hxxps://www[.]youtube[.]com/watch?v=LJ3tzeHSgJs&t=717s

Resubmissions

20-11-2024 20:18

241120-y3ebpssbnc 8

20-11-2024 20:13

241120-yzfelasbke 8

20-11-2024 20:02

241120-yr4gfsslgw 8

Analysis

max time kernel
600s
max time network
602s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-11-2024 20:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.youtube.com/watch?v=LJ3tzeHSgJs&t=717s

Score

8^/10

adware defense_evasion discovery exploit persistence privilege_escalation stealer

Malware Config

Signatures

Possible privilege escalation attempt 6 IoCs

exploit

pid	Process
320	takeown.exe
5844	takeown.exe
5824	icacls.exe
5348	takeown.exe
880	icacls.exe
3840	takeown.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	UltraUXThemePatcher_4.4.3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	OldNewExplorerCfg.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 2 IoCs

pid	Process
6012	UltraUXThemePatcher_4.4.3.exe
2332	OldNewExplorerCfg.exe

Loads dropped DLL 22 IoCs

pid	Process
6012	UltraUXThemePatcher_4.4.3.exe
6012	UltraUXThemePatcher_4.4.3.exe
6012	UltraUXThemePatcher_4.4.3.exe
6012	UltraUXThemePatcher_4.4.3.exe
6012	UltraUXThemePatcher_4.4.3.exe
6012	UltraUXThemePatcher_4.4.3.exe
6012	UltraUXThemePatcher_4.4.3.exe
6012	UltraUXThemePatcher_4.4.3.exe
6012	UltraUXThemePatcher_4.4.3.exe
6012	UltraUXThemePatcher_4.4.3.exe
6012	UltraUXThemePatcher_4.4.3.exe
6012	UltraUXThemePatcher_4.4.3.exe
6012	UltraUXThemePatcher_4.4.3.exe
6012	UltraUXThemePatcher_4.4.3.exe
6012	UltraUXThemePatcher_4.4.3.exe
6012	UltraUXThemePatcher_4.4.3.exe
6012	UltraUXThemePatcher_4.4.3.exe
6012	UltraUXThemePatcher_4.4.3.exe
5512	regsvr32.exe
3916	regsvr32.exe
3472	regsvr32.exe
3448	Process not Found

Modifies file permissions 1 TTPs 6 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3840	takeown.exe
320	takeown.exe
5844	takeown.exe
5824	icacls.exe
5348	takeown.exe
880	icacls.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{27DD0F8B-3E0E-4ADC-A78A-66047E71ADC5}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{27DD0F8B-3E0E-4ADC-A78A-66047E71ADC5}\NoInternetExplorer = "1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{27DD0F8B-3E0E-4ADC-A78A-66047E71ADC5}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{27DD0F8B-3E0E-4ADC-A78A-66047E71ADC5}\NoInternetExplorer = "1"	regsvr32.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\uxinit.dll.new	UltraUXThemePatcher_4.4.3.exe
File opened for modification	C:\Windows\system32\uxinit.dll.old	UltraUXThemePatcher_4.4.3.exe
File created	C:\Windows\System32\themeui.dll.backup	UltraUXThemePatcher_4.4.3.exe
File opened for modification	C:\Windows\system32\themeui.dll.new	UltraUXThemePatcher_4.4.3.exe
File opened for modification	C:\Windows\system32\themeui.dll.old	UltraUXThemePatcher_4.4.3.exe
File created	C:\Windows\System32\uxinit.dll.backup	UltraUXThemePatcher_4.4.3.exe
File created	C:\Windows\System32\uxinit.dll.new	UltraUXThemePatcher_4.4.3.exe
File opened for modification	C:\Windows\System32\themeui.dll.backup	UltraUXThemePatcher_4.4.3.exe
File created	C:\Windows\System32\themeui.dll.new	UltraUXThemePatcher_4.4.3.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\UltraUXThemePatcher\Uninstall.exe	UltraUXThemePatcher_4.4.3.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UltraUXThemePatcher_4.4.3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OldNewExplorerCfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000c4d65e62b69e8e0b0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000c4d65e620000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900c4d65e62000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1dc4d65e62000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000c4d65e6200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 17 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensions\{27DD0F8B-3E0E-4ADC-A78A-66047E71ADC5}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensions\{27DD0F8B-3E0E-4ADC-A78A-66047E71ADC5}\DriveMask = "255"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27DD0F8B-3E0E-4ADC-A78A-66047E71ADC5}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensions\{27DD0F8B-3E0E-4ADC-A78A-66047E71ADC5}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{27DD0F8B-3E0E-4ADC-A78A-66047E71ADC5}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{27DD0F8B-3E0E-4ADC-A78A-66047E71ADC5}\InprocServer32\ = "C:\\Users\\Admin\\Downloads\\OldNewExplorer by VIN STAR\\OldNewExplorer64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{27DD0F8B-3E0E-4ADC-A78A-66047E71ADC5}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27DD0F8B-3E0E-4ADC-A78A-66047E71ADC5}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27DD0F8B-3E0E-4ADC-A78A-66047E71ADC5}\InprocServer32\ = "C:\\Users\\Admin\\Downloads\\OldNewExplorer by VIN STAR\\OldNewExplorer32.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27DD0F8B-3E0E-4ADC-A78A-66047E71ADC5}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensions\{27DD0F8B-3E0E-4ADC-A78A-66047E71ADC5}\DriveMask = "255"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{27DD0F8B-3E0E-4ADC-A78A-66047E71ADC5}\InprocServer32	regsvr32.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 355408.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
4532	msedge.exe
4532	msedge.exe
3496	msedge.exe
3496	msedge.exe
3988	identity_helper.exe
3988	identity_helper.exe
5904	msedge.exe
5904	msedge.exe
2824	msedge.exe
2824	msedge.exe
5588	msedge.exe
5588	msedge.exe
5588	msedge.exe
5588	msedge.exe
3256	msedge.exe
3256	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 23 IoCs

pid	Process
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: 33	1972	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1972	AUDIODG.EXE
Token: SeBackupPrivilege	5684	vssvc.exe
Token: SeRestorePrivilege	5684	vssvc.exe
Token: SeAuditPrivilege	5684	vssvc.exe
Token: SeTakeOwnershipPrivilege	320	takeown.exe
Token: SeBackupPrivilege	928	srtasks.exe
Token: SeRestorePrivilege	928	srtasks.exe
Token: SeSecurityPrivilege	928	srtasks.exe
Token: SeTakeOwnershipPrivilege	928	srtasks.exe
Token: SeTakeOwnershipPrivilege	5348	takeown.exe
Token: SeBackupPrivilege	928	srtasks.exe
Token: SeRestorePrivilege	928	srtasks.exe
Token: SeSecurityPrivilege	928	srtasks.exe
Token: SeTakeOwnershipPrivilege	928	srtasks.exe
Token: SeRestorePrivilege	5356	7zG.exe
Token: 35	5356	7zG.exe
Token: SeSecurityPrivilege	5356	7zG.exe
Token: SeSecurityPrivilege	5356	7zG.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe

Suspicious use of SendNotifyMessage 56 IoCs

pid	Process
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe
3496	msedge.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
6012	UltraUXThemePatcher_4.4.3.exe
4392	OpenWith.exe
4392	OpenWith.exe
4392	OpenWith.exe
4392	OpenWith.exe
4392	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3496 wrote to memory of 3984	3496	msedge.exe	83
PID 3496 wrote to memory of 3984	3496	msedge.exe	83
PID 3496 wrote to memory of 3540	3496	msedge.exe	84
PID 3496 wrote to memory of 3540	3496	msedge.exe	84
PID 3496 wrote to memory of 3540	3496	msedge.exe	84
PID 3496 wrote to memory of 3540	3496	msedge.exe	84
PID 3496 wrote to memory of 3540	3496	msedge.exe	84
PID 3496 wrote to memory of 3540	3496	msedge.exe	84
PID 3496 wrote to memory of 3540	3496	msedge.exe	84
PID 3496 wrote to memory of 3540	3496	msedge.exe	84
PID 3496 wrote to memory of 3540	3496	msedge.exe	84
PID 3496 wrote to memory of 3540	3496	msedge.exe	84
PID 3496 wrote to memory of 3540	3496	msedge.exe	84
PID 3496 wrote to memory of 3540	3496	msedge.exe	84
PID 3496 wrote to memory of 3540	3496	msedge.exe	84
PID 3496 wrote to memory of 3540	3496	msedge.exe	84
PID 3496 wrote to memory of 3540	3496	msedge.exe	84
PID 3496 wrote to memory of 3540	3496	msedge.exe	84
PID 3496 wrote to memory of 3540	3496	msedge.exe	84
PID 3496 wrote to memory of 3540	3496	msedge.exe	84
PID 3496 wrote to memory of 3540	3496	msedge.exe	84
PID 3496 wrote to memory of 3540	3496	msedge.exe	84
PID 3496 wrote to memory of 3540	3496	msedge.exe	84
PID 3496 wrote to memory of 3540	3496	msedge.exe	84
PID 3496 wrote to memory of 3540	3496	msedge.exe	84
PID 3496 wrote to memory of 3540	3496	msedge.exe	84
PID 3496 wrote to memory of 3540	3496	msedge.exe	84
PID 3496 wrote to memory of 3540	3496	msedge.exe	84
PID 3496 wrote to memory of 3540	3496	msedge.exe	84
PID 3496 wrote to memory of 3540	3496	msedge.exe	84
PID 3496 wrote to memory of 3540	3496	msedge.exe	84
PID 3496 wrote to memory of 3540	3496	msedge.exe	84
PID 3496 wrote to memory of 3540	3496	msedge.exe	84
PID 3496 wrote to memory of 3540	3496	msedge.exe	84
PID 3496 wrote to memory of 3540	3496	msedge.exe	84
PID 3496 wrote to memory of 3540	3496	msedge.exe	84
PID 3496 wrote to memory of 3540	3496	msedge.exe	84
PID 3496 wrote to memory of 3540	3496	msedge.exe	84
PID 3496 wrote to memory of 3540	3496	msedge.exe	84
PID 3496 wrote to memory of 3540	3496	msedge.exe	84
PID 3496 wrote to memory of 3540	3496	msedge.exe	84
PID 3496 wrote to memory of 3540	3496	msedge.exe	84
PID 3496 wrote to memory of 4532	3496	msedge.exe	85
PID 3496 wrote to memory of 4532	3496	msedge.exe	85
PID 3496 wrote to memory of 3576	3496	msedge.exe	86
PID 3496 wrote to memory of 3576	3496	msedge.exe	86
PID 3496 wrote to memory of 3576	3496	msedge.exe	86
PID 3496 wrote to memory of 3576	3496	msedge.exe	86
PID 3496 wrote to memory of 3576	3496	msedge.exe	86
PID 3496 wrote to memory of 3576	3496	msedge.exe	86
PID 3496 wrote to memory of 3576	3496	msedge.exe	86
PID 3496 wrote to memory of 3576	3496	msedge.exe	86
PID 3496 wrote to memory of 3576	3496	msedge.exe	86
PID 3496 wrote to memory of 3576	3496	msedge.exe	86
PID 3496 wrote to memory of 3576	3496	msedge.exe	86
PID 3496 wrote to memory of 3576	3496	msedge.exe	86
PID 3496 wrote to memory of 3576	3496	msedge.exe	86
PID 3496 wrote to memory of 3576	3496	msedge.exe	86
PID 3496 wrote to memory of 3576	3496	msedge.exe	86
PID 3496 wrote to memory of 3576	3496	msedge.exe	86
PID 3496 wrote to memory of 3576	3496	msedge.exe	86
PID 3496 wrote to memory of 3576	3496	msedge.exe	86
PID 3496 wrote to memory of 3576	3496	msedge.exe	86
PID 3496 wrote to memory of 3576	3496	msedge.exe	86

