Malware Analysis Report

2025-01-03 06:20

Sample ID 241129-2wkrpavpbr
Target https://www.upload.ee/files/16537227/EXM_Premium_Tweaking_Utility_1.0_Cracked.bat.html
Tags
asyncrat stormkitty xworm default discovery evasion execution persistence privilege_escalation rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

Threat Level: Known bad

The file https://www.upload.ee/files/16537227/EXM_Premium_Tweaking_Utility_1.0_Cracked.bat.html was found to be: Known bad.

Malicious Activity Summary

asyncrat stormkitty xworm default discovery evasion execution persistence privilege_escalation rat spyware stealer trojan

UAC bypass

Stormkitty family

Xworm family

StormKitty payload

Detect Xworm Payload

Xworm

StormKitty

AsyncRat

Asyncrat family

Async RAT payload

Reads user/profile data of web browsers

Drops startup file

Checks computer location settings

Executes dropped EXE

Drops desktop.ini file(s)

Adds Run key to start application

Looks up external IP address via web service

Looks up geolocation information via web service

Legitimate hosting services abused for malware hosting/C2

Enumerates physical storage devices

Command and Scripting Interpreter: PowerShell

Event Triggered Execution: Netsh Helper DLL

Browser Information Discovery

System Network Configuration Discovery: Wi-Fi Discovery

System Location Discovery: System Language Discovery

Modifies data under HKEY_USERS

Suspicious use of SetWindowsHookEx

Opens file in notepad (likely ransom note)

Suspicious use of SendNotifyMessage

Modifies registry class

Scheduled Task/Job: Scheduled Task

Checks processor information in registry

Uses Task Scheduler COM API

Delays execution with timeout.exe

Enumerates system info in registry

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

NTFS ADS

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-29 22:55

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-29 22:55

Reported

2024-11-29 23:00

Platform

win10v2004-20241007-de

Max time kernel

264s

Max time network

265s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://www.upload.ee/files/16537227/EXM_Premium_Tweaking_Utility_1.0_Cracked.bat.html

Signatures

AsyncRat

rat asyncrat

Asyncrat family

asyncrat

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Stormkitty family

stormkitty

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\system32\reg.exe N/A

Xworm

trojan rat xworm

Xworm family

xworm

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\exm\EXMservice.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Admin\msedge.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk C:\Users\Admin\msedge.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk C:\Users\Admin\msedge.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ctfmon = "C:\\Windows\\System32\\ctfmon.exe" C:\Windows\system32\reg.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\84cd062140476b7060b43475e7db9d50\Admin@SPDEBJWH_de-DE\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\svchost.exe N/A
File created C:\Users\Admin\AppData\Local\84cd062140476b7060b43475e7db9d50\Admin@SPDEBJWH_de-DE\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\svchost.exe N/A
File created C:\Users\Admin\AppData\Local\84cd062140476b7060b43475e7db9d50\Admin@SPDEBJWH_de-DE\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini C:\Users\Admin\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\84cd062140476b7060b43475e7db9d50\Admin@SPDEBJWH_de-DE\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini C:\Users\Admin\svchost.exe N/A
File created C:\Users\Admin\AppData\Local\84cd062140476b7060b43475e7db9d50\Admin@SPDEBJWH_de-DE\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini C:\Users\Admin\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\84cd062140476b7060b43475e7db9d50\Admin@SPDEBJWH_de-DE\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini C:\Users\Admin\svchost.exe N/A
File created C:\Users\Admin\AppData\Local\84cd062140476b7060b43475e7db9d50\Admin@SPDEBJWH_de-DE\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\svchost.exe N/A
File created C:\Users\Admin\AppData\Local\84cd062140476b7060b43475e7db9d50\Admin@SPDEBJWH_de-DE\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini C:\Users\Admin\svchost.exe N/A
File created C:\Users\Admin\AppData\Local\84cd062140476b7060b43475e7db9d50\Admin@SPDEBJWH_de-DE\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\svchost.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A icanhazip.com N/A N/A

Looks up geolocation information via web service

Browser Information Discovery

discovery

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\chcp.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\chcp.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\chcp.com N/A

