darkcomet | a69effb9cb8cb766f84043fe5b8417d223a46e3ec3f3e02152f844f7774cf51d

General

Target

a69effb9cb8cb766f84043fe5b8417d223a46e3ec3f3e02152f844f7774cf51d.exe
Size

848KB
MD5

5ff6c4af76faf74394c79161579e8a4f
SHA1

c36bca787b4629814a34d116b7c3ca5262fc4cfc
SHA256

a69effb9cb8cb766f84043fe5b8417d223a46e3ec3f3e02152f844f7774cf51d
SHA512

d15f6aeb2c2ac911a1c50356a8db5960d299b440bbf2e059a7ee5cfc4d3efc8c121ccc7fe737434ad04ef76f64000e77ca7fdc34b0193a2ad103b735e9ccf6d3
SSDEEP

12288:ivBIQKCR4KeHs+1M2R2D3wOLDvBQhA0UWgyjh/jWydrkaYEYhl97bjHk8OtAut01:rQKCR9uMVZBr0UWdwAYF7Ei1

Score

10^/10

darkcomet persistence rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

a69effb9cb8cb766f84043fe5b8417d223a46e3ec3f3e02152f844f7774cf51d.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windupdt\\winupdate.exe"	a69effb9cb8cb766f84043fe5b8417d223a46e3ec3f3e02152f844f7774cf51d.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a69effb9cb8cb766f84043fe5b8417d223a46e3ec3f3e02152f844f7774cf51d.exeexplorer.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	a69effb9cb8cb766f84043fe5b8417d223a46e3ec3f3e02152f844f7774cf51d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	explorer.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

a69effb9cb8cb766f84043fe5b8417d223a46e3ec3f3e02152f844f7774cf51d.exenotepad.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windupdt\\winupdate.exe"	a69effb9cb8cb766f84043fe5b8417d223a46e3ec3f3e02152f844f7774cf51d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windupdt\\winupdate.exe"	notepad.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

a69effb9cb8cb766f84043fe5b8417d223a46e3ec3f3e02152f844f7774cf51d.exe

description	pid	process	target process
PID 1652 set thread context of 872	1652	a69effb9cb8cb766f84043fe5b8417d223a46e3ec3f3e02152f844f7774cf51d.exe	explorer.exe

Drops file in Windows directory 2 IoCs

Processes:

a69effb9cb8cb766f84043fe5b8417d223a46e3ec3f3e02152f844f7774cf51d.exeexplorer.exe

description	ioc	process
File opened for modification	C:\Windows\PCGWIN32.LI5	a69effb9cb8cb766f84043fe5b8417d223a46e3ec3f3e02152f844f7774cf51d.exe
File opened for modification	C:\Windows\PCGWIN32.LI5	explorer.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

explorer.exea69effb9cb8cb766f84043fe5b8417d223a46e3ec3f3e02152f844f7774cf51d.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	explorer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	a69effb9cb8cb766f84043fe5b8417d223a46e3ec3f3e02152f844f7774cf51d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	a69effb9cb8cb766f84043fe5b8417d223a46e3ec3f3e02152f844f7774cf51d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	a69effb9cb8cb766f84043fe5b8417d223a46e3ec3f3e02152f844f7774cf51d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	a69effb9cb8cb766f84043fe5b8417d223a46e3ec3f3e02152f844f7774cf51d.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	explorer.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

a69effb9cb8cb766f84043fe5b8417d223a46e3ec3f3e02152f844f7774cf51d.exeexplorer.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	a69effb9cb8cb766f84043fe5b8417d223a46e3ec3f3e02152f844f7774cf51d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	explorer.exe

Modifies registry class 8 IoCs

Processes:

a69effb9cb8cb766f84043fe5b8417d223a46e3ec3f3e02152f844f7774cf51d.exeexplorer.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\{80EFCC3D-7231E77A-CBAD456E-14BE20BC}\ = 31b15d7f7b62487433ac5fb5031dff3998a53e72182247a4cfafc8176acf4ae8d2100b3e8bd90c7969dd51b94d26890eee6837902f77f7af10e875cf51f74d20556fb1b7daa03c7b269be1fc61dbe983919c36c5200198317fe66720ff7c27a6ff5118b9841a43bc43dbc3c42caef5d71d804553510b3db325a35e24c64d5d53b553ae33c9636ddb29c3b584decfb9976680208ab24dd5d581415a25c4bd60a6d2ff7027ee3f76a7d0b076e920319c11fbb1dc5e8406ff419829862ddf09383118d2fc4467c0df6cb8c861aaf9351e5ef90625107d066530711c95fac21dca85cb62eb5c348451efb5e85eec78ebe2331d1b85bb429c44fbd0230d0ba9ab4e6c5614c07fc5e761f04dac29d54d4e0956f230ac280b286ce94a3514ad43353351e3457c01da4dbdc966e9d0763d9eda473c5f66c780d06d8449ede94af1129abcbce7998f818886cd7115a93deee60920d680c01a15440d2295d372836a2c8a4bcb6bd3338c1bb63bef1b68030accaa7494a00141f241dabd05a5722e92d775ffa158cebcf665df8dc7f6f01ee806c9e1cd590ac132a5ea122b7dab5914394d5e49385122814d82e90a8ef228a35013444b1c3306e46f8097c9b08e5b88bbf51c528474cfdca8fa719bdd8306aca0aa354b52ab4a132acb0aec54348c624bb4539ec379c3e59c01c7d17f0a27738f93e874ed5cc9fad6233edc180684a09104c252124c0c168a7eadd835f8ed5bea43123b0a1bcb7b3b15afe7b13a1264d775e52cc732cda28deb5ae25af854063e6063a5b441a57ca066c75ddc92379a53379b4c87c85c52baca248adc6dfb3563ad63d6e3f1ec9994c6b1af9d9786b0baa27783dfbb07a4afbe37a79f9f07b8af9ae8bbcc64b58cd2f5b2ee5b8803b383d4d4728d5c89c4b2239a937b74db6043982b83ab44ecceb74950e9feb62751f035dead79a95df6052f62c804d430411a81c41663bec3e764e0e2e89d37396019504634fe53d93b85239e23f93359ec3956e2be9a26fdee9a894509f111227ea4e603e18ba5d482bf8ca797a0bfb25895fa4e5cd6f84f6617c0cf7248dab484216d81d51a3d8299337e646602eefc369bdefcf9986587a19f5278b4e02366fc209aff3d6719cf8597914032e2eb02d39a04433203dab37ddc99b8469b4e83b6ac91b4056f0197bd3f9aa73ad01ac443a38b8baccc5535b1d2d6f4c151e98d321653f1b3d9ac3e77679f8ff848197601908d8176316e1db685d19235cd21359911baf2dd6279fa25a4b14396c3cf7357eb0f73b7d3e073fb1ba38384c4ef91174e0f36b75ea0061e1006007104d5e0ce0f9668ff8a58553c7de6e5a1eeeaa8b4b39f93f88458737aeb22142a8c0a6b0c6bd5cb71f499ae42a982d615708152da32c31c937bf4db51c43daee5d78eb0d7654f3d7765ef01e8ea8c5495fc815a9e3c47e78f8fc8e82d57357f91e78d3f0ae72ce0885473802b088bceccf7aa6f53970b0f4cd708b0f222656a9d323ad3dd73f9eb22b31c14c6002faab7aa602d62eac4f41f51f875e02d5b297b511bc903895b2efb49db5184399e5ec73800e21265fa91253ead98363f5fa70720cf92483d885a6b7c7324eb2eec487692ae4d2895b20e14c9b0a9ef2af734909ec747bf3f586738df65873d40e532725b92c33d84da6fbcf7e550aefea859b73d50d9804629a0b501d285f3eed3c9fc9118ca3e4dd9490135992d3d75a5a1315261446d9e69f969e1918ebab61ae13a56653e8dd84abd7219e241354dad750a51b2b1dd92fa3a9ae2bde5da510489106ac54c4dcac9d4958f7ee818b4849f8387337013e04c22c8cc8bcb540bc253357bad5b6a7b54a3bccc992b012bc1ebd2543c8e6469ac91a8c649e0919d3d85a59e0db88999ee7ac8a2b10b91ccf2ca2d130974cd6c364a614a4992358a212b41cce1d4d90146298e9137b5e012a2cd23e91b2a432ae3d4b3415c81c65e20b8fe18e7823f1c2786bf2e98883cebe48bfd742522717351eb3d9425433103dd9346bbb02417edbfb518d2ba75e51d82f9535afb842421cd85d5127ebc98257d42a51c21f8955bfefbd864850ceec896b5b1d2a5447e40a6fe20d9a8bdd1a6b5df6e0716ff41180d8215157eb1981abd7d6619a0c13166daa0821f05f80d9a55fdfd9ad943bacba22ccdb6161ff18711d071c35dbb39e419730513cdc34a8cb4166f3e97a6f0bf12d8c47edd5845c28dfb295bd5bbc264125c7a86a2b0756151a98931ade55682b0db207bfe1bd9c43d5259c441b0791d9d46c6100ecc288bb20b654b51338d1b963b411be5c33e0ca677219fa9b80a5b4bfb53243b925c75c411d17eb1d8dab945251101c55262bcac99553d4119d542328c9c8b070b502b46742eac49692d5135c152c2fc8aa7d52f82177540118cb99799403ee0d963c13b2aa32ce4f6be215962f97a2124b912194479d02588116f71d7a90f7297a270d550f2f8aa26b5a0a116767eae18e9fbe96392ab8c2bd7ab4013327ba25bfb3be323944cbe88a76b608bd83339db9dfc46583e4298c2c303ecab8a348b51ab415421c27a02e2acb577622f0cb748af0ee8e92f7517dd8f7997ddc045392de6892eb296244f1c37b85f9dc739ff219889b86add4a7ad42233eca36b2c8b774c5f9647c15f2d87d5f00e18b6f86f1d5746ffaed8497c71a4ed2cd696400e7076e45ed1787da4a5dd52398a210de2ea04f490613ab5642e0ea8d7097fb5a72240b440d1e6ce00d6f80f231764ff92187dbc591bfd441a0cc336136173f55ba2430c9374c4621c5c3846a0ae8bb72b602bd05437f0d0d1f88d25aa428c526972d5aa3dd39904421204fc9227ba9f1b783b5e63868b9f6c78b6a411e3b1e4da8c85974e8f28884c6df6b5deee7937651fe187d5704e18b6422102da22fc7a19a40582913376e45e8ec6e9ce969771c0216ebd3699e13e41e7e5ff7d58d942813a3a1a5b7a7be4239e7c07242fc2b7b350e4404ed828c09685ffee988845a9e1b1325e94f80d5c6ac4148ccc75b711e04660f06caf28484eced677f0ef5d8879571dcf46680ed616413ee1d8764510cdf8aaa334336223547c30985eb9f82598d179f6e1207d1e25b8e29d42c6f27e6c26c8d1484914b18256f3709c9886f9ff1d58f97ee6265e5f7807e42fd11771cf6548e1d40abfd527011f757891a4b9bd1e6638a0a417638f23c843cbcbb393ac34f7221f9c07b8bf1958397c61a48db35623402bb27494ec3fe9276d5f4987f58fee2868308c6e0ab6b4a0223142e644fe72595c81b86e9956018e2989ad4e6aa834379c9fbb381b5ffb47a42ffd489916823eb467918fbd889a087dcae5b52edef7b82f63b713604440eceea9d656813eeaa68adf6bc733905cb2c69ba183315451ce0d36eade8ac7f32fac17698f2d48552acd53a90b320b636c43d46b81530d8349d469ce71b75daf79a85d73b99ba63c619aa1c522c28c84cbc1ac6e9676bfdea7f8b05b5bbbc32404e3cfa3f7dc10857da1a58e8e8816adf0a9a15201c4591c05bad21c4446d21e4a38cc6696b04f53d78b3ff4a7210ff277226f5a17840f5d37851ff20713efc4682cd08a45733d1ba57bfe1be6c48face8d588425122fd9c1986fddf263861db65c3115c39b8211b	a69effb9cb8cb766f84043fe5b8417d223a46e3ec3f3e02152f844f7774cf51d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\{80EFCC3D-7231E77A-CBAD456E-14BE20BC}\ = c39a3f0a7b62487433ac5fb5031dff3998a53e72182247a4cfafc8176acf4ae8d2100b3e8bd90c7969dd51b94d26890eee6837902f77f7af10e875cf51f74d20556fb1b7daa03c7b269be1fc61dbe983919c36c5200198317fe66720ff7c27a6ff5118b9841a43bc43dbc3c42caef5d71d804553510b3db325a35e24c64d5d53b553ae33c9636ddb29c3b584decfb9976680208ab24dd5d581415a25c4bd60a6d2ff7027ee3f76a7d0b076e920319c11fbb1dc5e8406ff419829862ddf09383118d2fc4467c0df6cb8c861aaf9351e5ef90625107d066530711c95fac21dca85cb62eb5c348451efb5e85eec78ebe2331d1b85bb429c44fbd0230d0ba9ab4e6c5614c07fc5e761f04dac29d54d4e0956f230ac280b286ce94a3514ad43353351e3457c01da4dbdc966e9d0763d9eda473c5f66c780d06d8449ede94af1129abcbce7998f818886cd7115a93deee60920d680c01a15440d2295d372836a2c8a4bcb6bd3338c1bb63bef1b68030accaa7494a00141f241dabd05a5722e92d775ffa158cebcf665df8dc7f6f01ee806c9e1cd590ac132a5ea122b7dab5914394d5e49385122814d82e90a8ef228a35013444b1c3306e46f8097c9b08e5b88bbf51c528474cfdca8fa719bdd8306aca0aa354b52ab4a132acb0aec54348c624bb4539ec379c3e59c01c7d17f0a27738f93e874ed5cc9fad6233edc180684a09104c252124c0c168a7eadd835f8ed5bea43123b0a1bcb7b4b11ade7b13a1264d775e52cc732cda28deb5ae25af854063e6063a5b441a57ca066c75ddc92379a53379b4c87c85c52baca248adc6dfb3563ad63d6e3f1ec9994c6b1af9d9786b0baa27783dfbb07a4afbe37a79f9f07b8af9ae8bbcc64b58cd2f5b2ee5b8803b383d4d4728d5c89c4b2239a937b74db6043982b83ab44ecceb74950e9feb62751f035dead79a95df6052f62c804d430411a81c41663bec3e764e0e2e89d37396019504634fe53d93b85239e23f93359ec3956e2be9a26fdee9a894509f111227ea4e603e18ba5d482bf8ca797a0bfb25895fa4e5cd6f84f6617c0cf7248dab484216d81d51a3d8299337e646602eefc369bdefcf9986587a19f5278b4e02366fc209aff3d6719cf8597914032e2eb02d39a04433203dab37ddc99b8469b4e83b6ac91b4056f0197bd3f9aa73ad01ac443a38b8baccc5535b1d2d6f4c151e98d321653f1b3d9ac3e77679f8ff848197601908d8176316e1db685d19235cd21359911baf2dd6279fa25a4b14396c3cf7357eb0f73b7d3e073fb1ba38384c4ef91174e0f36b75ea0061e1006007104d5e0ce0f9668ff8a58553c7de6e5a1eeeaa8b4b39f93f88458737aeb22142a8c0a6b0c6bd5cb71f499ae42a982d615708152da32c31c937bf4db51c43daee5d78eb0d7654f3d7765ef01e8ea8c5495fc815a9e3c47e78f8fc8e82d57357f91e78d3f0ae72ce0885473802b088bceccf7aa6f53970b0f4cd708b0f222656a9d323ad3dd73f9eb22b31c14c6002faab7aa602d62eac4f41f51f875e02d5b297b511bc903895b2efb49db5184399e5ec73800e21265fa91253ead98363f5fa70720cf92483d885a6b7c7324eb2eec487692ae4d2895b20e14c9b0a9ef2af734909ec747bf3f586738df65873d40e532725b92c33d84da6fbcf7e550aefea859b73d50d9804629a0b501d285f3eed3c9fc9118ca3e4dd9490135992d3d75a5a1315261446d9e69f969e1918ebab61ae13a56653e8dd84abd7219e241354dad750a51b2b1dd92fa3a9ae2bde5da510489106ac54c4dcac9d4958f7ee818b4849f8387337013e04c22c8cc8bcb540bc253357bad5b6a7b54a3bccc992b012bc1ebd2543c8e6469ac91a8c649e0919d3d85a59e0db88999ee7ac8a2b10b91ccf2ca2d130974cd6c364a614a4992358a212b41cce1d4d90146298e9137b5e012a2cd23e91b2a432ae3d4b3415c81c65e20b8fe18e7823f1c2786bf2e98883cebe48bfd742522717351eb3d9425433103dd9346bbb02417edbfb518d2ba75e51d82f9535afb842421cd85d5127ebc98257d42a51c21f8955bfefbd864850ceec896b5b1d2a5447e40a6fe20d9a8bdd1a6b5df6e0716ff41180d8215157eb1981abd7d6619a0c13166daa0821f05f80d9a55fdfd9ad943bacba22ccdb6161ff18711d071c35dbb39e419730513cdc34a8cb4166f3e97a6f0bf12d8c47edd5845c28dfb295bd5bbc264125c7a86a2b0756151a98931ade55682b0db207bfe1bd9c43d5259c441b0791d9d46c6100ecc288bb20b654b51338d1b963b411be5c33e0ca677219fa9b80a5b4bfb53243b925c75c411d17eb1d8dab945251101c55262bcac99553d4119d542328c9c8b070b502b46742eac49692d5135c152c2fc8aa7d52f82177540118cb99799403ee0d963c13b2aa32ce4f6be215962f97a2124b912194479d02588116f71d7a90f7297a270d550f2f8aa26b5a0a116767eae18e9fbe96392ab8c2bd7ab4013327ba25bfb3be323944cbe88a76b608bd83339db9dfc46583e4298c2c303ecab8a348b51ab415421c27a02e2acb577622f0cb748af0ee8e92f7517dd8f7997ddc045392de6892eb296244f1c37b85f9dc739ff219889b86add4a7ad42233eca36b2c8b774c5f9647c15f2d87d5f00e18b6f86f1d5746ffaed8497c71a4ed2cd696400e7076e45ed1787da4a5dd52398a210de2ea04f490613ab5642e0ea8d7097fb5a72240b440d1e6ce00d6f80f231764ff92187dbc591bfd441a0cc336136173f55ba2430c9374c4621c5c3846a0ae8bb72b602bd05437f0d0d1f88d25aa428c526972d5aa3dd39904421204fc9227ba9f1b783b5e63868b9f6c78b6a411e3b1e4da8c85974e8f28884c6df6b5deee7937651fe187d5704e18b6422102da22fc7a19a40582913376e45e8ec6e9ce969771c0216ebd3699e13e41e7e5ff7d58d942813a3a1a5b7a7be4239e7c07242fc2b7b350e4404ed828c09685ffee988845a9e1b1325e94f80d5c6ac4148ccc75b711e04660f06caf28484eced677f0ef5d8879571dcf46680ed616413ee1d8764510cdf8aaa334336223547c30985eb9f82598d179f6e1207d1e25b8e29d42c6f27e6c26c8d1484914b18256f3709c9886f9ff1d58f97ee6265e5f7807e42fd11771cf6548e1d40abfd527011f757891a4b9bd1e6638a0a417638f23c843cbcbb393ac34f7221f9c07b8bf1958397c61a48db35623402bb27494ec3fe9276d5f4987f58fee2868308c6e0ab6b4a0223142e644fe72595c81b86e9956018e2989ad4e6aa834379c9fbb381b5ffb47a42ffd489916823eb467918fbd889a087dcae5b52edef7b82f63b713604440eceea9d656813eeaa68adf6bc733905cb2c69ba183315451ce0d36eade8ac7f32fac17698f2d48552acd53a90b320b636c43d46b81530d8349d469ce71b75daf79a85d73b99ba63c619aa1c522c28c84cbc1ac6e9676bfdea7f8b05b5bbbc32404e3cfa3f7dc10857da1a58e8e8816adf0a9a15201c4591c05bad21c4446d21e4a38cc6696b04f53d78b3ff4a7210ff277226f5a17840f5d37851ff20713efc4682cd08a45733d1ba57bfe1be6c48face8d588425122fd9c1986fddf263861db65c3115c39b8211b	a69effb9cb8cb766f84043fe5b8417d223a46e3ec3f3e02152f844f7774cf51d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\{80EFCC3D-7231E77A-CBAD456E-14BE20BC}\ = 138923f07b62487433ac5fb5031dff3998a53e72182247a4cfafc8176acf4ae8d2100b3e8bd90c7969dd51b94d26890eee6837902f77f7af10e875cf51f74d20556fb1b7daa03c7b269be1fc61dbe983919c36c5200198317fe66720ff7c27a6ff5118b9841a43bc43dbc3c42caef5d71d804553510b3db325a35e24c64d5d53b553ae33c9636ddb29c3b584decfb9976680208ab24dd5d581415a25c4bd60a6d5ff7027ee3f76a7d0b076e920319c11fbb1dc5e8406ff419829862ddf09383118d2fc4467c0df6cb8c861aaf9351e5ef90625107d066530711c95fac21dca85cb62eb5c348451efb5e85eec78ebe2331d1b85bb429c44fbd0230d0ba9ab4e6c5614c07fc5e761f04dac29d54d4e0956f230ac280b286ce94a3514ad43353351e3457c01da4dbdc966e9d0763d9eda473c5f66c780d06d8449ede94af1129abcbce7998f818886cd7115a93deee60920d680c01a15440d2295d372836a2c8a4bcb6bd3338c1bb63bef1b68030accaa7494a00141f241dabd05a5722e92d775ffa158cebcf665df8dc7f6f01ee806c9e1cd590ac132a5ea122b7dab5914394d5e49385122814d82e90a8ef228a35013444b1c3306e46f8097c9b08e5b88bbf51c528474cfdca8fa719bdd8306aca0aa354b52ab4a132acb0aec54348c624bb4539ec379c3e59c01c7d17f0a27738f93e874ed5cc9fad6233edc180684a09104c252124c0c168a7eadd835f8ed5bea43123b0a1bcb7bcbc9d3e7b13a1264d775e52cc732cda28deb5ae25af854063e6063a5b441a57ca066c75ddc92379a53379b4c87c85c52baca248adc6dfb3563ad63d6e3f1ec9994c6b1af9d9786b0baa27783dfbb07a4afbe37a79f9f07b8af9ae8bbcc64b58cd2f5b2ee5b8803b383d4d4728d5c89c4b2239a937b74db6043982b83ab44ecceb74950e9feb62751f035dead79a95df6052f62c804d430411a81c41663bec3e764e0e2e89d37396019504634fe53d93b85239e23f93359ec3956e2be9a26fdee9a894509f111227ea4e603e18ba5d482bf8ca797a0bfb25895fa4e5cd6f84f6617c0cf7248dab484216d81d51a3d8299337e646602eefc369bdefcf9986587a19f5278b4e02366fc209aff3d6719cf8597914032e2eb02d39a04433203dab37ddc99b8469b4e83b6ac91b4056f0197bd3f9aa73ad01ac443a38b8baccc5535b1d2d6f4c151e98d321653f1b3d9ac3e77679f8ff848197601908d8176316e1db685d19235cd21359911baf2dd6279fa25a4b14396c3cf7357eb0f73b7d3e073fb1ba38384c4ef91174e0f36b75ea0061e1006007104d5e0ce0f9668ff8a58553c7de6e5a1eeeaa8b4b39f93f88458737aeb22142a8c0a6b0c6bd5cb71f499ae42a982d615708152da32c31c937bf4db51c43daee5d78eb0d7654f3d7765ef01e8ea8c5495fc815a9e3c47e78f8fc8e82d57357f91e78d3f0ae72ce0885473802b088bceccf7aa6f53970b0f4cd708b0f222656a9d323ad3dd73f9eb22b31c14c6002faab7aa602d62eac4f41f51f875e02d5b297b511bc903895b2efb49db5184399e5ec73800e21265fa91253ead98363f5fa70720cf92483d885a6b7c7324eb2eec487692ae4d2895b20e14c9b0a9ef2af734909ec747bf3f586738df65873d40e532725b92c33d84da6fbcf7e550aefea859b73d50d9804629a0b501d285f3eed3c9fc9118ca3e4dd9490135992d3d75a5a1315261446d9e69f969e1918ebab61ae13a56653e8dd84abd7219e241354dad750a51b2b1dd92fa3a9ae2bde5da510489106ac54c4dcac9d4958f7ee818b4849f8387337013e04c22c8cc8bcb540bc253357bad5b6a7b54a3bccc992b012bc1ebd2543c8e6469ac91a8c649e0919d3d85a59e0db88999ee7ac8a2b10b91ccf2ca2d130974cd6c364a614a4992358a212b41cce1d4d90146298e9137b5e012a2cd23e91b2a432ae3d4b3415c81c65e20b8fe18e7823f1c2786bf2e98883cebe48bfd742522717351eb3d9425433103dd9346bbb02417edbfb518d2ba75e51d82f9535afb842421cd85d5127ebc98257d42a51c21f8955bfefbd864850ceec896b5b1d2a5447e40a6fe20d9a8bdd1a6b5df6e0716ff41180d8215157eb1981abd7d6619a0c13166daa0821f05f80d9a55fdfd9ad943bacba22ccdb6161ff18711d071c35dbb39e419730513cdc34a8cb4166f3e97a6f0bf12d8c47edd5845c28dfb295bd5bbc264125c7a86a2b0756151a98931ade55682b0db207bfe1bd9c43d5259c441b0791d9d46c6100ecc288bb20b654b51338d1b963b411be5c33e0ca677219fa9b80a5b4bfb53243b925c75c411d17eb1d8dab945251101c55262bcac99553d4119d542328c9c8b070b502b46742eac49692d5135c152c2fc8aa7d52f82177540118cb99799403ee0d963c13b2aa32ce4f6be215962f97a2124b912194479d02588116f71d7a90f7297a270d550f2f8aa26b5a0a116767eae18e9fbe96392ab8c2bd7ab4013327ba25bfb3be323944cbe88a76b608bd83339db9dfc46583e4298c2c303ecab8a348b51ab415421c27a02e2acb577622f0cb748af0ee8e92f7517dd8f7997ddc045392de6892eb296244f1c37b85f9dc739ff219889b86add4a7ad42233eca36b2c8b774c5f9647c15f2d87d5f00e18b6f86f1d5746ffaed8497c71a4ed2cd696400e7076e45ed1787da4a5dd52398a210de2ea04f490613ab5642e0ea8d7097fb5a72240b440d1e6ce00d6f80f231764ff92187dbc591bfd441a0cc336136173f55ba2430c9374c4621c5c3846a0ae8bb72b602bd05437f0d0d1f88d25aa428c526972d5aa3dd39904421204fc9227ba9f1b783b5e63868b9f6c78b6a411e3b1e4da8c85974e8f28884c6df6b5deee7937651fe187d5704e18b6422102da22fc7a19a40582913376e45e8ec6e9ce969771c0216ebd3699e13e41e7e5ff7d58d942813a3a1a5b7a7be4239e7c07242fc2b7b350e4404ed828c09685ffee988845a9e1b1325e94f80d5c6ac4148ccc75b711e04660f06caf28484eced677f0ef5d8879571dcf46680ed616413ee1d8764510cdf8aaa334336223547c30985eb9f82598d179f6e1207d1e25b8e29d42c6f27e6c26c8d1484914b18256f3709c9886f9ff1d58f97ee6265e5f7807e42fd11771cf6548e1d40abfd527011f757891a4b9bd1e6638a0a417638f23c843cbcbb393ac34f7221f9c07b8bf1958397c61a48db35623402bb27494ec3fe9276d5f4987f58fee2868308c6e0ab6b4a0223142e644fe72595c81b86e9956018e2989ad4e6aa834379c9fbb381b5ffb47a42ffd489916823eb467918fbd889a087dcae5b52edef7b82f63b713604440eceea9d656813eeaa68adf6bc733905cb2c69ba183315451ce0d36eade8ac7f32fac17698f2d48552acd53a90b320b636c43d46b81530d8349d469ce71b75daf79a85d73b99ba63c619aa1c522c28c84cbc1ac6e9676bfdea7f8b05b5bbbc32404e3cfa3f7dc10857da1a58e8e8816adf0a9a15201c4591c05bad21c4446d21e4a38cc6696b04f53d78b3ff4a7210ff277226f5a17840f5d37851ff20713efc4682cd08a45733d1ba57bfe1be6c48face8d588425122fd9c1986fddf263861db65c3115c39b8211b	a69effb9cb8cb766f84043fe5b8417d223a46e3ec3f3e02152f844f7774cf51d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\{80EFCC3D-7231E77A-CBAD456E-14BE20BC}	explorer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\{80EFCC3D-7231E77A-CBAD456E-14BE20BC}\ = f9a725c07b62487433ac5fb5031dff3998a53e72182247a4cfafc8176acf4ae8d2100b3e8bd90c7969dd51b94d26890eee6837902f77f7af10e875cf51f74d20556fb1b7daa03c7b269be1fc61dbe983919c36c5200198317fe66720ff7c27a6ff5118b9841a43bc43dbc3c42caef5d71d804553510b3db325a35e24c64d5d53b553ae33c9636ddb29c3b584decfb9976680208ab24dd5d581415a25c4bd60a6d5ff7027ee3f76a7d0b076e920319c11fbb1dc5e8406ff419829862ddf09383118d2fc4467c0df6cb8c861aaf9351e5ef90625107d066530711c95fac21dca85cb62eb5c348451efb5e85eec78ebe2331d1b85bb429c44fbd0230d0ba9ab4e6c5614c07fc5e761f04dac29d54d4e0956f230ac280b286ce94a3514ad43353351e3457c01da4dbdc966e9d0763d9eda473c5f66c780d06d8449ede94af1129abcbce7998f818886cd7115a93deee60920d680c01a15440d2295d372836a2c8a4bcb6bd3338c1bb63bef1b68030accaa7494a00141f241dabd05a5722e92d775ffa158cebcf665df8dc7f6f01ee806c9e1cd590ac132a5ea122b7dab5914394d5e49385122814d82e90a8ef228a35013444b1c3306e46f8097c9b08e5b88bbf51c528474cfdca8fa719bdd8306aca0aa354b52ab4a132acb0aec54348c624bb4539ec379c3e59c01c7d17f0a27738f93e874ed5cc9fad6233edc180684a09104c252124c0c168a7eadd835f8ed5bea43123b0a1bcb7b3bd54ae7b13a1264d775e52cc732cda28deb5ae25af854063e6063a5b441a57ca066c75ddc92379a53379b4c87c85c52baca248adc6dfb3563ad63d6e3f1ec9994c6b1af9d9786b0baa27783dfbb07a4afbe37a79f9f07b8af9ae8bbcc64b58cd2f5b2ee5b8803b383d4d4728d5c89c4b2239a937b74db6043982b83ab44ecceb74950e9feb62751f035dead79a95df6052f62c804d430411a81c41663bec3e764e0e2e89d37396019504634fe53d93b85239e23f93359ec3956e2be9a26fdee9a894509f111227ea4e603e18ba5d482bf8ca797a0bfb25895fa4e5cd6f84f6617c0cf7248dab484216d81d51a3d8299337e646602eefc369bdefcf9986587a19f5278b4e02366fc209aff3d6719cf8597914032e2eb02d39a04433203dab37ddc99b8469b4e83b6ac91b4056f0197bd3f9aa73ad01ac443a38b8baccc5535b1d2d6f4c151e98d321653f1b3d9ac3e77679f8ff848197601908d8176316e1db685d19235cd21359911baf2dd6279fa25a4b14396c3cf7357eb0f73b7d3e073fb1ba38384c4ef91174e0f36b75ea0061e1006007104d5e0ce0f9668ff8a58553c7de6e5a1eeeaa8b4b39f93f88458737aeb22142a8c0a6b0c6bd5cb71f499ae42a982d615708152da32c31c937bf4db51c43daee5d78eb0d7654f3d7765ef01e8ea8c5495fc815a9e3c47e78f8fc8e82d57357f91e78d3f0ae72ce0885473802b088bceccf7aa6f53970b0f4cd708b0f222656a9d323ad3dd73f9eb22b31c14c6002faab7aa602d62eac4f41f51f875e02d5b297b511bc903895b2efb49db5184399e5ec73800e21265fa91253ead98363f5fa70720cf92483d885a6b7c7324eb2eec487692ae4d2895b20e14c9b0a9ef2af734909ec747bf3f586738df65873d40e532725b92c33d84da6fbcf7e550aefea859b73d50d9804629a0b501d285f3eed3c9fc9118ca3e4dd9490135992d3d75a5a1315261446d9e69f969e1918ebab61ae13a56653e8dd84abd7219e241354dad750a51b2b1dd92fa3a9ae2bde5da510489106ac54c4dcac9d4958f7ee818b4849f8387337013e04c22c8cc8bcb540bc253357bad5b6a7b54a3bccc992b012bc1ebd2543c8e6469ac91a8c649e0919d3d85a59e0db88999ee7ac8a2b10b91ccf2ca2d130974cd6c364a614a4992358a212b41cce1d4d90146298e9137b5e012a2cd23e91b2a432ae3d4b3415c81c65e20b8fe18e7823f1c2786bf2e98883cebe48bfd742522717351eb3d9425433103dd9346bbb02417edbfb518d2ba75e51d82f9535afb842421cd85d5127ebc98257d42a51c21f8955bfefbd864850ceec896b5b1d2a5447e40a6fe20d9a8bdd1a6b5df6e0716ff41180d8215157eb1981abd7d6619a0c13166daa0821f05f80d9a55fdfd9ad943bacba22ccdb6161ff18711d071c35dbb39e419730513cdc34a8cb4166f3e97a6f0bf12d8c47edd5845c28dfb295bd5bbc264125c7a86a2b0756151a98931ade55682b0db207bfe1bd9c43d5259c441b0791d9d46c6100ecc288bb20b654b51338d1b963b411be5c33e0ca677219fa9b80a5b4bfb53243b925c75c411d17eb1d8dab945251101c55262bcac99553d4119d542328c9c8b070b502b46742eac49692d5135c152c2fc8aa7d52f82177540118cb99799403ee0d963c13b2aa32ce4f6be215962f97a2124b912194479d02588116f71d7a90f7297a270d550f2f8aa26b5a0a116767eae18e9fbe96392ab8c2bd7ab4013327ba25bfb3be323944cbe88a76b608bd83339db9dfc46583e4298c2c303ecab8a348b51ab415421c27a02e2acb577622f0cb748af0ee8e92f7517dd8f7997ddc045392de6892eb296244f1c37b85f9dc739ff219889b86add4a7ad42233eca36b2c8b774c5f9647c15f2d87d5f00e18b6f86f1d5746ffaed8497c71a4ed2cd696400e7076e45ed1787da4a5dd52398a210de2ea04f490613ab5642e0ea8d7097fb5a72240b440d1e6ce00d6f80f231764ff92187dbc591bfd441a0cc336136173f55ba2430c9374c4621c5c3846a0ae8bb72b602bd05437f0d0d1f88d25aa428c526972d5aa3dd39904421204fc9227ba9f1b783b5e63868b9f6c78b6a411e3b1e4da8c85974e8f28884c6df6b5deee7937651fe187d5704e18b6422102da22fc7a19a40582913376e45e8ec6e9ce969771c0216ebd3699e13e41e7e5ff7d58d942813a3a1a5b7a7be4239e7c07242fc2b7b350e4404ed828c09685ffee988845a9e1b1325e94f80d5c6ac4148ccc75b711e04660f06caf28484eced677f0ef5d8879571dcf46680ed616413ee1d8764510cdf8aaa334336223547c30985eb9f82598d179f6e1207d1e25b8e29d42c6f27e6c26c8d1484914b18256f3709c9886f9ff1d58f97ee6265e5f7807e42fd11771cf6548e1d40abfd527011f757891a4b9bd1e6638a0a417638f23c843cbcbb393ac34f7221f9c07b8bf1958397c61a48db35623402bb27494ec3fe9276d5f4987f58fee2868308c6e0ab6b4a0223142e644fe72595c81b86e9956018e2989ad4e6aa834379c9fbb381b5ffb47a42ffd489916823eb467918fbd889a087dcae5b52edef7b82f63b713604440eceea9d656813eeaa68adf6bc733905cb2c69ba183315451ce0d36eade8ac7f32fac17698f2d48552acd53a90b320b636c43d46b81530d8349d469ce71b75daf79a85d73b99ba63c619aa1c522c28c84cbc1ac6e9676bfdea7f8b05b5bbbc32404e3cfa3f7dc10857da1a58e8e8816adf0a9a15201c4591c05bad21c4446d21e4a38cc6696b04f53d78b3ff4a7210ff277226f5a17840f5d37851ff20713efc4682cd08a45733d1ba57bfe1be6c48face8d588425122fd9c1986fddf263861db65c3115c39b8211b	explorer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\{80EFCC3D-7231E77A-CBAD456E-14BE20BC}\ = f2487f9b7b62487433ac5fb5031dff3998a53e72182247a4cfafc8176acf4ae8d2100b3e8bd90c7969dd51b94d26890eee6837902f77f7af10e875cf51f74d20556fb1b7daa03c7b269be1fc61dbe983919c36c5200198317fe66720ff7c27a6ff5118b9841a43bc43dbc3c42caef5d71d804553510b3db325a35e24c64d5d53b553ae33c9636ddb29c3b584decfb9976680208ab24dd5d581415a25c4bd60a6d5ff7027ee3f76a7d0b076e920319c11fbb1dc5e8406ff419829862ddf09383118d2fc4467c0df6cb8c861aaf9351e5ef90625107d066530711c95fac21dca85cb62eb5c348451efb5e85eec78ebe2331d1b85bb429c44fbd0230d0ba9ab4e6c5614c07fc5e761f04dac29d54d4e0956f230ac280b286ce94a3514ad43353351e3457c01da4dbdc966e9d0763d9eda473c5f66c780d06d8449ede94af1129abcbce7998f818886cd7115a93deee60920d680c01a15440d2295d372836a2c8a4bcb6bd3338c1bb63bef1b68030accaa7494a00141f241dabd05a5722e92d775ffa158cebcf665df8dc7f6f01ee806c9e1cd590ac132a5ea122b7dab5914394d5e49385122814d82e90a8ef228a35013444b1c3306e46f8097c9b08e5b88bbf51c528474cfdca8fa719bdd8306aca0aa354b52ab4a132acb0aec54348c624bb4539ec379c3e59c01c7d17f0a27738f93e874ed5cc9fad6233edc180684a09104c252124c0c168a7eadd835f8ed5bea43123b0a1bcb7bdb7448e7b13a1264d775e52cc732cda28deb5ae25af854063e6063a5b441a57ca066c75ddc92379a53379b4c87c85c52baca248adc6dfb3563ad63d6e3f1ec9994c6b1af9d9786b0baa27783dfbb07a4afbe37a79f9f07b8af9ae8bbcc64b58cd2f5b2ee5b8803b383d4d4728d5c89c4b2239a937b74db6043982b83ab44ecceb74950e9feb62751f035dead79a95df6052f62c804d430411a81c41663bec3e764e0e2e89d37396019504634fe53d93b85239e23f93359ec3956e2be9a26fdee9a894509f111227ea4e603e18ba5d482bf8ca797a0bfb25895fa4e5cd6f84f6617c0cf7248dab484216d81d51a3d8299337e646602eefc369bdefcf9986587a19f5278b4e02366fc209aff3d6719cf8597914032e2eb02d39a04433203dab37ddc99b8469b4e83b6ac91b4056f0197bd3f9aa73ad01ac443a38b8baccc5535b1d2d6f4c151e98d321653f1b3d9ac3e77679f8ff848197601908d8176316e1db685d19235cd21359911baf2dd6279fa25a4b14396c3cf7357eb0f73b7d3e073fb1ba38384c4ef91174e0f36b75ea0061e1006007104d5e0ce0f9668ff8a58553c7de6e5a1eeeaa8b4b39f93f88458737aeb22142a8c0a6b0c6bd5cb71f499ae42a982d615708152da32c31c937bf4db51c43daee5d78eb0d7654f3d7765ef01e8ea8c5495fc815a9e3c47e78f8fc8e82d57357f91e78d3f0ae72ce0885473802b088bceccf7aa6f53970b0f4cd708b0f222656a9d323ad3dd73f9eb22b31c14c6002faab7aa602d62eac4f41f51f875e02d5b297b511bc903895b2efb49db5184399e5ec73800e21265fa91253ead98363f5fa70720cf92483d885a6b7c7324eb2eec487692ae4d2895b20e14c9b0a9ef2af734909ec747bf3f586738df65873d40e532725b92c33d84da6fbcf7e550aefea859b73d50d9804629a0b501d285f3eed3c9fc9118ca3e4dd9490135992d3d75a5a1315261446d9e69f969e1918ebab61ae13a56653e8dd84abd7219e241354dad750a51b2b1dd92fa3a9ae2bde5da510489106ac54c4dcac9d4958f7ee818b4849f8387337013e04c22c8cc8bcb540bc253357bad5b6a7b54a3bccc992b012bc1ebd2543c8e6469ac91a8c649e0919d3d85a59e0db88999ee7ac8a2b10b91ccf2ca2d130974cd6c364a614a4992358a212b41cce1d4d90146298e9137b5e012a2cd23e91b2a432ae3d4b3415c81c65e20b8fe18e7823f1c2786bf2e98883cebe48bfd742522717351eb3d9425433103dd9346bbb02417edbfb518d2ba75e51d82f9535afb842421cd85d5127ebc98257d42a51c21f8955bfefbd864850ceec896b5b1d2a5447e40a6fe20d9a8bdd1a6b5df6e0716ff41180d8215157eb1981abd7d6619a0c13166daa0821f05f80d9a55fdfd9ad943bacba22ccdb6161ff18711d071c35dbb39e419730513cdc34a8cb4166f3e97a6f0bf12d8c47edd5845c28dfb295bd5bbc264125c7a86a2b0756151a98931ade55682b0db207bfe1bd9c43d5259c441b0791d9d46c6100ecc288bb20b654b51338d1b963b411be5c33e0ca677219fa9b80a5b4bfb53243b925c75c411d17eb1d8dab945251101c55262bcac99553d4119d542328c9c8b070b502b46742eac49692d5135c152c2fc8aa7d52f82177540118cb99799403ee0d963c13b2aa32ce4f6be215962f97a2124b912194479d02588116f71d7a90f7297a270d550f2f8aa26b5a0a116767eae18e9fbe96392ab8c2bd7ab4013327ba25bfb3be323944cbe88a76b608bd83339db9dfc46583e4298c2c303ecab8a348b51ab415421c27a02e2acb577622f0cb748af0ee8e92f7517dd8f7997ddc045392de6892eb296244f1c37b85f9dc739ff219889b86add4a7ad42233eca36b2c8b774c5f9647c15f2d87d5f00e18b6f86f1d5746ffaed8497c71a4ed2cd696400e7076e45ed1787da4a5dd52398a210de2ea04f490613ab5642e0ea8d7097fb5a72240b440d1e6ce00d6f80f231764ff92187dbc591bfd441a0cc336136173f55ba2430c9374c4621c5c3846a0ae8bb72b602bd05437f0d0d1f88d25aa428c526972d5aa3dd39904421204fc9227ba9f1b783b5e63868b9f6c78b6a411e3b1e4da8c85974e8f28884c6df6b5deee7937651fe187d5704e18b6422102da22fc7a19a40582913376e45e8ec6e9ce969771c0216ebd3699e13e41e7e5ff7d58d942813a3a1a5b7a7be4239e7c07242fc2b7b350e4404ed828c09685ffee988845a9e1b1325e94f80d5c6ac4148ccc75b711e04660f06caf28484eced677f0ef5d8879571dcf46680ed616413ee1d8764510cdf8aaa334336223547c30985eb9f82598d179f6e1207d1e25b8e29d42c6f27e6c26c8d1484914b18256f3709c9886f9ff1d58f97ee6265e5f7807e42fd11771cf6548e1d40abfd527011f757891a4b9bd1e6638a0a417638f23c843cbcbb393ac34f7221f9c07b8bf1958397c61a48db35623402bb27494ec3fe9276d5f4987f58fee2868308c6e0ab6b4a0223142e644fe72595c81b86e9956018e2989ad4e6aa834379c9fbb381b5ffb47a42ffd489916823eb467918fbd889a087dcae5b52edef7b82f63b713604440eceea9d656813eeaa68adf6bc733905cb2c69ba183315451ce0d36eade8ac7f32fac17698f2d48552acd53a90b320b636c43d46b81530d8349d469ce71b75daf79a85d73b99ba63c619aa1c522c28c84cbc1ac6e9676bfdea7f8b05b5bbbc32404e3cfa3f7dc10857da1a58e8e8816adf0a9a15201c4591c05bad21c4446d21e4a38cc6696b04f53d78b3ff4a7210ff277226f5a17840f5d37851ff20713efc4682cd08a45733d1ba57bfe1be6c48face8d588425122fd9c1986fddf263861db65c3115c39b8211b	explorer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\{80EFCC3D-7231E77A-CBAD456E-14BE20BC}\ = 6a5560857b62487433ac5fb5031dff3998a53e72182247a4cfafc8176acf4ae8d2100b3e8bd90c7969dd51b94d26890eee6837902f77f7af10e875cf51f74d20556fb1b7daa03c7b269be1fc61dbe983919c36c5200198317fe66720ff7c27a6ff5118b9841a43bc43dbc3c42caef5d71d804553510b3db325a35e24c64d5d53b553ae33c9636ddb29c3b584decfb9976680208ab24dd5d581415a25c4bd60a6d4ff7027ee3f76a7d0b076e920319c11fbb1dc5e8406ff419829862ddf09383118d2fc4467c0df6cb8c861aaf9351e5ef90625107d066530711c95fac21dca85cb62eb5c348451efb5e85eec78ebe2331d1b85bb429c44fbd0230d0ba9ab4e6c5614c07fc5e761f04dac29d54d4e0956f230ac280b286ce94a3514ad43353351e3457c01da4dbdc966e9d0763d9eda473c5f66c780d06d8449ede94af1129abcbce7998f818886cd7115a93deee60920d680c01a15440d2295d372836a2c8a4bcb6bd3338c1bb63bef1b68030accaa7494a00141f241dabd05a5722e92d775ffa158cebcf665df8dc7f6f01ee806c9e1cd590ac132a5ea122b7dab5914394d5e49385122814d82e90a8ef228a35013444b1c3306e46f8097c9b08e5b88bbf51c528474cfdca8fa719bdd8306aca0aa354b52ab4a132acb0aec54348c624bb4539ec379c3e59c01c7d17f0a27738f93e874ed5cc9fad6233edc180684a09104c252124c0c168a7eadd835f8ed5bea43123b0a1bcb7bdb7448e7b13a1264d775e52cc732cda28deb5ae25af854063e6063a5b441a57ca066c75ddc92379a53379b4c87c85c52baca248adc6dfb3563ad63d6e3f1ec9994c6b1af9d9786b0baa27783dfbb07a4afbe37a79f9f07b8af9ae8bbcc64b58cd2f5b2ee5b8803b383d4d4728d5c89c4b2239a937b74db6043982b83ab44ecceb74950e9feb62751f035dead79a95df6052f62c804d430411a81c41663bec3e764e0e2e89d37396019504634fe53d93b85239e23f93359ec3956e2be9a26fdee9a894509f111227ea4e603e18ba5d482bf8ca797a0bfb25895fa4e5cd6f84f6617c0cf7248dab484216d81d51a3d8299337e646602eefc369bdefcf9986587a19f5278b4e02366fc209aff3d6719cf8597914032e2eb02d39a04433203dab37ddc99b8469b4e83b6ac91b4056f0197bd3f9aa73ad01ac443a38b8baccc5535b1d2d6f4c151e98d321653f1b3d9ac3e77679f8ff848197601908d8176316e1db685d19235cd21359911baf2dd6279fa25a4b14396c3cf7357eb0f73b7d3e073fb1ba38384c4ef91174e0f36b75ea0061e1006007104d5e0ce0f9668ff8a58553c7de6e5a1eeeaa8b4b39f93f88458737aeb22142a8c0a6b0c6bd5cb71f499ae42a982d615708152da32c31c937bf4db51c43daee5d78eb0d7654f3d7765ef01e8ea8c5495fc815a9e3c47e78f8fc8e82d57357f91e78d3f0ae72ce0885473802b088bceccf7aa6f53970b0f4cd708b0f222656a9d323ad3dd73f9eb22b31c14c6002faab7aa602d62eac4f41f51f875e02d5b297b511bc903895b2efb49db5184399e5ec73800e21265fa91253ead98363f5fa70720cf92483d885a6b7c7324eb2eec487692ae4d2895b20e14c9b0a9ef2af734909ec747bf3f586738df65873d40e532725b92c33d84da6fbcf7e550aefea859b73d50d9804629a0b501d285f3eed3c9fc9118ca3e4dd9490135992d3d75a5a1315261446d9e69f969e1918ebab61ae13a56653e8dd84abd7219e241354dad750a51b2b1dd92fa3a9ae2bde5da510489106ac54c4dcac9d4958f7ee818b4849f8387337013e04c22c8cc8bcb540bc253357bad5b6a7b54a3bccc992b012bc1ebd2543c8e6469ac91a8c649e0919d3d85a59e0db88999ee7ac8a2b10b91ccf2ca2d130974cd6c364a614a4992358a212b41cce1d4d90146298e9137b5e012a2cd23e91b2a432ae3d4b3415c81c65e20b8fe18e7823f1c2786bf2e98883cebe48bfd742522717351eb3d9425433103dd9346bbb02417edbfb518d2ba75e51d82f9535afb842421cd85d5127ebc98257d42a51c21f8955bfefbd864850ceec896b5b1d2a5447e40a6fe20d9a8bdd1a6b5df6e0716ff41180d8215157eb1981abd7d6619a0c13166daa0821f05f80d9a55fdfd9ad943bacba22ccdb6161ff18711d071c35dbb39e419730513cdc34a8cb4166f3e97a6f0bf12d8c47edd5845c28dfb295bd5bbc264125c7a86a2b0756151a98931ade55682b0db207bfe1bd9c43d5259c441b0791d9d46c6100ecc288bb20b654b51338d1b963b411be5c33e0ca677219fa9b80a5b4bfb53243b925c75c411d17eb1d8dab945251101c55262bcac99553d4119d542328c9c8b070b502b46742eac49692d5135c152c2fc8aa7d52f82177540118cb99799403ee0d963c13b2aa32ce4f6be215962f97a2124b912194479d02588116f71d7a90f7297a270d550f2f8aa26b5a0a116767eae18e9fbe96392ab8c2bd7ab4013327ba25bfb3be323944cbe88a76b608bd83339db9dfc46583e4298c2c303ecab8a348b51ab415421c27a02e2acb577622f0cb748af0ee8e92f7517dd8f7997ddc045392de6892eb296244f1c37b85f9dc739ff219889b86add4a7ad42233eca36b2c8b774c5f9647c15f2d87d5f00e18b6f86f1d5746ffaed8497c71a4ed2cd696400e7076e45ed1787da4a5dd52398a210de2ea04f490613ab5642e0ea8d7097fb5a72240b440d1e6ce00d6f80f231764ff92187dbc591bfd441a0cc336136173f55ba2430c9374c4621c5c3846a0ae8bb72b602bd05437f0d0d1f88d25aa428c526972d5aa3dd39904421204fc9227ba9f1b783b5e63868b9f6c78b6a411e3b1e4da8c85974e8f28884c6df6b5deee7937651fe187d5704e18b6422102da22fc7a19a40582913376e45e8ec6e9ce969771c0216ebd3699e13e41e7e5ff7d58d942813a3a1a5b7a7be4239e7c07242fc2b7b350e4404ed828c09685ffee988845a9e1b1325e94f80d5c6ac4148ccc75b711e04660f06caf28484eced677f0ef5d8879571dcf46680ed616413ee1d8764510cdf8aaa334336223547c30985eb9f82598d179f6e1207d1e25b8e29d42c6f27e6c26c8d1484914b18256f3709c9886f9ff1d58f97ee6265e5f7807e42fd11771cf6548e1d40abfd527011f757891a4b9bd1e6638a0a417638f23c843cbcbb393ac34f7221f9c07b8bf1958397c61a48db35623402bb27494ec3fe9276d5f4987f58fee2868308c6e0ab6b4a0223142e644fe72595c81b86e9956018e2989ad4e6aa834379c9fbb381b5ffb47a42ffd489916823eb467918fbd889a087dcae5b52edef7b82f63b713604440eceea9d656813eeaa68adf6bc733905cb2c69ba183315451ce0d36eade8ac7f32fac17698f2d48552acd53a90b320b636c43d46b81530d8349d469ce71b75daf79a85d73b99ba63c619aa1c522c28c84cbc1ac6e9676bfdea7f8b05b5bbbc32404e3cfa3f7dc10857da1a58e8e8816adf0a9a15201c4591c05bad21c4446d21e4a38cc6696b04f53d78b3ff4a7210ff277226f5a17840f5d37851ff20713efc4682cd08a45733d1ba57bfe1be6c48face8d588425122fd9c1986fddf263861db65c3115c39b8211b	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\{80EFCC3D-7231E77A-CBAD456E-14BE20BC}	a69effb9cb8cb766f84043fe5b8417d223a46e3ec3f3e02152f844f7774cf51d.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

a69effb9cb8cb766f84043fe5b8417d223a46e3ec3f3e02152f844f7774cf51d.exeexplorer.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1652	a69effb9cb8cb766f84043fe5b8417d223a46e3ec3f3e02152f844f7774cf51d.exe
Token: SeSecurityPrivilege	1652	a69effb9cb8cb766f84043fe5b8417d223a46e3ec3f3e02152f844f7774cf51d.exe
Token: SeTakeOwnershipPrivilege	1652	a69effb9cb8cb766f84043fe5b8417d223a46e3ec3f3e02152f844f7774cf51d.exe
Token: SeLoadDriverPrivilege	1652	a69effb9cb8cb766f84043fe5b8417d223a46e3ec3f3e02152f844f7774cf51d.exe
Token: SeSystemProfilePrivilege	1652	a69effb9cb8cb766f84043fe5b8417d223a46e3ec3f3e02152f844f7774cf51d.exe
Token: SeSystemtimePrivilege	1652	a69effb9cb8cb766f84043fe5b8417d223a46e3ec3f3e02152f844f7774cf51d.exe
Token: SeProfSingleProcessPrivilege	1652	a69effb9cb8cb766f84043fe5b8417d223a46e3ec3f3e02152f844f7774cf51d.exe
Token: SeIncBasePriorityPrivilege	1652	a69effb9cb8cb766f84043fe5b8417d223a46e3ec3f3e02152f844f7774cf51d.exe
Token: SeCreatePagefilePrivilege	1652	a69effb9cb8cb766f84043fe5b8417d223a46e3ec3f3e02152f844f7774cf51d.exe
Token: SeBackupPrivilege	1652	a69effb9cb8cb766f84043fe5b8417d223a46e3ec3f3e02152f844f7774cf51d.exe
Token: SeRestorePrivilege	1652	a69effb9cb8cb766f84043fe5b8417d223a46e3ec3f3e02152f844f7774cf51d.exe
Token: SeShutdownPrivilege	1652	a69effb9cb8cb766f84043fe5b8417d223a46e3ec3f3e02152f844f7774cf51d.exe
Token: SeDebugPrivilege	1652	a69effb9cb8cb766f84043fe5b8417d223a46e3ec3f3e02152f844f7774cf51d.exe
Token: SeSystemEnvironmentPrivilege	1652	a69effb9cb8cb766f84043fe5b8417d223a46e3ec3f3e02152f844f7774cf51d.exe
Token: SeChangeNotifyPrivilege	1652	a69effb9cb8cb766f84043fe5b8417d223a46e3ec3f3e02152f844f7774cf51d.exe
Token: SeRemoteShutdownPrivilege	1652	a69effb9cb8cb766f84043fe5b8417d223a46e3ec3f3e02152f844f7774cf51d.exe
Token: SeUndockPrivilege	1652	a69effb9cb8cb766f84043fe5b8417d223a46e3ec3f3e02152f844f7774cf51d.exe
Token: SeManageVolumePrivilege	1652	a69effb9cb8cb766f84043fe5b8417d223a46e3ec3f3e02152f844f7774cf51d.exe
Token: SeImpersonatePrivilege	1652	a69effb9cb8cb766f84043fe5b8417d223a46e3ec3f3e02152f844f7774cf51d.exe
Token: SeCreateGlobalPrivilege	1652	a69effb9cb8cb766f84043fe5b8417d223a46e3ec3f3e02152f844f7774cf51d.exe
Token: 33	1652	a69effb9cb8cb766f84043fe5b8417d223a46e3ec3f3e02152f844f7774cf51d.exe
Token: 34	1652	a69effb9cb8cb766f84043fe5b8417d223a46e3ec3f3e02152f844f7774cf51d.exe
Token: 35	1652	a69effb9cb8cb766f84043fe5b8417d223a46e3ec3f3e02152f844f7774cf51d.exe
Token: SeIncreaseQuotaPrivilege	872	explorer.exe
Token: SeSecurityPrivilege	872	explorer.exe
Token: SeTakeOwnershipPrivilege	872	explorer.exe
Token: SeLoadDriverPrivilege	872	explorer.exe
Token: SeSystemProfilePrivilege	872	explorer.exe
Token: SeSystemtimePrivilege	872	explorer.exe
Token: SeProfSingleProcessPrivilege	872	explorer.exe
Token: SeIncBasePriorityPrivilege	872	explorer.exe
Token: SeCreatePagefilePrivilege	872	explorer.exe
Token: SeBackupPrivilege	872	explorer.exe
Token: SeRestorePrivilege	872	explorer.exe
Token: SeShutdownPrivilege	872	explorer.exe
Token: SeDebugPrivilege	872	explorer.exe
Token: SeSystemEnvironmentPrivilege	872	explorer.exe
Token: SeChangeNotifyPrivilege	872	explorer.exe
Token: SeRemoteShutdownPrivilege	872	explorer.exe
Token: SeUndockPrivilege	872	explorer.exe
Token: SeManageVolumePrivilege	872	explorer.exe
Token: SeImpersonatePrivilege	872	explorer.exe
Token: SeCreateGlobalPrivilege	872	explorer.exe
Token: 33	872	explorer.exe
Token: 34	872	explorer.exe
Token: 35	872	explorer.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

explorer.exe

pid process

872 explorer.exe

pid	process
872	explorer.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

a69effb9cb8cb766f84043fe5b8417d223a46e3ec3f3e02152f844f7774cf51d.exe

description	pid	process	target process
PID 1652 wrote to memory of 896	1652	a69effb9cb8cb766f84043fe5b8417d223a46e3ec3f3e02152f844f7774cf51d.exe	notepad.exe
PID 1652 wrote to memory of 896	1652	a69effb9cb8cb766f84043fe5b8417d223a46e3ec3f3e02152f844f7774cf51d.exe	notepad.exe
PID 1652 wrote to memory of 896	1652	a69effb9cb8cb766f84043fe5b8417d223a46e3ec3f3e02152f844f7774cf51d.exe	notepad.exe
PID 1652 wrote to memory of 896	1652	a69effb9cb8cb766f84043fe5b8417d223a46e3ec3f3e02152f844f7774cf51d.exe	notepad.exe
PID 1652 wrote to memory of 896	1652	a69effb9cb8cb766f84043fe5b8417d223a46e3ec3f3e02152f844f7774cf51d.exe	notepad.exe
PID 1652 wrote to memory of 896	1652	a69effb9cb8cb766f84043fe5b8417d223a46e3ec3f3e02152f844f7774cf51d.exe	notepad.exe
PID 1652 wrote to memory of 896	1652	a69effb9cb8cb766f84043fe5b8417d223a46e3ec3f3e02152f844f7774cf51d.exe	notepad.exe
PID 1652 wrote to memory of 896	1652	a69effb9cb8cb766f84043fe5b8417d223a46e3ec3f3e02152f844f7774cf51d.exe	notepad.exe
PID 1652 wrote to memory of 896	1652	a69effb9cb8cb766f84043fe5b8417d223a46e3ec3f3e02152f844f7774cf51d.exe	notepad.exe
PID 1652 wrote to memory of 896	1652	a69effb9cb8cb766f84043fe5b8417d223a46e3ec3f3e02152f844f7774cf51d.exe	notepad.exe
PID 1652 wrote to memory of 896	1652	a69effb9cb8cb766f84043fe5b8417d223a46e3ec3f3e02152f844f7774cf51d.exe	notepad.exe
PID 1652 wrote to memory of 896	1652	a69effb9cb8cb766f84043fe5b8417d223a46e3ec3f3e02152f844f7774cf51d.exe	notepad.exe
PID 1652 wrote to memory of 896	1652	a69effb9cb8cb766f84043fe5b8417d223a46e3ec3f3e02152f844f7774cf51d.exe	notepad.exe
PID 1652 wrote to memory of 896	1652	a69effb9cb8cb766f84043fe5b8417d223a46e3ec3f3e02152f844f7774cf51d.exe	notepad.exe
PID 1652 wrote to memory of 896	1652	a69effb9cb8cb766f84043fe5b8417d223a46e3ec3f3e02152f844f7774cf51d.exe	notepad.exe
PID 1652 wrote to memory of 896	1652	a69effb9cb8cb766f84043fe5b8417d223a46e3ec3f3e02152f844f7774cf51d.exe	notepad.exe
PID 1652 wrote to memory of 896	1652	a69effb9cb8cb766f84043fe5b8417d223a46e3ec3f3e02152f844f7774cf51d.exe	notepad.exe
PID 1652 wrote to memory of 896	1652	a69effb9cb8cb766f84043fe5b8417d223a46e3ec3f3e02152f844f7774cf51d.exe	notepad.exe
PID 1652 wrote to memory of 896	1652	a69effb9cb8cb766f84043fe5b8417d223a46e3ec3f3e02152f844f7774cf51d.exe	notepad.exe
PID 1652 wrote to memory of 896	1652	a69effb9cb8cb766f84043fe5b8417d223a46e3ec3f3e02152f844f7774cf51d.exe	notepad.exe
PID 1652 wrote to memory of 896	1652	a69effb9cb8cb766f84043fe5b8417d223a46e3ec3f3e02152f844f7774cf51d.exe	notepad.exe
PID 1652 wrote to memory of 896	1652	a69effb9cb8cb766f84043fe5b8417d223a46e3ec3f3e02152f844f7774cf51d.exe	notepad.exe
PID 1652 wrote to memory of 896	1652	a69effb9cb8cb766f84043fe5b8417d223a46e3ec3f3e02152f844f7774cf51d.exe	notepad.exe
PID 1652 wrote to memory of 896	1652	a69effb9cb8cb766f84043fe5b8417d223a46e3ec3f3e02152f844f7774cf51d.exe	notepad.exe
PID 1652 wrote to memory of 872	1652	a69effb9cb8cb766f84043fe5b8417d223a46e3ec3f3e02152f844f7774cf51d.exe	explorer.exe
PID 1652 wrote to memory of 872	1652	a69effb9cb8cb766f84043fe5b8417d223a46e3ec3f3e02152f844f7774cf51d.exe	explorer.exe
PID 1652 wrote to memory of 872	1652	a69effb9cb8cb766f84043fe5b8417d223a46e3ec3f3e02152f844f7774cf51d.exe	explorer.exe
PID 1652 wrote to memory of 872	1652	a69effb9cb8cb766f84043fe5b8417d223a46e3ec3f3e02152f844f7774cf51d.exe	explorer.exe
PID 1652 wrote to memory of 872	1652	a69effb9cb8cb766f84043fe5b8417d223a46e3ec3f3e02152f844f7774cf51d.exe	explorer.exe
PID 1652 wrote to memory of 872	1652	a69effb9cb8cb766f84043fe5b8417d223a46e3ec3f3e02152f844f7774cf51d.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\a69effb9cb8cb766f84043fe5b8417d223a46e3ec3f3e02152f844f7774cf51d.exe
"C:\Users\Admin\AppData\Local\Temp\a69effb9cb8cb766f84043fe5b8417d223a46e3ec3f3e02152f844f7774cf51d.exe"
1⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1652

C:\Windows\SysWOW64\notepad.exe
notepad
2⤵
- Adds Run key to start application
PID:896

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
2⤵
- Checks BIOS information in registry
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:872

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\PCGWIN32.LI5
Filesize
2KB

MD5
510b97bbfee7b4721801b408ca0305bd

SHA1
025993468e366f0186609cf127d0c784fa977ccd

SHA256
b74b9d56c2cac2a7b9122c81fbdca5638c760d80973f0d993b1bf9277d1b8d64

SHA512
ab3c1aacdb078b27629f4ab0ea87616a0f3589c56c8d508e17c0fbb5acb3756807662ab5213b9e85ef750a658d0c9b2c48ce2cc2cd121c81f473d299c9ee1006

Download Submit
C:\Windupdt\winupdate.exe
Filesize
848KB

MD5
5ff6c4af76faf74394c79161579e8a4f

SHA1
c36bca787b4629814a34d116b7c3ca5262fc4cfc

SHA256
a69effb9cb8cb766f84043fe5b8417d223a46e3ec3f3e02152f844f7774cf51d

SHA512
d15f6aeb2c2ac911a1c50356a8db5960d299b440bbf2e059a7ee5cfc4d3efc8c121ccc7fe737434ad04ef76f64000e77ca7fdc34b0193a2ad103b735e9ccf6d3

Download Submit
memory/872-62-0x0000000013140000-0x0000000013226000-memory.dmp

Filesize
920KB

Download
memory/872-59-0x0000000013140000-0x0000000013226000-memory.dmp

Filesize
920KB

Download
memory/872-60-0x000000001320E800-mapping.dmp

Download
memory/872-64-0x0000000013140000-0x0000000013226000-memory.dmp

Filesize
920KB

Download
memory/872-57-0x0000000013140000-0x0000000013226000-memory.dmp

Filesize
920KB

Download
memory/872-66-0x0000000013140000-0x0000000013226000-memory.dmp

Filesize
920KB

Download
memory/872-68-0x0000000013140000-0x0000000013226000-memory.dmp

Filesize
920KB

Download
memory/872-69-0x0000000013140000-0x0000000013226000-memory.dmp

Filesize
920KB

Download
memory/896-55-0x0000000000000000-mapping.dmp

Download
memory/1652-61-0x0000000013140000-0x0000000013226000-memory.dmp

Filesize
920KB

Download
memory/1652-54-0x0000000075491000-0x0000000075493000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads