windows\\Revert8Plus\\unwin7.exe\""	r8p.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\w7games.exe	r8p.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\InstallPrep.exe	r8p.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ViVeTool.exe	r8p.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SC.EXE	r8p.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe	r8p.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\InControl.exe	r8p.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\logonui.exe\VerifierDlls = "OpenTheme.dll"	r8p.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\VIVETOOL.EXE	r8p.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe	r8p.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sc.exe	r8p.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ThemeSwitcher.exe	r8p.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ThemeSwitcher.exe\VerifierDlls = "OpenTheme.dll"	r8p.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\POWERSHELL.EXE	r8p.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\W7GAMES.EXE	r8p.exe

Possible privilege escalation attempt 34 IoCs

exploit

pid	Process
3980	icacls.exe
1336	takeown.exe
3084	icacls.exe
5924	takeown.exe
1764	takeown.exe
3984	takeown.exe
1064	takeown.exe
4872	takeown.exe
1204	icacls.exe
3468	takeown.exe
4044	takeown.exe
4432	icacls.exe
2392	icacls.exe
4268	icacls.exe
3888	takeown.exe
5872	icacls.exe
1848	icacls.exe
5712	icacls.exe
3640	icacls.exe
1076	icacls.exe
6076	takeown.exe
5360	takeown.exe
5700	takeown.exe
1220	takeown.exe
2812	icacls.exe
5556	takeown.exe
5848	icacls.exe
6008	icacls.exe
5236	icacls.exe
5656	icacls.exe
2828	takeown.exe
3380	takeown.exe
5496	takeown.exe
3564	icacls.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\Geo\Nation	SIB10.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 64 IoCs

pid	Process
5144	r8p.exe
4560	InControl.exe
5032	SIB10.exe
2348	StartIsBackCfg.exe
5704	startscreen.exe
3732	UpdateCheck.exe
4764	UpdateCheck.exe
4328	UpdateCheck.exe
5588	UpdateCheck.exe
1896	UpdateCheck.exe
5364	UpdateCheck.exe
4492	ThemeSwitcher.exe
2536	UpdateCheck.exe
5512	ViVeTool.exe
6132	UpdateCheck.exe
3588	UpdateCheck.exe
5876	UpdateCheck.exe
2856	UpdateCheck.exe
5228	UpdateCheck.exe
1152	sym.exe
4732	sym.exe
5840	UpdateCheck.exe
3088	DWMBlurGlass.exe
3356	sym.exe
4196	sym.exe
5640	sym.exe
4508	sym.exe
1456	UpdateCheck.exe
5288	sym.exe
3916	sym.exe
5332	UpdateCheck.exe
3832	sym.exe
2584	sym.exe
5924	UpdateCheck.exe
1132	sym.exe
1596	sym.exe
5164	sym.exe
3436	sym.exe
5424	sym.exe
5232	sym.exe
4480	UpdateCheck.exe
5996	UpdateCheck.exe
3832	sym.exe
1420	sym.exe
5472	UpdateCheck.exe
1948	sym.exe
6032	sym.exe
5872	sym.exe
5360	sym.exe
2636	sym.exe
4192	sym.exe
2668	UpdateCheck.exe
868	UpdateCheck.exe
2592	UpdateCheck.exe
552	sym.exe
5148	sym.exe
3380	UpdateCheck.exe
4044	sym.exe
5940	sym.exe
1196	sym.exe
1248	sym.exe
2992	UpdateCheck.exe
3880	UpdateCheck.exe
1668	UpdateCheck.exe

Loads dropped DLL 64 IoCs

pid	Process
5144	r8p.exe
5144	r8p.exe
5144	r8p.exe
5144	r8p.exe
5144	r8p.exe
5144	r8p.exe
5144	r8p.exe
5144	r8p.exe
5144	r8p.exe
5144	r8p.exe
5144	r8p.exe
5144	r8p.exe
5144	r8p.exe
5144	r8p.exe
5144	r8p.exe
5144	r8p.exe
5144	r8p.exe
5144	r8p.exe
4756	explorer.EXE
4056	explorer.exe
5472	explorer.exe
3144	explorer.exe
5476	explorer.exe
5756	explorer.exe
5432	explorer.exe
3116	explorer.exe
4492	ThemeSwitcher.exe
5144	r8p.exe
732	explorer.exe
1328	explorer.exe
5144	r8p.exe
5144	r8p.exe
2288	explorer.EXE
5364	explorer.exe
3084	explorer.exe
2676	explorer.exe
4844	explorer.exe
5972	explorer.exe
5144	r8p.exe
5144	r8p.exe
4732	sym.exe
4732	sym.exe
4732	sym.exe
4732	sym.exe
4732	sym.exe
4732	sym.exe
4732	sym.exe
4732	sym.exe
4732	sym.exe
4732	sym.exe
4732	sym.exe
4732	sym.exe
2544	explorer.exe
3948	explorer.exe
5144	r8p.exe
3088	DWMBlurGlass.exe
3088	DWMBlurGlass.exe
968	dwm.exe
968	dwm.exe
5144	r8p.exe
4196	sym.exe
4196	sym.exe
4196	sym.exe
4196	sym.exe

Modifies file permissions 1 TTPs 34 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
5700	takeown.exe
4432	icacls.exe
5496	takeown.exe
6076	takeown.exe
1064	takeown.exe
3640	icacls.exe
5236	icacls.exe
5556	takeown.exe
2812	icacls.exe
5656	icacls.exe
5712	icacls.exe
1336	takeown.exe
5924	takeown.exe
1204	icacls.exe
2828	takeown.exe
5872	icacls.exe
6008	icacls.exe
2392	icacls.exe
3564	icacls.exe
4044	takeown.exe
3888	takeown.exe
3984	takeown.exe
5848	icacls.exe
5360	takeown.exe
1848	icacls.exe
4268	icacls.exe
1076	icacls.exe
3380	takeown.exe
4872	takeown.exe
3980	icacls.exe
3084	icacls.exe
1220	takeown.exe
1764	takeown.exe
3468	takeown.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Libs = "reg add \"HKCU\\Software\\Classes\\CLSID\\{031E4825-7B94-4dc3-B131-E946B44C8DD5}\" /v System.IsPinnedToNameSpaceTree /t REG_DWORD /d 1 /f"	r8p.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 14 IoCs

description	ioc	Process
File created	C:\Windows\Resources\Themes\Windows Aero\SoundSchemes\Afternoon\Desktop.ini	r8p.exe
File created	C:\Windows\Resources\Themes\Windows Aero\SoundSchemes\Delta\Desktop.ini	r8p.exe
File created	C:\Windows\Resources\Themes\Windows Aero\SoundSchemes\Heritage\Desktop.ini	r8p.exe
File created	C:\Windows\Resources\Themes\Windows Aero\SoundSchemes\Savanna\Desktop.ini	r8p.exe
File created	C:\Windows\Resources\Themes\Windows Aero\SoundSchemes\Sonata\Desktop.ini	r8p.exe
File created	C:\Windows\Resources\Themes\Windows Aero\SoundSchemes\Calligraphy\Desktop.ini	r8p.exe
File created	C:\Windows\Resources\Themes\Windows Aero\SoundSchemes\Cityscape\Desktop.ini	r8p.exe
File created	C:\Windows\Resources\Themes\Windows Aero\SoundSchemes\Festival\Desktop.ini	r8p.exe
File created	C:\Windows\Resources\Themes\Windows Aero\SoundSchemes\Garden\Desktop.ini	r8p.exe
File created	C:\Windows\Resources\Themes\Windows Aero\SoundSchemes\Landscapes\Desktop.ini	r8p.exe
File created	C:\Windows\Resources\Themes\Windows Aero\SoundSchemes\Quirky\Desktop.ini	r8p.exe
File created	C:\Windows\Resources\Themes\Windows Aero\SoundSchemes\Characters\Desktop.ini	r8p.exe
File created	C:\Windows\Resources\Themes\Windows Aero\SoundSchemes\Raga\Desktop.ini	r8p.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\desktop.ini	w7games.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.EXE
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.EXE
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.EXE
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

Indicator Removal: Clear Persistence 1 TTPs 12 IoCs

remove IFEO.

defense_evasion

Clear Persistence

T1070.009

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\INCONTROL.EXE	r8p.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\TASKKILL.EXE	r8p.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\REGSVR32.EXE	r8p.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\POWERSHELL.EXE	r8p.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\W7GAMES.EXE	r8p.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SIB10.EXE	r8p.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CMD.EXE	r8p.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\VIVETOOL.EXE	r8p.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SYM.EXE	r8p.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SC.EXE	r8p.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\RUNASTI.EXE	r8p.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\REG.EXE	r8p.exe

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{27DD0F8B-3E0E-4ADC-A78A-66047E71ADC5}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{27DD0F8B-3E0E-4ADC-A78A-66047E71ADC5}\NoInternetExplorer = "1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{27DD0F8B-3E0E-4ADC-A78A-66047E71ADC5}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{27DD0F8B-3E0E-4ADC-A78A-66047E71ADC5}\NoInternetExplorer = "1"	regsvr32.exe

Power Settings 1 TTPs 8 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
4460	powercfg.exe
5960	powercfg.exe
2816	powercfg.exe
5728	powercfg.exe
5392	powercfg.exe
6052	powercfg.exe
5580	powercfg.exe
1332	powercfg.exe

Drops file in System32 directory 35 IoCs

description	ioc	Process
File created	C:\Windows\System32\de-de\authui.dll.mui	cmd.exe
File created	C:\Windows\System32\fr-fr\authui.dll.mui	cmd.exe
File created	C:\Windows\System32\ja-jp\wincredui.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\ja-jp\wincredui.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\uk-ua\wincredui.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\consent.exe	cmd.exe
File created	C:\Windows\System32\en-us\authui.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\fr-fr\authui.dll.mui	cmd.exe
File created	C:\Windows\System32\ja-jp\authui.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\ja-jp\authui.dll.mui	cmd.exe
File created	C:\Windows\System32\OpenTheme.dll	r8p.exe
File created	C:\Windows\System32\it-it\wincredui.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\it-it\wincredui.dll.mui	cmd.exe
File created	C:\Windows\System32\uk-ua\wincredui.dll.mui	cmd.exe
File created	C:\Windows\System32\es-es\authui.dll.mui	cmd.exe
File created	C:\Windows\System32\es-es\wincredui.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\fr-fr\wincredui.dll.mui	cmd.exe
File created	C:\Windows\System32\de-de\wincredui.dll.mui	cmd.exe
File created	C:\Windows\System32\it-it\authui.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\wincredui.dll	cmd.exe
File opened for modification	C:\Windows\System32\de-de\wincredui.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\en-us\authui.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\en-us\wincredui.dll.mui	cmd.exe
File created	C:\Windows\System32\fr-fr\wincredui.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\uk-ua\authui.dll.mui	cmd.exe
File created	C:\Windows\System32\wincredui.dll	cmd.exe
File opened for modification	C:\Windows\System32\de-de\authui.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\it-it\authui.dll.mui	cmd.exe
File created	C:\Windows\System32\uk-ua\authui.dll.mui	cmd.exe
File created	C:\Windows\System32\authui.dll	cmd.exe
File opened for modification	C:\Windows\System32\authui.dll	cmd.exe
File created	C:\Windows\System32\consent.exe	cmd.exe
File created	C:\Windows\System32\en-us\wincredui.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\es-es\authui.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\es-es\wincredui.dll.mui	cmd.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Games\Chess\slc.dll	w7games.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\SpiderSolitaire.exe.mui	w7games.exe
File created	C:\Program Files\Microsoft Games\Purble Place\PurblePlace.exe	w7games.exe
File created	C:\Program Files\Microsoft Games\Purble Place\en-US\PurblePlace.exe.mui	w7games.exe
File opened for modification	C:\Program Files\Microsoft Games	w7games.exe
File created	C:\Program Files\Microsoft Games\FreeCell\de-DE\FreeCell.exe.mui	w7games.exe
File created	C:\Program Files\Microsoft Games\Mahjong\fr-FR\Mahjong.exe.mui	w7games.exe
File created	C:\Program Files\Microsoft Games\Purble Place\slc.dll	w7games.exe
File created	C:\Program Files\Microsoft Games\Purble Place\uk-UA\PurblePlace.exe.mui	w7games.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\6a1b2309-cbd4-4068-b990-618ee754e916.tmp	setup.exe
File created	C:\Program Files\Microsoft Games\FreeCell\CardGames.dll	w7games.exe
File created	C:\Program Files\Microsoft Games\Mahjong\MahjongMCE.png	w7games.exe
File opened for modification	C:\Program Files (x86)\StartIsBack\Styles	StartIsBackCfg.exe
File created	C:\Program Files\Microsoft Games\Solitaire\uk-UA\Solitaire.exe.mui	w7games.exe
File created	C:\Program Files\Microsoft Games\Hearts\ja-JP\Hearts.exe.mui	w7games.exe
File created	C:\Program Files\Microsoft Games\Mahjong\it-IT\Mahjong.exe.mui	w7games.exe
File created	C:\Program Files\Microsoft Games\Chess\de-DE\chess.exe.mui	w7games.exe
File created	C:\Program Files\Microsoft Games\Chess\CardGames.dll	w7games.exe
File created	C:\Program Files\Microsoft Games\FreeCell\en-US\FreeCell.exe.mui	w7games.exe
File created	C:\Program Files\Microsoft Games\Solitaire\de-DE\Solitaire.exe.mui	w7games.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\fr-FR\Minesweeper.exe.mui	w7games.exe
File created	C:\Program Files\Microsoft Games\Purble Place\PurblePlace.dll	w7games.exe
File created	C:\Program Files\Microsoft Games\Purble Place\de-DE\PurblePlace.exe.mui	w7games.exe
File created	C:\Program Files (x86)\StartIsBack\StartIsBack64.dll	StartIsBackCfg.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\ja-JP\SpiderSolitaire.exe.mui	w7games.exe
File created	C:\Program Files\Microsoft Games\Mahjong\ja-JP\Mahjong.exe.mui	w7games.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\slc.dll	w7games.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\it-IT\Minesweeper.exe.mui	w7games.exe
File opened for modification	C:\Program Files (x86)\StartIsBack\StartIsBack64.dll	r8p.exe
File created	C:\Program Files\Microsoft Games\Chess\ja-JP\chess.exe.mui	w7games.exe
File created	C:\Program Files\Microsoft Games\FreeCell\ja-JP\FreeCell.exe.mui	w7games.exe
File created	C:\Program Files (x86)\StartIsBack\Styles\Plain8.msstyles	StartIsBackCfg.exe
File opened for modification	C:\Program Files (x86)\StartIsBack\Styles\Windows 7.msstyles	r8p.exe
File created	C:\Program Files\Microsoft Games\Hearts\es-ES\Hearts.exe.mui	w7games.exe
File created	C:\Program Files\Microsoft Games\Mahjong\Mahjong.exe	w7games.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\Minesweeper.dll	w7games.exe
File created	C:\Program Files (x86)\StartIsBack\StartIsBack32.dll	StartIsBackCfg.exe
File created	C:\Program Files (x86)\StartIsBack\StartIsBackCfg.exe	StartIsBackCfg.exe
File created	C:\Program Files (x86)\StartIsBack\StartScreen.exe	StartIsBackCfg.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\SpiderSolitaire.exe.mui	w7games.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20241110062929.pma	setup.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\en-US\Minesweeper.exe.mui	w7games.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\uk-UA\SpiderSolitaire.exe.mui	w7games.exe
File created	C:\Program Files (x86)\StartIsBack\Orbs\StartIsBack_Ei8htOrb_v2_by_PainteR.bmp	StartIsBackCfg.exe
File created	C:\Program Files\Microsoft Games\Chess\it-IT\chess.exe.mui	w7games.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\ja-JP\Minesweeper.exe.mui	w7games.exe
File created	C:\Program Files\Microsoft Games\Purble Place\fr-FR\PurblePlace.exe.mui	w7games.exe
File created	C:\Program Files\Microsoft Games\Solitaire\en-US\Solitaire.exe.mui	w7games.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaireMCE.png	w7games.exe
File created	C:\Program Files (x86)\StartIsBack\UpdateCheck.exe	StartIsBackCfg.exe
File created	C:\Program Files\Microsoft Games\Chess\chess.exe	w7games.exe
File created	C:\Program Files\Microsoft Games\Hearts\Hearts.exe	w7games.exe
File created	C:\Program Files\Microsoft Games\Mahjong\uk-UA\Mahjong.exe.mui	w7games.exe
File created	C:\Program Files\Microsoft Games\Purble Place\ja-JP\PurblePlace.exe.mui	w7games.exe
File created	C:\Program Files\Microsoft Games\Solitaire\it-IT\Solitaire.exe.mui	w7games.exe
File created	C:\Program Files\Microsoft Games\FreeCell\es-ES\FreeCell.exe.mui	w7games.exe
File created	C:\Program Files\Microsoft Games\Solitaire\SolitaireMCE.png	w7games.exe
File created	C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.png	w7games.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\CardGames.dll	w7games.exe
File created	C:\Program Files (x86)\StartIsBack\Styles\Plain10.msstyles	StartIsBackCfg.exe
File created	C:\Program Files\Microsoft Games\Hearts\en-US\Hearts.exe.mui	w7games.exe
File created	C:\Program Files\Microsoft Games\Solitaire\slc.dll	w7games.exe
File created	C:\Program Files (x86)\StartIsBack\msimg32.dll	r8p.exe
File created	C:\Program Files\Microsoft Games\Hearts\HeartsMCE.png	w7games.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\Revert8Plus\UAC\tr-tr\wincredui.dll.mui	r8p.exe
File created	C:\Windows\Resources\Themes\Windows Aero\Cursors\aero_pen.cur	r8p.exe
File created	C:\Windows\Resources\Themes\Windows Aero\SoundSchemes\Characters\Windows Balloon.wav	r8p.exe
File created	C:\Windows\Resources\Themes\Windows Aero\SoundSchemes\Landscapes\Windows Navigation Start.wav	r8p.exe
File created	C:\Windows\Resources\Themes\Windows Aero\SoundSchemes\Savanna\Windows Hardware Insert.wav	r8p.exe
File created	C:\Windows\Revert8Plus\icons7\zipfldr.dll	r8p.exe
File created	C:\Windows\Revert8Plus\shell7.dll.mui	r8p.exe
File created	C:\Windows\Resources\Themes\Windows Aero\SoundSchemes\Calligraphy\Windows Hardware Insert.wav	r8p.exe
File created	C:\Windows\Resources\Themes\Windows Aero\SoundSchemes\Calligraphy\Windows Navigation Start.wav	r8p.exe
File created	C:\Windows\Resources\Themes\Windows Aero\SoundSchemes\Characters\Windows Notify.wav	r8p.exe
File created	C:\Windows\Resources\Themes\Windows Aero\SoundSchemes\Cityscape\Windows Battery Low.wav	r8p.exe
File created	C:\Windows\Resources\Themes\Windows Aero\SoundSchemes\Random\town.mid	r8p.exe
File created	C:\Windows\Resources\Themes\Windows Aero\SoundSchemes\Cityscape\Windows Critical Stop.wav	r8p.exe
File created	C:\Windows\Resources\Themes\Windows Aero\SoundSchemes\Quirky\Desktop.ini	r8p.exe
File created	C:\Windows\Revert8Plus\ViVeTool.exe	r8p.exe
File created	C:\Windows\Revert8Plus\UAC\en-us\wincredui.dll.mui	r8p.exe
File created	C:\Windows\Revert8Plus\icons7\ndadmin.exe.dll	r8p.exe
File created	C:\Windows\Revert8Plus\SIB10.exe	r8p.exe
File created	C:\Windows\Resources\Themes\Windows Aero\SoundSchemes\Heritage\Windows Battery Low.wav	r8p.exe
File created	C:\Windows\Resources\Themes\Windows Aero\Styles\Vista1903\img36.jpg	r8p.exe
File created	C:\Windows\Resources\Themes\Windows Aero\Wallpaper\Architecture\4.jpg	r8p.exe
File created	C:\Windows\Revert8Plus\icons7\imageres.dll	r8p.exe
File created	C:\Windows\Resources\Themes\Windows Aero\Cursors\aero_arrow.cur	r8p.exe
File created	C:\Windows\Resources\Themes\Windows Aero\Wallpaper\Nature\5.jpg	r8p.exe
File created	C:\Windows\Revert8Plus\UAC\ka-ge\authui.dll.mui	r8p.exe
File created	C:\Windows\Revert8Plus\UAC\sk-sk\wincredui.dll.mui	r8p.exe
File created	C:\Windows\Resources\Themes\Windows Aero\SoundSchemes\Heritage\Windows Critical Stop.wav	r8p.exe
File created	C:\Windows\Resources\Themes\Windows Aero\SoundSchemes\Windows\Windows Error.wav	r8p.exe
File created	C:\Windows\Resources\Themes\Windows Aero\Styles\Redstone\shell\NormalColor2\shellstyle.dll	r8p.exe
File created	C:\Windows\Resources\Themes\Windows Aero\Styles\RoundShiny\Shell\NormalColor\en-US\shellstyle.dll.mui	r8p.exe
File created	C:\Windows\Revert8Plus\UAC\en-gb\wincredui.dll.mui	r8p.exe
File created	C:\Windows\Revert8Plus\UAC\nl-nl\authui.dll.mui	r8p.exe
File created	C:\Windows\Revert8Plus\UAC\nso-za\authui.dll.mui	r8p.exe
File opened for modification	C:\Windows\Revert8Plus\vanmod.reg	r8p.exe
File created	C:\Windows\Resources\Themes\Windows Aero\SoundSchemes\Characters\Windows Exclamation.wav	r8p.exe
File created	C:\Windows\Resources\Themes\Windows Aero\SoundSchemes\Characters\Windows Navigation Start.wav	r8p.exe
File created	C:\Windows\Resources\Themes\Windows Aero\SoundSchemes\Garden\Desktop.ini	r8p.exe
File created	C:\Windows\Resources\Themes\Windows Aero\SoundSchemes\Landscapes\Windows User Account Control.wav	r8p.exe
File created	C:\Windows\Resources\Themes\Windows Aero\SoundSchemes\Quirky\Windows Hardware Fail.wav	r8p.exe
File created	C:\Windows\Revert8Plus\UAC\mr-in\authui.dll.mui	r8p.exe
File created	C:\Windows\Revert8Plus\UAC\uk-ua\authui.dll.mui	r8p.exe
File created	C:\Windows\Resources\Themes\Windows Aero\SoundSchemes\Garden\Windows User Account Control.wav	r8p.exe
File created	C:\Windows\Resources\Themes\Windows Aero\SoundSchemes\Windows\Windows Minimize.wav	r8p.exe
File created	C:\Windows\Resources\Themes\Windows Aero\ThemeFiles\9200\AeroRoundShiny-Default.theme	r8p.exe
File created	C:\Windows\Revert8Plus\icons7\mmres.dll	r8p.exe
File created	C:\Windows\Revert8Plus\UAC\el-gr\wincredui.dll.mui	r8p.exe
File created	C:\Windows\Revert8Plus\xwtpdui.dll.mui	r8p.exe
File created	C:\Windows\Resources\Themes\Windows Aero\SoundSchemes\Raga\Windows Hardware Insert.wav	r8p.exe
File created	C:\Windows\Resources\Themes\Windows Aero\Styles\BasicRound\Shell\NormalColor\en-US\shellstyle.dll.mui	r8p.exe
File created	C:\Windows\Resources\Themes\Windows Aero\ThemeFiles\10586\AeroRoundShiny-Landscapes.theme	r8p.exe
File created	C:\Windows\Resources\Themes\Windows Aero\ThemeFiles\9600\BasicRound.theme	r8p.exe
File created	C:\Windows\Revert8Plus\WlanMM.dll	r8p.exe
File created	C:\Windows\Revert8Plus\icons7\UserAccountControlSettings.exe.dll	r8p.exe
File created	C:\Windows\Revert8Plus\UAC\pt-pt\authui.dll.mui	r8p.exe
File created	C:\Windows\Revert8Plus\VAN.dll.mui	r8p.exe
File created	C:\Windows\Resources\Themes\Windows Aero\SoundSchemes\Characters\Windows Hardware Fail.wav	r8p.exe
File created	C:\Windows\Resources\Themes\Windows Aero\SoundSchemes\Characters\Windows Logoff Sound.wav	r8p.exe
File created	C:\Windows\Resources\Themes\Windows Aero\SoundSchemes\Festival\Windows Logon Sound.wav	r8p.exe
File created	C:\Windows\Resources\Themes\Windows Aero\Styles\Vista1903\Shell\NormalColor\en-US\shellstyle.dll.mui	r8p.exe
File created	C:\Windows\Resources\Themes\Windows Aero\ThemeFiles\Modern\AeroRoundShiny-Scenes.theme	r8p.exe
File created	C:\Windows\Revert8Plus\UIRibbon.dll	r8p.exe
File created	C:\Windows\Revert8Plus\xwizards.dll	r8p.exe
File created	C:\Windows\Resources\Themes\Windows Aero\SoundSchemes\Calligraphy\Windows Error.wav	r8p.exe
File created	C:\Windows\Resources\Themes\Windows Aero\SoundSchemes\Landscapes\Windows Print complete.wav	r8p.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2280	sc.exe