System Network Configuration Discovery: Wi-Fi Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\svchost.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings\DownloadMode = "0" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Control Panel\Keyboard C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Keyboard\KeyboardDelay = "0" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Control Panel\Keyboard C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Keyboard\InitialKeyboardIndicators = "2147483650" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Control Panel\Keyboard C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Keyboard\InitialKeyboardIndicators = "2" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Control Panel\Keyboard C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Keyboard\KeyboardSpeed = "31" C:\Windows\system32\reg.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\Theme = "1" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer C:\Windows\system32\reg.exe N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\Downloads\Nicht bestÃĪtigt 174666.crdownload:SmartScreen C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\System32\NOTEPAD.EXE N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\msedge.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\svchost.exe N/A
N/A N/A C:\Users\Admin\svchost.exe N/A
N/A N/A C:\Users\Admin\svchost.exe N/A
N/A N/A C:\Users\Admin\svchost.exe N/A
N/A N/A C:\Users\Admin\svchost.exe N/A
N/A N/A C:\Users\Admin\svchost.exe N/A
N/A N/A C:\Users\Admin\svchost.exe N/A
N/A N/A C:\Users\Admin\svchost.exe N/A
N/A N/A C:\Users\Admin\svchost.exe N/A
N/A N/A C:\Users\Admin\svchost.exe N/A
N/A N/A C:\Users\Admin\svchost.exe N/A
N/A N/A C:\Users\Admin\svchost.exe N/A
N/A N/A C:\Users\Admin\svchost.exe N/A
N/A N/A C:\Users\Admin\svchost.exe N/A
N/A N/A C:\Users\Admin\svchost.exe N/A
N/A N/A C:\Users\Admin\svchost.exe N/A
N/A N/A C:\Users\Admin\svchost.exe N/A
N/A N/A C:\Users\Admin\svchost.exe N/A
N/A N/A C:\Users\Admin\svchost.exe N/A
N/A N/A C:\Users\Admin\svchost.exe N/A
N/A N/A C:\Users\Admin\svchost.exe N/A
N/A N/A C:\Users\Admin\svchost.exe N/A
N/A N/A C:\Users\Admin\svchost.exe N/A
N/A N/A C:\Users\Admin\msedge.exe N/A
N/A N/A C:\Users\Admin\msedge.exe N/A
N/A N/A C:\Users\Admin\svchost.exe N/A
N/A N/A C:\Users\Admin\msedge.exe N/A
N/A N/A C:\Users\Admin\msedge.exe N/A
N/A N/A C:\Users\Admin\msedge.exe N/A
N/A N/A C:\Users\Admin\msedge.exe N/A
N/A N/A C:\Users\Admin\msedge.exe N/A
N/A N/A C:\Users\Admin\msedge.exe N/A
N/A N/A C:\Users\Admin\msedge.exe N/A
N/A N/A C:\Users\Admin\msedge.exe N/A
N/A N/A C:\Users\Admin\msedge.exe N/A
N/A N/A C:\Users\Admin\msedge.exe N/A
N/A N/A C:\Users\Admin\msedge.exe N/A
N/A N/A C:\Users\Admin\msedge.exe N/A
N/A N/A C:\Users\Admin\msedge.exe N/A
N/A N/A C:\Users\Admin\msedge.exe N/A
N/A N/A C:\Users\Admin\msedge.exe N/A
N/A N/A C:\Users\Admin\msedge.exe N/A
N/A N/A C:\Users\Admin\msedge.exe N/A
N/A N/A C:\Users\Admin\msedge.exe N/A
N/A N/A C:\Users\Admin\msedge.exe N/A
N/A N/A C:\Users\Admin\msedge.exe N/A
N/A N/A C:\Users\Admin\msedge.exe N/A
N/A N/A C:\Users\Admin\msedge.exe N/A
N/A N/A C:\Users\Admin\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\msedge.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\msedge.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\msedge.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\msedge.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\msedge.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3644 wrote to memory of 4764 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 4764 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 4640 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 4640 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 4640 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 4640 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 4640 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 4640 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 4640 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 4640 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 4640 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 4640 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 4640 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 4640 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 4640 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 4640 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 4640 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 4640 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 4640 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 4640 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 4640 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 4640 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 4640 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 4640 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 4640 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 4640 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 4640 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 4640 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 4640 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 4640 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 4640 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 4640 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 4640 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 4640 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 4640 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 4640 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 4640 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 4640 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 4640 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 4640 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 4640 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 4640 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 3596 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 3596 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 2680 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 2680 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 2680 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 2680 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 2680 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 2680 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 2680 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 2680 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 2680 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 2680 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 2680 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 2680 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 2680 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 2680 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 2680 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 2680 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 2680 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 2680 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 2680 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 2680 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://www.upload.ee/files/16537227/EXM_Premium_Tweaking_Utility_1.0_Cracked.bat.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc782b46f8,0x7ffc782b4708,0x7ffc782b4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2008,18306510242722056120,12148795964079845581,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2052 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2008,18306510242722056120,12148795964079845581,131072 --lang=de --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2008,18306510242722056120,12148795964079845581,131072 --lang=de --service-sandbox-type=utility --mojo-platform-channel-handle=2892 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,18306510242722056120,12148795964079845581,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,18306510242722056120,12148795964079845581,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2008,18306510242722056120,12148795964079845581,131072 --lang=de --service-sandbox-type=collections --mojo-platform-channel-handle=5092 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,18306510242722056120,12148795964079845581,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5108 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2008,18306510242722056120,12148795964079845581,131072 --lang=de --service-sandbox-type=none --mojo-platform-channel-handle=6228 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2008,18306510242722056120,12148795964079845581,131072 --lang=de --service-sandbox-type=none --mojo-platform-channel-handle=6228 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2008,18306510242722056120,12148795964079845581,131072 --lang=de --service-sandbox-type=none --mojo-platform-channel-handle=5372 /prefetch:8

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\System32\NOTEPAD.EXE

"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Downloads\EXM_Premium_Tweaking_Utility_1.0_Cracked.bat

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,18306510242722056120,12148795964079845581,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,18306510242722056120,12148795964079845581,131072 --lang=de --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,18306510242722056120,12148795964079845581,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,18306510242722056120,12148795964079845581,131072 --lang=de --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6480 /prefetch:1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\EXM_Premium_Tweaking_Utility_1.0_Cracked.bat" "

C:\Windows\system32\reg.exe

Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\SystemRestore" /v "RPSessionInterval" /f

C:\Windows\system32\reg.exe

Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\SystemRestore" /v "DisableConfig" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "SystemRestorePointCreationFrequency" /t REG_DWORD /d 0 /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -ExecutionPolicy Unrestricted -NoProfile Enable-ComputerRestore -Drive 'C:\'

C:\Windows\system32\reg.exe

Reg.exe ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\CONSOLE" /v "VirtualTerminalLevel" /t REG_DWORD /d "1" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wmic path Win32_UserAccount where name="Admin" get sid | findstr "S-"

C:\Windows\System32\Wbem\WMIC.exe

wmic path Win32_UserAccount where name="Admin" get sid

C:\Windows\system32\findstr.exe

findstr "S-"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\chcp.com

chcp 437

C:\Windows\system32\curl.exe

curl -g -k -L -# -o "C:\Users\Admin\AppData\Local\Temp\exm.zip" "https://github.com/anonyketa/EXM-Tweaking-Utility-Premium/releases/download/V1.0/exm.zip"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -NoProfile Expand-Archive 'C:\Users\Admin\AppData\Local\Temp\exm.zip' -DestinationPath 'C:\Exm\'

C:\exm\EXMservice.exe

EXMservice.exe

C:\Users\Admin\msedge.exe

"C:\Users\Admin\msedge.exe"

C:\Users\Admin\svchost.exe

"C:\Users\Admin\svchost.exe"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "msedge" /tr "C:\Users\Admin\AppData\Local\msedge.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\SysWOW64\findstr.exe

findstr All

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile name="65001." key=clear | findstr Key

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile name="65001." key=clear

C:\Windows\SysWOW64\findstr.exe

findstr Key

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show networks mode=bssid

C:\Users\Admin\AppData\Local\msedge.exe

C:\Users\Admin\AppData\Local\msedge.exe

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SOFTWARE\Microsoft\FTH" /v "Enabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\MicrosoftEdgeUpdateTaskMachineCore" /f

C:\Windows\system32\reg.exe

Reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\MicrosoftEdgeUpdateTaskMachineUA" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "StartupBoostEnabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "BackgroundModeEnabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\DWM" /v "UseDpiScaling" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\Software\Microsoft\Multimedia\Audio" /v "UserDuckingPreference" /t REG_DWORD /d "3" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\Software\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\BootAnimation" /v "DisableStartupSound" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\Control Panel\Mouse" /v "MouseSpeed" /t REG_SZ /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\Control Panel\Mouse" /v "MouseThreshold1" /t REG_SZ /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\Control Panel\Mouse" /v "MouseThreshold2" /t REG_SZ /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ctfmon" /t REG_SZ /d "C:\Windows\System32\ctfmon.exe" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\VideoSettings" /v "VideoQualityOnBattery" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "IconsOnly" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ListviewShadow" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\Software\Policies\Microsoft\Windows\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "AllowDeviceNameInTelemetry" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\Software\Policies\Microsoft\Windows\safer\codeidentifiers" /v "authenticodeenabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\Software\Policies\Microsoft\Windows\Windows Error Reporting" /v "DontSendAdditionalData" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\SOFTWARE\Microsoft\Speech_OneCore\Settings\OnlineSpeechPrivacy" /v "HasAccepted" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\SOFTWARE\Microsoft\Personalization\Settings" /v "AcceptedPrivacyPolicy" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\SOFTWARE\Microsoft\InputPersonalization" /v "RestrictImplicitInkCollection" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\SOFTWARE\Microsoft\InputPersonalization" /v "RestrictImplicitTextCollection" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\SOFTWARE\Microsoft\InputPersonalization\TrainedDataStore" /v "HarvestContacts" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings" /v "DownloadMode" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\Control Panel\International\User Profile" /v "HttpAcceptLanguageOptOut" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverSearching" /v "SearchOrderConfig" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Device Metadata" /v "PreventDeviceMetadataFromNetwork" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoUpdate" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\Software\Microsoft\Windows\DWM" /v "EnableAeroPeek" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\location" /v "Value" /t REG_SZ /d "Deny" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\appDiagnostics" /v "Value" /t REG_SZ /d "Deny" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\userAccountInformation" /v "Value" /t REG_SZ /d "Deny" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SilentInstalledAppsEnabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SystemPaneSuggestionsEnabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SoftLandingEnabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "RotatingLockScreenEnabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "PublishUserActivities" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "UploadUserActivities" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications" /v "GlobalUserDisabled" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "BackgroundAppGlobalToggle" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\Software\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config" /v "DownloadMode" /t REG_DWORD /d "0" /f

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2008,18306510242722056120,12148795964079845581,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5056 /prefetch:2

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize" /v "EnableTransparency" /t REG_DWORD /d "0" /f

C:\Windows\system32\timeout.exe

timeout /t 1 /nobreak

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarAnimations" /t REG_DWORD /d 0 /f

C:\Windows\system32\timeout.exe

timeout /t 1 /nobreak

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ListviewAlphaSelect" /t REG_DWORD /d 0 /f

C:\Windows\system32\timeout.exe

timeout /t 1 /nobreak

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "EnableBalloonTips" /t REG_DWORD /d "0" /f

C:\Windows\system32\timeout.exe

timeout /t 1 /nobreak

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "DisallowShaking" /t REG_DWORD /d "1" /f

C:\Windows\system32\timeout.exe

timeout /t 1 /nobreak

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\People" /v "PeopleBand" /t REG_DWORD /d "0" /f

C:\Windows\system32\timeout.exe

timeout /t 1 /nobreak

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\Software\Policies\Microsoft\Windows\System" /v "EnableActivityFeed" /t REG_DWORD /d "0" /f

C:\Windows\system32\timeout.exe

timeout /t 1 /nobreak

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowTaskViewButton" /t REG_DWORD /d "0" /f

C:\Windows\system32\timeout.exe

timeout /t 1 /nobreak

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider" /v "RestoreConnection" /t REG_DWORD /d 0 /f

C:\Windows\system32\timeout.exe

timeout /t 1 /nobreak

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "HideSCAMeetNow" /t REG_dWORD /d 1 /f

C:\Windows\system32\timeout.exe

timeout /t 1 /nobreak

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Feeds" /v "ShellFeedsTaskbarViewMode" /t REG_DWORD /d 2 /f

C:\Windows\system32\timeout.exe

timeout /t 1 /nobreak

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\Software\Policies\Microsoft\Windows\CloudContent" /v DisableSoftLanding /t REG_DWORD /d 1 /f

C:\Windows\system32\timeout.exe

timeout /t 1 /nobreak

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v "LongPathsEnabled" /t REG_DWORD /d "1" /f

C:\Windows\system32\timeout.exe

timeout /t 1 /nobreak

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowSyncProviderNotifications" /t REG_DWORD /d "0" /f

C:\Windows\system32\timeout.exe

timeout /t 1 /nobreak

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize" /v "AppsUseLightTheme" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize" /v "AppsUseLightTheme" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main" /v "Theme" /t REG_DWORD /d "1" /f

C:\Windows\system32\timeout.exe

timeout /t 1 /nobreak

C:\Windows\system32\reg.exe

Reg.exe add "HKEY_USERS\.DEFAULT\Control Panel\Keyboard" /v InitialKeyboardIndicators /t REG_SZ /d "2147483650" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\Control Panel\Keyboard" /v "KeyboardSpeed" /t REG_SZ /d "31" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKEY_USERS\.DEFAULT\Control Panel\Keyboard" /v "InitialKeyboardIndicators" /t REG_SZ /d "2" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\Control Panel\Keyboard" /v "InitialKeyboardIndicators" /t REG_SZ /d "2" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKEY_USERS\.DEFAULT\Control Panel\Keyboard" /v "KeyboardDelay" /t REG_SZ /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKEY_USERS\.DEFAULT\Control Panel\Keyboard" /v "KeyboardSpeed" /t REG_SZ /d "31" /f

C:\Users\Admin\AppData\Local\msedge.exe

C:\Users\Admin\AppData\Local\msedge.exe

C:\Users\Admin\AppData\Local\msedge.exe

C:\Users\Admin\AppData\Local\msedge.exe

C:\Windows\system32\timeout.exe

timeout 2

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.upload.ee udp
DE 57.129.39.102:443 www.upload.ee tcp
DE 57.129.39.102:443 www.upload.ee tcp
US 8.8.8.8:53 s7.addthis.com udp
US 8.8.8.8:53 du0pud0sdlmzf.cloudfront.net udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 102.39.129.57.in-addr.arpa udp
GB 2.18.109.243:443 s7.addthis.com tcp
GB 2.18.109.243:443 s7.addthis.com tcp
NL 18.239.38.123:443 du0pud0sdlmzf.cloudfront.net tcp
US 8.8.8.8:53 243.109.18.2.in-addr.arpa udp
US 8.8.8.8:53 googleads.g.doubleclick.net udp
GB 142.250.187.226:443 googleads.g.doubleclick.net tcp
US 8.8.8.8:53 194.212.58.216.in-addr.arpa udp
US 8.8.8.8:53 40.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 123.38.239.18.in-addr.arpa udp
US 8.8.8.8:53 8.39.65.18.in-addr.arpa udp
US 8.8.8.8:53 226.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 78.204.58.216.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 region1.google-analytics.com udp
US 216.239.32.36:443 region1.google-analytics.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 36.32.239.216.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 216.239.32.36:443 region1.google-analytics.com udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 pastebin.com udp
US 104.20.3.235:443 pastebin.com tcp
US 8.8.8.8:53 235.3.20.104.in-addr.arpa udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 icanhazip.com udp
US 104.16.185.241:80 icanhazip.com tcp
US 8.8.8.8:53 api.mylnikov.org udp
US 172.67.196.114:443 api.mylnikov.org tcp
US 8.8.8.8:53 241.185.16.104.in-addr.arpa udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 114.196.67.172.in-addr.arpa udp
N/A 127.0.0.1:6606 tcp
US 8.8.8.8:53 i.ibb.co udp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
US 8.8.8.8:53 182.10.134.91.in-addr.arpa udp
US 8.8.8.8:53 upon-forming.gl.at.ply.gg udp
US 147.185.221.24:3865 upon-forming.gl.at.ply.gg tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
N/A 127.0.0.1:8808 tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
N/A 127.0.0.1:7707 tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
N/A 127.0.0.1:6606 tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
N/A 127.0.0.1:7707 tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
US 147.185.221.24:3865 upon-forming.gl.at.ply.gg tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
N/A 127.0.0.1:7707 tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
N/A 127.0.0.1:7707 tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
N/A 127.0.0.1:6606 tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
N/A 127.0.0.1:7707 tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
US 147.185.221.24:3865 upon-forming.gl.at.ply.gg tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
N/A 127.0.0.1:8808 tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
N/A 127.0.0.1:7707 tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
N/A 127.0.0.1:6606 tcp
US 8.8.8.8:53 8.173.189.20.in-addr.arpa udp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
N/A 127.0.0.1:6606 tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
US 147.185.221.24:3865 upon-forming.gl.at.ply.gg tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
N/A 127.0.0.1:7707 tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
N/A 127.0.0.1:8808 tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
N/A 127.0.0.1:7707 tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
N/A 127.0.0.1:8808 tcp
US 147.185.221.24:3865 upon-forming.gl.at.ply.gg tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
N/A 127.0.0.1:7707 tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
N/A 127.0.0.1:6606 tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
N/A 127.0.0.1:7707 tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
N/A 127.0.0.1:8808 tcp
US 8.8.8.8:53 upon-forming.gl.at.ply.gg udp
US 147.185.221.24:3865 upon-forming.gl.at.ply.gg tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
N/A 127.0.0.1:6606 tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
N/A 127.0.0.1:8808 tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
N/A 127.0.0.1:7707 tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
US 147.185.221.24:3865 upon-forming.gl.at.ply.gg tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
N/A 127.0.0.1:7707 tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
N/A 127.0.0.1:8808 tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
N/A 127.0.0.1:8808 tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
N/A 127.0.0.1:8808 tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp
FR 91.134.10.182:443 i.ibb.co tcp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 a0486d6f8406d852dd805b66ff467692
SHA1 77ba1f63142e86b21c951b808f4bc5d8ed89b571
SHA256 c0745fd195f3a51b27e4d35a626378a62935dccebefb94db404166befd68b2be
SHA512 065a62032eb799fade5fe75f390e7ab3c9442d74cb8b520d846662d144433f39b9186b3ef3db3480cd1d1d655d8f0630855ed5d6e85cf157a40c38a19375ed8a

\??\pipe\LOCAL\crashpad_3644_WVZVCDWQUBHZLGYM

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 dc058ebc0f8181946a312f0be99ed79c
SHA1 0c6f376ed8f2d4c275336048c7c9ef9edf18bff0
SHA256 378701e87dcff90aa092702bc299859d6ae8f7e313f773bf594f81df6f40bf6a
SHA512 36e0de64a554762b28045baebf9f71930c59d608f8d05c5faf8906d62eaf83f6d856ef1d1b38110e512fbb1a85d3e2310be11a7f679c6b5b3c62313cc7af52aa

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 ceed05cf6fce9aba56afe233fe48361b
SHA1 8bd50ae9ccff66e4cc9bd6421d19f3b539a1a783
SHA256 83a6c0ff5f206294df276297f4934d3fdf64b35993f2e62e3062ee3c4b6ff229
SHA512 283dacf30f6839c226f3ac5d03621f1f03de3c4a8b146c1ba5756f459133f0a3ffd911368f368826636c5a851b49a784ef1640462d2999f1c48db68346438700

C:\Users\Admin\Downloads\Nicht bestÃĪtigt 174666.crdownload

MD5 f9ca73d63fe61c4c401528fb470ce08e
SHA1 584f69b507ddf33985673ee612e6099aff760fb1
SHA256 16431cc14917abeb316e0bc44045440a8f86b7ac4fdd0dce99de6435d493ecca
SHA512 6fd03320ec84baf09a16a127c2c0ed3c265906fcb1a3b807c13001e775c396b66539238392438a8f290be04b8b8684050736331f8f99dbe8b868b44f154dd9de

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 b708e6d24207f1a0e12717c5e87b0a33
SHA1 7967ff24714e253d9e06f7212ee454caf65ae8d2
SHA256 67b51817391310c66acce0abeeba82529364010b4c9964e5b8c40792763551e2
SHA512 4ca759cdca5b080a33a1b5ad9dec4bf78201f404261c98441d462309b0c60ff633e0afde664a7f8fa0e0f0d19e9046b7f2fadc0b5411dd3c6ead172ee5581315

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 03f41e57b59c0fd643a60da84ae107c0
SHA1 f963b8b46979fb5cfd9e11463fdaf644d39b702d
SHA256 e4d71f61c71700b7de3a5dd81d00ed8f3caf67035e55ca11fb89b3707f6e1098
SHA512 910c379cfa064f5be1a8148f3220f27ad813eed7451a5089acfba01d61b03c07d9e4c6683fd61303d63862975a231e9dbad350023132be5c9e6e6bcc3c508ba8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 2ffe73c0668c56cefcc27b3944d67b99
SHA1 b37ccfbd9399d5bc846d6b0a9109c13f6d4c68d0
SHA256 ebbd67167246612d53e46e5044ce70a822e7a1e8d6d79f86c9e141468793a58f
SHA512 1a704116d4d74d80384fe4d24331ffd774c7b12a5616ef4c0b6af3df94556a42f86cf922ef9d980c43f196582a9eba60eb214813121a90626206baeef2c671ac

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 e65f2f7adf4b44069ed61e192f6a7db8
SHA1 8c1a61803a5c52ef86156d617d9b9c42068925e4
SHA256 ff4406823b67ae3ae9b7c044f2cb5ddd53f6c2074c99d7c22686f8f98339042d
SHA512 77cc1348aa79f00142eeab14ec39d38cf8b35b6408d72342de15fd9a8c919c87a24120e46c2be5bc1aff99331834fb29d9adb55c805ddddb6ae6135b4553a39f

memory/1220-117-0x00000232258C0000-0x0000023225946000-memory.dmp

memory/1220-123-0x0000023225870000-0x0000023225892000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_x4z3xw2e.eui.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1220-128-0x0000023225860000-0x0000023225870000-memory.dmp

memory/1220-129-0x0000023225D60000-0x0000023225E64000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 6cf293cb4d80be23433eecf74ddb5503
SHA1 24fe4752df102c2ef492954d6b046cb5512ad408
SHA256 b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA512 0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 a6c9d692ed2826ecb12c09356e69cc09
SHA1 def728a6138cf083d8a7c61337f3c9dade41a37f
SHA256 a07d329eb9b4105ba442c89f7cfa0d7b263f9f0617e26df93cf8cdc8dc94d57b
SHA512 2f27d2b241ce34f988c39e17ca5a1ebe628ac6c1b8ee8df121db9ad8929eaadf5f24ad66457591cccf87e60d2ba2eab88af860ab9c323a5c2a9867045d6e7ba3

memory/2452-153-0x000002A0F3700000-0x000002A0F3716000-memory.dmp

memory/2452-154-0x000002A0F3720000-0x000002A0F3732000-memory.dmp

memory/2452-155-0x000002A0F36F0000-0x000002A0F36FA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\exm.zip

MD5 57a6527690625bea4e4f668e7db6b2aa
SHA1 c5799fd94999d128203e81e22c6d9fdb86e167ee
SHA256 076e01b09f9c5cccc273b2f7dfa1a1efccc1a8e8ebf98a7eee756024b93bad17
SHA512 d86c7f79989eb0781e15f8631048506ffab338f933ddfedbcc2c7464447770beaf21b7ed3cba2ebb97be5ffdc9a450f2df2e2313efaeb8e8101f2ee53c066e4e

C:\exm\EXMservice.exe

MD5 aab9c36b98e2aeff996b3b38db070527
SHA1 4c2910e1e9b643f16269a2e59e3ada80fa70e5fa
SHA256 c148cc14f15b71a2d3f5e6bce6b706744f6b373a7e6c090c14f46f81d2d6e82f
SHA512 0db75756a041a7cda6b384718581aaf11e6873614465dd56e81f17ad171cffe380e288a3c2ee540222190392904921f26df8a1d66d4108051c60fc8e5b2df779

memory/3436-197-0x00000000005C0000-0x0000000000626000-memory.dmp

C:\Users\Admin\msedge.exe

MD5 f1c2525da4f545e783535c2875962c13
SHA1 92bf515741775fac22690efc0e400f6997eba735
SHA256 9e6985fdb3bfa539f3d6d6fca9aaf18356c28a00604c4f961562c34fa9f11d0f
SHA512 56308ac106caa84798925661406a25047df8d90e4b65b587b261010293587938fa922fbb2cfdedfe71139e16bfcf38e54bb31cbcc00cd244db15d756459b6133

C:\Users\Admin\svchost.exe

MD5 1bea6c3f126cf5446f134d0926705cee
SHA1 02c49933d0c2cc068402a93578d4768745490d58
SHA256 1d69b5b87c4cd1251c5c94461a455659febb683eab0ebd97dd30da2319ffc638
SHA512 eb9f423f6adb5e686a53f5f197e6b08455f8048d965a9ec850838fdf4724ef87f68945c435ace5a48a9a7226006a348e97586335d0246ea0dc898a412dea5df3

memory/2936-253-0x0000000000E70000-0x0000000000E9A000-memory.dmp

memory/3544-258-0x0000000000B10000-0x0000000000B4E000-memory.dmp

memory/3544-265-0x00000000058E0000-0x0000000005946000-memory.dmp

memory/3544-272-0x0000000006010000-0x0000000006114000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

MD5 1bdd9dee30a145ac77f1bb0e512cc50c
SHA1 ecda32b1dd9e6e1b59951656b1d28ad65b4983e7
SHA256 75aa0699dc6119a55716a3088c913e513dcedc38b98e92877fea1b4377ae8f05
SHA512 13c6d8dd4ed0a0e9123eae29215f77ab512ea46adb8999202b8a83af01c38198c6ee62af7a63699ef6c93cb1ce35c57f155d09e001b09ea5c4053d1bf6770310

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 8b17486d7cd1e77cd448e339c8f08de0
SHA1 1525c30489ffc401a1f4786419af615bc944edba
SHA256 80c646b9af9332332ea3c5613954e4531c3343f02259cf9ef018f8ee746c9f05
SHA512 79ddb8b9430fa2676b16e7a0bf6a7985eeac37df3b4a4f61a5aad6482bc0b929ae012846356a3b9abca513cb2e0e00c36356bd3a9cf193aabde89ce136dd5b37

C:\Users\Admin\AppData\Local\84cd062140476b7060b43475e7db9d50\Admin@SPDEBJWH_de-DE\Browsers\Edge\Cookies.txt

MD5 fee302333cb8b53e438beb2b2e5fc18c
SHA1 5a41c5ed8da9a518c757cc44e0120095cb0eaa2a
SHA256 1968091069d88745c3b6dbd583908542dbc46237f0c8cfbb2f276572b56d955e
SHA512 694792d377a2bb53c836c4ac0706409b48665ed6add9d758f86205ba4bb2264b09c8105ce267262a102e62574daf13df1c9d7f929e1048ea7c71e6222ec4e551

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

MD5 07f1b5455d1ed3403742e4f80aaed22d
SHA1 93d6712b46336b018632ead43dd83a8dcea7bd7e
SHA256 a205bdd4aa0b2453396312c887119eb347c2bcc697f7750b318a4afac2f9853f
SHA512 640838556b5c9116992cc3a12f22c5541127e472c7c678a1ec2c3d782545349bf02c0d7a3d8207d0ea5b0c264be4432c7a255aa9c067adaf5eee39a3f4beb712

C:\Users\Admin\AppData\Local\84cd062140476b7060b43475e7db9d50\Admin@SPDEBJWH_de-DE\Browsers\Firefox\Bookmarks.txt

MD5 2e9d094dda5cdc3ce6519f75943a4ff4
SHA1 5d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256 c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512 d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

memory/3544-334-0x0000000006120000-0x0000000006162000-memory.dmp

C:\Users\Admin\AppData\Local\84cd062140476b7060b43475e7db9d50\Admin@SPDEBJWH_de-DE\System\Process.txt

MD5 158cdbba8412195887b1f310d0c93e90
SHA1 8a9ecaae4d65d715cb1ca96dcd437ed344ae80be
SHA256 ceb2ec56a892834473494e2a901c63bd1296420df9e77ff50f2358174f5fb209
SHA512 8cb5c2ad374eaefa719636e8719abc6036f0fa0a56eb677fad15422e4c69b3ac48af75c6afeaa0729a5181db0c11a177e279535ee44b8312bb99a3a34fa564d3

memory/2936-447-0x000000001CBB0000-0x000000001CBF2000-memory.dmp

memory/3544-448-0x0000000006710000-0x00000000067A2000-memory.dmp

memory/3544-449-0x0000000006D60000-0x0000000007304000-memory.dmp

memory/3544-454-0x00000000061C0000-0x00000000061CA000-memory.dmp

C:\Users\Admin\AppData\Local\bbe2dbec5da16fe0d6955b21dff4e87d\msgid.dat

MD5 cfcd208495d565ef66e7dff9f98764da
SHA1 b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA256 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA512 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 3fd600851826562cbbc2e6666eb5c4e6
SHA1 9317336d295e074f2fa60e792874041ac359e60d
SHA256 ea623f281d0048ac79e70f26600ed27166f0f45e944529c42fcf1c9eff685e20
SHA512 5ad033e0f905488da08676ac8f5ced554d7f31c5f048d06508c634d351535096c41e4fcf60abd2336fd9942c82adea68c73bdf4745bb7f1d2aacf0855e14eaf1

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\msedge.exe.log

MD5 2ff39f6c7249774be85fd60a8f9a245e
SHA1 684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256 e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1