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://www.youtube.com/watch?v=LJ3tzeHSgJs&t=717s
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa3a0946f8,0x7ffa3a094708,0x7ffa3a094718
  2⤵
  PID:3984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,16396895285909654120,13541517697865252491,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
  2⤵
  PID:3540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,16396895285909654120,13541517697865252491,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,16396895285909654120,13541517697865252491,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2680 /prefetch:8
  2⤵
  PID:3576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16396895285909654120,13541517697865252491,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:3716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16396895285909654120,13541517697865252491,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:3524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16396895285909654120,13541517697865252491,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4696 /prefetch:1
  2⤵
  PID:4836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16396895285909654120,13541517697865252491,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3560 /prefetch:1
  2⤵
  PID:864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2108,16396895285909654120,13541517697865252491,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5168 /prefetch:8
  2⤵
  PID:3432
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,16396895285909654120,13541517697865252491,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6040 /prefetch:8
  2⤵
  PID:3876
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,16396895285909654120,13541517697865252491,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6040 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16396895285909654120,13541517697865252491,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1
  2⤵
  PID:4064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16396895285909654120,13541517697865252491,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5744 /prefetch:1
  2⤵
  PID:4580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16396895285909654120,13541517697865252491,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5684 /prefetch:1
  2⤵
  PID:3124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2108,16396895285909654120,13541517697865252491,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5480 /prefetch:8
  2⤵
  PID:3056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16396895285909654120,13541517697865252491,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1
  2⤵
  PID:4360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2108,16396895285909654120,13541517697865252491,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6600 /prefetch:8
  2⤵
  PID:5136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16396895285909654120,13541517697865252491,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6576 /prefetch:1
  2⤵
  PID:5192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16396895285909654120,13541517697865252491,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6860 /prefetch:1
  2⤵
  PID:5200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16396895285909654120,13541517697865252491,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6104 /prefetch:1
  2⤵
  PID:5596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2108,16396895285909654120,13541517697865252491,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6180 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5904
- C:\Users\Admin\Downloads\UltraUXThemePatcher_4.4.3.exe
  "C:\Users\Admin\Downloads\UltraUXThemePatcher_4.4.3.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:6012
- - C:\Windows\system32\takeown.exe
    "C:\Windows\system32\takeown.exe" /f "C:\Windows\system32\themeui.dll"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:320
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" "C:\Windows\system32\themeui.dll" /grant Admin:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:5824
- - C:\Windows\system32\takeown.exe
    "C:\Windows\system32\takeown.exe" /f "C:\Windows\system32\themeui.dll"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:5844
- - C:\Windows\system32\takeown.exe
    "C:\Windows\system32\takeown.exe" /f "C:\Windows\system32\uxinit.dll"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:5348
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" "C:\Windows\system32\uxinit.dll" /grant Admin:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:880
- - C:\Windows\system32\takeown.exe
    "C:\Windows\system32\takeown.exe" /f "C:\Windows\system32\uxinit.dll"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16396895285909654120,13541517697865252491,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4656 /prefetch:1
  2⤵
  PID:5924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16396895285909654120,13541517697865252491,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6180 /prefetch:1
  2⤵
  PID:5916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16396895285909654120,13541517697865252491,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6908 /prefetch:1
  2⤵
  PID:1668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16396895285909654120,13541517697865252491,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7108 /prefetch:1
  2⤵
  PID:5288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16396895285909654120,13541517697865252491,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3912 /prefetch:1
  2⤵
  PID:3416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16396895285909654120,13541517697865252491,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7408 /prefetch:1
  2⤵
  PID:4564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16396895285909654120,13541517697865252491,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7136 /prefetch:1
  2⤵
  PID:5128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2108,16396895285909654120,13541517697865252491,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7520 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16396895285909654120,13541517697865252491,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7220 /prefetch:1
  2⤵
  PID:1100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,16396895285909654120,13541517697865252491,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5608 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16396895285909654120,13541517697865252491,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:1
  2⤵
  PID:5576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16396895285909654120,13541517697865252491,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7096 /prefetch:1
  2⤵
  PID:5452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16396895285909654120,13541517697865252491,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6772 /prefetch:1
  2⤵
  PID:4348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16396895285909654120,13541517697865252491,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7108 /prefetch:1
  2⤵
  PID:5872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2108,16396895285909654120,13541517697865252491,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1012 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3256

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2432

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3928

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3372

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4a0 0x248
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1972

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:5684

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:928

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4392

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4708

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\OldNewExplorer by VIN STAR\" -spe -an -ai#7zMap19359:114:7zEvent15407
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5356

C:\Users\Admin\Downloads\OldNewExplorer by VIN STAR\OldNewExplorerCfg.exe
"C:\Users\Admin\Downloads\OldNewExplorer by VIN STAR\OldNewExplorerCfg.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2332
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\Downloads\OldNewExplorer by VIN STAR\OldNewExplorer64.dll"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:5512
- - C:\Windows\system32\regsvr32.exe
    /s "C:\Users\Admin\Downloads\OldNewExplorer by VIN STAR\OldNewExplorer64.dll"
    3⤵
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - Modifies registry class
    PID:3472
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\Downloads\OldNewExplorer by VIN STAR\OldNewExplorer32.dll"
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:3916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e55832d7cd7e868a2c087c4c73678018

SHA1
ed7a2f6d6437e907218ffba9128802eaf414a0eb

SHA256
a4d7777b980ec53de3a70aca8fb25b77e9b53187e7d2f0fa1a729ee9a35da574

SHA512
897fdebf1a9269a1bf1e3a791f6ee9ab7c24c9d75eeff65ac9599764e1c8585784e1837ba5321d90af0b004af121b2206081a6fb1b1ad571a0051ee33d3f5c5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c2d9eeb3fdd75834f0ac3f9767de8d6f

SHA1
4d16a7e82190f8490a00008bd53d85fb92e379b0

SHA256
1e5efb5f1d78a4cc269cb116307e9d767fc5ad8a18e6cf95c81c61d7b1da5c66

SHA512
d92f995f9e096ecc0a7b8b4aca336aeef0e7b919fe7fe008169f0b87da84d018971ba5728141557d42a0fc562a25191bd85e0d7354c401b09e8b62cdc44b6dcd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000017

Filesize
52KB

MD5
cb8e43faaf1779f8db6d7f5651087a0e

SHA1
033f5a56099cebf5afc655d99b21b480e1e91916

SHA256
38b662376e5dfb43216a55cd8f7715d11aa82e010b785a45582f7b0434d06eac

SHA512
efcaeaf81686ef53b8e7834bd8d4d9aae8760e72d94894b1098ff75ad278c5f4974ab704e0111089c067c248f3104923b9d2e399b527f42eb6fda4e1b89b6fc9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000019

Filesize
128KB

MD5
63917f5c6ceafef00c83cc5c0fe96f1f

SHA1
c8d748b7f92f0e6fe29200fbeb34f20b7d026508

SHA256
5a13a7c6a7daeba4145d66f007c484b15ac5552f0c88517da09ac860d897065b

SHA512
2d9cd2ff7a58b8a6f90b67aff07c01822cc17563d0f143a26aa27cb67fd7874c8d571d7de67019dcf25176a55387e865a00a8184cfa97be056fc75684193655f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001a

Filesize
129KB

MD5
6ecc0f4350e6f6705844d1b86c99adeb

SHA1
c67749beb833bf7bc4eac6fc5cab3f718f7ed5cb

SHA256
03aeb9b4d2057f467969f0878bdcec57e0d0a0e2e4d74cf4d9df3c08aec32441

SHA512
35b28d51103dcf807b69dd97126f30e836a469dd000d897bbc5d55faf4be5ceda78d7def738c51f0d0ce811ff5b85b120668ef9aa450d067e115d8eff9a08091

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001b

Filesize
144KB

MD5
13c30b075d5ffcb2a7189a2f24066724

SHA1
5d7171d0d6e62dc247e295cd6a28ccbaebc1b7b6

SHA256
156db399832bfbe99a8d58fc42d70728463d2dd7408bd8e857ea16addf91a762

SHA512
e893ed462590caa3e7b04dd4628fbe5f6ea9dd3e08e7c1cd0be2a0ff1805bb24a46bbe56de784c9b784c6dff5739feaef231d01996b13981cad7293068cfdb3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001c

Filesize
27KB

MD5
dc654d5da1a531fdb3b1bedb619b0182

SHA1
49d3de45bea7c279cf0ffe4cbc43c24779d1877a

SHA256
b395c195a5854253500b3b210e585ec801a47b49ce7b90fa5a9717df387598fa

SHA512
38952929cbf8e103cad50007cb492c93a7feb8d9d1853773883e2771cc97e50d6a514cb6347c912e7945d126a35677cca854ce8542e2210d7e59799238bae8fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001e

Filesize
18KB

MD5
3d1406e17e6ef2215ff64a7cae0f7af1

SHA1
2c19c3f7a48dfabe5acdc574d259a5b2b17cac0d

SHA256
0d99d4bdb6d87f9ed86da9abfecbe1e35df47aee4d47ec217e4d20c66c8897c4

SHA512
bce53c2a9dcc0b32c2e66b5f34d8bbbff174199eb4f887d13ac5ceae0e2f01b2772bdc6ab09be36b024421901e513d28be608a41675d520580fa20ce5c912b37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000023

Filesize
67KB

MD5
672459215c78c87c86cfe4af0efe598f

SHA1
cad4b454aa573f8c199cd63f3eb8b8f9c25f03c3

SHA256
d17075e32e425f00b58b4d38c3b733019d49990bca81e3a9fbe059460f30e6b8

SHA512
eb01a2d53bfb29e8925d9d96c02c245bda9a388c1a6f4415717711f9d0acc3942f9b6dd670b2f66ec5e23ba4a168a5ce1df47df204d690091817e61e86fa05ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000024

Filesize
20KB

MD5
fa4cc25f0f72ac052e9413b46705327a

SHA1
72127f17a73fdeaf1d867ff721f8115e90d82e8b

SHA256
62215bb3463a1bdbeab484739c056495d60f9e6feab8e3974cde6bf69504f05e

SHA512
b33ebe5aad7802e7aadf31bc490bb697a7a941c4ec9a03c211b42bf54403f05dba02fdbe42bd7c28a27e309c868f4d74c060840a4aefdff57ac9c5c2cb66921c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002b

Filesize
20KB

MD5
78b7e2bc0c3de7eac1c75d6a1eeb4c84

SHA1
b2fb8ccd4efb0195343f86b47d695b880ee204a4

SHA256
99af8df48b04e1f8036d2d85158afdc222d00bf53cd7245b0bc82583b3c83d5e

SHA512
26c78eb2b6b08205db7abe4c5a7c61a1aff33c0a49da9bdd600d299bb3e863dbba34fbc9a38f1cc879b3040d4f89c23a84046d830d5d928a97415c8bfc64d80d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002d

Filesize
59KB

MD5
27d4b0310ec1ff567f51a361ba9a89ff

SHA1
db74bf5e145da3dcb839c98a647b03af2e0bbfd5

SHA256
3664575694e7f097b307dcccf9eeebb3aeab7ed7c541f145bae68c176069eba4

SHA512
72d81ff7c9b284fdad3bf1ba273e8702e8e4b10d29906f2c9f4232247ebba87acb2812fb6826ae1fce92f06a6c9f46c096c1fb2b44a2d953b9531e732bd24115

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002f

Filesize
735KB

MD5
8f52cd2791679ea36f9e51b0bd3531b6

SHA1
d6bdd188012c1b1c10a632a9341294bbd1947974

SHA256
7cd9621446b31bf5bb83846d1bd5bcfc36480e8c7523ed434d6ce3681c02718e

SHA512
20b543874abbd672313c067205b5264d9532f26ef268a013af589d04aa5789093289370536956e909686904c68f25dddcbcc068156b6bb05098058257db2c9f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000030

Filesize
18KB

MD5
115c2d84727b41da5e9b4394887a8c40

SHA1
44f495a7f32620e51acca2e78f7e0615cb305781

SHA256
ae0e442895406e9922237108496c2cd60f4947649a826463e2da9860b5c25dd6

SHA512
00402945111722b041f317b082b7103bcc470c2112d86847eac44674053fc0642c5df72015dcb57c65c4ffabb7b03ece7e5f889190f09a45cef1f3e35f830f45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000031

Filesize
18KB

MD5
8eff0b8045fd1959e117f85654ae7770

SHA1
227fee13ceb7c410b5c0bb8000258b6643cb6255

SHA256
89978e658e840b927dddb5cb3a835c7d8526ece79933bd9f3096b301fe1a8571

SHA512
2e4fb65caab06f02e341e9ba4fb217d682338881daba3518a0df8df724e0496e1af613db8e2f65b42b9e82703ba58916b5f5abb68c807c78a88577030a6c2058

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00003b

Filesize
215KB

MD5
e579aca9a74ae76669750d8879e16bf3

SHA1
0b8f462b46ec2b2dbaa728bea79d611411bae752

SHA256
6e51c7866705bf0098febfaf05cf4652f96e69ac806c837bfb1199b6e21e6aaf

SHA512
df22f1dff74631bc14433499d1f61609de71e425410067fd08ec193d100b70d98672228906081c309a06bcba03c097ace885240a3ce71e0da4fdb8a022fc9640

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00003e

Filesize
41KB

MD5
503766d5e5838b4fcadf8c3f72e43605

SHA1
6c8b2fa17150d77929b7dc183d8363f12ff81f59

SHA256
c53b8a39416067f4d70c21be02ca9c84724b1c525d34e7910482b64d8e301cf9

SHA512
5ead599ae1410a5c0e09ee73d0fdf8e8a75864ab6ce12f0777b2938fd54df62993767249f5121af97aa629d8f7c5eae182214b6f67117476e1e2b9a72f34e0b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\0964bcab2451c6ce_0

Filesize
3KB

MD5
31b6bd471a2bfb4168126bccfc905e65

SHA1
258a4f27e0370ad68c3a69c20c70dd42608e9260

SHA256
9eea605d6c6cc3d502415c007a9c7ff0b9e65f79b89f60a387102506621cd42a

SHA512
855f0af1dbddcd105ac1adadc7000542d31f3594565828ba23dfaa9585b01889ef544b45543ce1101673b7c9b27ace80f0829e52661b2968fb62cee7c0a97ac3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\38ec6aaa20914062_0

Filesize
55KB

MD5
12fccb78ba1fc4b91b3fdb09656eaa14

SHA1
002f042a1ae5d10d4d3927477c0bff4c934f65a3

SHA256
c60bad81cc21c0d61a5191d9b48f933ed30ab57549a6d75f0ded8bc929284bd5

SHA512
40b840be044f5215f81b98b548655779c63ba1d0256bdcbd681a27926efc7bd025aa9eddf13e6700a6b81267cb8cb9769437ab60cb576b5deef742bea7471015

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\624707299fb1250a_0

Filesize
3KB

MD5
9bf099b48af03f5ed7e350d2457d7da7

SHA1
6b7a54f9ab0f7408850d28a4064a6eaba74483eb

SHA256
d77654103d40faba34d224ebd9b91bb4debd21351884bb466b81c152a7efa8ab

SHA512
8b847df211d41dc17c34dfa0977eac47f44390ffac813a8fd148672b5c1a731e917addffec36a311b42a58746b0fd73bb0958a00b2414c9ba22bdff845ad6264

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\70de4bf191ba3788_0

Filesize
322B

MD5
7e1ec75cd7c579418d5262ad17573f62

SHA1
427e95b96bd6cfdade7fab2efee7f28cebcd25ad

SHA256
bc6739ade3735ace3a7b3f16d0940e127bd9ca05b6ebdc9c04874aabe327a22e

SHA512
a4be7204b80cfb60e746d3eb006ccec020cc8c05b8f30c2d6a326d1324cee98c94d75abc21fd882fce7711e31bca208294b13b99ea79dd1fde8bb9438be84e7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\a5dab6e32a512ec4_0

Filesize
32KB

MD5
4c699684f6290e0aaa417e9b2d8a72cf

SHA1
e299d932c0ae01ed9b3372d2a84dcd37f12bc784

SHA256
19f5fb45025cb0021e7bd9be1a43a619be11db8e6832b0fac140111e794ffa70

SHA512
bfe115d6bb697285377c35207a11134cd8680cb5d792b0d483228870823ab64b7593fcaf6356bf1e204f5a020693605795091a54c3b00baf9b32a0d8d00b638c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\f42871b813c540fd_0

Filesize
66KB

MD5
8e18fb164449d14d0c73947920c3282c

SHA1
04cb6b9b2b0c0cf2ac5112d2d1cb05a014915b67

SHA256
a549763ed24333e253654c1f98754e5ec77900fc978189800827f1647a8ec802

SHA512
c7a310485ebb23748e0ba5a989308b2eea9254fd307f750f232fd98a9274217bca6b9555aa55021204f3b78c4916692474b364bae06d1958532bc437df1308ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
0afb3e233d11f6e97bf005e7ac8dc44e

SHA1
af2cebf7125dfc75d8195289370982926d781057

SHA256
85842f2c362209732e60f7a0ed843e2aadd25cf0a46b36959be9ffb5ca17d631

SHA512
0d2945f03f6becb98cf4ed90f69accc9e294412f5aea95b7a82909a2eb6ad14c675d1608d99995d3520d849b22a0c9c8e4b658ebe5076e888887baa96b282e00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
287af98cee036132859279f760e6bb0c

SHA1
86ed75826117b9ecf49440aa0c1b4211cf946272

SHA256
e2bae7997ebed53b6fb8d15efc4dada9cbcb2662b0948fce84a53455bdee6484

SHA512
409f9b9edb56bf096ac037292277b484299610ad540016a9191bb460e7ddfcb8d4cab772d370ce993c892d44fc491d4613bf60c07eac50ee79f06c02022ab51e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
480B

MD5
dcbcef44a43e36e4f311b37443c11f96

SHA1
9d0a02db56633010a1548c0a9eebf5763fcbaacc

SHA256
b2c5e1da8f5ea64bb58bd430ec17377b5f36e428649cbeedbb802f2425de3821

SHA512
d892547602d4c1e32294e8ce7b4bd1c8a8beeb7fd5b51de5ea922939553c14380ba3bbfdc7484e9ab0e0eaeea1159b0570ea42419595eedb7e6b499422e2b10d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
a10bece9a9c2b08e40a039bbbeebeae7

SHA1
2359183886b03033717313a325efe52663909bd0

SHA256
cab8559358540c320ec28921b8c5d3e3e4ae618def297a048297588c5c31ce9d

SHA512
541871d4754d33f8041f29bb7a3738e906d5141c98e185428ad2bed99fa1e2a79522e54f2d9d336abe5c6a370972d9cbd5b3102ab327ea1c0abc2cd9ba9894df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
1482c96bfb2f145952bf706eb4e3fd8a

SHA1
472b96bcb594705b692324339429a0adcd50c713

SHA256
c5ede5173078515f46e532744a5f7b01deb468cc86067d8e0bbe54b1c2342249

SHA512
a624ff5339b7aa0df390767cce66d850749e28c49ab454304dcfc2990e744f96ff44ea9ab9f8d20beb8400edd033f97580016aec042fb8784dbc54581a20ee5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
42ada32dffb67a2b7120b15c85e3f54e

SHA1
05b89adeddf25fb76cd989e533e30fed3e673288

SHA256
2b865a87cc13f94ca0baecd67109c279ca2fceee8d54084701091ac82531bb4a

SHA512
88eb68007086ec9de64d4cf62fce81c4d3337a1c3ce5cade1505b2479fdb2dbabfabc45951e5d54d4e46bbf38921eabecf0b3738ca35aa99260563e87301d47e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
4b95fba3162dbcba63b9b73a9b6c7cb5

SHA1
d28138486506f510a49598d91ae08d069ca56195

SHA256
484d7dfb1bc9f19001e29fd870fcafa759482177c66da8dae302afa2e00e0139

SHA512
74e1b7e0ce1e6180a839d14d4a6783295190e3a2c1f52473ee3f923efda812dea49c1927fb93bd257bd0a4be75269e27b889042c7566e7d892ebc3b2cca580a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
0c234d1437a35e55186f52b96abfc369

SHA1
e907520d0e60bfb91655b4a8058cca83f8211ba4

SHA256
be9a1d65e4c700d73e2fbc44162e4d02adf67f15729be1c4c8e4a25544480425

SHA512
d87baaff4b4d52844276d53844b9516d4f7cd36d0ff71fe4d81515103cec040be727e4dc9b61087b9a643a131707147ac2ad08ff256d6c852bab258766672257

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a89a8ce7a19fe68a97204ae1c258856b

SHA1
d494c67677633e5de159fb7cedd2c98abd3864b3

SHA256
323a67776242226eb58bdfb198bae8fdaade63fcdfedaff3f09f86cf245842c0

SHA512
8fda13a7f0667651d715aa89aa5648049275f3575e42b9b894ea7fdaaba0def7e3886f387934bf8b800e0fbfdab3d4fe750457e99de2cc93be07f2a62c35b55e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
06140dd4983c9edcb7c139c34e80e819

SHA1
0dfea323bf9fab791fd55439570188504efea07c

SHA256
41caaad03f6abe44006804f412610b7faf72ca6f0f4f69aa0774bf11a0b76dfd

SHA512
d489fc1b2d6b2ce6181717356d97c6a8350664061c48b20760a40d075c006933d452d98209e4620af9008e9f3c41a76e83f9803cb437389285cf06255df6120c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d232a226f1e182c02136e6be060e60b2

SHA1
53797c40015ed93db8953884366aaa93aff3fd3c

SHA256
56b5248242f4f6cc9e5b7ea124230fdc220ea9e54625d05773376639ed8fd0c4

SHA512
5e0843ec0e9fef52d820e1992ae0f589e86b565ad2fd7e171403dfdea3d11a766ae2d1c1338fe3e94fbc88b67a8945c4d980c777991df6efb00732fba892186f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
ddcc59e555498702027ee1ca0e0e8be7

SHA1
bb094edb45440e577514a0dd87a269cf47e14b80

SHA256
9a68709a3810ae2bcda699dff6d1b3e848e6ef9bab571d567fc9e0b2f9601c5d

SHA512
50c9773eca200bd727ac660e2ada36888dcbd7430ab8b20b1f7f2ec941c8a139e2efad1d27c7537bb30e06d28618d48660ad0c360f12d47ae2559ba6eccd2c8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ba7e75a6bc017448eafb494e28625f6e

SHA1
41635740f9330707d02730fc9db71f1ebdb881f2

SHA256
461bf234e3d09320a3f027e49cdd005126225ddd32d8210fa9563cd9cd656fc1

SHA512
18896683642df17151303b2b4d8a3a6c84b52ef2d40c01c2852547db47d1c336fd278de261846c229aed0ada45b510b7fc709167eb5a02fb6e32299ddb6795f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
5caa822224cc858303d14bcc57d45749

SHA1
a0ac5a27fdeceb9778d9b103c443d1782caad7f7

SHA256
71be4f3419f10c27a52564220988298fea0d7423e592b2a134e40f91eb6522f7

SHA512
12907553f8fa1ed5d755a6ff436ec7877f271d2d2b0aa037d9736e93cbce0fc253253400be4c62b6ba95648e1aeedae5e94b4ad1ecd4c31fdf02a11c939d5274

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
279873bbea59254ed837030e11402b98

SHA1
8dfed72313900595b277ccca5868d373623d3969

SHA256
f800a57aa06c669b6cea65a87e00425925add6ce1ad28c9d0852e4c64f8cf840

SHA512
b283e687774466f097c347b94f1445f1257894812e66a5b7767eccec4e0e5780eee2aa21cb6c5324d3cf59b66edd1f961ea365888ed996b1551e55223a721133

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\996eda2b-8187-41c7-9704-23288620e808\index-dir\the-real-index

Filesize
2KB

MD5
eed53b13f90bdb080a89da1f03b23a7c

SHA1
28c13e42f3bc3cb12e7333197a643b94b4278537

SHA256
24f9577c0958f0c9cd45599138d03e42f87afcc55b66eb8412b7ea10a542a08a

SHA512
adcc61688e990eef2681ee990d08df315c7f19a01e457362c6d25769a8d58198913d0e73c73c3bcf1f2119a68c72b178fbe6f01ab83decb8fc171b43e3a2ec70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\996eda2b-8187-41c7-9704-23288620e808\index-dir\the-real-index~RFe580f4d.TMP

Filesize
48B

MD5
7e7d7d6d878995b0c8e6b5420661de52

SHA1
abce5eea20531a5adfcac390ee4d4f47cd9df5ae

SHA256
7e23caac41e535b1fb76b781ad94f08e60946895507e833618119b1527122a9f

SHA512
5a7f6bda363726179959ba1792cc2866cc753fc27a1832648cf1bf74da0e40c90d98945b8407dd2703d463986fa7bdcd112784d744af66ee38eb9223fbb5b589

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
d6a5fdaf5e3cae146ea70f687f40efcf

SHA1
26186591bf1a1b9abe9eb7cee486fbef4e016673

SHA256
b7376d7ecdc491b06b802b985b0f65e7d6d501c5e7a5235dd953572f780a3822

SHA512
bbe53da497f9c4899fcbeae47f8a642ebed66ceda59dbf5b0523b87232cf8237ad222781a62459c823a4a5bb9fe761d4afb99af7a7ab889064e66931d1b4bc86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
84B

MD5
01cb5b715ef503e3414b719f7e7e8f72

SHA1
dc64903968a687efb76632d861b83e8aaa6341b7

SHA256
e6e81488c08e93284f1dbab9981de66ecfd07ce952c3b65da8a869ac0c53ae1c

SHA512
8dbfc45fd00d14199606514071fd55582296b3495978feef728f753703e35acf9df4ae4690585fef9b8a4b08b011db5df813a7007f787c9903d7d7e424a09001

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
82B

MD5
ed3f6678f52f03b2b8476b360314e036

SHA1
cfcdea235313d5ed650e309f084fe1e759ccf185

SHA256
8990a3048df19ee3427b9fc82c12dee9c7d33776d09b336bd71fe51f4b68b881

SHA512
b504fe67ea4a19f25beb64550e6e277019ff90a79bee7632e1acacc8b59ae978aa6359455a9c52f3ecb089192fb9e5f8eff21026b76b204ffb2261f4af915b78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe57a9ec.TMP

Filesize
89B

MD5
fdfe9fdc650059904aeb9acefa6b41c2

SHA1
4c587c7e7a6ccd53b470882e25da873f4894583e

SHA256
4b269c8cd19e4ff71911934a7b2a6b77b16b3e9aa90d5ebce806351f07f23cf4

SHA512
42bea43af427d2566639bc636904d6b983befa470bf1d941d8673dfbfb1cc34dfb91ec90f1517c75a563f4704eda954ed8e4ce5ffc7525e4368ff6fd6a424445

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\d1efbe177db08afcba19ea1bcc8be5504e691327\14b97739-c520-4913-ab33-d02e8ab7ccbf\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\d1efbe177db08afcba19ea1bcc8be5504e691327\index.txt

Filesize
96B

MD5
a31021e3d2c49d25d3d95a9401abdc12

SHA1
f01993142773cb0907bf8beba4a815e6bf4b856c

SHA256
d81da7c1f5a2e836b32b10c46764b31a35e932d05b53ec8b991f21b8b01f5097

SHA512
dcaf9fd53a389ac1404eb41b3936609c75b5619a5936f35951f4793ce96b0c7e5d218b4ef1e168b61b7604da4693dd35187b60513eca855b892f2657a8e1f531

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\d1efbe177db08afcba19ea1bcc8be5504e691327\index.txt~RFe58aeb9.TMP

Filesize
103B

MD5
40147716c83e2f1d04670981b9a3adaa

SHA1
c822d42b1b2c6d7afbbb27e6f62c13e030109092

SHA256
e4de719a375ec13d7000442e4bc8b5ca1e18e79ae5f65f1ba28328a7eebed1fa

SHA512
79733d367ba9afdbf06b632f025c6364f4544b1bb418ee306c2682b44f633ecdb4a73f2e3c95a31f302b93cc975c7592aba7f0b357938b3e0650f1fd28e7bc03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
05b7ab418977604bd359078222ef0686

SHA1
4850fa8eebbef93a58b078e32912e3b74461f496

SHA256
76a80fe66713db2023436f4ebfd0ed8c5126d805f55904f52920e747b77651f1

SHA512
e4ffbb68d6af7dafd0789f1d8aea6ea8e2aa83d0f3d246163fa629f19ef99002dc298d416bfdd8418677fe0b254d5cedb9dbebc2481bc40cb72efb00f2f26ff5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
1b7e1a7a56deec029090d4543d24bc09

SHA1
95e08582da095fc66faba3de54af74addd425f6c

SHA256
e8a78c6323d519e3b1dc13eb7e87602b616a082a31fae70d4d0abcb491fce921

SHA512
cf1c9666b01c78b0ac2ac1ece6ad32672b3d57f668efa52ed6363654472955b115dff4a4092e8623505a48737b82beeb53153735db9d88df90d75e8ba3468241

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
1a15ea135409488d260c0f81bae6a49c

SHA1
ec76275b130e4c4a3618ca1e10a7085d2a213ec3

SHA256
29243e8a630ae21ee5b87988399263a1b2d9709bd77ad4e180c3eabfb79a307b

SHA512
e7c831283ee045bce4054b6c805e88b9022d48c9478ab874710f32926907cd89796701ea6007c4fb209e0da32e38432e20da3649c86413a0d8be4a089a9a27a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57f9b2.TMP

Filesize
48B

MD5
788199d69f93d2ec23380bd28c8a3860

SHA1
69dbfa394f261bde163571ba04dcb4eb6b32bb49

SHA256
968ae3d8005c829faac116e6ba6dc75c53a8d4c9c5557db6e0bc2f2aaf2579b9

SHA512
14129f0576eac7881994b2caa013d59289c68ec9797e9294d2299f90a7d042ae836ae8a12e69f24d0cee4e88f2ba8c4b8bec5fc857e6990620b5b54e63cc2f69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2cda445352bcb6d1f5ad2d723c0a94c5

SHA1
a28a9662da8c90d3ca57371a627f469afe853412

SHA256
9a753aaa806c6f5c21988bfd525ce22f10cd8c97067f77eeafa1d95d252ae538

SHA512
8913f47e693f8a2b7eb2a9f94f1af823329c84696157cd87880d15de3f589bddf2bdda8ebc6039cefc6aa4abe0a6e548def7686f7d3cc972248a4abfc8de43bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
8bc718c8b4783bfa9a4883bb3e312b09

SHA1
a91885c06a4edc208c98e6fb5059ca4f5cc01faa

SHA256
9216d8bf9c9e21c5f8552df19810cb97048cb34a06fb88abbc03b96e73e186df

SHA512
9065f90b6144925c2b7b790f7981363b427d6f0747a0ae14267b0103013bfd916bca2d9f0ffc4bf19db5a2ab23d5c3fba231b4d675e2ca8544859287e25eaa76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
871B

MD5
7523ce452c6ac860272de69b3d545743

SHA1
9af4a8e0234763199f1253e44002ce1f5283da8a

SHA256
15c99212748f37281000c779e0e969818a6c2ad71f5ca063afc1a72ab247ae4e

SHA512
b3644c8cb5f23f2d8e20f1439961d2a973434b5261a5816559b49b75817a796a909a81fae769c68dc01492bef2a29fd024e3c8f17a4829efadb5f4f4e2dc2ec0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
834f3cc9f25e6f0e7623176219139e08

SHA1
d921ef1cddd7287cba7e9c33e9d8acb81f42ae46

SHA256
d089c9b5924e9c412285d4a9595e658b318e1f561ab5ebe407b64738a636bbd7

SHA512
feb891762d5fc8e6e2a6b43c6aedba51dad952a414be4a86e999f742c6bc77e93f8079b554d80ffeda57f930571f56c474a7ca17b089824d3edd12bd56826dff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
dfae8637d55ece69faae9557474a27ae

SHA1
3c97bc6e2a8514f92cc9eee44bebb4f40d031ebd

SHA256
515854c3eb7815334ae9953940bfbfc95dcb0289a7481ba5ba5284bc7003b6d5

SHA512
9391c3df3b8843f15d21ac598b7968799d18e93d93240a10facf5259f11d67ab4dd26650e8b96603a84f5f593e3a943d4c22976b5033f282a2ef095cb4ca5cfb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57fa0f.TMP

Filesize
704B

MD5
a01f24c454e332e1803665814e2bdc5f

SHA1
be63c1d87ff90a482786a0c1177451a7fc95caa2

SHA256
00078947481ecae886f9d4fd6f259695faf9ae2ee35db5841095742fcaf88dbd

SHA512
077a4e0b65dda73e56c8c2650747552d65dea05b7060943946efba7e0731a03d2a7f21e57acd4b1a16cc4f9ef3667d74a68bb9c1330226bbfe3fb5380ea6ace1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
e7ce8d9bbb4cd07d00e9527a364d28f7

SHA1
df125d33eb8198b3c0eff1ff7818660ed46170e8

SHA256
743827d55f1c8b72d420a399e209e0a9c055f3678ced1225afc78441852cbd94

SHA512
a16128cc10d5a536e26b4e0e77a75fe47d363bf01de2c3a0509a34f9b1334890edf597a385ef449049b836ebcdaab8221224f7a4cc38842dab1037fdebeb547b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
52a28147b193d4b04f3ef05fb0ce4896

SHA1
55e2de1087698af1dfb9813019114e202539b187

SHA256
ac6fb3cf24eca8c97e2d062a856b71a55bdc60f7af593839834e291565db57d3

SHA512
e45e236132228e082e2c0c6d1db3a01607fdb720f808b7c540783aeaea455b58f29dbb71128749b6ff4644399238c73a344e1f5534734f3fed89a89ec3e585eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
4f945ff92651d539b266db08139c37b6

SHA1
581143e5b772fe80102ce747751d67d5f69401b0

SHA256
0ad535e902a45843b18ba9f846557ab894b5fb512b869209947dfa3e4a0035fc

SHA512
8da3c5ca9b73237ef8796d20b06f767fe5386785b33996ad407c106d0aa7bf5309e76c79b089a7a54c1309e7ab2244b721d6d03529298b1dd23d8bfb1708f668

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
3dbc59fc721f10b30d4490c993d38ce8

SHA1
9301e9a6021853a82071af89f7fcbce740bfa60f

SHA256
db0b8a87515bedd33514f940ae827a6da3e4b8b0b0e9b99edc4f2f17b15e69b5

SHA512
6854e2233180d8a008671fe2da1283c9381ed451a042d96d4fef3fff093fb0a063126b153a73864ae1f2f2daf976339424cc127492cb5bab0d1af90882e9b6a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
3d8e2766f330c0dcbd33caacc318318e

SHA1
c4fe37364b3e48925befb7de0972879c4c9e1fa1

SHA256
f788bdc4a012c9b58587a2e5e5dfa938ed6bede37ccb82b2dbe660ec02bc5d8c

SHA512
0ed503c1338948c11a8528aa8d160d8158b20144d70559855a8e20aa565b37fb909cd1def8a40cceeaae5c4448e7016995756d0270974a9ebec9e3bfa9501f76

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz28C3.tmp\SysRestore.dll

Filesize
5KB

MD5
4310bd09fc2300b106f0437b6e995330

SHA1
c6790a68e410d4a619b9b59e7540b702a98ad661

SHA256
c686b4df9b4db50fc1ddb7be4cd50d4b1d75894288f4dc50571b79937d7c0d7e

SHA512
49e286ccd285871db74867810c9cf243e3c1522ce7b4c0d1d01bafe72552692234cf4b4d787b900e9c041b8a2c12f193b36a6a35c64ffd5deef0e1be9958b1f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz28C3.tmp\System.dll

Filesize
12KB

MD5
192639861e3dc2dc5c08bb8f8c7260d5

SHA1
58d30e460609e22fa0098bc27d928b689ef9af78

SHA256
23d618a0293c78ce00f7c6e6dd8b8923621da7dd1f63a070163ef4c0ec3033d6

SHA512
6e573d8b2ef6ed719e271fd0b2fd9cd451f61fc9a9459330108d6d7a65a0f64016303318cad787aa1d5334ba670d8f1c7c13074e1be550b4a316963ecc465cdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz28C3.tmp\modern-wizard.bmp

Filesize
201KB

MD5
5f728e4e6b970db76c64be8ca3cafc87

SHA1
b7481efd9f6938903214451d792a8b13a645c922

SHA256
aea40659bdb08337064640ea8b4f171881d37456b37b3e2899349ac04f0889c5

SHA512
2cc4e870290f8faddc8eca1a03a1efb34711b3951e263a79f259fd998a9a1f957dbf58c110c5fe64febd414ec7a22e125353f9d5c363866bd0d4298452fdadc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz28C3.tmp\nsDialogs.dll

Filesize
9KB

MD5
b7d61f3f56abf7b7ff0d4e7da3ad783d

SHA1
15ab5219c0e77fd9652bc62ff390b8e6846c8e3e

SHA256
89a82c4849c21dfe765052681e1fad02d2d7b13c8b5075880c52423dca72a912

SHA512
6467c0de680fadb8078bdaa0d560d2b228f5a22d4d8358a1c7d564c6ebceface5d377b870eaf8985fbee727001da569867554154d568e3b37f674096bbafafb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz28C3.tmp\nsisFile.dll

Filesize
5KB

MD5
b7d0d765c151d235165823b48554e442

SHA1
fe530e6c6fd60392d4ce611b21ec9daad3f1bc84

SHA256
a820a32e5ce89e3e336afc71aa1bf42a357ec542c2bc6e50c6255c1333812587

SHA512
5d801c24dfa1b7326f72f9c0acf3a330ef0cc3fce25ceee200bb12eab8c2b653025602e610e0cecda1e7cbd851ce1b66252531220b557a378ddb0b4a1741fa66

Download Submit
C:\Users\Admin\Downloads\OldNewExplorer by VIN STAR.rar

Filesize
272KB

MD5
e0c44daece14729c72d264e5f364b987

SHA1
45a7bd0d6ccd57a86a623f55b5bb326d1a5581f2

SHA256
0de3b950715922b12181fc051d24ef996a10b484cc3e490d3f448a6a90d96034

SHA512
d0bcdcc84ae9e06024a20aba8ccbbf5ed0b2286d560a1df1f16b77d2331023f7011b1581a195909f192cefe9dfbe8ec540dbff6cd4e7c2e37ac9248331aab543

Download Submit
C:\Users\Admin\Downloads\OldNewExplorer by VIN STAR\OldNewExplorer32.dll

Filesize
249KB

MD5
a72e302c3f4e4dc8eaa365592aef97c8

SHA1
83000d226d885e71ba3cfa4603c26768c6ec03c7

SHA256
76f3780b3a124f17dbaa369fb8ff54fe6d69f9297795af0cee720a7de213a92a

SHA512
2d0dd7b4f28da1ce6074361c5ff34b93183b6e81ba5d092e44e8f22726cc85cdfe0d8c01ceaf6a8bb37f72dcc7bb60e869172ec18b9dcf0607e5ed6389bd3848

Download Submit
C:\Users\Admin\Downloads\OldNewExplorer by VIN STAR\OldNewExplorer64.dll

Filesize
255KB

MD5
fcf194e3b9101064939a000075149f29

SHA1
7a3767dabba5368da9092ea17b0dcbdd23b23bfb

SHA256
21e76d101c19571d254e649c86f2588c7a46e7fb8f0911880ebbbadc7acf4d18

SHA512
e3fc693f1e7f7ac80d45f3b3d6df6c659f8e5aca5ef02d6a020d351927b684f71be4aba7c27aca2f82893cd98f431a89b21f5e78a7c35207964b161749fc4d24

Download Submit
C:\Users\Admin\Downloads\OldNewExplorer by VIN STAR\OldNewExplorerCfg.exe

Filesize
600KB

MD5
c0c6230ee05f7bbed58a0f5fecaea27e

SHA1
0e2747a1d229894a9c33345a0ac6d334fa92e116

SHA256
2f089092b24d77c9170a3c50a80b6d9d58eb69ec9e0042f7ecb1703de8407d89

SHA512
7ed881f7f20a15c41f13719dd902fd60802b003a68645677786423d9ff4c3728f89fd641b406ba6fe3c58096992cc253a08a67bb11f93ca1174fdb01237b5172

Download Submit
C:\Users\Admin\Downloads\UltraUXThemePatcher_4.4.3.exe

Filesize
159KB

MD5
8992718c128b589e19216ef1609c50c3

SHA1
dee042937934ae88ba0adb59752ef5ed13edb0ad

SHA256
431675fcbb448567fafc83fee2b93c620ab7a7f5d3d7a7c7b922fec52d58deb2

SHA512
b517d678e8590fc100a9aae590f6d37d440452cfab97397a8b62f592a164598cbc0f5a21f65bab22e3c623faeff205d1b137d1f6d104a4792b472682767d65c9

Download Submit
C:\Windows\System32\themeui.dll.new

Filesize
390KB

MD5
bc377febaa39552cd323cf2d46805e91

SHA1
c812c62292c62f518a9feca5c0366b22c04aa9c3

SHA256
0970d5aaab9247f5b6c63534cb29ff6e1b2b99ba0e4d96bc69eae895e67237c3

SHA512
5c5adb024d051eea9d16dc6411a1445359e5d219c3776fddefc51ea098a2d3c9db4dee22db382976e6911ec159a09bebe4f6249b36a77891d69a490cd0a8eed7

Download Submit
C:\Windows\System32\uxinit.dll.new

Filesize
121KB

MD5
1249ecbaa8441b5f2425ca165b18bff3

SHA1
388fb66c58dedbd29e0b300406e7d20b2c7e8f6c

SHA256
79bfb188b481a28bfa4fced64dc45eaa7fab7b0c5f435e85b02025ae6910377a

SHA512
8b75fa4df32fad47f249fa581b5a969cdf78df84bfe9e95f8bdcfbbe00a38da4c3711d797028a1f63d8cccf6cdbc40594c26aadf0ba419782b2991a474ba5c4c

Download Submit
memory/2332-1384-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2332-1400-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2332-1401-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download