Access Token Manipulation: Create Process with Token 1 TTPs 3 IoCs

defense_evasion privilege_escalation

Create Process with Token

T1134.002

pid	Process
5876	RunAsTI.exe
1808	RunAsTI.exe
1788	RunAsTI.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UpdateCheck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UpdateCheck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SIB10.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UpdateCheck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UpdateCheck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UpdateCheck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UpdateCheck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UpdateCheck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	startscreen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UpdateCheck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UpdateCheck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UpdateCheck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UpdateCheck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UpdateCheck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UpdateCheck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UpdateCheck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InControl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UpdateCheck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UpdateCheck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	w7games.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UpdateCheck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UpdateCheck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UpdateCheck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UpdateCheck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UpdateCheck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UpdateCheck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UpdateCheck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UpdateCheck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	r8p.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StartIsBackCfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UpdateCheck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UpdateCheck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UpdateCheck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UpdateCheck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UpdateCheck.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.EXE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Capabilities	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	explorer.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 8 IoCs

evasion

pid	Process
3668	taskkill.exe
3440	taskkill.exe
464	taskkill.exe
6044	taskkill.exe
1140	taskkill.exe
5932	taskkill.exe
2464	taskkill.exe
5924	taskkill.exe

Modifies Control Panel 58 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\Colors\InfoWindow = "255 255 225"	ThemeSwitcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\Colors\ButtonAlternateFace = "0 0 0"	ThemeSwitcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\Colors\MenuBar = "240 240 240"	ThemeSwitcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\Cursors\Wait = "C:\\Windows\\resources\\Themes\\Windows Aero\\cursors\\aero_busy.ani"	ThemeSwitcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\Cursors\Crosshair	ThemeSwitcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\Cursors\IBeam	ThemeSwitcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\Cursors\SizeAll = "C:\\Windows\\resources\\Themes\\Windows Aero\\cursors\\aero_move.cur"	ThemeSwitcher.exe
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\Colors	ThemeSwitcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\Colors\InactiveTitle = "191 205 219"	ThemeSwitcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\Colors\InactiveTitleText = "0 0 0"	ThemeSwitcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\Colors\ButtonHilight = "255 255 255"	ThemeSwitcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\Cursors\NWPen = "C:\\Windows\\resources\\Themes\\Windows Aero\\cursors\\aero_pen.cur"	ThemeSwitcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\Colors\ActiveBorder = "180 180 180"	ThemeSwitcher.exe
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\Appearance	ThemeSwitcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\Accessibility\HighContrast\Flags = "126"	ThemeSwitcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\Cursors\SizeNESW = "C:\\Windows\\resources\\Themes\\Windows Aero\\cursors\\aero_nesw.cur"	ThemeSwitcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\Appearance\NewCurrent	ThemeSwitcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\Colors\HilightText = "255 255 255"	ThemeSwitcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\Colors\Background = "0 0 0"	ThemeSwitcher.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\Cursors\Scheme Source = "2"	ThemeSwitcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\Colors\MenuText = "0 0 0"	ThemeSwitcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\Colors\GradientActiveTitle = "185 209 234"	ThemeSwitcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\Cursors\Arrow = "C:\\Windows\\CURSORS\\aero_arrow.cur"	ThemeSwitcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\Cursors\Help = "C:\\Windows\\resources\\Themes\\Windows Aero\\cursors\\aero_helpsel.cur"	ThemeSwitcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\Cursors\SizeNS = "C:\\Windows\\resources\\Themes\\Windows Aero\\cursors\\aero_ns.cur"	ThemeSwitcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\Cursors\UpArrow = "C:\\Windows\\resources\\Themes\\Windows Aero\\cursors\\aero_up.cur"	ThemeSwitcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\Colors\ActiveTitle = "153 180 209"	ThemeSwitcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\Colors\GrayText = "109 109 109"	ThemeSwitcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\Colors\ButtonText = "0 0 0"	ThemeSwitcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\Accessibility\HighContrast\High Contrast Scheme	ThemeSwitcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\Colors\MenuHilight = "51 153 255"	ThemeSwitcher.exe
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\Accessibility\HighContrast	ThemeSwitcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\Colors\Menu = "240 240 240"	ThemeSwitcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\Colors\WindowFrame = "100 100 100"	ThemeSwitcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\Colors\InfoText = "0 0 0"	ThemeSwitcher.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\Desktop\UserPreferencesMask = 9e1e078012000000	ThemeSwitcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\Colors\Window = "255 255 255"	ThemeSwitcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\Colors\WindowText = "0 0 0"	ThemeSwitcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\Colors\HotTrackingColor = "0 102 204"	ThemeSwitcher.exe
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\Cursors	ThemeSwitcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\Cursors\SizeWE = "C:\\Windows\\resources\\Themes\\Windows Aero\\cursors\\aero_ew.cur"	ThemeSwitcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\Colors\InactiveBorder = "244 247 252"	ThemeSwitcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\Colors\AppWorkspace = "171 171 171"	ThemeSwitcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\Cursors\Hand = "C:\\Windows\\resources\\Themes\\Windows Aero\\cursors\\aero_link.cur"	ThemeSwitcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\resources\\Themes\\Windows Aero\\cursors\\aero_working.ani"	ThemeSwitcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\Cursors\ = "Windows Default"	ThemeSwitcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\Accessibility\HighContrast\Previous High Contrast Scheme MUI Value	ThemeSwitcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\Cursors\No = "C:\\Windows\\resources\\Themes\\Windows Aero\\cursors\\aero_unavail.cur"	ThemeSwitcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\Cursors\SizeNWSE = "C:\\Windows\\resources\\Themes\\Windows Aero\\cursors\\aero_nwse.cur"	ThemeSwitcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\Colors\Hilight = "51 153 255"	ThemeSwitcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\Colors\ButtonFace = "240 240 240"	ThemeSwitcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\Colors\ButtonLight = "227 227 227"	ThemeSwitcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\Colors\GradientInactiveTitle = "215 228 242"	ThemeSwitcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\Appearance\Current	ThemeSwitcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\Colors\Scrollbar = "200 200 200"	ThemeSwitcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\Colors\TitleText = "0 0 0"	ThemeSwitcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\Colors\ButtonShadow = "160 160 160"	ThemeSwitcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\Colors\ButtonDkShadow = "105 105 105"	ThemeSwitcher.exe

Modifies data under HKEY_USERS 7 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	RunAsTI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	RunAsTI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	RunAsTI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	RunAsTI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	RunAsTI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	RunAsTI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{27DD0F8B-3E0E-4ADC-A78A-66047E71ADC5} {3EC36F3E-5BA3-4C3D-BF39-10F76C3F7CC6} 0xFFFF = 0100000000000000e6af55cc3a33db01	RunAsTI.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C100BED1-D33A-4a4b-BF23-BBEF4663D017}\InProcServer32\ = "%SystemRoot%\\System32\\wcnwiz.dll"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftPurblePairsSaveFile\Shell\Open\Command\ = "\"C:\\Program Files\\Microsoft Games\\Purble Place\\PurblePlace.exe\" \"%L\""	w7games.exe
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C100BEE1-D33A-4a4b-BF23-BBEF4663D017}\InProcServer32\ = "%SystemRoot%\\System32\\wcnwiz.dll"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\CLSID\{yyyy yyyy}	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5ea4f148-308c-46d7-98a9-49041b1dd468}	r8p.exe
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sib-reactivate\URL Protocol	StartIsBackCfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C100BED7-D33A-4a4b-BF23-BBEF4663D017}\InProcServer32	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{d1a42999-0adf-11da-b070-0011856571de}\InProcServer32	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{323CA680-C24D-4099-B94D-446DD2D7249E}	r8p.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C555438B-3C23-4769-A71F-B6D3D9B6053A}\InProcServer32\ = "%SystemRoot%\\System32\\shdocvw.dll"	r8p.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C555438B-3C23-4769-A71F-B6D3D9B6053A}\Instance\InitPropertyBag\OverrideResourceID = "100"	r8p.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sib-activate\URL Protocol	StartIsBackCfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FCEA18FF-BC55-4E63-94D7-1B2EFBFE706F}\Shell\Open\Command\ = "C:\\Program Files (x86)\\StartIsBack\\StartIsBackCfg.exe"	StartIsBackCfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DesktopBackground\Shell\Personalize\command	r8p.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{a4a8d991-cc85-493e-ae66-9a847402dad9}\InProcServer32\ThreadingModel = "Apartment"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FCEA18FF-BC55-4E63-94D7-1B2EFBFE706F}\LocalizedString = "@C:\\Program Files (x86)\\StartIsBack\\StartIsBack64.dll,-510"	StartIsBackCfg.exe
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C100BEDE-D33A-4a4b-BF23-BBEF4663D017}\InProcServer32	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C100BEEC-D33A-4a4b-BF23-BBEF4663D017}\InProcServer32	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C100BEE9-D33A-4a4b-BF23-BBEF4663D017}\InProcServer32	reg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C100BEF1-D33A-4a4b-BF23-BBEF4663D017}\InProcServer32\ = "%SystemRoot%\\System32\\wcnwiz.dll"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sib-reactivate\shell\open\command	StartIsBackCfg.exe
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\CLSID\{yyyy yyyy}	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftMinesweeperSaveFile\Shell\Open\Command	w7games.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{a2a9545d-a0c2-42b4-9708-a0b2badd77c9}\InprocServer32\ThreadingModel = "Apartment"	StartIsBackCfg.exe
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C100BEDD-D33A-4a4b-BF23-BBEF4663D017}\InProcServer32	reg.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-870806430-2618236806-3023919190-1000\{30F9D726-93D2-4CA5-ACC1-AE9D8A2D7F5C}	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B98A2BEA-7D42-4558-8BD1-832F41BAC6FD}	r8p.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C100BEF0-D33A-4a4b-BF23-BBEF4663D017}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C100BEDC-D33A-4a4b-BF23-BBEF4663D017}\InProcServer32	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ChessTitansSave-ms	w7games.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c71c41f1-ddad-42dc-a8fc-f5bfc61df958}\InProcServer32	StartIsBackCfg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6C8EEC18-8D75-41B2-A177-8831D59D2D50}	r8p.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{865e5e76-ad83-4dca-a109-50dc2113ce9b}\InProcServer32\ThreadingModel = "Apartment"	StartIsBackCfg.exe
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C100BEF1-D33A-4a4b-BF23-BBEF4663D017}\InProcServer32	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c71c41f1-ddad-42dc-a8fc-f5bfc61df958}\InProcServer32\ = "C:\\Program Files (x86)\\StartIsBack\\StartIsBack64.dll"	StartIsBackCfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.ImmersiveApplication\Shell\Delete\Command\DelegateExecute = "{E5C31EC8-C5E6-4E07-957E-944DB4AAD85E}"	StartIsBackCfg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AD1405D2-30CF-4877-8468-1EE1C52C759F}\InProcServer32\ = "C:\\Program Files (x86)\\StartIsBack\\StartIsBack64.dll"	StartIsBackCfg.exe
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings	explorer.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
3396	reg.exe
796	reg.exe
2500	reg.exe
3644	reg.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 122488.crdownload:SmartScreen	msedge.exe

Runs .reg file with regedit 2 IoCs

pid	Process
1368	regedit.exe
5944	regedit.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5924	schtasks.exe
1548	schtasks.exe
4132	schtasks.exe
4232	schtasks.exe
3984	schtasks.exe

Suspicious behavior: EnumeratesProcesses 58 IoCs

pid	Process
4012	msedge.exe
4012	msedge.exe
4924	msedge.exe
4924	msedge.exe
1572	identity_helper.exe
1572	identity_helper.exe
3612	msedge.exe
3612	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
4112	WMIC.exe
4112	WMIC.exe
4112	WMIC.exe
4112	WMIC.exe
2924	powershell.exe
2924	powershell.exe
2924	powershell.exe
5464	powershell.exe
5464	powershell.exe
5464	powershell.exe
3088	DWMBlurGlass.exe
3088	DWMBlurGlass.exe
968	dwm.exe
968	dwm.exe
968	dwm.exe
968	dwm.exe
968	dwm.exe
968	dwm.exe
968	dwm.exe
968	dwm.exe
968	dwm.exe
968	dwm.exe
968	dwm.exe
968	dwm.exe
968	dwm.exe
968	dwm.exe
968	dwm.exe
968	dwm.exe
968	dwm.exe
968	dwm.exe
968	dwm.exe
968	dwm.exe
968	dwm.exe
968	dwm.exe
968	dwm.exe
968	dwm.exe
5876	RunAsTI.exe
5876	RunAsTI.exe
5876	RunAsTI.exe
5876	RunAsTI.exe
1808	RunAsTI.exe
1808	RunAsTI.exe
1808	RunAsTI.exe
1808	RunAsTI.exe
3040	powershell.exe
3040	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5144	r8p.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4112	WMIC.exe
Token: SeSecurityPrivilege	4112	WMIC.exe
Token: SeTakeOwnershipPrivilege	4112	WMIC.exe
Token: SeLoadDriverPrivilege	4112	WMIC.exe
Token: SeSystemProfilePrivilege	4112	WMIC.exe
Token: SeSystemtimePrivilege	4112	WMIC.exe
Token: SeProfSingleProcessPrivilege	4112	WMIC.exe
Token: SeIncBasePriorityPrivilege	4112	WMIC.exe
Token: SeCreatePagefilePrivilege	4112	WMIC.exe
Token: SeBackupPrivilege	4112	WMIC.exe
Token: SeRestorePrivilege	4112	WMIC.exe
Token: SeShutdownPrivilege	4112	WMIC.exe
Token: SeDebugPrivilege	4112	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4112	WMIC.exe
Token: SeRemoteShutdownPrivilege	4112	WMIC.exe
Token: SeUndockPrivilege	4112	WMIC.exe
Token: SeManageVolumePrivilege	4112	WMIC.exe
Token: 33	4112	WMIC.exe
Token: 34	4112	WMIC.exe
Token: 35	4112	WMIC.exe
Token: 36	4112	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4112	WMIC.exe
Token: SeSecurityPrivilege	4112	WMIC.exe
Token: SeTakeOwnershipPrivilege	4112	WMIC.exe
Token: SeLoadDriverPrivilege	4112	WMIC.exe
Token: SeSystemProfilePrivilege	4112	WMIC.exe
Token: SeSystemtimePrivilege	4112	WMIC.exe
Token: SeProfSingleProcessPrivilege	4112	WMIC.exe
Token: SeIncBasePriorityPrivilege	4112	WMIC.exe
Token: SeCreatePagefilePrivilege	4112	WMIC.exe
Token: SeBackupPrivilege	4112	WMIC.exe
Token: SeRestorePrivilege	4112	WMIC.exe
Token: SeShutdownPrivilege	4112	WMIC.exe
Token: SeDebugPrivilege	4112	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4112	WMIC.exe
Token: SeRemoteShutdownPrivilege	4112	WMIC.exe
Token: SeUndockPrivilege	4112	WMIC.exe
Token: SeManageVolumePrivilege	4112	WMIC.exe
Token: 33	4112	WMIC.exe
Token: 34	4112	WMIC.exe
Token: 35	4112	WMIC.exe
Token: 36	4112	WMIC.exe
Token: SeDebugPrivilege	2924	powershell.exe
Token: SeSystemEnvironmentPrivilege	2924	powershell.exe
Token: SeDebugPrivilege	5464	powershell.exe
Token: SeIncreaseQuotaPrivilege	5464	powershell.exe
Token: SeSecurityPrivilege	5464	powershell.exe
Token: SeTakeOwnershipPrivilege	5464	powershell.exe
Token: SeLoadDriverPrivilege	5464	powershell.exe
Token: SeSystemProfilePrivilege	5464	powershell.exe
Token: SeSystemtimePrivilege	5464	powershell.exe
Token: SeProfSingleProcessPrivilege	5464	powershell.exe
Token: SeIncBasePriorityPrivilege	5464	powershell.exe
Token: SeCreatePagefilePrivilege	5464	powershell.exe
Token: SeBackupPrivilege	5464	powershell.exe
Token: SeRestorePrivilege	5464	powershell.exe
Token: SeShutdownPrivilege	5464	powershell.exe
Token: SeDebugPrivilege	5464	powershell.exe
Token: SeSystemEnvironmentPrivilege	5464	powershell.exe
Token: SeRemoteShutdownPrivilege	5464	powershell.exe
Token: SeUndockPrivilege	5464	powershell.exe
Token: SeManageVolumePrivilege	5464	powershell.exe
Token: 33	5464	powershell.exe
Token: 34	5464	powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4756	explorer.EXE
4756	explorer.EXE
4756	explorer.EXE
4756	explorer.EXE
4756	explorer.EXE
4756	explorer.EXE
4756	explorer.EXE
4756	explorer.EXE
4756	explorer.EXE
4756	explorer.EXE
4756	explorer.EXE
4756	explorer.EXE
4756	explorer.EXE
4756	explorer.EXE
4756	explorer.EXE
4756	explorer.EXE
4756	explorer.EXE
4756	explorer.EXE
4756	explorer.EXE
4756	explorer.EXE
4756	explorer.EXE
4756	explorer.EXE
4756	explorer.EXE
4056	explorer.exe
4056	explorer.exe
4056	explorer.exe
4056	explorer.exe
4056	explorer.exe
4056	explorer.exe
4056	explorer.exe
4056	explorer.exe
4056	explorer.exe
4056	explorer.exe
4056	explorer.exe
4056	explorer.exe
4056	explorer.exe
4056	explorer.exe
4056	explorer.exe
4056	explorer.exe
4056	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
5144	r8p.exe
2348	StartIsBackCfg.exe
5704	startscreen.exe
5864	TextInputHost.exe
4756	explorer.EXE
5864	TextInputHost.exe
4056	explorer.exe
2840	TextInputHost.exe
2840	TextInputHost.exe
5472	explorer.exe
5848	TextInputHost.exe
5848	TextInputHost.exe
3144	explorer.exe
5560	TextInputHost.exe
5560	TextInputHost.exe
5476	explorer.exe
5844	TextInputHost.exe
5844	TextInputHost.exe
5756	explorer.exe
5796	TextInputHost.exe
5796	TextInputHost.exe
5432	explorer.exe
5760	TextInputHost.exe
5760	TextInputHost.exe
3116	explorer.exe
5936	TextInputHost.exe
5936	TextInputHost.exe
732	explorer.exe
4068	TextInputHost.exe
4068	TextInputHost.exe
552	TextInputHost.exe
552	TextInputHost.exe
2288	explorer.EXE
5364	explorer.exe
4540	TextInputHost.exe
4540	TextInputHost.exe
3084	explorer.exe
5588	TextInputHost.exe
5588	TextInputHost.exe
2676	explorer.exe
1600	TextInputHost.exe
1600	TextInputHost.exe
4844	explorer.exe
4884	TextInputHost.exe
4884	TextInputHost.exe
5972	explorer.exe
1152	sym.exe
4732	sym.exe
3040	TextInputHost.exe
3040	TextInputHost.exe
2544	explorer.exe
4344	TextInputHost.exe
4344	TextInputHost.exe
3356	sym.exe
4196	sym.exe
5640	sym.exe
4508	sym.exe
3948	explorer.exe
5288	sym.exe
3916	sym.exe
2728	TextInputHost.exe
2728	TextInputHost.exe
5484	explorer.exe
648	TextInputHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4924 wrote to memory of 2524	4924	msedge.exe	82
PID 4924 wrote to memory of 2524	4924	msedge.exe	82
PID 4924 wrote to memory of 3964	4924	msedge.exe	83
PID 4924 wrote to memory of 3964	4924	msedge.exe	83
PID 4924 wrote to memory of 3964	4924	msedge.exe	83
PID 4924 wrote to memory of 3964	4924	msedge.exe	83
PID 4924 wrote to memory of 3964	4924	msedge.exe	83
PID 4924 wrote to memory of 3964	4924	msedge.exe	83
PID 4924 wrote to memory of 3964	4924	msedge.exe	83
PID 4924 wrote to memory of 3964	4924	msedge.exe	83
PID 4924 wrote to memory of 3964	4924	msedge.exe	83
PID 4924 wrote to memory of 3964	4924	msedge.exe	83
PID 4924 wrote to memory of 3964	4924	msedge.exe	83
PID 4924 wrote to memory of 3964	4924	msedge.exe	83
PID 4924 wrote to memory of 3964	4924	msedge.exe	83
PID 4924 wrote to memory of 3964	4924	msedge.exe	83
PID 4924 wrote to memory of 3964	4924	msedge.exe	83
PID 4924 wrote to memory of 3964	4924	msedge.exe	83
PID 4924 wrote to memory of 3964	4924	msedge.exe	83
PID 4924 wrote to memory of 3964	4924	msedge.exe	83
PID 4924 wrote to memory of 3964	4924	msedge.exe	83
PID 4924 wrote to memory of 3964	4924	msedge.exe	83
PID 4924 wrote to memory of 3964	4924	msedge.exe	83
PID 4924 wrote to memory of 3964	4924	msedge.exe	83
PID 4924 wrote to memory of 3964	4924	msedge.exe	83
PID 4924 wrote to memory of 3964	4924	msedge.exe	83
PID 4924 wrote to memory of 3964	4924	msedge.exe	83
PID 4924 wrote to memory of 3964	4924	msedge.exe	83
PID 4924 wrote to memory of 3964	4924	msedge.exe	83
PID 4924 wrote to memory of 3964	4924	msedge.exe	83
PID 4924 wrote to memory of 3964	4924	msedge.exe	83
PID 4924 wrote to memory of 3964	4924	msedge.exe	83
PID 4924 wrote to memory of 3964	4924	msedge.exe	83
PID 4924 wrote to memory of 3964	4924	msedge.exe	83
PID 4924 wrote to memory of 3964	4924	msedge.exe	83
PID 4924 wrote to memory of 3964	4924	msedge.exe	83
PID 4924 wrote to memory of 3964	4924	msedge.exe	83
PID 4924 wrote to memory of 3964	4924	msedge.exe	83
PID 4924 wrote to memory of 3964	4924	msedge.exe	83
PID 4924 wrote to memory of 3964	4924	msedge.exe	83
PID 4924 wrote to memory of 3964	4924	msedge.exe	83
PID 4924 wrote to memory of 3964	4924	msedge.exe	83
PID 4924 wrote to memory of 4012	4924	msedge.exe	84
PID 4924 wrote to memory of 4012	4924	msedge.exe	84
PID 4924 wrote to memory of 4736	4924	msedge.exe	85
PID 4924 wrote to memory of 4736	4924	msedge.exe	85
PID 4924 wrote to memory of 4736	4924	msedge.exe	85
PID 4924 wrote to memory of 4736	4924	msedge.exe	85
PID 4924 wrote to memory of 4736	4924	msedge.exe	85
PID 4924 wrote to memory of 4736	4924	msedge.exe	85
PID 4924 wrote to memory of 4736	4924	msedge.exe	85
PID 4924 wrote to memory of 4736	4924	msedge.exe	85
PID 4924 wrote to memory of 4736	4924	msedge.exe	85
PID 4924 wrote to memory of 4736	4924	msedge.exe	85
PID 4924 wrote to memory of 4736	4924	msedge.exe	85
PID 4924 wrote to memory of 4736	4924	msedge.exe	85
PID 4924 wrote to memory of 4736	4924	msedge.exe	85
PID 4924 wrote to memory of 4736	4924	msedge.exe	85
PID 4924 wrote to memory of 4736	4924	msedge.exe	85
PID 4924 wrote to memory of 4736	4924	msedge.exe	85
PID 4924 wrote to memory of 4736	4924	msedge.exe	85
PID 4924 wrote to memory of 4736	4924	msedge.exe	85
PID 4924 wrote to memory of 4736	4924	msedge.exe	85
PID 4924 wrote to memory of 4736	4924	msedge.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:968

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/teknixstuff/revert8plus/releases/tag/3.3.4
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ff8f44d46f8,0x7ff8f44d4708,0x7ff8f44d4718
  2⤵
  PID:2524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,12336514222437857788,15724922370956526818,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
  2⤵
  PID:3964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,12336514222437857788,15724922370956526818,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2412 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,12336514222437857788,15724922370956526818,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2836 /prefetch:8
  2⤵
  PID:4736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,12336514222437857788,15724922370956526818,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
  2⤵
  PID:1332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,12336514222437857788,15724922370956526818,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
  2⤵
  PID:828
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,12336514222437857788,15724922370956526818,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5724 /prefetch:8
  2⤵
  PID:3648
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:4536
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff6d3575460,0x7ff6d3575470,0x7ff6d3575480
    3⤵
    PID:2732
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,12336514222437857788,15724922370956526818,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5724 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,12336514222437857788,15724922370956526818,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5708 /prefetch:1
  2⤵
  PID:1188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,12336514222437857788,15724922370956526818,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5812 /prefetch:1
  2⤵
  PID:2208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,12336514222437857788,15724922370956526818,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3476 /prefetch:1
  2⤵
  PID:3900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,12336514222437857788,15724922370956526818,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:1
  2⤵
  PID:3248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2104,12336514222437857788,15724922370956526818,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5968 /prefetch:8
  2⤵
  PID:1416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,12336514222437857788,15724922370956526818,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5856 /prefetch:1
  2⤵
  PID:1064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2104,12336514222437857788,15724922370956526818,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6728 /prefetch:8
  2⤵
  PID:5156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,12336514222437857788,15724922370956526818,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4984 /prefetch:1
  2⤵
  PID:3900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2104,12336514222437857788,15724922370956526818,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3424 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,12336514222437857788,15724922370956526818,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6096 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,12336514222437857788,15724922370956526818,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6400 /prefetch:1
  2⤵
  PID:2600

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3696

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:392

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5544

C:\Users\Admin\Downloads\r8p.exe
"C:\Users\Admin\Downloads\r8p.exe"
1⤵
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops desktop.ini file(s)
- Indicator Removal: Clear Persistence
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5144
- C:\Windows\SysWOW64\cmd.exe
  cmd /c wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName|findstr .|findstr /v displayName|findstr /v /c:"Windows Defender"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3156
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4112
- - C:\Windows\SysWOW64\findstr.exe
    findstr .
    3⤵
    PID:1784
- - C:\Windows\SysWOW64\findstr.exe
    findstr /v displayName
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2588
- - C:\Windows\SysWOW64\findstr.exe
    findstr /v /c:"Windows Defender"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1328
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -nop exit Confirm-SecureBootUEFI
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2924
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\SysNative\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Revert8Plus";Add-MpPreference -ExclusionPath "C:\Users\Admin\Downloads\r8p.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5464
- C:\Windows\SysWOW64\powercfg.exe
  powercfg -x -monitor-timeout-ac 0
  2⤵
  - Power Settings
  PID:4460
- C:\Windows\SysWOW64\powercfg.exe
  powercfg -x -monitor-timeout-dc 0
  2⤵
  - Power Settings
  PID:5960
- C:\Windows\SysWOW64\powercfg.exe
  powercfg -x -disk-timeout-ac 0
  2⤵
  - Power Settings
  PID:2816
- C:\Windows\SysWOW64\powercfg.exe
  powercfg -x -disk-timeout-dc 0
  2⤵
  - Power Settings
  PID:5728
- C:\Windows\SysWOW64\powercfg.exe
  powercfg -x -standby-timeout-ac 0
  2⤵
  - Power Settings
  PID:5392
- C:\Windows\SysWOW64\powercfg.exe
  powercfg -x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:6052
- C:\Windows\SysWOW64\powercfg.exe
  powercfg -x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  PID:5580
- C:\Windows\SysWOW64\powercfg.exe
  powercfg -x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  PID:1332
- C:\Windows\Revert8Plus\InControl.exe
  "C:\Windows\Revert8Plus\InControl.exe" control
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4560
- C:\Windows\Revert8Plus\SIB10.exe
  "C:\Windows\Revert8Plus\SIB10.exe" /elevated /silent
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5032
- - C:\Users\Admin\AppData\Local\Temp\SIBSFX.A47AF3A8\StartIsBackCfg.exe
    "C:\Users\Admin\AppData\Local\Temp\SIBSFX.A47AF3A8\StartIsBackCfg.exe" /install /elevated /silent
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    PID:2348
  - - C:\Users\Admin\AppData\Local\Temp\SIBSFX.A47AF3A8\startscreen.exe
      startscreen.exe /stop
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:5704
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /F /IM startscreen*
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:1140
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /F /IM explorer*
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:5932
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /F /IM explorer*
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:2464
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /F /IM explorer*
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:5924
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /F /IM explorer*
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:3668
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /F /IM explorer*
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:3440
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /F /IM explorer*
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:464
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Create /TN "\StartIsBack health check" /XML "C:\Users\Admin\AppData\Local\Temp\sibtask.xml"
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:4132
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Windows\Revert8Plus\explorer.bat"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1520
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Delete /TN "Aero Glass" /F
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5596
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Create /TN "ExplorerStart" /XML task.xml
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:4232
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Run /TN "ExplorerStart"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5716
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Delete /TN "ExplorerStart" /F
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2388
- C:\Windows\Revert8Plus\ThemeSwitcher.exe
  "C:\Windows\Revert8Plus\ThemeSwitcher.exe" "C:\Windows\Resources\Themes\AeroRoundShiny-Default.theme"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies Control Panel
  PID:4492
- C:\Windows\Revert8Plus\ViVeTool.exe
  "C:\Windows\Revert8Plus\ViVeTool.exe" /disable /id:25175482
  2⤵
  - Executes dropped EXE
  PID:5512
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 5512 -s 792
    3⤵
    PID:5364
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im explorer.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:6044
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Windows\Revert8Plus\explorer.bat"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3980
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Delete /TN "Aero Glass" /F
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4868
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Create /TN "ExplorerStart" /XML task.xml
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:3984
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Run /TN "ExplorerStart"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4460
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Delete /TN "ExplorerStart" /F
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5264
- C:\Windows\system32\cmd.exe
  "C:\Windows\SysNative\cmd.exe" /c "C:\Windows\Revert8Plus\UAC\UAC.bat"
  2⤵
  - Drops file in System32 directory
  PID:1540
- - C:\Windows\system32\reg.exe
    reg import "C:\Windows\Revert8Plus\UAC\\uac.reg" /reg:64
    3⤵
    PID:2116
- - C:\Windows\system32\takeown.exe
    takeown /F "C:\Windows\System32\wincredui.dll" /A
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1064
- - C:\Windows\system32\takeown.exe
    takeown /F "C:\Windows\System32\authui.dll" /A
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4872
- - C:\Windows\system32\takeown.exe
    takeown /F "C:\Windows\System32\consent.exe" /A
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:5496
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\wincredui.dll" /grant Administrators:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2392
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\authui.dll" /grant Administrators:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:5712
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\consent.exe" /grant Administrators:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3980
- - C:\Windows\system32\takeown.exe
    takeown /F "C:\Windows\System32\de-de\authui.dll.mui" /A
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1336
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\de-de\authui.dll.mui" /grant Administrators:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3084
- - C:\Windows\system32\takeown.exe
    takeown /F "C:\Windows\System32\de-de\wincredui.dll.mui" /A
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:5924
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\de-de\wincredui.dll.mui" /grant Administrators:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3564
- - C:\Windows\system32\takeown.exe
    takeown /F "C:\Windows\System32\en-us\authui.dll.mui" /A
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1220
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\en-us\authui.dll.mui" /grant Administrators:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3640
- - C:\Windows\system32\takeown.exe
    takeown /F "C:\Windows\System32\en-us\wincredui.dll.mui" /A
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1764
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\en-us\wincredui.dll.mui" /grant Administrators:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:5236
- - C:\Windows\system32\takeown.exe
    takeown /F "C:\Windows\System32\es-es\authui.dll.mui" /A
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:6076
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\es-es\authui.dll.mui" /grant Administrators:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4268
- - C:\Windows\system32\takeown.exe
    takeown /F "C:\Windows\System32\es-es\wincredui.dll.mui" /A
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4044
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\es-es\wincredui.dll.mui" /grant Administrators:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2812
- - C:\Windows\system32\takeown.exe
    takeown /F "C:\Windows\System32\fr-fr\authui.dll.mui" /A
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3888
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\fr-fr\authui.dll.mui" /grant Administrators:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:5656
- - C:\Windows\system32\takeown.exe
    takeown /F "C:\Windows\System32\fr-fr\wincredui.dll.mui" /A
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3984
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\fr-fr\wincredui.dll.mui" /grant Administrators:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1204
- - C:\Windows\system32\takeown.exe
    takeown /F "C:\Windows\System32\it-it\authui.dll.mui" /A
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:5556
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\it-it\authui.dll.mui" /grant Administrators:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:5848
- - C:\Windows\system32\takeown.exe
    takeown /F "C:\Windows\System32\it-it\wincredui.dll.mui" /A
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:5700
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\it-it\wincredui.dll.mui" /grant Administrators:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:5872
- - C:\Windows\system32\takeown.exe
    takeown /F "C:\Windows\System32\ja-jp\authui.dll.mui" /A
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3468
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\ja-jp\authui.dll.mui" /grant Administrators:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4432
- - C:\Windows\system32\takeown.exe
    takeown /F "C:\Windows\System32\ja-jp\wincredui.dll.mui" /A
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2828
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\ja-jp\wincredui.dll.mui" /grant Administrators:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:6008
- - C:\Windows\system32\takeown.exe
    takeown /F "C:\Windows\System32\uk-ua\authui.dll.mui" /A
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:5360
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\uk-ua\authui.dll.mui" /grant Administrators:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1076
- - C:\Windows\system32\takeown.exe
    takeown /F "C:\Windows\System32\uk-ua\wincredui.dll.mui" /A
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3380
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\uk-ua\wincredui.dll.mui" /grant Administrators:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1848
- C:\Windows\Revert8Plus\AeroGlass\sym.exe
  "C:\Windows\Revert8Plus\AeroGlass\sym.exe" "C:\Windows\Revert8Plus\AeroGlass\data\symbols" "C:\Windows\system32\udwm.dll" "C:\Windows\system32\dwmcore.dll"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1152
- - C:\Windows\Revert8Plus\AeroGlass\sym.exe
    "C:\Windows\Revert8Plus\AeroGlass\sym.exe" "C:\Windows\Revert8Plus\AeroGlass\data\symbols" "C:\Windows\system32\udwm.dll" "C:\Windows\system32\dwmcore.dll"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:4732
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c "C:\Windows\Revert8Plus\AeroGlass\install.bat"
  2⤵
  PID:5992
- - C:\Windows\system32\schtasks.exe
    schtasks /Delete /TN "Aero Glass" /F
    3⤵
    PID:2016
- - C:\Windows\system32\schtasks.exe
    schtasks /Create /TN "Aero Glass" /XML task.xml
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5924
- - C:\Windows\system32\schtasks.exe
    schtasks /Run /TN "Aero Glass"
    3⤵
    PID:1668
- C:\Windows\Revert8Plus\sym.exe
  "C:\Windows\Revert8Plus\sym.exe" "C:\ProgramData\Windhawk\Engine\Symbols" "C:\Windows\System32\ActionCenter.dll"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3356
- - C:\Windows\Revert8Plus\sym.exe
    "C:\Windows\Revert8Plus\sym.exe" "C:\ProgramData\Windhawk\Engine\Symbols" "C:\Windows\System32\ActionCenter.dll"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:4196
- C:\Windows\Revert8Plus\sym.exe
  "C:\Windows\Revert8Plus\sym.exe" "C:\ProgramData\Windhawk\Engine\Symbols" "C:\Windows\System32\ApplicationFrame.dll"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5640
- - C:\Windows\Revert8Plus\sym.exe
    "C:\Windows\Revert8Plus\sym.exe" "C:\ProgramData\Windhawk\Engine\Symbols" "C:\Windows\System32\ApplicationFrame.dll"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4508
- C:\Windows\Revert8Plus\sym.exe
  "C:\Windows\Revert8Plus\sym.exe" "C:\ProgramData\Windhawk\Engine\Symbols" "C:\Windows\explorer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5288
- - C:\Windows\Revert8Plus\sym.exe
    "C:\Windows\Revert8Plus\sym.exe" "C:\ProgramData\Windhawk\Engine\Symbols" "C:\Windows\explorer.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3916
- C:\Windows\Revert8Plus\sym.exe
  "C:\Windows\Revert8Plus\sym.exe" "C:\ProgramData\Windhawk\Engine\Symbols" "C:\Windows\System32\ExplorerFrame.dll"
  2⤵
  - Executes dropped EXE
  PID:3832
- - C:\Windows\Revert8Plus\sym.exe
    "C:\Windows\Revert8Plus\sym.exe" "C:\ProgramData\Windhawk\Engine\Symbols" "C:\Windows\System32\ExplorerFrame.dll"
    3⤵
    - Executes dropped EXE
    PID:2584
- C:\Windows\Revert8Plus\sym.exe
  "C:\Windows\Revert8Plus\sym.exe" "C:\ProgramData\Windhawk\Engine\Symbols" "C:\Windows\System32\pnidui.dll"
  2⤵
  - Executes dropped EXE
  PID:1132
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4268
- - C:\Windows\Revert8Plus\sym.exe
    "C:\Windows\Revert8Plus\sym.exe" "C:\ProgramData\Windhawk\Engine\Symbols" "C:\Windows\System32\pnidui.dll"
    3⤵
    - Executes dropped EXE
    PID:1596
- C:\Windows\Revert8Plus\sym.exe
  "C:\Windows\Revert8Plus\sym.exe" "C:\ProgramData\Windhawk\Engine\Symbols" "C:\Windows\System32\van.dll"
  2⤵
  - Executes dropped EXE
  PID:5164
- - C:\Windows\Revert8Plus\sym.exe
    "C:\Windows\Revert8Plus\sym.exe" "C:\ProgramData\Windhawk\Engine\Symbols" "C:\Windows\System32\van.dll"
    3⤵
    - Executes dropped EXE
    PID:3436
- C:\Windows\Revert8Plus\sym.exe
  "C:\Windows\Revert8Plus\sym.exe" "C:\ProgramData\Windhawk\Engine\Symbols" "C:\Windows\System32\shell32.dll"
  2⤵
  - Executes dropped EXE
  PID:5424
- - C:\Windows\Revert8Plus\sym.exe
    "C:\Windows\Revert8Plus\sym.exe" "C:\ProgramData\Windhawk\Engine\Symbols" "C:\Windows\System32\shell32.dll"
    3⤵
    - Executes dropped EXE
    PID:5232
- C:\Windows\Revert8Plus\sym.exe
  "C:\Windows\Revert8Plus\sym.exe" "C:\ProgramData\Windhawk\Engine\Symbols" "C:\Windows\System32\SndVolSSO.dll"
  2⤵
  - Executes dropped EXE
  PID:3832
- - C:\Windows\Revert8Plus\sym.exe
    "C:\Windows\Revert8Plus\sym.exe" "C:\ProgramData\Windhawk\Engine\Symbols" "C:\Windows\System32\SndVolSSO.dll"
    3⤵
    - Executes dropped EXE
    PID:1420
- C:\Windows\Revert8Plus\sym.exe
  "C:\Windows\Revert8Plus\sym.exe" "C:\ProgramData\Windhawk\Engine\Symbols" "C:\Windows\System32\stobject.dll"
  2⤵
  - Executes dropped EXE
  PID:1948
- - C:\Windows\Revert8Plus\sym.exe
    "C:\Windows\Revert8Plus\sym.exe" "C:\ProgramData\Windhawk\Engine\Symbols" "C:\Windows\System32\stobject.dll"
    3⤵
    - Executes dropped EXE
    PID:6032
- C:\Windows\Revert8Plus\sym.exe
  "C:\Windows\Revert8Plus\sym.exe" "C:\ProgramData\Windhawk\Engine\Symbols" "C:\Windows\System32\timedate.cpl"
  2⤵
  - Executes dropped EXE
  PID:5872
- - C:\Windows\Revert8Plus\sym.exe
    "C:\Windows\Revert8Plus\sym.exe" "C:\ProgramData\Windhawk\Engine\Symbols" "C:\Windows\System32\timedate.cpl"
    3⤵
    - Executes dropped EXE
    PID:5360
- C:\Windows\Revert8Plus\sym.exe
  "C:\Windows\Revert8Plus\sym.exe" "C:\ProgramData\Windhawk\Engine\Symbols" "C:\Windows\System32\twinui.dll"
  2⤵
  - Executes dropped EXE
  PID:2636
- - C:\Windows\Revert8Plus\sym.exe
    "C:\Windows\Revert8Plus\sym.exe" "C:\ProgramData\Windhawk\Engine\Symbols" "C:\Windows\System32\twinui.dll"
    3⤵
    - Executes dropped EXE
    PID:4192
- C:\Windows\Revert8Plus\sym.exe
  "C:\Windows\Revert8Plus\sym.exe" "C:\ProgramData\Windhawk\Engine\Symbols" "C:\Windows\System32\uDWM.dll"
  2⤵
  - Executes dropped EXE
  PID:552
- - C:\Windows\Revert8Plus\sym.exe
    "C:\Windows\Revert8Plus\sym.exe" "C:\ProgramData\Windhawk\Engine\Symbols" "C:\Windows\System32\uDWM.dll"
    3⤵
    - Executes dropped EXE
    PID:5148
- C:\Windows\Revert8Plus\sym.exe
  "C:\Windows\Revert8Plus\sym.exe" "C:\ProgramData\Windhawk\Engine\Symbols" "C:\Windows\System32\user32.dll"
  2⤵
  - Executes dropped EXE
  PID:4044
- - C:\Windows\Revert8Plus\sym.exe
    "C:\Windows\Revert8Plus\sym.exe" "C:\ProgramData\Windhawk\Engine\Symbols" "C:\Windows\System32\user32.dll"
    3⤵
    - Executes dropped EXE
    PID:5940
- C:\Windows\Revert8Plus\sym.exe
  "C:\Windows\Revert8Plus\sym.exe" "C:\ProgramData\Windhawk\Engine\Symbols" "C:\Windows\System32\windows.storage.dll"
  2⤵
  - Executes dropped EXE
  PID:1196
- - C:\Windows\Revert8Plus\sym.exe
    "C:\Windows\Revert8Plus\sym.exe" "C:\ProgramData\Windhawk\Engine\Symbols" "C:\Windows\System32\windows.storage.dll"
    3⤵
    - Executes dropped EXE
    PID:1248
- C:\Windows\SysWOW64\sc.exe
  sc create Windhawk binPath= """"C:\ProgramData\Windhawk\Windhawk.exe""" -service" start= auto
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:2280
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /s "C:\Windows\Revert8Plus\OldNewExplorer64.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3276
- - C:\Windows\system32\regsvr32.exe
    /s "C:\Windows\Revert8Plus\OldNewExplorer64.dll"
    3⤵
    - Installs/modifies Browser Helper Object
    PID:5036
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /s "C:\Windows\Revert8Plus\OldNewExplorer32.dll"
  2⤵
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  PID:2348
- C:\Windows\Revert8Plus\RunAsTI.exe
  "C:\Windows\Revert8Plus\RunAsTI.exe" "C:\Windows\System32\cmd.exe" /c reg add HKLM\Software\Classes\CLSID\{031E4825-7B94-4dc3-B131-E946B44C8DD5} /v SortOrderIndex /t REG_DWORD /d 66 /f /reg:32&reg add HKLM\Software\Classes\CLSID\{031E4825-7B94-4dc3-B131-E946B44C8DD5} /v SortOrderIndex /t REG_DWORD /d 66 /f /reg:64&reg add HKLM\Software\Classes\CLSID\{323CA680-C24D-4099-B94D-446DD2D7249E} /v SortOrderIndex /t REG_DWORD /d 0 /f /reg:32&reg add HKLM\Software\Classes\CLSID\{323CA680-C24D-4099-B94D-446DD2D7249E} /v SortOrderIndex /t REG_DWORD /d 0 /f /reg:64
  2⤵
  - Access Token Manipulation: Create Process with Token
  - Suspicious behavior: EnumeratesProcesses
  PID:5876
- - C:\Windows\Revert8Plus\RunAsTI.exe
    "C:\Windows\Revert8Plus\RunAsTI.exe" "C:\Windows\System32\cmd.exe" /c reg add HKLM\Software\Classes\CLSID\{031E4825-7B94-4dc3-B131-E946B44C8DD5} /v SortOrderIndex /t REG_DWORD /d 66 /f /reg:32&reg add HKLM\Software\Classes\CLSID\{031E4825-7B94-4dc3-B131-E946B44C8DD5} /v SortOrderIndex /t REG_DWORD /d 66 /f /reg:64&reg add HKLM\Software\Classes\CLSID\{323CA680-C24D-4099-B94D-446DD2D7249E} /v SortOrderIndex /t REG_DWORD /d 0 /f /reg:32&reg add HKLM\Software\Classes\CLSID\{323CA680-C24D-4099-B94D-446DD2D7249E} /v SortOrderIndex /t REG_DWORD /d 0 /f /reg:64
    3⤵
    - Access Token Manipulation: Create Process with Token
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    PID:1808
  - - C:\Windows\Revert8Plus\RunAsTI.exe
      "C:\Windows\Revert8Plus\RunAsTI.exe" /TI/ "C:\Windows\System32\cmd.exe" /c reg add HKLM\Software\Classes\CLSID\{031E4825-7B94-4dc3-B131-E946B44C8DD5} /v SortOrderIndex /t REG_DWORD /d 66 /f /reg:32&reg add HKLM\Software\Classes\CLSID\{031E4825-7B94-4dc3-B131-E946B44C8DD5} /v SortOrderIndex /t REG_DWORD /d 66 /f /reg:64&reg add HKLM\Software\Classes\CLSID\{323CA680-C24D-4099-B94D-446DD2D7249E} /v SortOrderIndex /t REG_DWORD /d 0 /f /reg:32&reg add HKLM\Software\Classes\CLSID\{323CA680-C24D-4099-B94D-446DD2D7249E} /v SortOrderIndex /t REG_DWORD /d 0 /f /reg:64
      4⤵
      Access Token Manipulation: Create Process with Token
      Modifies data under HKEY_USERS
      PID:1788
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg add HKLM\Software\Classes\CLSID\{031E4825-7B94-4dc3-B131-E946B44C8DD5} /v SortOrderIndex /t REG_DWORD /d 66 /f /reg:32&reg add HKLM\Software\Classes\CLSID\{031E4825-7B94-4dc3-B131-E946B44C8DD5} /v SortOrderIndex /t REG_DWORD /d 66 /f /reg:64&reg add HKLM\Software\Classes\CLSID\{323CA680-C24D-4099-B94D-446DD2D7249E} /v SortOrderIndex /t REG_DWORD /d 0 /f /reg:32&reg add HKLM\Software\Classes\CLSID\{323CA680-C24D-4099-B94D-446DD2D7249E} /v SortOrderIndex /t REG_DWORD /d 0 /f /reg:64
        5⤵
        
        PID:5368
      - C:\Windows\system32\reg.exe
        
        reg add HKLM\Software\Classes\CLSID\{031E4825-7B94-4dc3-B131-E946B44C8DD5} /v SortOrderIndex /t REG_DWORD /d 66 /f /reg:32
        6⤵
        Modifies registry key
        
        PID:3644
      - C:\Windows\system32\reg.exe
        
        reg add HKLM\Software\Classes\CLSID\{031E4825-7B94-4dc3-B131-E946B44C8DD5} /v SortOrderIndex /t REG_DWORD /d 66 /f /reg:64
        6⤵
        Modifies registry key
        
        PID:3396
      - C:\Windows\system32\reg.exe
        
        reg add HKLM\Software\Classes\CLSID\{323CA680-C24D-4099-B94D-446DD2D7249E} /v SortOrderIndex /t REG_DWORD /d 0 /f /reg:32
        6⤵
        Modifies registry key
        
        PID:796
      - C:\Windows\system32\reg.exe
        
        reg add HKLM\Software\Classes\CLSID\{323CA680-C24D-4099-B94D-446DD2D7249E} /v SortOrderIndex /t REG_DWORD /d 0 /f /reg:64
        6⤵
        Modifies registry key
        
        PID:2500
- C:\Windows\SysWOW64\reg.exe
  reg import "C:\Windows\Revert8Plus\vanmod.reg" /reg:64
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:1888
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell Set-WinLanguageBarOption -UseLegacyLanguageBar
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3040
- C:\Windows\Revert8Plus\w7games.exe
  "C:\Windows\Revert8Plus\w7games.exe" /S
  2⤵
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:3620
- C:\Windows\Revert8Plus\HoldEm-Inkball-Tinker.exe
  "C:\Windows\Revert8Plus\HoldEm-Inkball-Tinker.exe" /S
  2⤵
  PID:5728
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Windows\Revert8Plus\WMC\InstallBlue.bat"
  2⤵
  PID:4028
- - C:\Windows\SysWOW64\whoami.exe
    C:\Windows\system32\whoami.exe /USER
    3⤵
    PID:2140
- - C:\Windows\SysWOW64\find.exe
    find /i "S-1-5-18"
    3⤵
    PID:2476
- - C:\Windows\Revert8Plus\WMC\NSudoLC.exe
    "C:\Windows\Revert8Plus\WMC\\NSudoLC.exe" -UseCurrentConsole -U:T -P:E -Wait cmd /c "C:\Windows\Revert8Plus\WMC\InstallBLUE.bat" ti
    3⤵
    PID:2960
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /Create /TN "Revert8Plus Repair Task" /XML "C:\Windows\Revert8Plus\autorepair.xml" /ru "SYSTEM"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1548
- C:\Windows\SysWOW64\msiexec.exe
  msiexec /i "C:\Windows\Revert8Plus\8GadgetPackSetup.msi" /qb!
  2⤵
  PID:2844
- C:\Windows\SysWOW64\shutdown.exe
  shutdown /r /t 0
  2⤵
  PID:5368

C:\Windows\explorer.EXE
"C:\Windows\explorer.EXE"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Loads dropped DLL
- Enumerates connected drives
- Checks SCSI registry key(s)
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4756

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:5864

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Loads dropped DLL
- Enumerates connected drives
- Checks SCSI registry key(s)
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4056
- C:\Program Files (x86)\StartIsBack\UpdateCheck.exe
  "C:\Program Files (x86)\StartIsBack\UpdateCheck.exe" reset
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3732

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:2840

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Loads dropped DLL
- Enumerates connected drives
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5472
- C:\Program Files (x86)\StartIsBack\UpdateCheck.exe
  "C:\Program Files (x86)\StartIsBack\UpdateCheck.exe" reset
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4764

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:5848

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Loads dropped DLL
- Enumerates connected drives
- Checks SCSI registry key(s)
- Suspicious use of SetWindowsHookEx
PID:3144
- C:\Program Files (x86)\StartIsBack\UpdateCheck.exe
  "C:\Program Files (x86)\StartIsBack\UpdateCheck.exe" reset
  2⤵
  - Executes dropped EXE
  PID:4328

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:5560

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Loads dropped DLL
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5476
- C:\Program Files (x86)\StartIsBack\UpdateCheck.exe
  "C:\Program Files (x86)\StartIsBack\UpdateCheck.exe" reset
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5588

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:5844

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Loads dropped DLL
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5756
- C:\Program Files (x86)\StartIsBack\UpdateCheck.exe
  "C:\Program Files (x86)\StartIsBack\UpdateCheck.exe" reset
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1896

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:5796

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Loads dropped DLL
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5432
- C:\Program Files (x86)\StartIsBack\UpdateCheck.exe
  "C:\Program Files (x86)\StartIsBack\UpdateCheck.exe" reset
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5364

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:5760

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Loads dropped DLL
- Enumerates connected drives
- Checks SCSI registry key(s)
- Suspicious use of SetWindowsHookEx
PID:3116
- C:\Program Files (x86)\StartIsBack\UpdateCheck.exe
  "C:\Program Files (x86)\StartIsBack\UpdateCheck.exe" reset
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2536

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x31c 0x16c
1⤵
PID:6120

C:\Windows\System32\rundll32.exe
rundll32.exe uxtheme.dll,#64 C:\Windows\resources\Themes\Windows Aero\Styles\Redstone\Redstone.msstyles?NormalColor?NormalSize
1⤵
PID:4764

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:5936

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Loads dropped DLL
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:732
- C:\Program Files (x86)\StartIsBack\UpdateCheck.exe
  "C:\Program Files (x86)\StartIsBack\UpdateCheck.exe" reset
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6132

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4068

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Loads dropped DLL
- Enumerates connected drives
- Checks SCSI registry key(s)
PID:1328

C:\Windows\explorer.EXE
"C:\Windows\explorer.EXE"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Loads dropped DLL
- Enumerates connected drives
- Checks SCSI registry key(s)
- Suspicious use of SetWindowsHookEx
PID:2288

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:552

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Loads dropped DLL
- Enumerates connected drives
- Checks SCSI registry key(s)
- Suspicious use of SetWindowsHookEx
PID:5364

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4540

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Loads dropped DLL
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3084
- C:\Program Files (x86)\StartIsBack\UpdateCheck.exe
  "C:\Program Files (x86)\StartIsBack\UpdateCheck.exe" reset
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3588

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:5588

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Loads dropped DLL
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2676
- C:\Program Files (x86)\StartIsBack\UpdateCheck.exe
  "C:\Program Files (x86)\StartIsBack\UpdateCheck.exe" reset
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5876

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:1600

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Loads dropped DLL
- Enumerates connected drives
- Checks SCSI registry key(s)
- Suspicious use of SetWindowsHookEx
PID:4844
- C:\Program Files (x86)\StartIsBack\UpdateCheck.exe
  "C:\Program Files (x86)\StartIsBack\UpdateCheck.exe" reset
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2856

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4884

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Loads dropped DLL
- Enumerates connected drives
- Suspicious use of SetWindowsHookEx
PID:5972
- C:\Program Files (x86)\StartIsBack\UpdateCheck.exe
  "C:\Program Files (x86)\StartIsBack\UpdateCheck.exe" reset
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5228

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:3040

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Loads dropped DLL
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2544
- C:\Program Files (x86)\StartIsBack\UpdateCheck.exe
  "C:\Program Files (x86)\StartIsBack\UpdateCheck.exe" reset
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5840

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4344

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Loads dropped DLL
- Enumerates connected drives
- Checks SCSI registry key(s)
- Suspicious use of SetWindowsHookEx
PID:3948
- C:\Program Files (x86)\StartIsBack\UpdateCheck.exe
  "C:\Program Files (x86)\StartIsBack\UpdateCheck.exe" reset
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1456

C:\Windows\Revert8Plus\AeroGlass\DWMBlurGlass.exe
"C:\Windows\Revert8Plus\AeroGlass\DWMBlurGlass.exe" loaddll
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3088

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:2728

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Suspicious use of SetWindowsHookEx
PID:5484
- C:\Program Files (x86)\StartIsBack\UpdateCheck.exe
  "C:\Program Files (x86)\StartIsBack\UpdateCheck.exe" reset
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5332

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:648

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
PID:3000
- C:\Program Files (x86)\StartIsBack\UpdateCheck.exe
  "C:\Program Files (x86)\StartIsBack\UpdateCheck.exe" reset
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5924

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
PID:1080

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:1616
- C:\Program Files (x86)\StartIsBack\UpdateCheck.exe
  "C:\Program Files (x86)\StartIsBack\UpdateCheck.exe" reset
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4480

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
PID:3924

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:3588
- C:\Program Files (x86)\StartIsBack\UpdateCheck.exe
  "C:\Program Files (x86)\StartIsBack\UpdateCheck.exe" reset
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5996

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
PID:2076

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
PID:4412
- C:\Program Files (x86)\StartIsBack\UpdateCheck.exe
  "C:\Program Files (x86)\StartIsBack\UpdateCheck.exe" reset
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5472

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
PID:2948

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:4468
- C:\Program Files (x86)\StartIsBack\UpdateCheck.exe
  "C:\Program Files (x86)\StartIsBack\UpdateCheck.exe" reset
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2668

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
PID:3148

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:4128
- C:\Program Files (x86)\StartIsBack\UpdateCheck.exe
  "C:\Program Files (x86)\StartIsBack\UpdateCheck.exe" reset
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:868

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
PID:660

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
PID:5656
- C:\Program Files (x86)\StartIsBack\UpdateCheck.exe
  "C:\Program Files (x86)\StartIsBack\UpdateCheck.exe" reset
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2592

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
PID:2848

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
PID:5352
- C:\Program Files (x86)\StartIsBack\UpdateCheck.exe
  "C:\Program Files (x86)\StartIsBack\UpdateCheck.exe" reset
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3380

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
PID:3592

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
PID:1848
- C:\Program Files (x86)\StartIsBack\UpdateCheck.exe
  "C:\Program Files (x86)\StartIsBack\UpdateCheck.exe" reset
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2992

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
PID:4728

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:3180
- C:\Program Files (x86)\StartIsBack\UpdateCheck.exe
  "C:\Program Files (x86)\StartIsBack\UpdateCheck.exe" reset
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3880

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
PID:1600

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:3956
- C:\Program Files (x86)\StartIsBack\UpdateCheck.exe
  "C:\Program Files (x86)\StartIsBack\UpdateCheck.exe" reset
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1668

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
PID:552

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:4640
- C:\Program Files (x86)\StartIsBack\UpdateCheck.exe
  "C:\Program Files (x86)\StartIsBack\UpdateCheck.exe" reset
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5352

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
PID:3688

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
PID:5076
- C:\Program Files (x86)\StartIsBack\UpdateCheck.exe
  "C:\Program Files (x86)\StartIsBack\UpdateCheck.exe" reset
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4316

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
PID:5232

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:4384
- C:\Program Files (x86)\StartIsBack\UpdateCheck.exe
  "C:\Program Files (x86)\StartIsBack\UpdateCheck.exe" reset
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5512

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
PID:5908

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
PID:1112
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKCU\Software\Classes\CLSID\{031E4825-7B94-4dc3-B131-E946B44C8DD5}" /v System.IsPinnedToNameSpaceTree /t REG_DWORD /d 1 /f
  2⤵
  PID:1996
- C:\Program Files (x86)\StartIsBack\UpdateCheck.exe
  "C:\Program Files (x86)\StartIsBack\UpdateCheck.exe" reset
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5332

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
PID:4428

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:5432

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
PID:2588

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:4220

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
PID:4868

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5376

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
PID:3092

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1420
- C:\Program Files (x86)\StartIsBack\UpdateCheck.exe
  "C:\Program Files (x86)\StartIsBack\UpdateCheck.exe" reset
  2⤵
  PID:5352

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
PID:3612

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4344
- C:\Program Files (x86)\StartIsBack\UpdateCheck.exe
  "C:\Program Files (x86)\StartIsBack\UpdateCheck.exe" reset
  2⤵
  PID:5104

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
PID:4168

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3736
- C:\Program Files (x86)\StartIsBack\UpdateCheck.exe
  "C:\Program Files (x86)\StartIsBack\UpdateCheck.exe" reset
  2⤵
  PID:796

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
PID:5360

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 552 -p 3736 -ip 3736
1⤵
PID:3040

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3804
- C:\Program Files (x86)\StartIsBack\UpdateCheck.exe
  "C:\Program Files (x86)\StartIsBack\UpdateCheck.exe" reset
  2⤵
  PID:4944

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
PID:3660

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5384
- C:\Program Files (x86)\StartIsBack\UpdateCheck.exe
  "C:\Program Files (x86)\StartIsBack\UpdateCheck.exe" reset
  2⤵
  PID:1848

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:2348
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:4
  2⤵
  PID:2232
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 6951AA9AD2BB20A59557A74908CE8983
  2⤵
  PID:1340
- C:\Program Files (x86)\Windows Sidebar\8GadgetPack.exe
  "C:\Program Files (x86)\Windows Sidebar\8GadgetPack.exe" -install
  2⤵
  PID:3076
- - C:\Windows\SysWOW64\regedit.exe
    C:\Windows\regedit.exe -s "C:\Program Files (x86)\Windows Sidebar\8GadgetPack\Install.reg"
    3⤵
    - Runs .reg file with regedit
    PID:1368
- - C:\Windows\regedit.exe
    C:\Windows\regedit.exe -s "C:\Program Files (x86)\Windows Sidebar\8GadgetPack\Install.reg"
    3⤵
    - Runs .reg file with regedit
    PID:5944
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding EAB71D1968EC38E1573406594C3E73F4 E Global\MSI0000
  2⤵
  PID:3556

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:5296

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
PID:5460

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2480

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
PID:2948

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4864
- C:\Program Files (x86)\StartIsBack\UpdateCheck.exe
  "C:\Program Files (x86)\StartIsBack\UpdateCheck.exe" reset
  2⤵
  PID:5952

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
PID:1452

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:692
- C:\Program Files (x86)\StartIsBack\UpdateCheck.exe
  "C:\Program Files (x86)\StartIsBack\UpdateCheck.exe" reset
  2⤵
  PID:1396

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
PID:5404

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:6008
- C:\Program Files (x86)\StartIsBack\UpdateCheck.exe
  "C:\Program Files (x86)\StartIsBack\UpdateCheck.exe" reset
  2⤵
  PID:1452

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3807055 /state1:0x41c64e6d
1⤵
PID:2948

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
PID:1072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Image File Execution Options Injection

T1546.012

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Image File Execution Options Injection

T1546.012

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Access Token Manipulation

T1134

Create Process with Token

T1134.002

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Indicator Removal

T1070

Clear Persistence

T1070.009

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e5eeb3c.rbs

Filesize
366KB

MD5
5ebbd6f66d6ea812dc17297bb7ed47d8

SHA1
3cef0c13987701a5e093fe0a15861f505fa994ba

SHA256
2a0bc5b06763ce30df1151aa50bc5e04027556332ba87afb76dfcc284799fa82

SHA512
0718f8767797369c04da31cc34ac808acc409c59ce00ba5416ba4196acfde175c9ccfba65e6530e28835c0a8c0d13c66f4b573601c9177251eb73308a798c471

Download Submit
C:\Program Files (x86)\Microsoft Games\Tinker\Tinker.exe

Filesize
1.2MB

MD5
ebecd40476795d5020d65da831fea9bf

SHA1
26bbac3d52fde6ba20c39823041944a3d94d2212

SHA256
24bb8c2efa71d35f94e27c18e081affbd5f3d4c787113b01efd33b527cf913fa

SHA512
4e1eb40993a5153af3b7ff677fb91a30deeeee98039b3e450a91cab45e97ae665bc2395c88ac80ef9b7032a2a55763e35a611c093f3724950c746838e1c9486c

Download Submit
C:\Program Files (x86)\Microsoft Games\Tinker\TinkerEditor.exe

Filesize
1.4MB

MD5
16367e873d542a572993aca2b1bc7ead

SHA1
816fb4b2e5b523fa4d4ccc2d37b3042e4d399c56

SHA256
ed1aaadd6891e674476457a18296268c507746f82d9f99d70b286a09f100793a

SHA512
62ef9523555daa8680275fac5cbec3e14f1868b6ff1b69d0542041745b79a1ab42143b3b9dadc9d558346a60d3c8c50389972289b6c72b94253f2964e04922be

Download Submit
C:\Program Files (x86)\StartIsBack\StartIsBack64.dll

Filesize
688KB

MD5
18c65390a8319230b9d0ddf6b32628a3

SHA1
ce5fe2c9ae19c0b4bd202bbcd984c882f6aedff9

SHA256
8835e294477e6177979f80e05a622ffc7b4d0ad7bbc8077ae0f81733804d3cbd

SHA512
058ac7829f01cdbe8fe92df5863665fcd1b341e916969062d70fbca8224a801039973cdd786095fc794d6b568980054452c593103802ec42ca372990ef4c9eb5

Download Submit
C:\Program Files (x86)\StartIsBack\Styles\Windows 7.msstyles

Filesize
438KB

MD5
ae2d99598c4cef23536891e66a253ca8

SHA1
c72ec083bb26062b81f3aaca0f50864ec89156f5

SHA256
c6c578e729f76eaa1fd6ba0286c383b236245cab3518e46d7eaacae3395f25b5

SHA512
4f1af265f91c0a1a3031cc9989be40b453577d45b043efec1443f4a4fd998a9dfebbfa5029d233f1c4626b175e8cbd74d2deb617f2b090b5c672202dd2b9afbc

Download Submit
C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\ru\css\clock.css

Filesize
674B

MD5
c3adf6a62f420d0926b817bc570bcac7

SHA1
5f2fdbe6e421079dadc1f3f15f61af894875fea9

SHA256
dca69ac4afb6fe543b7adbb2645bf3df57464383236fde6d82703106869a03f9

SHA512
f34ed769bfd01eb2fbfc05386f7ef587b3d208b68943f5c2fc10ef4a705e64aff99954450013b3e2e05699f51f8335749b820742f43d5153aa586817be51317f

Download Submit
C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\ru\js\clock.js

Filesize
17KB

MD5
c678c8640b7ebe2250d1590b6aa49ed3

SHA1
b72c9e3a34baf274af26a00f8ea33497475da334

SHA256
85959807a632f0791dc6074be606a46c17a13e95324a2e2e3aeec71336cbfc8b

SHA512
cfc4433f72f10c6424cbe6598d995f7c352f1994f1484b09a3105a167d8b2b802f47ba178ed3b071a930ba06e6e4e8d2cf401c1e276d4af33be3b0390d0709f7

Download Submit
C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\ru\js\timeZones.js

Filesize
9KB

MD5
559ecfb98fc63d046fd6240d2b09df90

SHA1
1b36d4676afd5796aa37ed7750dd937e775e7108

SHA256
cc1b9a765f597e30df92e8958428dbd39694c52c70627b777008b70b00b37b86

SHA512
643fc3c22382931583ab5df72d95f5a40f54c08a61049583be009db32d0499bd6fe8e71772453e27911682539454598c0837aa284a02c4c8d6f2b7b7652d2c60

Download Submit
C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\ru\currency.html

Filesize
5KB

MD5
d4abafd3351277c4c6cca470c688725b

SHA1
9cedd1aa2aec70a75a0a50af5a3e762ad23a37de

SHA256
5a0a25ffefd3f647467811a1f60a7573ece6211fa82fd8d4be19b20c5dc3fabc

SHA512
98a4a4c98f5f76acd4160cff3de104db99b1aa738d985526c866f1a554e25752c7f125a8bf0ef9c2cb178c919265a2088c73bf3c4b972c41f8e4858c0132abdd

Download Submit
C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\ru\js\currency.js

Filesize
65KB

MD5
39053b6853da8972a05020728ec0df10

SHA1
7369fa28da358f3843d3ebcd7d2a39ded05574c7

SHA256
66cc94d33f120a2ca1ab63708d767b471b7dfa1c4c483d795f191fc5d7a52fc2

SHA512
59a7bc1a71ee1ba444110cc16aa9de98f01dffbee014842e5bca1126a63c56d1cb80e57f91cb304eb53bfdbb531e2217a365d01f04a6310b786ac53fac7849dd

Download Submit
C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\ru\js\init.js

Filesize
724B

MD5
9a9229799041e3654635f805aacc31ff

SHA1
99decfd163cb4f113b65e0f2729442297bdbe48e

SHA256
f95ddb7fd27e5d834242cbdb1de8ed6c0005311c585d1988c3e48750b392b2a3

SHA512
12a850170ced59d991c2756b3fc0bee5ddc16366d46eef11f9a522de08bb0017ea2354e4d6c747208ce65cf12e69bc1ba685609472e7516657aa978faa567ab0

Download Submit
C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\ru\js\library.js

Filesize
5KB

MD5
82e7206c004e0d793f27ca6fe1b68eb7

SHA1
e201cdac02106be9b1330d8f9b6d8ff01a42e0b2

SHA256
03f503f7abc328db6ea8254291c92575e6557d9496d33e20b08b8a4190080e6b

SHA512
4aa219a31e824c0fc41f01efeb3dd94486c2f0008bbd0a6495e66beb45cfccd0f1bf04d71bbf3d85397ad097a1a9d6a0e49df1f493ee777ec1961bfbe82b32ee

Download Submit
C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\ru\js\service.js

Filesize
7KB

MD5
32830f3441431dfe48864af66de41c15

SHA1
23338b2bbcb6ca77ff0515869722080e07f42150

SHA256
726b42ee090b8f9ac70cc5408d27d2547065c7a47f120da9a9a83128011c1c06

SHA512
755abec7e7159e0d73131193b485c84325bb0bfedf8341cb54aeaad720b2631e069699d31b0adb8a5075c938715d9ec7a54f8afe3f4ab06106dd75cf3f8280c0

Download Submit
C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr\css\settings.css

Filesize
5KB

MD5
951cf41e8d54d9346e0a03a723e549c1

SHA1
0f368f110bc160ae85a77ac687454b951d6d7090

SHA256
6c722a469a4afa79506b654f37cb7bf392290868b3f8a1e9b0afda003ec1ea64

SHA512
f890322609ab186086d4f433a808c77a9a46313fef28dcd77a9189039e12d0de41fcc2315a65cf00f2e8a437a0a63a038fbb53f04f5ca9b922832f23c48e5eb6

Download Submit
C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\zh\js\settings.js

Filesize
5KB

MD5
f577243ba7494d714363f11d8d6d122f

SHA1
abcb51b339cebeb95b638f9a93a44eb024ddccca

SHA256
247846b3807544feac30ce1e52ae81cbc97fed16948a27c404926b9d5d78ca23

SHA512
863aa77caa8028521787599c8d97b2e7616b80bda7c32fed59a40f9706352b307c0f2ff2100332bb2b92263fb26d4bb741b9e7fe3bae94c73601cc8694e437b3

Download Submit
C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\ru\css\slideShow.css

Filesize
4KB

MD5
f4ab06a44f9c0767574204ddd6cd54bf

SHA1
727d94b66abc9e7d5f2d5605b398f9d04bd6bc57

SHA256
0af3484552719a12be64d09519d7758b76402769a7bffe2c1b6b22b9ff733139

SHA512
7f80cf7b95d23e1267d198854896e0f3ebe88c1eddd62db0c90baf98f6ee3b7c8723172ffd3f0a6a6612c27108ae00862b1c480734d89dac7d0dc3dc44e227e8

Download Submit
C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\38.png

Filesize
5KB

MD5
b0c889d581786f475a00888fe647bea8

SHA1
0648634f2fce77c380c4ec95e332a756c64d651f

SHA256
d4d74fa3f867e41db1e825ee61055a91940cfbfd3e731ab00121317d2dca6c6d

SHA512
2eacf5d7965dd6b6d4a6b33bd08d604ead8b5642ffd303403bcd109414d4285f311886175fb21f3bc874ce6ba5e849a68a74518bb697ec0d9f2e60f556fa6a92

Download Submit
C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\39.png

Filesize
5KB

MD5
afc51346f430ce5f861a445ba7602f78

SHA1
d4d33e258f45a217d6792969523f906aad8a4063

SHA256
e5594e0d76c16811ae316ca81684e7e4dd9abfe553396046457b55f11f49f1a3

SHA512
3872a073e193aa1cbb58870f622fc17af6c1477f7cd91462306cdf217701ef45ec8f66aa23b7035ecef984effd39dc7d7b2ad5bff931235e3cccbbb237337ff5

Download Submit
C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\41.png

Filesize
3KB

MD5
eb8aba3e277f65e219fd74db777b9e53

SHA1
30158256879164ab4b6d80c11c4101a2a4e5d421

SHA256
917b1fb74f73aaa5f9fa0e5905508a2c91cd4e7e825cbf9a3452ab1f0356f9a9

SHA512
7aa856929f47b55241acc7f87d0b9d3c47bca41632669e6b06601f98e3a86ad52506a99b7c72bd499f4c7151f293c5eaa2c7a9cf28532226548bf857f83ef575

Download Submit
C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\ja\js\library.js

Filesize
42KB

MD5
fdb05ac511bb912ac9d92b046d8b36d0

SHA1
9826dd418a39f46d2b42752ea9757da2d6378dea

SHA256
d13efba10d58e54ce40add2c891cc083f018ccf5dc0531ddbdaeb9a607e8a20d

SHA512
b476f807e07d6d103bd0ff0218a49e8e5286fdc86436b6338b52a583dd1910ec21d96ce3e579fcfe035484bf3adedb26059c861d4567ad1e8a1dbdbc114b4d67

Download Submit
C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\ja\js\localizedStrings.js

Filesize
12KB

MD5
8aa4e307722e04d6bb697b8597bae829

SHA1
17baa1996f219c9ed8599e376e1ae5c3ad52a011

SHA256
7db9f6003523a44734d26d61a8cc73a69e1d82cc819648ef47b900d822f48b4b

SHA512
3a5b88c6d3259f2adc393c62339f9f90082a7b8ec1cb5d82d2802ab866dc7ff8be77d30ac2c5eb400e27919f2edc57cbb6bead48e200cbe86301e56d6e0659fb

Download Submit
C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\ru\css\localizedSettings.css

Filesize
974B

MD5
455e12b1a2bbfa973487f35e2c4d476f

SHA1
717c46c371efc1e70f19d32fce4347ff463a4242

SHA256
d3d9bb5c378d5a522afa38f53f8f2989b3eff089d68e14e2a70049a1af4ad29f

SHA512
15b27dea0aac91e7a1af7f836b0f7d1543519a241c4b99e90adf3d594a8ba5eb3118cf4b47c11c64f919f4b59925a77079f2251252f3a34cbe4a97eeed80a5f9

Download Submit
C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\ru\css\weather.css

Filesize
24KB

MD5
feb1c5d1501cce2cd5dc52cfb10f0e9a

SHA1
b9038ceea201231e82d6c645f17f44089c21f161

SHA256
cb9a61101d99305ab26956610385093d790bd0c2145ead3a51212fa72a214a7c

SHA512
ec6b29fdd28b2691adf905a682834bb3ffa82d2da4ce2557d61b593145a9aeeb94799528b907c1942932b06a002a20eb1fe578659db1e4f2123bcc19cc4c34a9

Download Submit
C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\ru\js\highDpiImageSwap.js

Filesize
1KB

MD5
ef9d56e80f446dc32e5838cfbc181dd6

SHA1
84162ef02f261fd3d5c32e6f8ba75d0d6e1b6ef1

SHA256
881d05322d7d06a5c2042256e2bc44cdc1dba02c984b839d55122e10cb26e147

SHA512
0a40aebf8cd4ad1d26ebc1b6bc70057cf4db538b302d58f49c19a597f013c91640697224196aea21ee7b673300720b90ec1788d8b65bb352d62b07d4a5aceeb6

Download Submit
C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\ru\js\settings.js

Filesize
56KB

MD5
023b5c1b5b1f0af894b829a5466f9748

SHA1
24fbd393795fda1499f891713f1b7153f560e37b

SHA256
4d005737e6e9df58bf2124f30c4dbdce0ae557ff7333bfd5d70002ade7a6c328

SHA512
473a405ba5bb0cfb0a16d766d0ce76b7e4787901f79efb74cb44fcc203b5b04245d38e3aa5f3a400fee41609bbea2a48056e60363fad7a5ea00aa761eca0ebf9

Download Submit
C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\ru\js\weather.js

Filesize
132KB

MD5
a805ed462ad9a81a3e8b8e0422f781cc

SHA1
025635fe06812ba52ba417e6e1dd880500aba193

SHA256
bdb4f2a048cad27aa3aa4d53741626eeff3919b0d80bd5ab90c3ec638b78e87c

SHA512
980753cced19520c04a0a2afe1278d92bfad6460274e91c24dad214df39ff8d45a5cf2953765ebd8a86188de7a6961acd767360aeee022987baa224aa068525a

Download Submit
C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\ru\settings.html

Filesize
8KB

MD5
b1f7a0082855a0bb9c0f8b7f1c06304e

SHA1
8e44ac6c532696d2c1f22802926408b0bf98b576

SHA256
b35bc1fc08a1373c3f98828ce5cbd421dd3dd2beb8020dff84d2107c8676096c

SHA512
2e5a6b0425572d7ea3486ce1cf3b3bb6089d61c0cd08c09840c486bdd0b59f3ef28ee31f5b7163c73ec5dba090a2877a799bc8b7587b287f6ebc0ab2bb2a29de

Download Submit
C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\ru\weather.html

Filesize
15KB

MD5
174d2c6240621f7f8be218c7f7947539

SHA1
45de3cb9848d8b060ab3e05500be3b75c72898d2

SHA256
c9953e0e8b7383ced294490d84e8dc79c2c2930adf7c1be078ba60c26d22029a

SHA512
ca78b0bcbe361e6888e58ba2ee9dd0300cc004ee146f3902389aa736ec54d0994d6a9a226ccefb567edc71a479e04ed50afacc0480d9949ae0afdd7a7998b6df

Download Submit
C:\Program Files\Microsoft Games\HoldEm\HoldEm.exe

Filesize
1.5MB

MD5
c4da94761681142c2079ec34dd5b1357

SHA1
78ccf6cbbda60829b70f2072517270388a04b2f4

SHA256
bd5df433b2392c9a02ff0fa8f181f44391b1bf508f099ca3cda8b802968bf1c9

SHA512
5f3a48d00a1621bf05e9803ffa0450fcf256d0d6e189f4a0249d01f27531134290394e0b1e9c96ad42213188d8fdffe3eac152ed3ce672e9d077cd8d4005d49d

Download Submit
C:\Program Files\Microsoft Games\Minesweeper\CardGames.dll

Filesize
5.9MB

MD5
6794d9d442e31dc5e95bdf65f37e4386

SHA1
2d89db0e066099e514f5f626ce427a0cd39b9d70

SHA256
959f28d9c016d64552321a46c8179fdb5241f24dedfacbb71c4dd2d51da0b05a

SHA512
6fbbb495d592e7eed498e4106576433ca695570e5eef0edabf311d5e039e194c3cdc2e2f6bba7909c95e263c151ccb5f29014415a719699f9c17bf3d4e4f5459

Download Submit
C:\Program Files\Microsoft Games\Minesweeper\slc.dll

Filesize
2KB

MD5
aabd4974253599aac885e14b8b59c0e6

SHA1
675305e6d3b557cfd849182c0052222d95d8d817

SHA256
9c2ad5c652b0c183e8f9451232bad811f040d93be5557febf6ad47a694642148

SHA512
8f75cdd0d5e57b98b3a79ea317aa6b6beaafd2e1c4415caa7071741558d69d0425c1dc16812592c223e0c3e99f8b7bc9d6edf169c80b4d1306a17883ea841668

Download Submit
C:\Program Files\Microsoft Games\inkball\inkball.exe

Filesize
1.2MB

MD5
720c10630951ec8f0397f5491ed84119

SHA1
706edc5fd613d17226d881741b506efda595abf4

SHA256
b12c82911c180203c6d101f7671076ea8e87ced4fbc27a93f4a79f8a011eac8b

SHA512
6d82d3180d234c21e0f5e05ebc17c86849b1a5189722658f86ac9e00e29b1fc88e180e2b21fb24aa6dc65c95786f2f613e5c133972d3dd6928e40fbef02ba280

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
63716c70d402b580d244ae24bf099add

SHA1
98a3babcd3a2ba832fe3acb311cd30a029606835

SHA256
464f0f2ca24510abc5b8d6ca8240336c2ed1ddf5018fbadb092e18b5bf209233

SHA512
dfe1a5831df6fa962b2be0a099afba87b1d7f78ce007d5a5f5d1c132104fdb0d4820220eb93267e0511bc61b77502f185f924022a5066f92137a7bb895249db2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0f09e1f1a17ea290d00ebb4d78791730

SHA1
5a2e0a3a1d0611cba8c10c1c35ada221c65df720

SHA256
9f4c5a43f0998edeee742671e199555ae77c5bf7e0d4e0eb5f37a93a3122e167

SHA512
3a2a6c612efc21792e519374c989abec467c02e3f4deb2996c840fe14e5b50d997b446ff8311bf1819fbd0be20a3f9843ce7c9a0151a6712003201853638f09d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
ce024a9ba23d46e375f2db64b59c70dd

SHA1
1949578385602ae2fe9ce343891f951a3deb2665

SHA256
e627e151a9c24cbd2ba5dd1080a8542775fe63260ab9e982cd1dc6ddefaa0639

SHA512
e7d8bb4e46ddd4287075a560c9c903b71e1d9904e67c077d7dd9e010d950c84710d20f9eba980cf1fd705a39ab3acc25df50f7a7a85e05d20114d944338df689

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
3208cffaf3567362d1791c260446c83a

SHA1
5a49e5c4047eb65565d4ed1263b0f99c1a9f0151

SHA256
0e5becd839510a1cff0508808a211b16540d3e0452958d3fb0738ec09210a8db

SHA512
f939d68e29326ccbcbd5069bbc9c982612ddc0c820b3d9347646ab5a96b6a68f9a72630bb36914281428afa5040ddc722c048230ec7e426ab51a3fd879c22054

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
496B

MD5
1b92794633aaa7d8ca83e408ef516a36

SHA1
4ae0678d6cf8abedb3e9819fc9d7d715d3f72bb6

SHA256
0ff76dc871bd6e59abe386781ef988b4c8d734bca726a4d1eb556d3d78f1e7e0

SHA512
698bb4adf1932dd48fbffb344b0053b9dc753b97a92d88a26341e0c3b0fa2e03481c5193bd2b4a1caaa2aa2f00e41eae73c53aaadc1ac6bb8be17d0f229a61bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State~RFe58e402.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e436bbd696a014addd74b9183112728a

SHA1
3efdf1a6c17bb5626e263c95c7a947f441df2681

SHA256
4c7037d7271b1ef4ed0ab00f9f142d1c68491f01db302cc540fa5570678bca44

SHA512
5565c2f37be2b12a58692ee08869b0294b622f09d374c022618e86d0ef93a87c72f2677b0ddf3153a52e2bb08a871973d8121afdabd35645b2422d50f6544c7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
295581d918be9690501eb0ef5127ea32

SHA1
5bc38a08d563a95c5aef937df8200af76310a2ff

SHA256
3e035a42c0b8e3e6aba3802c739bc24ebc46e0f2ea8bdcdf4cbefdc4c4ca35c2

SHA512
9466043d027bdba9abf024f461fecde4de0ca873ed5275a89fe0e405818a99ee6bb5776bd31cd9679d93c006073e627598621bd488164afa3d12e7d708540454

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ae9abea2b0e4162f320cd86fb2f7a641

SHA1
b8db58e509b661e207a5bcb0f98d001154dfd3fa

SHA256
a2f92bf9d525d302a44f008b5964b88f1f787f9707478189e305f78d8b6a81a3

SHA512
3cf5b7252bbb8aa261dc11c2fd71642b87719118c661a0a8c8bae748213544587081cf7f39cad31153f47d188cfa00b30186622a5eecf015421f5e33d39df258

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
196b385f3b4dd6c5f03aa175e8cb6e52

SHA1
cb400895723c37781767f4119e9e3e5a1bfd244e

SHA256
e8eb841e29c3f770de08e63d8f1e857e784712ea3309f343fd267f447e2a5208

SHA512
6a56aeee062b00646d5b9ceec2b8bf7b32e32dbb04185c58053b47020f40bc916a9c9a76bf4c6d2958903446f6b8d0a2f41e6c9bd417bc6184a78c91ed5a3bbf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
aa10f656cc16d036a580048ba0bdac0b

SHA1
52c15a55cc3b56bd1bf5dd0efcd2b66413b7044c

SHA256
166d97573db5472f64c5d066f2b07e6fbff2f1f9d5858fd7757548e334e9220d

SHA512
748fc7d5155285784ecea52d01af8168213210231a698073945b30b4989ae28463a7fee01e24792fd33b17744cd54587f801c5e836c926d700724171bb0000e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
ee8e616a03201ab31e032c60a6d81b15

SHA1
4fa72ee1a3ed74f7798b3b58cabe174c675adc12

SHA256
2d77f4c62538359ca9c795a3be97c3817adb7954e004fe4b85cfffbf216f64c7

SHA512
97640f1aec0c917ca0bdda6f0228eff1d4274d2d681c73206be660697d3a7fefbdeeda23d6e3fa853228be633b4988e543a41f84bd027493c7d633089c863151

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
ba41e75a58d42e3625493a102c200a0f

SHA1
cfcf51f30c3bcfebae5eeac5ec77a3a0acfa547e

SHA256
2326221333abfc1b0ab706dd598c8060b808abb9ea20fc565d5264b9e37ed35f

SHA512
8444c78f834344aa9ce89ff215548f6337cf245daa8b3a579c286b15e69c13c514fc0013560d4e79ffcc45bc9a79699bb1dde97b847d7fb330e7216a1cc3db3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
02d93379c63afa3a3db81fae8267eddb

SHA1
003ab540791d61823aec975bac19c04c48b4258d

SHA256
cf9479ea65b4793ad67ed132aaf6c3c7d417961656fa07ed8e41ca3d6793a00d

SHA512
1707706644f5d275d8008c10a61f2cb16d09919444fd6176cf7f6855b860cf2842a9a61c85d1292632f0359e32dd8ed9f33e909adf543dc013652bfbdf61229d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe582074.TMP

Filesize
874B

MD5
719b8061cd8e88b30355fdb43ce6261e

SHA1
62f4f8b1bc724859dfa2fa7901d702d781bfabbf

SHA256
3531a629ed456f9d3c223875532f92012f8f95c8504f26023def79264e9e47e8

SHA512
380faea4817ba281da69486349405c509775153033ecbd430000bb1026de7d4bd0b7b34383ffac292a0957332060732e78dba3cb6c9bb0e297a2f8fbd14c31e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9ab3406fc7106311d16150389b709390

SHA1
d90be383fe97cfd01a79861affe09cc658b28336

SHA256
b10ab9e31efd6c8f150e0f8231ea1b1dc3925861d09c7a2e413030c1a98f7709

SHA512
d403474796041c9b49ebb30db9308e081b71e028b7904cff5f8414608534272350ee1d9d651aafdab2946580479d3003ce5f4b679f89f980a08fc5ee0663a095

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
718fd51c8be2218950204f69398eb8c4

SHA1
79d3267795708e6386b0889cbde76089b4375aa5

SHA256
f215b99b48ba329571e2fe6193c64aa7d7d564aa2571af8b59fbbc7bc15abee7

SHA512
23d23c7dca050a621d39415273813e798dbba2dda9361859484408660418f5d8a0b1063048e7bb131bd9823af62a76e9127d3b49853d6602ea1ec7d8dc84848a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
a89f0d8e9364a693aae8601d70a71b19

SHA1
7c34fac569cad25a4daddee8287ad2036c8be080

SHA256
814f82cd06c6dce94dd5f589be731534cf7ae3ebaefa42214764565d58bbc45e

SHA512
64a52b711f8b6fb70e52544890e2c0f44da9ba837d4d082fc6a9cbcc68ee26058aa833fcc417902e23027c4724fdf87d72b8da84d65527b8e223f8a19292c6a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
45c5abef0dac4a7af676745f93427625

SHA1
2554360f2199d526214946aa048532ecb28b55dd

SHA256
960404070ea8579f6df4b1c3ffebdb2f9a8a00f41b8d96325901269145541987

SHA512
0810f084504ce83af770ea4c37573d723fab30e810137897bd94fc760ece66ccb9bb3154dac2a31efe0b46dfb1a85dd7138818a0e682afaa602de7c589108a09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db

Filesize
1024KB

MD5
c4ad034141094c168e909fa830fc7cf6

SHA1
e3c3f94d93effa9702d0868c43fdd09912c9d599

SHA256
e11810508811a599a6fce49e6d268c789096291cfa674e75cc71d55c68d53f35

SHA512
5b14545417581fb972009fa036f3dfd9683a4359fd7b5ef99ac654d6ded43e414e368fd2100afc79ff0f91bf830461728bf93d8de0eb12a5cb7f8a2785cc81a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
7KB

MD5
1000e0712a73ae25eca3f5543a084844

SHA1
fda2db10c3c53aa1218e16c45b9d53375857a58f

SHA256
2099ac2fc45b2539b6d5efa32d69343765c7178270026a83ada17e4f7750e177

SHA512
caccbd9f24e0618566bd52e418cd51106dd3b13f35e81afe51a4714f2cb9d52c752a0b03e0c694cab19c014398d5e6a25426207e0410262a42929fe040c8cccc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_16.db

Filesize
1024KB

MD5
6b55468644c3f0fdfc82b2b8601085d8

SHA1
ce65e74d9afcfc6ce57d0ef29b47938e5a6de0c2

SHA256
3a877056e6f78a32a084714621a9cda62b1df270c76219fb9567a561fb6bf567

SHA512
947395f45d126b716fdec944967df5dadf91366fe81344b18bf94f74da1fd8ae48fe448319cd33aa6ffc920aaf8177c8c059ae83a25f9072035b6a7def7dd697

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_48.db

Filesize
24B

MD5
ae6fbded57f9f7d048b95468ddee47ca

SHA1
c4473ea845be2fb5d28a61efd72f19d74d5fc82e

SHA256
d3c9d1ff7b54b653c6a1125cac49f52070338a2dd271817bba8853e99c0f33a9

SHA512
f119d5ad9162f0f5d376e03a9ea15e30658780e18dd86e81812dda8ddf59addd1daa0706b2f5486df8f17429c2c60aa05d4f041a2082fd2ec6ea8cc9469fade3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db

Filesize
7KB

MD5
83110daff477ee1ea906276f16c984c5

SHA1
bf82592e1d6ad7cc6efd5ad214180c96ab9a14f9

SHA256
c8d1e0b639567e89b17b0db0309f66460216f393233b60ed713f89460e646a2b

SHA512
ae3eb0b40abdfa2ce5ce59a102176ec4dc8bb963e7e247452f7aeb10e9ffc3e17bb8abeb920d0945c45c3ed818e0d9423ab90828fd1217189ebfe5a2283110da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
9cf8f807835d711ed74e14e6f02e142a

SHA1
b8aa5d37a46bf9934b32260dbe2b2f9ed64eec7f

SHA256
a127f852aa1259fff283200056dc7174c9027f35a084896902b7874e65e9405e

SHA512
709041e47a9725e9c6eba3e0eb95f46466b18b68f4aa20838f3f8dd06dfcc59ae1bcc786f58efaccb1d58c4039e3c054093046af278f19541ae3800ad1323f34

Download Submit
C:\Users\Admin\AppData\Local\StartIsBack\Cache\appsfolder.dat

Filesize
2KB

MD5
3de7d67246fd6d4dd74d81d24f052d91

SHA1
4839a6cf82003d2baffc033cc97a1d5cd3fbdc97

SHA256
172bebeab51e4e457fef75e6d1c4b3cd3c0192c3c65d2299ac10a5d8e253858e

SHA512
c0b488897941b4a9f6e95773a83ec127592637ba5a9c052426029d83fe77ed0411e5d7b5024d1bfdb0b565dd236cdd3ef56c1ff7dd411656d8edb5007b730a1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\5n8n7d6w.tmp

Filesize
28KB

MD5
db2eb3078f924bc0049ae6e98653f2b0

SHA1
fc058c55c2b670dea826418aebc602ad737f6285

SHA256
f37b5230deb0e25cd3721e8b6653036b26dde8c7d567e4639458192daacef9f7

SHA512
dca8ec245c856def9ff56536537b91456c967966939e94b602c085282ebbe5c95e12bb9f48772d3dbd43087ce3317debdc87bf635f3972b048ea4ec811d1b50a

Download Submit
C:\Users\Admin\AppData\Local\Temp\SIBSFX.A47AF3A8\Orbs\Shamrock.orb

Filesize
295KB

MD5
ef55e07e1a2e47bb2bb749046cd150b2

SHA1
68362a1b38f03b8f25fc1f2cfcbd73d90b2ea0fa

SHA256
1a8dac51758c66a1bb03fbc227b5edb52ef7379fa3603b62eb3307005d06c9b5

SHA512
9c04a8c14dddf42b1ce6d07a5e562f008922595a9024cfcedb46529ab97804535fee8d1577ba9ee7438602aaac8613237869d5dc658bf7b68d44c250128b7b0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\SIBSFX.A47AF3A8\Orbs\StartIsBack_Ei8htOrb_v2_by_PainteR.bmp

Filesize
34KB

MD5
641328c75e6b117545211db22dafcaa0

SHA1
df4061f2b30b8cce58c2446cd6e8b86968ab46d0

SHA256
76a72c9ad77843b58223dd588483ac1265a31c15aaeb47ee66d1925de787644b

SHA512
54f265edd24cb26b4a550f65f8c3a70acc4fe2a95e03a43c14919d2b67f817162cdbd06aa9ccef86942f04a7e115b70b44164e83001f965cd7a627a06186d6b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\SIBSFX.A47AF3A8\Orbs\Windows 7.orb

Filesize
295KB

MD5
85328e698e8a74852b4061a683915dc8

SHA1
b898267f8574a34e6d605e541e5234c27dd53f5d

SHA256
e5b74e9e7bd6758a0154b11462ae3328edd143190865198104d8bd53b9af7275

SHA512
03945c487c6e697f7b352374a989bfe41d1de7d00624461d2b97fb2027b26d36b35035d5e78ea622c31372087dae647c5d3591c7f9a27941c009993e719ee28f

Download Submit
C:\Users\Admin\AppData\Local\Temp\SIBSFX.A47AF3A8\StartIsBack32.dll

Filesize
563KB

MD5
075826b376a9d9ec86da0d7a8fc812ab

SHA1
9041df41e2f16e12bb36013dfd8431fc18ec2f94

SHA256
8c2a79ecce2fb5780ed6a4726b338707864e55b4223fd9920af45262a6c602b1

SHA512
994d8c1c1c45c3344cca6515da2833eb3424e0f9c116de4a7518a004b1ca9c97d72fa9e66cc64f49078e2e2cda19a5f03f41e5e2a1d6e8b9dbeb2977feff6d10

Download Submit
C:\Users\Admin\AppData\Local\Temp\SIBSFX.A47AF3A8\StartIsBack64.dll

Filesize
667KB

MD5
1a8a24f517784ea606f42cd104ea55f8

SHA1
9f9d3ec7731c7030c1f7e05dcc361ee58bd0dc0f

SHA256
458bfa42d621a2f28cf61241637503d970d3d9b7af9e592d9930a1b6636b3f3a

SHA512
2842f250ff659cd63cb58c1396d96ae0bd7ef3bc543eb636cdf3ab7cd67dd62f27c11c1ab6ebadd2a21cef11551952903619ac87b97729ce10ff1e772860eb53

Download Submit
C:\Users\Admin\AppData\Local\Temp\SIBSFX.A47AF3A8\StartIsBackCfg.exe

Filesize
2.3MB

MD5
d7a319ad8f2493c97b09b3f8c878a76b

SHA1
2d8dc08f23e5fdb171119f282da4f1fee1adf048

SHA256
5f69d9e29cdfdffa73c9b24bb401c4284bee06bd715b70cfdc124530e6650701

SHA512
0eb08b3bd05573e0901a3af71442e3ebb22b7a9fbb0a6c942f9af818f5659708c42c20f574b9fdacb568504578a98f71bfb958fd2273d6ccc8c7b0277d43a3eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\SIBSFX.A47AF3A8\Styles\Plain10.msstyles

Filesize
48KB

MD5
a69385279536210958fb9c86cab229d6

SHA1
6ecb118cfb9b8ef42c79aa0d795c3d8b51f0341d

SHA256
3955fc60d3b7c4a1badd831fde82269261407cf9d459c65b429e8abc769adeed

SHA512
f1cf5b1ec22416e645c0dfc128c25166585e300a8db2de6ec51e0689e26e54831dcf2b26a03115423b9b71f1b109389a3e14173fe0a8bbebc2547f9ca33cd412

Download Submit
C:\Users\Admin\AppData\Local\Temp\SIBSFX.A47AF3A8\Styles\Plain8.msstyles

Filesize
118KB

MD5
509fd060516d1971da8d0c2173748358

SHA1
67ccd63914312b1f491467bec42232916df109c7

SHA256
43c7016d950248f52f9512c9e7393c38d61a3ba2235e5fb6deed83564d8e9442

SHA512
de3d87b7e0a518ffbb10ccd400dbf5f9596177b75dd7aa4785855d36f007ef0417b88b2eb3aa6af7e52fb3670c021f714bcf87a33551ffc4536444d5204aa7e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\SIBSFX.A47AF3A8\Styles\Windows 7.msstyles

Filesize
405KB

MD5
b6a2892c151ccd59d0b4c4c1777daac5

SHA1
b34791b4db3956620dffb2e11e1fa160e2d20889

SHA256
0c6e681a8091ba888e58473cceeae590c88a405bb30dcb344f940acf27290ce8

SHA512
e8fc5c96d155bf9657c07d861e2597d681a23ce1d46ec3e779251126e989be41c883e0545e80b5291c96a3ead4eb6c2affe8b419abb506bc5e5376fe2fa212ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\SIBSFX.A47AF3A8\UpdateCheck.exe

Filesize
33KB

MD5
4c6ebcddb218e4c62cd12b930a5894c9

SHA1
a2e9b5712b8bc92fdd925f6649ca8452c65f5aff

SHA256
1a28ac87c0f2aff7ba63b38f43b05aea45d03c31096e6525df9e880d44f6ad96

SHA512
21eae056e3d2fcb63389f645ab90cd0f2ace10c54b97978104acd292c947e9dcc5bdf8891632ea69465a278c56056ea3732069bbf675ba2217f563db8f8c5be0

Download Submit
C:\Users\Admin\AppData\Local\Temp\SIBSFX.A47AF3A8\startscreen.exe

Filesize
71KB

MD5
a2d6e2201be02973328038457aa64bba

SHA1
684338bd758a92449d43c49a0aa539f323760215

SHA256
f4e76abf0df055fae97863708412773b51197bae0ddd9692a9509e824d847df0

SHA512
21002b3b3cd01beb923692addaef4e5d0fcbee972154e25bea2c4ece591185bf8e6221959fbcc772fc7e7f73dce18747909dcd9c04423a0ade70f6cfba72f135

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38322\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38322\_bz2.pyd

Filesize
82KB

MD5
37eace4b806b32f829de08db3803b707

SHA1
8a4e2bb2d04685856d1de95b00f3ffc6ea1e76b9

SHA256
1be51ef2b5acbe490217aa1ff12618d24b95df6136c6844714b9ca997b4c7f9b

SHA512
1591a263de16373ee84594943a0993721b1e1a2f56140d348a646347a8e9760930df4f632adcee9c9870f9c20d7818a3a8c61b956723bf94777e0b7fb7689b2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38322\_decimal.pyd

Filesize
247KB

MD5
e4e032221aca4033f9d730f19dc3b21a

SHA1
584a3b4bc26a323ce268a64aad90c746731f9a48

SHA256
23bdd07b84d2dbcb077624d6dcbfc66ab13a9ef5f9eebe31dc0ffece21b9e50c

SHA512
4a350ba9e8481b66e7047c9e6c68e6729f8074a29ef803ed8452c04d6d61f8f70300d5788c4c3164b0c8fb63e7c9715236c0952c3166b606e1c7d7fff36b7c4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38322\_hashlib.pyd

Filesize
63KB

MD5
ba682dfcdd600a4bb43a51a0d696a64c

SHA1
df85ad909e9641f8fcaa0f8f5622c88d904e9e20

SHA256
2ad55e11bddb5b65cdf6e9e126d82a3b64551f7ad9d4cbf74a1058fd7e5993bd

SHA512
79c607e58881d3c3dfb83886fe7aa4cddb5221c50499d33fe21e1efb0ffa1fd0d3f52cbe97b16b04fbe2b067d6eb5997ac66dec9d2a160d3cb6d44ffca0f5636

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38322\_lzma.pyd

Filesize
155KB

MD5
3273720ddf2c5b75b072a1fb13476751

SHA1
5fe0a4f98e471eb801a57b8c987f0feb1781ca8b

SHA256
663f1087c2ed664c5995a3ffa64546d2e33a0fce8a9121b48cc7c056b74a2948

SHA512
919dbbfcc2f5913655d77f6c4ae9baa3a300153a5821dc9f23e0aceb89f69cb9fb86d6ce8f367b9301e0f7b6027e6b2f0911a2e73255ab5150a74b862f8af18e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38322\_socket.pyd

Filesize
77KB

MD5
485d998a2de412206f04fa028fe6ba90

SHA1
286e29d4f91a46171ba1e3c8229e6de94b499f1d

SHA256
8f9ede5044643413c3b072cd31a565956498ca07cdd17fb6a04483d388fdad76

SHA512
68591522e9188f06ff81cd2b3506b40b9ad508d6e34f0111819bf5eff47ed9adf95ebfae5d05b685c4f53b186d15cc45e0d831d96be926f7a5762ee2f1341f1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38322\_ssl.pyd

Filesize
172KB

MD5
e5b1a076e9828985ea8ea07d22c6abd0

SHA1
2a2827938a490cd847ea4e67e945deb4eef8cbb1

SHA256
591589dadc659d1ad4856d16cd25dc8e57eaa085bf68eb2929f8f93aba69db1b

SHA512
0afd20f581efb08a7943a1984e469f1587c96252e44b3a05ca3dfb6c7b8b9d1b9fd609e03a292de6ec63b6373aeacc822e30d550b2f2d35bf7bf8dd6fc11f54f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38322\_uuid.pyd

Filesize
24KB

MD5
b21b864e357ccd72f35f2814bd1e6012

SHA1
2ff0740c26137c6a81b96099c1f5209db33ac56a

SHA256
ce9e2a30c20e6b83446d9ba83bb83c5570e1b1da0e87ff467d1b4fc090da6c53

SHA512
29667eb0e070063ef28b7f8cc39225136065340ae358ad0136802770b2f48ac4bda5e60f2e2083f588859b7429b9ea3bad1596a380601e3b2b4bb74791df92a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38322\base_library.zip

Filesize
1.4MB

MD5
6e706e4fa21d90109df6fce1b2595155

SHA1
5328dd26b361d36239facff79baca1bab426de68

SHA256
ce9b9f16ce0d9abdbac3307115d91eaf279c5152336ccbe8830151b41c802998

SHA512
c7e377e2854ad5b5c3fb23593817ad6345bf8a78d842ff2a45c3be135fad6bb27b67c5b6c01b26e7c1b1b12ea0814f4f6b6a522bbfa689b89fa50d3652799b34

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38322\libcrypto-3.dll

Filesize
5.0MB

MD5
e547cf6d296a88f5b1c352c116df7c0c

SHA1
cafa14e0367f7c13ad140fd556f10f320a039783

SHA256
05fe080eab7fc535c51e10c1bd76a2f3e6217f9c91a25034774588881c3f99de

SHA512
9f42edf04c7af350a00fa4fdf92b8e2e6f47ab9d2d41491985b20cd0adde4f694253399f6a88f4bdd765c4f49792f25fb01e84ec03fd5d0be8bb61773d77d74d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38322\libssl-3.dll

Filesize
768KB

MD5
19a2aba25456181d5fb572d88ac0e73e

SHA1
656ca8cdfc9c3a6379536e2027e93408851483db

SHA256
2e9fbcd8f7fdc13a5179533239811456554f2b3aa2fb10e1b17be0df81c79006

SHA512
df17dc8a882363a6c5a1b78ba3cf448437d1118ccc4a6275cc7681551b13c1a4e0f94e30ffb94c3530b688b62bff1c03e57c2c185a7df2bf3e5737a06e114337

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38322\python311.dll

Filesize
5.5MB

MD5
d06da79bfd21bb355dc3e20e17d3776c

SHA1
610712e77f80d2507ffe85129bfeb1ff72fa38bf

SHA256
2835e0f24fb13ef019608b13817f3acf8735fbc5f786d00501c4a151226bdff1

SHA512
e4dd839c18c95b847b813ffd0ca81823048d9b427e5dcf05f4fbe0d77b8f7c8a4bd1c67c106402cd1975bc20a8ec1406a38ad4764ab466ef03cb7eb1f431c38a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38322\select.pyd

Filesize
29KB

MD5
e07ae2f7f28305b81adfd256716ae8c6

SHA1
9222cd34c14a116e7b9b70a82f72fc523ef2b2f6

SHA256
fb06ac13f8b444c3f7ae5d2af15710a4e60a126c3c61a1f1e1683f05f685626c

SHA512
acb143194ca465936a48366265ae3e11a2256aeae333c576c8c74f8ed9b60987daff81647aef74e236b30687a28bc7e3aa21c6aedbfa47b1501658a2bfd117b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38322\unicodedata.pyd

Filesize
1.1MB

MD5
5cc36a5de45a2c16035ade016b4348eb

SHA1
35b159110e284b83b7065d2cff0b5ef4ccfa7bf1

SHA256
f28ac3e3ad02f9e1d8b22df15fa30b2190b080261a9adc6855248548cd870d20

SHA512
9cccbf81e80c32976b7b2e0e3978e8f7350cce542356131b24ebab34b256efd44643d41ee4b2994b9152c2e5af302aa182a1889c99605140f47494a501ef46c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ikbma4jl.rco.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseDC3C.tmp\System.dll

Filesize
12KB

MD5
792b6f86e296d3904285b2bf67ccd7e0

SHA1
966b16f84697552747e0ddd19a4ba8ab5083af31

SHA256
c7a20bcaa0197aedddc8e4797bbb33fdf70d980f5e83c203d148121c2106d917

SHA512
97edc3410b88ca31abc0af0324258d2b59127047810947d0fb5e7e12957db34d206ffd70a0456add3a26b0546643ff0234124b08423c2c9ffe9bdec6eb210f2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfC144.tmp\Aero.dll

Filesize
8KB

MD5
0cb4305037fdbb31b1763beed3564f7f

SHA1
b584fd7ebffc331b2a08c6c7c74ed1193f3fa22d

SHA256
4f8ac32dd2cca85f9a018eb6a29bf0405af41a725a8a6ff6a7429704feef8d7b

SHA512
e85449f23ac1742b59fb5299737cfdc1c0aae79c0c247f47fcc7887c433d085087d23e7bb521b9f63e470772e0b5e1e3b3afb9b9244f12b425d43d5205a21a4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfC144.tmp\System.dll

Filesize
12KB

MD5
4add245d4ba34b04f213409bfe504c07

SHA1
ef756d6581d70e87d58cc4982e3f4d18e0ea5b09

SHA256
9111099efe9d5c9b391dc132b2faf0a3851a760d4106d5368e30ac744eb42706

SHA512
1bd260cabe5ea3cefbbc675162f30092ab157893510f45a1b571489e03ebb2903c55f64f89812754d3fe03c8f10012b8078d1261a7e73ac1f87c82f714bce03d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfC144.tmp\nsDialogs.dll

Filesize
9KB

MD5
1d8f01a83ddd259bc339902c1d33c8f1

SHA1
9f7806af462c94c39e2ec6cc9c7ad05c44eba04e

SHA256
4b7d17da290f41ebe244827cc295ce7e580da2f7e9f7cc3efc1abc6898e3c9ed

SHA512
28bf647374b4b500a0f3dbced70c2b256f93940e2b39160512e6e486ac31d1d90945acecef578f61b0a501f27c7106b6ffc3deab2ec3bfb3d9af24c9449a1567

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfC144.tmp\nsExec.dll

Filesize
7KB

MD5
b4579bc396ace8cafd9e825ff63fe244

SHA1
32a87ed28a510e3b3c06a451d1f3d0ba9faf8d9c

SHA256
01e72332362345c415a7edcb366d6a1b52be9ac6e946fb9da49785c140ba1a4b

SHA512
3a76e0e259a0ca12275fed922ce6e01bdfd9e33ba85973e80101b8025ef9243f5e32461a113bbcc6aa75e40894bb5d3a42d6b21045517b6b3cf12d76b4cfa36a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfC144.tmp\w7tbp.dll

Filesize
2KB

MD5
9a3031cc4cef0dba236a28eecdf0afb5

SHA1
708a76aa56f77f1b0ebc62b023163c2e0426f3ac

SHA256
53bb519e3293164947ac7cbd7e612f637d77a7b863e3534ba1a7e39b350d3c00

SHA512
8fddde526e7d10d77e247ea80b273beae9dde1d4112806f1f5c3e6a409247d54d8a4445ab5bdd77025a434c3d1dcfdf480dac21abbdb13a308d5eb74517fab53

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss1905.tmp\System.dll

Filesize
11KB

MD5
0ff2d70cfdc8095ea99ca2dabbec3cd7

SHA1
10c51496d37cecd0e8a503a5a9bb2329d9b38116

SHA256
982c5fb7ada7d8c9bc3e419d1c35da6f05bc5dd845940c179af3a33d00a36a8b

SHA512
cb5fc0b3194f469b833c2c9abf493fcec5251e8609881b7f5e095b9bd09ed468168e95dda0ba415a7d8d6b7f0dee735467c0ed8e52b223eb5359986891ba6e2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\sibtask.xml

Filesize
3KB

MD5
331691375e3eb33ed12214c26797c23f

SHA1
3719bd8407dcc0a40f5d9eedc927eea80d0ef9e4

SHA256
2ffd12fcc5e8c87af2f14605602e8602dcfa2d5638ad6bd690e0a1014fe2c772

SHA512
e002ce601db8cb4a3ad3ce02812752f5c547739df2aa2501de248899775a939a7a6652a3695a0a56b6cc3b2d599230f3278f1d8fad19066be30ee0ddedc2d7ff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
a8c9e74c4fab475666f7d90b5faaf849

SHA1
ac27f646b0e12fd7d5a9fb7b68df8b1f1614603a

SHA256
6755e54e94863c297bd80725aa278fbe3ff04744b922825343389ca27332e0f0

SHA512
0d0c7addaf4231029fac80eb76eb0ef429d053b2400e4e28d6e36723d59ade8a3ea03360129a5f13263908b0625584448f6310d0b50d49350eba2df5c0987749

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
c5d8e1945416ee974cd26faf7b430da4

SHA1
f4e199185f0c5fe1f94b5e86cb6509c197cddb00

SHA256
085d2f6f2cabf5dfc272d4e92534d5afe523652e798ec73a4bb4315c6256ffaa

SHA512
1b1482624b4571e6b54e8df8ee61c9a91d6dfeaa450665d2e423479c9a9883ad165377a0123e644ad3aae3aec1dda6c5548280ef52afa657b9a3c1ed0609b7ae

Download Submit
C:\Windows\Installer\e5eeb3d.msi

Filesize
17.0MB

MD5
68adc7e2b81c54048f86d2e0eb0bae7f

SHA1
438a0f665ceb02502024f4c5a2321747414088aa

SHA256
9dc917bf28bfb8eb56e7f67df2bbb95cbb4ec05d4ccc987ca687cc6fcd7d346b

SHA512
4633d862cd2658adea6f06d1e03088dc9a695c0152c46b58c0b8508292fee3803792fe8faeb4832c8e28c5c896efac8848616c62f46637ff81913ca4ea393782

Download Submit
C:\Windows\Resources\Themes\AeroRoundShiny-Architecture.theme

Filesize
5KB

MD5
c7c0dc480c504eecc971288e627bb88d

SHA1
4b9354fd425c531646cc543ff3252c0fcf5fcec0

SHA256
048a1e11f170e048d4f361372cce16c77d35d9f339d91ad01b31dd4d4013babf

SHA512
ff6a2aca191d5b952641790f7bbf6ef5b88ff2c6c4f30fe55c4f29752a4bd890082622ccb89cc6654294443ec05d8c713e8e59f146a2265f345eb679656768a6

Download Submit
C:\Windows\Resources\Themes\AeroRoundShiny-Nature.theme

Filesize
5KB

MD5
d0dcdc4f133f12da5a7b04ed1829c6b1

SHA1
d1507fc3088f18a45f86f56e2a129e56e8cdb671

SHA256
bda9aab6b269ad785f21f6a677be61e13c243e408b490361f2ae660d546852df

SHA512
050f8444733ef1bf643237ccf85469deffd27729394a21f9d9d1fcfc2091c9223d0e02662898ca6b80dcdb6da0488160aa04eb3322ffbb51cf5fe90ece579a68

Download Submit
C:\Windows\Resources\Themes\AeroRoundShiny-Scenes.theme

Filesize
5KB

MD5
1f282bbeafe838c861429fc6134f9f46

SHA1
5e40faa22bad454fb2667f0a8e89ba80546902f8

SHA256
67659791a9e79da4d01cca69ca04672c994c9b195863897fd985f7e3a270a2c6

SHA512
d78ec74bd70337bbb779f672371cd93df158c29a01695d185ed1211b96396917fa6d0fc1365960b338a1aa4b6a5937a778e5185e2aaeb71774cef3abf0a75197

Download Submit
C:\Windows\Resources\Themes\Windows Aero\SoundSchemes\Delta\Desktop.ini

Filesize
1KB

MD5
794f1975f13b0fb6c554d96006237cad

SHA1
4a3989d06826b5e8ed30325e3a2527f62de6ae5d

SHA256
b77586f906749b00246a8d8ce73e48ea42ac69355524afe3b1183e1ac6d8d201

SHA512
c4e91baea7b0621765c5da6254be846acef4f90570950e02c8ca733b255afc5ee1ec3378ef479c6bf22205a780d22c5b14b264b55f5f471c66dbce7b84d332b5

Download Submit
C:\Windows\Resources\Themes\Windows Aero\Styles\RoundShiny\Shell\NormalColor\en-US\shellstyle.dll.mui

Filesize
120KB

MD5
60353f535fa56911c1f14daf4afc93c5

SHA1
6079e4b4406296df901206137042a826109fe0aa

SHA256
cfe9cdcf88974d445d5e5138f8243400ecda828c9e5c1636b2638e52fe6ec042

SHA512
4073fc865cbe10a05472b943aa0616e9a25612e7192feca2d66858566192aed3179c521efedcf8d2a25860ee9e26c889077f3ae3d08ea79c6c68c4a1015bc9ce

Download Submit
C:\Windows\Resources\Themes\Windows Aero\Styles\SquareClear\Shell\NormalColor\shellstyle.dll

Filesize
717KB

MD5
fd8c2e3a44cd37eb31a9759b075c7770

SHA1
89d0098a376e3df4466acfe8489905a30f7a6897

SHA256
fe1144fd5eace45936d02b49b14f01a6f04d39fc8cab5ae94f8c8eee8dd246e9

SHA512
e26c71124fe247d9f2e6e11cf6914e66aa238b31c645d3fdf9e956659799dde9374d2e6c5b3b5a2737f69ef76b0a7ac5433f90870b01db94f1b13fb302759e6e

Download Submit
C:\Windows\Resources\Themes\Windows Aero\Styles\SquareClear\en-US\AeroSquareClear.msstyles.mui

Filesize
4KB

MD5
a60904e50fb271a83790a20796611410

SHA1
c028fea54f86e56d9d0e06231e6e8db073c56b1d

SHA256
719a6a7980b77931861f31ee5f4f572192d5d6ea008a6b6919693bf7f4370700

SHA512
f9d5d87b76a053f61d5dcc3a17484c13d5d75b108b865ee25a501fe726a52e2e43a5d1009bcbd02110fd38faaf8b6832048ae8431aeae447be95984cbb82b05b

Download Submit
C:\Windows\Revert8Plus\AeroGlass\task.xml

Filesize
1KB

MD5
55f2df53f31cb4fecb90332f3e8ab460

SHA1
a66e9bc009eeafc5e71e96d5c36e824170987e05

SHA256
380a74cfb3fe146d11adedbeb0f0a522fae3127011517e36cfb2374cc76c4ade

SHA512
b5fb64236321c780a30647dbe4bff19fcebb042fdd26069a4f5b4fafb0b4e82db4c3dcbf2b6c33c788e9fe5ec53aae68061e0d17a9e6a4f899a694e7e7e835df

Download Submit
C:\Windows\Revert8Plus\AeroGlass\task.xml

Filesize
1KB

MD5
87e67a7f91a808f061bc2be037b432da

SHA1
107bebc53c242f247a6dbcb7fd6fe3fb665be3a5

SHA256
2f5656afa7a5289c1a884a3d57c4c53defd2b4e01aa7c0eba898b2135d2a52c4

SHA512
955f0fbb39ba77f273cfe6e2050dcbdfe974af536ce325d2a78120b87bb0813d0819ab525af5356aeddb4dd22a1f499c8bad7c8eed63b12c12c29f570fd8ae76

Download Submit
C:\Windows\Revert8Plus\NSudoDM.dll

Filesize
22KB

MD5
9b3f76647db04320f175f030dddaf465

SHA1
99cdadc7ccedae16d5e8bd786e6251313d5e04a1

SHA256
9655cee86ca3f32bee059823d39eba449f91306a666e13f33a9e000feea4c8be

SHA512
e8c0c8f6e951a0f39d673a51eaf1fdfcd85658fe941139bcbb9633708e29ca6f06df9e86a39dcfd2f43cebdb004d1294038d01f6ffa3855848dcea73e2f72286

Download Submit
C:\Windows\Revert8Plus\SIB10.exe

Filesize
1.5MB

MD5
6e1869386afd5769243e01c746ec7206

SHA1
41724d13d5a4f124c5c93b468a243cebd3bbd102

SHA256
7ee8c845568b8787c7930152925a05682be54fcd866c46d6ef54bd137e1c9fd2

SHA512
3eabad446d1d6dd91a48c765402254de908cb62986df5925cb10b882fcd9c68e88315c5578dfdab83d53d90b2a6f03a3828ce512b0c954e07626e88f41adb8fc

Download Submit
C:\Windows\Revert8Plus\WMC\MediaCenter\Windows\ehome\de-DE\epgtos.txt

Filesize
15KB

MD5
dd29313c7ebe203229ff21d0b1c880c1

SHA1
5d69721d8d9d49080f1950160a8c09dfa6955b80

SHA256
7cee8c4c54f79bcb36ce12e35e7c93def04724896f35232052ccbb7aa5a89685

SHA512
18b201d53792718b622bee8f4063fb0dd057ccd1ab1dfce22b43b3d788cb5611af7635674fdd6d03d497b3e249e71c3b6a305af93a092d445164a182652bd04c

Download Submit
C:\Windows\Revert8Plus\WMC\MediaCenter\Windows\ehome\de-DE\playReady_eula_oem.txt

Filesize
35KB

MD5
3afe63dda0e15bf2fab14238d091f6ed

SHA1
76ef49a529bdbe65be3bf7bd374ea9ab7e1f3302

SHA256
f4de8529e61898de73ac3fd4ceb8ca512dc3e6c8b17febb9624b01448359104e

SHA512
c80326c7de0666705a4a6265f91673b6882ed4849d149b184573e5bec2009ed2a928f67bf8986b4e87eec43310a39574f3bdad6f685b459d0cb50cc368e2dd97

Download Submit
C:\Windows\Revert8Plus\WMC\MediaCenter\Windows\ehome\de-DE\playready_eula.txt

Filesize
14KB

MD5
c805a6e962a3b14869f1303874047d95

SHA1
67154c33e232366fcecb500ca2c3d4b2f030ed3c

SHA256
0e987114e15b607ca27e0859d37bb96b4735b4705ae9baeac9c32f997329d2ec

SHA512
047ca26a0681b3f1454c8dd4a5d5fa1049fa0ef8b059d15095a6c64a9bea1dbf712021fe687edecca94f894c4af5866bb1782abfc5b23da7cdd3ede6245af224

Download Submit
C:\Windows\Revert8Plus\explorer.bat

Filesize
2KB

MD5
0579d17228afc93c06cad33105bcb0e3

SHA1
58706635ef1b41046eef93bf2e92edaec05fda52

SHA256
617d6d8ff3e749cf084f29b1a27743fc7fc5a405622ac0d884aedeaac49dd6bd

SHA512
7a94af8cdd4bd6b1ad8a67f30af253afc12c55c560f55f7b2c4e996f68b7821ab1ed40053216d0f4a81ebe70736d929009f577e3f79a48e3a397ebe34c6098e6

Download Submit
C:\Windows\Revert8Plus\incontrol.exe

Filesize
95KB

MD5
69080ffac1b3b5db82eeb0ade8105ca7

SHA1
69c77cec8f8b184848047900656d510302681b60

SHA256
340a0b14e5e94c0ae6412872cd4f8d4338dc9b8a18b96883c45e1e8988524b2a

SHA512
8763964f17e4953228dbea97340d9dfc9afbda5823b8727fa5a6013dee010aeb1b9c69bb10ae7805f1f9a1fe01c02701f0d9894004f8a42888c1c510f64879bd

Download Submit
C:\Windows\Revert8Plus\task.xml

Filesize
1KB

MD5
b3855da62957c136b78db5b897c92b9a

SHA1
98875ff5475a45fd5a76f1075ea037323948c0e6

SHA256
f1f0d158afc9568e12beb0041153334c182d434c7ea92218f1f872b51d8dcfd5

SHA512
be173a197d46136cf1c9aa62c507c90a4dba024cc9b06aea23d33d6ab121689392db49c8cfa14ee6bbe05291e46d946541dfcc779ba69e8d7062a8696dd2aaec

Download Submit
C:\Windows\Temp\1n8n0d8w.tmp

Filesize
28KB

MD5
9e7bb9c31083cc3a0f561d12311c9d83

SHA1
9102b88339566d5f0490c25180632043c8bb1809

SHA256
2658178fd2cb498195032c531bf3bb037954e0614aaec4c4ac2637f08d949bc1

SHA512
1fb30279a1f951a98f609eb749deb6c77082c28a30e1fdd4f3224ddac8ddfad134e8f3c44f82c32501da8a93a978e6cf8dfe591039a0e6af0d4d2a1dc5445699

Download Submit
C:\Windows\Temp\autC595.tmp

Filesize
11KB

MD5
4a83df1d945c2f5801ed59650d7460eb

SHA1
31827890e1df99268c0f80dcb26774225e4c3a5d

SHA256
2d993be76dfcf35f89b656b4dbc553e078d824974b482e56c6f76eaea87731c8

SHA512
eacb88683e3c999a1cdc9d9e4a4030723164e358d7cd85f7cfc02b99f33be991c89af5602349b48b5388520968a43a2a45b4b6d2f468f2b888088cf95bd591d2

Download Submit
C:\Windows\Temp\autC5A5.tmp

Filesize
10KB

MD5
09ca17eb552722bd7004097f59b07518

SHA1
36cf9da188460542e58acb97fa0ef0bfd9a4e172

SHA256
365c32c3c09228158ab5aaabfcf93cdfcd858be0b2a00031d82ab03070f61a5b

SHA512
3dc6ed86df50f87b12635032fb30840e94bea699ac193a16099a2ce1a9bd5e39147f115fb938c177991dc0dcfd5abab075632a1d0b46e6009a86eea3a27156bf

Download Submit
C:\Windows\Temp\autC5A6.tmp

Filesize
5KB

MD5
96c0e61f3298cb745b021f67e7dd0d48

SHA1
a61adbe460c68a3087ff1ba75620dbb86af28e40

SHA256
3e56c22a81ab1168036a289c7ffe2889dd678c422568dff9ef91d6a0f9005333

SHA512
dbbfdd4ad2c80ff9df0b21dfd011420baba54a7114d0e0ff5371dda9c9389d90422a4311881ac2bdb5ba7c4334d210b61c6c0fc691ae503e32930109d9251f3e

Download Submit
memory/732-1291-0x0000000004BB0000-0x0000000004BB1000-memory.dmp

Filesize
4KB

Download
memory/1112-2200-0x0000000003850000-0x0000000003851000-memory.dmp

Filesize
4KB

Download
memory/1616-1835-0x0000000004300000-0x0000000004301000-memory.dmp

Filesize
4KB

Download
memory/1848-1997-0x0000000003680000-0x0000000003681000-memory.dmp

Filesize
4KB

Download
memory/2288-1388-0x0000000002BE0000-0x0000000002BE1000-memory.dmp

Filesize
4KB

Download
memory/2348-606-0x0000000000400000-0x0000000000653000-memory.dmp

Filesize
2.3MB

Download
memory/2544-1667-0x00000000043F0000-0x00000000043F1000-memory.dmp

Filesize
4KB

Download
memory/2676-1402-0x0000000003290000-0x0000000003291000-memory.dmp

Filesize
4KB

Download
memory/2924-465-0x000000006FD20000-0x000000006FD6C000-memory.dmp

Filesize
304KB

Download
memory/2924-449-0x0000000005580000-0x00000000055A2000-memory.dmp

Filesize
136KB

Download
memory/2924-477-0x0000000007F80000-0x00000000085FA000-memory.dmp

Filesize
6.5MB

Download
memory/2924-476-0x0000000007800000-0x00000000078A3000-memory.dmp

Filesize
652KB

Download
memory/2924-475-0x00000000077E0000-0x00000000077FE000-memory.dmp

Filesize
120KB

Download
memory/2924-479-0x00000000079A0000-0x00000000079AA000-memory.dmp

Filesize
40KB

Download
memory/2924-447-0x0000000004FA0000-0x0000000004FD6000-memory.dmp

Filesize
216KB

Download
memory/2924-464-0x00000000077A0000-0x00000000077D2000-memory.dmp

Filesize
200KB

Download
memory/2924-480-0x0000000007BA0000-0x0000000007C36000-memory.dmp

Filesize
600KB

Download
memory/2924-463-0x0000000006610000-0x000000000665C000-memory.dmp

Filesize
304KB

Download
memory/2924-482-0x0000000007B50000-0x0000000007B5E000-memory.dmp

Filesize
56KB

Download
memory/2924-462-0x00000000065C0000-0x00000000065DE000-memory.dmp

Filesize
120KB

Download
memory/2924-461-0x0000000006010000-0x0000000006367000-memory.dmp

Filesize
3.3MB

Download
memory/2924-450-0x0000000005F30000-0x0000000005F96000-memory.dmp

Filesize
408KB

Download
memory/2924-451-0x0000000005FA0000-0x0000000006006000-memory.dmp

Filesize
408KB

Download
memory/2924-478-0x0000000007940000-0x000000000795A000-memory.dmp

Filesize
104KB

Download
memory/2924-448-0x00000000057F0000-0x0000000005EBA000-memory.dmp

Filesize
6.8MB

Download
memory/2924-481-0x0000000007B20000-0x0000000007B31000-memory.dmp

Filesize
68KB

Download
memory/3000-1795-0x0000000004290000-0x0000000004291000-memory.dmp

Filesize
4KB

Download
memory/3040-2199-0x00000000070A0000-0x00000000070AC000-memory.dmp

Filesize
48KB

Download
memory/3040-2198-0x0000000006D60000-0x0000000006E03000-memory.dmp

Filesize
652KB

Download
memory/3040-2188-0x000000006FB40000-0x000000006FB8C000-memory.dmp

Filesize
304KB

Download
memory/3040-2186-0x0000000005BD0000-0x0000000005C1C000-memory.dmp

Filesize
304KB

Download
memory/3040-2185-0x0000000005580000-0x00000000058D7000-memory.dmp

Filesize
3.3MB

Download
memory/3084-1399-0x00000000041E0000-0x00000000041E1000-memory.dmp

Filesize
4KB

Download
memory/3116-1243-0x00000000033D0000-0x00000000033D1000-memory.dmp

Filesize
4KB

Download
memory/3144-676-0x00000000029F0000-0x00000000029F1000-memory.dmp

Filesize
4KB

Download
memory/3180-2000-0x00000000007F0000-0x00000000007F1000-memory.dmp

Filesize
4KB

Download
memory/3588-1855-0x0000000002D10000-0x0000000002D11000-memory.dmp

Filesize
4KB

Download
memory/3948-1754-0x0000000002E30000-0x0000000002E31000-memory.dmp

Filesize
4KB

Download
memory/3956-2003-0x0000000002D70000-0x0000000002D71000-memory.dmp

Filesize
4KB

Download
memory/4056-671-0x0000000002E70000-0x0000000002E71000-memory.dmp

Filesize
4KB

Download
memory/4128-1935-0x0000000004B70000-0x0000000004B71000-memory.dmp

Filesize
4KB

Download
memory/4384-2012-0x0000000003800000-0x0000000003801000-memory.dmp

Filesize
4KB

Download
memory/4412-1876-0x00000000038F0000-0x00000000038F1000-memory.dmp

Filesize
4KB

Download
memory/4468-1920-0x0000000004740000-0x0000000004741000-memory.dmp

Filesize
4KB

Download
memory/4492-1184-0x0000000000910000-0x0000000000950000-memory.dmp

Filesize
256KB

Download
memory/4560-562-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4560-565-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4640-2006-0x0000000003620000-0x0000000003621000-memory.dmp

Filesize
4KB

Download
memory/4756-666-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/4844-1405-0x0000000004CB0000-0x0000000004CB1000-memory.dmp

Filesize
4KB

Download
memory/5076-2009-0x0000000004560000-0x0000000004561000-memory.dmp

Filesize
4KB

Download
memory/5144-1293-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5144-875-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5144-494-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5144-1774-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5144-1668-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5144-1626-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5144-554-0x000000006F160000-0x000000006F170000-memory.dmp

Filesize
64KB

Download
memory/5144-1853-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5144-668-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5144-1796-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5144-1998-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5144-1287-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5144-2215-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5144-442-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5144-1080-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5144-1933-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5144-594-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5144-1396-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5144-2050-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5352-1959-0x0000000004B50000-0x0000000004B51000-memory.dmp

Filesize
4KB

Download
memory/5364-1397-0x0000000003C60000-0x0000000003C61000-memory.dmp

Filesize
4KB

Download
memory/5432-1074-0x00000000043E0000-0x00000000043E1000-memory.dmp

Filesize
4KB

Download
memory/5464-505-0x0000021BB18E0000-0x0000021BB1902000-memory.dmp

Filesize
136KB

Download
memory/5472-673-0x0000000002B90000-0x0000000002B91000-memory.dmp

Filesize
4KB

Download
memory/5476-690-0x0000000004840000-0x0000000004841000-memory.dmp

Filesize
4KB

Download
memory/5484-1775-0x00000000025C0000-0x00000000025C1000-memory.dmp

Filesize
4KB

Download
memory/5512-1286-0x0000019DF1470000-0x0000019DF1482000-memory.dmp

Filesize
72KB

Download
memory/5656-1938-0x0000000002B30000-0x0000000002B31000-memory.dmp

Filesize
4KB

Download
memory/5756-919-0x0000000004C90000-0x0000000004C91000-memory.dmp

Filesize
4KB

Download
memory/5972-1619-0x0000000004BE0000-0x0000000004BE1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads