Malware Analysis Report

2024-12-07 10:04

Sample ID: 241113-bs7tyavarl

Target: https://github.com/NetheriteTree/Malware-Database

Tags: adware defense_evasion discovery evasion persistence privilege_escalation ransomware stealer trojan upx

Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

Threat Level: Known bad

The file https://github.com/NetheriteTree/Malware-Database was found to be: Known bad.

Malicious Activity Summary

adware defense_evasion discovery evasion persistence privilege_escalation ransomware stealer trojan upx

Adds autorun key to be loaded by Explorer.exe on startup

Modifies WinLogon for persistence

Manipulates Digital Signatures

Boot or Logon Autostart Execution: Port Monitors

Boot or Logon Autostart Execution: Active Setup

Event Triggered Execution: AppInit DLLs

Event Triggered Execution: Image File Execution Options Injection

Downloads MZ/PE file

Checks computer location settings

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Installs/modifies Browser Helper Object

Checks whether UAC is enabled

Modifies WinLogon

Enumerates connected drives

Maps connected drives based on registry

Checks installed software on the system

Sets desktop wallpaper using registry

AutoIT Executable

Suspicious use of SetThreadContext

UPX packed file

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Subvert Trust Controls: Mark-of-the-Web Bypass

System Location Discovery: System Language Discovery

Browser Information Discovery

Event Triggered Execution: Netsh Helper DLL

Suspicious use of WriteProcessMemory

Modifies Internet Explorer start page

Checks SCSI registry key(s)

Checks processor information in registry

Enumerates system info in registry

Suspicious behavior: GetForegroundWindowSpam

Modifies Internet Explorer Protected Mode

Suspicious use of SetWindowsHookEx

System policy modification

NTFS ADS

Modifies data under HKEY_USERS

Modifies registry class

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Modifies Control Panel

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-13 01:25

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-13 01:25

Reported: 2024-11-13 01:37

Platform: win11-20241007-en

Max time kernel: 690s

Max time network: 629s

Command Line

C:\Windows\System32\spoolsv.exe

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\WebCheck = "E\x17÷\x0fÞ>;¤½DS\x0e¿z‘âîZ·^m¶&jèÀ³g" C:\Windows\SysWOW64\cmd.exe N/A

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "é³'©F\x1eœŒ/\\s^!ðžt–ÞP+YƒäÑç¡åq" C:\Windows\SysWOW64\cmd.exe N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\ = "¿lø.\x19µ\x1a<ã+xÂÜK¯ãCG'q\x1cá@#\x01\x01–Ë" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\StubPath = "À[§\x17z’™,;DiL™\x7f\x1dÁÉÈ…'~\x14ñ$Ä\x04š±" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3853CC31-559E-32A7-B749-89E04145A139}\Version = "y®ð¿O¶ª—k»ç\b0E\u0090\x03;\x16U\u00a0>\x13œÏ·ŒùH" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE4BC71D-A88B-4943-BB3D-AF9C0E7D4387}\Locale = "º,û”Èlý˜ëY\u00a05\x05ïÉÙ0ƒÈÁ*„™Ä2(`Æ" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}\Locale = "eÔ&Ìþ—ÃòL\u009dʼn\"žØÓ¡Á‹áÅ‘¨\rbyR©" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\Version = "11,348,22000,0" C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}\Version = "10,0,22000,0" C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\ComponentID = "ëðC·²G /åo|“{\x0f¹\x0eÆ‘Ð\x1c\x7fjJ‚\x1dÈŠ+" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{23A20C3C-2ADD-4A80-AFB4-C146F8847D79}\ComponentID = "À¦†‹*\x19´ˆÊ/\a+\n”YâI\by\x06 ‡c”\"6•E" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\LocalizedName = "g‰J’Íøð0ð~Ó§íW\x17ã½.?WÜ¿9û#\x14%\x03" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6EADE66-0000-0000-484E-7E8A45000000}\StubPath = "ŠÀ‡T¡ß’\x12S\aÿå~k\x04ç·`Ÿ ý \\y¥€˜\u008d" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C6BAF60B-6E91-453F-BFF9-D3789CFEFCDD}\ComponentID = "\x14ŽõÉ\x18—~\aÑ`åA\u008f©TM¿\x04-1…\\!\x14\x06 \u00adÜ" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C028AF8-F614-47B3-82DA-BA94E41B1089}\Locale = "Î’êI¸0^ oý\fPX\x0eªÝËj™\x19ð|Z\fv\r'Ÿ" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6EADE66-0000-0000-484E-7E8A45000000} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6015F}\ = "<0Ì9-'K1\x13ý¯^1I!·”D{" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5fd399c0-a70a-11d1-9948-00c04f98bbc9}\Version = "=êE\\ì|`\x12U\x18#ÖΤÂ\x7fŠ´v\x0fΤŸ\u00a0˜r™\x1f" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C028AF8-F614-47B3-82DA-BA94E41B1089}\ = "\u0081bÛ”É^°Ÿ3$).K~AÜmÎ\tJZÀœtVd\x17z" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9381D8F2-0288-11D0-9501-00AA00B911A5}\Locale = "Ù:Ì.Ï:Ë\\¿§\x16\x16T¦kñ$Üàû×xœ\x1eòê\x12î" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340} C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3af36230-a269-11d1-b5bf-0000f8051515} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\Locale = "ƒÎ|\x1c¤‹6ð{ú\x1fÞ\x16iåc?!\bG㫪a" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9381D8F2-0288-11D0-9501-00AA00B911A5}\Version = "ïIl\x193\x18Òk°Òß÷nJ\x047·íô³¨ÊÚÅþ†mÄ" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{de5aed00-a4bf-11d1-9948-00c04f98bbc9} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}\Version = "óÐ\x0f™æ\x12\x7fÐKxsO\"jãîjó[˜Îê¹ÿvïÍÎ" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\Version = "43,0,0,0" C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45ea75a0-a269-11d1-b5bf-0000f8051515}\Version = "Óð\b]ÜXüQÍ\u0081¯r³Ü\x11é[4n\x0fѬŽ\x18£\u008dŽw" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4f645220-306d-11d2-995d-00c04f98bbc9} C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6fab99d0-bab8-11d1-994a-00c04f98bbc9} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE4BC71D-A88B-4943-BB3D-AF9C0E7D4387}\Version = "\x06\x16;éHIÖÙ)Ï“Çw×vûhÀˆd\x17é\nÑ\x06ŒB\x11" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45ea75a0-a269-11d1-b5bf-0000f8051515}\Locale = "8Ò\x1f\x10ÐﵬîqÚ\u00a0£@JÆOÃoè|iÿ¾EzÚ’" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E92B03AB-B707-11d2-9CBD-0000F87A369E}\ = "—e;úÁx\x1fú:üý5w#û\x19¡n‚B,\t,„v/$k" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}\Locale = "õ×üƒõ×\x0e¹xV×\u008fVl[al¹Å\x05\x1c€Ü6†ä\x19i" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3853CC31-559E-32A7-B749-89E04145A139}\ComponentID = "`ú®ûÎ¥2}Þ/\x11Ø\x01Å™û~°\u008d»a,ät“©Ý\x13" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45ea75a0-a269-11d1-b5bf-0000f8051515}\ = "Þé\x17»Fà×:¡¾¶#Þh¥¢Å÷D9ëJËkôˆ\x14\x11" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\ComponentID = "0¬Ù·ä\x1c]\x1a=–,ãV/yemÍ}Ù»Å\b\v\x11áe‰" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3853CC31-559E-32A7-B749-89E04145A139}\ = "奕ZÛsÇ‘•Ä«BÖ*¡>-™¸ÎØ?›)X\x17ƒ§" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3853CC31-559E-32A7-B749-89E04145A139}\Locale = "¢\x11O0\x1cмNÇeð5Xs®§¤‚e³Z]Ò" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3af36230-a269-11d1-b5bf-0000f8051515}\Locale = "–lD\"\b\u008f\a\x1b¼•îus½\x17¨\x01Œƒí9\x19»r¯\n\x12\x10" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\Version = "\x1c™\u0081Øõ¸ón¦Õ‘\n—\x10•ñFòæ.,ìУ²\x19ðn" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\Version = "12,0,10011,16384" C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\Locale = "eáÕ}3" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3af36230-a269-11d1-b5bf-0000f8051515}\ = "òC¦[uǬHPÉ\u00a0ަ\x18\x16·YyêÚÕÐ\x15" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6015F}\Version = "P™.\x13|‰g\u0090dž}Î뜯}¸ºvÝDv4¦-\x17\x17µ" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A604D2C-E968-429B-8327-62B5CE52126D}\Version = "\x18\x1d¾-“îCé‚6âIÃË’{$“\x03ñ\v'IãþeoÁ" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\ = "\f\nhß\x02\x10\níG¼9Â=\x1b_~ˆèz¬Ö=¹[\x16ä\x1c6" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C6BAF60B-6E91-453F-BFF9-D3789CFEFCDD}\Version = "Ü\x10C\u00a0«Ì\x03×á\x0f 7†&ƾxjÔìê÷}Âw}®‹" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{de5aed00-a4bf-11d1-9948-00c04f98bbc9}\ComponentID = "ž]\x01¿øÚtÞ†ç\t¾\x11ŽÀ|O(\u008fÎ\fM\x1fÈȉ0â" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\Locale = "‡±Tûf=Û‘’õråCB«ÕÒrºº\u009d±Ëÿíë,í" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{25FFAAD0-F4A3-4164-95FF-4461E9F35D51}\Version = "\nô)œø\x1a\x16q\u00adñ‚Æ'V¤ëÂ3\u00a0èʶ\x0fä\f\x7ff€" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3853CC31-559E-32A7-B749-89E04145A139} C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6015F} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45ea75a0-a269-11d1-b5bf-0000f8051515}\ComponentID = "’'¢2tçìrd¥ò èÜ\x05 j\x06LâCâ†~Þ\x14¢K" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C6BAF60B-6E91-453F-BFF9-D3789CFEFCDD} C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\Version = "â¤á\bÆÌú€!nîæõzaè\x040Å;©Á¾ú\u00a00¶¶" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\Version = "43,0,0,0" C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\ = "GÊiÁ)¹\x02\x02´Œ9õx/¾°£ËY\x19#ج4ÊAå¨" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{25FFAAD0-F4A3-4164-95FF-4461E9F35D51}\ComponentID = "#Xl\\òB˜ä*æïÇ(\x01‹4mH'\x1dÁÅN&„{“" C:\Windows\SysWOW64\cmd.exe N/A

Boot or Logon Autostart Execution: Port Monitors

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Appmon C:\Windows\System32\spoolsv.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Appmon\Ports C:\Windows\System32\spoolsv.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Microsoft Shared Fax Monitor C:\Windows\System32\spoolsv.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port\Adapters\IPP C:\Windows\System32\spoolsv.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port\Adapters\WSPrint C:\Windows\System32\spoolsv.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Local Port C:\Windows\System32\spoolsv.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Standard TCP/IP Port C:\Windows\System32\spoolsv.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Standard TCP/IP Port\Ports C:\Windows\System32\spoolsv.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\USB Monitor C:\Windows\System32\spoolsv.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port C:\Windows\System32\spoolsv.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port\Ports C:\Windows\System32\spoolsv.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port\Adapters\WSPrint\OfflinePorts C:\Windows\System32\spoolsv.exe N/A

Downloads MZ/PE file

Event Triggered Execution: AppInit DLLs

persistence privilege_escalation

Event Triggered Execution: Image File Execution Options Injection

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\1\AppExecutionAliasRedirectPackages = "¿'ÇðÀÃ\x12KÔ\u009d" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\1\FilterFullPath = "‰'›àB±Ž*a†´#Sø9¡Ù§g\v÷\x06PÝýå\x10¡" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\2 C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\2\FilterFullPath = "\u0081Ö\tÖ}\x1f»)&¾ò\x056äì̬»\b£™\x12Ñ£ç\x1fƒ\u008d" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\0 C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\0\AppExecutionAliasRedirectPackages = "Ç;\x19ÌXýž¥µ\x19™Ÿ¡š]³\x1aÄ|K¥œ\x04¼vãRû" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\0\FilterFullPath = "sú>¦:Lë\x14$f\u00adEV‡\u0090…\u0090Ø‘ì\x7f\n\u00a0]ò®\f\x17" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\1 C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\2\AppExecutionAliasRedirectPackages = "4Õ×ñÕ$\x02ϧéËlmªû¹}c\x1eßr¿\x14{•z\u0081!" C:\Windows\SysWOW64\cmd.exe N/A

Manipulates Digital Signatures

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{1629F04E-2799-4DB5-8FE5-ACE10F17EBAB}\FuncName = "”késâl\x042\x01Б¢Ãn]Úˆ\x14\x15Bá@\x01ö\x01(nJ" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{0AC5DF4B-CE07-4DE2-B76E-23C839A09FD1}\Dll = "\x19$a&\x15Mê%ªèÊq‰\x1bÖÞ\t\x0e\r0—Â:ý3A_" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{1629F04E-2799-4DB5-8FE5-ACE10F17EBAB}\Dll = ">\x17ÑY…(þ\x0e£M|ó\x04\x1czæ³b°.8\"€KÏIÐ-" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2130\FuncName = "ç”>Vt›–klÚ®í´G<¶—APWñ\u008d\n<Ô¬pl" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.4.4\Dll = "¥š@oÈzrQÀè£jöóĽ‹0\x04wmY¨\u0081}éR¹" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.2\CallbackFreeFunction = "N-\x14çðÏ\x0fY.%‹Š#jÌ¿\x18¼„ƒmx³T\x13¯Ž\t" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{6078065b-8f22-4b13-bd9b-5b762776f386}\$DLL = "Õ\x7fGFO‰;G]ß\x1b,¯Jú’x·À75™4ÜRÌ\x1a€" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{0AC5DF4B-CE07-4DE2-B76E-23C839A09FD1}\Dll = "`©Í£+*ÂF æ9\x1c”[ˆèÕ\x12¢B\x0e¬\x1a˜eàHì" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{1A610570-38CE-11D4-A2A3-00104BD35090}\Dll = "‚šXsýfê\x1dÝ" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{DE351A43-8E59-11D0-8C47-00C04FC295EE}\Dll = "lrs䯇_¿\"Ç\x18\x12\x1d\x1c°‡Ô³\b½ñ\x1a»Ê2<TÓ" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.12.2.1\FuncName = "rû\x1bq¿d‰*Á¦1±9”õ\u008dßã,›\x13]\x14>\x17C¹š" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.12\FuncName = "`$\n¥Ž=C\x03\x1dJ.\n\x12íÆžŒ\u009d\x160r†a‡åM\u009d\x15" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2000\Dll = "’ST¯©ü|ÕâL\x12mÝU¼N4¼T²ú›Î|äÊ–Z" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{0AC5DF4B-CE07-4DE2-B76E-23C839A09FD1}\Dll = "(¤ü\x14ý\n][¾\u0081Äü\u00a09P†×4-ØÇj¦ºä<ª·" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.11\Dll = "Ðq½\x17.¾ú7>”'ž\v¥Ã,þɪì}ûØ7æšgj" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$Function = "\x1bL?ÞÁ]‚sjà\x02?Ò|¥L\nÆÆg\\±\x1fDÖß?" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2223\FuncName = "í„|òh\n\u008d-)\rVÆe7\v{ƒeØù:À¬)«^mU" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.28\Dll = "U:ÔOØÇÒ\x7f*º¶B\x12\x1a\u0081›D\b—׌µZú%yÁ¾" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.4.4\FuncName = "\x17¢2Þ?.Ð\f¢À%Äü^ÔCËsÜ`xÎ\\܉0lÙ" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{D41E4F1D-A407-11D1-8BC9-00C04FA30A41}\$Function = "Yï\"k•Gr¾2h<}û¬´¤\x17Â{´‹W×”Ó¹xí" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "âc| Œø2\x0eB" C:\Windows\SysWOW64\cmd.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CertDllProtectedRootMessageBox\DEFAULT\Dll = 1f00e700c200ae000400d30015003e00d100b9006300c0006800e9003a2059007900cd00e9004500fa002900b000b90030000600bf00b80000000000 C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{000C10F1-0000-0000-C000-000000000046}\Dll = "™œ™MÊš9þ]êÑO" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{000C10F1-0000-0000-C000-000000000046}\FuncName = "U-m\x04\\Kæx\u0090\u00a0±Fß\x13Ä©.\a¿\roÝ€‡A9Rö" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2002\Dll = "ÑH·Ùm\x16°ìõèÊ•ÎÏש™ëE¬ñÑÖ\x02\vrª³" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllFormatObject\2.5.29.32\Dll = "\x12¬¦¨ÎÒb}—vÛ7ë\u0090v®ºl]\x18:~Ê{µq{G" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$Function = "çH®¹“üèŽîÆ\u00a0;\nd!Á\x0f´‰Q®€%Ýf\x1fjÑ" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$Function = "f26ßA³É\x1eÒ^âÜ‹Å&\x7f£n¢ac–Å7Í\v×\x15" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\2.16.840.1.113730.4.1\DefaultId = "”tájÂÍqóX\u00adª‘uÌÑ\x04yÙâÞóñ×O”»¯v" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSealedDigest\{C689AAB9-8E78-11D0-8C47-00C04FC295EE}\Dll = "=¨Ê‡+\x10ÄÛ\x06Ã\u008f¯;¾mŠ6Ff'u&ÌȤM(X" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2222\FuncName = "à¤;~Ó\x02¦o\rXê%»#Ït„ì÷d\r\b˜vØ¢_ï" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.4.3\FuncName = "ét6•\u008f†Miר‘\x05YŠäÏC$Á¬D!èØÏ\u008fÒù" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "\x0eüqšÖ$èNTÜäÿ«5ÎT*ÃM“öl¼¦.å±…" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{CF78C6DE-64A2-4799-B506-89ADFF5D16D6}\Dll = "\x11ov¡\fÏ\"œìäÐ;e˜¤éØ$”eý\"Å\x03\x03ÇtT" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{D1D04F0C-9ABA-430D-B0E4-D7E96ACCE66C}\Dll = " \x04›‘<´\x1a4ŠZ)TjM9e\býÖÓ¨ÃüH°b‹|" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.16.4\FuncName = "°KGñŠôÜ:_\x01°”12“2\x12\x0f\x7f0V}\x13ÒÇ\x19Ž5" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.15\Dll = "ª«\aˆé‡\tæÎ²5É2–Œ~ùŒiXuï\x0e\x1d•ÞUe" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$Function = "ž\\}\x17\x1eœó/W]‡<\x11^Tj1+\x1b?\x0e…x™ä瘧" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "‘›\x16¦×F>T´ÿ|œw\x04uŒ6×Ü\u0090ó†\x11\x1dˆØ\x0f\v" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2221\Dll = "\x01û\x01>öƒ\x1d8oPCK\x11úG\x06\u00ad\\;Ø!\v–4m†ä¹" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.16.1.1\FuncName = "ãO¤{\u00a0uÞJ\x7fàýµÛmÂí™%m7·a.PñÆìô" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{6078065b-8f22-4b13-bd9b-5b762776f386}\$Function = "æ ƒ`.‚«\x1dfêTÓ×X’ÇQ0UªZ\rhhw&+ô" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{603BCC1F-4B59-4E08-B724-D2C6297EF351}\Dll = "]UqϧAh¶½\aïë½w\x11ú" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{1A610570-38CE-11D4-A2A3-00104BD35090}\FuncName = "umm\x1f\x1e0Õw\x0fA\x16¿\x0f!¤f>\tƒU\n\\Ü^RÏä²" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{1629F04E-2799-4DB5-8FE5-ACE10F17EBAB}\FuncName = "å´ÉûJƒ\u0081Ó&\x18ÑÝ\x17§SpÇjãw¼n0ép\n¡{" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{189A3842-3041-11D1-85E1-00C04FC295EE}\$Function = "\x16ÕM„ís\u0090\u00ad#\x13E‹H\x0f$\x06€f×\fKØ\x1cÒ‡#E”" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.12.2.3\Dll = "ynœ\x1b™!\r†m\vÜ¢m\x1a2WpéæòQQ§!ÿv\x1eF" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.4\FuncName = "õ~ \x1b=™7§U‡A:W\x19\f<\x1dŠäðW—)Ÿ\x1a—¹]" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "óå\u008dа:Û¨\u009dQœ›·D1ínL\x14³±\x04Õ<Ñ\x1fnU" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\$DLL = "k¦\x1fvØDøe\x14\x1c\x17Ûâ\n¬’ŽH§™9s™\x7fø\u008d|H" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{D41E4F1F-A407-11D1-8BC9-00C04FA30A41}\$DLL = "¾K@u¥ßŇ_¡hPLJóÓ+\x1e\fßÊÏ6ӣDZV" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\2.16.840.1.113730.4.1\CallbackFreeFunction = "ËM\x01¯â‰‚M¡~sœå\u00ad†u}3¯d\u00a0/ˆ2øj\x06ä" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}\FuncName = "\x1e\téké!ô•\x19@™£ÞÞ´\u0081:œð¥ðëAôÒË<\x1f" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2010\FuncName = "\x17" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = ",”ðwö+Ô ü\b›»1Îêò;PVUÇ“òÝ”9" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{A7F4C378-21BE-494e-BA0F-BB12C5D208C5}\$DLL = "\rÀ\vÿjæ¦w‘d\x0eœïÎ\x12O3\vO\u0090ªÞ\x12\x7f8ì Þ" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.2\CallbackAllocFunction = "<_f¤å\u0090Îê ,¿Å\x02RYï¯M\x06’\x7fK0…\x17¯ö˜" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{000C10F1-0000-0000-C000-000000000046}\Dll = "<\x1aâ1\x1e9\x1c\x1c\u008fMÚ\x1fÅ·˜ÔD\v\x16\x1aÂîš\x05cÓ>þ" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$DLL = "^|‹)ª\x1a^ã–À\x11^\x18Ÿª\x1c,Á€" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$Function = "Õ\u009dÎc\v\x16ôµ\x10\x14\u008fÝ¢¤ƒöóì\x1cal¯\x03ë4\x18\x1c" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{D1D04F0C-9ABA-430D-B0E4-D7E96ACCE66C}\FuncName = "GU\x1b=ó0\u0090w™‹\x02?\x1bvÙ*Ÿ\aoôM!6\u008dTÒ«¬" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2012\Dll = "\x0f„´¤P ma.\x11\x7f½Gò5‰\x0e\x17\x1du£hÃ6\u008d\u0081èï" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2004\Dll = "þ ´i:´’ay°ÿ&ÄfyZ\x05\b¦¨¹i#\b^\x1b³Ü" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.16.4\FuncName = "¯'9èg&È„\u00ad\\NÇˆŽ¼>Vc\x04˜èì-‹+" C:\Windows\SysWOW64\cmd.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\International\Geo\Nation = "\x117·j’4;OrM ò¦Cµ9\x02ò\f\x01¶4É~PŒŠ_" C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\cmd.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\D: C:\Windows\explorer.exe N/A
File opened (read-only) \??\F: C:\Windows\explorer.exe N/A
File opened (read-only) \??\z: C:\Windows\explorer.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\ = "dõÓfÚM`\x18,å\x14\u0081S\x15\"K÷M\x02\x10\x1fP\a¼åölO" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\NoExplorer = "!+•¼DŒ,¡H!œ‹Jü\u008f„‹(\x053ÿ¨8o\x067\x19j" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} C:\Windows\SysWOW64\cmd.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum C:\Windows\SysWOW64\cmd.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{1A6364EB-776B-4120-ADE1-B63A406A76B5} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}\DisplayName = "S$\x1e&u\u00ad\x02\u00a0ØI\x13\x16c\x06_\u008d\x05hCË#“ÄÚòåð˜" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{8A28E2C5-8D06-49A4-A08C-632DAA493E17}\ExtensionEventSource = "VY2Ô¬áOfÇàVt" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{91FBB303-0CD5-4055-BF42-E512A681B325} C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{E47248BA-94CC-49c4-BBB5-9EB7F05183D0} C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7} C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{F9C77450-3A41-477E-9310-9ACD617BD9E3} C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}\ProcessGroupPolicy = "²þ\x10\x12}æ\u0081Ž\fj’°”\u00a0\f\x13šÊ5¢Ø" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}\ = "Ia†Âç)º©dl•\x19¸\x0eÒ¥\x7f›½Ëü,<׼޶Q" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7150F9BF-48AD-4da4-A49C-29EF4A8369BA} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7933F41E-56F8-41d6-A31C-4148A711EE93}\ = "_îœû1\\åäAp»\x15" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{8A28E2C5-8D06-49A4-A08C-632DAA493E17} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultDomainName = "\x1d'\u0081\u008d\x1b½÷‚²BßÜó\x13,’Wa\"'û÷J\x1bÑzÉä" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}\ = "ߺ'@\x15¼é\x7f\x11\x19£\x0eù®µm¶4Ñ&¢½šòހſ" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}\DllName = "Àmÿ®<áÀÀ Ô Äâ\x03ðµ-j\t¥\\‘¼\x15Y±g." C:\Windows\SysWOW64\cmd.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}\EventSources = 6b0053001e001c2078003a2022212d00df00e60068004600c200aa00f500b3005f007700c5005d0071009d00f400350065001500e700e00000000000 C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}\DllName = "ß\x06'~^\aN\x06›t¸Ð¬P-/\x1a0›²·#ÌX—»¢Â" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{e437bc1c-aa7d-11d2-a382-00c04f991e27}\ = "]ÍÆ_‚´©S\x1eöÚÕ" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{17D89FEC-5C44-4972-B12D-241CAEF74509} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}\DisplayName = "\n‰º\x18<6—Ã\x0fú\u008dÆ4”\u00a0§Œ…\x1c´Pª÷ÉŠ½Ê\x10" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{E62688F0-25FD-4c90-BFF5-F508B9D2E31F} C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{FB2CA36D-0B40-4307-821B-A13B252DE56C} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{FB2CA36D-0B40-4307-821B-A13B252DE56C}\ = "\x17{§\x01ˆá\x05lÈà¼<”Æ¢);é\u008d\x01©X&‘²\x13äß" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultUserName = "½,³®\x1a\x0eì\u009d\u00ad¢ÏI„`À,±äKº0º§öÚ~ç\x05" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}\ProcessGroupPolicy = "&×JjºÖ\x02\x0eœ\x1b”‡ìiˆ‹æyÒŠÎøBr¦Á\\e" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3} C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{5794DAFD-BE60-433f-88A2-1A31939AC01F} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\PreCreateKnownFolders = "øË'µE\x0eQ`Œ‹]5-5Y\x04]Â\x13µ \x1b%£PóLL" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{0E28E245-9368-4853-AD84-6DA3BA35BB75} C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}\DllName = "“¿œ\x17à\x03&›òÉ•\x16$4'^ÝÀ”ÿ~é†ÿÑìwV" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}\DisplayName = "Èd\fn\x04“éîV'\u00a0?+\nc2‘’9P\u0081J6o\rÆfk" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{42B5FAAE-6536-11d2-AE5A-0000F87571E3} C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{6232C319-91AC-4931-9385-E70C2B099F0E} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\ProcessGroupPolicyEx = "ß½!ˆ×©’A\x7f¶šg]Ç2ƒEÒÙ\x15\x15(›&üÞ\x1fF" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{8A28E2C5-8D06-49A4-A08C-632DAA493E17}\GenerateGroupPolicy = "ç…\x12w°Ð¬C&‹'+\x1d:l€055e“AFÒ“K.d" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{e437bc1c-aa7d-11d2-a382-00c04f991e27}\ProcessGroupPolicyEx = ".ÓZøu7gyüÿÑ\x1cÕõ™§\\+”!îÏÎ)7ß“\x1b" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7909AD9E-09EE-4247-BAB9-7029D5F0A278} C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A3F3E39B-5D83-4940-B954-28315B82F0A8} C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{cdeafc3d-948d-49dd-ab12-e578ba4af7aa} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{cdeafc3d-948d-49dd-ab12-e578ba4af7aa}\DisplayName = "ŒUãÃI" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{cdeafc3d-948d-49dd-ab12-e578ba4af7aa}\ProcessGroupPolicy = "¿< ª˜\x16•ÉŒ’¨€W„Ï\x17" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{fbf687e6-f063-4d9f-9f4f-fd9a26acdd5f}\ProcessGroupPolicy = "c\x13ÓÄ®\u00ad\x1bè4ö½òêO\x16=øÕ\u009d1<÷\x05\x18¢ÊÁj" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{8A28E2C5-8D06-49A4-A08C-632DAA493E17}\ = "+³\u0090øŽ‹Y\n%+þbÆ:xHÜÙïéÚ€jã»2S=" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B587E2B1-4D59-4e7e-AED9-22B9DF11D053} C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{728EE579-943C-4519-9EF7-AB56765798ED} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{8A28E2C5-8D06-49A4-A08C-632DAA493E17}\ProcessGroupPolicy = "—¿»:‹\x7f+`G\f.+\fƒbÁß\nfµ‰rÍQQ£ž2" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{BC75B1ED-5833-4858-9BB8-CBF0B166DF9D} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{FB2CA36D-0B40-4307-821B-A13B252DE56C}\DllName = "ŒÏpþ\u00adÛž\x05\x11,PcM9ú˜e€f\rß\x1cΩA:…–" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{8A28E2C5-8D06-49A4-A08C-632DAA493E17}\ProcessGroupPolicyEx = "Sv‹žž/vÉzˆXôm'êù\x01bcx;r”¯[}Ín" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{e437bc1c-aa7d-11d2-a382-00c04f991e27} C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{E4F48E54-F38D-4884-BFB9-D4D2E5729C18} C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{fbf687e6-f063-4d9f-9f4f-fd9a26acdd5f} C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{cdeafc3d-948d-49dd-ab12-e578ba4af7aa}\DllName = "\x1a›Æ˜éIçÃ5Œ…ø&[€E\x1eF³\x1dŸX¨ñ=\x03©û" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}\GenerateGroupPolicy = "*ö'è›\t„V÷4O\x1dèŸù~;\x1b‚,̸”4¼¢S1" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{2A8FDC61-2347-4C87-92F6-B05EB91A201A} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7933F41E-56F8-41d6-A31C-4148A711EE93}\DllName = "/\x05Y\x0e°¤³Ž|OÔ\x1bm\x0f\\æÆ\x01`ÓJ¸lƒOb\tÛ" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\DisplayName = "]næ\v_^Ò\x0eÀ’)ÎÞJÛ\t¶G\u0090ÍD®" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{8A28E2C5-8D06-49A4-A08C-632DAA493E17}\DllName = "\x13D÷\x05\u00906¡\x05¯á‚Ÿ¾m)öò.\"ŒH\x04\u008d¢Œ\x05ZÛ" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{AADCED64-746C-4633-A97C-D61349046527} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{FB2CA36D-0B40-4307-821B-A13B252DE56C}\ProcessGroupPolicy = "2åsôÅq±–7í\x1b‰„NpÑÏÉdæÄúó‘hS^\u008d" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{fbf687e6-f063-4d9f-9f4f-fd9a26acdd5f}\ = "—,Ÿ\"\u008dk\rzItO¹¼xÊsŽŽì¸iŒœ2{\x01xÖ" C:\Windows\SysWOW64\cmd.exe N/A

AutoIT Executable


Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\spool\DRIVERS\W32X86\{4AF9DD7A-81F5-4F72-8057-2C3BA7675AC9}\MXDWDRV.DLL C:\Windows\System32\spoolsv.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms003.inf_amd64_ceeb330db4f96bf3\Amd64\unishare.gpd C:\Windows\System32\spoolsv.exe N/A
File opened for modification C:\Windows\system32\spool\DRIVERS\W32X86\{4AF9DD7A-81F5-4F72-8057-2C3BA7675AC9}\unishare.gpd C:\Windows\System32\spoolsv.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_x86_69e8e0efb212ba16\I386\MXDWDRV.DLL C:\Windows\System32\spoolsv.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_69e8e0efb212ba16\Amd64\MXDWDRV.DLL C:\Windows\System32\spoolsv.exe N/A
File opened for modification C:\Windows\system32\spool\DRIVERS\W32X86\{4AF9DD7A-81F5-4F72-8057-2C3BA7675AC9}\unishare-pipelineconfig.xml C:\Windows\System32\spoolsv.exe N/A
File opened for modification C:\Windows\system32\spool\DRIVERS\W32X86\{4AF9DD7A-81F5-4F72-8057-2C3BA7675AC9}\PrintConfig.dll C:\Windows\System32\spoolsv.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms003.inf_x86_4540e16c07f9c1ad\I386\PrintConfig.dll C:\Windows\System32\spoolsv.exe N/A
File opened for modification C:\Windows\system32\spool\DRIVERS\x64\{10208437-8613-4FF6-8F1E-0C2D395B6D7C}\unishare-pipelineconfig.xml C:\Windows\System32\spoolsv.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms003.inf_amd64_ceeb330db4f96bf3\Amd64\unishare-pipelineconfig.xml C:\Windows\System32\spoolsv.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms003.inf_amd64_ceeb330db4f96bf3\Amd64\PrintConfig.dll C:\Windows\System32\spoolsv.exe N/A
File opened for modification C:\Windows\system32\spool\DRIVERS\x64\{10208437-8613-4FF6-8F1E-0C2D395B6D7C}\MXDWDRV.DLL C:\Windows\System32\spoolsv.exe N/A
File opened for modification C:\Windows\System32\}½[\æS'2m\åèßQO1ŠOž7ûlûó#´\desktop.ini C:\Windows\explorer.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms003.inf_x86_4540e16c07f9c1ad\I386\unishare-pipelineconfig.xml C:\Windows\System32\spoolsv.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms003.inf_x86_4540e16c07f9c1ad\I386\unishare.gpd C:\Windows\System32\spoolsv.exe N/A
File opened for modification C:\Windows\system32\spool\DRIVERS\x64\{10208437-8613-4FF6-8F1E-0C2D395B6D7C}\unishare.gpd C:\Windows\System32\spoolsv.exe N/A
File opened for modification C:\Windows\system32\spool\DRIVERS\x64\{10208437-8613-4FF6-8F1E-0C2D395B6D7C}\PrintConfig.dll C:\Windows\System32\spoolsv.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Desktop\Wallpaper = "àM\x1c‚§ílÕa½õ.êÆ\u00adSÑ\x1eO\fçe#Òjd÷T" C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Desktop\WallPaper = "àM\x1c‚§ílÕa½õ.êÆ\u00adSÑ\x1eO\fçe#Òjd÷T" C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2772 set thread context of 3844 N/A C:\Users\Admin\Downloads\VeryFun.exe C:\Windows\SysWOW64\cmd.exe
PID 2772 set thread context of 3548 N/A C:\Users\Admin\Downloads\VeryFun.exe C:\Windows\SysWOW64\cmd.exe
PID 2772 set thread context of 4868 N/A C:\Users\Admin\Downloads\VeryFun.exe C:\Windows\SysWOW64\cmd.exe
PID 2772 set thread context of 3144 N/A C:\Users\Admin\Downloads\VeryFun.exe C:\Windows\SysWOW64\cmd.exe
PID 2772 set thread context of 4636 N/A C:\Users\Admin\Downloads\VeryFun.exe C:\Windows\SysWOW64\cmd.exe
PID 2772 set thread context of 4344 N/A C:\Users\Admin\Downloads\VeryFun.exe C:\Windows\SysWOW64\cmd.exe
PID 2772 set thread context of 3188 N/A C:\Users\Admin\Downloads\VeryFun.exe C:\Windows\SysWOW64\cmd.exe

UPX packed file

upx

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI C:\Windows\System32\ie4uinit.exe N/A
File created C:\Program Files (x86)\Internet Explorer\Signup\TMP4352$.TMP C:\Windows\System32\ie4uinit.exe N/A
File opened for modification C:\Program Files\Uninstall Information\IE UserData NT\IE UserData NT.DAT C:\Windows\System32\ie4uinit.exe N/A
File opened for modification C:\Program Files\Uninstall Information\IE UserData NT\IE UserData NT.INI C:\Windows\System32\ie4uinit.exe N/A
File opened for modification C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT C:\Windows\System32\ie4uinit.exe N/A
File opened for modification C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI C:\Windows\System32\ie4uinit.exe N/A
File opened for modification C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT C:\Windows\System32\ie4uinit.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SystemTemp\Crashpad\metadata C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe N/A
File opened for modification C:\Windows\SystemTemp\Crashpad\settings.dat C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe N/A
File opened for modification C:\Windows\System.ini C:\Users\Admin\Downloads\VeryFun.exe N/A
File created C:\Windows\brndlog.txt C:\Windows\System32\ie4uinit.exe N/A
File opened for modification C:\Windows\SystemTemp C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe N/A
File opened for modification C:\Windows\SystemTemp\Crashpad\metadata C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe N/A
File opened for modification C:\Windows\SystemTemp\Crashpad\settings.dat C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe N/A
File opened for modification C:\Windows\SystemTemp C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe N/A

Subvert Trust Controls: Mark-of-the-Web Bypass

defense_evasion
Description Indicator Process Target
File opened for modification C:\Users\Admin\Downloads\VeryFun.exe:Zone.Identifier C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Browser Information Discovery

discovery

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\cmd.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\cmd.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\cmd.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\VeryFun.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 C:\Windows\explorer.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 C:\Windows\explorer.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0002 C:\Windows\System32\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters\Storport C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters\Storport C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Storport C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 C:\Windows\explorer.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0002 C:\Windows\System32\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID C:\Windows\System32\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID C:\Windows\System32\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 C:\Windows\explorer.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\explorer.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 C:\Windows\System32\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0002 C:\Windows\System32\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\System32\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties C:\Windows\SysWOW64\cmd.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID C:\Windows\explorer.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM C:\Windows\SysWOW64\cmd.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\System32\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0002 C:\Windows\System32\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\SysWOW64\cmd.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Colors\ButtonLight = "ö\x11[Y!Kš\\\x02sš(·Ññ¾_\u00a0ôpG%\\žS\aiI" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Desktop\Colors\ButtonDkShadow = "A'™+TØ\aË,0‹æ-¿nKS\x15óôekŸ\x1fð=k" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Desktop\Colors\HilightText = "\x12y—2ä)°ö" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Desktop\WheelScrollChars = ";^\tI\x04±ûŸ*sì·\x16ç–]ÕG\x17a±¶\x1ft‹º=)" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Cursors\Help = "1\vÌQK;B3”A\x15ö$¦\r*\x05GLX:oîÐõ€Oó" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Colors\Scrollbar = "ë°“éd¿µ_¨§d\x7fñÜñ´Ø÷5ŽâÏ\x1dD=õ™]" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Colors\AppWorkspace = "ÍõÜ\u0090\f PPµ¥Wr\tO0\x10¢ùhk\r\x1b#9tËã|" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Accessibility\Keyboard Response\BounceTime = "°_Ý`œ¨W–?³f‘zb E›&ó\têFòdàBÀë" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Colors\GrayText = "&\x16\x11\x121\bš:\x13ï‡ð&Ó¸BGƒMÖûîžk\x1f \x1f\x1b" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Desktop\FontSmoothing = "“Ù\\J\x1b\tl¦ç)Æ~Œ\x7f’S½HB¤ö#<j\x15Std" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\International\sYearMonth = "'ÏIhBj4!€„ôZ3E—b³›¹÷}8vw³èó)" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Accessibility\MouseKeys\Flags = "õ|¹§7t-)wŒ¡\u00a0hÌs'Cŵ˜‚ä\x01áâ°¥v" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Desktop\WindowMetrics\PaddedBorderWidth = "ÚjõT°\fñ›D\x19œ¸BM\x15HK;Ï7Ïô#¦yË_ú" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\International\sCurrency = "ί\x1d\r\x04s\x0eX€Ÿ!Hš-\x05ÅÝ-ƒCLjí„\nø«_" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Desktop\WindowMetrics\CaptionHeight = "/¥†\x13ûÛ\u00a0×Î5Rµ3Eüý*Ø\"Î\x1bù9Q\v)Fp" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Input Method\Show Status = "V‡\x05\u00a0\u009dAL\x10ÔKkLØC\t\x1dü-+\x1eDϿթ6;¤" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\International\Locale = "\x01BHy\x0eµ d}HÖš¤ðß’ìÅt`›ð0u’\x0eöÔ" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Desktop\DragWidth = "{?Ÿ3\x10\u0081÷.öÛžÅþR„Žu‡Ç):Í=äàgèò" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\International\sTime = "‡‰18›0û\x13”ÉG›–mZtÚ{¦rYa~ Ÿd`·" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Desktop\TileWallpaper = ")ßtÌ\"“1¾œ»c\x19\u00adež\x18«¹4T)âÄì¨\x14œ&" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Accessibility\Keyboard Response C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Accessibility\Keyboard Response\DelayBeforeAcceptance = "ÿ½¼!&µü'Æ\f(Õé4}®M‘õóìŸ9o\x1a\\\x0f”" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Accessibility\SlateLaunch C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Colors\ActiveTitle = "C8\x0f\x03ò7úrÙfSç\u008fŬ=(YvöX~Ô\u00a0Mè†y" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Cursors\AppStarting = "\x7fˆRL{l\x1fhc\x11©÷ŒhxA©@4" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Sound\ExtendedSounds = "FÄZ1ÞÏ3#Æ\bÓHÇï‰âç¡" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Accessibility\HighContrast C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Cursors C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Desktop\Colors\ButtonFace = "\u00a0r\x0e¾ú\x14>ÏGÃ\x15oU¶Ÿ(\x115œÙ“»²´)urw" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Accessibility\HighContrast\High Contrast Scheme = "ºE\x1d\x10 \x0f(×Â:z‡hd¯À@r.q^½u,²ÜT«" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Accessibility\MouseKeys C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Desktop\WindowMetrics\SmCaptionHeight = "»\u008dº¾\x15‡Â‚÷ƒ@B\x12ü6®ó.—á….ò\u008d«\b„s" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Accessibility\Keyboard Preference C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Desktop\Colors\ButtonAlternateFace = "'(3µÍ«\u00818ù–œ!EµŽû²š‹\u00ad*F7\x1fðí‹:" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Accessibility\Keyboard Response\AutoRepeatDelay = "R±\n\x1eÀSI»¢‰ãX\x11:\x13\x16ZH>v8x(V™*:²" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\PowerCfg\PowerPolicies\3\Name = "Ô\x1b`9ßôå\x04jl\x1c:jƒÌNÙÁíÌkœñðòÜ\x1d?" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Desktop\WindowMetrics\MenuHeight = "väð÷ª^\x17ÃÝË,´kz\x1a`J+\"±]3þ¬îXØ6" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Colors\MenuHilight = "rô3€\x1d\v˜Ì›_\x1c[ž„½ÿ¤“;µöÿ©\x12¸ä\x12," C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\International\sShortDate = "®Ú¥Lé" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\International\iPaperSize = "-äB~Ë–\x03\x7fá\x0e\v/\u008d—Ã\x11È-¼5\x17\vacæXí " C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Accessibility\AudioDescription\On = "Ío¿\x13_\u009d[\x06Š\\ÿ(u…–…ó\x05™,2¶C\u00a0" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Desktop\Colors\ButtonHiLight = "WÆÐûSMŽ€eÇ`ð\x01ê¬ÒqÇlž\x1e[†LÁ†ß\x16" C:\Windows\SysWOW64\cmd.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\International\User Profile\Languages = 1b002600c800b50030207100280000003a006500c400120035005a001920e300cb00fe003f00b700a400c1006300fb007900af000800d00000000000 C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Keyboard\KeyboardSpeed = "–aºÂ>ÐÙÇß@¾\x1c‘~¥8\\‚?(¼\x0e\x02<Ý•¦´" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Accessibility\StickyKeys\Flags = "6¸R‰`ËÒ›*h©ÄCm~°<¾îH9àNÜ}‹\x05a" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\International\sLanguage = "óX" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\International\sList = "îœ{Ê|áUò6¶k›\x03Úâ&ªþø„Þ\x12qÙO³ïE" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\International\sMonGrouping = "1¡ó\x1dn¹ç=\x10XË&kÕá@\x1e*æ1iÿï\x0eõÜïò" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Desktop\Colors\GradientActiveTitle = "¸\fŠ,ÿÙ£È\\×\x13‰¡¡\x12èÜÝÉ©T\fß\u009dÊÚ•î" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Cursors\SizeWE = "äöÊþ¾-Ê\x19â\x1d-[´ØÀ‰‰K\x15¥#ç,s\aŠÕƒ" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Desktop\DragFromMaximize = "AgÚU\x1e8c•õûK)\aÆDiÅ´\råVÐ\x18b\x0e+Š]" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Accessibility\SoundSentry C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\International\User Profile System Backup C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Mouse\MouseSensitivity = "t\x14<»\vÂÞµq\x14hƒ`Ýh\u00a0ʶ\x1a¥j1„\u0090\x10¥Ž’" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Colors C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Colors\InfoWindow = "þQ\x19,1Ÿ\tŸÈpç\u009d!ŠËääŸ\x19\x10]Î-¡Sq\ná" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Cursors\SizeAll = "\x01p&ïÑ•òEÀ¯3UZÁK_¦žMJ\n\x19^,O•vÅ" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Desktop\RightOverlapChars = "\x01Í÷<d±\x7fôÉ#½8¥\"ì9ÙPƒîÂâ0\v\u0090\x1f¯#" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Desktop\WheelScrollLines = "Ø\x1bÙ¡9ï]…q\x11žÎ¸~1º–Ãà–úk\x02R\x1d3 µ" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Desktop\Colors\Menu = "\b\x1e\x13¨fqP+;\x0fÁcÅp\x03\x11üf®ÓµäqÕ\u0090\bú†" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\International\sTimeFormat = "CBÖ“¸ä\bN\x1e$‰\x135öÑ,×Þýn–¹\x18\x05ž\u00a0‡ù" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\International\sShortTime = "o(cy6 ‘G|ûG3rä“ý#¸üÊ\f\x0f™$ær_¡" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Accessibility\ShowSounds\On = "M¹?\x03Ö>sã¹”ˆÝƒœ\a¸Ï+n„†4\x7f73¼\x1d=" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\International\iFirstDayOfWeek = "s¯Ì\x13utñžÝO˜¸‰+Kvò\tñP\x1ftF)¶Ã\x14Å" C:\Windows\SysWOW64\cmd.exe N/A

Modifies Internet Explorer Protected Mode

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" C:\Windows\System32\ie4uinit.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{000D51DD-18E2-4D85-919A-10E3746C3F1B}\DllName = "7q(\x1a@å\x1dáÛ¥M™ã¡\x10&\x10\x1f\x1bʨ‡\x18\u009dç׈\x01" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{21347690-EC41-4F9A-8887-1F4AEE672439}\CompatibilityFlags = "úºlN*Έé+|a´¥ËUò›[©¯7\bK?}âk®" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{5A074B21-F830-49DE-A31B-5BB9D7F6B407}\BlockType = "\v\u0081¹z\x12\x1a\tqz½ù3w´v~\v@bhXò\u0081=+úão" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{7778AA60-698A-41D9-9BF0-7AB41045AA7F}\Version = "œMÆŽfU,—'ðfÄhG´âág\\Ș™Î€/×wˆ" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6bf52a52-394a-11d3-b153-00c04f79faa6}-32\AppName = "\x14_…\x13ysx\u0081Ób\x11\\\x1cGÌF1¼åiI˜ÌXÓ\u0090xŸ" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\SYNC_SETTINGS\HelpID = "ܧ÷h.öQÃ2!'Ò\bì\x1dá\u008f3×Ö\x11(ÙÓe \x14w" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\HTTP\GENABLE\ValueName = "P‰fÁײϢ\u008d$Ô?Q¾›•É—§\x1a›\x04QTjÙÿt" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{000D51DD-18E2-4D85-919A-10E3746C3F1C}\FWLink = "4\x12ÇܺÐÕ•>ßWzºÄ„¯Öà*e–RÔÓóÄ}¸" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{8B4F961F-0B84-4201-BBB1-34E45368F39E}\DllName = "çUɹ)o\u008dqÐ9Á1t3ˆ\x05\"\x15;LÆC2ΣìÄÂ" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\svcVersion = "Ù2ÍÕþ\x19UÂá@%\\J‰a ’NÍm0\x16\x7fB%¯tÏ" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\ACCESSIBILITY\ZOOMLEVEL\HelpID = "\u00a0ØêÇ\rŒ¥c³Æª\x15\x15w=Ü̈ëß\x1a\aœ" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\ACCELERATED_GRAPHICS\Bitmap = "‹Ð\u008f¸‡\tpY²9\t-Ý2Þ˜\x1d8Sæõ&\u008dks\fv\x13" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{5A074B29-F830-49DE-A31B-5BB9D7F6B407} C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Internet Explorer\International\Scripts\7 C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{E97B5F2E-CA8E-4D34-BDA3-44EEC4ED2B12}\FWLink = "ÿ$çÞé\x01MŠ\x1bçÑÏÛ" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8999AED-AECE-4E27-9BCB-5358B13F9FF9}\AppPath = "€cƒ\x10$}ÙX*ª\x14¯m¯é¢öÊTë€a0j¿”i‰" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\CONSOLEBUFFERALWAYS\Text = "\x11áNz/î\f2¸Öà„òÙ‰’¾Y<ÿüºÐî6Pˆ," C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{48FFE35F-36D9-44bd-A6CC-1D34414EAC0D} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\NOTIFYDOWNLOADCOMPLETE\Text = "PCJ¢t>Û êIó¢ªä\x11>öOå\b<±Ré\u0081‰õ" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\LegacyTLSAppcompat C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\ULINKS\ALWAYS\CheckedValue = "\a¶\x13¦R‰QÀµý´á\"’À°öà\x16\\\x11\x0f–ëI\u008fæ" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{F5BEA1B9-FEF6-4093-846D-753C42A1B00A} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\ACR\RegPath = "—”<\x1et|¾0\x038H´à\x14Ùc\x10ÐMr-Ë4Z®‰|œ" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\ULINKS\ALWAYS C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{A17B153F-2267-4161-A165-73DCD6C31BEF}\BlockType = "mš×`\x17¼×œÀ`\x0eÒöØÍ;V†&U ÝÝúh\u00a0(±" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\INTERNATIONAL\UTF8URLQUERY_ALWAYS\RegPath = "™\x16\u00adwcüÈ#hzÉ\byÿ-R>:¶rzò\u0090Xƶ_f" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{9030D464-4C02-4ABF-8ECC-5164760863C6}\Version = "«†/U\beÖxЬÒÀD\b9A³8\nÁÖ¥<\x1fÁìO\x1a" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\FLIP_AHEAD\Type = "å¦\x1e•\x15ï\x0e»îøÁ^·\x1aìI“4ÏéH§Iƒ\x16\f:s" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{a4fbcbc6-4be5-4c3d-8ab5-8b873357a23e} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{E38FD381-6404-4041-B5E9-B2739258941F}\AlternateCLSID = "ô•Ÿ\a{>" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\ACCESSIBILITY\PLAYSOUNDS\Type = "ÄO\x1cà‹\x18\x19H•̵ ’¾»\x1a\x10O\x17ûÉëܵÍÌ\x19%" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\INTERNATIONAL\IDN_SHOWPUNY\RegPath = "\x11|yƒ[Ðõâ§ôUëv?\x1fË\u00adƒmAZnWØ»\b\x178" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\INTERNATIONAL\UTF8_URL C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{000D51DD-18E2-4D85-919A-10E3746C3F1B}\CompatibilityFlags = ":0\x0eU¹.$™Öª3¯Žý.\x17\x10RYÓ’³¸ß\x05‰" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{21347690-EC41-4F9A-8887-1F4AEE672439} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{E3286BF1-E654-42FF-B4A6-5E111731DF6B}\Version = "Ø»¢\x0eÃ…Ñ®ÅÈþå©K\u00a0ÂG}¿¡œ\t¡Óž·È9" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Internet Explorer\GPU\AdapterInfo = "\rfHh.Ù\f\x05-×{%ê\x01XkË—·—ÅÍÝ\u009d\a\x10U[" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\NOTIFYDOWNLOADCOMPLETE\RegPath = "ÆÈ\x0f\x02™½\x15G\n^û#Ú³£º\u008f“Íð7$È\x1eŒòëD" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\HTTP\HelpID = "\x7f|Rßé\x1f„>†ì\u008d”Óø¦®hüµ=ÙÅy0h>ó¹" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Internet Explorer\International\Scripts\19\IEFixedFontName = "]w)Aþ&\x19üN\x19L¶?XöÀ_A*\x05åêÔ\r:Ö-" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6bf52a52-394a-11d3-b153-00c04f79faa6}-32\AppPath = "•j\x16\x03bäRÒ\u00a0\u00a0\b<ÁÜ\x1eòk\x13K\x12í\u008f\x03ú*tsž" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{98889811-442D-49DD-99D7-DC866BE87DBC}\CompatibilityFlags = "Ä\x05\"@\x16ÙØ„TàŠÚ\x1e{òfrþßYî²óvö{¯Ñ" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{A3BC75A2-1F87-4686-AA43-5347D756017C}\CompatibilityFlags = "\x10†â‚žÃ;‹ï\u0090‹èrŸ¡©{?ýÛ\x1b«GlÚ§å," C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{3785D0AD-BFFF-47F6-BF5B-A587C162FED9}\Version = "\x1eIÀ\x16\x0fréád`NÛ=¶aßž¬æÊùöt\x1e\x11" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{D2CE3E00-F94A-4740-988E-03DC2F38C34F}\Version = "z\x0f´æÌ>:»jǬ\"Ý\x19œ\x12\x0eœßIÁßá‘·Ð\x17?" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\ClsidExtension = "•\fw¢“SÖ¤´\x14\a”NóÓNO=ôÍ›î@p@üj+" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{14CEEAFF-96DD-4101-AE37-D5ECDC23C3F6} C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{BF09613A-4564-4936-B6BB-B23B1D3D4FD7}\BlockType = "¡ÕUò<Ùa²Œë¹‡$½xeÚ|//jȨ°Àê\x018" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{CC7E636D-39AA-49B6-B511-65413DA137A1}\CompatibilityFlags = "<\x13ùH1¤Kò•\u00ad\u00a0Ô‡‹H\x17ô³\x01çp57E½î•A" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\ACCESSIBILITY\Text = "ƒÎW¨mrú!;Ú›ÐB\u008d»K1TV\u00adgœs\x14Äo‰Ê" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{4E7BD74F-2B8D-469E-99FF-FD60BB9AAE2D}\DllName = "îûˆS¢ð\vŽŸƒ‰Ö3œ”dzןdeaùŒà\x12\x03™" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\USEBHO\Type = "–\a\\¦%Š<T\x1fÁ>–ŸÒCŠ\x0f!Ë––‘PŠ@Cáì" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Capabilities\FileAssociations\.xhtml = "`¦ƒ\\jºÂ\x7fÏ\x17I3Â;ëŸÇؽ\bB„Ùø\x0f\x0e‘>" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{4A5BE5EE-CFAD-11D9-8FAD-0007E9AA247E}\BlockType = "žò‡®å%K\\fäçÒµ\u009dt\x1alòQaŸzÅ,÷\\ã\t" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\CLSID = "JÿBL\u0090w¶ñÐMµ¦ô*ò¢J8ÞØM\aWZ:LxÉ" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Internet Explorer\International\Scripts\9 C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\ACCESSIBILITY\ALTTEXT\RegPath = "\aæ§Ê\x14" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\ACCESSIBILITY\TEXTSIZE\Text = "ñŽ\u0090Bà´]¯ïôÜA€" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{C1D79200-7718-4656-A7B2-F23046E264E7}\DllName = "±™ó:lìbØ~Ë\x18ŒŠR¢\x13M–È\u0090" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Capabilities\Roaming\ThirdPartyCookies\RegistryRoot = "8\x05¬mž\x7f\x13\f\x17‡¹Ï¢o<íX'²NRß\x0eÓ!®Q" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{A411D7F4-8D11-43EF-BDE4-AA921666388A}\Version = "@\x14@ºÊU6‰& ¸olÞ¬ï8¨Ó¤Ê\x04‹E" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AboutURLs\NoAdd-ons = "4p)I9å¼L\x032…¥f\u009dˆ\n%tå¬ü7\u0090˜E\x14Àª" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\ACCESSIBILITY\ALTTEXT\HelpID = "\x06¢•í€ÅÇýi7î³µ§‘Ö\x12{I_ÊІ©fL/¬" C:\Windows\SysWOW64\cmd.exe N/A

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "š‰§,i™\x031B5Ô\vþþ\x7f\v*ÓÅbvÊ®\x18÷ȹ5" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "2H¦\x01Ý\x13²Í\x7f‚\x10 Òáê{Xìó8–HMɹ\x12[¦" C:\Windows\SysWOW64\cmd.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts C:\Windows\System32\spoolsv.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Devices C:\Windows\System32\spoolsv.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts C:\Windows\System32\spoolsv.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Devices C:\Windows\System32\spoolsv.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts C:\Windows\System32\spoolsv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Devices C:\Windows\System32\spoolsv.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "133727754256483455" C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\PastIconsStream = 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 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = 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 C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3973800497-2716210218-310192997-1000\{FE87EF6E-3C89-4619-9A67-1760D3D522BF} C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = 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 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "133727754256483455" C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\PastIconsStream = 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 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\Downloads\Unconfirmed 990982.crdownload:SmartScreen C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Users\Admin\Downloads\VeryFun.exe:Zone.Identifier C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
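
The two rows above are Edge writing Mark-of-the-Web data: a `SmartScreen` stream on the in-progress `.crdownload` and a `Zone.Identifier` stream on the finished `VeryFun.exe`. The report does not show the stream contents, so the parser below is an added example, not sandbox output; its sample stream body is constructed (the `HostUrl` is a placeholder, the real download host is not on this page). It shows what a `Zone.Identifier` stream carries and why it matters for the "Mark-of-the-Web Bypass" signature: ZoneId 3 (Internet) is what makes SmartScreen and the Attachment Execution Service treat the file as untrusted, and the referrer and host URLs are the forensic record of where it came from.

```python
import configparser

# Added example (not part of the sandbox report). Constructed stream body in
# the format Windows writes to <file>:Zone.Identifier; HostUrl is a placeholder.
SAMPLE_ZONE_IDENTIFIER = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://github.com/NetheriteTree/Malware-Database\r\n"
    "HostUrl=https://host.example/VeryFun.exe\r\n"
)

# URLMON security zones (URLZONE_* in urlmon.h).
ZONE_NAMES = {
    0: 'Local Machine', 1: 'Local Intranet', 2: 'Trusted Sites',
    3: 'Internet', 4: 'Restricted Sites',
}


def parse_zone_identifier(text):
    """Parse a Zone.Identifier stream; returns None if it is not one."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    if not cp.has_section('ZoneTransfer'):
        return None
    sec = cp['ZoneTransfer']
    zone_id = sec.getint('ZoneId', fallback=None)
    return {
        'zone_id': zone_id,
        'zone': ZONE_NAMES.get(zone_id, 'unknown'),
        'referrer': sec.get('ReferrerUrl'),  # page the download was started from
        'host': sec.get('HostUrl'),          # URL the bytes were fetched from
    }


def has_mark_of_the_web(info):
    """True when the file is tagged as coming from the Internet or worse."""
    return bool(info) and info['zone_id'] is not None and info['zone_id'] >= 3


def ads_name(path, stream='Zone.Identifier'):
    """Path syntax for reading the stream on Windows, e.g. with open()."""
    return f'{path}:{stream}'


if __name__ == '__main__':
    info = parse_zone_identifier(SAMPLE_ZONE_IDENTIFIER)
    print(ads_name(r'C:\Users\Admin\Downloads\VeryFun.exe'))
    print(info, 'MotW' if has_mark_of_the_web(info) else 'no MotW')
```

On a live Windows host the stream is read with `open(ads_name(path), encoding='utf-8')`; a file that has been unblocked, copied to a FAT volume, or extracted by a tool that drops streams will have no `Zone.Identifier` at all, which is the bypass the summary signature refers to.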

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
N/A N/A C:\Users\Admin\Downloads\VeryFun.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\Downloads\VeryFun.exe N/A
Token: 33 (unnamed privilege LUID 33, SeIncreaseWorkingSetPrivilege) N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
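
The table above mixes one row that matters (VeryFun.exe, running from the user's Downloads folder, enabling SeDebugPrivilege) with dozens of routine ones (explorer.exe toggling SeShutdownPrivilege, SearchHost.exe taking SeTakeOwnershipPrivilege from a SystemApps path, AUDIODG.EXE adjusting its own scheduling). The script below is an added triage helper, not part of the sandbox report: it parses these rows, resolves the numeric LUID the sandbox left unnamed, collects privileges per process and flags high-risk privileges enabled by processes outside OS-owned paths. The risk set and path prefixes are assumptions to tune per environment; path trust is only a ranking aid here, since the same report records the sample dropping files into System32.

```python
import re
from collections import defaultdict

# Added example for the "Suspicious use of AdjustPrivilegeToken" table; it is
# not part of the sandbox report. Rows are copied from the table, keeping the
# numeric LUID exactly as the sandbox printed it.
SAMPLE_ROWS = [
    r'Token: SeDebugPrivilege N/A C:\Users\Admin\Downloads\VeryFun.exe N/A',
    r'Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A',
    r'Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A',
    r'Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A',
    r'Token: SeTakeOwnershipPrivilege N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A',
    r'Token: SeRestorePrivilege N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A',
    r'Token: SeManageVolumePrivilege N/A C:\Windows\System32\svchost.exe N/A',
]

ROW_RE = re.compile(r'^Token: (?P<priv>\S+) N/A (?P<process>.+?) N/A$')

# LUID -> privilege name, from the SE_*_PRIVILEGE constants in winnt.h.
LUID_NAMES = {
    2: 'SeCreateTokenPrivilege', 3: 'SeAssignPrimaryTokenPrivilege',
    4: 'SeLockMemoryPrivilege', 5: 'SeIncreaseQuotaPrivilege',
    6: 'SeMachineAccountPrivilege', 7: 'SeTcbPrivilege',
    8: 'SeSecurityPrivilege', 9: 'SeTakeOwnershipPrivilege',
    10: 'SeLoadDriverPrivilege', 11: 'SeSystemProfilePrivilege',
    12: 'SeSystemtimePrivilege', 13: 'SeProfileSingleProcessPrivilege',
    14: 'SeIncreaseBasePriorityPrivilege', 15: 'SeCreatePagefilePrivilege',
    16: 'SeCreatePermanentPrivilege', 17: 'SeBackupPrivilege',
    18: 'SeRestorePrivilege', 19: 'SeShutdownPrivilege',
    20: 'SeDebugPrivilege', 21: 'SeAuditPrivilege',
    22: 'SeSystemEnvironmentPrivilege', 23: 'SeChangeNotifyPrivilege',
    24: 'SeRemoteShutdownPrivilege', 25: 'SeUndockPrivilege',
    26: 'SeSyncAgentPrivilege', 27: 'SeEnableDelegationPrivilege',
    28: 'SeManageVolumePrivilege', 29: 'SeImpersonatePrivilege',
    30: 'SeCreateGlobalPrivilege', 31: 'SeTrustedCredManAccessPrivilege',
    32: 'SeRelabelPrivilege', 33: 'SeIncreaseWorkingSetPrivilege',
    34: 'SeTimeZonePrivilege', 35: 'SeCreateSymbolicLinkPrivilege',
    36: 'SeDelegateSessionUserImpersonatePrivilege',
}

# Privileges that let a process read or rewrite other security contexts
# (assumed ranking; tune for your environment).
HIGH_RISK = {
    'SeDebugPrivilege', 'SeTcbPrivilege', 'SeLoadDriverPrivilege',
    'SeTakeOwnershipPrivilege', 'SeRestorePrivilege', 'SeBackupPrivilege',
    'SeImpersonatePrivilege', 'SeAssignPrimaryTokenPrivilege',
    'SeCreateTokenPrivilege',
}
# Path prefixes treated as OS-owned. Only a ranking aid: this same report
# records the sample dropping files into System32.
TRUSTED_PREFIXES = ('c:\\windows\\', 'c:\\program files')


def resolve(priv):
    """Map a numeric LUID the sandbox could not name back to its privilege."""
    return LUID_NAMES.get(int(priv), f'LUID {priv}') if priv.isdigit() else priv


def is_trusted_path(path):
    return path.lower().startswith(TRUSTED_PREFIXES)


def triage(rows):
    """Collect privileges per process; flag high-risk ones from user paths."""
    per_process = defaultdict(set)
    findings = []
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            continue
        name, proc = resolve(m['priv']), m['process']
        per_process[proc].add(name)
        if name in HIGH_RISK and not is_trusted_path(proc):
            findings.append((proc, name))
    return dict(per_process), findings


if __name__ == '__main__':
    per_process, findings = triage(SAMPLE_ROWS)
    for proc, privs in per_process.items():
        print(f'{proc}: {", ".join(sorted(privs))}')
    print('investigate:', findings)
```

Run against the full table, the only finding is VeryFun.exe enabling SeDebugPrivilege, which is the prerequisite for opening other processes' memory and fits the SetThreadContext and WriteProcessMemory signatures listed in the summary.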

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3788 wrote to memory of 1196 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3788 wrote to memory of 1196 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3788 wrote to memory of 3276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3788 wrote to memory of 3276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3788 wrote to memory of 3276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3788 wrote to memory of 3276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3788 wrote to memory of 3276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3788 wrote to memory of 3276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3788 wrote to memory of 3276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3788 wrote to memory of 3276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3788 wrote to memory of 3276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3788 wrote to memory of 3276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3788 wrote to memory of 3276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3788 wrote to memory of 3276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3788 wrote to memory of 3276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3788 wrote to memory of 3276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3788 wrote to memory of 3276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3788 wrote to memory of 3276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3788 wrote to memory of 3276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3788 wrote to memory of 3276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3788 wrote to memory of 3276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3788 wrote to memory of 3276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3788 wrote to memory of 3276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3788 wrote to memory of 3276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3788 wrote to memory of 3276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3788 wrote to memory of 3276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3788 wrote to memory of 3276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3788 wrote to memory of 3276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3788 wrote to memory of 3276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3788 wrote to memory of 3276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3788 wrote to memory of 3276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3788 wrote to memory of 3276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3788 wrote to memory of 3276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3788 wrote to memory of 3276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3788 wrote to memory of 3276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3788 wrote to memory of 3276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3788 wrote to memory of 3276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3788 wrote to memory of 3276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3788 wrote to memory of 3276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3788 wrote to memory of 3276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3788 wrote to memory of 3276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3788 wrote to memory of 3276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3788 wrote to memory of 1060 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3788 wrote to memory of 1060 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3788 wrote to memory of 3400 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3788 wrote to memory of 3400 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3788 wrote to memory of 3400 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3788 wrote to memory of 3400 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3788 wrote to memory of 3400 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3788 wrote to memory of 3400 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3788 wrote to memory of 3400 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3788 wrote to memory of 3400 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3788 wrote to memory of 3400 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3788 wrote to memory of 3400 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3788 wrote to memory of 3400 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3788 wrote to memory of 3400 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3788 wrote to memory of 3400 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3788 wrote to memory of 3400 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3788 wrote to memory of 3400 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3788 wrote to memory of 3400 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3788 wrote to memory of 3400 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3788 wrote to memory of 3400 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3788 wrote to memory of 3400 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3788 wrote to memory of 3400 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

System policy modification

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "¥Ó¦Ý›—Q\u00a0•WOtb{Nw\x17–»/W½†¥†6b\u00ad" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "°î¤\n%þç|ÑíÚU\x15ùΩg‚AÅÄ^®ðÓ\\½d" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\UIPI C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\UIPI\ = "öÎ\x1c-£X(¢ÕK^¹ß#‡kIÒ}ˆ«ú|®l" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Servicing C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Servicing\CountryCode = ":|¢Äí*¤ú±‘ªo+\x1bã$CÀÉMïc2\x19Á‘\x16s" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\cmd.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/NetheriteTree/Malware-Database

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff1e013cb8,0x7fff1e013cc8,0x7fff1e013cd8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,9236858062323969680,5848097070228129388,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1928 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1876,9236858062323969680,5848097070228129388,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1876,9236858062323969680,5848097070228129388,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2712 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,9236858062323969680,5848097070228129388,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,9236858062323969680,5848097070228129388,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1876,9236858062323969680,5848097070228129388,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4104 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1876,9236858062323969680,5848097070228129388,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5532 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,9236858062323969680,5848097070228129388,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1876,9236858062323969680,5848097070228129388,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5900 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1876,9236858062323969680,5848097070228129388,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6028 /prefetch:8

C:\Users\Admin\Downloads\VeryFun.exe

"C:\Users\Admin\Downloads\VeryFun.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x0000000000000478 0x00000000000004E8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,9236858062323969680,5848097070228129388,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5924 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,9236858062323969680,5848097070228129388,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,9236858062323969680,5848097070228129388,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6104 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,9236858062323969680,5848097070228129388,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5900 /prefetch:1

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 4860 -s 1196

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k UnistackSvcGroup

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 MicrosoftWindows.Client.CBS_cw5n1h2txyewy

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\explorer.exe

explorer.exe

C:\Windows\System32\ie4uinit.exe

"C:\Windows\System32\ie4uinit.exe" -UserConfig

C:\Windows\System32\ie4uinit.exe

C:\Windows\System32\ie4uinit.exe -ClearIconCache

C:\Windows\System32\unregmp2.exe

"C:\Windows\System32\unregmp2.exe" /FirstLogon

C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level

C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff7412c4698,0x7ff7412c46a4,0x7ff7412c46b0

C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\initial_preferences" --create-shortcuts=2 --install-level=0

C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x248,0x24c,0x250,0x80,0x254,0x7ff7412c4698,0x7ff7412c46a4,0x7ff7412c46b0

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\Installer\setup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\Installer\setup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x240,0x244,0x248,0x21c,0x24c,0x7ff7e47ceb10,0x7ff7e47ceb20,0x7ff7e47ceb30

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --migrate-edgeuwp-taskbar-shortcut

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x10c,0x110,0x114,0xe8,0x118,0x7fff1e013cb8,0x7fff1e013cc8,0x7fff1e013cd8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,9236858062323969680,5848097070228129388,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5992 /prefetch:2

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\spoolsv.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 185.199.111.133:443 avatars.githubusercontent.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
US 140.82.112.22:443 collector.github.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
GB 20.26.156.210:443 api.github.com tcp
N/A 224.0.0.251:5353 udp
US 185.199.108.133:443 avatars.githubusercontent.com tcp
GB 2.18.66.41:443 tcp
US 20.42.65.85:443 browser.pipe.aria.microsoft.com tcp
GB 92.123.128.167:443 r.bing.com tcp
GB 92.123.128.167:443 r.bing.com tcp
GB 92.123.128.167:443 r.bing.com tcp
GB 92.123.128.167:443 r.bing.com tcp
GB 92.123.128.167:443 r.bing.com tcp
GB 92.123.128.167:443 r.bing.com tcp
US 20.42.73.29:443 nw-umwatson.events.data.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 e11c77d0fa99af6b1b282a22dcb1cf4a
SHA1 2593a41a6a63143d837700d01aa27b1817d17a4d
SHA256 d96f9bfcc81ba66db49a3385266a631899a919ed802835e6fb6b9f7759476ea0
SHA512 c8f69f503ab070a758e8e3ae57945c0172ead1894fdbfa2d853e5bb976ed3817ecc8f188eefd5092481effd4ef650788c8ff9a8d9a5ee4526f090952d7c859f3

\??\pipe\LOCAL\crashpad_3788_VDAFFNYLBJFQDAIG

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 c0a1774f8079fe496e694f35dfdcf8bc
SHA1 da3b4b9fca9a3f81b6be5b0cd6dd700603d448d3
SHA256 c041da0b90a5343ede7364ccf0428852103832c4efa8065a0cd1e8ce1ff181cb
SHA512 60d9e87f8383fe3afa2c8935f0e5a842624bb24b03b2d8057e0da342b08df18cf70bf55e41fa3ae54f73bc40a274cf6393d79ae01f6a1784273a25fa2761728b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 35b049736e59b2c3636a4e5a1cf6b9fb
SHA1 413c2bb114cb2cf87f334537c96a70cd5534855a
SHA256 9ea8e3e466176976880c23aa10825c05159d79fd9f229040cdbce724ed982977
SHA512 39f203b0ff16c72ef7a3914b3be3ad8fc6ff1133d1cc9e5b799c8f8e851097a068784c7285f6b81fd151f3affc480352f158f73ecaacccf27c3ac33c8e1c0969

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 f70d6acb22b246a7469047841f55a128
SHA1 962864cfc5988d0bc02c93f96293dcdbb3feb5a8
SHA256 9047f412e3c95ddc7f3a87cb6f81a2d256de0146aa6d0dfd7c357c0dbab92cb8
SHA512 ba2860757cb0227f6308b5ea7510e5628c048e68881cd7589eb2e211f79a116f9341e40129506857e3b8878e2337a8ab7740d99ec605970c6705242e99d368af

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 7697e9ff795a2048d5df18e8470f2014
SHA1 4f9dc3a486a338e2b19aa129bbf02bb164a9e068
SHA256 e3c994b19066a05f347af8fbc270d25d28e040cb8b6856bbb0a25079773fe176
SHA512 1d26ff8146a4786fcce4cc257680ff777d54887dd202422a28e8238865f3178696c4e52ffdbdaa0cdbe8c3f4597f26f01cc122e3699109925b762a60895d7d37

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\Downloads\Unconfirmed 990982.crdownload

MD5 ef7b3c31bc127e64627edd8b89b2ae54
SHA1 310d606ec2f130013cc9d2f38a9cc13a2a34794a
SHA256 8b04fda4bee1806587657da6c6147d3e949aa7d11be1eefb8cd6ef0dba76d387
SHA512 a11eadf40024faeb2cc111b8feee1b855701b3b3f3c828d2da0ae93880897c70c15a0ee3aeb91874e5829b1100e0abafec020e0bf1e82f2b8235e9cc3d289be5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 4fab4d8b6050aae57fc3ee4e84f97908
SHA1 510849ebd979c9e51da24abb9810fc5e0d37b00f
SHA256 b4dbdae727c361978593a347f88f18f03b930c0d956b5c2c3058ae7ecc4d0514
SHA512 a5076966cc5f06894130cccb5fe8c37ade7f79be11812fc2139cbab3aa9dd90e007c3aada17e5d675c0bbe1b57bb0a5a2b30d6efcd6327198658086b4bdbb497

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 87f9a80542ef163ace4fcfa23877d40d
SHA1 67fe372410844a00bef1950b2d98b47f4aec5782
SHA256 539dfb8f23df223b3f9b5ea8a15acded7e56357431b9545cabeef398cd7b816c
SHA512 a221a3a9b82b9c42368d0f3d09e2fa387fa3b4f89db9df7e2b9e230e5a3d3f9bd6d68f54653bde739d331e63604b2a631440a8635abfa5a3b8b7f40a21106eb1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5800a7.TMP

MD5 7f7d8e814ee48d3c52c7653d81038ea8
SHA1 d6eb8fda47fb4086a832701b9fbdfe4e6e7f6e9b
SHA256 3b46aab595ff0f2bf5fbfbeafa81a7d7ed0b8b3e0f76eea284f0b7b0f6d61a92
SHA512 c37988f33f4dd48015970d559dc8d7e8b777f311ca605a2cce8e746c279f546537468900fff89d3ee8db2f2b21d9823cb4b5198f26a04d5946290c2c5ebab7b5

C:\Users\Admin\Downloads\VeryFun.exe:Zone.Identifier

MD5 fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1 d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256 eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512 aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

memory/2772-249-0x0000000000370000-0x00000000009AD000-memory.dmp

memory/3844-251-0x0000000001300000-0x000000000149C000-memory.dmp

memory/3844-250-0x0000000001300000-0x000000000149C000-memory.dmp

memory/3844-252-0x0000000001300000-0x000000000149C000-memory.dmp

memory/3548-253-0x0000000000A20000-0x0000000000B14000-memory.dmp

memory/3548-257-0x0000000000A20000-0x0000000000B14000-memory.dmp

memory/3548-256-0x0000000000A20000-0x0000000000B14000-memory.dmp

memory/3844-261-0x0000000010000000-0x0000000010013000-memory.dmp

memory/3844-260-0x0000000010000000-0x0000000010013000-memory.dmp

memory/3844-258-0x0000000010000000-0x0000000010013000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 cb9ec50751f12ccd38067e12b88d730d
SHA1 7b020da7d2ea3fa997d565a0f6674efb87c4fe4e
SHA256 2c3c2356804d7a3b385ea519a04f0ca54c20018d5345a9237b7295217d19b4cb
SHA512 d776243c511d57c0e431a0816233fe3ce80bcec2a12f315c8bedbc9669989e2699e22e88cab22f1a557c11e39f9f69ff750799a18301c92586c38a64628988a1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 fd5b0bda344b24a6c274c31cdc528460
SHA1 e957ce775bcb4effa70da9f2e55fc6ba0c6042ef
SHA256 453da77a8b1850a1219e144b855a2d37d7daab1e9ca5dd24c585910777e8472c
SHA512 d4c2b836d9cb7505edf94437b1412d492b0885feae866646176369acec4a5fd7673f934623b0e1c5e623d6f0b4654416cda3a697da4071fd86f3584b1e10ca17

memory/4868-287-0x0000000001100000-0x000000000120C000-memory.dmp

memory/4868-285-0x0000000001100000-0x000000000120C000-memory.dmp

memory/4868-286-0x0000000001100000-0x000000000120C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 5febf11061b104b47edbcddc5cf7a8f9
SHA1 b5feb5cd7b4cbd7b2de923cebb121c9cbbfe0626
SHA256 e66bbf6b1aef49fcde650a17986768b3f01d909ed6202be993404d7e1a05ea6e
SHA512 319965dd87259314151dca5434be91cc6230ed88ae9289a984350ff3a55430c2d956e4ab385a6187562c6c5a02e88f8411079f438d700fc518195676fd04d202

memory/2772-297-0x0000000000370000-0x00000000009AD000-memory.dmp

memory/2772-298-0x0000000000370000-0x00000000009AD000-memory.dmp

memory/3144-299-0x0000000000D00000-0x0000000000E0C000-memory.dmp

memory/3144-300-0x0000000000D00000-0x0000000000E0C000-memory.dmp

memory/3144-301-0x0000000000D00000-0x0000000000E0C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 9fe434bf71edbb1ad897954f3c3634ba
SHA1 1afeac9261202c7674e1c939b795a73babd9816c
SHA256 6129d4980f173221d6104de95e78c1c3090b0ef89403650ff5ac9e3dc29809cc
SHA512 791123eb19285143b93534a531fe3a9cbee516472f8679699e05df2cb7c2ddb39ff78dd2c511c9ed42733cb66d21e7ed50584cc1fcf771662dc910ad49f4d3e4

memory/4636-311-0x0000000000F00000-0x000000000100C000-memory.dmp

memory/4636-312-0x0000000000F00000-0x000000000100C000-memory.dmp

memory/4636-313-0x0000000000F00000-0x000000000100C000-memory.dmp

memory/2772-323-0x0000000000370000-0x00000000009AD000-memory.dmp

memory/4344-324-0x0000000000500000-0x000000000060C000-memory.dmp

memory/4344-326-0x0000000000500000-0x000000000060C000-memory.dmp

memory/4344-325-0x0000000000500000-0x000000000060C000-memory.dmp

memory/660-352-0x000001C023240000-0x000001C023250000-memory.dmp

memory/660-336-0x000001C023140000-0x000001C023150000-memory.dmp

memory/660-368-0x000001C02B7D0000-0x000001C02B7D1000-memory.dmp

memory/660-369-0x000001C02B7D0000-0x000001C02B7D1000-memory.dmp

memory/660-371-0x000001C02B7D0000-0x000001C02B7D1000-memory.dmp

memory/660-372-0x000001C02B7F0000-0x000001C02B7F1000-memory.dmp

memory/660-370-0x000001C02B7D0000-0x000001C02B7D1000-memory.dmp

memory/660-373-0x000001C02B7F0000-0x000001C02B7F1000-memory.dmp

memory/660-374-0x000001C02B7F0000-0x000001C02B7F1000-memory.dmp

memory/660-375-0x000001C02B7F0000-0x000001C02B7F1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 ed5f4213c17629776cd75510648fc019
SHA1 ebfa685dca9b7c920cd5ad521c03e4ad0ce435b9
SHA256 e969795f0e63ec8a35cdf34d5bc43867ca0825bebfed9734943e69b34ed2ad87
SHA512 71bcc166ae5a48f7a79aa5de7ecc7e10dce22c39240ca9ffe9d0f9340f40fc2a2429529cfee8b2b5d7082efe94921fa7df3454852d5313ff4093bfdffc189627

C:\Users\Admin\AppData\Local\Temp\RGI67D8.tmp

MD5 dd4f5026aa316d4aec4a9d789e63e67b
SHA1 fe41b70acbcba7aa0b8a606fe82bcfde9a7bf153
SHA256 8d7e6cee70d6035c066b93143461d5f636e144373f5c46bc10a8935d306e0737
SHA512 3f18e86d8d5119df6df0d914ebf43c1a6dadb3fdeff8002940a02d0a3d763e779068a682ee6bafe650b6c371d4be2e51e01759ec5b950eef99db5499e3a6c568

C:\Users\Admin\AppData\Local\Temp\RGI67FB.tmp

MD5 a828b8c496779bdb61fce06ba0d57c39
SHA1 2c0c1f9bc98e29bf7df8117be2acaf9fd6640eda
SHA256 c952f470a428d5d61ed52fb05c0143258687081e1ad13cfe6ff58037b375364d
SHA512 effc846e66548bd914ad530e9074afbd104fea885237e9b0f0f566bd535996041ec49fb97f4c326d12d9c896390b0e76c019b3ace5ffeb29d71d1b48e83cbaea

C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

MD5 f03191fa5af81f76c48bd686e4aca2f1
SHA1 901a1344fc96b972ec0b1db0176f06ad7001f18e
SHA256 179403a3a5c6a4b89aa5d8f9a0d98dfac86b83a5c427ae99886180461a32fb78
SHA512 eab37e61255821e197bb56d8cfc0f4f0ab8eaf934a4c8259be5ea947feff2b5b13ea52b0940fde5534c4e47e2352a20fa0475d44e8599bdd54551def7ee93563

C:\Windows\SystemTemp\Crashpad\settings.dat

MD5 5ea0af3df0a58bf83db24d7521c3144d
SHA1 aafb9d67aa452da608434ec3da86f564d4297d77
SHA256 bc1bd356997ebb74c1f7a4a6516aa179c4c03d9cbf1ff6759ca4aca6e74f31d7
SHA512 e543f28992ee947278fbed6e2c2f5844403595d3aa1f17fd0652f3a9a4d5823398342811dfec958a5946261f44564323bb802b0c4598d4384212a15974a467b2

C:\Program Files\Google\Chrome\Application\SetupMetrics\8617899d-a479-4236-8267-1a0839bde056.tmp

MD5 d7bdecbddac6262e516e22a4d6f24f0b
SHA1 1a633ee43641fa78fbe959d13fa18654fd4a90be
SHA256 db3be7c6d81b2387c39b32d15c096173022cccee1015571dd3e09f2a69b508a9
SHA512 1e72db18de776fe264db3052ce9a842c9766a720a9119fc6605f795c36d4c7bf8f77680c5564f36e591368ccd354104a7412f267c4157f04c4926bce51aeeaa1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 446add48d432e65f715a2058b14acec1
SHA1 a513a3e5b37f5dc0cddb71ae67bab0dc35567297
SHA256 952093f5ee18ece0a1f6dba5d2e3da695848b752ec243d1966eb9703bed4c023
SHA512 1f89f768b83ad82c19faf9b81e99dc09eb66eec784ff6f7954eb5e6129dd615895e0f86324fbaa1ce2d2e49aa8517923bfd87dd4e24351a3a79a546ef432fe9d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 1f1320913e5599ff13990c090ee9fdb3
SHA1 e78e63ce8d4d403fd5e74d4fd3d4d6a4795c3c73
SHA256 f7e138b3d28da4c5b85115027417b784bfdd58cb8feaa1461fce35255dbbe8b9
SHA512 5e42e8402ecfef5ac6928797160741bf99b3a2ce3ff01082cba6cb1223e1fa2032e51277b283c1985eb9576f7f7efa3da4e8c081b5c9c60e55825845c6023857

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\e05f8379-c3c2-4466-9b68-f6f3855934cd.dmp

MD5 f737245b6523f2515ff50894ee4aaf6f
SHA1 5527e5dc12f46946d06970d67e3ce343ddadda2a
SHA256 f0d9a253b2a01abb458fa41cc397552ca4509bade32184deb13d41170c23cf61
SHA512 8556232a760c6234988fb286d3dd04f869afc18192ba9cc13d28887772274978c7efe302d99883cae18a8940c48aa5d06f87ff192b6174a379f32d1afd0b1f60

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata

MD5 08f91db41321f9dd678c9962d9432d6a
SHA1 3c658c3aa83f6bf384b5f8d4c06ba0c7d278b5a5
SHA256 ce1d96c3832b805f4e56539949126e4197b4d09745964ef2fec5dccba2159b46
SHA512 98188575cde25c590791bf1dcb71dbbefff13bef5cd3ea9bcc4c5d1e128bb7eea6d654b771a39a9a0dcffcb0b37fac51b8720c962c0a1df652cd906baf57bed9